{"id":18892,"date":"2026-03-04T09:50:16","date_gmt":"2026-03-04T09:50:16","guid":{"rendered":"\/cybersecurity-blog\/?p=18892"},"modified":"2026-03-04T10:14:37","modified_gmt":"2026-03-04T10:14:37","slug":"february-26-attacks","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/february-26-attacks\/","title":{"rendered":"Major Cyber Attacks in February 2026:\u00a0BQTLock, Thread-Hijack Phishing, and MFA Bypass Evolution"},"content":{"rendered":"\n<p>February 2026 brought a surge of sophisticated cyber threats targeting businesses across industries. ANY.RUN&#8217;s analysts exposed and explored several major cyber threats this month, providing early visibility into emerging malware families and evolving attack techniques.<\/p>\n\n\n\n<p>From new ransomware strains capable of encrypting entire environments in minutes, to fully undetected remote access trojans &#8212; the threat landscape this February demands attention from every security team.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Summary: What Every Security Team Should Focus On<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Two new ransomware families, <strong>GREENBLOOD and BQTLock<\/strong>, capable of disrupting business operations within minutes and combining encryption with data theft, were identified this month.<\/li>\n<li>Two new RATs \u2014 <strong>Moonrise and Karsto<\/strong> \u2014 were caught with zero detections on VirusTotal at the time of analysis, illustrating the growing gap between static detection and real-world threats.<\/li>\n<li><strong>Thread-hijack phishing<\/strong> reached a new level of sophistication, with attackers inserting themselves into real C-suite email conversations to deliver layered credential-theft campaigns using the EvilProxy phishing kit.<\/li>\n<li><strong>Enterprise phishing<\/strong> infrastructure is now routinely hosted on trusted cloud platforms: Microsoft Azure, Google Firebase, and Cloudflare. This makes URL reputation checks and blocklists increasingly unreliable as standalone defenses.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">1. The New Threats Nobody Had Signatures For<\/h2>\n\n\n\n<p>ANY.RUN analysts identified four new malicious families in February 2026 \u2014 two ransomware strains and two remote access trojans \u2014 all of which either evaded static detection entirely or compressed the window for defenders to respond.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">GREENBLOOD: Fast Encryption, Evidence Removal, and Immediate Business Exposure<\/h3>\n\n\n\n<p>GREENBLOOD is <a href=\"https:\/\/any.run\/cybersecurity-blog\/emerging-ransomware-bqtlock-greenblood\/\" target=\"_blank\" rel=\"noreferrer noopener\">a newly identified<\/a> Go-based ransomware built for speed, stealth, and pressure. 
Rather than relying on encryption alone, it combines rapid file locking with self-deletion to reduce forensic&nbsp;visibility, and&nbsp;adds data-leak threats through a TOR-based site \u2014 transforming a technical incident into a full business crisis involving downtime, regulatory exposure, reputational damage, and recovery cost.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=february-26-attacks&amp;utm_term=030326&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN&#8217;s Interactive Sandbox<\/a>&nbsp;captured the full attack chain in real time.&nbsp;&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/6f5d3098-14c0-45ed-916e-863ef4ba354d\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=february-26-attacks&amp;utm_term=030326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View&nbsp;detonation<\/a>&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_1-1024x576.png\" alt=\"\" class=\"wp-image-18902\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_1-1024x576.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_1-300x169.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_1-768x432.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_1-1536x864.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_1-370x208.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_1-270x152.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_1-740x416.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_1.png 1920w\" 
sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>GREENBLOOD exposed inside ANY.RUN sandbox<\/em><\/figcaption><\/figure>\n\n\n\n<p>Analysts observed:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>ChaCha8-based <strong>encryption<\/strong> capable of disrupting operations within minutes of initial execution.<\/li>\n<li>Attempts to delete the original executable, limiting post-incident <strong>forensic visibility<\/strong>.<\/li>\n<li>A TOR-based leak site to add <strong>extortion<\/strong> leverage beyond file recovery.<\/li>\n<\/ul>\n\n\n\n<p>Teams using TI Lookup can search for other GREENBLOOD sample analyses to uncover variants and expand detection coverage across environments:<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=february-26-attacks&amp;utm_term=030326&amp;utm_content=linktotilookup#%7B%22query%22:%22commandLine:%5C%22greenblood%5C%22%22,%22dateRange%22:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">commandLine:&quot;greenblood&quot;<\/a><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"488\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_2-1024x488.png\" alt=\"\" class=\"wp-image-18903\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_2-1024x488.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_2-300x143.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_2-768x366.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_2-1536x732.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_2-370x176.png 370w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_2-270x129.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_2-740x352.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_2.png 1558w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Sandbox analyses where GREENBLOOD was detected<\/em><\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">BQTLock: The Ransomware That Steals Your Data Before You Even Know It&#8217;s There<\/h3>\n\n\n\n<p><a href=\"https:\/\/any.run\/cybersecurity-blog\/emerging-ransomware-bqtlock-greenblood\/\" target=\"_blank\" rel=\"noreferrer noopener\">BQTLock is a<\/a> stealthy ransomware-linked chain. Instead of triggering obvious alerts immediately, it blends into trusted Windows processes and delays visible damage \u2014 making early detection difficult and increasing the chance of data exposure, operational disruption, and financial loss.<\/p>\n\n\n\n<p>Sandbox detonation revealed the complete kill chain, allowing SOC teams to act on early indicators (process injection, UAC bypass, persistence) before encryption begins.<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/90be5f16-fdde-4aca-9482-86e2aa43fba0\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=february-26-attacks&amp;utm_term=030326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">See the execution chain of BQTLock<\/a><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"568\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_3-1024x568.png\" alt=\"\" class=\"wp-image-18908\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_3-1024x568.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_3-300x166.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_3-768x426.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_3-370x205.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_3-270x150.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_3-740x410.png 740w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_3.png 1536w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>BQTLock attack fully exposed inside ANY.RUN sandbox<\/em><\/figcaption><\/figure>\n\n\n\n<p>BQTLock injects the <a href=\"https:\/\/any.run\/malware-trends\/remcos\/\" target=\"_blank\" rel=\"noreferrer noopener\">Remcos<\/a> payload into explorer.exe, performs UAC bypass via fodhelper.exe, and creates autorun persistence for elevated access after reboot. Only after escalation does it shift to credential theft and screen capture:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"669\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_4-1024x669.png\" alt=\"\" class=\"wp-image-18911\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_4-1024x669.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_4-300x196.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_4-768x502.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_4-370x242.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_4-270x176.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_4-740x484.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_4.png 1414w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Credential theft by BQTLock discovered by ANY.RUN<\/em><\/figcaption><\/figure>\n\n\n\n<p>This sequence shows how quickly a seemingly quiet infection can evolve into a full security and compliance incident.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Moonrise RAT: Zero Detections, Full Access, Total 
Silence&nbsp;<\/h3>\n\n\n\n<p>Moonrise is a newly discovered Go-based remote access trojan&nbsp;<a href=\"https:\/\/any.run\/cybersecurity-blog\/moonrise-rat-detected\/\" target=\"_blank\" rel=\"noreferrer noopener\">identified&nbsp;and named<\/a>&nbsp;by ANY.RUN analysts in February&nbsp;2026. At the time of analysis, the sample had not been&nbsp;submitted&nbsp;to&nbsp;VirusTotal&nbsp;and carried no vendor signatures \u2014 meaning it&nbsp;maintained&nbsp;active command-and-control communication while static defenses remained completely silent.&nbsp;<\/p>\n\n\n\n<p>Despite its low detection profile, Moonrise is fully equipped for high-impact operations.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/d3e5e733-3b0d-4cf7-a7a8-ea1553cd16b9?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=february-26-attacks&amp;utm_term=030326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View sandbox analysis<\/a>&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"485\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_5-1024x485.png\" alt=\"\" class=\"wp-image-18913\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_5-1024x485.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_5-300x142.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_5-768x364.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_5-1536x727.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_5-370x175.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_5-270x128.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_5-740x350.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_5.png 1842w\" 
sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Moonrise RAT fresh sample analysis in Interactive Sandbox<\/em><\/figcaption><\/figure>\n\n\n\n<p><strong>Behavioral analysis confirmed:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Credential theft<\/strong> targeting stored passwords, authentication tokens, and browser data.<\/li>\n<li><strong>Remote command execution<\/strong>, process control, and file upload\/execution capabilities.<\/li>\n<li><strong>Persistence mechanisms<\/strong> enabling long-term access even after system reboots.<\/li>\n<li>Extensive <strong>user monitoring<\/strong>: screen capture and streaming, webcam and microphone access, keystroke logging, and clipboard monitoring.<\/li>\n<\/ul>\n\n\n\n<p>Moonrise&#8217;s silent operation extends attacker dwell time, raising the risk of data exfiltration and operational disruption long before any alert is generated. One compromised endpoint can become a pivot point for lateral movement across the entire environment.<\/p>\n\n\n\n<p>ANY.RUN <a href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=february-26-attacks&amp;utm_term=030326&amp;utm_content=linktotifeedslanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Feeds<\/a> provide a continuous stream of fresh, validated indicators derived from analysis sessions by 600,000+ security professionals across 15,000+ organizations. For Moonrise specifically, TI Feeds would surface the C2 IP (193[.]23[.]199[.]88) and associated file hashes before your internal systems encounter them, allowing defensive infrastructure to block the threat at the perimeter rather than detect it post-compromise.<br><br><a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=february-26-attacks&amp;utm_term=030326&amp;utm_content=linktotilookup\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Lookup<\/a>, in turn, allows analysts to instantly pivot on any observable indicator. 
A hash, IP, domain, or URL can be cross-referenced against the ANY.RUN database to retrieve related sandbox analyses, historical sightings, linked infrastructure, and associated malware families.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=february-26-attacks&amp;utm_term=030326&amp;utm_content=linktotilookup#%7B%2522query%2522:%2522sha256:%255C%2522ed5471d42bef6b32253e9c1aba49b01b8282fd096ad0957abcf1a1e27e8f7551%255C%2522%2522,%2522dateRange%2522:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">sha256:&#8221;ed5471d42bef6b32253e9c1aba49b01b8282fd096ad0957abcf1a1e27e8f7551&#8243;<\/a>&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"547\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_6-1024x547.png\" alt=\"\" class=\"wp-image-18919\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_6-1024x547.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_6-300x160.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_6-768x410.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_6-1536x820.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_6-370x198.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_6-270x144.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_6-740x395.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_6.png 1554w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>File hash spotted in Moonrise samples<\/em>&nbsp;<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Karsto&nbsp;RAT: It Profiles Your 
Organization&nbsp;Then&nbsp;Attacks&nbsp;<\/h3>\n\n\n\n<p>Karsto&nbsp;<a href=\"https:\/\/any.run\/malware-trends\/rat\/\" target=\"_blank\" rel=\"noreferrer noopener\">RAT<\/a>&nbsp;is another newly identified malware family caught by ANY.RUN analysts this February with zero detections on&nbsp;VirusTotal&nbsp;at the time of discovery.&nbsp;Its modular architecture combined with built-in victim profiling capabilities&nbsp;allows&nbsp;attackers to map target environments before deciding which follow-on actions to take.&nbsp;<\/p>\n\n\n\n<p>Karsto&nbsp;disguises its C2 traffic to blend with&nbsp;legitimate-looking network communication, significantly reducing the chance of detection by network monitoring tools.&nbsp;The malware checks the victim\u2019s external IP via&nbsp;api[.]ipify[.]org&nbsp;and&nbsp;maintains&nbsp;heartbeat and logging endpoints with its C2. This behavior suggests selective activation of certain modules based on country, network, or public IP.&nbsp;<\/p>\n\n\n\n<p>Functionally,&nbsp;the&nbsp;RAT combines surveillance and remote control: it steals credentials and tokens, logs keystrokes and clipboard data, executes remote commands, uploads payloads, and exfiltrates files, while also capturing screenshots, webcam, and audio activity on the infected host.&nbsp;<\/p>\n\n\n\n<p>Like Moonrise,&nbsp;Karsto&nbsp;reinforces a critical lesson: waiting for antivirus vendors to flag a sample before&nbsp;taking action&nbsp;is no longer&nbsp;a viable&nbsp;strategy. Both RATs were capable, persistent, and actively harmful before any signatures existed. 
Behavior-based sandbox analysis&nbsp;remains&nbsp;the only reliable method to detect such threats at the earliest possible stage.&nbsp;<br>&nbsp;<br><a href=\"https:\/\/app.any.run\/tasks\/7f289c04-c532-4879-836f-a3931822ed24\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=february-26-attacks&amp;utm_term=030326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">See sample execution in a live analysis session<\/a>&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"573\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_7-1024x573.png\" alt=\"\" class=\"wp-image-18920\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_7-1024x573.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_7-300x168.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_7-768x430.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_7-1536x860.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_7-370x207.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_7-270x151.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_7-740x414.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_7.png 1841w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Karsto&nbsp;RAT&nbsp;sample dissected in the Sandbox&nbsp;<\/em><\/figcaption><\/figure>\n\n\n\n<p>TI Lookup can be used to proactively track evolving attacks by&nbsp;behavioral traces:&nbsp;<br>&nbsp;<br><a 
href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=february-26-attacks&amp;utm_term=030326&amp;utm_content=linktoservice#{%22query%22:%22url:%5C%22*\/notify?event=heartbeat&amp;user=*&amp;public_ip=%5C%22%22,%22dateRange%22:30}\" target=\"_blank\" rel=\"noreferrer noopener\">url:&quot;*\/notify?event=heartbeat&amp;user=*&amp;public_ip=&quot;<\/a><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"552\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_8-1024x552.png\" alt=\"\" class=\"wp-image-18922\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_8-1024x552.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_8-300x162.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_8-768x414.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_8-1536x828.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_8-370x199.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_8-270x146.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_8-740x399.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_8.png 1562w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Karsto samples detected by typical RAT activity<\/em><\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">2. The Playbooks Your Defenses Weren&#8217;t Built For<\/h2>\n\n\n\n<p>Beyond new malware, February 2026 saw threat actors pushing the boundaries of phishing sophistication. 
The three trends below represent a fundamental shift in how attackers approach enterprise credential theft \u2014 moving from noisy, easily filtered attacks to highly targeted, trust-abusing campaigns hidden behind infrastructure defenders have historically considered safe.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Thread-Hijack Phishing: When the Trap Arrives Inside a Real Conversation<\/h3>\n\n\n\n<p>ANY.RUN analysts <a href=\"https:\/\/any.run\/cybersecurity-blog\/enterprise-email-thread-phishing\/\" target=\"_blank\" rel=\"noreferrer noopener\">uncovered a sophisticated supply chain phishing campaign<\/a> in which attackers hijacked an ongoing email thread among C-suite executives discussing a document awaiting final approval. The threat actor had likely compromised a contractor mailbox already involved in the conversation and posed as a legitimate participant, replying directly with a phishing link mimicking a Microsoft authentication form.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"537\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_9-1024x537.png\" alt=\"\" class=\"wp-image-18924\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_9-1024x537.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_9-300x157.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_9-768x403.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_9-370x194.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_9-270x142.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_9-740x388.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_9.png 1536w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Phishing chain revealed by ANY.RUN researchers<\/em><\/figcaption><\/figure>\n\n\n\n<p>A supply chain phishing email triggered seven forwarded messages, building plausibility through internal forwarding chains. Recipients then encountered a Cloudflare Turnstile anti-bot page, a Turnstile-protected phishing page, and finally the EvilProxy adversary-in-the-middle kit \u2014 which captured Microsoft credentials and session tokens in real time.<\/p>\n\n\n\n<p>What makes thread-hijack attacks particularly dangerous is their inherent credibility. The email arrives within a real, trusted business conversation, not as a cold phishing lure. There are no suspicious sender addresses, no typosquatted domains in the thread body, and no obvious red flags for email security gateways to catch.<\/p>\n\n\n\n<p>The only reliable detection method is safe behavioral detonation of links at the time of delivery.<\/p>\n\n\n\n<p>The business impact of a successful thread-hijack attack is severe: compromised executive credentials can give attackers access to sensitive communications, financial approval workflows, and cloud environments.<br><br>Using TI Lookup, analysts were able to pivot from this incident to a broader EvilProxy campaign active since early December 2025, primarily targeting organizations in the Middle East. Lookup results highlight which countries these campaigns have been targeting recently, and which industries and sectors report the most detections.<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=february-26-attacks&amp;utm_term=030326&amp;utm_content=linktotilookup#%7B%22query%22:%22domainName:%5C%22bctcontractors.com$%5C%22%20OR%20domainName:%5C%22himsanam.com$%5C%22%22,%22dateRange%22:180%7D%20\" target=\"_blank\" rel=\"noreferrer noopener\">domainName:&quot;bctcontractors.com$&quot; OR domainName:&quot;himsanam.com$&quot;<\/a><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"537\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_10-1024x537.png\" alt=\"\" class=\"wp-image-18925\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_10-1024x537.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_10-300x157.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_10-768x403.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_10-1536x806.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_10-370x194.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_10-270x142.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_10-740x388.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_10.png 1549w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Search revealing EvilProxy attack on Middle East countries<\/em><\/figcaption><\/figure>\n\n\n\n<p>
Detecting these attacks early requires solutions that can safely follow the full redirect chain and expose the phishing page behavior in seconds.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Hiding in Plain Sight: How Phishing Kits Moved Into Microsoft and Google&#8217;s Backyard<\/h3>\n\n\n\n<p>Another major trend <a href=\"https:\/\/any.run\/cybersecurity-blog\/enterprise-phishing-analysis\/\" target=\"_blank\" rel=\"noreferrer 
noopener\">identified<\/a> by ANY.RUN this February is the systematic migration of phishing kit infrastructure onto legitimate cloud and CDN platforms. Rather than hosting credential-theft pages on newly registered domains, which are quickly flagged and blocked, attackers now deploy phishing content directly on Microsoft Azure Blob Storage, Google Firebase Storage, and AWS CloudFront, or behind the Cloudflare CDN.&nbsp;<\/p>\n\n\n\n<p>Live examples can be explored in Threat Intelligence Lookup with a query like this one:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=february-26-attacks&amp;utm_term=030326&amp;utm_content=linktolookup#%7B%2522query%2522:%2522threatName:%255C%2522sneaky2fa%255C%2522%2520AND%25C2%25A0destinationIpAsn:%255C%2522cloudflarenet%255C%2522%2522,%2522dateRange%2522:60%7D\" target=\"_blank\" rel=\"noreferrer noopener\">threatName:&#8221;sneaky2fa&#8221; AND&nbsp;destinationIpAsn:&#8221;cloudflarenet&#8221;<\/a>&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"488\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_11-1024x488.png\" alt=\"\" class=\"wp-image-18935\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_11-1024x488.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_11-300x143.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_11-768x366.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_11-1536x732.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_11-370x176.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_11-270x129.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_11-740x353.png 740w,
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_11.png 1551w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Phishkit Sneaky2FA abusing Cloudflare infrastructure: sandbox sample analyses<\/em><\/figcaption><\/figure>\n\n\n\n<p>For defenders, this shift creates a major blind spot. Network traffic monitoring sees trusted cloud infrastructure, valid HTTPS certificates, and recognized ASN ranges. The origin server where the malicious content actually lives is hidden behind Cloudflare&#8217;s reverse proxy, making it impossible to block based on IP or domain reputation alone.&nbsp;<\/p>\n\n\n\n<p>The three most active phishing kits exploiting this technique are:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/any.run\/malware-trends\/tycoon\/\" target=\"_blank\" rel=\"noreferrer noopener\">Tycoon2FA<\/a>, primarily abusing Microsoft Azure infrastructure;<\/li>\n<li><a href=\"https:\/\/any.run\/malware-trends\/sneaky2fa\/\">Sneaky2FA<\/a>, commonly hosted on Google Firebase Storage and specifically designed to filter out personal email addresses in favor of corporate targets;<\/li>\n<li><a href=\"https:\/\/any.run\/malware-trends\/evilproxy\/\">EvilProxy<\/a>, which uses similar cloud infrastructure in executive account takeover campaigns.<\/li>\n<\/ul>\n\n\n\n<p>This trend represents a fundamental challenge for organizations that rely on URL reputation databases and domain blocklists as primary phishing defenses. When the hosting infrastructure is indistinguishable from legitimate Microsoft or Google services, static detection fails.
ANY.RUN&#8217;s TI Lookup enables teams to search for specific behavioral patterns \u2014 such as Sneaky2FA sessions whose destination ASN belongs to Cloudflare \u2014 to stay ahead of campaigns that would otherwise appear clean.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The Phishing Kit That Evolves Faster Than Your Defenses&nbsp;<\/h3>\n\n\n\n<p><a href=\"https:\/\/any.run\/cybersecurity-blog\/tycoon2fa-evasion-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">Tycoon 2FA<\/a>, one of the most active Phishing-as-a-Service platforms, built to bypass multi-factor authentication by intercepting session cookies in real time, continued its rapid development cycle into February 2026.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"1024\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_add-1024x1024.png\" alt=\"\" class=\"wp-image-18938\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_add-1024x1024.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_add-300x300.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_add-150x150.png 150w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_add-768x768.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_add-1536x1536.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_add-2048x2048.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_add-70x70.png 70w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_add-370x370.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_add-270x270.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/febr_add-740x740.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption
class=\"wp-element-caption\"><em>Explore evolving phishkit infrastructure and gather IOCs with TI Lookup<\/em><\/figcaption><\/figure>\n\n\n\n<p>ANY.RUN\u2019s experts are seeing new URL patterns tied to the&nbsp;phishkit&nbsp;campaigns, along with a spike in phishing domains in less common TLDs&nbsp;like .biz.id, .beer,&nbsp;and .bar.&nbsp;&nbsp;<\/p>\n\n\n\n<p>From a business risk perspective, Tycoon 2FA&#8217;s ongoing evolution is significant for two reasons. First, it&nbsp;demonstrates&nbsp;that MFA is no longer a reliable last line of defense \u2014 by capturing session cookies&nbsp;at the moment&nbsp;of&nbsp;authentication,&nbsp;Tycoon 2FA renders most MFA implementations ineffective. Second, its&nbsp;PhaaS&nbsp;model means low-skill actors can access industrial-grade phishing infrastructure, enabling campaigns at a scale previously requiring significant technical capability.&nbsp;<\/p>\n\n\n\n<p>For threat hunters, the challenge is&nbsp;validating&nbsp;patterns against real attacker behavior. 
Hunting breaks down when detections are built on isolated IOCs without execution context.&nbsp;<\/p>\n\n\n\n<p>SOC teams use ANY.RUN\u2019s TI Lookup to pivot from indicators to full attack context, uncovering recurring URL patterns, infrastructure reuse, and related artifacts across real sandbox sessions.<\/p>\n\n\n\n<p>Use these search queries to explore updated Tycoon 2FA infrastructure, validate your hypotheses, and prioritize alerts by your industry &amp; region:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=february-26-attacks&amp;utm_term=030326&amp;utm_content=linktolookup#%7B%2522query%2522:%2522url:%255C%2522\/deeplink.%255C%2522%2520OR%2520url:%255C%2522\/botchain.%255C%2522%2520OR%2520url:%255C%2522\/autogen.%255C%2522%2520OR%2520url:%255C%2522\/inflect.%255C%2522%2520OR%2520url:%255C%2522\/coremind.%255C%2522%2520OR%2520url:%255C%2522\/netloop.%255C%2522%2520OR%2520url:%255C%2522\/neural.%255C%2522%2520OR%2520url:%255C%2522\/algomesh.%255C%2522%2520OR%2520url:%255C%2522\/bytecore.%255C%2522%2520OR%2520url:%255C%2522\/datashift.%255C%2522%2520OR%2520url:%255C%2522\/cyberia.%255C%2522%2520OR%2520url:%255C%2522\/quantum.%255C%2522%2520OR%2520url:%255C%2522\/cortex.%255C%2522%2520OR%2520url:%255C%2522\/synthex.%255C%2522%2520OR%2520url:%255C%2522\/cloudra.%255C%2522%2522,%2522dateRange%2522:60%7D\" target=\"_blank\" rel=\"noreferrer noopener\">New Tycoon 2FA URL patterns<\/a>;<\/li>\n<li><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=february-26-attacks&amp;utm_term=030326&amp;utm_content=linktolookup#%7B%2522query%2522:%2522(domainName:%255C%2522.biz.id$%255C%2522%2520or%2520domainName:%255C%2522.beer$%255C%2522%2520or%2520domainName:%255C%2522.bar$%255C%2522)%2520and%2520threatName:%255C%2522tycoon%255C%2522%2522,%2522dateRange%2522:60%7D\" target=\"_blank\" rel=\"noreferrer noopener\">Tycoon 2FA domains in less common TLDs<\/a>;<\/li>\n<li><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=february-26-attacks&amp;utm_term=030326&amp;utm_content=linktolookup#%7B%2522query%2522:%2522suricataID:%255C%252285005824%255C%2522%2520and%2520url:%255C%2522~%255C%2522%2522,%2522dateRange%2522:60%7D\" target=\"_blank\" rel=\"noreferrer noopener\">Search by Suricata IDS rule<\/a>;<\/li>\n<li><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=february-26-attacks&amp;utm_term=030326&amp;utm_content=linktolookup#%7B%2522query%2522:%2522suricataMessage:%255C%2522PHISHING%2520%5BANY.RUN%5D*DGA%2520pattern*Tycoon%255C%2522%2522,%2522dateRange%2522:60%7D\" target=\"_blank\" rel=\"noreferrer noopener\">Search by Tycoon 2FA DGA signature<\/a>.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Faster Threats, Higher Stakes: Protecting What Your Business Can&#8217;t Afford to Lose&nbsp;<\/h2>\n\n\n\n<p>The threats documented in February 2026 share one thing in common: they are designed to defeat the tools and assumptions that most enterprise security programs still rely on. Signature-based antivirus misses zero-detection RATs. URL blocklists fail against cloud-hosted phishing. MFA is bypassed by adversary-in-the-middle kits.
Email gateways cannot flag a reply within a real executive conversation.&nbsp;<\/p>\n\n\n\n<p>For security teams and business leaders, the practical implications are clear. Speed matters most: GREENBLOOD can encrypt an environment in minutes, and BQTLock&#8217;s stealth setup phase is the narrowest window for containment. Static checks are no longer sufficient: Moonrise and Karsto both operated without any vendor signatures, meaning organizations that rely only on antivirus are flying blind. And infrastructure trust cannot be assumed: when Microsoft Azure and Google Firebase are used to host credential-theft pages, traditional reputation-based defenses have no reliable signal to act on.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Detect Evasive Threats with the Interactive Sandbox<\/strong><\/h3>\n\n\n\n<p>ANY.RUN&#8217;s Sandbox enables security teams to detonate suspicious files and URLs in a safe, controlled environment and observe real behavior as it unfolds. For the threats documented this month, this means:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>confirming whether a suspicious link completes a full credential-theft redirect chain in under 60 seconds;<\/li>\n<li>observing ransomware encryption, self-deletion, and persistence behavior before it reaches production systems;<\/li>\n<li>identifying C2 communication from RATs that would pass signature-based checks without any flags.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Pivot IOCs and Enrich Them with Context<\/h3>\n\n\n\n<p>TI Lookup extends this capability into proactive threat hunting.
Rather than waiting for an alert to arrive, analysts can query the database using behavioral indicators&nbsp;(command lines, TTPs, process behaviors, network connections, JA3 fingerprints, and more)&nbsp;to discover whether similar threats have appeared in other environments, identify campaign infrastructure before it targets the organization, and enrich alert triage with context that cuts investigation time significantly.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Expand Threat Coverage with TI Feeds<\/h3>\n\n\n\n<p>ANY.RUN&#8217;s Threat Intelligence Feeds deliver continuously updated IOCs and behavioral indicators extracted from millions of real sandbox analysis sessions directly into SIEM and EDR platforms.&nbsp;<\/p>\n\n\n\n<p>Together, these solutions&nbsp;create a continuous intelligence cycle that supports every stage of the security workflow: safe detonation and behavior confirmation at Tier 1, deep campaign investigation and pivot analysis at Tier 2, and proactive hunting and detection engineering at Tier 3.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;&nbsp;<\/h2>\n\n\n\n<p>ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions, integrates seamlessly into modern SOC operations and supports investigations from the first alert through containment and detection improvement.&nbsp;&nbsp;<\/p>\n\n\n\n<p>Security teams use ANY.RUN\u2019s <a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=february-26-attacks&amp;utm_term=030326&amp;utm_content=linktosandboxlanding\">Sandbox<\/a> to safely execute suspicious files and URLs,&nbsp;observe&nbsp;real behavior in controlled environments, extract actionable indicators, and enrich findings instantly through <a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=february-26-attacks&amp;utm_term=030326&amp;utm_content=linktotilookuplanding\">TI Lookup<\/a> and <a href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=february-26-attacks&amp;utm_term=030326&amp;utm_content=linktotifeedslanding\">Threat Intelligence Feeds<\/a>.
This unified approach reduces uncertainty, improves validation accuracy, and strengthens response consistency across the organization.&nbsp;&nbsp;<\/p>\n\n\n\n<p>Today, more than 600,000 security professionals across 15,000+ organizations rely on ANY.RUN to accelerate investigations, enhance detection resilience, and stay ahead of evolving&nbsp;phishing&nbsp;and&nbsp;malware campaigns.&nbsp;<\/p>\n","protected":false},"author":2,"featured_media":18895,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[57,10,34,63,51],"class_list":["post-18892","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-lifehacks","tag-anyrun","tag-cybersecurity","tag-malware-analysis","tag-phishing","tag-rat"],"acf":[]}