{"id":19659,"date":"2026-03-31T10:24:19","date_gmt":"2026-03-31T10:24:19","guid":{"rendered":"\/cybersecurity-blog\/?p=19659"},"modified":"2026-03-31T11:16:09","modified_gmt":"2026-03-31T11:16:09","slug":"release-notes-march-2026","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/release-notes-march-2026\/","title":{"rendered":"Release Notes: Cross-Platform\u00a0Threat Analysis with macOS, SSL Decryption, and\u00a01,300+ New Detections\u00a0"},"content":{"rendered":"\n<p>March was a packed month for&nbsp;<a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>.&nbsp;We rolled out major product improvements that help security teams investigate phishing inside encrypted traffic, expand cross-platform analysis with macOS, and bring Windows Server into the&nbsp;sandbox&nbsp;workflow. <\/p>\n\n\n\n<p>At the same time, our detection team continued to strengthen threat coverage with new&nbsp;behavior&nbsp;signatures, Suricata rules, and fresh threat intelligence reports focused on active malware and attack techniques.&nbsp;<\/p>\n\n\n\n<p>Here\u2019s&nbsp;a closer&nbsp;look&nbsp;at&nbsp;what\u2019s&nbsp;new.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Product Updates&nbsp;<\/h2>\n\n\n\n<p>This month\u2019s updates are all about helping security teams see more and investigate with less friction. We improved phishing detection inside encrypted traffic, expanded <a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">sandbox coverage<\/a> to macOS, and added Windows Server analysis so teams can work across more of the environments they protect every day.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Automatic SSL Decryption for Stronger Phishing Detection&nbsp;<\/h3>\n\n\n\n<p>Encrypted HTTPS traffic remains one of the main reasons phishing is harder to confirm quickly. It hides credential theft, redirect chains, and token-based attacks inside traffic that often appears legitimate, forcing teams to spend more time on validation and increasing the chance of missed compromise.<\/p>\n\n\n\n<p>In March, ANY.RUN introduced <a href=\"https:\/\/any.run\/cybersecurity-blog\/automatic-ssl-decryption\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>automatic SSL decryption<\/strong><\/a> in the <a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">Interactive Sandbox<\/a> across all subscription tiers. By extracting encryption keys directly from process memory, the sandbox can now inspect decrypted traffic during analysis and apply Suricata rules, detection signatures, and IOC extraction immediately.<\/p>\n\n\n\n<p>Check real-world example: <a href=\"https:\/\/app.any.run\/tasks\/73fb8a10-2721-4da4-9f9b-a340a6eac370?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Detecting Salty2FA phishing campaign with SSL decryption<\/a><\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2-2048x1152-1-1024x576.png\" alt=\"\" class=\"wp-image-19667\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2-2048x1152-1-1024x576.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2-2048x1152-1-300x169.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2-2048x1152-1-768x432.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2-2048x1152-1-1536x864.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2-2048x1152-1-370x208.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2-2048x1152-1-270x152.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2-2048x1152-1-740x416.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/image2-2048x1152-1.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Automatic SSL decryption provides a major phishing detection boost in the&nbsp;sandbox<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>This significantly expands phishing visibility across every&nbsp;sandbox&nbsp;session. After implementing the technology, ANY.RUN saw a&nbsp;5x increase in SSL-decrypted phishing detection&nbsp;and added&nbsp;60,000 more confirmed malicious URLs to&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">TI&nbsp;Lookup<\/a>&nbsp;each month.&nbsp;<\/p>\n\n\n\n<p>For your SOC, this means:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Higher detection rate:<\/strong>&nbsp;Analysts can now&nbsp;identify&nbsp;phishing activity that would otherwise stay hidden inside encrypted traffic.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Faster MTTD and MTTR:<\/strong>&nbsp;Teams confirm malicious&nbsp;behavior&nbsp;earlier and respond before phishing causes broader damage.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Reduced Tier 1-to-Tier 2 escalation volume:<\/strong>&nbsp;Tier 1 can close more cases independently and escalate only the incidents that truly need deeper investigation.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Expanding\u00a0Your SOC&#8217;s\u00a0Cross-Platform Analysis with macOS\u00a0<\/h3>\n\n\n\n<p>As enterprise environments grow more complex, SOC teams are expected to investigate threats across multiple operating systems without slowing down triage. But when analysis is split across separate tools and environments, investigations take longer, alert backlogs grow, and the risk of delayed or missed detection increases.&nbsp;<\/p>\n\n\n\n<p>To help solve this,&nbsp;ANY.RUN expanded its&nbsp;<strong>sandbox&nbsp;OS coverage with&nbsp;<\/strong><a href=\"https:\/\/any.run\/cybersecurity-blog\/anyrun-macos-sandbox\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>macOS virtual machine<\/strong><\/a>, now available in beta for&nbsp;<a href=\"https:\/\/any.run\/plans\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoplans\" target=\"_blank\" rel=\"noreferrer noopener\">Enterprise Suite<\/a>&nbsp;users. This gives teams one environment to investigate threats across&nbsp;<a href=\"https:\/\/any.run\/cybersecurity-blog\/windows-10-sandbox\/\" target=\"_blank\" rel=\"noreferrer noopener\">Windows<\/a>,&nbsp;<a href=\"https:\/\/any.run\/cybersecurity-blog\/linux-malware-analysis-sandbox\/\" target=\"_blank\" rel=\"noreferrer noopener\">Linux<\/a>,&nbsp;<a href=\"https:\/\/any.run\/cybersecurity-blog\/android-malware-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">Android<\/a>, and now macOS.&nbsp;&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/65678bab-2c5f-47b8-b0d4-cb0870b1a3c8?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View&nbsp;analysis of&nbsp;macOS threat<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"570\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-31-at-11.35.08-1024x570.png\" alt=\"Miolab stealer\u00a0analyzed\u00a0inside ANY.RUN\u00a0sandbox\u00a0\" class=\"wp-image-19670\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-31-at-11.35.08-1024x570.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-31-at-11.35.08-300x167.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-31-at-11.35.08-768x427.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-31-at-11.35.08-1536x854.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-31-at-11.35.08-2048x1139.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-31-at-11.35.08-370x206.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-31-at-11.35.08-270x150.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-31-at-11.35.08-740x412.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Miolab stealer&nbsp;analyzed&nbsp;inside ANY.RUN&nbsp;sandbox<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Bringing <strong>interactive macOS analysis<\/strong> into the workflow is especially important for threats that stay dormant until a user enters a password, approves a system dialog, or triggers another action. By allowing real user interaction during detonation, the sandbox can expose behaviors that automated analysis often misses, including fake authentication prompts, staged execution chains, file collection, and post-authentication data exfiltration.<\/p>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\nExpand\u00a0your SOC\u2019s <span class=\"highlight\">\ncross-platform threat visibility <\/span><br><span class=\"highlight\">Reduce breach risk<\/span> with analysis across 4 major OS\n&nbsp;   \n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/any.run\/enterprise\/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=release-notes-march-2026&#038;utm_term=310326&#038;utm_content=linktoenterprise#contact-sales\" rel=\"noopener\" target=\"_blank\">\nRequest for your team\n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<p>This operational improvement leads to measurable outcomes:&nbsp;&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Faster validation of suspicious files and URLs:<\/strong>&nbsp;Teams can confirm malicious&nbsp;behavior&nbsp;in minutes through&nbsp;behavior-based analysis during triage.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Shorter investigation cycles:<\/strong>&nbsp;Analysts can&nbsp;observe&nbsp;full execution&nbsp;behavior&nbsp;in one environment without manually piecing evidence together across multiple tools.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Improved cross-platform detection coverage:<\/strong>&nbsp;Security teams can investigate platform-specific threats across macOS, Windows, Linux, and Android in a consistent workflow.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Higher productivity during triage:<\/strong>&nbsp;Less context switching helps analysts process more alerts per shift.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Reduced alert backlog during peak activity:<\/strong>&nbsp;Faster decisions help SOC teams keep queues under control during phishing waves and malware outbreaks.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Advancing Server-Side Threat Analysis with Windows Server&nbsp;<\/h3>\n\n\n\n<p>For many enterprise teams, critical infrastructure runs on&nbsp;<strong>Windows Server<\/strong>, from domain services and file storage to business applications and backups. But malware that targets server environments often behaves differently from threats launched on standard Windows systems, making it harder to assess risk accurately in a desktop-focused setup.&nbsp;<\/p>\n\n\n\n<p>To close that gap,&nbsp;<a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>ANY.RUN&nbsp;Sandbox<\/strong><\/a><strong>&nbsp;<\/strong>now supports analysis in a Windows Server environment.&nbsp;This gives security teams a way to&nbsp;observe&nbsp;attack&nbsp;behavior&nbsp;in a server OS and investigate techniques tied to infrastructure, including changes to domain accounts, security policies, and the use of administrative tools.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"800\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-31-at-09.04.09-1024x800.png\" alt=\"Threats\u00a0analyzed\u00a0inside a Windows Server environment\" class=\"wp-image-19671\" style=\"width:588px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-31-at-09.04.09-1024x800.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-31-at-09.04.09-300x234.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-31-at-09.04.09-768x600.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-31-at-09.04.09-1536x1199.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-31-at-09.04.09-370x289.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-31-at-09.04.09-270x211.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-31-at-09.04.09-385x300.png 385w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-31-at-09.04.09-740x578.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-31-at-09.04.09.png 1670w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Threats&nbsp;analyzed&nbsp;inside a Windows Server environment<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>This addition helps teams strengthen infrastructure-focused triage and response:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Better visibility into server-specific techniques:<\/strong>&nbsp;Teams can&nbsp;analyze&nbsp;behavior&nbsp;tied to domains, policies, and administrative utilities in a more relevant environment.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Stronger investigation confidence for infrastructure threats:<\/strong>&nbsp;Analysts can&nbsp;validate&nbsp;whether a sample affects server-side services or critical business systems before escalating.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>More effective detection and response preparation:<\/strong>&nbsp;Security teams can collect artifacts, refine detections, and improve incident playbooks for Windows Server scenarios.&nbsp;<\/li>\n<\/ul>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\n<span class=\"highlight\">\nCut business risk <\/span>with earlier malware &#038; phishing detection <br>Equip your SOC with <span class=\"highlight\">deeper threat analysis<\/span>\n&nbsp;   \n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/any.run\/enterprise\/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=release-notes-march-2026&#038;utm_term=310326&#038;utm_content=linktoenterprise#contact-sales\" rel=\"noopener\" target=\"_blank\">\nIntegrate in your SOC\n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<h2 class=\"wp-block-heading\">Threat Coverage Updates&nbsp;<\/h2>\n\n\n\n<p>In March, our detection team continued to expand coverage across phishing, credential theft, backdoors, miners, stealers, loaders, and evasive system abuse.&nbsp;<\/p>\n\n\n\n<p>This month\u2019s updates include:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>91 new&nbsp;behavior&nbsp;signatures<\/strong>&nbsp;<\/li>\n\n\n\n<li><strong>1,293 new Suricata rules<\/strong>&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>These additions give security teams better visibility into modern attack chains, from OAuth phishing and Telegram-based credential theft to backdoor communication, loader&nbsp;behavior, and suspicious use of built-in system tools.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">New&nbsp;Behavior&nbsp;Signatures&nbsp;<\/h3>\n\n\n\n<p>In March, we added&nbsp;<strong>91 new&nbsp;behavior&nbsp;signatures<\/strong>&nbsp;to strengthen detection across malware families, Android threats, stealers, loaders, RATs, ransomware, and suspicious system-level activity.&nbsp;<\/p>\n\n\n\n<p>These updates improve visibility into&nbsp;behaviors&nbsp;often seen in real attacks, including persistence, self-deletion, loader activity, shell delivery, registry tampering, PowerShell abuse, and virtual machine checks used to evade analysis.&nbsp;<\/p>\n\n\n\n<p><strong>Highlighted families and detections include:<\/strong>&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-grid wp-container-core-group-is-layout-1 wp-block-group-is-layout-grid\">\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/dfcf4df2-f5b8-4fc4-9318-0016f88981d4?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Oreshki<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/a90ede8f-1d75-41ae-a288-f658821fb8d7?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Lixvo<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/70547603-d023-4bcc-8d9e-4fe6f54aa270?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Genesis<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/8a9d8a39-38ee-4813-9b88-dcf577dee4d5?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Overlord<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/0b8c2ab8-4740-4d5a-a1cf-3c3882fcb7b8?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Libka<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/912971bd-04f3-4c6c-b96c-6953f22ae1f7?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">A0Backdoor<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/2739f67d-18f2-4b88-b5a8-33751c1e30f4?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Banshee<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/9dd0cd56-fdce-4402-bfb1-839373ea5be3?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Vdw0rm<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/4020bc2b-dca7-498a-88c7-9901f36644b3?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">TaxiSpy<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/cf4722d5-4105-42a0-a9da-e08c36d27971?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Perseus<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/29166775-2874-42d4-ba3a-e0a6d46a60e7?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Slopoly<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/56b8e219-4840-4c30-aded-9bae849c869c?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Venon<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/0758e8b1-53d7-4728-a661-4db50e04bc9b?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Herodotus<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/71ea1390-918b-4ad5-97ed-fea1cb64a818?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Boryptgrab<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/02084297-b0aa-4a7c-a1ec-ca7bdd640c19?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">NexusRAT<\/a>&nbsp;<\/li>\n<\/ul>\n<\/div><\/div>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"640\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-30-at-21.18.19-1024x640.png\" alt=\"District\u00a0analyzed\u00a0inside ANY.RUN sandbox\" class=\"wp-image-19675\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-30-at-21.18.19-1024x640.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-30-at-21.18.19-300x188.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-30-at-21.18.19-768x480.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-30-at-21.18.19-1536x960.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-30-at-21.18.19-2048x1280.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-30-at-21.18.19-370x231.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-30-at-21.18.19-270x169.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-30-at-21.18.19-740x463.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>District&nbsp;analyzed&nbsp;inside ANY.RUN sandbox<\/em><\/figcaption><\/figure><\/div>\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-grid wp-container-core-group-is-layout-2 wp-block-group-is-layout-grid\">\n<ul class=\"wp-block-list\">\n<li>HolyCat&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SuperCard&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/8749ea16-4efc-4901-a39e-2acaaf1f65e8\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Mamont<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/79551733-b9c2-4995-8c3e-9bef92760909\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">MrDec<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/90631fad-0c8d-4211-81cd-80ba7ddfe525\/\" target=\"_blank\" rel=\"noreferrer noopener\">Nopname<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/da847acb-f2b6-45b0-b9e2-d042418e0477\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">BlackShrantac<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Noodlopfile&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/a1cb8ca4-a870-47ef-8a65-a1cff379dee0\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">CastleLoader<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>CharlieKirk&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>LockCrypt&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>GibCrypto&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>ZipWhisper&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>PixyNetLoader&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Quantum&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/3687a1da-df45-42f5-8fda-d08029242639\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">BlackReaper<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Queen&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Zov&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>FileScavenger&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Rodecap&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Recuva&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OCRFix&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/6052ac64-6e3b-4cef-9e10-e254c7202497\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">UnixStealer<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/50d74211-ad49-4b70-926d-de4350713ab0?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">XWorm<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/1e576ce0-c28a-40e2-8e28-148fb95845f0?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">District<\/a>&nbsp;<\/li>\n<\/ul>\n<\/div><\/div>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\nReduce MTTD to <span class=\"highlight\">\n15 seconds per case <\/span>in your SOC <br>Detect malware &#038; phishing threats early\n&nbsp;   \n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/app.any.run\/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=release-notes-march-2026&#038;utm_term=310326&#038;utm_content=linktoregistration\" rel=\"noopener\" target=\"_blank\">\nSign up now\n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-grid wp-container-core-group-is-layout-3 wp-block-group-is-layout-grid\">\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/e83564ba-25d4-45d0-a0fa-bb3a03b40291?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">SPRON<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/ebeabebf-7d1f-4659-bece-15737eb538fa?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">ATROPINE<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/49947827-3e42-4ee8-95c0-dc9e5f55aa14?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">BamboLoader<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/c11440d1-e60b-4aaa-9cbb-1a8053584df9?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">RUTSSTAGER<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/7f57ace0-4e2d-4aa2-abdf-a3a5fddbb7f7?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">IRONZERO<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/89c28bf3-8737-4475-8e80-470d7c1734e4\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">BeardShell<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/0b8afd4e-30d5-4247-b2a4-92ab6fbf0407?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">SplitDrop<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/a3d8f313-ec06-4ee0-bf92-b6b11f3342bb?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">JIGSAW<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/c943d7b0-5347-407a-b3af-d936ec0e1f92\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">GHOSTFORM<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/0b8afd4e-30d5-4247-b2a4-92ab6fbf0407?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">TWINTALK<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/0b8afd4e-30d5-4247-b2a4-92ab6fbf0407?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">TWINTASK<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/0ab27187-663f-4f18-adbf-47d87ccab5ce\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">PXAStealer<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/aac66ac8-ac32-4f5f-b3dc-a3a720e9ee92?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Phorpiex<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/3b9657cf-24e3-4885-8ba4-b040aa1ee8e9?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Pulser<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/752ccbfe-9d00-4cf9-8dbf-71edeef21693\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">HoppingAnt<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/c069f8d6-132d-4880-8674-d640756f3bb3?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Vidar<\/a>&nbsp;<\/li>\n<\/ul>\n<\/div><\/div>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"570\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-30-at-21.23.33-1024x570.png\" alt=\"Banshee stealer targeting macOS users detected inside ANY.RUN\u00a0sandbox\u00a0\" class=\"wp-image-19676\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-30-at-21.23.33-1024x570.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-30-at-21.23.33-300x167.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-30-at-21.23.33-768x427.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-30-at-21.23.33-1536x855.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-30-at-21.23.33-2048x1140.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-30-at-21.23.33-370x206.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-30-at-21.23.33-270x150.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-30-at-21.23.33-740x412.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Banshee stealer targeting macOS users detected inside ANY.RUN&nbsp;sandbox<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p><strong>New&nbsp;behavior-based detections also cover:<\/strong>&nbsp;<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-grid wp-container-core-group-is-layout-4 wp-block-group-is-layout-grid\">\n<ul class=\"wp-block-list\">\n<li>PhantomCore&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/54086338-157f-47b3-adb3-fb16e7db85f9\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Hide file extensions via registry<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/144fd53d-fff3-4cd0-a36d-e459e9e7a6f2\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Self-deletion pattern detected<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Delivers shell command via&nbsp;<strong>nslookup<\/strong>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktolookup#%7B%22query%22:%22ruleName:%5C%227ev3n%20has%20been%20detected%5C%22%22,%22dateRange%22:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">7ev3n process activity<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktolookup#%7B%22query%22:%22ruleName:%5C%22CRYPREN%20mutex%20has%20been%20found%5C%22%22,%22dateRange%22:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">CRYPREN mutex<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktolookup#%7B%22query%22:%22ruleName:%5C%22REDEEMER%20mutex%20has%20been%20found%5C%22%22,%22dateRange%22:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">REDEEMER&nbsp;mutex<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktolookup#%7B%22query%22:%22ruleName:%5C%22PowerShell%20remote%20script%20execution%20via%20IRM%20piped%20to%20IEX%5C%22%22,%22dateRange%22:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">PowerShell IRM\/IEX command execution<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktolookup#%7B%22query%22:%22ruleName:%5C%22Uses%20SLMGR.VBS%20to%20activate%20Windows%20license%20online%5C%22%22,%22dateRange%22:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">Use of SLMGR.VBS with \/ato<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktolookup#%7B%22query%22:%22ruleName:%5C%22Uses%20SLMGR.VBS%20to%20install%20a%20license%20key%5C%22%22,%22dateRange%22:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">Use of SLMGR.VBS with \/ipk<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktolookup#%7B%22query%22:%22ruleName:%5C%22FORBIX%20has%20been%20detected%5C%22%22,%22dateRange%22:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">FORBIX registry activity<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktolookup#%7B%22query%22:%22ruleName:%5C%22HYDRA%20has%20been%20detected%5C%22%22,%22dateRange%22:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">HYDRA-related files<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktolookup#%7B%22query%22:%22ruleName:%5C%22STUXNET%20has%20been%20detected%5C%22%22,%22dateRange%22:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">STUXNET-related files<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktolookup#%7B%22query%22:%22ruleName:%5C%22POWERSHELL%20executes%20a%20script%20with%20a%20hex-encoded%20filename%5C%22%22,%22dateRange%22:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">Suspicious hex-named PowerShell execution<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktolookup#%7B%22query%22:%22ruleName:%5C%22SERVICEFOR%20has%20been%20detected%5C%22%22,%22dateRange%22:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">SERVICEFOR registry activity<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktolookup#%7B%22query%22:%22ruleName:%5C%22NSMINER%20has%20been%20detected%5C%22%22,%22dateRange%22:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">NSMINER-related files<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/3b9657cf-24e3-4885-8ba4-b040aa1ee8e9\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Changes monitor brightness via PowerShell<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/044cc204-4784-4746-a575-130d4f3fdf60?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Checks VM-related processes<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/044cc204-4784-4746-a575-130d4f3fdf60?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Checks VM-related registry<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/044cc204-4784-4746-a575-130d4f3fdf60?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">NET.EXE used to gather Windows client statistics<\/a>&nbsp;<\/li>\n<\/ul>\n<\/div><\/div>\n\n\n\n<p>Together, these additions give security teams broader&nbsp;behavioral&nbsp;coverage across both established malware families and attacker techniques that commonly appear in multi-stage intrusions.&nbsp;<\/p>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\nThreats evolve fast across campaigns and infrastructure <br>Now your SOC can track them with <span class=\"highlight\">TI Lookup\u00a0<\/span>\n&nbsp;   \n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/intelligence.any.run\/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=release-notes-march-2026&#038;utm_term=310326&#038;utm_content=linktotilookup\" rel=\"noopener\" target=\"_blank\">\nTry TI Lookup\n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<h3 class=\"wp-block-heading\">New Suricata Rules&nbsp;<\/h3>\n\n\n\n<p>In March, we added&nbsp;<strong>1,293 new Suricata rules<\/strong>&nbsp;to strengthen detection of credential theft, phishing activity, and malicious command-and-control traffic.&nbsp;<\/p>\n\n\n\n<p>Key highlights include:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Credential theft via Telegram API&nbsp;(sid: 84001778)<\/strong>: Tracks adversary&nbsp;attempts&nbsp;to exfiltrate victim&#8217;s email &amp; password via Telegram Bot API&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>MS OAuth Device Code phish \/ EvilTokens activity (sid: 84001845)<\/strong>: Identifies usage of emerged attack technique that exploits legitimate OAuth 2.0 device authorization flows to gain control over victims&#8217; Microsoft 365 accounts<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>DinDoor backdoor HTTP activity (sid: 85006556)<\/strong>: Detects Iran-linked MuddyWater (TA450) actor&#8217;s new backdoor attempts to establish C2 communication via HTTP<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Threat Intelligence Reports&nbsp;<\/h3>\n\n\n\n<p>In March, our team published new <a href=\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-reports\/\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Reports<\/a> on emerging malware, banking trojans, ransomware, backdoors, and stealthy delivery techniques. <\/p>\n\n\n\n<p>Available as part of ANY.RUN\u2019s <a href=\"https:\/\/intelligence.any.run\/plans?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktotiplans\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup Premium<\/a> plan, these reports help security teams better understand active threats and investigate them with stronger context.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"524\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-30-at-23.16.33-1024x524.png\" alt=\"\" class=\"wp-image-19677\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-30-at-23.16.33-1024x524.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-30-at-23.16.33-300x154.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-30-at-23.16.33-768x393.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-30-at-23.16.33-1536x786.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-30-at-23.16.33-2048x1049.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-30-at-23.16.33-370x189.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-30-at-23.16.33-270x138.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-30-at-23.16.33-585x300.png 585w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/03\/Screenshot-2026-03-30-at-23.16.33-740x379.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Threat Intelligence reports available in ANY.RUN<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/intelligence.any.run\/reports\/2026-03-25-threat-brief-vidar-venon-slopoly\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>VIDAR,&nbsp;VENON, and SLOPOLY<\/strong><\/a><strong>:<\/strong>&nbsp;This report covers a polymorphic stealer, a Rust-based banking RAT, and a PowerShell backdoor tied to the Hive0163 ecosystem, with a focus on their&nbsp;behavior, artifacts, and detection opportunities.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/intelligence.any.run\/reports\/03-19-threat-brief-steaelite-blackreaperrat-jigsaw1\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Steaelite,&nbsp;BlackReaper, and Jigsaw<\/strong><\/a><strong>:<\/strong>&nbsp;This brief&nbsp;looks at three threats combining credential theft, remote access, persistence, and ransomware&nbsp;behavior, including Telegram-based control and file encryption activity.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/intelligence.any.run\/reports\/05-03-threat-brief-phantomproxylite-rutsstager-steaeliterat-nopname\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>PhantomProxyLite,&nbsp;Rutsstager,&nbsp;Steaelite&nbsp;RAT, and&nbsp;Nopname<\/strong><\/a><strong>:<\/strong>&nbsp;This report explores&nbsp;tunneling, registry-based staging, data theft, and ransomware, showing how these threats mix stealth techniques with clear forensic traces.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>&nbsp;provides interactive malware analysis and threat intelligence solutions built to support modern security operations.&nbsp;<\/p>\n\n\n\n<p>By combining&nbsp;<a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktosandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">Interactive&nbsp;Sandbox<\/a>,&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence&nbsp;Lookup<\/a>, and&nbsp;<a href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktotifeedslanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Feeds<\/a>, ANY.RUN helps SOC and MSSP teams accelerate threat analysis, investigate incidents with greater clarity, and detect emerging attacks earlier.&nbsp;<\/p>\n\n\n\n<p>Used by more than 15,000 organizations and over 600,000 security professionals worldwide, including 74% of Fortune 100 companies, ANY.RUN is focused on helping teams improve detection and response while meeting the data protection, <a href=\"https:\/\/any.run\/compliance\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktocompliance\" target=\"_blank\" rel=\"noreferrer noopener\">compliance<\/a>, and workflow demands of real-world security operation<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/enterprise\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=release-notes-march-2026&amp;utm_term=310326&amp;utm_content=linktoenterprise#contact-sales\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Integrate ANY.RUN\u2019s solution for Tier 1\/2\/3 in your organization \u2192<\/strong><\/a><strong><\/strong>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>March was a packed month for&nbsp;ANY.RUN.&nbsp;We rolled out major product improvements that help security teams investigate phishing inside encrypted traffic, expand cross-platform analysis with macOS, and bring Windows Server into the&nbsp;sandbox&nbsp;workflow. At the same time, our detection team continued to strengthen threat coverage with new&nbsp;behavior&nbsp;signatures, Suricata rules, and fresh threat intelligence reports focused on active [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":15741,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[57,10,56],"class_list":["post-19659","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-service-updates","tag-anyrun","tag-cybersecurity","tag-update"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Release Notes: SSL Decryption, macOS, Windows Server &amp; 1300+ New Detecions<\/title>\n<meta name=\"description\" content=\"March updates in ANY.RUN bring stronger phishing detection, broader sandbox coverage with macOS and Windows Server, new detections, and fresh TI reports.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/release-notes-march-2026\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ANY.RUN\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/release-notes-march-2026\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/release-notes-march-2026\/\"},\"author\":{\"name\":\"ANY.RUN\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Release Notes: Cross-Platform\u00a0Threat Analysis with macOS, SSL Decryption, and\u00a01,300+ New Detections\u00a0\",\"datePublished\":\"2026-03-31T10:24:19+00:00\",\"dateModified\":\"2026-03-31T11:16:09+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/release-notes-march-2026\/\"},\"wordCount\":1749,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"update\"],\"articleSection\":[\"Service Updates\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/release-notes-march-2026\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/release-notes-march-2026\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/release-notes-march-2026\/\",\"name\":\"Release Notes: SSL Decryption, macOS, Windows Server & 1300+ New Detecions\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2026-03-31T10:24:19+00:00\",\"dateModified\":\"2026-03-31T11:16:09+00:00\",\"description\":\"March updates in ANY.RUN bring stronger phishing detection, broader sandbox coverage with macOS and Windows Server, new detections, and fresh TI reports.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/release-notes-march-2026\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/release-notes-march-2026\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/release-notes-march-2026\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Service Updates\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/service-updates\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Release Notes: Cross-Platform\u00a0Threat Analysis with macOS, SSL Decryption, and\u00a01,300+ New Detections\u00a0\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"caption\":\"ANY.RUN\"},\"url\":\"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Release Notes: SSL Decryption, macOS, Windows Server & 1300+ New Detecions","description":"March updates in ANY.RUN bring stronger phishing detection, broader sandbox coverage with macOS and Windows Server, new detections, and fresh TI reports.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/release-notes-march-2026\/","twitter_misc":{"Written by":"ANY.RUN","Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/release-notes-march-2026\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/release-notes-march-2026\/"},"author":{"name":"ANY.RUN","@id":"https:\/\/any.run\/"},"headline":"Release Notes: Cross-Platform\u00a0Threat Analysis with macOS, SSL Decryption, and\u00a01,300+ New Detections\u00a0","datePublished":"2026-03-31T10:24:19+00:00","dateModified":"2026-03-31T11:16:09+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/release-notes-march-2026\/"},"wordCount":1749,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","update"],"articleSection":["Service Updates"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/release-notes-march-2026\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/release-notes-march-2026\/","url":"https:\/\/any.run\/cybersecurity-blog\/release-notes-march-2026\/","name":"Release Notes: SSL Decryption, macOS, Windows Server & 1300+ New Detecions","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2026-03-31T10:24:19+00:00","dateModified":"2026-03-31T11:16:09+00:00","description":"March updates in ANY.RUN bring stronger phishing detection, broader sandbox coverage with macOS and Windows Server, new detections, and fresh TI reports.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/release-notes-march-2026\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/release-notes-march-2026\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/release-notes-march-2026\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Service Updates","item":"https:\/\/any.run\/cybersecurity-blog\/category\/service-updates\/"},{"@type":"ListItem","position":3,"name":"Release Notes: Cross-Platform\u00a0Threat Analysis with macOS, SSL Decryption, and\u00a01,300+ New Detections\u00a0"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"ANY.RUN","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","caption":"ANY.RUN"},"url":"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/19659"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=19659"}],"version-history":[{"count":30,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/19659\/revisions"}],"predecessor-version":[{"id":19705,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/19659\/revisions\/19705"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/15741"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=19659"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=19659"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=19659"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}