{"id":5140,"date":"2023-06-08T07:32:12","date_gmt":"2023-06-08T07:32:12","guid":{"rendered":"\/cybersecurity-blog\/?p=5140"},"modified":"2023-06-08T10:55:26","modified_gmt":"2023-06-08T10:55:26","slug":"malware-analysis-news-may2023","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-news-may2023\/","title":{"rendered":"Malware Analysis News: May 2023\u00a0\u00a0"},"content":{"rendered":"\n<p>Welcome to the May 2023 edition of our monthly malware analysis news report.<\/p>\n\n\n\n<p>We\u2019ve gathered some of the most important cybersecurity events of the past month. Read on to make sure you\u2019re not missing any emerging threats.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. QBot Malware Abuse of Windows WordPad EXE<\/h2>\n\n\n\n<p>The <strong>QBot<\/strong> malware operation has <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/qbot-malware-abuses-windows-wordpad-exe-to-infect-devices\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">begun<\/a> abusing a DLL hijacking flaw in the Windows 10 WordPad program (write.exe) to infect computers.<\/p>\n\n\n\n<p>DLL hijacking abuses the order in which a Windows application searches for the libraries it loads: because the directory the executable runs from is checked before the system directories, an attacker who can place a same-named DLL beside the executable gets that DLL loaded instead of the legitimate one, and the malicious code then runs inside a trusted, Microsoft-signed process. <a href=\"https:\/\/any.run\/malware-trends\/qbot\/?utm_source=blog&amp;utm_medium=article&amp;utm_campaign=maydigest&amp;utm_content=tracker&amp;utm_term=080623\/\" target=\"_blank\" rel=\"noreferrer noopener\">QBot<\/a> is primarily spread through phishing campaigns that carry a link to download a file; once the file is downloaded and executed, the infection chain begins.<\/p>\n\n\n\n<p>While QBot started out as a banking Trojan, it has since evolved into a dropper for other malware and works with ransomware groups to compromise corporate networks.&nbsp;
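As an added example (not code from the original post, from ANY.RUN, or from the QBot research it links), here is a detection check a SOC could run over Sysmon image-load telemetry to catch the hijack pattern: WordPad loading a DLL from somewhere other than the Windows system directories, or write.exe itself running from a user-writable path. It assumes Sysmon Event ID 7 records already parsed into dictionaries with Sysmon's standard field names and a system root of C:\Windows; the sample events are constructed for the demo, and the DLL and folder names in them are placeholders, not indicators from the post.

```python
"""Flag DLL side-loading into WordPad (write.exe) from Sysmon image-load events.

Added example, not code from the original post or from the QBot research it
cites. Assumptions: events are Sysmon Event ID 7 (Image loaded) records parsed
into dicts with Sysmon's field names (Image, ImageLoaded, Signed,
SignatureStatus); the Windows system root is C:\\Windows; the sample events
below are constructed and their DLL/folder names are placeholders.
"""
from pathlib import PureWindowsPath

# Directories from which a Windows system binary is expected to load DLLs.
TRUSTED_DLL_DIRS = (
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Windows\WinSxS",
)

# Directories that legitimately contain write.exe (exact match on the parent,
# so user-writable subfolders such as C:\Windows\Temp do not qualify).
EXPECTED_EXE_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}

# The hijacked host process; the rule keys on the file name, not the path,
# because the attacker may run a copy of write.exe from anywhere.
HIJACK_TARGET = "write.exe"


def is_under(path: str, roots) -> bool:
    """Case-insensitive check that `path` lies below one of `roots`."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    for root in roots:
        root_parts = [p.lower() for p in PureWindowsPath(root).parts]
        if parts[: len(root_parts)] == root_parts:
            return True
    return False


def suspicious_loads(events) -> list:
    """Return one finding per image-load event that matches the hijack pattern."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue  # only image-load events carry ImageLoaded
        image = PureWindowsPath(ev["Image"])
        if image.name.lower() != HIJACK_TARGET:
            continue
        reasons = []
        if not is_under(ev["ImageLoaded"], TRUSTED_DLL_DIRS):
            reasons.append("DLL loaded from outside the Windows system directories")
        if str(image.parent).lower() not in EXPECTED_EXE_DIRS:
            reasons.append("write.exe executing from a non-system path")
        if not reasons:
            continue
        # Signature state is triage context, not a trigger: a validly signed
        # DLL pulled from a user-writable folder is still wrong for this process.
        signed = (ev.get("Signed", "false").lower() == "true"
                  and ev.get("SignatureStatus") == "Valid")
        findings.append({
            "process": ev["Image"],
            "dll": ev["ImageLoaded"],
            "dll_signed": signed,
            "reasons": reasons,
        })
    return findings


# Constructed sample telemetry (not real events); names are placeholders.
SAMPLE_EVENTS = [
    # benign: WordPad in its normal location loading a system DLL
    {"EventID": 7, "Image": r"C:\Windows\System32\write.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # hijack pattern: a copy of write.exe in Temp loading an unsigned DLL beside it
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\write.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\example.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # another process loading the same DLL: outside this rule's scope
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\example.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # process-creation event: no ImageLoaded field, skipped
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\write.exe"},
]

if __name__ == "__main__":
    for hit in suspicious_loads(SAMPLE_EVENTS):
        print(hit["process"], "->", hit["dll"], "|", "; ".join(hit["reasons"]))
```

Tune the rule by adding any enterprise-managed locations from which write.exe legitimately loads add-ins, and pair it with the process-creation event (ID 1) to see what launched the copy of write.exe in the first place.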
QBot also harvests emails from infected hosts for use in follow-on phishing attacks.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">2. Batloader Campaign Utilizes AI Ads to Distribute RedLine Stealer<\/h2>\n\n\n\n<p>A new campaign involving the <strong>Batloader<\/strong> malware is using Google Search advertisements for the ChatGPT and Midjourney generative AI services to distribute the RedLine stealer.<\/p>\n\n\n\n<p>The fraudulent ads redirect users to lookalike pages offering ChatGPT or Midjourney installers bundled with a PowerShell script. The script downloads RedLine, and the installer&#8217;s use of Microsoft Edge WebView2 helps the malicious activity go unnoticed.<\/p>\n\n\n\n<p>The lure shows how quickly criminals adapt to whatever is popular. Earlier reports tied Batloader to ChatGPT-themed campaigns distributing <a href=\"https:\/\/any.run\/malware-trends\/vidar\/?utm_source=blog&amp;utm_medium=article&amp;utm_campaign=maydigest&amp;utm_content=tracker&amp;utm_term=080623\/\" target=\"_blank\" rel=\"noreferrer noopener\">Vidar Stealer<\/a> and <a href=\"https:\/\/app.any.run\/submissions\/#tag:ursnif\" target=\"_blank\" rel=\"noreferrer noopener\">Ursnif<\/a>.&nbsp;
Furthermore, an increase in ChatGPT-related domain registrations has been noted, highlighting the need for heightened vigilance around AI-themed lures.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">3. SeroXen Remote Access Trojan Is Rising in Popularity<\/h2>\n\n\n\n<p><strong>SeroXen<\/strong>, a fileless Remote Access Trojan (RAT), has <a href=\"https:\/\/malware.news\/t\/seroxen-rat-for-sale\/70022\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">surged<\/a> in popularity, especially among attackers targeting the gaming community.<\/p>\n\n\n\n<p>SeroXen, which emerged in late 2022, combines <a href=\"https:\/\/any.run\/malware-trends\/quasar\/?utm_source=blog&amp;utm_medium=article&amp;utm_campaign=maydigest&amp;utm_content=tracker&amp;utm_term=080623\/\" target=\"_blank\" rel=\"noreferrer noopener\">Quasar RAT<\/a>, the r77 rootkit and the NirCmd command-line utility, which gives it strong evasion capabilities. Marketed as a legitimate, undetectable remote access tool, it is currently aimed mostly at video game players, and its low price ($30 per month or $60 for a lifetime license) is driving its spread.<\/p>\n\n\n\n<p>Stay alert: it is only a matter of time before businesses encounter this threat as well.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">4. RomCom Malware Spread with Google Ads<\/h2>\n\n\n\n<p>A new malware campaign impersonating software such as <a href=\"https:\/\/any.run\/cybersecurity-blog\/chatgpt-for-analysts\/\" target=\"_blank\" rel=\"noreferrer noopener\">ChatGPT<\/a> and GIMP has been detected <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/romcom-malware-spread-via-google-ads-for-chatgpt-gimp-more\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">distributing<\/a> the <strong>RomCom<\/strong> backdoor.<\/p>\n\n\n\n<p>The campaign impersonates well-known software websites, promotes the fakes via Google Ads and tricks users into downloading trojanized installers. RomCom is associated with a Cuba ransomware affiliate and can cause significant damage.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">5.&nbsp;
MDBotnet Emerges as a New DDoS Threat<\/h2>\n\n\n\n<p>A new malware strain called &#8220;<strong>MDBotnet<\/strong>&#8221; has been <a href=\"https:\/\/blog.cyble.com\/2023\/05\/23\/new-mdbotnet-unleashes-ddos-attacks\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">discovered<\/a> by Cyble Research and Intelligence Labs (CRIL). MDBotnet is built to run Distributed Denial of Service (DDoS) attacks using HTTP and SYN flood techniques.<\/p>\n\n\n\n<p>The service is advertised on a cybercrime forum for 2,500 rubles (roughly $30) with lifetime access, and the advertisement describes its features in detail. Organizations should make sure their DDoS mitigation is up to date, since cheap botnet rentals like this lower the bar for anyone wanting to launch an attack.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">6. npm Packages Found Distributing TurkoRAT Malware<\/h2>\n\n\n\n<p>Multiple npm packages have been <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/npm-packages-caught-serving-turkorat-binaries-that-mimic-nodejs\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">found<\/a> to contain a trojan named <strong>TurkoRAT<\/strong>, disguised as Node.js libraries.<\/p>\n\n\n\n<p>The packages sat on npm for over two months before detection; a very low detection rate contributed to their long life.<\/p>\n\n\n\n<p>The three packages, nodejs-encrypt-agent, nodejs-cookie-proxy-agent and axios-proxy, were downloaded over 1,200 times in total. Each contained a Windows executable that mimics Node.js but is malicious.&nbsp;
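As an added example (not code from the original post, from ANY.RUN, or from the researchers who reported TurkoRAT), the following Python script scans an unpacked npm package for the two traits described above: a native executable hidden among the JavaScript, identified by its file header rather than its extension so that renaming does not help, and a lifecycle script that would run it during `npm install`. It assumes the package has already been fetched and extracted to a directory; the sample package it builds is constructed for the demo, and its name and file names are placeholders, not indicators from the report.

```python
"""Scan an unpacked npm package for bundled native executables and install hooks.

Added example, not code from the original post or from the TurkoRAT research it
links. Assumptions: the package has already been fetched and extracted to a
directory; the sample package built by build_sample_package() is constructed
for this demo and its name and file names are placeholders.
"""
import json
import tempfile
from pathlib import Path

# Magic bytes of native executable formats an npm package has no business
# shipping unless it documents a native add-on.
MAGICS = {
    b"MZ": "PE (Windows)",
    b"\x7fELF": "ELF (Linux)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
}
# npm lifecycle scripts that run automatically during install.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def native_binary_type(path: Path):
    """Return the executable format name if the file starts with a known magic, else None."""
    with path.open("rb") as fh:
        head = fh.read(4)
    for magic, name in MAGICS.items():
        if head.startswith(magic):
            return name
    return None


def scan_package(root: Path) -> list:
    """Return findings for install hooks in package.json and native binaries in the tree."""
    findings = []
    manifest = root / "package.json"
    if manifest.is_file():
        scripts = json.loads(manifest.read_text(encoding="utf-8")).get("scripts", {})
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                findings.append({"kind": "install-hook", "path": "package.json",
                                 "detail": f"{hook}: {scripts[hook]}"})
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        fmt = native_binary_type(path)
        if fmt:
            findings.append({"kind": "native-binary",
                             "path": path.relative_to(root).as_posix(),
                             "detail": f"{fmt} header in a file with extension "
                                       f"{path.suffix or '(none)'}"})
    return findings


def build_sample_package(root: Path) -> None:
    """Constructed package mirroring the reported pattern: JS wrapper plus a PE file posing as Node."""
    (root / "lib").mkdir(parents=True, exist_ok=True)
    (root / "package.json").write_text(json.dumps({
        "name": "example-proxy-agent",  # placeholder, not a real package name
        "version": "1.0.0",
        "main": "index.js",
        "scripts": {"postinstall": "node lib/setup.js"},
    }), encoding="utf-8")
    (root / "index.js").write_text(
        "module.exports = require('./lib/setup.js');\n", encoding="utf-8")
    (root / "lib" / "setup.js").write_text(
        "require('child_process').execFile(__dirname + '/node.exe');\n", encoding="utf-8")
    # Only the DOS header magic plus padding: enough to be flagged, not a runnable program.
    (root / "lib" / "node.exe").write_bytes(b"MZ" + b"\x00" * 62)


def demo() -> list:
    """Build the sample package in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "example-proxy-agent"
        build_sample_package(root)
        return scan_package(root)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['kind']:14} {finding['path']:20} {finding['detail']}")
```

To check a real package, run `npm pack <name>` and `tar -xzf <name>-<version>.tgz`, then call `scan_package(Path("package"))`. Treat a native binary as a lead to investigate rather than proof of compromise, since legitimate packages with documented native add-ons exist; the combination of an undocumented binary and an install hook that executes it is the pattern worth blocking.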
The bundled executable runs the TurkoRAT infostealer, a customizable &#8220;grabber&#8221; and credential stealer that is difficult to detect.<\/p>\n\n\n\n<p>The packages were removed from the npm registry once detected, but their prolonged presence highlights the risk that unvetted open source packages pose to software supply chain security.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">7. Water Orthrus Launches Rootkit and Phishing Campaigns<\/h2>\n\n\n\n<p>Water Orthrus, a known threat actor, has been <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/e\/water-orthrus-new-campaigns-deliver-rootkit-and-phishing-modules.html\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">identified<\/a> as the source of two new malware campaigns: CopperStealth and CopperPhish.<\/p>\n\n\n\n<p>CopperStealth uses a rootkit to install malware onto systems, while CopperPhish targets credit card information. The group has been distributing CopperStealer through pay-per-install networks since 2021, modifying it several times for different purposes, such as injecting network ads, gathering personal information and stealing cryptocurrency.<\/p>\n\n\n\n<p>The new campaigns resemble CopperStealer in several ways, suggesting they come from the same author. CopperStealth was first distributed in March 2023, targeting users via a popular Chinese software sharing website.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">8. DarkWatchMan RAT Spreads Via Phishing Sites, Hides in Windows Registry<\/h2>\n\n\n\n<p>Cyble Research and Intelligence Labs (CRIL) has <a href=\"https:\/\/blog.cyble.com\/2023\/05\/05\/sophisticated-darkwatchman-rat-spreads-through-phishing-sites\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">identified<\/a> a phishing site distributing the DarkWatchMan Remote Access Trojan (RAT).<\/p>\n\n\n\n<p>The site mimics the legitimate CryptoPro CSP website and offers a malicious file for download.&nbsp;
DarkWatchMan, first detected in 2021 and aimed primarily at users in former Soviet countries, gives attackers remote control over compromised systems and lets them extract sensitive data. Notably, it stores captured data in the Windows registry rather than writing it to disk, which reduces the likelihood of detection. In this campaign the malware was delivered as an archive named &#8220;CSPSetup.rar&#8221; offered for download on the phishing site.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Wrapping Up May with ANY.RUN<\/h2>\n\n\n\n<p>Throughout May, the analyst team at ANY.RUN has been busy analyzing malware and adding new config extractors and signatures. In case you haven&#8217;t caught up with our May releases, here&#8217;s a quick recap.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>New signatures and extractors<\/strong><\/h3>\n\n\n\n<p>We&#8217;ve added automatic configuration extractors for <a href=\"https:\/\/app.any.run\/tasks\/301076c5-d6bc-4cbe-9149-f7d46d853ead\/?utm_source=blog&amp;utm_medium=article&amp;utm_campaign=maydigest&amp;utm_content=task1&amp;utm_term=080623\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>StealC<\/strong><\/a>, <a href=\"https:\/\/app.any.run\/tasks\/83c51072-9e4f-48d4-9b4a-cea3acae60f6\/?utm_source=blog&amp;utm_medium=article&amp;utm_campaign=maydigest&amp;utm_content=task2&amp;utm_term=080623\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>RevengeRAT<\/strong><\/a>, <a href=\"https:\/\/app.any.run\/tasks\/5d94717f-aefa-4b17-8047-b52d7a310f29\/?utm_source=blog&amp;utm_medium=article&amp;utm_campaign=maydigest&amp;utm_content=task3&amp;utm_term=080623\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>LucaStealer<\/strong><\/a>, <a href=\"https:\/\/app.any.run\/tasks\/46d8c5dd-0fa5-43fc-9055-6b645c6cfbd7\/?utm_source=blog&amp;utm_medium=article&amp;utm_campaign=maydigest&amp;utm_content=task4&amp;utm_term=080623\/\" target=\"_blank\" rel=\"noreferrer 
noopener\"><strong>SolarMarker<\/strong><\/a>, and <a href=\"https:\/\/app.any.run\/tasks\/d5e7131c-582a-4ddc-9f29-c882e8dd9e3f\/?utm_source=blog&amp;utm_medium=article&amp;utm_campaign=maydigest&amp;utm_content=task5&amp;utm_term=080623\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>DBatLoader<\/strong><\/a>.&nbsp;<\/p>\n\n\n\n<p>DBatLoader briefly entered our weekly top 10 most uploaded malware chart. Keep an eye on this one.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"761\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-1-1024x761.png\" alt=\"Top 10 malware families uploaded to ANY.RUN\" class=\"wp-image-5141\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-1-1024x761.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-1-300x223.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-1-768x571.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-1-1536x1141.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-1-370x275.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-1-270x201.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-1-740x550.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-1-80x60.png 80w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/06\/image-1.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Top 10 malware families uploaded to ANY.RUN&nbsp;in the 22 \u2013 29 May period&nbsp;<\/figcaption><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>New Rules for Emerging Threats<\/strong> &nbsp;<\/h3>\n\n\n\n<p>We\u2019ve written 5 detection rules which were <a 
href=\"https:\/\/community.emergingthreats.net\/t\/ruleset-update-summary-2023-05-23-v10330\/587\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">added<\/a>&nbsp;by the Emerging Threats community. Here\u2019s the full list, and you can use them in ANY.RUN directly, too.&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/app.any.run\/tasks\/998d498a-c66d-41b4-b3d0-b51cf5f8c6db\/?utm_source=mtt&amp;utm_medium=article&amp;utm_campaign=maydigest2023&amp;utm_content=task6\" target=\"_blank\" rel=\"noreferrer noopener\">ET MALWARE [ANY.RUN] LgoogLoader Retrieving Config File <\/a>&nbsp;&nbsp;<\/li>\n\n\n\n<li><a href=\"https:\/\/app.any.run\/tasks\/6214baa7-48dc-4694-94d1-05c8ec1fed85?utm_source=mtt&amp;utm_medium=article&amp;utm_campaign=maydigest2023&amp;utm_content=task7\" target=\"_blank\" rel=\"noreferrer noopener\">ET MALWARE [ANY.RUN] PikaBot Related Activity (GET)<\/a>&nbsp;&nbsp;<\/li>\n\n\n\n<li><a href=\"https:\/\/app.any.run\/tasks\/fabf0238-b02b-4b7e-8c42-05befe9664b5\/?utm_source=mtt&amp;utm_medium=article&amp;utm_campaign=maydigest2023&amp;utm_content=task8\" target=\"_blank\" rel=\"noreferrer noopener\">ET MALWARE [ANY.RUN] RedLine Stealer Related (MC-NMF Authorization)<\/a>&nbsp;&nbsp;<\/li>\n\n\n\n<li><a href=\"https:\/\/app.any.run\/tasks\/0c7b50ac-6787-4c3c-9351-637fc4f27402?utm_source=mtt&amp;utm_medium=article&amp;utm_campaign=maydigest2023&amp;utm_content=task9\" target=\"_blank\" rel=\"noreferrer noopener\">ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound)&nbsp;<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/app.any.run\/tasks\/4c4c0c96-79d2-4a6b-ba28-2531bde07c05?utm_source=mtt&amp;utm_medium=article&amp;utm_campaign=maydigest2023&amp;utm_content=task10\" target=\"_blank\" rel=\"noreferrer noopener\">ET MALWARE [ANY.RUN] RCRU64 Ransomware Variant CnC Activity&nbsp;<\/a><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>108 Suricata rules added to ANY.RUN<\/strong>&nbsp;<\/h3>\n\n\n\n<p>108 
network rules in the Suricata format have been created for detection in ANY.RUN. These include the detection of the following threats:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>PennyWise&nbsp;<\/li>\n\n\n\n<li>Vice Society&nbsp;<\/li>\n\n\n\n<li>GootLoader&nbsp;<\/li>\n\n\n\n<li>Banditstealer&nbsp;<\/li>\n\n\n\n<li>Ducktail&nbsp;<\/li>\n\n\n\n<li>ViperSoftX&nbsp;<\/li>\n\n\n\n<li>Arkei&nbsp;<\/li>\n\n\n\n<li>DarkVision&nbsp;<\/li>\n\n\n\n<li>ZgRat&nbsp;<\/li>\n\n\n\n<li>PrivateLoader&nbsp;<\/li>\n\n\n\n<li>Mekotio&nbsp;<\/li>\n\n\n\n<li>Gh0st&nbsp;<\/li>\n\n\n\n<li>AsyncRat&nbsp;<\/li>\n\n\n\n<li>NetSupport RAT&nbsp;<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">&nbsp;<br><strong>Blog updates<\/strong>&nbsp;<\/h3>\n\n\n\n<p>We&#8217;ve delved into <a href=\"https:\/\/any.run\/cybersecurity-blog\/deobfuscating-guloader\/\" target=\"_blank\" rel=\"noreferrer noopener\">automating GuLoader analysis<\/a>, explored how malware analysts can <a href=\"https:\/\/any.run\/cybersecurity-blog\/chatgpt-for-analysts\/\" target=\"_blank\" rel=\"noreferrer noopener\">leverage ChatGPT<\/a>, and, last but not least, released a useful step-by-step guide on <a href=\"https:\/\/any.run\/cybersecurity-blog\/how-to-create-a-task\/\" target=\"_blank\" rel=\"noreferrer noopener\">setting up a new task in ANY.RUN<\/a> cloud malware sandbox.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>New Malware Overviews<\/strong>&nbsp;<\/h3>\n\n\n\n<p>We&#8217;ve also added several new malware overviews to our Trends Tracker, where we post information about different malware families along with IOCs and samples \u2014 updated in real time. 
In May, we\u2019ve added:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/any.run\/malware-trends\/darkside\/?utm_source=blog&amp;utm_medium=article&amp;utm_campaign=maydigest&amp;utm_content=tracker&amp;utm_term=080623\/\" target=\"_blank\" rel=\"noreferrer noopener\">DarkSide<\/a>&nbsp;<\/li>\n\n\n\n<li><a href=\"https:\/\/any.run\/malware-trends\/squirrelwaffle\/?utm_source=blog&amp;utm_medium=article&amp;utm_campaign=maydigest&amp;utm_content=tracker&amp;utm_term=080623\/\" target=\"_blank\" rel=\"noreferrer noopener\">SquirrelWaffle<\/a>&nbsp;<\/li>\n\n\n\n<li><a href=\"https:\/\/any.run\/malware-trends\/lockbit\/?utm_source=blog&amp;utm_medium=article&amp;utm_campaign=maydigest&amp;utm_content=tracker&amp;utm_term=080623\/\" target=\"_blank\" rel=\"noreferrer noopener\">LockBit<\/a>&nbsp;<\/li>\n\n\n\n<li>And <a href=\"https:\/\/any.run\/malware-trends\/snakekeylogger\/?utm_source=blog&amp;utm_medium=article&amp;utm_campaign=maydigest&amp;utm_content=tracker&amp;utm_term=080623\/\" target=\"_blank\" rel=\"noreferrer noopener\">Snake Keylogger<\/a>&nbsp;<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Welcome to the May 2023 edition of our monthly malware analysis news report.&nbsp;&nbsp; We\u2019ve gathered some of the most important cybersecurity events that transpired over the past month. Read on to make sure you\u2019re not missing any emerging threats.&nbsp; 1. 
QBot Malware Abuse of Windows WordPad EXE&nbsp; The QBot malware operation has begun exploiting a [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":5142,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[60],"tags":[34],"class_list":["post-5140","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Malware Analysis News May 2023\u00a0\u00a0<\/title>\n<meta name=\"description\" content=\"We&#039;ve compiled some of the most significant security events, news and emerging threats over the past month in our malware analysis digest.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-news-may2023\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ANY.RUN\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-news-may2023\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-news-may2023\/\"},\"author\":{\"name\":\"ANY.RUN\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Malware Analysis News: May 2023\u00a0\u00a0\",\"datePublished\":\"2023-06-08T07:32:12+00:00\",\"dateModified\":\"2023-06-08T10:55:26+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-news-may2023\/\"},\"wordCount\":1230,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"malware analysis\"],\"articleSection\":[\"News\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-news-may2023\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-news-may2023\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-news-may2023\/\",\"name\":\"Malware Analysis News May 2023\u00a0\u00a0\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2023-06-08T07:32:12+00:00\",\"dateModified\":\"2023-06-08T10:55:26+00:00\",\"description\":\"We've compiled some of the most significant security events, news and emerging threats over the past month in our malware analysis 
digest.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-news-may2023\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-news-may2023\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-news-may2023\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"News\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/news\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Malware Analysis News: May 2023\u00a0\u00a0\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"caption\":\"ANY.RUN\"},\"url\":\"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Malware Analysis News May 2023\u00a0\u00a0","description":"We've compiled some of the most significant security events, news and emerging threats over the past month in our malware analysis digest.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-news-may2023\/","twitter_misc":{"Written by":"ANY.RUN","Est. 
reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-news-may2023\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-news-may2023\/"},"author":{"name":"ANY.RUN","@id":"https:\/\/any.run\/"},"headline":"Malware Analysis News: May 2023\u00a0\u00a0","datePublished":"2023-06-08T07:32:12+00:00","dateModified":"2023-06-08T10:55:26+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-news-may2023\/"},"wordCount":1230,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["malware analysis"],"articleSection":["News"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/malware-analysis-news-may2023\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-news-may2023\/","url":"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-news-may2023\/","name":"Malware Analysis News May 2023\u00a0\u00a0","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2023-06-08T07:32:12+00:00","dateModified":"2023-06-08T10:55:26+00:00","description":"We've compiled some of the most significant security events, news and emerging threats over the past month in our malware analysis 
digest.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-news-may2023\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/malware-analysis-news-may2023\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-news-may2023\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"News","item":"https:\/\/any.run\/cybersecurity-blog\/category\/news\/"},{"@type":"ListItem","position":3,"name":"Malware Analysis News: May 2023\u00a0\u00a0"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"ANY.RUN","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","caption":"ANY.RUN"},"url":"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/5140"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=5140"}],"version-history":[{"count":3,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/5140\/revisions"}],"predecessor-version":[{"id":5147,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/5140\/revisions\/5147"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/5142"}],"
wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=5140"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=5140"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=5140"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}