{"id":8562,"date":"2024-08-13T09:23:57","date_gmt":"2024-08-13T09:23:57","guid":{"rendered":"\/cybersecurity-blog\/?p=8562"},"modified":"2025-03-11T12:16:11","modified_gmt":"2025-03-11T12:16:11","slug":"emerging-threats","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/emerging-threats\/","title":{"rendered":"What Are Emerging Threats <br>and How to Investigate Them"},"content":{"rendered":"\n<p>An emerging threat is a new or evolving cybersecurity risk that is particularly challenging to defend against because little intelligence exists on its attack methods, strategies, and techniques.&nbsp;<\/p>\n\n\n\n<p>These threats can take various forms, from sophisticated malware to unconventional attack vectors. They also often exploit new vulnerabilities or technologies in ways that bypass current security measures.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Characteristics of Emerging Threats&nbsp;<\/h2>\n\n\n\n<p>Unlike established threats, which are well documented and have existing defenses, emerging threats:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Involve new techniques, tools, or exploits that have not been widely seen before.&nbsp;<\/li>\n<li>Evolve continuously, as attackers keep refining their methods to evade detection and countermeasures.&nbsp;<\/li>\n<li>Are difficult to predict, which makes them hard to defend against.&nbsp;<\/li>\n<li>May have far more serious consequences for victims, since defenders have had no time to prepare.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Why Organizations Need to Monitor Emerging Threats&nbsp;<\/h2>\n\n\n\n<p>Many organizations are not equipped to handle emerging threats due to a lack of awareness, resources, or expertise. Such threats can disrupt their operations, lead to data breaches, and cause financial losses. 
They can also damage a company&#8217;s reputation and have a negative impact on customer trust.&nbsp;&nbsp;<\/p>\n\n\n\n<p>To protect their assets, businesses need to stay informed about emerging threats and take proactive measures.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How Threat Intelligence Lookup Helps Collect Information on Emerging Threats&nbsp;<\/h2>\n\n\n\n<p>One of the services that help organizations learn about new threats is <a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence (TI) Lookup<\/a> from <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=emerging_threats&amp;utm_term=130824&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"572\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imagea-1024x572.png\" alt=\"\" class=\"wp-image-8563\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imagea-1024x572.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imagea-300x168.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imagea-768x429.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imagea-1536x858.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imagea-370x207.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imagea-270x151.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imagea-740x413.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imagea.png 1839w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption 
class=\"wp-element-caption\"><em>Main page of TI Lookup<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The service is powered by a global community of 400,000 security experts who submit thousands of samples to the ANY.RUN sandbox for analysis every day.&nbsp;&nbsp;<\/p>\n\n\n\n<p>Through this process, large volumes of <a href=\"https:\/\/any.run\/cybersecurity-blog\/indicators-of-compromise\/\" target=\"_blank\" rel=\"noreferrer noopener\">indicators of compromise<\/a> (IOCs) and other threat data are extracted and sent to Threat Intelligence Lookup, making it accessible to users for searching and gathering fresh info on malware and phishing threats.&nbsp;&nbsp;<\/p>\n\n\n\n<p>TI Lookup allows users to:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Search through the latest malware and phishing threat data&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Refine your searches using over 40 different search parameters and combinations, including wildcards&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Get quick results, each with a corresponding sandbox session&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use <a href=\"https:\/\/any.run\/cybersecurity-blog\/yara-search-guide\/\" target=\"_blank\" rel=\"noreferrer noopener\">YARA Search<\/a> with a built-in rule editor&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Integrate with your security systems using API&nbsp;<\/li>\n<\/ul>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\n\nSee how ANY.RUN\u2019s <span class=\"highlight\">TI Lookup<\/span> can help your team&nbsp;\n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/intelligence.any.run\/plans\/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=emerging_threats&#038;utm_term=130824&#038;utm_content=linktotiplans\/\" rel=\"noopener\" 
target=\"_blank\">\nRequest a free trial\n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<h2 class=\"wp-block-heading\">Examples of Emerging Threats and How to Investigate Them with TI Lookup&nbsp;<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">1. 
New Phishing Threats&nbsp;<\/h3>\n\n\n\n<p>Attackers are constantly finding new ways to make their phishing attempts convincing.&nbsp;<\/p>\n\n\n\n<p>By abusing legitimate services, mimicking popular websites, and crafting believable lures, criminals try to trick users into taking the desired action, such as revealing their credentials or installing malware on their systems.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Example: Abuse of SES Accounts by Tycoon 2FA Phish-kit&nbsp;<\/h3>\n\n\n\n<p>Recently, ANY.RUN researchers <a href=\"https:\/\/x.com\/anyrun_app\/status\/1818972716659093913\" target=\"_blank\" rel=\"noreferrer noopener\">spotted a phishing campaign<\/a>, attributed to the Tycoon 2FA phishing kit, that used compromised Amazon Simple Email Service (SES) accounts to distribute phishing emails.&nbsp;&nbsp;<\/p>\n\n\n\n<p>The attack chain began with an email sent through Amazon SES. Its link redirected the victim through a chain of legitimate domains, including social networks and the news outlet India Times, before landing on the final page that requested their credentials.&nbsp;<\/p>\n\n\n\n<p>Using a TI Lookup query that combines a string from the phishing URLs (the \/etl.php?url= path, matched in process command lines) with the abused redirector domain, we can find more samples and relevant threat data on the campaign. Note that indiatimes.com is a legitimate site abused as a redirector, so the domain alone is not an indicator; pairing it with the URL path is what narrows the results to this campaign:&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-133\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"133\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" 
width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" href=\"https:\/\/intelligence.any.run\/analysis\/lookup#%7B%2522query%2522:%2522commandLine:%255C%2522\/etl.php?url=%255C%2522%2520and%2520domainName:%255C%2522.economictimes.indiatimes.com%255C%2522%2520%2522,%2522dateRange%2522:180%7D\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup#%7B%2522query%2522:%2522commandLine:%255C%2522\/etl.php?url=%255C%2522%2520and%2520domainName:%255C%2522.economictimes.indiatimes.com%255C%2522%2520%2522,%2522dateRange%2522:180%7D\" data-link-text=\"commandLine:&quot;\/etl.php?url=&quot; AND domainName:&quot;.economictimes.indiatimes.com&quot; \" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">commandLine:&quot;\/etl.php?url=&quot; AND domainName:&quot;.economictimes.indiatimes.com&quot; <\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-133'>\ntable#wpdtSimpleTable-133{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-133 td, table.wpdtSimpleTable133 th { white-space: normal !important; }\n<\/style>\n\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"570\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image1-1024x570.png\" alt=\"\" class=\"wp-image-8564\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image1-1024x570.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image1-300x167.png 300w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image1-768x428.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image1-1536x855.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image1-370x206.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image1-270x150.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image1-740x412.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image1.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>TI Lookup provides an in-depth threat context in relation to the submitted artifacts<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Threat Intelligence Lookup returns 8 domains, 20 IPs, 29 files, and other details found across a hundred viewable sandbox sessions that match our search query.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. New and Evolving Malware Families&nbsp;<\/h3>\n\n\n\n<p>New strains of malware appear daily with some of them going on to become serious security challenges on the global stage. These can include ransomware, trojans, and other types of malicious software.&nbsp;&nbsp;<\/p>\n\n\n\n<p>Often, they use advanced methods to avoid detection and attack systems, such as <a href=\"https:\/\/any.run\/cybersecurity-blog\/fileless-malware\/\" target=\"_blank\" rel=\"noreferrer noopener\">running only in memory<\/a> or using legitimate tools to blend in with normal activities.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Example: DeerStealer Malware&nbsp;<\/h3>\n\n\n\n<p>DeerStealer is a new malware family <a href=\"https:\/\/any.run\/cybersecurity-blog\/deerstealer-campaign-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">discovered by ANY.RUN<\/a> in July 2024. 
This malicious program was distributed as part of a phishing campaign that mimicked the Google Authenticator website.&nbsp;<\/p>\n\n\n\n<p>With Threat Intelligence Lookup, we can quickly gather information on the latest samples of this malware by using <a href=\"https:\/\/any.run\/cybersecurity-blog\/yara-search-guide\/\" target=\"_blank\" rel=\"noreferrer noopener\">YARA Search<\/a>. This tool runs custom YARA rules against the contents of the samples in ANY.RUN\u2019s database and returns the files that match.&nbsp;<\/p>\n\n\n\n<p>Let\u2019s borrow a rule for DeerStealer from ANY.RUN\u2019s <a href=\"https:\/\/github.com\/anyrun\/YARA\/blob\/main\/DeerStealer.yara\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">public collection<\/a> of YARA rules.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"574\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image2-4-1024x574.png\" alt=\"\" class=\"wp-image-8565\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image2-4-1024x574.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image2-4-300x168.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image2-4-768x431.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image2-4-1536x861.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image2-4-370x207.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image2-4-270x151.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image2-4-740x415.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image2-4.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>A YARA rule search takes just a few seconds to complete&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>In response to our query, 
the service provides four samples with their corresponding sandbox sessions, allowing us to take a closer look at how the threat operates and collect valuable intelligence.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"579\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image3-1-1024x579.png\" alt=\"\" class=\"wp-image-8566\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image3-1-1024x579.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image3-1-300x170.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image3-1-768x434.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image3-1-370x209.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image3-1-270x153.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image3-1-740x418.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image3-1.png 1431w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>ANY.RUN sandbox analysis of a DeerStealer sample<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>We can easily navigate to each of the samples to view a detailed sandbox report on their execution and even rerun the analysis sessions <a href=\"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-in-a-sandbox\/\" target=\"_blank\" rel=\"noreferrer noopener\">using our custom VM setup<\/a>.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. TTPs (Tactics, Techniques, and Procedures)&nbsp;<\/h3>\n\n\n\n<p><a href=\"https:\/\/any.run\/cybersecurity-blog\/malware-ttps-explained\/\" target=\"_blank\" rel=\"noreferrer noopener\">TTPs<\/a>, or Tactics, Techniques, and Procedures, are the methods used by attackers to carry out their operations. 
Evolving malware families often introduce new ways to exploit vulnerabilities, avoid detection, and steal data with each new version. Those behaviors can be strong indicators for identifying the latest samples.&nbsp;<\/p>\n\n\n\n<p>The MITRE ATT&amp;CK framework catalogs TTPs and assigns each technique its own identifier. For example, &#8220;T1059.003&#8221; refers to abuse of the Windows Command Shell (Command and Scripting Interpreter: Windows Command Shell).&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Example: Samples of New HijackLoader Version&nbsp;<\/h3>\n\n\n\n<p>Let\u2019s consider <a href=\"https:\/\/any.run\/cybersecurity-blog\/new-hijackloader-version\/\" target=\"_blank\" rel=\"noreferrer noopener\">HijackLoader<\/a>, which received an update earlier in 2024.&nbsp;&nbsp;<\/p>\n\n\n\n<p>One of the core features of the new version is <a href=\"https:\/\/any.run\/cybersecurity-blog\/windows11-uac-bypass\/\" target=\"_blank\" rel=\"noreferrer noopener\">User Account Control<\/a> (UAC) bypass (T1548.002), which lets the malware obtain elevated privileges without triggering the UAC consent prompt.&nbsp;<\/p>\n\n\n\n<p>To find samples of the new HijackLoader version, we can combine the technique ID with the malware name in TI Lookup:&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-134\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"134\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n               
     style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" href=\"https:\/\/intelligence.any.run\/analysis\/lookup#%7B%2522query%2522:%2522MITRE:%255C%2522T1548.002%255C%2522%25C2%25A0AND%25C2%25A0threatName:%255C%2522hijackloader%255C%2522%2522,%2522dateRange%2522:180%7D\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup#%7B%2522query%2522:%2522MITRE:%255C%2522T1548.002%255C%2522%25C2%25A0AND%25C2%25A0threatName:%255C%2522hijackloader%255C%2522%2522,%2522dateRange%2522:180%7D\" data-link-text=\"MITRE:&quot;T1548.002&quot; AND threatName:&quot;hijackloader&quot;\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">MITRE:&quot;T1548.002&quot; AND threatName:&quot;hijackloader&quot;<\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-134'>\ntable#wpdtSimpleTable-134{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-134 td, table.wpdtSimpleTable134 th { white-space: normal !important; }\n<\/style>\n\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"569\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image4-1024x569.png\" alt=\"\" class=\"wp-image-8567\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image4-1024x569.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image4-300x167.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image4-768x427.png 768w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image4-370x206.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image4-270x150.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image4-740x411.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image4.png 1431w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>TI Lookup also displays events related to the TTP found in the analysis sessions<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The service returns 8 sandbox sessions with the analysis of the newest variants of HijackLoader.&nbsp;&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4. Exploitation of World Events&nbsp;&nbsp;<\/h3>\n\n\n\n<p>World events, such as natural disasters, political crises, or global health emergencies, can be exploited by attackers to launch cyber threats.&nbsp;&nbsp;<\/p>\n\n\n\n<p>During the COVID-19 pandemic, there was a surge in phishing emails and malicious websites claiming to offer information or assistance related to the virus.&nbsp;&nbsp;<\/p>\n\n\n\n<p>Attackers take advantage of the heightened interest and concern surrounding these events to trick users into clicking on malicious links or downloading malware.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Example: CrowdStrike Incident&nbsp;<\/h3>\n\n\n\n<p>One of the recent events used by threat actors to spread malware and phishing was the CrowdStrike outage.&nbsp;&nbsp;<\/p>\n\n\n\n<p>After the cybersecurity company pushed a bad update, millions of PCs around the world received a blue screen of death. 
This sent attackers on a race to exploit the confusion, launching a wave of phishing emails and malicious websites offering fake recovery guides.&nbsp;<\/p>\n\n\n\n<p>ANY.RUN analysts were among the first to <a href=\"https:\/\/any.run\/cybersecurity-blog\/crowdstrike-outage-abuse\/\" target=\"_blank\" rel=\"noreferrer noopener\">uncover the threats<\/a> abusing this event and TI Lookup played a significant role in this investigation.&nbsp;<\/p>\n\n\n\n<p>Here is one of the search queries used by our team to find domains mimicking the official CrowdStrike domain that emerged right after the incident:&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-135\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"135\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" href=\"https:\/\/intelligence.any.run\/analysis\/lookup#%7B%2522query%2522:%2522domainName:%255C%2522crowdstrike%255C%2522%25C2%25A0AND%25C2%25A0threatLevel:%255C%2522malicious%255C%2522%2522,%2522dateRange%2522:180%7D\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" 
data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup#%7B%2522query%2522:%2522domainName:%255C%2522crowdstrike%255C%2522%25C2%25A0AND%25C2%25A0threatLevel:%255C%2522malicious%255C%2522%2522,%2522dateRange%2522:180%7D\" data-link-text=\"domainName:&quot;crowdstrike&quot; AND threatLevel:&quot;malicious&quot;\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">domainName:&quot;crowdstrike&quot; AND threatLevel:&quot;malicious&quot;<\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-135'>\ntable#wpdtSimpleTable-135{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-135 td, table.wpdtSimpleTable135 th { white-space: normal !important; }\n<\/style>\n\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"605\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imageb-1024x605.png\" alt=\"\" class=\"wp-image-8568\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imageb-1024x605.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imageb-300x177.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imageb-768x454.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imageb-1536x907.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imageb-370x219.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imageb-270x159.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imageb-740x437.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/imageb.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" 
\/><figcaption class=\"wp-element-caption\"><em>The flame icon indicates domains that have been proven to host malicious content&nbsp;<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>TI Lookup provides 76 domains fitting our description along with IPs, events, and sandbox sessions.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">More Ways to Investigate Threats with TI Lookup&nbsp;<\/h2>\n\n\n\n<p>Investigating threats requires a systematic and proactive approach.&nbsp;&nbsp;<\/p>\n\n\n\n<p>Here are more ways to effectively conduct investigations with TI Lookup using different types of indicators and artifacts.<\/p>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\n\nTry <span class=\"highlight\">Threat Intelligence Lookup<\/span> for 14 days&nbsp;\n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/intelligence.any.run\/plans\/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=emerging_threats&#038;utm_term=130824&#038;utm_content=linktotiplans\/\" rel=\"noopener\" target=\"_blank\">\nGet free trial\n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- 
Regular Banner Styles END -->\n\n\n\n<h3 class=\"wp-block-heading\">1. Check Suspicious Connections&nbsp;<\/h3>\n\n\n\n<p>As a security professional, you may receive dozens of security alerts daily. TI Lookup helps you quickly determine if a certain artifact is an actual threat.&nbsp;<\/p>\n\n\n\n<p>Here\u2019s an example query showing how you can check a suspicious destination IP:&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-136\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"136\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" href=\"https:\/\/intelligence.any.run\/analysis\/lookup#%7B%2522query%2522:%2522destinationIP:%255C%2522185.196.9.26%255C%2522%2522,%2522dateRange%2522:180%7D\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup#%7B%2522query%2522:%2522destinationIP:%255C%2522185.196.9.26%255C%2522%2522,%2522dateRange%2522:180%7D\" data-link-text=\"destinationIP:&quot;185.196.9.26&quot;\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" 
data-link-content=\"wpdt-link-content\">destinationIP:&quot;185.196.9.26&quot;<\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-136'>\ntable#wpdtSimpleTable-136{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-136 td, table.wpdtSimpleTable136 th { white-space: normal !important; }\n<\/style>\n\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"573\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image6-1024x573.png\" alt=\"\" class=\"wp-image-8569\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image6-1024x573.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image6-300x168.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image6-768x430.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image6-1536x859.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image6-370x207.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image6-270x151.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image6-740x414.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image6.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>TI Lookup simplifies your investigations helping you identify malicious activity<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>The service instantly shares wider context on the threat and gives a conclusive verdict on the IP.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. 
Enrich Intelligence on Malware\u2019s C2 Infrastructure&nbsp;<\/h3>\n\n\n\n<p>Command and Control (C2) infrastructure refers to the servers and communication channels used by attackers to control compromised systems. Attackers regularly update their C2 infrastructure, but with TI Lookup you can stay up to date on any changes.&nbsp;<\/p>\n\n\n\n<p>Investigating C2 infrastructure can help identify the source of attacks and the methods used to communicate with infected systems.&nbsp;<\/p>\n\n\n\n<p>Here is a query for finding domains used by the <a href=\"https:\/\/any.run\/malware-trends\/lumma\">Lumma stealer<\/a>:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-137\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"137\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                        <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" href=\"https:\/\/intelligence.any.run\/analysis\/lookup#%7B%2522query%2522:%2522domainName:%255C%2522*%255C%2522%2520AND%2520threatName:%255C%2522lumma%255C%2522%2520%2522,%2522dateRange%2522:180%7D\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" 
data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup#%7B%2522query%2522:%2522domainName:%255C%2522*%255C%2522%2520AND%2520threatName:%255C%2522lumma%255C%2522%2520%2522,%2522dateRange%2522:180%7D\" data-link-text=\"domainName:&quot;*&quot; AND threatName:&quot;lumma&quot;\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">domainName:&quot;*&quot; AND threatName:&quot;lumma&quot;<\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-137'>\ntable#wpdtSimpleTable-137{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-137 td, table.wpdtSimpleTable137 th { white-space: normal !important; }\n<\/style>\n\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"551\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image7-1024x551.png\" alt=\"\" class=\"wp-image-8571\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image7-1024x551.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image7-300x161.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image7-768x413.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image7-1536x827.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image7-370x199.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image7-270x145.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image7-740x398.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image7.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>The search 
yielded over 573 domain results<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>TI Lookup provides a list of domains found in sandbox sessions featuring Lumma. At the top, we can see domains tagged \u201cmalconf\u201d, which means that they were extracted directly from the malware\u2019s configuration.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/cybersecurity-blog\/malconf-in-ti-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">Learn more about malconf IOCs<\/a>&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. Discover Malicious Network Activity Detected by Suricata IDS&nbsp;<\/h3>\n\n\n\n<p>Suricata is an open-source Intrusion Detection System (IDS) that can detect suspicious network activity. Investigating network activity detected by Suricata can help identify emerging threats and understand their behavior.&nbsp;<\/p>\n\n\n\n<p>TI Lookup lets us search its database using Suricata rule details like Message, Class, Threat Level, and ID.&nbsp;<\/p>\n\n\n\n<p>Here\u2019s an example of a query featuring the message of a Suricata rule that detects potential phishing threats:<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-138\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"138\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n                    >\n                                      
  <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" href=\"https:\/\/intelligence.any.run\/analysis\/lookup#%7B%2522query%2522:%2522suricataMessage:%255C%2522Domain%2520chain%2520identified%2520as%2520Phishing%255C%2522%2520%2522,%2522dateRange%2522:180%7D\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup#%7B%2522query%2522:%2522suricataMessage:%255C%2522Domain%2520chain%2520identified%2520as%2520Phishing%255C%2522%2520%2522,%2522dateRange%2522:180%7D\" data-link-text=\"suricataMessage:&quot;Domain chain identified as Phishing&quot;\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">suricataMessage:&quot;Domain chain identified as Phishing&quot;<\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-138'>\ntable#wpdtSimpleTable-138{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-138 td, table.wpdtSimpleTable138 th { white-space: normal !important; }\n<\/style>\n\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"564\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image8-1024x564.png\" alt=\"\" class=\"wp-image-8572\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image8-1024x564.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image8-300x165.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image8-768x423.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image8-1536x846.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image8-370x204.png 370w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image8-270x149.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image8-740x407.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image8.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Phishing threats whose analysis triggered the Suricata rule<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>The service gives us a list of matching network threats that we can study further in the sandbox.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/cybersecurity-blog\/suricata-search\/\" target=\"_blank\" rel=\"noreferrer noopener\">Learn more about Suricata search<\/a>&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4. Learn about the Current Threat Landscape&nbsp;<\/h3>\n\n\n\n<p>TI Lookup also lets us explore the overall threat landscape specific to a certain country, based on the samples uploaded to the ANY.RUN sandbox by local users.&nbsp;<\/p>\n\n\n\n<p>Here is a query for finding malicious submissions from Spanish users:&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-139\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"1\"\n           data-rows=\"1\"\n           data-wpID=\"139\"\n           data-responsive=\"0\"\n           data-has-header=\"0\">\n\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell wpdt-align-left\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:100%;                    padding:10px;\n                    \"\n               
     >\n                                        <a class=\"wpdt-link-content\" style=\"color: #009cff; text-decoration: underline\" href=\"https:\/\/intelligence.any.run\/analysis\/lookup#%7B%2522query%2522:%2522submissionCountry:%255C%2522es%255C%2522%25C2%25A0AND%25C2%25A0threatLevel:%255C%2522malicious%255C%2522%2522,%2522dateRange%2522:180%7D\"  rel=\"\" target=\"_blank\" data-cell-id=\"00\" data-link-url=\"https:\/\/intelligence.any.run\/analysis\/lookup#%7B%2522query%2522:%2522submissionCountry:%255C%2522es%255C%2522%25C2%25A0AND%25C2%25A0threatLevel:%255C%2522malicious%255C%2522%2522,%2522dateRange%2522:180%7D\" data-link-text=\"submissionCountry:&quot;es&quot; AND threatLevel:&quot;malicious&quot;\" data-link-target=\"true\" data-link-nofollow=\"0\" data-link-noreferrer=\"0\" data-link-sponsored=\"0\" data-link-btn-status=\"0\" data-link-btn-class=\"\" data-link-content=\"wpdt-link-content\">submissionCountry:&quot;es&quot; AND threatLevel:&quot;malicious&quot;<\/a>                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-139'>\ntable#wpdtSimpleTable-139{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-139 td, table.wpdtSimpleTable139 th { white-space: normal !important; }\n<\/style>\n\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"591\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image9-1024x591.png\" alt=\"\" class=\"wp-image-8574\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image9-1024x591.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image9-300x173.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image9-768x443.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image9-370x214.png 370w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image9-270x156.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image9-740x427.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/image9.png 1431w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>TI Lookup lists sandbox sessions for samples uploaded to ANY.RUN sandbox from Spain<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The results can help you get a better understanding of the threats currently active in your location.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion&nbsp;<\/h2>\n\n\n\n<p>Effective investigation of emerging threats relies on comprehensive threat intelligence. TI Lookup provides a wealth of data on C2 infrastructure, network activity, processes, registry changes, and wider threat context. By analyzing these indicators, organizations can better understand and mitigate emerging threats, ensuring the safety and integrity of their systems.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;&nbsp;<\/h2>\n\n\n\n<p>ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=emerging_threats&amp;utm_term=130824&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">interactive sandbox<\/a> simplifies malware analysis of threats that target both Windows and <a href=\"https:\/\/any.run\/cybersecurity-blog\/linux-malware-analysis-cases\/\" target=\"_blank\" rel=\"noreferrer noopener\">Linux<\/a> systems. 
Our threat intelligence products, <a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>, <a href=\"https:\/\/any.run\/cybersecurity-blog\/yara-search\/\" target=\"_blank\" rel=\"noreferrer noopener\">Yara Search<\/a> and <a href=\"https:\/\/any.run\/cybersecurity-blog\/ti-feeds-integration\/\" target=\"_blank\" rel=\"noreferrer noopener\">Feeds<\/a>, help you find <a href=\"https:\/\/any.run\/cybersecurity-blog\/indicators-of-compromise\/\" target=\"_blank\" rel=\"noreferrer noopener\">IOCs<\/a> or files to learn more about the threats and respond to incidents faster.<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/plans\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=emerging_threats&amp;utm_term=130824&amp;utm_content=linktotiplans\/\" target=\"_blank\" rel=\"noreferrer noopener\">Try Threat Intelligence Lookup for free \u2192<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>An emerging threat is a new or evolving cybersecurity risk that is particularly challenging to defend against due to the lack of intelligence on its attack methods, strategies, and techniques.&nbsp; These threats can take various forms, from sophisticated malware to unconventional attack vectors. 
They also often exploit new vulnerabilities or technologies that can bypass current [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":8580,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[57,10,34,40],"class_list":["post-8562","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-lifehacks","tag-anyrun","tag-cybersecurity","tag-malware-analysis","tag-malware-behavior"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>What Are Emerging Threats and How to Investigate Them - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"Learn about emerging threats and see how you can investigate them using Threat Intelligence Lookup from ANY.RUN.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/emerging-threats\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"y.shvetsov\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/emerging-threats\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/emerging-threats\/\"},\"author\":{\"name\":\"y.shvetsov\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"What Are Emerging Threats and How to Investigate Them\",\"datePublished\":\"2024-08-13T09:23:57+00:00\",\"dateModified\":\"2025-03-11T12:16:11+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/emerging-threats\/\"},\"wordCount\":1802,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware analysis\",\"malware behavior\"],\"articleSection\":[\"Cybersecurity Lifehacks\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/emerging-threats\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/emerging-threats\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/emerging-threats\/\",\"name\":\"What Are Emerging Threats and How to Investigate Them - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2024-08-13T09:23:57+00:00\",\"dateModified\":\"2025-03-11T12:16:11+00:00\",\"description\":\"Learn about emerging threats and see how you can investigate them using Threat Intelligence Lookup from 
ANY.RUN.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/emerging-threats\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/emerging-threats\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/emerging-threats\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cybersecurity Lifehacks\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/lifehacks\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"What Are Emerging Threats and How to Investigate Them\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"y.shvetsov\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d0d0a5df59078efed19ba1b45c4fb721?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d0d0a5df59078efed19ba1b45c4fb721?s=96&d=mm&r=g\",\"caption\":\"y.shvetsov\"},\"url\":\"https:\/\/any.run\/cybersecurity-blog\/author\/y-shvetsov\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"What Are Emerging Threats and How to Investigate Them - ANY.RUN&#039;s Cybersecurity Blog","description":"Learn about emerging threats and see how you can investigate them using Threat Intelligence Lookup from ANY.RUN.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/emerging-threats\/","twitter_misc":{"Written by":"y.shvetsov","Est. 
reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/emerging-threats\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/emerging-threats\/"},"author":{"name":"y.shvetsov","@id":"https:\/\/any.run\/"},"headline":"What Are Emerging Threats and How to Investigate Them","datePublished":"2024-08-13T09:23:57+00:00","dateModified":"2025-03-11T12:16:11+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/emerging-threats\/"},"wordCount":1802,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware analysis","malware behavior"],"articleSection":["Cybersecurity Lifehacks"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/emerging-threats\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/emerging-threats\/","url":"https:\/\/any.run\/cybersecurity-blog\/emerging-threats\/","name":"What Are Emerging Threats and How to Investigate Them - ANY.RUN&#039;s Cybersecurity Blog","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2024-08-13T09:23:57+00:00","dateModified":"2025-03-11T12:16:11+00:00","description":"Learn about emerging threats and see how you can investigate them using Threat Intelligence Lookup from ANY.RUN.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/emerging-threats\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/emerging-threats\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/emerging-threats\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Cybersecurity 
Lifehacks","item":"https:\/\/any.run\/cybersecurity-blog\/category\/lifehacks\/"},{"@type":"ListItem","position":3,"name":"What Are Emerging Threats and How to Investigate Them"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"y.shvetsov","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/secure.gravatar.com\/avatar\/d0d0a5df59078efed19ba1b45c4fb721?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d0d0a5df59078efed19ba1b45c4fb721?s=96&d=mm&r=g","caption":"y.shvetsov"},"url":"https:\/\/any.run\/cybersecurity-blog\/author\/y-shvetsov\/"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/8562"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json
\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=8562"}],"version-history":[{"count":11,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/8562\/revisions"}],"predecessor-version":[{"id":12057,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/8562\/revisions\/12057"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/8580"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=8562"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=8562"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=8562"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}