Attackers are using a tool called Evilginx to steal session cookies, letting them bypass the need for a multi-factor authentication (MFA) token.

Attackers are using a tool called Evilginx to steal session cookies, letting them bypass the need for a multi-factor authentication (MFA) token.

Researchers are warning about a rise in cases where this method is used against educational institutions.

Evilginx is an attacker-in-the-middle phishing toolkit that sits between you and the real website, relaying the genuine sign-in flow so everything looks normal while it captures what it needs. Because it sends your input to the real service, it can collect your username and password, as well as the session cookie issued after you complete MFA.

Session cookies are temporary files websites use to remember what you’re doing during a single browsing session–like staying signed in or keeping items in a shopping cart. They are stored in the browser’s memory and are automatically deleted when the user closes their browser or logs out, making them less of a security risk than persistent cookies. But with a valid session cookie the attacker can keep the session alive and continue as if they were you. Which, on a web shop or banking site could turn out to be costly.

**Attack flow**

The attacker sends you a link to a fake page that looks exactly the same as, for example, a bank login page, web shop, or your email or company’s single sign-on (SSO) page. In reality, the page is a live proxy to the real site.

Unaware of the difference, you enter your username, password, and MFA code as usual. The proxy relays this to the real site which grants access and sets a session cookie that says “this user is authenticated.”

But Evilginx isn’t just stealing your login details, it also captures the session cookie. The attacker can reuse it to impersonate you, often without triggering another MFA prompt.

Once inside, attackers can browse your email, change security settings, move money, and steal data. And because the session cookie says you’re already verified, you may not see another MFA challenge. They stay in until the session expires or is revoked.

Banks often add extra checks here. They may ask for another MFA code when you approve a payment, even if you’re already signed in. It’s called step-up authentication. It helps reduce fraud and meets Strong Customer Authentication rules by adding friction to high-risk actions like transferring money or changing payment details.

**How to stay safe**

Because Evilginx proxies the real site with valid TLS and live content, the page looks and behaves correctly, defeating simple “look for the padlock” advice and some automated checks.

Attackers often use links that live only for a very short time, so they disappear again before anyone can add them to a block list.​ Security tools then have to rely on how these links and sites behave in real time, but behavior‑based detection is never perfect and can still miss some attacks.

So, what you can and should do to stay safe is:

*   **Be careful with links that arrive in an unusual way.** Don’t click until you’ve checked the sender and hovered over the destination. When in doubt, feel free to use Malwarebytes Scam Guard on mobiles to find out whether it’s a scam or not. It will give you actionable advice on how to proceed.
*   **Use up-to-date real-time anti-malware protection** with a web component.
*   **Use a password manager.** It only auto-fills passwords on the exact domain they were saved for, so they usually refuse to do this on look‑alike phishing domains such as paypa1\[.\]com or micros0ft\[.\]com. But Evilginx is trickier because it sits in the middle while you talk to the real site, so this is not always enough.
*   **Where possible, use phishing-resistant MFA.** Passkeys or hardware security keys, which bind authentication to your device are resistant to this type of replay.
*   **Revoke sessions **if you notice something suspicious**.** Sign out of all sessions and re-login with MFA. Then change your password and review account recovery settings.

Pro tip: Malwarebytes Browser Guard is a free browser extension that can detect malicious behavior on web sites.

**We don’t just report on threats—we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your, and your family’s, personal information by using identity protection.

**About the author**

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.

 Attackers have a new way to slip past your MFA 

The threat actor known as Water Saci is actively evolving its tactics, switching to a sophisticated, highly layered infection chain that uses HTML Application (HTA) files and PDFs to propagate a worm that deploys a banking trojan via WhatsApp in attacks targeting users in Brazil.
The latest wave is characterized by the attackers shifting from PowerShell to a Python-based variant that spreads the

The threat actor known as **Water Saci** is actively evolving its tactics, switching to a sophisticated, highly layered infection chain that uses HTML Application (HTA) files and PDFs to propagate a worm that deploys a banking trojan via WhatsApp in attacks targeting users in Brazil.

The latest wave is characterized by the attackers shifting from PowerShell to a Python-based variant that spreads the malware in a worm-like manner over WhatsApp Web.

"Their new multi-format attack chain and possible use of artificial intelligence (AI) to convert propagation scripts from PowerShell to Python exemplifies a layered approach that has enabled Water Saci to bypass conventional security controls, exploit user trust across multiple channels, and ramp up their infection rates," Trend Micro researchers Jeffrey Francis Bonaobra, Sarah Pearl Camiling, Joe Soares, Byron Gelera, Ian Kenefick, and Emmanuel Panopio said.

In these attacks, users receive messages from trusted contacts on WhatsApp, urging them to interact with malicious PDF or HTA attachments and activate the infection chain and ultimately drop a banking trojan that can harvest sensitive data. The PDF lure instructs victims to update Adobe Reader by clicking on an embedded link.

Users who receive HTA files are deceived into executing a Visual Basic Script immediately upon opening, which then runs PowerShell commands to fetch next-stage payloads from a remote server, an MSI installer for the trojan and a Python script that's responsible for spreading the malware via WhatsApp Web.

"This newly observed variant allows for broader browser compatibility, object-oriented code structure, enhanced error handling, and faster automation of malware delivery through WhatsApp Web," Trend Micro said. "Together, these changes make propagation faster, more resilient to failure, and easier to maintain or extend."

The MSI installer, for its part, serves as a conduit for delivering the banking trojan using an AutoIt script. The script also runs checks to ensure that only one instance of the trojan is running at any given point of time. It accomplishes this by verifying the presence of a marker file named "executed.dat." If it does not exist, the script creates the file and notifies an attacker-controlled server ("manoelimoveiscaioba\[.\]com").

Other AutoIt artifacts uncovered by Trend Micro have also been found to verify whether the Windows system language is set to Portuguese (Brazil), proceeding further to scan the infected system for banking-related activity only if this criteria is met. This includes checking for folders related to major Brazilian banking applications, security, and anti-fraud modules, such as Bradesco, Warsaw, Topaz OFD, Sicoob, and Itaú.

It's worth noting Latin America (LATAM)-focused banking trojans like Casbaneiro (aka Metamorfo and Ponteiro) have incorporated similar features as far back as 2019. Furthermore, the script analyzes the user's Google Chrome browsing history to search visits to banking websites, specifically a hard-coded list comprising Santander, Banco do Brasil, Caixa Econômica Federal, Sicredi, and Bradesco.

The script then proceeds to another critical reconnaissance step that involves checking for installed antivirus and security software, as well as harvesting detailed system metadata. The main functionality of the malware is to monitor open windows and extract their window titles to compare them against a list of banks, payment platforms, exchanges, and cryptocurrency wallets.

If any of these windows contain keywords related to targeted entities, the script looks for a TDA file dropped by the installer and decrypts and injects it into a hollowed "svchost.exe" process, following which the loader searches for an additional DMP file containing the banking trojan.

"If a TDA file is present, the AutoIt script decrypts and loads it as an intermediate PE loader (Stage 2) into memory," Trend Micro explained. "However, if only a DMP file is found (no TDA present), the AutoIt script bypasses the intermediate loader entirely and loads the banking trojan directly into the AutoIt process memory, skipping the process hollowing step and running as a simpler two-stage infection."

Persistence is achieved by constantly keeping tabs on the newly spawned "svchost.exe" process. Should the process be terminated, the malware starts afresh and waits to re-inject the payload the next time the victim opens a browser window for a financial service that's targeted by Water Saci.

The attacks stand out for a major tactical shift. The banking trojan deployed is not Maverick, but rather a malware that exhibits structural and behavioral continuity with Casbaneiro. This assessment is based on the AutoIt-based delivery and loader mechanism employed, as well as the window title monitoring, Registry-based persistence, and IMAP-based fallback command-and-control (C2) mechanism.

Once launched, the trojan carries out "aggressive" anti-virtualization checks to sidestep analysis and detection, and gathers host information through Windows Management Instrumentation (WMI) queries. It makes Registry modifications to set up persistence and establishes contact with a C2 server ("serverseistemasatu\[.\]com") to send the collected details and receive backdoor commands that grant remote control over the infected system.

Besides scanning the titles of active windows to identify whether the user is interacting with banking or cryptocurrency platforms, the trojan forcibly terminates several browsers to force victims to reopen banking sites under "attacker-controlled conditions." Some of the supported features of the trojan are listed below -

*   Send system information
*   Enable keyboard capture
*   Start/stop screen capture
*   Modify screen resolution
*   Simulate mouse movements and clicks
*   Perform file operations
*   Upload/download files
*   Enumerate windows, and
*   Create fake banking overlays to capture credentials and transaction data

The second aspect of the campaign is the use of a Python script, an enhanced version of its PowerShell predecessor, to enable malware delivery to every contact via WhatsApp Web sessions using the Selenium browser automation tool.

There is "compelling" evidence to suggest that Water Saci may have used a large language model (LLMs) or code-translation tool to port their propagation script from PowerShell to Python, given the functional similarities between the two versions and the inclusion of emojis in console outputs.

"The Water Saci campaign exemplifies a new era of cyber threats in Brazil, where attackers exploit the trust and reach of popular messaging platforms like WhatsApp to orchestrate large-scale, self-propagating malware campaigns," Trend Micro said.

"By weaponizing familiar communication channels and employing advanced social engineering, threat actors are able to swiftly compromise victims, bypass traditional defenses, and sustain persistent banking trojan infections. This campaign demonstrates how legitimate platforms can be transformed into powerful vectors for malware delivery and underscores the growing sophistication of cybercriminal operations in the region."

**Brazil Targeted by New RelayNFC Android Malware**

The development comes as Brazilian banking users are also being targeted by a previously undocumented Android malware dubbed RelayNFC that's designed to carry out Near-Field Communication (NFC) relay attacks and siphon contactless payment data. The campaign has been running since early November 2025.

"RelayNFC implements a full real-time APDU relay channel, allowing attackers to complete transactions as though the victim's card were physically present," Cyble said in an analysis. "The malware is built using React Native and Hermes bytecode, which complicates static analysis and helps evade detection."

Primarily spread via phishing, the attack makes use of decoy Portuguese-language sites (e.g., "maisseguraca\[.\]site") to trick users into installing the malware under the pretext of securing their payment cards. The end goal of the campaign is to capture the victim's card details and relay them to attackers, who can then perform fraudulent transactions using the stolen data.

Like other NFC relay malware families such as SuperCard X and PhantomCard, RelayNFC operates as a reader that's designed to gather the card data by instructing the victim to tap their payment card on the device. Once the card data is read, the malware displays a message that prompts them to enter their 4- or 6-digit PIN. The captured information is then sent to the attacker's server through a WebSocket connection.

"When the attacker initiates a transaction from their POS-emulator device, the C&C server sends a specially crafted message of type 'apdu' to the infected phone," Cyble said. "This message contains a unique request ID, a session identifier, and the APDU command encoded as a hexadecimal string."

"Upon receiving this instruction, RelayNFC parses the packet, extracts the APDU data, and forwards it directly to the victim device's NFC subsystem, effectively acting as a remote interface to the physical payment card."

The cybersecurity company said its investigation also uncovered a separate phishing site ("test.ikotech\[.\]online") that distributes an APK file with a partial implementation of Host Card Emulation (HCE), indicating that the threat actors are experimenting with different NFC relay techniques.

Because HCE allows an Android device to emulate a payment card, the mechanism allows a victim's card interactions to be transmitted between a legitimate payment-of-sale (PoS) terminal and an attacker-controlled device, thereby facilitating a real-time NFC relay attack. The feature is assessed to be under development, as the APK file does not register the HCE service in the package manifest file.

"The RelayNFC campaign highlights the rapid evolution of NFC relay malware targeting payment systems, particularly in Brazil," the company said. "By combining phishing-driven distribution, React Native-based obfuscation, and real-time APDU relaying over WebSockets, the threat actors have created a highly effective mechanism for remote EMV transaction fraud."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Brazil Hit by Banking Trojan Spread via WhatsApp Worm and RelayNFC NFC Relay Fraud

Guide to scale ready code security with event driven scans unified data and API first design for large teams seeking strong growth aligned control.

Choosing a security platform is more than just a feature-for-feature comparison. As organisations grow, the underlying architecture of their security tools becomes critically important. A solution that works for ten developers can quickly buckle under the weight of a hundred, leading to slow scans, missed alerts, and frustrated engineering teams. This is a common challenge for teams considering Cycode alternatives, as they seek solutions that can not only meet their immediate needs but also scale with their ambitions.

To successfully implement a code security platform at scale, you need more than just a good tool; you need the right architectural patterns. These patterns ensure that your security processes are decentralised, automated, and seamlessly integrated, allowing you to secure thousands of repositories and pipelines without creating a central bottleneck. This isn’t just about swapping out one tool for another; it’s about building a scalable blueprint for DevSecOps.

This guide explores the key architecture patterns that enable code security platforms to thrive at scale, providing a framework for evaluating and implementing a solution that will grow with you.

****Pattern 1: Decentralised, Event-Driven Scanning****

In a small organisation, it might be feasible to have a central security team manage scanning configurations and triage alerts. At scale, this model collapses. The “security as a service” model, where a central team is a gatekeeper, becomes a bottleneck that slows down development. A scalable architecture flips this model on its head.

**The Blueprint:** Instead of a centralised, polling-based system, a scalable architecture uses a decentralised, event-driven approach. This means security scanning is initiated by events happening within the development lifecycle itself.

*   **Event Triggers:** Scans are not run on a fixed schedule by a central server. Instead, they are triggered by webhooks from your Source Code Management (SCM) tool (like GitHub, GitLab, or Bitbucket). A git push to a new branch, a new pull request, or a merge to the main branch all become events that trigger targeted security scans.

*   **Ephemeral Runners:** When an event occurs, the CI/CD system spins up an ephemeral, or short-lived, runner to execute the scan. This containerised environment pulls the relevant code, runs the security analysis (SAST, SCA, IaC scanning), and then spins down. This is highly scalable, as you can run hundreds or thousands of scans in parallel without managing a fleet of dedicated scanning servers. For additional insight into microservices-based scalability, see Google Cloud’s guide to event-driven architecture. The CNCF’s guide on cloud native principles provides great context for why this ephemeral, microservices-based approach is so resilient. You can also explore Microsoft’s documentation on distributed event-driven architecture.

*   **Configuration as Code:** Scan configurations, policies, and rules are not managed through a central UI. Instead, they are defined in a simple configuration file (e.g., a YAML file) that lives inside each repository. This empowers individual teams to manage their own security settings within the context of their application, a concept often referred to as “Policy as Code.”

**Why It Scales:** This pattern removes the central security team as a bottleneck. It distributes the workload across your existing CI infrastructure and empowers development teams with the autonomy to manage their own security context, making the entire process faster and more efficient.

****Pattern 2: The Unified Data Model and “Single Pane of Glass”****

One of the biggest challenges with scaling security is tool sprawl. Teams often end up with one tool for SAST, another for SCA, a third for secrets detection, and a fourth for IaC scanning. This creates data silos. The alerts from these disparate tools lack context, making it impossible to prioritise effectively.

**The Blueprint:** A scalable architecture relies on a platform that can ingest findings from various security scanners into a unified data model. Whether you’re using an all-in-one solution or integrating best-of-breed scanners, the goal is to have a single place where all security data is normalised, deduplicated, and correlated.

*   **Normalisation:** The platform should translate alerts from different tools into a standard format. A “critical” vulnerability from your SAST scanner should be comparable to a “critical” one from your SCA tool.

*   **Deduplication:** A good system will recognise when the same vulnerability is found in multiple branches or by different scan types, presenting it as a single, persistent issue rather than a flood of duplicate alerts.

*   **Correlation:** The true power comes from correlating data. For example, the platform can link a vulnerability in an open-source library (SCA finding) to the specific lines of code in your repository that use it (SAST context). This tells you if the vulnerability is actually reachable and exploitable, allowing you to prioritise real risks over theoretical ones.

For deeper perspectives on the value of unified security data management and prioritisation, see Google’s commentary on unified security data lakes and SANS’s guide to vulnerability management prioritisation.

**Why It Scales:** A unified data model turns noise into signal. At scale, you will be dealing with tens of thousands of potential security findings. Without a way to prioritise, your teams will be paralysed by alert fatigue. A “single pane of glass” that provides this rich context is essential for focusing remediation efforts on the issues that matter most.

****Pattern 3: The API-First, Hub-and-Spoke Integration Model****

A scalable security platform doesn’t try to be everything to everyone. It acknowledges that it is one part of a larger, complex toolchain. An architecture built for scale is designed to integrate, not dictate.

**The Blueprint:** The platform should be built with an API-first philosophy. Every feature available in the UI should also be accessible via a well-documented REST API. This allows you to treat the security platform as a central “hub” that connects to other tools in a “hub-and-spoke” model. For an in-depth look at API-first design principles and their benefits in building extensible systems, see the Google Cloud API Design Guide. Additionally, organisations adopting integrated DevSecOps workflows may benefit from the guidance offered in the OpenAPI Initiative documentation, which supports API standardisation in complex environments.

*   **Source of Truth:** The security platform acts as the central source of truth for all security findings.

*   **CI/CD Spoke:** Your CI/CD pipeline (the spoke) communicates with the hub via API to trigger scans and retrieve results.

*   **Ticketing Spoke:** The hub integrates with ticketing systems like Jira or Azure DevOps. When a high-priority vulnerability is found, the platform’s API can automatically create a ticket, assign it to the right team, and populate it with all the necessary context.

*   **Notification Spoke:** The hub connects to Slack or Microsoft Teams to send targeted, actionable notifications to the developers responsible for the code.

*   **Business Intelligence Spoke:** The API allows you to pull data into BI tools like Tableau or Power BI to create custom dashboards and reports for leadership, tracking metrics like Mean Time to Remediate (MTTR). For more on key DevSecOps metrics, GitLab’s DevSecOps survey often has valuable insights.

**Why It Scales:** An API-first, hub-and-spoke model makes the security platform incredibly flexible and extensible. It allows you to embed security information into the tools your teams already use, creating a seamless and automated workflow that can adapt as your organisation’s toolchain evolves.

When evaluating alternatives to any security platform, look beyond the feature list. Examine the underlying architecture. A solution built on decentralised scanning, a unified data model, and API-first principles won’t just solve today’s problems; it will provide a robust foundation for a secure and scalable development lifecycle for years to come.

(Photo by Wesley Ford on Unsplash)

Architecture Patterns That Enable Cycode alternatives at Scale

We’ve seen a new wave of attacks exploiting legitimate Remote Monitoring and Management (RMM) tools to remotely control victims’ systems.

A new wave of attacks is exploiting legitimate Remote Monitoring and Management (RMM) tools like LogMeIn Resolve (formerly GoToResolve) and PDQ Connect to remotely control victims’ systems. Instead of dropping traditional malware, attackers trick people into installing these trusted IT support programs under false pretenses–disguising them as everyday utilities. Once installed, the tool gives attackers full remote access to the victim’s machine, evading many conventional security detections because the software itself is legitimate.

We’ve recently noticed an uptick in our telemetry for the detection name RiskWare.MisusedLegit.GoToResolve, which flags suspicious use of the legitimate GoToResolve/LogMeIn Resolve RMM tool.

Our data shows the tool was detected with several different filenames. Here are some examples from our telemetry:

The filenames also provide us with clues about how the targets were likely tricked into downloading the tool.

Here’s an example of a translated email sent to someone in Portugal:

As you can see, hovering over the link shows that it points to a file uploaded to Dropbox. Using a legitimate RMM tool and a legitimate domain like dropbox\[.\]com makes it harder for security software to intercept such emails.

Other researchers have also described how attackers set up fake websites that mimic the download pages for popular free utilities like Notepad++ and 7-Zip.

Clicking that malicious link delivers an RMM installer that’s been pre-configured with the attacker’s unique “CompanyId”–a hardcoded identifier tying the victim machine directly to the attacker’s control panel.

This ID lets them instantly spot and connect to the newly infected system without needing extra credentials or custom malware, as the legitimate tool registers seamlessly with their account. Firewalls and other security tools often allow their RMM traffic, especially because RMMs are designed to run with admin privileges. The result is that malicious access blends in with normal IT admin traffic.

**How to stay safe**

By misusing trusted IT tools rather than conventional malware, attackers are raising the bar on stealth and persistence. Awareness and careful attention to download sources are your best defense.

*   Always download software directly from official websites or verified sources.
*   Check file signatures and certificates before installing anything.
*   Verify unexpected update prompts through a separate, trusted channel.
*   Keep your operating system and software up to date.
*   Use an up-to-date, real-time anti-malware solution. Malwarebytes for Windows now includes Privacy Controls that alert you to any remote-access tools it finds on your desktop.
*   Learn how to spot social engineering tricks used to push malicious downloads.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**About the author**

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.

 How attackers use real IT tools to take over your computer 

### Impact

Javascript code can be injected by malicious editors for a stored XSS attack if the standard Content Security Policy is disabled.

### Workaround

If the standard CSP rules are active (default in production mode), an exploit isn't possible.

### Credits

Lwin Min Oo <lwinminoo2244@gmail.com>

Skip to content

**Navigation Menu**

*   *   AI CODE CREATION
        
        *   GitHub CopilotWrite better code with AI
            
        *   GitHub SparkBuild and deploy intelligent apps
            
        *   GitHub ModelsManage and compare prompts
            
        *   MCP RegistryNewIntegrate external tools
            
        
    
    View all features
    

*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

Appearance settings

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-66468

**Aimeos GrapesJS CMS extension has possible stored XSS that's exploitable by authenticated editors**

**Package**

composer aimeos/ai-cms-grapesjs (Composer)

**Affected versions**

\>= 2021.04.1, < 2021.10.8

\>= 2022.04.1, < 2022.10.9

\>= 2023.04.1, < 2023.10.15

\>= 2024.04.1, < 2024.10.8

\>= 2025.04.1, < 2025.10.2

**Patched versions**

2021.10.8

2022.10.9

2023.10.15

2024.10.8

2025.10.2

**Description**

Published to the GitHub Advisory Database

Dec 3, 2025

**EPSS score**

GHSA-424m-fj2q-g7vg: Aimeos GrapesJS CMS extension has possible stored XSS that's exploitable by authenticated editors

Ransomware groups target enterprises during off-hours, weekends, and holidays when security teams are stretched thin and response times lag.

The Ransomware Holiday Bind: Burnout or Be Vulnerable

Your antivirus scans files. But what about attacks that never create files? Here's how we catch the threats hiding on your family's computers.

Most antivirus software for personal users scans your computer for malware hiding in files. This is, after all, how most malware is traditionally spread. But what about attacks that never create files? Fileless malware is a fast-growing threat that evades traditional antivirus software, because simply, it’s looking for files that don’t exist.

Here’s how Malwarebytes goes beyond signature scans and file analysis to catch those fileless threats hiding on your family’s computers. 

****What are fileless attacks?** **

Most malware leaves a trail. It drops files on your hard drive so it can survive when you restart your computer. Those files are what traditional antivirus software hunts for.

Fileless attacks play by different rules, living only in your computer’s active memory. This means they vanish when you reboot, but they do their damage before that happens. 

Fileless attacks don’t bring in their own files at all. Instead, they hijack legitimate Windows tools that your computer already trusts. PowerShell, for example, is a built-in program that helps Windows run everyday tasks. Fileless malware slips into memory, runs harmful commands through tools like PowerShell, and blends in with normal system activity.

Because Windows sees these tools as safe, it doesn’t throw up red flags. And because there are no malicious files saved to the disk, traditional antivirus has nothing to scan or quarantine, missing them completely.

Fileless attacks are becoming more common because they work. Cybercriminals use them to steal your passwords, freeze your files for ransom, or turn your computer into a cryptocurrency-mining machine without you knowing.

****How Malwarebytes stops these invisible attacks** **

Malwarebytes takes a different approach. Instead of just scanning files on your hard drive, we watch what programs are actually doing in your computer’s memory. We developed comprehensive protection creating a defense system that works in two powerful ways: 

**Defense Layer 1: Script Monitoring**  

Script Monitoring catches dangerous code before it runs. Whether it’s PowerShell, VBScript, JavaScript, or other scripts, we inspect them the moment they try to execute. Malicious? Blocked instantly. Safe? Runs normally. 

Attackers scramble their malicious code so it looks like gibberish. Imagine a secret message where every letter is shifted three places in the alphabet. Our technology automatically decodes these scrambled commands, revealing what they’re really up to.  

**Defense Layer 2: Command-Line Protection**  

Command-Line Protection tracks what programs are trying to do when they run commands on your system.   

When programs like PowerShell, Windows Script Host, or other command tools run, we examine what they’re trying to do. Are they downloading files from suspicious websites? Trying to modify system files? Attempting to turn off security software? We catch these patterns even if attackers try to bypass the first layer of defense. 

**What might a **fileless attack look like?** **

Let’s look at specific attack scenarios and how Malwarebytes protects you: 

****Attack scenario 1: The disguised email attachment** **

You receive what looks like a legitimate invoice or document via email. When you open the Excel or Word attachment, it contains a macro (a small script that automates tasks). The macro looks harmless at first glance, but it’s actually scrambled to hide malicious commands.  

**What happens next:** The macro silently launches PowerShell in the background and tries to download ransomware. Your traditional antivirus sits idle because it’s waiting to see a file – but the file hasn’t been created yet. 

**How Malwarebytes stops it:** Our Script Monitoring unscrambles the macro, sees it trying to download ransomware, and blocks the PowerShell command immediately. The ransomware never reaches your computer. You see a notification that Malwarebytes blocked a threat, and your files stay safe. 

****Attack scenario 2: The silent cryptocurrency miner** **

You visit a normal-looking website or click on an ad. Hidden JavaScript code starts running immediately, hijacking your computer’s processor to mine cryptocurrency. You notice your laptop fan spinning louder, the computer running hotter, but you don’t connect the dots. Meanwhile, your electricity bill creeps up month after a month. 

**What happens next:** The script tries to load mining software directly into your computer’s memory using PowerShell or similar tools. It runs continuously in the background, stealing your computing power. 

**How Malwarebytes stops it:** Our Command-Line Scanner recognizes the mining script’s pattern and blocks it before it can start using your processor. Your computer maintains normal performance, and criminals can’t abuse your resources. 

****Attack scenario 3: The persistent backdoor** **

A sophisticated attacker wants long-term access to your computer. They use Windows Management Instrumentation (WMI), a legitimate Windows tool, to create a persistent backdoor. This backdoor lets them access your computer whenever they want, all without installing any traditional malware files. 

**What happens next:** Using WMI, they set up scheduled tasks that run invisible scripts in the background. These scripts give them a permanent remote access pass to your computer. Restart doesn’t help. The backdoor survives because it’s woven into Windows itself, disguised as a normal system task. 

**How Malwarebytes stops it:** Our protection monitors WMI activity for suspicious patterns. When we detect WMI being used to create unauthorized backdoors or scheduled tasks, we block the commands and alert you. The backdoor never gets established. 

**About Fileless Protection in Malwarebyes**

When choosing security software, ask: Can it protect against attacks that never write files? Can it catch memory-based threats? With Malwarebytes, the answer is yes. 

**Runs automatically**

You don’t need to set anything up. Fileless Protection runs quietly in the background from the moment you install it. You won’t notice it until it blocks an attack and keeps your files safe.

**Works with your everyday tools**

Your legitimate programs and scripts work normally. You can run PowerShell, use your business software, and browse the web without interruption. We only step in when there’s a real threat.

**Part of a bigger defence**

Fileless Protection is one layer in Malwarebytes’ broader security stack, working alongside machine-learning detection, web protection, and exploit protection. Each layer supports the others, so if one misses something, another catches it.

**Stops attacks that never write files**

Fileless attacks hide in memory, but they’re not unstoppable. Fileless Protection watches what programs do in memory, analyzes suspicious commands, and blocks attacks before they can steal data or damage your files.

**Included with Malwarebytes Premium**

Fileless Protection is included in Malwarebytes Premium. Whether you’re protecting your home devices or your small business systems, Malwarebytes works automatically, stays out of your way, and catches threats that traditional antivirus often misses.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**About the author**

Core Technology is the team behind the protection engine that powers Malwarebytes products. From threat detection and performance optimization to SDK innovation and telemetry, the group builds the foundational technology that keeps users safe across every platform.

 Fileless protection explained: Blocking the invisible threat others miss 

Smarter SOC performance with faster triage, proactive defence, and a unified stack powered by instant alert context from ANY.RUN to cut MTTD and MTTR.

_Disclosure: This article was provided by ANY.RUN. The information and analysis presented are based on their research._

Speeding up the workflow in a **SOC** team is rarely just a matter of time management or additional staffing. To improve metrics like mean-time-to-detect (MTTR) and mean-time-to-response (MTTR), it’s often more important to step back, notice gaps in current processes, and close them with purpose-built solutions.

Below are three key steps to take as a CISO on the way to better SOC performance.

****Solution 1 – Providing context to alerts********Why it matters:****

Slow incident response isn’t usually caused by a lack of expertise on _how_ to respond to alerts. It’s more about wasting time on figuring out _why_ an alert occurred in the first place by consulting multiple sources and enriching indicators manually.

And even after this daunting investigation for each incident, there’s not always a complete context for analysts to make judgment calls based on.

Not knowing which alerts matter most might lead to a longer response cycle, burnout across tiers, and inconsistent decision-making. That’s why it’s important to provide access to high-fidelity threat context: malware behaviour, network IOCs, and related attacks. Clarity is the way to better prioritisation and a reduction in MTTR.

****Best way to implement:****

Use solutions that provide context to alerts instantly, without disruptions to investigation workflow. ANY.RUN’s **Threat Intelligence Lookup** draws on one of the world’s largest ecosystems of malware data accumulated by more than half a million analysts and 15,000+ SOC teams.

TI Lookup in action: delivering a verdict and threat context for a URL

Eliminating time-consuming manual enrichment not only creates room for faster triage but also helps prevent alert fatigue in teams. Analysts get immediate, high-confidence answers: IPs, domains, URLs, and other indicators get quick verdicts and threat context, from network activity and malware classification to relationships and related IOCs.

The result is faster triage, less alert fatigue, and a lower risk of missing critical signals.

**Cut MTTD & MTTR with instant alert context enrichment**

**Request a trial for TI Lookup**

****Solution 2 – Establishing a proactive defence********Why it matters:****

Given the unprecedented speed of malware evolution, a SOC team that only does reactive response is always one step behind. Detection rules require constant updates with fresh indicators. The only way to achieve a robust defence system in these conditions is to promote early detection and research.

Proactive defence gives analysts the advantages of pre-incident visibility, shifting the workflow from “respond to incidents only” to “prevent incidents altogether” mode. By doing research, gathering information on the latest threats, attacks, and campaigns active across industries, teams catch threats earlier in the kill chain. This reduces their dwell time and maintains focus on real risks.

****Best way to implement:** **

Equip your SOC team with intelligence that turns context into actionable insights. Threat Intelligence Lookup by ANY.RUN can be used for threat hunting, helping analysts gain an immediate, behaviour-based understanding of any artefact.

Data provided by TI Lookup for Agent Tesla threats researched in Germany

With over 40 parameters that cover all analysts’ needs, it’s never been easier to browse data collected by a global expert community of 15K teams all over the world. Analysts can uncover hidden threats quickly and validate suspicious activity in seconds. 

Using TI Lookup for threat hunting enables earlier detection and a consistently proactive security posture.

****Solution 3 – Unifying and automating the tech stack********Why it matters:****

A fragmented tech stack is never intentional. It’s a result of a long process of accumulating solutions over time. Each tool solves a specific problem, but the lack of integration between them causes friction: fractured visibility, duplicated work, and manual data transfer. As a result, the investigations get staggered.

A well-integrated ecosystem reinforced by automation brings everything together. It ties together indicators and context, alerts and responses. Ultimately, it speeds up the analysis flow, strengthens threat hunting, and facilitates an efficient use of resources.

Connect ANY.RUN’s solutions with your stack for unified security

Best way to implement:

Choose solutions designed for frictionless workflows and interoperability. A unified system works better than a collection of disconnected components: “The whole is greater than the sum of its parts”.

Threat Intelligence Lookup fits into this approach in two ways:

*   **Integrations support:** From ready-to-use connectors to custom integrations, they drive an automated, fast workflow, making it easier to embed high-quality intelligence into existing SOC processes without disruption.
*   **Native connection to malware sandbox:** Every TI Lookup’s indicator is linked to tied to a real-life investigation done in **ANY.RUN’s Interactive Sandbox**. Analysts get one-click access to deeper visibility.

****Conclusion****

Fast and efficient SOC is about smarter workflows and decisions powered by quality threat intelligence. Rich alert context, proactive hunting, and refined tech stack lead to lower MTTR and better prevention of incidents.

Fixing a Slow SOC: Top 3 Solutions that Actually Work

Remember when phishing emails were easy to spot? Bad grammar, weird formatting, and requests from a "Prince" in a distant country?
Those days are over.
Today, a 16-year-old with zero coding skills and a $200 allowance can launch a campaign that rivals state-sponsored hackers. They don't need to be smart; they just need to subscribe to the right AI tool.
We are witnessing the industrialization of

Cybercrime / Artificial Intelligence

Remember when phishing emails were easy to spot? Bad grammar, weird formatting, and requests from a "Prince" in a distant country?

Those days are over.

Today, a 16-year-old with zero coding skills and a $200 allowance can launch a campaign that rivals state-sponsored hackers. They don't need to be smart; they just need to subscribe to the right AI tool.

We are witnessing the industrialization of cybercrime. The barrier to entry has collapsed, and your current email filters are looking for threats that no longer exist.

Watch the Live Breakdown of AI Phishing Tools ➜

**The New "Big Three" of Cybercrime**

Security leaders don't need another lecture on what phishing is. You need to see exactly what you are up against. This isn't science fiction—these tools are being sold on the dark web right now.

In this webinar, we are going inside the "AI Phishing Factory" to deconstruct the three tools rewriting the threat landscape:

*   **WormGPT:** Think of ChatGPT, but without the "ethical guardrails." It doesn't have a conscience. It writes flawless, highly personalized Business Email Compromise (BEC) messages that sound exactly like your CEO—no typos, perfect tone.
*   **FraudGPT:** The "Netflix" of hacking. For a low monthly subscription, attackers get a full suite of tools to write malicious code, create scam landing pages, and draft emails. It is hacking-as-a-service.
*   **SpamGPT:** This acts like a high-end marketing automation tool, but for criminals. It allows attackers to A/B test their scams and deliver them at a volume that overwhelms standard detection limits.

Here is the hard truth: You cannot train your employees fast enough to outsmart a machine that learns instantly. If an email is written by AI to be indistinguishable from a legitimate sender, **someone will click.** It is a statistical certainty.

Most defensive strategies focus on _detection_—trying to spot the bad email. But when the AI changes the emails' signature every second, detection fails.

Register for the Webinar ➜

**Stop the Damage, Not Just the Email**

This session isn't about scaring you with the problem; it's about fixing it.

Since we know users will eventually click, we have to change the strategy. We need to make the click irrelevant. We need to ensure that even if they land on the phishing page, the attacker gets nothing.

**Join us to learn how to:**

1.  **Identify** the specific signatures of WormGPT and FraudGPT attacks.
2.  **Shift** your defense strategy from "blocking emails" to "protecting identity."
3.  **Neutralize** the attack at the point of access by removing the one thing hackers want: the credentials.

The bad guys are using AI to scale their attacks. You need to use intelligence to scale your defense.

Secure Your Seat Now ➜

Don't wait for the quarterly report to find out you were vulnerable. Get the strategy you need to shut this down now.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Discover the AI Tools Fueling the Next Cybercrime Wave — Watch the Webinar

Water Saci has upgraded its self-propagating malware to compromise banks and cryptocurrency exchanges by targeting enterprise users of the popular chat app.

Latest News