Disclosure: This article was provided by ANY.RUN. The information and analysis presented are based on their research and findings.
The third quarter of 2025 saw a concerning evolution in the malware landscape. The latest ANY.RUN Malware Trends quarterly report confirms a clear pattern: threat actors are prioritising fast monetisation and initial access operations.
The number of threats investigated in ANY.RUN’s Sandbox grew by 21.6% since Q2, compared to 9.8% growth between Q1 and Q2.
Malicious verdicts increased by 18%, and the sandbox extracted 32.8% more IOCs than in Q2, enriching the threat data available via Threat Intelligence Lookup and TI Feeds.
The Three Top Threats SOC Teams Must Watch
Three malware families dominate the threat landscape due to their ability to quickly monetise stolen data and establish remote control:
| Malware Family | Q3 Sandbox detections | Type | Primary Objective |
|---|---|---|---|
| Lumma | 9,664 | Stealer | Theft of browser-stored credentials, session cookies, autofill and card data, and cryptocurrency wallets |
| AgentTesla | 5,337 | Stealer/RAT | Keylogging, clipboard and browser/email credentials, data exfiltration |
| Xworm | 5,085 | RAT | Remote access, payload delivery, file manipulation |
Analysts must adapt by reducing triage time, switching from signature-based detection to behaviour-based detection, and enriching indicators with real-time threat context.
1. Lumma Stealer – Credential Monetisation at Scale
Lumma Stealer is currently the most active and prevalent malware family observed in the report. It specialises in stealing sensitive data from endpoints, focusing on browser-stored credentials, cryptocurrency wallets, form autofill data, saved credit cards, and session cookies. Lumma is particularly aggressive in industries such as finance and commerce in Europe and North America, where the stolen data has the highest monetary value.
For organisations, a single Lumma infection can result in corporate account compromise, lateral movement through SaaS access, and asset theft without triggering traditional ransomware alarms.
Lumma’s operators consistently update their infrastructure, rotating malicious domains and other C2 inventory, so static blocklists age quickly. Threat Intelligence Lookup lets analysts pull IOCs from the most recent sandbox sessions in which Lumma samples were detonated and feed them into detection and response systems, for example with a query such as:
threatName:"Lumma" and domainName:""

Where ANY.RUN’s Threat Intelligence Lookup Fits In
TI Lookup is a real-time threat investigation platform that enriches indicators with context, not just reputation scores. It aggregates fresh IOCs, IOAs, and behaviour patterns (IOBs) directly from malware detonations performed in ANY.RUN’s Interactive Sandbox, powered by data contributed by more than 15,000 enterprise SOCs and security teams across multiple industries.
This gives analysts access to threat intelligence captured from real attacks happening right now, not stale feeds or public blocklists.
Beyond the context itself, this lets analysts cut triage time, improve detection accuracy, and act on their verdicts with confidence. For the business, the gains are analyst efficiency and better judgement, faster MTTR, and measurable ROI.
In short, TI Lookup turns threat intelligence into operational efficiency: less time spent investigating means more time preventing breaches.
2. AgentTesla – activity doubled quarter-over-quarter
AgentTesla is a widely distributed credential stealer and remote access tool (RAT) with a multilayered set of functions, including keylogging, clipboard monitoring, credential extraction from browsers and email clients, and exfiltration via SMTP or HTTP.
The malware has recently seen a sharp increase in activity, doubling quarter over quarter. It is particularly common in industries with high volumes of external communication, such as transportation, logistics, and education. Its operational simplicity and low barrier to entry make it popular among less sophisticated cybercriminal groups.
Use Threat Intelligence Lookup to instantly check network artefacts and spot AgentTesla in your network.
domainName:"mail.funworld.co.id"

Explore the linked sandbox sessions to observe AgentTesla’s attack chain and behaviour patterns:

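The two behaviours described above (AgentTesla exfiltrating over SMTP from the victim endpoint, and Lumma rotating C2 domains that only a freshly refreshed watchlist will catch) can be turned into detection logic. The following Python is an added example, not ANY.RUN's code and not part of the original report. It runs two checks over constructed Zeek-style connection and DNS log lines: it flags workstations opening outbound SMTP to anything other than the organisation's own mail relay, and it matches DNS queries (including subdomains) against an IOC domain watchlist. The relay address, workstation range, log lines and watchlist domains are all constructed for the example; in practice the watchlist would be populated from recent sandbox sessions via TI Lookup or TI Feeds.

```python
"""Behaviour-based triage over constructed network logs (added example).

  1. SMTP exfiltration from a workstation: stealers such as AgentTesla send
     harvested data to a mail server (often a legitimate, compromised one),
     so the tell is a *client* machine speaking SMTP to anything other than
     the organisation's own relay.
  2. Watchlist matching on DNS: rotating C2 domains (Lumma-style) are caught
     only if the watchlist is refreshed; this matches the query and every
     parent domain so subdomains of an IOC domain are also flagged.

Every address, hostname and log line below is constructed for illustration.
"""
from dataclasses import dataclass
import ipaddress

MAIL_RELAYS = {"10.0.0.25"}                              # assumption: corporate relay
SMTP_PORTS = {25, 465, 587}
WORKSTATION_NET = ipaddress.ip_network("10.0.20.0/24")  # assumption: client subnet

# Constructed stand-in for IOC domains pulled from recent sandbox sessions.
IOC_DOMAINS = {"update-cdn-lumma.example", "stats.tracker-c2.example"}

# Constructed Zeek conn.log-style records: ts, src_ip, dst_ip, dst_port, proto
CONN_LOG = """\
1727740000.1\t10.0.20.14\t10.0.0.25\t587\ttcp
1727740001.2\t10.0.20.31\t203.0.113.77\t587\ttcp
1727740002.5\t10.0.20.31\t198.51.100.9\t443\ttcp
1727740003.0\t10.0.0.25\t192.0.2.50\t25\ttcp
"""

# Constructed Zeek dns.log-style records: ts, src_ip, query
DNS_LOG = """\
1727740000.4\t10.0.20.14\twww.example.com
1727740001.0\t10.0.20.31\tcdn.update-cdn-lumma.example
1727740002.2\t10.0.20.55\tstats.tracker-c2.example
"""


@dataclass(frozen=True)
class Alert:
    rule: str
    src_ip: str
    detail: str


def parse_tsv(text):
    """Yield non-comment, non-empty tab-separated records."""
    for line in text.splitlines():
        if line and not line.startswith("#"):
            yield line.split("\t")


def detect_smtp_exfil(conn_log):
    """Workstation -> SMTP port on a host that is not a known corporate relay."""
    alerts = []
    for _ts, src, dst, dport, proto in parse_tsv(conn_log):
        if proto != "tcp" or int(dport) not in SMTP_PORTS:
            continue
        if ipaddress.ip_address(src) not in WORKSTATION_NET:
            continue  # relays and servers are expected to speak SMTP outbound
        if dst in MAIL_RELAYS:
            continue  # a client submitting mail to its own relay is normal
        alerts.append(Alert("smtp_exfil_from_workstation", src, f"{dst}:{dport}"))
    return alerts


def registered_suffixes(name):
    """Yield the name and each parent domain, e.g. a.b.c -> a.b.c, b.c."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def detect_ioc_dns(dns_log, watchlist):
    """Flag DNS queries for a watchlisted domain or any of its subdomains."""
    alerts = []
    for _ts, src, query in parse_tsv(dns_log):
        hit = next((s for s in registered_suffixes(query) if s in watchlist), None)
        if hit:
            alerts.append(Alert("dns_ioc_watchlist", src, f"{query} -> {hit}"))
    return alerts


def triage(conn_log=CONN_LOG, dns_log=DNS_LOG, watchlist=IOC_DOMAINS):
    """Run both rules; hosts tripping more than one rule go to the top of the queue."""
    alerts = detect_smtp_exfil(conn_log) + detect_ioc_dns(dns_log, watchlist)
    hosts = {}
    for a in alerts:
        hosts.setdefault(a.src_ip, set()).add(a.rule)
    return alerts, hosts


if __name__ == "__main__":
    found, by_host = triage()
    for a in found:
        print(f"[{a.rule}] {a.src_ip} {a.detail}")
    for host, rules in sorted(by_host.items(), key=lambda kv: -len(kv[1])):
        print(host, sorted(rules))
```

Note that the SMTP rule deliberately keys on the *source* being a workstation rather than on the destination being malicious: AgentTesla frequently exfiltrates to legitimate but compromised mail servers, so a reputation check on the destination alone would miss it. The DNS rule is only as good as the freshness of its watchlist, which is the operational point of pulling IOCs from recent detonations rather than from static blocklists.
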
3. Xworm (RAT) – modular, covert, highly scalable
Xworm is a flexible, modular remote access Trojan that is often used as the first foothold in an intrusion, where it serves as a launcher for other malware, including stealers and ransomware. After execution, Xworm enables remote command execution, file manipulation, keylogging, surveillance, and exfiltration. It supports multiple communication channels, including C2 tunnelling through legitimate cloud services, which complicates detection.
Xworm infections are especially dangerous for organisations because the malware acts as a bridge to full compromise. The malware actively targets manufacturing, tourism, and healthcare: industries where business disruption can have immediate operational consequences.
Analysts can look up malware samples recently submitted to the Sandbox by users from a selected region by combining the malware’s name with a country code:
threatName:"xworm" AND submissionCountry:"co"

To sum up:
- Lumma steals access.
- AgentTesla steals communications.
- Xworm turns those stolen credentials into full control of the environment.
Conclusion
As Q4 2025 unfolds, Lumma Stealer, AgentTesla, and Xworm RAT will continue to evolve, adopting new evasion techniques and targeting mechanisms to bypass traditional defences.
For SOC analysts, the challenge isn’t just detecting these threats: it’s responding fast enough to minimise impact. The difference between a contained incident and a major breach often comes down to how quickly you can identify what you’re dealing with and implement the right countermeasures.
ANY.RUN’s Threat Intelligence Lookup bridges this critical gap, transforming unknown indicators into actionable intelligence within seconds. By combining comprehensive threat data with interactive analysis capabilities, it empowers your team to move from reactive detection to proactive defence.
The threat landscape will only grow more complex. Ensure your SOC has the intelligence infrastructure to stay one step ahead.
