ANY.RUN, the interactive malware analysis platform, has wrapped up 2025 with impressive growth figures and significant contributions to the cybersecurity community.
The company’s annual report reveals how its global user base collectively spent over 400,000 hours analyzing threats—equivalent to more than 45 years of continuous research.
The platform processed 5.7 million analyses across 195 countries throughout the year, uncovering 1.1 million threats in the process. The user community expanded to over 500,000, with 81,000 new members joining in 2025.
Notably, 74 of the Fortune 100 companies utilized ANY.RUN’s sandbox for their security operations, with the most active users based in the United States, Germany, the United Kingdom, and India.
Platform Evolution and New Capabilities
ANY.RUN introduced substantial updates to its Interactive Sandbox in 2025, expanding analysis capabilities beyond traditional Windows environments.

The addition of Android support enabled security teams to analyze APK files in virtual machines that closely replicate real Android devices—a timely enhancement given the surge in mobile threats throughout the year.
The platform also added Linux Debian OS support, allowing analysts to detonate ARM-based threats targeting IoT devices and other ARM systems. These expansions made the sandbox more versatile for investigating diverse threat landscapes.
To streamline the analysis process, ANY.RUN launched Detonation Actions, which provide guided hints to help analysts uncover hidden threats more efficiently.
The platform also introduced AI Sigma Rules, automating one of the most time-consuming aspects of detection work by generating deployment-ready rules for SIEM, SOAR, and EDR systems.
Threat Intelligence Expansion
ANY.RUN’s Threat Intelligence Lookup saw nearly 195,000 requests in 2025, with Tycoon2FA emerging as both the most searched and most active threat.

The company democratized access to its threat intelligence by launching a free plan, offering 100% verified context at no cost.
New features like TI Reports and Industry & Geo Threat Landscape data provided analysts with campaign-specific insights and contextual information about how threats relate to specific sectors and countries.
The Threat Intelligence Feeds product grew through STIX/TAXII integration and new connectors, including partnerships with ThreatQ and major security platforms.
First-to-Detect Discoveries
ANY.RUN researchers identified several significant threats before the broader security community.
Notable discoveries included Salty 2FA, a sophisticated Phishing-as-a-Service framework; Salvador Stealer and Pentagon Stealer, both Android banking malware variants; and Tykit, a credential-stealing malware demonstrating how small defense gaps can lead to major impacts.

The year concluded with detection of a hybrid cross-kit malware combining Salty2FA and Tycoon2FA frameworks.
The company also published groundbreaking research documenting Lazarus Group’s North Korean IT workers infiltration scheme, capturing actors live inside controlled environments.
Recognition and Integration
ANY.RUN received multiple industry accolades in 2025, including gold and silver awards at the Globee Awards, recognition as Best TI Service at the Cybersecurity Excellence Awards, and the title of Threat Intelligence Company of 2025 at the CyberSecurity Breakthrough Awards.
The platform expanded its ecosystem through an SDK release and ready-to-use integrations with Palo Alto Networks Cortex XSOAR, Microsoft Sentinel, Microsoft Defender, and IBM Security QRadar SOAR, enabling seamless workflows within existing security stacks.
Looking Ahead to 2026
ANY.RUN outlined ambitious plans for 2026, including enhanced collaboration features for SOC teams, refined reporting capabilities with AI-powered summaries and auto-generated YARA rules, and SSL decryption without MITM for improved network threat detection.
The company will also expand VM support to include macOS and Windows Server environments for Enterprise users.
Users reported measurable improvements in 2025, with average mean time to detect dropping to 15 seconds, mean time to respond reduced by 21 minutes, and investigation speed improved in 95% of security operations centers.
