ANY.RUN’s 2025 Report Details Record Growth and Innovation


The 2025 annual report from the interactive malware analysis platform ANY.RUN reveals a year of significant achievement and expansion, marking a pivotal period that not only scaled its user base to unprecedented levels but also introduced critical technological advancements in the fight against cybercrime. The detailed analysis encapsulates a company solidifying its role as an essential component of the global security apparatus, with its platform’s evolution directly reflecting the dynamic and increasingly complex nature of modern digital threats. The year was characterized by a surge in community engagement, pioneering research that led to the discovery of major new threats, and the strategic expansion of its sandbox capabilities to cover a wider array of attack vectors, providing vital tools for security professionals ranging from independent researchers to corporate security operations centers within the world’s most influential organizations. This comprehensive progress underscored the growing reliance on interactive and automated analysis in an era of persistent and sophisticated cyber adversaries.

A Year of Unprecedented Community Expansion

The platform’s growth in 2025 was a testament to its increasing indispensability within the global cybersecurity community, which expanded to include over half a million users by year’s end. This substantial community, which welcomed 81,000 new members, demonstrated remarkable engagement by collectively dedicating more than 400,000 hours to analyzing malicious software—an effort equivalent to over 45 consecutive years of continuous research. This intensive activity resulted in the processing of 5.7 million distinct analysis tasks originating from 195 countries, culminating in the successful identification and documentation of 1.1 million unique threats. The sheer volume of this collaborative effort highlights the platform’s capacity to serve as a central hub for threat analysis on a global scale, pooling expertise and data from a diverse and highly active user base to build a more comprehensive understanding of the evolving threat landscape and its various actors.

This explosive growth was not confined to individual researchers; it also reflected deep penetration into the corporate sector, affirming the platform’s value in enterprise-level security operations. A significant milestone was the adoption of the service by 74 of the Fortune 100 companies, a clear indicator of its trusted status in protecting the assets of the world’s largest and most targeted organizations. The geographical distribution of the most active users further emphasized its international relevance, with major hubs of activity located in the United States, Germany, the United Kingdom, and India. This widespread adoption across key economic and technological centers demonstrates the platform’s ability to meet the rigorous demands of different regulatory environments and threat contexts, solidifying its position as a go-to solution for high-stakes corporate cybersecurity and incident response teams across the globe.

Pioneering New Frontiers in Malware Analysis

Responding directly to the shifting tactics of cybercriminals, 2025 saw a strategic and substantial evolution of the ANY.RUN platform’s core capabilities, expanding its analysis environments far beyond its traditional Windows-based sandbox. A landmark development was the introduction of full support for Android analysis, a timely enhancement that allowed security teams to safely detonate and inspect malicious APK files in virtual machines that closely mimic real mobile devices. This addition directly addressed the significant surge in mobile-based threats observed throughout the year. In a parallel expansion, the platform also incorporated support for the Linux Debian operating system. This was a crucial move that empowered security analysts to investigate ARM-based threats, a rapidly growing category of malware specifically designed to target the vast and often-vulnerable ecosystem of Internet of Things (IoT) devices and other systems powered by ARM architecture, thus closing a critical gap in modern threat analysis.

To complement these expanded environments, the company introduced innovative features designed to streamline and accelerate the analytical workflow. A key innovation was the launch of “Detonation Actions,” a feature that provides analysts with guided, contextual hints during an investigation to help them more efficiently uncover obfuscated or hidden malicious behaviors that might otherwise be missed. In a major stride toward intelligent automation, the platform also unveiled “AI Sigma Rules.” This advanced capability directly confronts one of the most time-consuming tasks in security operations: the manual creation of detection signatures. By automatically generating deployment-ready Sigma rules from analysis results, the platform enables security teams to seamlessly integrate these new detections into their existing enterprise security systems, such as SIEM, SOAR, and EDR platforms, thereby significantly reducing the time from malware discovery to organizational protection.

Delivering Actionable Threat Intelligence and Groundbreaking Research

The platform’s threat intelligence offerings matured significantly in 2025, becoming a vital resource for the security community and demonstrating a commitment to democratizing access to critical data. The Threat Intelligence Lookup service proved its value by fielding nearly 195,000 search requests, with the phishing-as-a-service kit known as Tycoon2FA emerging as both the most frequently searched-for and most actively observed threat of the year. In a landmark move to support the broader security ecosystem, a free plan was launched for the threat intelligence portal, providing verified, high-context data to researchers and organizations without a cost barrier. The intelligence portfolio was further enriched with the introduction of “TI Reports,” which deliver deep, campaign-specific insights, and “Industry & Geo Threat Landscape” data, which provides essential context on how threats are targeting specific economic sectors and geographical regions, allowing for more tailored and proactive defense strategies.

A cornerstone of the company’s success in 2025 was the research team’s ability to consistently deliver first-to-detect discoveries of several high-impact threats, providing invaluable early warnings to the global security community. The team identified and documented Salty2FA, a sophisticated and highly complex Phishing-as-a-Service framework. Researchers also uncovered Salvador Stealer and Pentagon Stealer, two new variants of Android banking malware, and Tykit, a credential-stealing malware that served as a stark reminder of how minor security gaps could be exploited for major impact. The year’s research culminated in the detection of a novel hybrid malware that ingeniously combined the functionalities of the Salty2FA and Tycoon2FA frameworks. Perhaps the most groundbreaking investigation published was the detailed documentation of a live operation by the Lazarus Group, in which researchers captured the state-sponsored actors’ activities in real time as they attempted to infiltrate legitimate IT companies, offering an unprecedented look into their operational tactics.

Industry Accolades and a Vision for the Future

This record of innovation and impact was met with widespread industry recognition, as ANY.RUN earned multiple prestigious awards throughout 2025. These accolades included gold and silver honors at the Globee Awards, the title of Best TI Service at the Cybersecurity Excellence Awards, and the distinguished recognition as the Threat Intelligence Company of 2025 at the CyberSecurity Breakthrough Awards. Furthering its commitment to seamless integration within the broader security ecosystem, the company released a new SDK and launched out-of-the-box integrations with major security orchestration and management platforms. These integrations included key players such as Palo Alto Networks Cortex XSOAR, Microsoft Sentinel, Microsoft Defender, and IBM Security QRadar SOAR, enabling enterprise teams to incorporate the platform’s powerful analysis capabilities directly into their existing workflows and automate incident response processes more effectively.

The tangible benefits of these advancements in 2025 were directly reflected in the improved operational metrics of the platform’s user base, which experienced a dramatic enhancement in its ability to detect and respond to threats. Security operations centers using the platform reported that the average mean time to detect (MTTD) had fallen to an impressive 15 seconds, a critical reduction that minimizes the window of opportunity for attackers. Furthermore, the mean time to respond (MTTR) was reduced by an average of 21 minutes, allowing teams to contain and remediate threats far more rapidly. Ultimately, 95% of SOCs utilizing the platform confirmed a measurable improvement in their overall investigation speed, a conclusive result that validated the year’s focus on user-centric innovation and workflow efficiency.
