In today’s globalized world, managing supply chain risks has become a top priority for businesses. From cybersecurity threats and compliance issues to supplier sustainability and geopolitical instability, businesses face more complex risks than ever before. The right Supply Chain Risk Management (SCRM) solutions in 2025 help organizations identify, assess, monitor, and mitigate risks effectively. This […]
In 2025, digital transactions are at an all-time high, but so are the risks of fraud.
Businesses in banking, e-commerce, fintech, and even social networks are facing increasing pressure to secure their platforms against identity theft, payment fraud, and cybersecurity threats.
Fraud prevention tools have evolved into AI-driven, machine-learning-powered solutions that proactively monitor suspicious transactions in real-time.
Fraud prevention software today is not only about blocking suspicious activities but also ensuring a seamless customer experience, enhancing trust, and reducing operational costs.
Choosing the right fraud prevention company can be a critical decision that directly impacts both security and customer satisfaction.
Why Best Fraud Prevention Companies 2025
The need for fraud detection and prevention has never been more essential. With the scale of online threats increasing, traditional manual monitoring is no longer sufficient.
Businesses that fail to implement advanced fraud prevention tools risk financial losses, reputational damage, and customer distrust.
The following top 10 fraud prevention companies for 2025 are recognized worldwide for providing cutting-edge technology, strong compliance support, and AI-driven fraud detection to protect organizations of all sizes.
Comparison Table: Top 10 Best Fraud Prevention Companies 2025
Feedzai is a leading fraud prevention platform trusted by major global banks and fintech organizations. Its strength lies in AI-driven financial crime management, ensuring that customers are protected in real-time.
Feedzai leverages big data capabilities to analyze millions of transactions per second, making it ideal for high-volume organizations.
The platform is known for combining real-time analytics with behavioral intelligence to enhance fraud detection accuracy.
In large financial systems where high-speed verification is crucial, Feedzai excels as a comprehensive protection partner.
Specifications
Feedzai is built with advanced AI that integrates with existing banking and payment ecosystems seamlessly. The platform can analyze billions of data points while ensuring minimal disruption to end-users.
Designed with high scalability, it adapts well to enterprises handling large transaction volumes. It provides support for cross-border financial operations and international compliance laws, including GDPR and AML.
Features
The platform offers adaptive machine learning models, fraud detection scoring, and robust AML compliance support. Its key features include transaction monitoring, payment gateway integrations, and behavioral analytics for anomaly detection.
The customizable fraud prevention rules allow organizations to adapt quickly to evolving risks. Feedzai captures digital footprints for identity verification, protecting clients from account takeovers.
Reason to Buy
Feedzai is ideal for large enterprises seeking advanced real-time monitoring and scalable fraud prevention solutions. Businesses benefit from its reduced false positives and streamlined compliance processes.
It allows global organizations to focus on revenue growth without worrying about fraud risks. Its big data-driven approach is especially useful for cross-industry use cases, including banking, retail, and payments.
Pros
Strong AI-driven fraud detection
Seamless API integration
Global compliance support
Adaptive machine learning models
Cons
Premium pricing for small businesses
Complex initial setup for non-technical users
Best For: Large financial institutions and international banks.
Quantexa stands out as one of the best fraud prevention solutions thanks to its innovative use of contextual decision-making technology.
It leverages advanced analytics to uncover hidden relationships between data points, which greatly increases its effectiveness in fraud detection.
Its dynamic entity resolution engine makes it possible to detect complex financial fraud schemes that traditional systems would miss. Quantexa provides exceptional data visualization tools that support investigative teams in detecting unusual activity.
The platform is widely adopted in sectors like banking, insurance, and public safety. It allows users to link data from disparate sources into a single, unified view.
Specifications
Quantexa provides high-end architecture supporting enterprise-level fraud detection requirements. Its contextual decision-making technology integrates seamlessly into compliance and risk workflows.
It is designed with a scalable framework that accommodates both structured and unstructured datasets. The platform offers advanced investigative dashboards and intelligent data linking.
Features
Quantexa features include entity resolution systems, real-time transaction monitoring, and data visualization dashboards. It provides AI-powered fraud scoring that adapts as risks evolve.
The contextual decision intelligence engine ensures organizations detect risk in complex networks. Quantexa supports multilingual data ingestion across multiple geographies.
Reason to Buy
Quantexa should be considered by institutions seeking deep analytical insights and highly accurate fraud detection.
Its contextual decision-making provides a 360-degree view of customers and transactions, leading to precise case handling. Businesses in finance, insurance, and government sectors will especially benefit from its capacity.
Pros
Context-rich entity resolution
Strong data visualization tools
Global compliance integration
Works with structured and unstructured data
Cons
Complex learning curve for new users
Requires strong IT infrastructure
Best For: Enterprises needing deep contextual fraud analytics.
ClearSale is a global leader in fraud prevention with a strong reputation in the e-commerce space. The company specializes in reducing chargebacks while maintaining excellent approval rates for online merchants.
One of the unique aspects of ClearSale is its hybrid fraud detection model, which combines AI-driven technology with human intelligence.
This dual approach ensures that suspicious transactions are carefully reviewed without harming genuine customer experiences.
Online retailers appreciate ClearSale’s focus on maximizing order approvals while minimizing revenue loss due to fraud.
Specifications
ClearSale integrates with major e-commerce systems like Shopify, Magento, and WooCommerce. Its intelligent risk-scoring system evaluates thousands of parameters quickly and accurately.
The hybrid technology ensures false positives are kept to a minimum, enhancing trust between merchants and customers. The solution adapts easily across industries, particularly in online retail, travel, and entertainment.
Features
The platform includes hybrid fraud detection (AI + human review), comprehensive chargeback protection, and customizable fraud rules. Merchants can use real-time dashboards to track suspicious activity.
ClearSale provides a 24/7 fraud analyst support system for deeper investigations. Its global coverage ensures that cross-border merchants benefit equally.
Reason to Buy
ClearSale is recommended for e-commerce merchants who want an AI-driven yet human-centric fraud detection solution. It provides excellent chargeback guarantees and helps increase sales by approving more legitimate transactions.
This makes it extremely valuable for online retail businesses operating in high-risk industries.
Pros
Strong chargeback protection
Hybrid AI and manual review system
Easy integration with e-commerce platforms
High approval rates for orders
Cons
Best suited for online retail, not all industries
May require manual adjustments for specific needs
Best For: E-commerce retailers focusing on reducing chargebacks.
GBG is a trusted identity verification and fraud prevention platform serving businesses worldwide. Known for its expertise in digital identity verification, GBG reduces financial risks while ensuring regulatory compliance.
The platform combines document verification, biometric checks, and database integrations to deliver reliable fraud detection.
Many global enterprises use GBG to comply with AML and KYC regulations. Its flexibility allows organizations to authenticate user identities across multiple industries.
GBG’s data enrichment features also provide deeper insights into customer risk.
Specifications
GBG incorporates advanced identity verification systems capable of processing millions of requests per day. It integrates seamlessly with enterprise legacy systems and modern cloud platforms alike.
Its biometric solutions cover face recognition, document scanning, and liveness detection. GBG sources information from trusted global datasets, improving fraud detection accuracy.
Features
Key features include identity verification, biometric-based authentication, AML screening, and real-time fraud prevention alerts. It provides sanctions and politically exposed persons (PEP) checks globally.
The facial recognition module allows businesses to confirm that users are who they claim to be. It supports multi-layered fraud checks using government-issued IDs and databases.
Reason to Buy
Organizations should choose GBG if they require global identity verification combined with fraud prevention and compliance.
From onboarding to monitoring, it provides an end-to-end solution that balances fraud risk management with customer experience. For businesses looking to remain secure while scaling globally, GBG offers excellent protection.
Pros
Strong identity verification coverage
Compliance with AML/KYC standards
Scalable for global organizations
Biometric and document checks
Cons
Can be resource-intensive for startups
Premium service for enterprise clients
Best For: Global firms needing advanced identity verification solutions.
iDenfy is an identity verification and fraud prevention platform that delivers rapid, AI-powered KYC compliance.
It is particularly well-regarded for its strong anti-money laundering controls and biometric verification systems.
The solution leverages AI-based document recognition to improve accuracy in verifying identities. iDenfy supports real-time video verification, allowing businesses to onboard users securely.
The simplicity of integration makes it a great choice for fintech startups, e-commerce platforms, and banking institutions.
Specifications
iDenfy’s architecture relies on AI and machine learning for automated document checks. Its liveness detection technology prevents identity spoofing.
It can verify over 3,000 document types worldwide. Businesses can integrate iDenfy through API or SDK for flexible use cases.
Features
The platform includes biometric verification, AI-driven document recognition, liveness detection, and AML compliance modules. It offers secure video identity verification for sensitive industries.
Businesses can configure fraud detection workflows for unique requirements. iDenfy also provides detailed compliance reporting for KYC audits.
Reason to Buy
iDenfy is a cost-effective fraud prevention tool, particularly suitable for businesses that require fast deployment and robust security.
It delivers enterprise-grade identity verification without sacrificing affordability, making it a preferred option for SMEs and startups.
Pros
Affordable identity verification solution
Strong AML compliance integration
Video-based KYC verification
Easy API and SDK integration
Cons
Limited customization in comparison to larger competitors
Not ideal for high-volume enterprise requirements
Best For: Startups and SMEs seeking affordable fraud prevention.
Featurespace is a recognized pioneer in fraud prevention, especially known for its Adaptive Behavioral Analytics technology. The company has set benchmarks in fraud detection by analyzing subtle behavior changes in financial transactions.
Featurespace’s ARIC Risk Hub is widely used by global banks, acquirers, and payment providers to prevent fraud in real-time.
Its strong ability to reduce false positives is highly valued, as it allows genuine customers to transact without disruption. Businesses in the payment ecosystem rely on Featurespace to safeguard both themselves and their clients.
The platform’s adaptive machine learning engine continuously learns and improves fraud protection. By identifying unusual transaction patterns, it proactively prevents financial crimes.
Specifications
Featurespace is built with Adaptive Behavioral Analytics, supported by AI-driven risk prediction. The ARIC Risk Hub processes millions of transactions per second without system delays.
It supports enterprise-grade scalability and integrates seamlessly with banking systems. Both cloud and on-premises deployment options are available for flexibility.
Features
Its key features include adaptive fraud monitoring, AML transaction checks, and predictive real-time alerts. By leveraging behavior-driven insights, Featurespace detects fraud better than static rules-based systems.
Transaction scoring ensures accuracy with fewer disruptions to genuine buyers. Dashboards are equipped with data visualization tools to simplify forensic examination. The ARIC platform empowers compliance teams by providing actionable insights.
Its seamless ecosystem integration ensures organizations can rapidly deploy fraud protection across services. Featurespace also updates detection rules in real-time without manual input. The engine evolves naturally, ensuring continuous fraud defense capability.
Reason to Buy
Featurespace is recommended for financial institutions and payment providers who want a highly adaptive fraud prevention system that minimizes false declines.
It provides a strong balance between accuracy, speed, and compliance readiness.
Pros
Patented Adaptive Behavioral Analytics
Real-time fraud monitoring
Low false positives
Scalable deployments
Cons
Primarily focused on financial services
May require skilled implementation support
Best For: Banks and payment providers handling large-scale transactions.
Sardine is a next-generation fraud prevention tool designed mainly for fintech, crypto, and neobank platforms. It provides real-time fraud detection powered by AI and enriched behavioral biometrics.
Unlike many competitors, Sardine is tailored to rapidly growing fintechs handling high-risk transactions. With deep fraud intelligence, it addresses threats like account takeover, payment fraud, and unauthorized transfers.
Sardine continuously monitors devices and user sessions to identify anomalies. It has become a trusted platform for startups and digital-first organizations.
Compliance support includes AML monitoring and transaction screening, making it versatile. Sardine’s innovation in crypto and payments fraud positions it strongly in 2025.
Specifications
The platform is cloud-native with AI-driven risk monitoring. It integrates easily with neobank and payment platforms through secure APIs. Sardine uses device fingerprinting, velocity checks, and biometric behavior tracking for accurate fraud scoring.
Its real-time system can process thousands of transactions simultaneously. It offers AML compliance and suspicious activity reporting tools. The dashboard provides risk insights with full transparency.
Features
Sardine provides AI-driven identity checks, velocity monitoring, and behavioral biometrics for detecting unusual user behavior. Risk scoring integrates seamlessly into transaction workflows.
The platform delivers chargeback protections and compliance automation in high-risk environments. Device fingerprinting ensures strong authentication for digital customers.
Reason to Buy
Sardine is an excellent choice for fintechs, digital banks, and crypto businesses looking for lightweight, scalable, and AI-based fraud prevention.
It delivers security tailored to digital-native organizations operating at speed.
Pros
Strength in crypto and fintech fraud prevention
Advanced behavioral biometrics
Cloud-native and scalable
Seamless fintech integrations
Cons
Still growing compared to established players
Limited track record in traditional industries
Best For: Fintech, neobanks, and crypto payment fraud defense.
BioCatch is renowned for its innovative behavioral biometrics technology that transforms fraud prevention. Instead of just analyzing transactions, BioCatch observes how users physically interact online.
This includes keystroke dynamics, mouse movements, and touchscreen gestures to detect abnormalities. With strong adoption by banks and fintech providers, BioCatch is regarded as one of the most advanced fraud prevention specialists.
It excels at detecting account takeovers, mule accounts, and remote access fraud.
By monitoring digital session behavior, it provides a deeper layer of fraud insights than most competitors. BioCatch’s approach significantly reduces false positives, allowing genuine customers to transact freely.
Specifications
BioCatch uses behavioral biometrics combined with advanced AI to analyze user interactions. It works across multiple devices, including mobile and web-based platforms.
Its fraud prevention capabilities focus on real-time detection of account takeover, phishing, and social engineering attempts. Cloud deployment ensures smooth global scalability.
Features
BioCatch offers behavioral anomaly detection, account takeover prevention, and anti-social engineering capabilities. It tracks over 2,000 individual user interaction metrics.
Its machine learning engine generates actionable fraud alerts instantly. BioCatch simultaneously protects against account creation, login, and transaction fraud.
Reason to Buy
BioCatch is a must-have for organizations seeking invisible fraud prevention that enhances user experience.
By leveraging neuroscience and behavioral science, it provides unparalleled protection against evolving digital threats.
Pros
Industry-leading behavioral biometrics
Invisible, frictionless fraud prevention
Excellent account takeover protection
Proven adoption by global banks
Cons
Requires large data volumes for model optimization
Specific focus on behavioral analytics
Best For: Banks and fintechs requiring behavioral biometrics.
Hawk:AI specializes in fraud prevention for financial crime compliance, focusing on AML and transaction monitoring. It is widely recognized for adopting explainable AI to improve transparency in fraud detection.
This makes it easier for compliance teams to investigate flagged alerts. Hawk:AI targets fraudulent behaviors within banks and payment institutions, ensuring compliance with international legal frameworks.
Its aim is to improve fraud detection accuracy while lowering costs associated with compliance. With support for real-time monitoring, Hawk:AI ensures unlawful transactions are stopped in time.
It is used by multiple financial institutions across Europe and the U.S. Its focus on explainability and compliance differentiates it from conventional fraud detection systems.
Specifications
The solution is AI-powered, aimed at AML compliance and fraud detection monitoring. Its monitoring design supports both real-time and batch processing. Hawk:AI provides regulators with audit-ready documentation of fraud detection cases.
The solution offers flexible deployment, including full cloud-native options. Its architecture scales for small banks as well as global institutions. Hawk:AI’s dashboards are designed for compliance teams to operate seamlessly.
Features
Notable features include AML transaction screening, sanctions monitoring, and fraud risk scoring. Hawk:AI integrates with KYC systems to ensure holistic compliance.
It supports real-time fraud alerts with explanations for flagged risks. Its case management module simplifies investigations. The compliance reporting tool reduces regulatory burdens.
Reason to Buy
Hawk:AI is ideal for banks and financial institutions prioritizing AML compliance along with fraud prevention.
By making AI-based fraud analysis explainable, it provides clarity and trust to both organizations and regulators.
Pros
Strong AML and fraud prevention combo
Explainable AI for regulatory clarity
Real-time risk scoring
Easy compliance integration
Cons
Primarily for financial institutions
Less suited for smaller e-commerce businesses
Best For: Banks needing AML and explainable AI fraud detection.
Onfido is a global leader in identity verification, offering AI-powered fraud prevention with biometric checks. It focuses heavily on ensuring smooth digital customer onboarding.
By leveraging face recognition, document scanning, and advanced machine learning, Onfido blocks fraud while keeping user experience seamless.
It is trusted by companies in fintech, banking, and insurance for its compliance-ready onboarding solutions. The system cross-references documents and biometric data to validate identities instantly.
Onfido’s advanced checks help organizations prevent identity fraud at the source. Its adaptability and ease of integration have fueled its global growth.
Specifications
Onfido combines document checks with biometrics for comprehensive verification. It supports over 4,500 ID document types across 195 countries. The solution uses liveness detection to prevent spoofing with advanced AI algorithms.
Customers can deploy Onfido via cloud or SDK-based integration. It ensures compliance with AML regulations while securing onboarding processes.
Features
Features include identity verification, biometric face recognition, and liveness detection. Onfido supports robust KYC onboarding with speed and accuracy.
Fraud detection algorithms allow businesses to catch identity manipulation in real-time. The system works seamlessly on mobile and web platforms. Compliance modules support financial regulations globally.
Reason to Buy
Onfido is a top choice for digital organizations needing fast, secure, and scalable customer onboarding.
It ensures compliance with KYC requirements while stopping fraud early in onboarding workflows.
Pros
Advanced biometric and document verification
Global coverage of ID document types
API and SDK integration
Strong compliance tools
Cons
May require additional customization for complex enterprises
Compliance modules cost extra
Best For: Digital platforms needing scalable onboarding and fraud prevention.
Fraud prevention in 2025 is driven by AI, behavioral analytics, and compliance-ready platforms.
The top 10 companies Feedzai, Quantexa, ClearSale, GBG, iDenfy, Featurespace, Sardine, BioCatch, Hawk:AI, and Onfido cover a full spectrum of fraud risks, from identity fraud to AML and payment transaction fraud.
Each platform brings unique strengths, from adaptive behavioral learning to behavioral biometrics, making them highly valuable depending on an organization’s needs.
Businesses must choose based on their industry focus, compliance requirements, and scalability needs. These companies represent the best solutions for safeguarding global financial and digital ecosystems in 2025.
ESET researchers have uncovered two sophisticated Android spyware campaigns that target users seeking secure communication platforms by impersonating popular messaging apps Signal and ToTok. These malicious operations appear to focus primarily on residents of the United Arab Emirates (UAE), utilizing deceptive websites and social engineering tactics to distribute previously undocumented malware families. The investigation revealed […]
In a recent wave of targeted phishing campaigns, the Cavalry Werewolf cluster has escalated its operations by impersonating government officials and deploying both FoalShell and StallionRAT malware. These tactics underscore the urgency of maintaining continuous cyber intelligence monitoring and implementing robust email authentication measures. Cavalry Werewolf began its campaign by registering or compromising email addresses […]
In recent months, security teams have observed a surge in Android spyware campaigns that prey on privacy-conscious users by masquerading as trusted messaging apps.
These malicious payloads exploit users’ trust in Signal and ToTok, delivering trojanized applications that request extensive permissions under the guise of enhanced functionality.
Initial distribution relies on phishing websites and fake app stores, prompting users to sideload APKs from unfamiliar domains. Once granted the requested permissions, the spyware quietly embeds itself into the system, maintaining a low profile while harvesting sensitive information.
The campaigns center around two distinct spyware families: AndroidSpy.ProSpy, which impersonates Signal and ToTok plugins, and AndroidSpy.ToSpy, which poses as a standalone ToTok app.
Both are manually installed outside official app stores, taking advantage of Android’s “unknown sources” setting.
WeLiveSecurity researchers identified that the domains signal.ct.ws and encryption-plugin-signal.com-ae.net distributed ProSpy under the guise of a nonexistent “Signal Encryption Plugin,” while ToSpy variants were available through sites mimicking the Samsung Galaxy Store.
These campaigns appear regionally focused on the United Arab Emirates, leveraging local user bases of Signal and ToTok.
Upon installation, the spyware requests access to contacts, SMS messages, file storage, and device information.
ProSpy execution flow (Source – Welivesecurity)
If permissions are granted, ProSpy and ToSpy immediately begin exfiltration processes that collect hardware and OS details, chat backups, media files, documents, and installed‐app lists.
ToSpy execution flow (Source – Welivesecurity)
ToTok-specific spyware even targets “.ttkmbackup” files to harvest chat history. Both families encrypt exfiltrated data using hardcoded AES-CBC with the key p2j8w9savbny75xg, then transmit it via HTTPS POST to command-and-control servers.
This encryption routine is implemented as shown in the decompiled snippet below, highlighting the hardcoded key and encryption parameters.
Decompiled code responsible for SMS collection (Source – Welivesecurity)
Infection Mechanism
The infection mechanism begins with social-engineering lures—users encountering links via messaging apps or spoofed social media posts.
When a victim clicks a malicious link, they land on a deceptively branded page that imitates familiar app repositories.
For ProSpy, two domains presented an “Encryption Plugin” that promised enhanced messaging security, requiring users to enable manual APK installation.
Similarly, ToSpy distribution leveraged phishing pages styled after the Galaxy Store to deliver a “ToTok Pro” APK.
Once sideloaded, the app registers a foreground service to ensure persistent operation, displays a convincing onboarding screen, and uses AndroidManifest activity-alias entries to alter its icon and name to “Play Services,” effectively hiding in plain sight.
To establish persistence, the spyware sets an AlarmManager to restart its service if killed and registers a BOOT_COMPLETED BroadcastReceiver to relaunch after device reboots.
This combination of social engineering, manual installation, aliasing, and persistent background processes ensures continuous data extraction with minimal user awareness.
As these campaigns remain active, Android users are urged to avoid sideloading apps from untrusted sources and to keep Play Protect enabled.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
In recent months, a sophisticated campaign dubbed Cavalry Werewolf has emerged, targeting government and critical infrastructure organizations across Russia and neighboring regions.
Adversaries initiated these attacks by sending meticulously crafted phishing emails that impersonate officials from Kyrgyz government agencies.
These emails contain malicious RAR archives, which deploy a suite of custom tools, including the FoalShell reverse shell and a more potent component known as StallionRAT.
With its modular design and Telegram-based command-and-control (C2) infrastructure, StallionRAT has rapidly become the primary tool in the actor’s arsenal.
Bi.Zone analysts identified this cluster of activity between May and August 2025, noting its expansion into mining, energy, and manufacturing sectors.
Victims are lured into opening attachments with authentic-looking logos and editorial styles, often referencing real email addresses harvested from official websites.
Phishing emails (Source – Bi.Zone)
Once executed, these attachments drop both the reverse shell and a PowerShell-based loader for StallionRAT, ensuring the adversary gains immediate access and maintains long-term control over compromised hosts.
The impact of this campaign has been significant: once inside the network, threat actors have exfiltrated sensitive files, deployed SOCKS5 proxying tools for lateral movement, and leveraged domain enumeration commands to map internal environments.
By masquerading Triton RAT as routine correspondence, the cluster achieves high user execution rates while evading perimeter defenses.
Compromised machines are enrolled in Telegram chats, enabling operators to issue commands, upload additional payloads, and extract data in real time.
Infection Mechanism and Loader Workflow
StallionRAT’s infection mechanism relies on a dual-stage loader implemented in C++. Upon execution, the launcher invokes PowerShell with a Base64-encoded command.
This command decodes and executes the main payload entirely in memory, bypassing disk-based detections:
C# code snippet from FoalShell reverse shell (Source – Bi.Zone)
Once decoded, StallionRAT initializes by generating a random DeviceID between 100 and 10 000 and retrieving the host’s computer name via $env:COMPUTERNAME.
It then enters an infinite loop, calling the getUpdates function against the Telegram Bot API to fetch new instructions. Responses and errors are sent back to a designated chat, enabling the operator to issue commands such as /go [DeviceID] [command] to execute arbitrary code through Invoke-Expression.
This loader architecture not only evades traditional antivirus solutions by avoiding writing the main binary to disk, but also exploits the legitimacy of PowerShell to mask malicious activity.
The use of Telegram as a transport layer further complicates detection, as encrypted HTTPS traffic blends with normal application flows.
By chaining custom C++ and PowerShell components, StallionRAT achieves both stealth and flexibility, making it a formidable threat to even well-defended environments.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
A critical vulnerability affecting DrayOS routers could let unauthenticated attackers execute code remotely. Discovered on July 22 by Pierre-Yves Maes of ChapsVision, the flaw stems from the use of an uninitialized variable in the Web User Interface (WebUI). Crafting special HTTP or HTTPS requests to the WebUI triggers memory corruption, potentially crashing the device or […]
AmCache plays a vital role in identifying malicious activities in Windows systems. This tool allows the identification of both benign and malicious software execution on a machine.
Managed by the operating system and virtually tamper-proof, AmCache data endures even when malware auto-deletes itself, making it indispensable in incident response.
AmCache stores SHA-1 hashes of executed files, enabling DFIR professionals to query public threat intelligence feeds such as OpenTIP and VirusTotal and rapidly generate indicators of compromise for blocking across the network.
The new open-source tool, released by Kaspersky researchers, simplifies the parsing of the Amcache.hve registry hive, automating IOC extraction and threat intelligence lookups to accelerate threat detection and containment.
AmCache EvilHunterTool
AmCache-EvilHunter is a command-line utility written in Python that ingests the C:\Windows\AppCompat\Programs\Amcache.hve file and extracts key metadata entries.
It parses critical registry keys InventoryApplicationFile, InventoryDriverBinary, InventoryApplication, and InventoryApplicationShortcut—to reveal file paths, publisher data, LinkDate timestamps, binary types (32-bit vs. 64-bit), and SHA-1 hashes. A sample invocation looks like this:
Basic usage of AmCache-EvilHunter
This command filters records by date range, outputting a CSV of all executables present between September 1 and September 30, 2025.
CSV result
The FileID field contains the hash with four leading zeroes, while Size and IsOsComponent flags help analysts distinguish system binaries from potential malware.
Kaspersky stated that AmCache-EvilHunter’s standout features include built-in threat intelligence integration and advanced filtering options.
The –find-suspicious flag applies heuristics—such as one-letter names (1.exe), random hex filenames, and common typo variants like scvhost.exe to highlight anomalous entries.
Suspicious files identification
Additional flags, –missing-publisher and –exclude-os, further reduce noise by filtering out signed OS components. For each identified hash, users can invoke:
This triggers automated lookups against VirusTotal and Kaspersky OpenTIP, appending detection counts and threat classification tags to the output.
Analysts can also search specific keywords or ProgramId values using –search “winscp.exe” to confirm the presence of deleted or transient tools.
AmCache-EvilHunter uses the Registry Python library to load the REGF-formatted hive while iterating through its subkeys and values.
Its modular architecture allows developers to extend support for custom IOC feeds or integrate with SOAR platforms. Binaries and scripts are available on GitHub for both Windows and Linux deployments.
By automating parsing, filtering, and threat lookups, AmCache-EvilHunter significantly cuts manual effort and accelerates DFIR workflows.
Incident responders can rapidly reconstruct execution timelines, pinpoint stealthy rootkits via InventoryDriverBinary, and generate robust IOCs from InventoryApplicationFile entries.
As adversaries increasingly employ self-erasing malware, this tool ensures that crucial execution evidence is never lost.
In the constantly evolving world of cyber threats, staying informed is not just an advantage; it’s a necessity. First observed in 2022, XWorm quickly gained notoriety as a highly effective malware, providing cybercriminals with a versatile toolkit for malicious activities. XWorm’s modular design is built around a core client and an array of specialized components […]
The resurgence of XWorm in mid-2025 marks a significant escalation in malware sophistication.
After a lull following the abrupt discontinuation of official support for version 5.6 in late 2024, threat actors unveiled XWorm V6.0 on June 4, 2025.
A post on hackforums.net by an account named XCoderTools first announced this release, claiming to patch a critical remote code execution flaw present in earlier editions.
Post made on hackforums[.]net (Source – Trellix)
Despite initial skepticism about the author’s authenticity, subsequent samples submitted to VirusTotal confirmed the malware’s rapid adoption among cybercriminals.
XWorm’s modular architecture centers around a core client and a suite of plugins that enable varied malicious activities—from credential theft to ransomware deployment.
Once the initial dropper executes, it employs a multi-stage infection chain designed to evade detection and persist on compromised systems.
Infection chain of XWorm V6.0 (Source – Trellix)
Trellix analysts noted that the attacker-delivered JavaScript installer disables Windows Defender’s Antimalware Scan Interface before launching a PowerShell script that loads an injector DLL.
By injecting code into a legitimate Windows process such as RegSvcs.exe, the malware effectively conceals its presence within trusted system binaries.
Subsequent communication follows a well-defined protocol toward a command-and-control (C2) server at 94.159.113.64 over port 4411, using an AES-encrypted channel and a default key of 666666.
Once connected, the client generates a unique machine identifier by hashing a combination of system parameters—username, OS version, processor count, and directory sizes.
Generation of Client ID (Source – Trellix)
This Client ID is stored under HKCU in the registry and used for all future plugin storage, encryption routines, and C2 transactions.
Infection Mechanism
Delving into XWorm V6’s infection mechanism reveals a carefully orchestrated sequence of actions. The initial payload arrives as a JavaScript (.js) file embedded in phishing emails or compromised websites.
When executed, this script issues a PowerShell command similar to the following:-
The downloaded PowerShell content first calls [System.Management.Automation.AmsiUtils]::ToggleAmsi(false) to disable AMSI scanning.
It then writes the injector DLL and the primary XWorm client executable to %TEMP%, before launching the DLL using:-
Process injector = new Process();
injector.StartInfo.FileName = "rundll32.exe";
injector.StartInfo.Arguments = “\"%TEMP%\\injector.dll\",#1 \"%TEMP%\\XWormClient.exe\"”;
injector.Start();
By leveraging rundll32.exe, the injector maps malicious code into the address space of RegSvcs.exe, ensuring the Trojan runs under a legitimate process context.
This stealthy approach not only bypasses application whitelisting but also complicates forensic analysis by scattering malicious components across transient directories.
Once the payload is resident, the client calls home to retrieve further instructions or plugins, which are delivered as Base64-encoded DLLs.
Each plugin’s SHA-256 hash is checked against the registry; if absent, the plugin is fetched and loaded directly into memory, negating the need for disk writes.
This memory-resident design significantly reduces the malware’s footprint and enhances persistence, making detection and remediation especially challenging for defenders.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
Yes.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)
.webp)