Frequently Asked Questions

Product Information & Technology

What is Cymulate and how does it help organizations manage cyber threats?

Cymulate is an Exposure Management Platform designed to proactively validate security controls, threats, and response capabilities. It helps organizations focus on exploitable exposures, strengthen their security posture, and stay ahead of emerging risks by simulating real-world attacks across IT environments. Learn more.

How does Cymulate's technology work to simulate real-world malware threats?

Cymulate uses automated offensive testing, leveraging a library of over 100,000 attack actions aligned to MITRE ATT&CK and daily threat intelligence. This enables organizations to validate their defenses against threats like malware droppers, ransomware, and phishing, providing actionable insights for remediation. Read more.

What is the primary purpose of Cymulate's platform?

The primary purpose of Cymulate's platform is to harden defenses and optimize security controls by proactively validating controls, threats, and response capabilities. This ensures organizations focus on exploitable exposures and strengthen their overall security posture. Learn more.

How does Cymulate address threats from pirated software sites and malware droppers?

Cymulate simulates threats such as malware droppers distributed via pirated software sites by testing security controls against these attack vectors. The platform validates whether defenses can detect and mitigate threats delivered through complex redirect systems, malvertising networks, and obfuscated download mechanisms, as described in the original webpage analysis.

What types of cyber threats does Cymulate help defend against?

Cymulate helps defend against a wide range of cyber threats, including ransomware, phishing, advanced persistent threats (APTs), malware droppers, and threats targeting cloud and hybrid environments. Read more about threats in financial services.

How does Cymulate's Threat Validation solution differ from manual pen tests and traditional BAS?

Cymulate's Exposure Validation provides automated, continuous security testing with a library of over 100,000 attack actions, easy control integrations, and automated mitigation capabilities. Unlike manual pen tests and traditional BAS, Cymulate offers real-time validation, actionable remediation, and daily threat intelligence updates. Learn more.

What is the benefit of Cymulate's immediate threats module?

According to a Penetration Tester, Cymulate's immediate threats module is highly valued for its rapid updates. It allows organizations to quickly assess their IT estate for new risks and implement remedial actions promptly. Read testimonial.

How does Cymulate's 'Threat (IoC) updates' feature improve threat resilience?

Cymulate's 'Threat (IoC) updates' feature provides recommended Indicators of Compromise (IoCs) that can be exported and applied directly to security controls. This improves threat resilience by enabling control owners to build defenses against new threats quickly and efficiently.

What technical documentation is available for Cymulate?

Cymulate offers a range of technical resources, including whitepapers, guides, data sheets, solution briefs, and impact reports. These cover topics like CTEM, threat validation, vulnerability management, and automated mitigation. Access the full resource hub at Cymulate Resources.

Features & Capabilities

What are the key capabilities of Cymulate's platform?

Cymulate's platform offers continuous threat validation, unified security validation (BAS, CART, Exposure Analytics), AI-powered optimization, complete kill chain coverage, attack path discovery, automated mitigation, and cloud validation. These capabilities ensure organizations stay ahead of emerging risks and improve operational efficiency. Learn more.

What integrations does Cymulate support?

Cymulate integrates with a wide range of security technologies, including Akamai Guardicore, AWS GuardDuty, BlackBerry Cylance OPTICS, Carbon Black EDR, Check Point CloudGuard, Cisco Secure Endpoint, CrowdStrike Falcon, Crowdstrike Falcon LogScale, Wiz, and more. For a complete list, visit Partnerships and Integrations.

How does Cymulate help organizations prioritize exposures?

Cymulate ranks vulnerabilities based on exploitability, business context, and threat intelligence, enabling organizations to focus remediation efforts on the most critical exposures. This evidence-based prioritization improves threat resilience and operational efficiency.

Does Cymulate support cloud security validation?

Yes, Cymulate provides dedicated validation features for hybrid and cloud environments, integrating with cloud security solutions like AWS GuardDuty, Check Point CloudGuard, and Wiz to ensure comprehensive coverage. Learn more.

How often does Cymulate update its threat library?

Cymulate updates its threat library daily, ensuring customers have access to the most advanced and current attack simulations to stay ahead of emerging threats.

Pricing & Plans

What is Cymulate's pricing model?

Cymulate operates on a subscription-based pricing model tailored to each organization's requirements. Pricing is determined by the specific package, number of assets, and scenarios selected for testing and validation. For a detailed quote, schedule a demo with Cymulate's team.

Implementation & Support

How long does it take to implement Cymulate?

Cymulate is designed for quick and seamless implementation. Operating in agentless mode, it requires no additional hardware or complex configurations. Customers can start running simulations almost immediately after deployment. Book a demo.

What support options are available for Cymulate customers?

Cymulate offers comprehensive support, including email support ([email protected]), real-time chat support, a knowledge base with technical articles and videos, webinars, and e-books on security validation best practices. Access resources.

Security & Compliance

What security and compliance certifications does Cymulate hold?

Cymulate holds SOC2 Type II, ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1 certifications. These attest to Cymulate's robust security practices, cloud security, and privacy management. Learn more.

How does Cymulate ensure data security and privacy?

Cymulate is hosted in secure AWS data centers, offers multiple data locality choices, uses TLS 1.2+ for data in transit and AES-256 for data at rest, and maintains high availability through redundancy and disaster recovery. The platform is developed using a Secure Development Lifecycle (SDLC) and undergoes annual third-party penetration tests. Read more.

Competition & Comparison

How does Cymulate compare to AttackIQ?

Cymulate delivers the industry's leading threat scenario library and AI-powered capabilities to streamline workflows and accelerate security posture improvement. AttackIQ provides automated security validation but lacks Cymulate's innovation, threat coverage, and ease of use. Read more.

How does Cymulate compare to Mandiant Security Validation?

Mandiant Security Validation is one of the original BAS platforms but has seen minimal innovation in recent years. Cymulate continually innovates with AI and automation, expanding into exposure management and maintaining a leadership position. Read more.

How does Cymulate compare to Pentera?

Pentera focuses on attack path validation but lacks the depth Cymulate provides for full kill chain coverage and cloud control validation. Cymulate offers comprehensive exposure validation and automated mitigation. Read more.

How does Cymulate compare to Picus Security?

Picus is suitable for those seeking an on-premise BAS vendor, but Cymulate is the better choice for a complete exposure validation platform with full kill chain coverage and cloud control validation. Read more.

How does Cymulate compare to SafeBreach?

Cymulate outpaces SafeBreach with unmatched innovation, precision, and automation. As the pioneer of AI-powered BAS, Cymulate offers the industry's largest attack library, a full CTEM solution, and comprehensive exposure validation. Read more.

How does Cymulate compare to Scythe?

Scythe is suitable for advanced red teams building custom attack campaigns but lacks Cymulate's ease of use, continuous validation, and actionable remediation. Cymulate provides a more complete exposure validation platform with automated mitigation and a library of over 100,000 attack actions. Read more.

Use Cases & Benefits

Who can benefit from Cymulate's platform?

Cymulate is designed for CISOs, Security Leaders, SecOps teams, Red Teams, and Vulnerability Management teams in industries such as media, transportation, financial services, and more. The platform addresses the needs of organizations prioritizing cybersecurity and exposure management. Learn more.

What business impact can customers expect from using Cymulate?

Customers report an 81% reduction in cyber risk within four months, a 60% increase in efficiency, 40X faster threat validation, 30% improvement in threat prevention, 52% reduction in critical exposures, and measurable ROI with improved detection accuracy and reduced manual SecOps tasks. Read case study.

What feedback have customers given about Cymulate's ease of use?

Customers consistently praise Cymulate for its intuitive, user-friendly platform. Testimonials highlight easy implementation, practical insights, accessible support, and immediate value. For example, Raphael Ferreira, Cybersecurity Manager at Banco PAN, said, "Cymulate is easy to implement and use—all you need to do is click a few buttons, and you receive a lot of practical insights into how you can improve your security posture." Read more testimonials.

What pain points does Cymulate solve for security teams?

Cymulate addresses overwhelming threat volumes, lack of visibility, unclear prioritization, operational inefficiencies, fragmented tools, cloud complexity, and communication barriers. It provides continuous threat validation, prioritization of exposures, improved resilience, collaboration across teams, automated processes, and validated exposure scoring. Learn more.

Do the pain points solved by Cymulate differ by persona?

Yes, Cymulate tailors its solutions for CISOs (communication barriers, metrics), SecOps teams (operational inefficiencies, visibility), Red Teams (threat simulation capabilities), and Vulnerability Management teams (risk prioritization, efficiency). Each persona benefits from features aligned to their specific needs. Learn more.

Company Information & Vision

What is Cymulate's mission and vision?

Cymulate's mission is to empower organizations to manage their security posture proactively and effectively. The vision is to drive lasting change in cybersecurity by providing an Exposure Management Platform that proves threats and improves resilience. Read more.

What is Cymulate's company history and global reach?

Cymulate was founded in 2016 and has grown to serve over 1,000 customers in 50 countries, with offices in 8 locations worldwide. The company is recognized for its innovative solutions and customer-centric approach. Learn more.

What is Gartner's prediction regarding threat exposure findings by 2028?

Gartner predicts that by 2028, more than half of threat exposure findings will result from nontechnical vulnerabilities, requiring a fundamental shift in security priorities as these risks surpass traditional IT concerns. Read report.

Fake Pirated Software Sites Distribute Malware via InstallUSD

September 2, 2021

“Traffic exchanges” are an old standby of malware campaigns. Often mocked on underground boards as outdated, these marketplaces for “software installs” remain a tool for various malware actors and cybercriminals—particularly entry-level criminals with minimal skills looking to distribute malware.

Many of these services advertise on the same boards where they are ridiculed. Criminal affiliates can set up accounts quickly, but most require an initial Bitcoin deposit before they can begin distributing installers.

One example, InstallBest (hosted on installs[.]info), is based in Russia. The site provides direct instructions in Russian and English on how to get started. It also offers advice on “best practices,” such as avoiding Cloudflare-based hosts for downloaders and using URLs within Discord’s CDN, Bitbucket, or other cloud services. However, affiliates don’t always follow this advice, as evidenced by the presence of some installers on Discord.

Once the affiliate deposits Bitcoin, they can set up campaigns through a simple web form. The form allows selection of specific geographic targets, with higher prices for the U.S., Canada, and Australia. For $2 per drop, buyers can purchase 1,000 downloads through the service’s distribution chain.

Another Russian-based site, shop1[.]host, promoted on underground forums, appears to be pivoting as it claims to be putting its payment system into maintenance for “a month or two.”

Malware Middlemen

Some of these services provide their own delivery networks, while others act as intermediaries for established traffic suppliers, including malvertising networks that pay blog publishers for traffic.

One of these, linked to several malware campaigns found on “cracked” software blogs, was powered in part by InstallUSD, an advertising network based in Pakistan. InstallUSD promised payments of up to $5 per software install delivered.

InstallUSD’s site allowed publishers to register and post download links, but required them to complete registration via Skype chat with a “publishers manager” named Jamashad.

Further investigation uncovered a Facebook page for InstallUSD, listing a phone number that also linked to WorkingKeys[.]org, a website that claims to host cracked software downloads. This site is directly connected to InstallUSD through the malware-linked download URLs.

The WorkingKeys domain name servers (ns1.installusd.online and ns2.installusd.online) also serve about 150 other domains related to cracked software. Some of these domains are inactive, some contain no outbound links, but several actively distribute malware.

While analyzing other malware dropper services, we found that many were connected to InstallUSD’s malvertising infrastructure.

Following the Downloads

Method 1: InstallUSD Affiliate System

Eight of the initial 15 “bait” blogs analyzed were linked to InstallUSD’s install-as-a-service network. These sites used JavaScript-driven download buttons, redirecting users through multiple sites to:

  • Track campaign data
  • Verify the user’s OS and browser information via User-Agent headers
  • Generate redirects based on the gathered data

These tracker sites and many bait blogs were hidden behind Cloudflare’s CDN and registered through Namecheap.

Redirect behavior depended on the user's system:

  • Mobile, MacOS, or Linux users saw:
    • Fake security alerts promoting VPN or security app installations
    • Prompts to install a browser plugin to view content
    • “Captcha” pages requiring users to allow notifications—leading to spammed malware alerts
    • Redirects to other affiliate programs, including fake Yahoo news pages, adult web games, and dating sites

The JavaScript controlling the download buttons came from different source servers but followed the same basic structure:

  1. Opened a new browser tab using forwarding links via referral proxies
  2. Used proxies to scrub referrer data from originating sites
  3. Initially used nullrefer[.]com as a referrer proxy, but later switched to href[.]li (operated by Automattic, WordPress’ parent company)
  4. Concealed destination URLs using HTTPS, preventing browser security tools from inspecting the actual destination
  5. Embedded Base64-encoded text pointing to a command-and-control (C2) server

The cross-site scripts loaded for download buttons were generated dynamically based on URL source parameters.

Download Plan B

Some disrupted sites did not transition to new infrastructure. Instead, they:

  • Continued using the original scripting hosts
  • Launched a simplified redirect system pointing directly to the malware payload download server

These sites did not use href.li as a referrer proxy. Instead, the JavaScript-controlled download buttons contained three variables:

  • s – Identifying the source of the link
  • q – Name of the download
  • g – Unique source blog identifier

A function called getThere opened a new browser window pointing to a tracker server. The URL format followed a structured pattern.
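
Pulling the two button-script designs above together (the referrer-proxy hop with an embedded Base64 pointer, and the simplified getThere() tracker call with s/q/g parameters), here is a small static triage script an analyst could run over JavaScript pulled from a bait blog. It is an added example written for this page, not code from the original article or from any of the services it names. The referrer-proxy hosts nullrefer.com and href.li are the ones the article reports; the sample scripts are constructed, and the hosts c2.example and tracker.example are placeholders.

```javascript
// Static triage of the JavaScript behind a "download" button on a bait blog.
// Added example, not code from the original article. It checks for the three
// indicators the write-up describes: a referrer-proxy hop (nullrefer[.]com,
// href[.]li), a Base64 blob that decodes to a URL (the hidden C2 pointer), and
// the simplified "Plan B" getThere() call carrying s/q/g tracker parameters.
// Runs under Node.js with no network access.

// Referrer-proxy hosts named in the article (defanging brackets removed so the
// strings match live script text).
const REFERRER_PROXIES = ["nullrefer.com", "href.li"];

// Return the referrer-proxy hosts referenced anywhere in the script.
function findReferrerProxies(js) {
  const lower = js.toLowerCase();
  return REFERRER_PROXIES.filter((host) => lower.includes(host));
}

// Return every Base64 token that decodes to an http(s) URL. Such a token is
// the destination the page keeps out of sight until the hop happens.
function findBase64Urls(js) {
  const found = [];
  for (const m of js.matchAll(/[A-Za-z0-9+/]{20,}={0,2}/g)) {
    const decoded = Buffer.from(m[0], "base64").toString("utf8");
    if (/^https?:\/\/[\x21-\x7e]+$/.test(decoded)) found.push(decoded);
  }
  return found;
}

// Detect the "Plan B" pattern: a getThere-style function opening a tracker URL
// with s (link source), q (download name) and g (blog identifier) parameters.
function findTrackerCall(js) {
  const keys = new Set();
  for (const m of js.matchAll(/[?&]([sqg])=/g)) keys.add(m[1]);
  const getThere = /\bgetThere\s*\(/.test(js);
  const params = [...keys].sort();
  return { getThere, params, matches: getThere && params.length === 3 };
}

// Combine the checks into a verdict plus the evidence behind it.
function triage(js) {
  const proxies = findReferrerProxies(js);
  const hiddenUrls = findBase64Urls(js);
  const tracker = findTrackerCall(js);
  const reasons = [];
  if (proxies.length) reasons.push("referrer proxy: " + proxies.join(", "));
  if (hiddenUrls.length) reasons.push("Base64 URL: " + hiddenUrls.join(", "));
  if (tracker.matches) reasons.push("getThere() tracker call with s/q/g parameters");
  return { suspicious: reasons.length > 0, reasons, proxies, hiddenUrls, tracker };
}

// Constructed samples (not captured from any real site); the *.example hosts
// are placeholders, only the href.li hop comes from the article.
const HIDDEN_C2 = "https://c2.example/panel/gate.php";
const SAMPLE_PROXY_HOP = `
var t = "${Buffer.from(HIDDEN_C2).toString("base64")}";
document.getElementById("dl").onclick = function () {
  window.open("https://href.li/?" + atob(t), "_blank");
};`;
const SAMPLE_PLAN_B = `
function getThere() {
  var s = "bait-blog-placeholder", q = "Editor_Pro_Crack", g = "b17";
  window.open("https://tracker.example/go?s=" + s + "&q=" + q + "&g=" + g);
}`;
const SAMPLE_BENIGN = `
document.getElementById("dl").onclick = function () {
  location.href = "/downloads/release-1.2.zip";
};`;

for (const [name, js] of Object.entries({ SAMPLE_PROXY_HOP, SAMPLE_PLAN_B, SAMPLE_BENIGN })) {
  console.log(name, triage(js).reasons);
}
```

The Base64 check is deliberately strict (the decoded text must be a clean http(s) URL) so that long identifiers or minified names do not produce noise; the referrer-proxy list is just the two hosts the article observed and should be extended from your own telemetry rather than treated as complete.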

A smaller subset of sites embedded download links directly into the page code, either via:

  • A JavaScript function controlling the button
  • A raw HTML link associated with the button

Some raw links contained HTML artifacts indicating the connection was obfuscated by a backend PHP plugin, hiding the connection to the C2 server providing malicious scripts.

Evasion Tactics

Unlike the initial tracker site, the new redirect system did not inspect User-Agent data. This allowed users with various browser types to reach the intended Windows payload. However, some download servers did perform checks, redirecting non-Windows users to:

  • Fake security alerts
  • Adult dating sites
  • Other monetized destinations

These redirects were localized based on IP addresses, ensuring users saw content tailored to their geographical region.
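
The User-Agent-dependent behaviour described above leaves a visible trace in server or proxy logs: the same request path answers with different redirect targets depending on the visitor's operating system. The following added example (written for this page, not code from the original article) groups 3xx responses by path and OS family and flags paths whose Windows destination differs from what other platforms receive. The log format and every log line are constructed, and the hosts payload.example, alerts.example, dating.example and docs.example are placeholders.

```javascript
// Spotting User-Agent-dependent redirects (cloaking) in web-server logs.
// Added example, not code from the original article. Some download servers in
// the write-up sent non-Windows visitors to fake security alerts or dating
// sites while Windows visitors received the payload; this script groups 3xx
// responses by request path and reports paths whose redirect target changes
// with the visitor's OS family. Runs under Node.js; the log lines are constructed.

// Constructed log format (one line per request):
// <timestamp> <client-ip> "<method> <path>" <status> "<user-agent>" "<location-or-dash>"
const LINE_RE = /^(\S+) (\S+) "(\S+) ([^"]+)" (\d{3}) "([^"]*)" "([^"]*)"$/;

// Reduce a User-Agent string to an OS family. Order matters: Android UAs also
// contain "Linux", and iOS UAs contain "like Mac OS X".
function uaFamily(ua) {
  if (/Windows/.test(ua)) return "windows";
  if (/iPhone|iPad/.test(ua)) return "ios";
  if (/Android/.test(ua)) return "android";
  if (/Macintosh|Mac OS X/.test(ua)) return "macos";
  if (/Linux/.test(ua)) return "linux";
  return "other";
}

// Parse one line; returns null for lines that do not match the format.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ts: m[1], ip: m[2], method: m[3], path: m[4], status: Number(m[5]), ua: m[6], location: m[7] };
}

// Build path -> OS family -> set of redirect-target hosts, then report paths
// where at least two families were seen and their targets do not agree.
function findCloakedPaths(lines) {
  const byPath = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r || r.status < 300 || r.status > 399 || r.location === "-") continue;
    let host;
    try { host = new URL(r.location).hostname; } catch { continue; }
    const family = uaFamily(r.ua);
    if (!byPath.has(r.path)) byPath.set(r.path, new Map());
    const fam = byPath.get(r.path);
    if (!fam.has(family)) fam.set(family, new Set());
    fam.get(family).add(host);
  }
  const flagged = [];
  for (const [path, fam] of byPath) {
    const families = [...fam.keys()];
    if (families.length < 2) continue;
    const targets = families.map((f) => [...fam.get(f)].sort().join(","));
    if (new Set(targets).size > 1) {
      flagged.push({ path, byFamily: Object.fromEntries(families.map((f, i) => [f, targets[i]])) });
    }
  }
  return flagged;
}

// Constructed sample log: one cloaked download path and one path that
// redirects every platform to the same place.
const SAMPLE_LOG = [
  '2021-09-01T10:00:01Z 203.0.113.5 "GET /dl?id=42" 302 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" "https://payload.example/setup.exe"',
  '2021-09-01T10:00:07Z 198.51.100.9 "GET /dl?id=42" 302 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15" "https://alerts.example/mac-is-infected"',
  '2021-09-01T10:00:12Z 192.0.2.77 "GET /dl?id=42" 302 "Mozilla/5.0 (Linux; Android 11; Pixel 4) AppleWebKit/537.36" "https://dating.example/landing"',
  '2021-09-01T10:00:20Z 203.0.113.8 "GET /dl?id=42" 302 "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36" "https://payload.example/setup.exe"',
  '2021-09-01T10:01:03Z 203.0.113.5 "GET /about" 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" "-"',
  '2021-09-01T10:01:15Z 203.0.113.5 "GET /docs" 301 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" "https://docs.example/"',
  '2021-09-01T10:01:19Z 198.51.100.9 "GET /docs" 301 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15" "https://docs.example/"',
];

console.log(JSON.stringify(findCloakedPaths(SAMPLE_LOG), null, 2));
```

Two caveats follow from the article itself: the simplified redirect system did not check User-Agent at all, so it would not be flagged by this check, and because the landing pages were localized by client IP, a single sandbox or crawler vantage point will only ever see one geographic variant of each destination.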

Meanwhile, another set of servers implemented a different JavaScript-based delivery mechanism, further diversifying the attack methods used by these malware campaigns.