The Labs team at VMRay actively gathers publicly available data to identify any noteworthy malware developments that demand immediate attention. We complement this effort with our internal tracking and monitor events the security community reports to stay up-to-date with the latest changes in the cyber threat landscape.
In April 2025, the VMRay Labs team has been focused on the following areas:
1) New VMRay Threat Identifiers addressing:
- Detecting known malicious mutex names
- Detecting rogue password dialogs via AppleScript
- Detecting emails masquerading as MS Office, AdobeSign and DocuSign
- Detecting host fingerprinting via video card vendor ID
2) Configuration extractors:
- New configuration extractor for DarkCloud
- Updated configuration extractor for Mirai variants
3) Smart Link Detonation and AutoUI enhancements
4) New YARA rules:
- We created and updated around 20 YARA rules last month! Scroll down to discover more about these exciting updates.
Now, let’s delve into each topic for a more comprehensive understanding.
New VTIs
VTI to detect known malicious mutex names
Category: Mutex
MITRE ATT&CK® Technique:
A mutex (Mutual Exclusion Object) is a synchronization mechanism used by applications, including malware, to prevent multiple instances of the same process from running simultaneously. Malware commonly leverages mutexes for:
- Preventing multiple infections: when executed, malware first checks if a specific mutex already exists. If found, it assumes another instance is running and exits to avoid redundant infections.
- Avoiding conflicts in multi-stage attacks: advanced malware families with multiple components use mutexes to ensure only one stage runs at a time.
The VMRay Platform already has a VTI that detects when a sample creates a named mutex. We are now taking this detection a step further with a new VTI that compares detected mutex names against a blacklist of known malicious mutexes. Key highlights of this improvement:
- If a match is found, the system will score the threat and assign a malware family name to the sample.
- This helps analysts quickly identify which malware strain is associated with the mutex.
- Example: if a sample creates the mutex: AsyncMutex_6SI8OkPnk, VMRay will recognize it as associated with AsyncRAT malware and display this information in the VTI details within the Platform.
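The matching step described above, as an added illustration that is not VMRay's own code: a small Python lookup that normalizes mutex names taken from a simplified API-call log, checks them against an exact-match blacklist, and falls back to a prefix pattern. The AsyncMutex_6SI8OkPnk entry is the one named in this post; the second blacklist entry, the sample events and the assumption that AsyncRAT builds keep the "AsyncMutex_" prefix are ours.

```python
import re
from typing import Dict, List, Optional, Pattern, Tuple

# Known-malicious mutex names mapped to the family that uses them. The AsyncRAT entry is
# the example given in the post; the second entry is a constructed placeholder.
MUTEX_BLACKLIST: Dict[str, str] = {
    "AsyncMutex_6SI8OkPnk": "AsyncRAT",
    "PLACEHOLDER_MUTEX_FamilyX": "FamilyX (constructed placeholder)",
}

# Pattern entries catch families whose mutex has a fixed prefix and a per-build suffix.
# Assumption: AsyncRAT builds keep the "AsyncMutex_" prefix and vary only the suffix.
MUTEX_PATTERNS: List[Tuple[Pattern[str], str]] = [
    (re.compile(r"^AsyncMutex_[A-Za-z0-9]{6,}$"), "AsyncRAT"),
]

# APIs whose 'name' argument is a mutex name.
MUTEX_APIS = {"CreateMutexA", "CreateMutexW", "CreateMutexExA", "CreateMutexExW",
              "OpenMutexA", "OpenMutexW"}


def normalise_mutex(name: str) -> str:
    """Drop the kernel namespace prefix so 'Global\\X', 'Local\\X' and 'X' all compare as 'X'."""
    for prefix in ("Global\\", "Local\\"):
        if name.startswith(prefix):
            return name[len(prefix):]
    return name


def lookup_mutex(name: str) -> Optional[str]:
    """Return the malware family associated with a mutex name, or None if it is not blacklisted."""
    bare = normalise_mutex(name)
    family = MUTEX_BLACKLIST.get(bare)
    if family is not None:
        return family
    for pattern, family in MUTEX_PATTERNS:
        if pattern.match(bare):
            return family
    return None


def score_mutex_events(events: List[dict]) -> List[Tuple[str, str]]:
    """Walk a list of monitored API calls and return (mutex_name, family) for each blacklisted mutex.

    Each event is a dict with at least 'api' and 'name' keys: a simplified stand-in for a
    sandbox's function-call log, not the Platform's actual event format.
    """
    hits = []
    for event in events:
        if event.get("api") not in MUTEX_APIS:
            continue
        family = lookup_mutex(event.get("name", ""))
        if family is not None:
            hits.append((event["name"], family))
    return hits


# Constructed sample log: one benign mutex, one AsyncRAT mutex under the Global namespace,
# and an unrelated API call that happens to carry the same string and must be ignored.
SAMPLE_EVENTS = [
    {"api": "CreateMutexW", "name": "Local\\MyUpdaterSingleInstance"},
    {"api": "CreateMutexW", "name": "Global\\AsyncMutex_6SI8OkPnk"},
    {"api": "CreateFileW", "name": "AsyncMutex_6SI8OkPnk"},
]

if __name__ == "__main__":
    for mutex, family in score_mutex_events(SAMPLE_EVENTS):
        print(f"{mutex} -> {family}")
```

Normalizing the namespace prefix matters in practice: the same family may create its mutex as Global\, Local\ or bare depending on the build, and an exact-match list that ignores this silently misses two of the three.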
VTI to detect rogue password dialogs via AppleScript
Category: Input Capture
MITRE ATT&CK® Technique: T1056
A rogue password dialog is a type of social engineering attack or malicious interface designed to mimic legitimate authentication prompts. The goal is to deceive users into entering sensitive information, such as usernames and passwords, which can then be exploited by attackers.
In this specific threat scenario, attackers exploit AppleScript—a powerful scripting language for automating tasks on macOS—and its associated command-line utility, osascript, to generate rogue password dialogs. The osascript tool allows scripts to be executed directly from the terminal, enabling attackers to create fake authentication prompts that resemble legitimate macOS system dialogs. These fake prompts can trick users into entering sensitive data like passwords or passphrases, which can then be captured by the attacker.
To counter this growing threat, we introduced a new VTI in our Platform. This VTI monitors the command-line arguments passed to osascript and triggers an alert whenever it detects an attempt to create a rogue credential prompt. By tracking suspicious AppleScript activity, this VTI helps identify potential attacks and offers proactive protection against such social engineering tactics.
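To make the detection idea concrete, here is an added example (ours, not VMRay's VTI logic) that scores an osascript command line: it pulls out the inline scripts passed with -e and looks for the documented AppleScript "display dialog" syntax combined with a masked input field or credential wording. The severity thresholds, the indicator phrases and the sample command lines are assumptions we constructed for the illustration.

```python
import os
import re
import shlex
from typing import Dict, List

# Phrases from AppleScript's documented "display dialog" syntax that, in combination,
# indicate a credential-style prompt. Assumption: these are the indicators we chose to
# score; the post does not list the exact conditions the Platform's VTI applies.
DIALOG_RE = re.compile(r"display\s+dialog", re.IGNORECASE)
HIDDEN_INPUT_RE = re.compile(r"with\s+hidden\s+answer", re.IGNORECASE)
CREDENTIAL_WORDS_RE = re.compile(r"\b(password|passphrase|credentials?|passcode)\b", re.IGNORECASE)


def extract_inline_scripts(cmdline: str) -> List[str]:
    """Return the script bodies passed to osascript with -e; empty for anything that is not osascript."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: treat as unparseable rather than crash the monitor
        return []
    if not argv or os.path.basename(argv[0]) != "osascript":
        return []
    scripts = []
    i = 1
    while i < len(argv):
        if argv[i] == "-e" and i + 1 < len(argv):
            scripts.append(argv[i + 1])
            i += 2
        else:
            i += 1
    return scripts


def assess_osascript(cmdline: str) -> Dict[str, object]:
    """Score a process command line for a rogue credential dialog.

    'high'   : display dialog with a hidden (masked) answer field
    'medium' : display dialog whose text asks for a password/passphrase but without masking
    'none'   : everything else (notifications, ordinary dialogs, non-osascript processes)
    """
    script = "\n".join(extract_inline_scripts(cmdline))
    has_dialog = bool(DIALOG_RE.search(script))
    hidden_input = bool(HIDDEN_INPUT_RE.search(script))
    asks_for_credential = bool(CREDENTIAL_WORDS_RE.search(script))
    if has_dialog and hidden_input:
        severity = "high"
    elif has_dialog and asks_for_credential:
        severity = "medium"
    else:
        severity = "none"
    return {
        "severity": severity,
        "has_dialog": has_dialog,
        "hidden_input": hidden_input,
        "asks_for_credential": asks_for_credential,
    }


# Constructed sample process-creation events (command lines only).
SAMPLE_CMDLINES = [
    "/usr/bin/osascript -e 'display dialog \"Enter your password to continue\" default answer \"\" with hidden answer'",
    "osascript -e 'display dialog \"Please type your passphrase\" default answer \"\"'",
    "osascript -e 'display notification \"Build finished\" with title \"CI\"'",
    "/bin/bash -c 'echo display dialog with hidden answer'",
]

if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        print(assess_osascript(cmd)["severity"], "<-", cmd)
```

Two details are worth keeping when adapting this: only scripts actually handed to osascript are inspected (the last sample contains the same words in a bash echo and scores "none"), and a script file passed by path rather than -e is not covered, so a production monitor also needs to read the file contents.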
VTI to detect emails masquerading as MS Office, AdobeSign and DocuSign
Category: Masquerade
MITRE ATT&CK® Technique: T1566
Cyber attackers are getting more and more convincing. One of the favorite tricks of the phishing authors? Sending emails that look like they’re from trusted services such as Microsoft Office, AdobeSign, or DocuSign. These phishing emails often include logos, design elements, and wording that closely mimic the real thing to lure users into clicking malicious links.
To combat this, we added a new VTI specifically designed to catch these masquerading attempts. This new VTI is focused on spotting emails that pretend to come from legitimate services, even when they don’t. Our VTI analyzes both the visual elements (like logos or brand styling) and the email content itself to make a decision. The VTI also triggers Smart Link Detonation if a masquerade attempt is detected.
VTI to detect host fingerprinting via video card vendor ID
Category: Discovery
MITRE ATT&CK® Technique: T1082
A Video Card Vendor ID is a unique identifier assigned to a graphics card manufacturer. Some common Vendor IDs are:
- AMD (Advanced Micro Devices) → 0x1002
- NVIDIA → 0x10DE
- Intel → 0x8086
This Vendor ID, along with the Device ID, helps identify the exact model of the GPU (Graphics Processing Unit). In the past, we observed malware samples extracting and comparing the Video Card Vendor ID to evade detection. But how does this technique work?
When malware runs, it might look up this ID to learn more about the system it’s on. If it sees a familiar Vendor ID, it might assume it’s on a real machine. But if no Vendor ID is found, that’s often a clue it’s inside a sandbox or VM, because virtual machines typically use generic or virtual hardware that lacks this identifier.
Some malware uses this trick to avoid being caught during automated analysis. If it suspects it’s in a sandbox, it might use this information to evade analysis and detection. To monitor this technique, we introduced a new VTI that detects when a malware sample queries the Video Card Vendor ID. This behavior is now flagged as part of our fingerprinting and hardware discovery detection mechanisms.
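Seen from the other side of the fence, the same lookup is a useful self-check for anyone running an analysis VM: does the guest expose a display adapter with a real-looking vendor ID, or would it fail the fingerprint the malware applies? The Python below is an added example, not VMRay's detection code. It assumes adapter identifiers in the Windows Plug and Play hardware-ID format ("PCI\VEN_xxxx&DEV_yyyy&..."), uses only the three vendor IDs listed in this post, and the two sample hardware IDs are constructed (the GUID is a placeholder).

```python
import re
from typing import Dict, List, Optional, Tuple

# PCI vendor IDs named in the post.
PCI_VENDORS: Dict[int, str] = {0x1002: "AMD", 0x10DE: "NVIDIA", 0x8086: "Intel"}

# Assumption: adapter identifiers are in the Windows Plug and Play hardware-ID format,
# "PCI\VEN_xxxx&DEV_yyyy&...", as found under the PnP registry keys and in WMI's
# Win32_VideoController.PNPDeviceID.
HWID_RE = re.compile(r"PCI\\VEN_([0-9A-F]{4})&DEV_([0-9A-F]{4})", re.IGNORECASE)


def parse_pci_ids(hwid: str) -> Optional[Tuple[int, int]]:
    """Return (vendor_id, device_id) from a PCI hardware ID, or None if it is not a PCI ID."""
    m = HWID_RE.search(hwid)
    if not m:
        return None
    return int(m.group(1), 16), int(m.group(2), 16)


def describe_display_adapters(hwids: List[str]) -> Dict[str, object]:
    """Resolve each adapter's vendor and say whether the set would pass a vendor-ID check.

    An adapter with no PCI vendor ID at all, or a vendor outside the known list, is exactly
    what the fingerprinting described in the post treats as a sandbox/VM tell.
    """
    adapters = []
    for hwid in hwids:
        ids = parse_pci_ids(hwid)
        if ids is None:
            adapters.append({"hwid": hwid, "vendor_id": None, "device_id": None,
                             "vendor": None, "known_vendor": False})
            continue
        vendor_id, device_id = ids
        adapters.append({"hwid": hwid, "vendor_id": vendor_id, "device_id": device_id,
                         "vendor": PCI_VENDORS.get(vendor_id),
                         "known_vendor": vendor_id in PCI_VENDORS})
    passes = any(a["known_vendor"] for a in adapters)
    return {"adapters": adapters, "verdict": "real-looking" if passes else "likely-virtual"}


# Constructed hardware IDs: a physical NVIDIA adapter, and a synthetic adapter that carries
# no PCI vendor ID at all (the GUID is a placeholder, not a real device class).
PHYSICAL_GPU = "PCI\\VEN_10DE&DEV_1C82&SUBSYS_11C210DE&REV_A1"
SYNTHETIC_GPU = "VMBUS\\{00000000-0000-0000-0000-000000000000}"

if __name__ == "__main__":
    for sample in ([PHYSICAL_GPU], [SYNTHETIC_GPU]):
        print(describe_display_adapters(sample)["verdict"], sample)
```

If your sandbox guests come back "likely-virtual" here, that is the gap the new VTI flags from the malware's side; on the defender's side the fix is to present a plausible adapter identity to the guest, and to treat a vendor-ID query in a sample as a discovery signal rather than noise.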
Configuration Extractors
Updated configuration extractor for Mirai variants
Mirai, first seen in August 2016, is a type of botnet malware that primarily targets Internet of Things devices such as cameras, routers, and DVRs. Once infected, these devices are turned into zombie bots and used to launch large-scale Distributed Denial of Service (DDoS) attacks.
Mirai became especially dangerous when its source code was publicly released, allowing anyone to modify and reuse it. Since then, we’ve seen lots of Mirai variants, many with only small tweaks to the original code.
Our Platform has long supported Mirai configuration extraction, however, because attackers keep rolling out new (often slightly modified) versions of Mirai, we’ve fine-tuned our extractor to stay ahead. This update ensures we continue to detect emerging Mirai variants and accurately extract their unique configurations.
New configuration extractor for DarkCloud
DarkCloud first surfaced in 2022 and has since maintained an active presence in the wild. It’s a sophisticated infostealer targeting Windows systems, with a clear focus on extracting high-value data such as:
- System and network information
- Stored credentials
- Browser session data
- Cryptocurrency wallet details
Over the past month, we added a new YARA rule to improve static detection of DarkCloud samples. On top of that, we implemented a dedicated configuration extractor, which enables automatic extraction and parsing of key operational parameters embedded in DarkCloud samples immediately upon submission.
Smart Link Detonation
Detonating URLs for files hosted on OneDrive
In our previous Signature and Detections blog post, we introduced an enhancement to our AutoUI feature, enabling automatic interaction with files inside OneDrive shared folders. Building on that, we recently investigated an email containing a link to onedrive.live.com—a legitimate Microsoft domain used for sharing files via OneDrive. Attackers often take advantage of trusted platforms like OneDrive to host malicious files, such as PDFs, Office documents, or executables, hoping to bypass traditional filters.
While the URL itself looked harmless, it pointed to potentially malicious content stored inside a shared folder. Initially, this type of link wasn’t fully covered by our automated detection logic. We now updated SLD to recognize and process OneDrive share links automatically. With this enhancement, SLD is now better equipped to uncover threats hiding behind trusted domains.
AutoUI Improvements
Interaction with phishing pages hosted on Penzle
Recently, our Labs team encountered a case where a malicious PDF file embedded a link to a phishing page hosted via Penzle.com—a legitimate headless CMS and Digital Asset Management platform. While analyzing the file, we noticed a gap: AutoUI didn’t click the embedded “View Document Online” link as expected. This limited our visibility into the full attack chain, especially when phishing payloads relied on browser-based delivery or user interaction.
To stay ahead of this new phishing campaign, we extended AutoUI to recognize and interact with document-style phishing links abusing the Penzle platform.
Detecting pastejacking in Google Meet & Windows Update-themed campaigns
Pastejacking is a clever technique used in phishing and malware campaigns to trick users into running malicious commands without realizing it. The attack works by silently altering the content of a user’s clipboard, so when someone copies what looks like a safe command or link from a website, they’re actually copying something harmful. For example, a user might visit a seemingly trustworthy site or read a tutorial that asks them to copy and paste a command into a terminal. What they don’t see is that the site has replaced the copied text with a malicious script. When the user pastes it using familiar shortcuts like Ctrl+V or Cmd+V, the command runs instantly. Because the action feels routine and looks harmless, it’s easy to overlook the risk.
Our Labs team recently spotted a new wave of pastejacking campaigns making the rounds, highlighted in a post on X. This time, attackers are disguising their malicious content behind legitimate-looking themes like: Google Meet or Windows Update. This technique is also referred to as “Click Fix”, where users are encouraged to follow on-screen instructions to “fix” a supposed issue—only to unknowingly trigger malicious behavior.
How it works – the Google Meet example
In the observed case:
- A fake Google Meet page prompts users with a Chrome popup requesting microphone access.
- While this seems like a normal browser behavior, in the background, the malicious site has already planted dangerous content in the clipboard.
Similarly, Windows Update-themed pages use fake “UPDATE NOW” buttons to lure users into clicking, while malicious content quietly hijacks the clipboard behind the scenes.
How we’re fighting back
To help detect these advanced pastejacking attempts, we enhanced our Adaptive Browsing Simulation feature. Now, Adaptive Browsing Simulation is able to:
- Automatically click on suspicious buttons such as “Join now” (Google Meet) and “UPDATE NOW” (Windows Update).
- Interact with the page just like a real user would, triggering any hidden clipboard manipulation or pastejacking behaviors.
- Observe and capture clipboard changes and recursively submit them for further analysis.
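The third bullet, "observe and capture clipboard changes", is the part most readers will want to reproduce in their own browsing simulation, so here is an added Python example of that observation logic (ours, not VMRay's Adaptive Browsing Simulation code). It takes a sequence of clipboard snapshots recorded around simulated user actions, flags changes that were not the result of the user explicitly copying something and that look like a command meant for a run box or terminal, and returns each flagged text so it can be submitted as its own sample. The snapshot format, the command heuristics and the sample data are assumptions we constructed; the planted command is a placeholder, not a real payload.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ClipboardSnapshot:
    """One observation of the clipboard taken by the browsing simulation (constructed format)."""
    t_ms: int        # milliseconds since navigation started
    trigger: str     # what just happened: "baseline" (before navigation), "load", "click:<label>", "copy:<what>"
    content: str     # clipboard text at that moment


# Heuristics for "this clipboard text is a command someone is meant to paste and run".
# Assumption: these are our own indicators, not the Platform's.
INTERPRETER_RE = re.compile(
    r"(^|[\s\"'])(powershell(\.exe)?|pwsh|cmd(\.exe)?|mshta(\.exe)?|wscript|cscript|rundll32|curl|wget|bash|sh)\b",
    re.IGNORECASE)
HIDDEN_WINDOW_RE = re.compile(r"-(w|windowstyle)\s+hidden", re.IGNORECASE)
ENCODED_RE = re.compile(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.IGNORECASE)
PIPE_EXEC_RE = re.compile(r"\|\s*(iex|invoke-expression|sh|bash)\b", re.IGNORECASE)


def command_indicators(text: str) -> List[str]:
    """Name every command-like trait found in a piece of clipboard text."""
    found = []
    if INTERPRETER_RE.search(text):
        found.append("interpreter")
    if HIDDEN_WINDOW_RE.search(text):
        found.append("hidden-window")
    if ENCODED_RE.search(text):
        found.append("encoded-argument")
    if PIPE_EXEC_RE.search(text):
        found.append("pipe-to-exec")
    return found


def detect_pastejacking(snapshots: List[ClipboardSnapshot]) -> List[Dict[str, object]]:
    """Flag clipboard changes that look like planted commands.

    A finding is raised when the clipboard content changed since the previous snapshot, the
    change did not come from an explicit user copy ("copy:" trigger), and the new content
    carries command indicators. The first snapshot is the pre-navigation baseline, so content
    planted on page load is caught as well as content planted on a click.
    """
    findings = []
    previous = None
    for snap in snapshots:
        changed = previous is not None and snap.content != previous.content
        if changed and not snap.trigger.startswith("copy:"):
            indicators = command_indicators(snap.content)
            if indicators:
                findings.append({"t_ms": snap.t_ms, "trigger": snap.trigger,
                                 "indicators": indicators, "content": snap.content})
        previous = snap
    return findings


# Constructed session: the fake meeting page plants a command when "Join now" is clicked;
# later the simulated user deliberately copies a link, which must not be flagged.
SAMPLE_SESSION = [
    ClipboardSnapshot(0, "baseline", ""),
    ClipboardSnapshot(800, "load", ""),
    ClipboardSnapshot(2300, "click:Join now",
                      'powershell -w hidden -ExecutionPolicy Bypass -Command "<stage-2 placeholder>"'),
    ClipboardSnapshot(4100, "copy:meeting-link", "https://meet.example.invalid/abc-defg-hij"),
]

if __name__ == "__main__":
    for finding in detect_pastejacking(SAMPLE_SESSION):
        print(finding["trigger"], finding["indicators"], "->", finding["content"])
```

Keeping the pre-navigation baseline is the detail that makes the load-time variant visible: without it, a page that writes the clipboard before any click produces no "change" to compare against.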
YARA Rules
Loaders
Emmenhtal Loader
- First observed in the wild in September 2024, Emmenhtal Loader has become a common tool in cybercriminal campaigns. It serves as a malware delivery mechanism, designed to infiltrate a system and deploy additional malicious payloads with minimal footprint.
- Once active, the loader typically connects to a remote command-and-control (C2) server to fetch secondary malware or receive instructions from the attacker.
- What makes Emmenhtal particularly evasive is its use of fileless techniques, operating entirely in memory rather than writing files to disk. This approach allows it to bypass many traditional, signature-based detection systems.
Zloader
- First discovered in 2016, Zloader is a dropper that gained significant traction around 2020. Known for its modular architecture, Zloader can easily be extended with various functionalities, making it a versatile tool for cybercriminals.
- Once deployed, Zloader can steal credentials and sensitive data, deploy ransomware, and provide attackers with remote access to infected systems.
- To stay under the radar, Zloader employs a variety of anti-detection techniques, including API import hashing, junk code insertion, and filename checks.
CoffeeLoader
- CoffeeLoader, first observed in late 2024, is a malware loader designed to deliver and execute a variety of malicious payloads on compromised systems. These can include infostealers, RATs, and even ransomware.
- What sets CoffeeLoader apart is its heavy focus on evasion and anti-analysis. It’s designed not just to infect a system, but to stay hidden from security tools and delay detection as long as possible.
- Among its most notable tactics are:
- Call-stack spoofing
- Sleep obfuscation
- Using a packer which executes code on the system GPU to evade sandboxes
- Often serving as the initial access vector in multi-stage attacks, it commonly delivers high-profile malware such as RedLine Stealer, FormBook, or Lumma Stealer.
PureCrypter
- PureCrypter, first identified in 2021, is a malware loader that utilizes a multi-stage architecture, allowing it to dynamically load and execute a range of malicious payloads.
- Seen distributing a variety of malware, including AgentTesla, RedLine Stealer, AsyncRAT, Remcos, SnakeKeylogger, and more.
- To avoid detection by traditional antivirus solutions, this loader employs SmartAssembly for obfuscation, alongside compression and encryption techniques.
RATs
Rhadamanthys
- Rhadamanthys, first discovered in 2022, still remains an active and potent RAT. This malware gives attackers full control over infected systems, enabling them to carry out a range of malicious activities, such as keylogging, credential theft, file exfiltration, surveillance, and more.
- To evade detection, Rhadamanthys uses anti-debugging techniques and obfuscation methods, making it difficult for traditional security tools to identify its presence. In addition, the malware often employs fileless techniques, allowing it to operate entirely in memory without leaving traces on the disk, which further complicates detection and removal.
Houdini/WSHRAT
- Houdini/WSHRAT, first identified in 2013, is a RAT that enables attackers to gain full control over infected systems. Once deployed, it allows cybercriminals to execute arbitrary commands, manipulate files, and engage in keylogging activities.
- What sets Houdini apart from other RATs is its highly modular design. This flexibility allows attackers to customize its capabilities based on the needs of a particular campaign. Whether it’s keylogging, credential theft, or ransomware deployment, the malware can be tailored to deliver the specific functionality required for the attack.
SectopRAT
- SectopRAT, also known as ArechClient2, is a RAT developed in .NET and first discovered in 2019. Once deployed, it provides attackers with extensive access to compromised Windows systems, allowing them to steal sensitive data, spy on users, and remotely control the infected machine.
- One of its most notable features is its ability to create hidden virtual desktops, enabling attackers to interact with the system and browse the web without detection.
- SectopRAT is often spread through fake software installers, typically disguised as trusted applications like Google Chrome, Notion, or NordVPN, and delivered via malicious ads.
Stealers
MetaStealer
- First discovered in 2022, MetaStealer is a powerful infostealer that shares similarities with well-known stealers like RedLine, but introduces several enhancements in both capability and targeting.
- Designed to exfiltrate sensitive data from both Windows and macOS systems, MetaStealer is capable of harvesting credentials, system information, and other valuable data.
- While it supports cross-platform operations, recent campaigns have shown a notable shift toward targeting macOS users, especially within business environments.
Improved rules for DarkCloud stealer
- As previously outlined in this blog post under the Configuration Extractors section, DarkCloud is a persistent infostealer with a wide range of capabilities.
- Recently, we i, which prompted us to further strengthen our detection logic. To improve accuracy in identifying and classifying this malware family, we developed and released an updated YARA rule specifically tailored for DarkCloud.
Other YARA rules
YARA signature for GitHub-themed phishing
- We recently identified a phishing kit leveraging a GitHub-themed template to lure users into credential theft. The lure often arrives via GitHub issue notifications, seemingly legitimate messages that link to a fraudulent GitHub login page.
- When clicked, these links redirect users to a spoofed GitHub login screen, designed to harvest usernames and passwords.
- To help detect and block this threat, we developed and deployed a YARA signature specifically tailored to this phishing kit’s template. This allows for early identification of phishing content mimicking GitHub’s interface, whether hosted on compromised domains or embedded in malspam campaigns.
YARA signatures for EncryptHub tools
- We deployed new YARA signatures targeting tools and tactics used by EncryptHub (also tracked as Larva-208), an advanced threat group responsible for a global malware campaign impacting over 600 organizations since mid-2024.
- EncryptHub operations are highly structured, typically unfolding in multiple, coordinated stages:
- Remote access footprint: the initial access phase involves the deployment of legitimate remote desktop tools like AnyDesk or TeamViewer, a tactic designed to maintain long-term access and blend in with normal admin behavior.
- Credential & data theft: following persistence, the attackers drop powerful infostealers such as Stealc or Rhadamanthys, designed to exfiltrate credentials, session cookies, and sensitive system data.
New YARA signatures for Go-based Hunter ransomware (PrincessLocker variant)
- We added YARA signatures targeting a new Go-based variant of PrincessLocker, identified in the wild under the name Hunter Ransomware.
- First observed in 2016, PrincessLocker was an early adopter of the Ransomware-as-a-Service (RaaS) model, empowering cybercriminal affiliates to launch attacks in exchange for a share of the ransom. Over the years, it has undergone multiple transformations, including the Princess Evolution variant, which introduced enhanced encryption mechanisms and more reliable delivery tactics.
- The latest iteration, Hunter, marks a significant shift in its architecture. Rewritten in Go, it offers cross-platform capabilities, faster development cycles, and increased evasiveness due to the nature of compiled binaries in Go’s ecosystem.
YARA signatures for WhisperGate
- WhisperGate was deployed in cyberattacks targeting Ukrainian government and infrastructure systems in early 2022. At first glance, it behaves like classic ransomware: systems are disabled, ransom notes appear, and panic sets in. But behind the scenes, there’s a much more sinister purpose—data destruction.
- This malware executes in two distinct stages:
- Stage 1: System Crippling: WhisperGate begins its attack by overwriting the system’s Master Boot Record (MBR), effectively bricking the device. This makes the operating system unbootable.
- Stage 2: Data Corruption + Disinformation: once the system is disabled, it moves on to corrupt files across the disk. It displays a fake ransom note, misleading victims into believing that their data can be recovered if they just pay up. But in reality, the data is already beyond repair.
- What sets WhisperGate apart is its motive. Traditional ransomware is financially driven: pay the ransom, maybe get your files back. WhisperGate flips the script—it pretends to be financially motivated, but its real goal is chaos.
Wetfossil/VIDEOSPY
- According to our statistics, Wetfossil has become increasingly popular in the past months, with a surprisingly high number of samples submitted every day. What’s particularly interesting is how little public information exists about it. No technical writeups. No threat intel briefings. No attribution.
- Despite the lack of documentation, our internal telemetry and analysis paint a clearer picture, and it’s one that raises serious concerns.
- References to the alias “VIDEOSPY” may provide a clue to this malware’s true purpose. Our reverse engineering and sandbox behavior analysis suggest that Wetfossil is designed for covert surveillance. Specifically, it appears to be capable of:
- Silently activating the victim’s webcam
- Capturing video feeds or snapshots
- Sending this footage back to a command-and-control server
- To help the security community get ahead of this threat, we released a custom YARA rule specifically built to detect Wetfossil samples in the wild.
60+ YARA signatures on different ransomware families
- To improve threat visibility and empower defenders, we developed over 60 YARA signatures targeting multiple ransomware families. These rules focus on distinct forensic artifacts that are often consistent across campaigns but uniquely identify individual families.
- Some of the signature categories that we address include: ransom note filenames, ransom cryptowallet addresses, hardcoded cryptographic keys, and more.
New YARA rules for phishkits impersonating Facebook/Meta
- We developed a new YARA rule targeting a freshly emerged phishing kit—Phishkit.ApealM—designed to impersonate Meta/Facebook’s Appeal page.
- Phishkit.ApealM is a social engineering tool that replicates the look and feel of Meta’s IP Takedown Appeal page, a legitimate platform where users dispute takedowns related to intellectual property violations. The phishing page mimics the official appeal process to trick users into believing they are communicating with Meta support. It prompts victims to submit sensitive personal information, including: email addresses, passwords, 2FA codes, and phone numbers.
- Once submitted, the stolen information is sent directly to a third-party server under the attackers’ control, using client-side JavaScript and the public EmailJS service, making it easy for attackers to collect the data without needing backend infrastructure.
New rules for ClearFake Web3 JS campaign
- ClearFake is a sneaky JavaScript-based malware platform that first showed up around mid-2023. Since then, it has grown into a more advanced system for delivering malware.
- It mainly spreads through hacked websites, where it uses tricks—like fake browser updates or pop-ups—to fool users into running harmful commands or downloading malware.
- In the past month, we added new YARA signatures for a particular behavior in this malware: deobfuscating JavaScript code that displays a Web3 smart contract transaction. This behavior may suggest that:
- The attacker wants to bypass detection from antivirus, browser extensions, or security analysts.
- Web3 interactions typically involve cryptocurrency wallets like MetaMask or Trust Wallet. If malware shows a smart contract transaction in the background, it could mean it’s trying to transfer tokens or NFTs from the victim’s wallet.
YARA signature on DocSend clickable field
- DocSend, a secure document-sharing service acquired by Dropbox in 2021, is typically used by professionals and businesses to manage access to sensitive files.
- In a recent phishing campaign, attackers exploited DocSend’s infrastructure to stage their attacks. Some of the key tactics observed:
- The phishing page hosted on DocSend appeared harmless, containing only an image with a motivational quote.
- Hidden within the page’s HTML was an invisible clickable area created via an HTML image map (<map> and <area> tags).
- Clicking anywhere inside the invisible “rectangle” redirected victims to the actual phishing landing page, bypassing casual inspection and some automated scanners.
- To better defend against this tactic, we created a new YARA signature that specifically detects HTML files utilizing image maps (<map> + <area>) that overlay clickable regions onto images, as well as patterns indicating that the clickable field redirects to external phishing sites.
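A YARA rule matches the <map> and <area> tokens as bytes; to check the structure the rule is looking for (a map actually overlaid on an image, with an area whose link leaves the hosting site), here is an added Python example that parses the HTML with the standard library. It is our illustration, not VMRay's signature, and the sample page and hostnames are constructed placeholders.

```python
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urlparse


class ImageMapCollector(HTMLParser):
    """Collect <map>/<area> definitions and the map names that <img usemap> refers to."""

    def __init__(self) -> None:
        super().__init__()
        self.maps: Dict[str, List[Dict[str, str]]] = {}
        self.usemap_refs: List[str] = []
        self._current_map: Optional[str] = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "map":
            self._current_map = (a.get("name") or a.get("id") or "").lstrip("#")
            self.maps.setdefault(self._current_map, [])
        elif tag == "area" and self._current_map is not None and a.get("href"):
            self.maps[self._current_map].append(
                {"href": a["href"], "shape": a.get("shape", "rect"), "coords": a.get("coords", "")})
        elif tag == "img" and a.get("usemap"):
            self.usemap_refs.append(a["usemap"].lstrip("#"))

    def handle_endtag(self, tag):
        if tag == "map":
            self._current_map = None


def is_external(href: str, page_host: str) -> bool:
    """True when the link leaves the hosting domain (subdomains of it count as internal)."""
    host = urlparse(href).netloc.lower()
    page_host = page_host.lower()
    return bool(host) and host != page_host and not host.endswith("." + page_host)


def find_image_map_redirects(html: str, page_host: str) -> List[Dict[str, object]]:
    """Report image-map areas that send the click to an external site.

    One finding per offending <area>, noting whether the map is really overlaid on an <img>
    (the DocSend case) or merely defined somewhere in the page.
    """
    parser = ImageMapCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for name, areas in parser.maps.items():
        for area in areas:
            if is_external(area["href"], page_host):
                findings.append({
                    "map": name,
                    "overlays_image": name in parser.usemap_refs,
                    "shape": area["shape"],
                    "coords": area["coords"],
                    "href": area["href"],
                })
    return findings


# Constructed page: a motivational-quote image whose entire surface is one clickable
# rectangle pointing off-site, plus a harmless map that links back to the hosting domain.
SAMPLE_HOST = "docs.example.invalid"
SAMPLE_HTML = """
<html><body>
  <img src="/assets/quote.png" width="800" height="600" usemap="#overlay" alt="">
  <map name="overlay">
    <area shape="rect" coords="0,0,800,600" href="https://secure-login.example.invalid/verify">
  </map>
  <map name="footer">
    <area shape="rect" coords="0,0,100,20" href="https://docs.example.invalid/terms">
  </map>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_image_map_redirects(SAMPLE_HTML, SAMPLE_HOST):
        print(finding)
```

The coords field is kept in each finding on purpose: an area whose rectangle matches the image dimensions, as in the sample, is the "click anywhere" overlay described above, whereas a small footer-style area is far more likely to be legitimate navigation.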
Final Thoughts
April 2025 was a busy month for our Labs team, marked by major enhancements to our VMRay Threat Identifiers arsenal and a broadened, fine-tuned YARA rule set spanning multiple threat categories. As attackers refine their tactics, our ongoing commitment remains clear—to stay ahead of the curve, proactively enhancing detection, and equipping defenders with the tools needed to counter modern cyber threats. Stay tuned for our next edition of signature and detection updates, planned to be published in the weeks ahead.