Fully undetected Shell Script dropping macOS Atomic Stealer 04 February 2025 VMRay Labs found a DMG file containing a malicious Shell Script used to download and execute Atomic Stealer remained fully undetected on VirusTotal for two days. The Shell Script applies basic obfuscation via encoding and shows strong indicators to
Heavily obfuscated batch file loads XWorm hosted on GitHub 20 January 2025 VMRay Labs found a multi-stage obfuscated batch script with low detections on VirusTotal which downloads and executes XWorm from GitHub. The sample uses a UTF-16 Byte Order Marker and an open source Batch obfuscator to hinder manual analysis.
Backdoored configuration script waits until user is inactive (!) to run Linux malware VMRay Labs has found a backdoored build configuration script for httpd designed to drop and run the XMRig malware to mine Monero. ⛏️ ⏳ Surprisingly, the script waits until the user has been inactive for at least
Latrodectus updates to version 1.4 with AES-256 string encryption We found a new Latrodectus version (1.4) which switched its string encryption routine to AES-256. This new version also utilizes the /test/ C2 endpoint, indicating that it is an early testing sample for this version. In a nutshell: PRNG and XOR
Malware goes undetected by hiding malicious code in uncommon MS Access format 0/64 detections on VirusTotalas of 05.08.2024 The VMRay Labs team has uncovered a malware that goes completely undetected for weeks by hiding malicious p-code in MS Access’ uncommon ACCDE format. Microsoft Access allows users to export their databases
Malicious batch file reveals full behavior only when it’s started by a double-click. 0/64 detections on VirusTotal as of 04.07.2024 The VMRay Labs team has uncovered a heavily obfuscated malicious batch file that has managed to evade detection on VirusTotal with no security vendors flagging it (0/64). This batch file
Obfuscated batch file downloads open-source stealer straight from GitHub 0/64 detections on VirusTotal as of 03.07.2024 The VMRay Labs team has uncovered a heavily obfuscated malicious batch file that has managed to evade detection on VirusTotal, with no security vendors flagging it (0/64). This batch file downloads an open-source stealer
Malware executes its payload only when the screen is locked. 3/48 detections on VirusTotal as of 04.06.2024 The VMRay Labs team has uncovered a malicious Excel file uses macros to download an image from a remote resource – but hidden inside are the commands to execute the next payload Then
AgentTesla delivered via exploiting Microsoft Office 5/61 detections on VirusTotalas of 14.05.2024 Malicious Microsoft Excel document used to exploit a vulnerability in Equation Editor, leading to the execution of AgentTesla. 5 of 61 detections on VirusTotal HASH: dc62fc5febad93b231a91fcb806df63441c6dff69b9a7c793aec78373f45e888 XLS → Equation Editor → Agent Tesla Malicious code loaded via remote
Keep up to date with our weekly digest of articles. Get the latest news, invites to events, and threat alerts!
Ready to stress-test your malware sandbox? Join us for a no-fluff, all-demo webinar that shows you real techniques to evaluate and optimize your sandboxing solution!