The Labs team at VMRay actively gathers publicly available data to identify any noteworthy malware developments that demand immediate attention. We complement this effort with our internal tracking and monitoring of events reported by the security community to stay up to date on the latest changes in the cyber threat landscape.
In December 2025 and January 2026, the VMRay Labs team was focused on the following areas:
1) New VMRay Threat Identifiers addressing:
- Detecting Linux system information discovery
- Detecting XSL script processing used for hidden code execution
- Detecting file hiding via attrib
- Detecting injected process setting up a local server
- Detecting VBS proxy execution
- Detecting Web3 smart contract-based payload delivery
- Detecting logon forms hidden behind a suspicious redirection
- Detecting API hooking evasion
- Detect dropping Python and running a Python script
- Detecting timestomping
- Detecting monitoring clipboard content
2) New or updated Configuration Extractors for:
3) Improved AutoUI behavior for Sharepoint pages
4) 65+ new YARA rules
Now, let’s delve into each topic for a more comprehensive understanding.
New VTIs
In a series of these blog posts, we introduced you to the concept of the VMRay Threat Identifiers (VTIs). In short, VTIs identify threatening or unusual behavior of the analyzed sample and rate the maliciousness on a scale of 1 to 5, with 5 being the most malicious. The VTI score, which greatly contributes to the ultimate Verdict of the sample, is presented to you in the VMRay Platform after a completed analysis. Here’s a recap of the new VTIs that we added, or improved in the past month.
Category: Injection
MITRE ATT&CK® Technique: T1055
Process injection is a long-standing technique used by malware authors to hide malicious code inside legitimate applications such as Notepad, Chrome, or critical system processes. Many security tools look for injection by watching the usual routes malicious programs take to interact with Windows, for example, by monitoring common Windows API patterns associated with injection. More sophisticated malware tries to avoid those usual routes and instead uses more direct path to ask Windows to perform certain actions, such as relying on direct (or indirect) system calls. This is dangerous because direct system calls let malware perform powerful actions (read/write memory, create threads, etc.) closer to Windows’ core.
VMRay already recognizes process injection attempts, including those performed via direct or indirect system calls. This is supported by VMRay’s transition-based monitoring, which observes the underlying behavior without relying solely on the higher-level API layer.
This new VTI helps the VMRay Platform be more confident when that direct path is specifically being used for process injection. Direct system calls by themselves are a broad signal. There are legitimate reasons some software may behave this way, so a generic direct syscall indicator is typically scored conservatively. This VTI narrows the focus by looking for direct system calls that align with the common sequence of actions used in process injection. By linking direct syscalls to injection-relevant behavior, the Platform can now score and interpret these events more accurately.
Category: Discovery
MITRE ATT&CK® Technique: T1082
Linux malware frequently performs system information discovery as an early reconnaissance step to understand the environment it has infected and to determine how to proceed while minimizing detection. This behavior is commonly observed shortly after execution and provides attackers with crucial context for tailoring follow-up actions.
In recent Linux samples analyzed by VMRay, we observed malware executing commands such as, for example:
cat /etc/machine-id to capture stable, unique host identifierscat /etc/machine-info to capture operating system and distribution detailscat /etc/hostname to get host naming conventions that may indicate corporate infrastructure
Backed with this information, malware may decide which payload to deploy (e.g., spyware vs. ransomware), enable or disable functionality based on system role, alter execution paths for servers versus desktop environments, or detect sandboxed environments and suppress malicious behavior. Our new VTI ensures that even such subtle Linux reconnaissance techniques do not go unnoticed.
Detecting XSL script processing used for hidden code execution
Category: Defense Evasion
MITRE ATT&CK® Technique: T1220
Attackers continuously look for ways to execute malicious code while avoiding traditional detection mechanisms. One such technique is XSL script processing, a lesser-known but powerful method that allows code execution to occur indirectly and in the background, often without relying on obvious shell commands.
What is XSL script processing?
XSL (Extensible Stylesheet Language) is a language for defining how XML documents should be presented, it is similar to CSS, but designed specifically for styling and transforming XML. However, XSL stylesheets can also contain embedded scripts. When an XML file is processed using such a stylesheet, the embedded script may be executed automatically as part of the transformation process, without launching a command shell or executable.
How attackers abuse this technique?
In a recent case a malicious Excel document leveraged XSL script processing to run a script silently in the background. This allowed the attackers to blend malicious behavior into what appears to be normal document processing thereby bypassing security controls that targets command line executions
Because the execution is delegated to XSL processing, it can appear benign at first glance, making it an effective defense evasion technique.
Category: Hide Tracks
MITRE ATT&CK® Technique: T1564
Malware often tries to hide its presence on a compromised system to avoid being noticed by users or administrators. One simple but effective way to do this on Windows systems is by hiding files after they have been dropped to disk. The VMRay Platform already detects several techniques used to hide files. Recently, however, we observed a malware sample that relied on a native Windows utility (attrib) to conceal its files; a method that was not yet explicitly covered by an existing VTI. To address this, we introduced a new VTI that detects file hiding via attrib.
How attackers hide files using attrib?
attrib is a legitimate, built-in Windows command-line tool that allows users (and malware) to modify file attributes, such as:
- +H → Marks a file as Hidden
- +S → Marks a file as a System file
- +R → Makes a file Read-only
A typical malicious command looks like this:
When these attributes are set, the file:
- No longer appears in file explorer by default
- Looks similar to legitimate system files
- Is less likely to be discovered during casual inspection
From a defensive perspective, this technique is not sophisticated, but it is very common and effective, especially against non-technical users. Malware typically uses it to:
- Hide dropped payloads
- Conceal secondary tools or configuration files
- Prepare for long-term persistence on the system
Because attrib is a trusted built-in Windows utility, attackers can abuse it as a LOLBin (Living Off the Land Binary), helping it blend into normal system activity.
Detecting injected process setting up a local server
In a recently analyzed sample, the malware injects code into another, often legitimate, process and executes from within that process’s memory space. Once injected, it sets up a local TCP server to listen for incoming connections.
The combination of process injection and a listening server is highly suspicious. Injecting into a trusted process helps the malware stay hidden, while the TCP server allows attackers to communicate with the system remotely. Together, this behavior is a common technique used to establish a backdoor or maintain persistent access.
This type of behavior is often seen in:
- Remote Access Trojans (RATs) and banking trojans
- Loaders and droppers
- Red-team and adversary simulation frameworks (e.g., Cobalt Strike)
Our new VTI triggers whenever these two behaviors occur together, helping defenders spot stealthy malware that hides inside legitimate processes.
Detecting VBS proxy execution
Category: Execution
MITRE ATT&CK® Technique: T1059/005
VBS proxy execution describes a technique in which malware abuses a VBScript (.vbs), a legacy scripting language built into Windows, as an intermediate step to execute other files. In this context, the script itself does not carry the main malicious payload. Instead, it quietly launches or relays execution to other components.
How the technique is used?
Rather than running a malicious executable directly, the attacker uses the as a trusted launcher. Because the execution is initiated through a native Windows scripting utility, it often occurs without visible alerts. The executable being launched may already exist on the system or be introduced as part of a multi-stage infection chain.
Why attackers choose VBS?
1) Stealth: VBScript execution often appears benign and may not raise immediate suspicion.
2) Trust abuse: VBScript is a built-in Windows capability, making it less likely to be blocked than unknown executables.
Detecting Web3 smart contract-based payload delivery
Category: Web3
MITRE ATT&CK® Technique: T1027.006
This VTI detects malicious web content that abuses Web3’s blockchain layer and blockchain smart contracts as part of a multi-stage malware delivery chain.
We are now seeing a growing trend in hiding malicious activities: using blockchain infrastructure to deliver malware. In a recent investigation, we analyzed a website that appeared harmless at first glance. Hidden within the page, however, was a heavily obfuscated script, designed to evade inspection. While the script did not immediately appear malicious, its true purpose only became evident once it executed.
What was happening behind the scenes?
Instead of downloading malware from a traditional attacker-controlled server, the website connected to a blockchain network endpoint. From there, it retrieved a smart contract, a piece of code stored on the blockchain. This smart contract acted as a delivery mechanism for subsequent attack stages, ultimately leading to the download of malicious payloads. This technique is increasingly associated with campaigns such as ClearFake, which abuse Web3 technologies to make attacks:
- Harder to trace
- More resilient to takedowns
- Less dependent on traditional malicious infrastructure
Rather than hosting malware in obvious locations, attackers are hiding their instructions inside decentralized systems that were never designed for this purpose.
Why it’s important?
Web3 ecosystem is legitimate, widely used, and trusted, which also makes it an attractive target for abuse. By pulling malware instructions from a blockchain:
- Attackers avoid hosting obvious malicious files
- Malicious infrastructure becomes harder to block or remove
- Traditional indicators of compromise may be missing
Category: Heuristics
In a recent analysis, we encountered a URL containing a logon form that was hidden using either an open redirection or a click tracking service. At first glance, the page looked normal, but behind the scenes, it was designed to trick users into revealing credentials.
Open redirection
An open redirect occurs when a website automatically sends a user to another URL provided in a link parameter without checking if it’s safe.
Example:
https://trustedsite.com/redirect?url=https://malicious-site.com
Here, trustedsite.com is legitimate, but the url= parameter points to a potentially malicious page. Clicking the link redirects the user immediately to the attack site.
Click tracking service
A click tracking service is typically used by marketers to monitor who clicks links in emails or ads. Each click goes through a tracking URL before reaching the final destination.
Example:
https://tracking-service.com/click?target=https://example.com
The service records the click, then forwards the user to the intended page. Attackers can replace the final destination with a phishing site, making the link appear harmless while hiding the true target.
Both techniques are commonly abused in phishing:
- They make malicious logon forms appear behind trusted domains, increasing credibility
- Security tools may only see the initial, legitimate-looking link
- Users are silently redirected to a fake login page, making attacks harder to detect and more convincing
Our new MetaVTI for logon forms hidden behind suspicious redirection flags these types of behaviors during analysis.
Detecting API hooking evasion
Category: Defense Evasion
MITRE ATT&CK® Technique: T1497, T1106
Security tools try to monitor what programs do on Windows, especially actions that are often abused by malware. One common approach is to watch key Windows functions, so suspicious behavior can be recorded or blocked.
Some malware attempts to bypass this monitoring. Instead of using the normal, observed path, it looks for a way to call the same Windows functions without triggering the usual visibility points.
What we observed:
In the sample we analyzed, the malware used a trick involving ntdll.dll, a core Windows component that many low-level system actions go through, and a place security tools often monitor. To reduce the chance of detection, the malware:
- Loaded a fresh (“clean”) copy of
ntdll.dll, (the already present ntdll.dll may be watched or modified by security tools), and
- Used that copy to perform a sensitive action, bypassing the monitored instance already loaded in memory.
Detect dropping Python and running a Python script
Category: Execution
MITRE ATT&CK® Technique: T1059/006/
Attackers sometimes bring their own tools with them. One common trick is to drop a portable copy of Python onto the system and use it to run a script, so they don’t depend on anything already being installed.
In the case we observed, the malware:
- Saved Python program files into a temporary folder, and then
- Immediately used that newly dropped Python to run a script file it also placed in a temporary folder.
Temporary folders are designed for short-lived files, so running a newly dropped tool from there is a common tactic to stay low profile and avoid normal installation paths.
Our new VTI detects that pattern: “drop Python → run a dropped script”, which is a strong sign of malicious execution, because legitimate software rarely installs and launches a scripting engine from a temporary location as part of normal use.
Detecting timestomping
Category: Defense Evasion
MITRE ATT&CK® Technique: T1070/006
A timestamp is the date and time attached to a file (for example, when it was created or modified). In investigations, timestamps help analysts understand when something happened and in what order.
This VTI detects a common evasion trick called timestomping: when malware manipulates file timestamps to make activity harder to trace. In the sample we analyzed, a dropped file had an obviously suspicious date, such as a
Unusual timestamps can hide the real timeline of an attack and mislead simple detections that focus on newly created files. Even on their own, extreme timestamps are rare in legitimate software, so they’re a strong signal that something is trying to cover its tracks.
Detecting monitoring clipboard content
Category: Input Capture
MITRE ATT&CK® Technique: T1115
We observed a sample that monitored the Windows clipboard, which serves as the copy/paste buffer your computer uses to temporarily store text and data you copy. What made this case especially concerning was how persistent it was. Instead of checking the clipboard occasionally, the sample queried clipboard content repeatedly and at high frequency (essentially asking “did the user copy something new?” over and over). This kind of polling behavior is typical of malware that wants to capture sensitive information the moment it appears.
Our new VTI detects that pattern: frequent, repeated clipboard reads consistent with clipboard monitoring.
It’s pretty important to react to this behavior fast as the clipboard often contains high-value data, including:
- Passwords (copied from password managers or reset flows)
- One-time codes (2FA/SMS/Authenticator)
- Cryptocurrency wallet addresses
- Private text from emails, chats, or documents
- Internal company data copied for sharing or reporting, etc
AutoUI Enhancements
Improved AutoUI for Sharepoint pages
In the past two months, we improved AutoUI to better handle links on SharePoint pages.
During analysis, we encountered a sample where our AutoUI was unable to click certain elements or links. , rather than a traditional document. Microsoft allows users to add links this way, so a library can contain items that look like regular entries but actually point to external content (Microsoft’s guide). While convenient for collaboration, this format can be tricky for automated tools as SharePoint link items can masquerade as normal documents, but they behave like interactive web controls and redirects, so automated sandboxes may click the wrong element, miss the navigation flow, or never reach the external content.
New extractor for MetaStelaer
MetaStealer is a C++ information stealer targeting common web browsers, and using a domain generation algorithm (DGA) for command and control domains. The name is also used for a .NET stealer with strong similarities to Redline stealer.
YARA Rules Update
Our hunt for new, undetected malware samples never stops. Over the past year, we added more than 300 fresh YARA rules to strengthen detection across a wide range of threats. This month, we’re continuing that momentum with 65+ new rules, focused on delivering a solid drop of high-quality detections. Here’s a quick preview of what we’re shipping this month.
New YARA detections for:
Stealers:
- TimbreStealer
- MeStealer
- AdaStealer
- OctalynStealer
- Stealerium
- ZeroTrace Stealer
- DataTheif Stealer
- Valkyrie Stealer
- XaXa Stealer
- FickerStealer
- DigitStealer
- XoriumStealer
- Aetheryx
- OrionLogger
- VenomCyber
- SteamDumper
- CrypVault
Backdoor:
- ChaosBot
- Squidoor
- YiBackdoor
- EchoGather
Ransomware:
- HellCat
- RansomHub
- LukaLocker
- ShinyHunters
- HolyCat
Trojan:
- Fatbeehive
- JustAskJacky
- Picsys
- Farfli
- Padodor
Techniques:
- New rule for fake sliding-based captcha and ClickFix page
- New rule for FakeCAPTCHA phishing page
- New rule for a ClickFix campaign
- New rule for generic Ransomware behavior
- New rule for generic InfoStealer behavior
- New rule for generic Python malware
- New rule for phishing campaign using SecureDocumentSharing
- New rule for MITMProxy and several malicious MSI files
- New rule for evasive redirector phishing page
- New rule for HTARedirector and different HTA malware
- New rule for malicious VBScripts
- New rule for MacOS infogathering commands
- DHL-themed phishing URL
- Custom CAPTCHA pages
New signatures for the following PUAs (Potentially Unwanted Applications):
- BitComet
- DrFone
- GoToResolve
- LogMeIn
- Datto RMM
- Tarian RMM
Other:
- TelegramNotifer
- PyDNSExfil
- Mozi botnet
- MyDoom
- CaminhoLoader
- GrokPy
- Obfusheader
- Prince of Persia APT
- WhatsApp Brazil Bot
