The Labs team at VMRay actively gathers publicly available data to identify any noteworthy malware developments that demand immediate attention. We complement this effort with our internal tracking and monitor events that the security community reports to stay up-to-date with the latest changes in the cyber threat landscape.
In June 2025, the VMRay Labs team has been focused on the following areas:
1) New VMRay Threat Identifiers addressing:
- Detecting CAPTCHAs within SVG files
- Detecting SVG files used for redirection
- Querying OS information
- Detecting hidden SystemInfo process
- Detecting credit card forms
2) New or updated Configuration Extractors for:
- SocGholish/FAKEUPDATES
- Tofsee
- Prometei
- PrivateLogger/MassLogger
3) Adaptive Browser Simulation enhancements for SVG files
4) +30 new YARA rules
Now, let’s delve into each topic for a more comprehensive understanding.
New VTIs
In our last few blog posts, we introduced you to the concept of the VMRay Threat Identifiers (VTIs). In short, VTIs identify threatening or unusual behavior of the analyzed sample and rate the maliciousness on a scale of 1 to 5, with 5 being the most malicious. The VTI score, which greatly contributes to the ultimate Verdict of the sample, is presented to you in the VMRay Platform after a completed analysis. Here’s a recap of the new VTIs that we added or improved in the past month.
New VTI detecting CAPTCHAs within SVG files
Category: Defense Evasion
MITRE ATT&CK® Technique: T1027.006
With the latest VMRay Platform release, we introduced support for analyzing SVG files — a critical step as threat actors increasingly abuse this vector graphic format to deliver malicious content. To improve our detection capabilities, we rolled out new VTIs focused specifically on malicious behavior in SVG files, including one that detects CAPTCHA-based smuggling techniques.
CAPTCHAs in SVGs: a red flag
In a sample we recently analyzed, an SVG file displayed a CAPTCHA challenge to the user — a visual element commonly associated with legitimate verification. However, in this context, it was clearly a malicious behavior. Why?
1) Typically, CAPTCHA logic is served via HTML embedded in a webpage. In this case, however, the entire CAPTCHA mechanism was embedded directly within an SVG file. This is highly unusual and concerning because SVGs are primarily used for vector graphics, not for executing complex logic.
2) Attackers often use CAPTCHAs to prevent automated analysis in sandbox environments. However, VMRay Platform can still handle such cases using our Adaptive Browser Simulation feature, which can solve these challenges automatically.
To mitigate this emerging tactic, VMRay Platform now includes a dedicated VTI that triggers when a CAPTCHA is detected within an SVG file.
VTI detecting SVG files used for redirection
Category: Heuristics
As phishing campaigns evolve, attackers increasingly leverage unconventional file formats to bypass traditional detection methods. In response, we expanded our heuristic detection capabilities to include a new VTI targeting SVG-based redirection techniques.
This VTI detects SVG files embedded with JavaScript that redirect users to phishing pages or other malicious sites. While HTML-based redirection is a familiar tactic, SVG files are now being used as lightweight, stealthy redirectors. These files may contain obfuscated JavaScript that dynamically constructs and triggers redirects using specific functions.
Due to the use of obfuscation and runtime execution, static signature-based detection often falls short. This heuristic-based VTI enhances detection by identifying behavioral patterns indicative of malicious redirection in SVG files.
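As an added example (not VMRay's VTI code), the following static triage covers both SVG behaviors described above: a CAPTCHA lure rendered inside the graphic and a redirect that is only assembled at runtime from obfuscated JavaScript. The sample SVG, the regex patterns and the scoring weights are assumptions constructed for this illustration.

```python
# Added example, not VMRay's VTI code: static triage of an SVG for the behaviours described
# above (embedded script, runtime redirect, CAPTCHA lure text, HTML inside <foreignObject>).
import re
import xml.etree.ElementTree as ET
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# Constructed sample: fake CAPTCHA drawn in the SVG, redirect target decoded only at runtime.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="400" height="200">
  <text x="20" y="40">Verify you are human</text>
  <foreignObject x="20" y="60" width="360" height="40">
    <div xmlns="http://www.w3.org/1999/xhtml"><input type="checkbox"/> I'm not a robot</div>
  </foreignObject>
  <script><![CDATA[
    var p = ["aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvbG9naW4="];  // decodes to https://example.invalid/login
    window.location.href = atob(p[0]);
  ]]></script>
</svg>"""
# Heuristic patterns (assumptions for this example, not VMRay's signatures).
REDIRECT = {"location_assign": re.compile(r"\blocation(?:\.href|\.replace|\.assign)?\s*[=(]"),
            "window_open": re.compile(r"\bwindow\.open\s*\(")}
OBFUSCATION = {"atob": re.compile(r"\batob\s*\("), "fromCharCode": re.compile(r"String\.fromCharCode"),
               "eval": re.compile(r"\beval\s*\("), "unescape": re.compile(r"\bunescape\s*\(")}
CAPTCHA_LURE = re.compile(r"not a robot|verify (?:that )?you(?:'re| are) human|captcha", re.I)

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the XML namespace from an element tag

def triage_svg(svg_text):
    """Return the indicators found in one SVG plus a weighted score (0 = nothing suspicious)."""
    root = ET.fromstring(svg_text)
    scripts, external, visible, foreign = [], [], [], False
    for el in root.iter():
        name = _local(el.tag)
        if name == "script":                      # inline JS, or a reference to external JS
            scripts.append(el.text or "")
            src = el.get("href") or el.get(XLINK_HREF)
            if src:
                external.append(src)
        elif name == "foreignObject":             # HTML smuggled into the graphic
            foreign = True
        else:                                     # text a viewer would actually see
            visible.extend(t for t in (el.text, el.tail) if t)
    code, text = "\n".join(scripts), " ".join(visible)
    finding = {"embedded_script": bool(scripts), "external_script": external,
               "redirect": sorted(k for k, rx in REDIRECT.items() if rx.search(code)),
               "obfuscation": sorted(k for k, rx in OBFUSCATION.items() if rx.search(code)),
               "captcha_lure": bool(CAPTCHA_LURE.search(text)), "foreign_object_html": foreign}
    # Runtime redirect and CAPTCHA lure are the strongest signals; obfuscation adds weight.
    finding["score"] = (2 * bool(finding["redirect"]) + len(finding["obfuscation"])
                        + 2 * finding["captcha_lure"] + foreign + bool(external))
    return finding
```

A plain vector graphic with no script, lure text or foreignObject scores 0, so the score can be thresholded per environment.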
VTI for querying OS information
Category: Discovery
MITRE ATT&CK® Technique: T1082
In a recent analysis of a CryptBot sample, we observed the malware querying certain Windows Registry keys to enumerate system details. These include:
- ProductName
- InstallationType
- CurrentBuildNumber
This type of OS fingerprinting is often used by malware to tailor payload execution based on the host environment or to evade detection in sandbox environments. While VMRay Platform previously had a VTI that detected registry enumeration patterns, the newly observed queries from CryptBot prompted an enhancement. We now extended the logic to cover these additional registry keys, ensuring that our VTI triggers appropriately when this specific behavior is detected.
VTI for detecting hidden SystemInfo process
Category: Discovery
MITRE ATT&CK® Technique: T1082, T1564.003
During the analysis of the Metastealer sample we saw another technique used during the malware’s discovery phase. In this case, the malware sample launches systeminfo.exe, a legitimate Windows utility used to gather system details. This is an example of a LOLBIN (Living Off the Land Binary), where malware leverages built-in system tools instead of custom code to avoid detection.
The goal of running systeminfo is to fingerprint the environment; that is, to gather insights about where it’s running. Specifically, Metastealer may be trying to determine:
- Is it inside a VM or sandbox?
- Is the system part of a corporate or high-value environment?
- What operating system, version, and architecture are present?
This information can guide its next steps, such as whether to deploy the full payload, adjust its behavior, or exfiltrate specific types of data.
Hidden SystemInfo Sample in the VMRay Platform
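As an added example (not VMRay's VTI implementation), the two discovery-phase detections described above, the CryptBot registry enumeration and the hidden systeminfo.exe launch, expressed as rules over a constructed sandbox event log. The event schema, the sample paths and PIDs, and the two-value threshold are assumptions; the registry path is the standard location of the three values named above.

```python
# Added example, not VMRay's VTI implementation: the two discovery-phase detections described
# above, run over constructed sandbox events. The event schema, sample values and thresholds
# are assumptions for this example.
from collections import defaultdict
import ntpath

# Standard location of the OS-version values named above (known registry path, not from the post).
OS_VERSION_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
OS_VERSION_VALUES = {"ProductName", "InstallationType", "CurrentBuildNumber"}
SAMPLE_EXE = r"C:\Users\victim\AppData\Local\Temp\update.exe"   # constructed path

# Constructed event log: pid 1200 reads three OS values, then spawns systeminfo hidden.
EVENTS = [
    {"type": "registry_query", "pid": 1200, "image": SAMPLE_EXE, "key": OS_VERSION_KEY, "value": "ProductName"},
    {"type": "registry_query", "pid": 1200, "image": SAMPLE_EXE, "key": OS_VERSION_KEY, "value": "CurrentBuildNumber"},
    {"type": "registry_query", "pid": 1200, "image": SAMPLE_EXE, "key": OS_VERSION_KEY, "value": "InstallationType"},
    {"type": "process_create", "pid": 1300, "parent_pid": 1200, "image": r"C:\Windows\System32\systeminfo.exe",
     "cmdline": "systeminfo", "show_window": "SW_HIDE"},
    {"type": "process_create", "pid": 1400, "parent_pid": 900, "image": r"C:\Windows\System32\systeminfo.exe",
     "cmdline": "systeminfo", "show_window": "SW_SHOWNORMAL"},   # visible console: should not fire
]

def detect_os_fingerprinting(events, min_values=2):
    """Flag a process that reads at least `min_values` distinct OS-version values (T1082)."""
    seen = defaultdict(set)
    for e in events:
        if (e["type"] == "registry_query" and e["key"].lower() == OS_VERSION_KEY.lower()
                and e["value"] in OS_VERSION_VALUES):
            seen[e["pid"]].add(e["value"])
    return [{"rule": "os_version_registry_enum", "technique": ["T1082"], "pid": pid, "values": sorted(v)}
            for pid, v in seen.items() if len(v) >= min_values]

def detect_hidden_systeminfo(events):
    """Flag systeminfo.exe started with a hidden window (T1082 + T1564.003)."""
    hits = []
    for e in events:
        if e["type"] != "process_create":
            continue
        if ntpath.basename(e["image"]).lower() == "systeminfo.exe" and e.get("show_window") == "SW_HIDE":
            hits.append({"rule": "hidden_systeminfo", "technique": ["T1082", "T1564.003"],
                         "pid": e["pid"], "parent_pid": e["parent_pid"]})
    return hits

def run_detections(events):
    """Run both rules; fingerprinting hits come first, then hidden-process hits."""
    return detect_os_fingerprinting(events) + detect_hidden_systeminfo(events)
```

The visible-window systeminfo launch (pid 1400) is deliberately left in the sample so the hidden-window condition, not the process name alone, is what fires.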
VTI for detecting credit card forms
Category: Heuristics
Phishing websites often impersonate trusted brands to trick users into entering sensitive financial information such as credit card numbers, expiration dates, and CVV codes. These fake forms are typically embedded within convincing webpages and use JavaScript to silently exfiltrate the data to attacker-controlled servers. To evade detection, they often rely on obfuscation techniques and highly realistic visual design.
With phishing tactics increasingly targeting payment information, we expanded our heuristic detection to include credit card harvesting behavior. Our new VTI scans the Document Object Model (DOM) of a webpage for forms containing input fields of credit card data. When such patterns are identified, the VTI triggers, helping analysts quickly pinpoint phishing pages aimed at stealing financial credentials.
Actual phishing website aimed to steal CC information
VTI for detecting credit card forms in the VMRay Platform
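As an added example (not VMRay's VTI code), a DOM scan of the kind described above: it walks every form on a page, classifies each input by what card datum it collects, and reports forms that gather a card number together with an expiry date or CVV. The sample page and the name/placeholder regexes are assumptions constructed for this illustration; the autocomplete tokens are the ones defined by the HTML standard.

```python
# Added example, not VMRay's VTI code: scan a page's DOM for forms that collect payment-card
# data, as the heuristic above does. The sample page and the name/placeholder patterns are
# assumptions constructed for this example; the autocomplete tokens are from the HTML standard.
import re
from html.parser import HTMLParser
AUTOCOMPLETE_KIND = {"cc-number": "number", "cc-csc": "cvv", "cc-exp": "expiry",
                     "cc-exp-month": "expiry", "cc-exp-year": "expiry"}
CC_PATTERNS = {"number": re.compile(r"card\s*_?(?:num|no)|cc[-_]?num|\bpan\b|credit", re.I),
               "expiry": re.compile(r"exp(?:ir|[-_]?(?:date|month|year|mm|yy))|mm\s*/\s*yy", re.I),
               "cvv": re.compile(r"\bcv[vc]\b|\bcsc\b|security\s*code", re.I)}
# Constructed sample: a branded "verify your card" lure next to a harmless search form.
SAMPLE_HTML = """<html><body>
<form action="https://brand-secure-update.invalid/submit.php" method="post">
  <input name="holder" placeholder="Name on card">
  <input name="cardnumber" placeholder="Card number" autocomplete="cc-number">
  <input name="exp" placeholder="MM / YY">
  <input name="cvv" placeholder="CVV">
</form>
<form action="/search"><input name="q" placeholder="Search"></form>
</body></html>"""

class FormFieldCollector(HTMLParser):
    # Collect the <input> attributes of every <form>, keyed by the form's action URL.
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append(a)
    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def classify_field(attrs):
    """Return which card datum an input collects ('number', 'expiry', 'cvv') or None."""
    ac = (attrs.get("autocomplete") or "").lower()
    if ac in AUTOCOMPLETE_KIND:
        return AUTOCOMPLETE_KIND[ac]
    hint = " ".join(attrs.get(k) or "" for k in ("name", "id", "placeholder", "aria-label"))
    return next((kind for kind, rx in CC_PATTERNS.items() if rx.search(hint)), None)

def find_card_forms(html):
    """Return forms that collect a card number plus at least one of expiry or CVV."""
    parser = FormFieldCollector(); parser.feed(html)
    hits = []
    for form in parser.forms:
        kinds = {k for k in map(classify_field, form["fields"]) if k}
        if "number" in kinds and kinds & {"expiry", "cvv"}:   # number alone is too weak
            hits.append({"action": form["action"], "kinds": sorted(kinds)})
    return hits
```

Requiring a second card field alongside the number keeps ordinary "enter your card" search or loyalty forms from triggering on the number field alone.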
New or updated Configuration Extractors
SocGholish/FAKEUPDATES
SocGholish (also known as FakeUpdates) is a downloader written in JScript or JavaScript that typically infects victims by prompting them to install a fake update disguised as legitimate software.
In recent months, we observed a notable surge in the use of SocGholish, with this malware family ranking among the top 20 threats tracked by multiple vendors in Q2 2025. In response to this trend, we added a dedicated configuration extractor to the VMRay Platform. This new extractor enhances visibility into SocGholish infections by automatically parsing and exposing the C2 URL.
Tofsee
In Q2 of 2025, we observed a resurgence of Tofsee, an older but still highly active malware family. Despite its age, Tofsee remains a persistent threat in the wild — particularly through phishing emails and spam-based campaigns.
Tofsee is a modular trojan, meaning it’s designed to perform a wide variety of malicious tasks depending on what its operators need. It can:
- Send massive volumes of spam to spread itself further
- Steal credentials
- Mine cryptocurrency using a victim’s computer resources
- Launch distributed denial-of-service (DDoS) attacks
In response to this re-emergence, we added a dedicated configuration extractor for Tofsee to the VMRay Platform.
Prometei
In Q2 2025, Prometei ranked among the top malware families observed in the wild. No surprise, considering how stealthy and persistent this threat has become.
Prometei is a modular botnet that has been around since at least 2016. Its main job? Illegally mining cryptocurrency (typically Monero, a coin known for its anonymity) by hijacking the computing power of infected systems. Over the years, it has grown more advanced — capable of spreading across networks, hiding from detection, and now even targeting cloud environments and remote desktops (RDP).
While most of the Prometei samples currently circulating (especially on platforms like MalwareBazaar) are aimed at Linux systems, research shows that Windows variants are still active in the wild. To help analysts and security teams stay ahead, we added a new configuration extractor for Prometei to our Platform.
PrivateLogger/MassLogger
MassLogger is an infostealer first observed in 2020, designed to exfiltrate sensitive data such as credentials from browsers, email clients (like Outlook and Thunderbird), and messaging platforms. It often spreads via phishing emails carrying malicious RAR or ZIP attachments that use obfuscated scripts for initial execution. Notably, it supports modular configuration for targeted data collection and often executes filelessly in memory, making detection more difficult.
This malware family has remained active into 2025, with recent campaigns targeting several European countries including Turkey, Italy, Latvia, Bulgaria, Hungary, Lithuania, Estonia, Romania, and Spain. These campaigns frequently rotate targets and leverage evasive delivery techniques such as CHM-based phishing lures. With the new config extractor, analysts can now automatically retrieve critical configuration data from MassLogger samples.
Adaptive Browser Simulation
Generic interaction with SVG submissions
As already mentioned, our previous Platform release brought support for SVG file analysis — a crucial step forward, especially as SVG files are increasingly being weaponized in phishing campaigns. Now, we’re taking another step further to improve the SVG analysis.
With this update, our Adaptive Browser Simulation — a component of Dynamic Web Analysis that automatically detects and interacts with UI elements — now fully supports SVG-based interactions. This means the VMRay Platform can not only analyze SVG files statically, but also interact with them dynamically, just like a real user would. If an SVG contains clickable elements leading to a second-stage URL (such as a phishing site), our enhanced browser simulation will automatically detect, click, and follow those links to analyze what lies beyond.
YARA Rules Update
Our ongoing hunt for new malware families and the creation of high-quality YARA signatures doesn’t slow down. Over the past four months, we added more than 100 fresh YARA rules to strengthen detection across a wide range of threats. This month, we’re continuing that momentum with 30+ new rules, focused on delivering a solid drop of high-quality detections. Here’s a quick preview of what we’re shipping this month.
Loaders
- TransferLoader
- ModiLoader/DBatLoader
- BokuLoader
- DoubleLoader
- MintsLoader
- TetraLoader
Stealers
- PupkinStealer
- TerraStealerV2/TerraLogger
- KatzStealer
- PlanetStealer
- JuniperStealer
- StaticStealer
- ACRStealer
- PentagonStealer
- EddieStealer
- AmateraStealer
- SalatStealer
RATs
- FatalRAT
- DarkVision RAT
- Parallax RAT
- ChaosRAT
Other YARA Rules
- AI PhishKit tool
- Amber Albatross
- Tofsee
- XRed
- GhostWeaver
- PumaBot
- ClpBot
- Grenam/Renamer
- Grandoreiro
Final Thoughts
June 2025 was a busy month for our Labs team, marked by major enhancements to our VMRay Threat Identifiers and a broadened, fine-tuned YARA rule set spanning multiple threat categories. As attackers refine their tactics, our ongoing commitment remains clear — to stay ahead of the curve, proactively enhancing detection, and equipping defenders with the tools needed to counter modern cyber threats. Stay tuned for our next edition of signature and detection updates, planned to be published in the weeks ahead.