The Labs team at VMRay actively gathers publicly available data to identify any noteworthy malware developments that demand immediate attention. We complement this effort with our internal tracking and monitor events the security community reports to stay up-to-date with the latest changes in the cyber threat landscape.
In March 2026, the VMRay Labs team focused on the following areas:
1) New VMRay Threat Identifiers addressing:
- Detecting RMM tools
- Detecting queries to generic IP services for hosting-provider information
- Detecting suspicious characteristics in dropped PE files
- Detecting checks for file-based sandbox artifacts
- Detecting starting Chromium-based browsers in headless mode
- Detecting App-Bound Encryption bypass in Chromium-based browsers
- 4 new VTIs for detecting sensitive data discovery activity
2) New or updated Configuration Extractors for:
- PhantomStealer
- ParallaxRAT
- SalatStealer
3) +30 new YARA rules
Now, let’s delve into each topic for a more comprehensive understanding.
New VTIs
In a series of these blog posts, we introduced you to the concept of the VMRay Threat Identifiers (VTIs). In short, VTIs identify threatening or unusual behavior of the analyzed sample and rate the maliciousness on a scale of 1 to 5, with 5 being the most malicious. The VTI score, which greatly contributes to the ultimate Verdict of the sample, is presented to you in the VMRay Platform after a completed analysis. Here’s a recap of the new VTIs that we added or improved in the past month.
Detecting RMM tools
Category: Persistence
MITRE ATT&CK® Technique: T1219
RMM tools are legitimate remote administration solutions commonly used by Managed Service Providers and internal IT teams to monitor, maintain, and manage endpoints, servers, and other systems remotely. Their typical functions include health monitoring, remote access, patching, software deployment, and system administration. In normal environments, they allow administrators to manage many devices from a central console instead of logging into each machine individually.
In the samples we recently analyzed, RMM tools were dropped or downloaded by malware. This is a vital signal because attackers often use legitimate RMM software to establish stable, interactive access without relying solely on the original payload. From a persistence perspective, this is especially relevant as RMM agents can survive reboots, run as services, and blend into normal administrative activity.
To address this behavior, we introduced two new VTIs:
The first VTI covers the lower-severity scenario, where malware drops a file that is identified as a known RMM tool. This indicates deployment of legitimate remote management software and can already be an important sign of attempted persistence.
The second VTI targets higher-risk behavior. It triggers when a dropped RMM tool is disguised as something else, such as by using a misleading filename. This suggests a stronger attempt to conceal the use of remote access software and increases confidence that the activity is malicious.
Detecting queries to generic IP services for hosting-provider information
Category: Discovery
MITRE ATT&CK® Technique: T1016
Threat actors continue to use simple network-awareness checks to identify analysis environments before revealing full malicious behavior. One such technique involves querying services such as ip-api.com, a public IP geolocation service, to determine whether the system’s public IP address is associated with a hosting provider. The service can return metadata such as ISP, organization, ASN, and hosting-related indicators, and it also supports requests for the hosting field only.
In recent malware analysis, we observed a sample querying generic IP services to check whether the public-facing IP belonged to a hosting or datacenter network. This type of lookup can help malware distinguish real victim environments from sandboxes, cloud-based virtual machines, or automated detonation systems, which often operate from hosting-provider IP space. Such behavior is a notable evasion signal. Malware may use the result to decide whether to continue execution, delay activity, or suppress malicious actions entirely when it suspects an analysis environment.
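The check above leaves a characteristic trace in the sandbox's network log. The following added example (not VMRay's detection logic) scores HTTP requests from such a log: a plain public-IP lookup is low severity, a lookup that leaves the default full-metadata response in place is medium, and an explicit request for ip-api.com's hosting-related fields is the strongest signal. The service hostnames are real; the log lines, PIDs and severity values are constructed for the example.

```python
"""Flag sandbox-awareness lookups against public IP metadata services.

Added example (not VMRay's own detection logic): scores HTTP requests from
a dynamic-analysis network log. A plain public-IP lookup is low severity; an
explicit request for hosting/datacenter metadata (for example ip-api.com's
``hosting`` field) is the stronger evasion signal. Log lines are constructed.
"""
from urllib.parse import parse_qs, urlsplit

# Public services that return ISP/ASN/hosting metadata for the caller's IP.
# The hostnames are real; treating them as indicators is this example's choice.
IP_METADATA_SERVICES = {"ip-api.com", "ipinfo.io", "ipapi.co", "ipwho.is"}

# ip-api.com response fields that reveal whether the IP sits in provider space.
HOSTING_FIELDS = {"hosting", "proxy", "isp", "org", "as", "asname"}


def classify_request(url):
    """Return (severity, reason) for one request URL; severity 0 is benign."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in IP_METADATA_SERVICES:
        return 0, "not an IP metadata service"
    # ip-api.com takes a comma-separated ``fields`` filter; collect its members.
    requested = set()
    for value in parse_qs(parts.query).get("fields", []):
        requested.update(f.strip().lower() for f in value.split(","))
    hosting = sorted(requested & HOSTING_FIELDS)
    if hosting:
        return 3, f"{host}: asked for hosting-related fields {hosting}"
    if requested:
        return 1, f"{host}: limited lookup of fields {sorted(requested)}"
    # No filter at all: the default JSON/XML response already includes 'hosting'.
    return 2, f"{host}: full-metadata lookup of the sample's public IP"


def scan_log(lines):
    """Parse 'TIMESTAMP PID METHOD URL' lines; return hits in log order."""
    hits = []
    for line in lines:
        try:
            ts, pid, method, url = line.split(maxsplit=3)
        except ValueError:
            continue  # malformed line; keep going
        severity, reason = classify_request(url)
        if severity:
            hits.append({"time": ts, "pid": int(pid), "method": method,
                         "url": url, "severity": severity, "reason": reason})
    return hits


# Constructed log lines for the example; PIDs and timestamps are made up.
SAMPLE_LOG = [
    "2026-03-04T10:12:01Z 4120 GET http://ip-api.com/json/?fields=status,hosting",
    "2026-03-04T10:12:02Z 4120 GET https://update.example.com/manifest.json",
    "2026-03-04T10:12:03Z 4120 GET http://ip-api.com/json/",
    "2026-03-04T10:12:04Z 4120 GET http://ip-api.com/json/?fields=status,query",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"[{hit['severity']}] pid={hit['pid']} {hit['reason']}")
```

The tiering matters in practice: many legitimate installers ask an IP service for the country only, so a `fields=` filter that excludes hosting data is treated as a weaker signal than a request that asks for it outright.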
Detecting suspicious characteristics in dropped PE files
Category: Heuristics
Portable Executable (PE) files are the standard Windows format for programs, DLLs, and drivers. In a recently analyzed sample, our Labs team observed suspicious PE characteristics that differed from what is normally seen in legitimate software.
One indicator was an unusual certificate issuer. In normal cases, signed software is linked to recognizable certificate authorities such as DigiCert, Sectigo, or GlobalSign. In this sample, however, the certificate issuer was a random-looking domain name that does not resemble any legitimate certificate authority. This kind of naming pattern looks similar to a DGA (Domain Generation Algorithm) domain, where malware uses automatically generated domain names to make its infrastructure harder to track or block. When certificate information contains a random or machine-generated issuer name instead of a trusted authority, it can be a sign of a fake, abused, or otherwise suspicious certificate chain.
The other suspicious signal was an unusual PE section name. PE files are organized into sections, and legitimate Windows software usually uses standard names like .text, .data, or .rdata. When a file contains uncommon or custom section names, it may indicate that it was built in a non-standard way. Malware authors often use such sections to hide malicious code, store encrypted content, or make the file more difficult for security tools and analysts to interpret.
Neither of these characteristics proves maliciousness on its own. However, together they highlight that the file does not look like ordinary, professionally built software. These kinds of irregularities are often associated with obfuscation, tampering, or attempts to evade detection.
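Both characteristics can be checked without a full PE library. The added example below (not VMRay's implementation) walks the PE headers directly to read the section table and applies a simple random-looking-name test to an issuer CN. The "standard" section list, the CA keyword list and the thresholds are this example's assumptions, and `build_min_pe` constructs a header-only PE purely as test input.

```python
"""Heuristics for the two dropped-PE irregularities discussed above.

Added example, not VMRay's implementation. It parses the PE section table
directly (no third-party modules) and applies a simple random-looking-name
test to a certificate issuer string. ``build_min_pe`` constructs a header-only
PE for demonstration; the section list and issuer names are made up, and the
thresholds and the "standard" section list are this example's assumptions.
"""
import re
import struct

# Section names commonly emitted by MSVC/MinGW/Go toolchains (assumed list).
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                     ".pdata", ".rsrc", ".reloc", ".tls", ".CRT", ".xdata",
                     ".debug", ".symtab", ".textbss"}

KNOWN_CA_KEYWORDS = ("digicert", "sectigo", "globalsign", "entrust", "godaddy",
                     "comodo", "certum", "ssl.com", "microsoft", "thawte",
                     "verisign", "symantec")


def section_names(pe):
    """Return section names from a PE image (bytes), walking the headers manually."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size             # first IMAGE_SECTION_HEADER
    if table + 40 * num_sections > len(pe):
        raise ValueError("truncated section table")
    return [pe[table + 40 * i:table + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
            for i in range(num_sections)]


def issuer_looks_generated(issuer_cn):
    """True when an issuer CN has no known-CA keyword and reads like a DGA label."""
    name = issuer_cn.lower()
    if any(k in name for k in KNOWN_CA_KEYWORDS):
        return False
    label = re.sub(r"[^a-z0-9]", "", name.split(".")[0])
    if len(label) < 8:
        return False
    vowel_ratio = sum(c in "aeiou" for c in label) / len(label)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", label)), default=0)
    return vowel_ratio < 0.25 or longest_run >= 5


def assess_dropped_pe(pe, issuer_cn=""):
    """Combine both heuristics; score counts how many fired (0..2)."""
    names = section_names(pe)
    findings = []
    unusual = [n for n in names if n not in STANDARD_SECTIONS]
    if unusual:
        findings.append(f"non-standard section names {unusual}")
    if issuer_cn and issuer_looks_generated(issuer_cn):
        findings.append(f"random-looking certificate issuer {issuer_cn!r}")
    return {"sections": names, "findings": findings, "score": len(findings)}


def build_min_pe(names):
    """Construct a header-only PE32 image (constructed test input, not runnable code)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    optional = b"\0" * 224                   # IMAGE_OPTIONAL_HEADER32 size
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, len(optional), 0x0102)
    table = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in names)
    return dos + b"PE\0\0" + coff + optional + table


if __name__ == "__main__":
    sample = build_min_pe([".text", ".rdata", ".data", ".qwxz", ".rsrc"])
    print(assess_dropped_pe(sample, "xk7qzpv9mwd.com"))
```

A score of 2 reproduces the "together they highlight" reasoning above; a single finding is worth recording but, as the text says, does not by itself prove maliciousness. Real signed files need the issuer CN pulled from the Authenticode signature first, which this example deliberately leaves to a PKCS#7 parser.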
Detecting checks for file-based sandbox artifacts
Category: Anti Analysis
Recently, we analyzed a SantaStealer sample that checked whether it was running on a normal user system or inside a controlled analysis environment before revealing any suspicious behavior. One way malware does this is by looking for sandbox artifacts, which are clues that a machine may be used for testing or investigation rather than everyday work. In this case, the sample searched for directories such as C:\sandbox and C:\analysis. These are not special Windows folders, but ordinary directories that analysts or engineers may create to store malware samples, tools, or investigation results.
On a typical employee laptop, you would expect to see folders such as Documents, Downloads, or project-related files. In contrast, analysis systems often contain cleaner, more technical folder names that can make the environment look artificial. To malware, those names may signal that it is being observed.
In the sample we analyzed, this directory check appears to have been used as an environment test. If malware detects enough signs of an analysis setup, it may hide its real behavior, delay execution, or stop running altogether to evade detection. Even when those folders are not present, the fact that the sample is actively looking for them is itself an important indicator of anti-analysis behavior.
Detecting starting Chromium-based browsers in headless mode
Category: Defense Evasion
Headless mode means a program runs without showing its normal visual window or interface. In the case of a browser, that means it can still open webpages, run scripts, click buttons, and perform other actions, but nothing appears on the screen for a user to see. This is not unusual by itself. Headless browsers are commonly used for legitimate purposes such as automated testing, website monitoring, and background browser tasks on servers. For example, a browser like Chrome can run in headless mode to visit a webpage and interact with it automatically, without ever opening a visible browser window.
However, this legitimate functionality can also be abused by malware. Malware authors may start a Chromium-based browser in headless mode to conceal browser activity from the user while still benefiting from the browser’s legitimate capabilities and security context. In stealer-related cases, this can enable background interaction with websites, scripts, or authenticated sessions without displaying a visible browser window, making the activity less noticeable and harder for the victim to detect.
Detecting App-Bound Encryption bypass in Chromium-based browsers
Category: Data Collection
Recently, we addressed a technique described in research by Alex Hagenah that focuses on bypassing App-Bound Encryption in Chromium-based browsers. App-Bound Encryption is meant to better protect sensitive browser data such as saved passwords, cookies, and payment information. The idea is that this data should only be decrypted by the trusted browser application itself: the key that protects it is held by a privileged browser service, which checks that the process asking for it is the browser before handing it over. This makes it harder for attackers to simply read the files from disk and extract the stored secrets.
What makes this technique notable is that it does not try to break the protection from the outside. Instead, it abuses the browser’s own trusted context. The basic idea is straightforward: a real browser process is started, code is injected into it, and that trusted browser process is then used to access and decrypt sensitive browser data. Because the activity appears to come from the browser itself, it can be more difficult to detect than a traditional file theft approach.
This matters because it shows how attackers can use a legitimate browser against itself. Rather than attacking Chrome, Edge, or another Chromium-based browser directly from the outside, they attempt to operate from within the browser’s own trusted environment. That can make the activity look more legitimate and reduce the visibility of the theft. The project also highlights a broader concern for defenders: modern information-stealing malware is increasingly designed not only to collect data, but to do so in ways that avoid common detection methods. According to the public project description, this includes stealth-focused techniques intended to make security monitoring more difficult.
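Both of the browser-related behaviors above (a headless Chromium launch, and a browser process that is started and then injected into) are visible in ordinary endpoint telemetry. The added example below is not VMRay's or the research project's code; it runs two rules over a constructed Sysmon-style event list (EventID 1 ProcessCreate, 8 CreateRemoteThread, 10 ProcessAccess, using Sysmon's field names) and correlates them into the "launch the browser, then inject into it" pattern. Processes, PIDs, paths and severity values are made up for the example; the browser flags and access-mask constants are real.

```python
"""Detect headless Chromium launches and injection into a browser process.

Added example, not VMRay's code, covering the headless-mode and App-Bound
Encryption bypass behaviors above. Input is a constructed Sysmon-style event
list (EventID 1 ProcessCreate, 8 CreateRemoteThread, 10 ProcessAccess) with
Sysmon's field names; the processes, PIDs and paths are made up.
"""
from pathlib import PureWindowsPath

CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe",
                     "vivaldi.exe", "chromium.exe"}
REMOTE_CONTROL_FLAGS = {"--remote-debugging-port", "--remote-debugging-pipe"}
# Windows PROCESS_* access rights that allow writing code and starting a thread.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_WRITE = 0x0020
INJECTION_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_WRITE


def basename(path):
    return PureWindowsPath(path).name.lower()


def flag_names(cmdline):
    """Set of '--flag' names on a command line, values stripped."""
    return {t.split("=", 1)[0].lower() for t in cmdline.split() if t.startswith("--")}


def headless_finding(ev):
    """A Chromium browser started with --headless (any variant)."""
    if ev["EventID"] != 1 or basename(ev["Image"]) not in CHROMIUM_BROWSERS:
        return None
    flags = flag_names(ev["CommandLine"])
    if "--headless" not in flags:
        return None
    remote = bool(flags & REMOTE_CONTROL_FLAGS)   # DevTools control of the session
    return {"rule": "chromium_headless_start", "severity": 3 if remote else 2,
            "pid": ev["ProcessId"], "parent": basename(ev["ParentImage"]),
            "flags": sorted(flags)}


def injection_finding(ev):
    """A non-browser process opening or threading into a Chromium browser."""
    if ev["EventID"] not in (8, 10):
        return None
    source, target = basename(ev["SourceImage"]), basename(ev["TargetImage"])
    if target not in CHROMIUM_BROWSERS or source in CHROMIUM_BROWSERS:
        return None
    base = {"pid": ev["TargetProcessId"], "source_pid": ev["SourceProcessId"], "source": source}
    if ev["EventID"] == 8:
        return {"rule": "remote_thread_into_browser", "severity": 4, **base}
    if (int(ev["GrantedAccess"], 16) & INJECTION_MASK) == INJECTION_MASK:
        return {"rule": "browser_opened_with_injection_rights", "severity": 3, **base}
    return None


def analyze(events):
    """Run both rules and correlate 'launched the browser, then injected into it'."""
    findings = [f for ev in events for f in (headless_finding(ev), injection_finding(ev)) if f]
    browser_parent = {ev["ProcessId"]: ev["ParentProcessId"] for ev in events
                      if ev["EventID"] == 1 and basename(ev["Image"]) in CHROMIUM_BROWSERS}
    for f in list(findings):
        if f["rule"] == "remote_thread_into_browser" and browser_parent.get(f["pid"]) == f["source_pid"]:
            findings.append({"rule": "launch_then_inject_into_browser", "severity": 5,
                             "pid": f["pid"], "source_pid": f["source_pid"]})
    return sorted(findings, key=lambda f: -f["severity"])


# Constructed events: a dropped update.exe starts Chrome headless, then injects into it.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 5120, "ParentProcessId": 1812,
     "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\update.exe"'},
    {"EventID": 1, "ProcessId": 6004, "ParentProcessId": 5120,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "CommandLine": (r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless=new '
                     r'--disable-gpu --remote-debugging-port=9222 '
                     r'--user-data-dir="C:\Users\alice\AppData\Local\Google\Chrome\User Data"')},
    {"EventID": 10, "SourceProcessId": 5120, "TargetProcessId": 6004,
     "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "SourceProcessId": 5120, "TargetProcessId": 6004,
     "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"EventID": 1, "ProcessId": 7100, "ParentProcessId": 7088,
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer'},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']} pid={f['pid']}")
```

The correlation step is the useful part: a headless launch alone is common in test automation, and a ProcessAccess with injection rights alone is produced by some security products, but the same non-browser process spawning the browser and then creating a remote thread in it matches the technique described above and is rarely benign.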
4 new VTIs for detecting sensitive data discovery activity
Category: Discovery
1) Searching for sensitive RDP configuration data
The first new VTI in this umbrella category focuses on Remote Desktop Protocol (RDP), Microsoft’s technology for connecting to and controlling another computer remotely. Configuration data for remote access tools can include hostnames, IP addresses, usernames, domains, and other connection details.
This information can be valuable to attackers because it may reveal internal systems, remote access patterns, and infrastructure details that can support further compromise. In the samples we analyzed, the malware searched for remote access configuration data associated with tools such as AnyDesk, RealVNC, and TeamViewer.
2) Searching for sensitive password manager data
The second new VTI focuses on data stored by password managers, which are commonly used to save and organize credentials, notes, and other sensitive information. Configuration and profile data from these applications can reveal stored account details, vault-related information, or other authentication material.
This information can be highly valuable to attackers because it may provide direct access to credentials or help identify where sensitive login data is stored. In the samples we analyzed, the malware searched for password manager data associated with tools such as KeePass and Bitwarden.
3) Searching for sensitive developer application configuration data
The third new VTI focuses on configuration data related to developer applications. These tools often store project settings, connection details, workspace information, extensions, and other environment-specific data that can reveal how a system is used for development or administration.
For attackers, this kind of information can be useful because it may expose internal resources, database connections, development workflows, and other technical details that may support their follow-up activities. In the samples we analyzed, the malware searched for configuration data associated with tools such as DBeaver and Visual Studio Code.
4) Searching for sensitive VPN configuration data
The fourth new VTI focuses on VPN configuration data, which is used to establish secure remote connections to corporate or private networks. This can include server addresses, connection profiles, usernames, certificate references, and other settings related to remote access.
This information can be valuable to attackers because it may reveal how users connect to internal environments and what VPN infrastructure is in use. In the samples we analyzed, the malware searched for VPN-related configuration data associated with tools such as Cisco AnyConnect VPN and NordVPN. Additionally, depending on how VPN access is secured, it might even give an attacker access to the remote network.
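The directory probes described under "Detecting checks for file-based sandbox artifacts" and the four discovery VTIs above are both file-activity questions, so one classifier can serve them. The added example below is not VMRay's code: it takes a constructed Procmon-style stream of (pid, image, operation, path, result) tuples, records any access to the sandbox artifact directories regardless of result, and maps sensitive-data paths to the four categories. The application paths are this example's assumptions about where each tool keeps its data, and the owner-process allow-list (KeePass reading its own .kdbx is normal) is a false-positive control of our own, not something the text prescribes.

```python
"""Classify file activity for sandbox-artifact probes and sensitive-data discovery.

Added example covering both the directory checks (C:\\sandbox, C:\\analysis)
and the four discovery VTIs described above; it is not VMRay's code. Input is
a constructed Procmon-style stream of (pid, image, operation, path, result)
tuples. The application paths matched below are this example's assumptions
about where each tool keeps its data, and the owner-process allow-list is a
false-positive control, not something the text prescribes.
"""
import re
from collections import defaultdict

SANDBOX_ARTIFACT_DIRS = (r"c:\sandbox", r"c:\analysis")

# category -> (regexes over the lower-cased path, processes allowed to touch them)
DISCOVERY_RULES = {
    "rdp_remote_access": ([r"\.rdp$", r"\\anydesk\\[^\\]+\.conf$", r"\\realvnc\\", r"\\teamviewer\\"],
                          {"mstsc.exe", "anydesk.exe", "vncserver.exe", "teamviewer.exe"}),
    "password_manager": ([r"\.kdbx$", r"\\keepass\\", r"\\bitwarden\\data\.json$"],
                         {"keepass.exe", "bitwarden.exe"}),
    "developer_config": ([r"\\dbeaverdata\\.*\\(credentials-config|data-sources)\.json$",
                          r"\\code\\user\\settings\.json$", r"\\code\\user\\globalstorage\\"],
                         {"dbeaver.exe", "code.exe"}),
    "vpn_config": ([r"\\cisco anyconnect secure mobility client\\profile\\[^\\]+\.xml$", r"\\nordvpn\\"],
                   {"vpnui.exe", "vpnagent.exe", "nordvpn.exe"}),
}
COMPILED = {cat: ([re.compile(p) for p in pats], owners)
            for cat, (pats, owners) in DISCOVERY_RULES.items()}


def sandbox_probe(path):
    """True for the artifact directory itself or anything beneath it."""
    p = path.lower().rstrip("\\")
    return any(p == d or p.startswith(d + "\\") for d in SANDBOX_ARTIFACT_DIRS)


def discovery_category(path, image):
    """Sensitive-data category of a path, or None when the owning app touched it."""
    p = path.lower()
    for cat, (patterns, owners) in COMPILED.items():
        if any(r.search(p) for r in patterns):
            return None if image.lower() in owners else cat
    return None


def analyze(events):
    """Per-PID report: sandbox probes (any result), discovery hits, and triggered VTIs."""
    report = defaultdict(lambda: {"sandbox_probes": [], "discovery": defaultdict(list), "vtis": []})
    for pid, image, operation, path, result in events:
        entry = report[pid]
        if sandbox_probe(path):
            entry["sandbox_probes"].append((operation, path, result))
        cat = discovery_category(path, image)
        if cat:
            entry["discovery"][cat].append(path)
    for entry in report.values():
        if entry["sandbox_probes"]:
            # Looking is the signal; a NAME NOT FOUND result still counts.
            entry["vtis"].append("anti_analysis:file_based_sandbox_artifacts")
        entry["vtis"].extend(f"discovery:{cat}" for cat in entry["discovery"])
        entry["discovery"] = dict(entry["discovery"])
    return {pid: e for pid, e in report.items() if e["vtis"]}


# Constructed events; the stealer probes for artifact dirs, then hunts for configs.
SAMPLE_EVENTS = [
    (4120, "stealer.exe", "QueryDirectory", r"C:\sandbox", "NAME NOT FOUND"),
    (4120, "stealer.exe", "CreateFile", r"C:\analysis", "NAME NOT FOUND"),
    (4120, "stealer.exe", "CreateFile", r"C:\Users\alice\Documents\work.kdbx", "SUCCESS"),
    (4120, "stealer.exe", "CreateFile", r"C:\Users\alice\AppData\Roaming\Bitwarden\data.json", "SUCCESS"),
    (4120, "stealer.exe", "CreateFile", r"C:\Users\alice\AppData\Roaming\AnyDesk\service.conf", "SUCCESS"),
    (4120, "stealer.exe", "CreateFile",
     r"C:\Users\alice\AppData\Roaming\DBeaverData\workspace6\General\.dbeaver\credentials-config.json", "SUCCESS"),
    (4120, "stealer.exe", "CreateFile",
     r"C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\corp.xml", "SUCCESS"),
    (4120, "stealer.exe", "CreateFile", r"C:\Users\alice\Documents\notes.txt", "SUCCESS"),
    (2210, "KeePass.exe", "CreateFile", r"C:\Users\alice\Documents\work.kdbx", "SUCCESS"),
]

if __name__ == "__main__":
    for pid, entry in analyze(SAMPLE_EVENTS).items():
        print(pid, entry["vtis"])
```

Two design points carry over to real rules: the sandbox-artifact rule fires on the attempt rather than on a successful open, because on a clean victim machine those directories do not exist and the probe is the only evidence; and the discovery rules key on which process touched the file, because the same .kdbx access is routine from KeePass and suspicious from an unsigned binary in a temp folder.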
PhantomStealer
PhantomStealer is a .NET infostealer likely based on the open source malware Stealerium. It collects a wide range of sensitive data, including Discord authentication tokens, web browser passwords, and data from cryptocurrency wallet extensions, and exfiltrates the stolen information through multiple channels such as Discord, Telegram, SMTP, and FTP.
ParallaxRAT
ParallaxRAT is a Remote Access Tool that enables attackers to remotely control the victim’s machine, transfer files, and steal login credentials, among other capabilities. It was first observed in early 2020 in emails masquerading as messages related to the COVID-19 pandemic.
SalatStealer
SalatStealer is a credential stealer written in Go that is designed to steal web browser and email credentials, as well as cryptocurrency. It can also remotely monitor a victim’s desktop, including recording their webcam and microphone.
YARA Rules Update
Our hunt for new, undetected malware samples never stops. This month we added more than 30 new YARA rules to strengthen detection across a wide range of threats, focused on delivering a solid drop of high-quality detections. Here’s a quick preview of what we’re shipping.
New YARA detections for:
Stealers:
- BluelineStealer
- Vidar v18 variants
- VoidStealer
- AmethystStealer
Loader:
- AxolotlLoader
- PyScLoader
- GachiLoader
- “Zombie ZIP” loader file
RAT:
Crypter:
- DarkTortilla
- MatrixCrypter
Phishing:
- Adobe phishing campaign
- Generic phishing campaign
- FakeCAPTCHA phishing campaign
- JavaScript blob loader used in phishing
- QR codes employing Unicode blocks
- Several custom CAPTCHAs
- Evading phishing pages
Other: