The Labs team at VMRay actively gathers publicly available data to identify any noteworthy malware developments that demand immediate attention. We complement this effort with our internal tracking and monitor events the security community reports to stay up-to-date with the latest changes in the cyber threat landscape.
In October 2025, the VMRay Labs team focused on the following areas:
1) New VMRay Threat Identifiers addressing:
- Detecting regsvr32 proxy execution
- Detecting hostname discovery
- Detecting dead drop resolver
- Detecting checking if an IP address is listed in SPAM blocklists
- Detecting disabling Windows Recovery Environment
- Detecting changing permissions with takeown and icacls
- Detecting disabling automatic system hibernation
- Detecting the use of Wusa to uninstall Windows features
- Detecting changing power settings
2) AutoUI enhancements addressing recent phishing tricks
3) Smart Link Detonation additions
4) +14 new YARA rules
New VTIs
In a series of these blog posts, we introduced you to the concept of the VMRay Threat Identifiers (VTIs). In short, VTIs identify threatening or unusual behavior of the analyzed sample and rate the maliciousness on a scale of 1 to 5, with 5 being the most malicious. The VTI score, which greatly contributes to the ultimate Verdict of the sample, is presented to you in the VMRay Platform after a completed analysis. Here’s a recap of the new VTIs that we added, or improved in the past month.
Detecting regsvr32 proxy execution
Category: Defense Evasion
MITRE ATT&CK® Technique: T1218.010
regsvr32.exe is a small, built-in Windows utility used to register or unregister software components (usually DLLs or ActiveX controls) so that other programs can find and use them. Think of it like telling Windows: “This piece of code exists: here’s where to find it and how to use it.” Once registered, other programs can call that component when needed.
How do attackers abuse regsvr32?
Because regsvr32 is a trusted, Microsoft-signed system tool, attackers sometimes use it as a proxy to execute their own code. By tricking regsvr32 into loading a malicious DLL or remote script, malware can:
- Run under a legitimate Windows process name.
- Execute code in memory or fetch additional payloads from the network.
- Bypass basic antivirus, whitelisting, or behavior-based defenses that typically trust signed Windows binaries.
To strengthen detection against this technique, we introduced a new VTI detecting regsvr32 proxy execution.
Detecting hostname discovery
Category: Discovery
MITRE ATT&CK® Technique: T1033
In a recently observed sample, we saw the use of certain functions to obtain the system hostname (the computer’s network name). Malware often queries the hostname for several possible reasons:
- Fingerprinting: Malware may check the hostname as part of system profiling, gathering details to uniquely identify the infected machine.
- Sandbox evasion: Security researchers often run malware in virtual machines or sandboxes. These environments sometimes use default or obvious hostnames (e.g., WIN-VM, MALWARE-LAB, SANDBOX, etc). Malware can detect such hostnames and alter behavior (e.g., not executing its payload, staying dormant).
- Operational decisions: Some malware families use hostname checks to decide:
  - Whether the system is a high-value target (e.g., a domain controller, server, or developer workstation),
  - Whether to deploy certain payloads (e.g., ransomware might avoid certain regions or companies).
To be better equipped against this discovery technique, we added a new VTI that triggers when a process in the analyzed sample tries to collect the hostname.
Detecting dead drop resolver
Category: Network Connection
MITRE ATT&CK® Technique: T1102.001
Attackers constantly look for ways to communicate with their malware while staying under the radar. One such method is called a dead drop resolver — where malware uses legitimate public web services like Pastebin, GitHub, Telegram, or even YouTube to quietly retrieve its next set of instructions.
What is a dead drop resolver?
Instead of embedding a fixed command-and-control (C2) address inside the malware, attackers hide that address within normal, public websites. When it runs, the malware connects to one of these services, reads a small piece of hidden or encoded data, and learns where to reach the real C2 server.
Attackers use this technique for the following reasons:
- Stealth: Requests to popular websites look normal and are rarely blocked by firewalls.
- Flexibility: Attackers can easily update or change the hidden instructions without redeploying the malware.
- Resilience: Even if defenders block one C2 server, the operator can post a new address on the same service, and infected systems will find it automatically.
In one of our recent analyses, the malware connected to endpoints known to be abused for hosting dynamic C2 configurations, such as domains related to Steam-powered content delivery or Telegram channels. These connections served as indirect “waypoints” leading the malware to its real command server.
To counter this evasion technique, we added a new VTI triggering when the submitted sample reveals this behavior.
Detecting checking if an IP address is listed in SPAM blocklists
Category: Defense Evasion
MITRE ATT&CK® Technique: T1667
In one of our recent analyses, we observed malware performing quite clever behavior: it queried public blocklists to check whether a potential command-and-control (C2) server’s IP address was listed as malicious. In simple terms, the malware was testing its C2 options before actually connecting, making sure that the server it planned to use wasn’t already flagged or monitored by defenders.
Why do attackers do this?
Malware operators use this technique to stay stealthy and maintain control by:
1) Avoiding sinkholes or takedowns: Security teams often seize or redirect known C2 servers to “sinkholes” for tracking infections. If a C2 address appears on a blocklist, the malware will skip it to avoid revealing itself.
2) Bypassing network defenses: Many organizations use threat intelligence feeds and spam blocklists to block bad IPs. By testing first, the malware ensures it picks a C2 that won’t be automatically blocked.
This kind of behavior shows how attackers apply operational security (OPSEC) to their own infrastructure: they don’t want to get caught talking to an address defenders are already monitoring.
To improve visibility into this behavior, we added a new VTI triggering when the VMRay Platform observes a process querying public spam or IP reputation services.
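The public spam blocklists referred to above are usually DNS-based (DNSBLs): the client reverses the octets of the IPv4 address it wants to check and queries that name under the blocklist zone. As an added example, not VMRay's own VTI logic, here is a Python check over a constructed sandbox DNS-query log that recognises such lookups and recovers the address being tested; the log line format and the small list of zones are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Illustrative DNSBL zones (assumption: a real detector would carry the
# full list of reputation services an organisation wants to watch for).
DNSBL_ZONES = ("zen.spamhaus.org", "bl.spamcop.net", "b.barracudacentral.org")

# DNSBL convention: the IPv4 address is reversed octet by octet and prefixed
# to the zone, e.g. 198.51.100.7 -> 7.100.51.198.zen.spamhaus.org
_REVERSED_IP = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(.+)$")


@dataclass
class DnsblLookup:
    process: str
    checked_ip: str  # the address whose reputation the sample is testing
    zone: str


def parse_dnsbl_query(process: str, qname: str) -> Optional[DnsblLookup]:
    """Return a DnsblLookup if qname is a reversed-IP query to a known zone."""
    m = _REVERSED_IP.match(qname.rstrip(".").lower())
    if not m:
        return None
    octets, zone = m.groups()[:4], m.group(5)
    if zone not in DNSBL_ZONES or any(int(o) > 255 for o in octets):
        return None
    return DnsblLookup(process, ".".join(reversed(octets)), zone)


def scan_dns_log(lines: List[str]) -> List[DnsblLookup]:
    """Each line is '<process> <query-name>' (constructed sandbox DNS log format)."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) == 2:
            hit = parse_dnsbl_query(*parts)
            if hit:
                hits.append(hit)
    return hits


# Constructed sample log: one benign lookup, two blocklist probes for the same IP
SAMPLE_LOG = [
    "svchost.exe ctldl.windowsupdate.com",
    "update.exe 7.100.51.198.zen.spamhaus.org",
    "update.exe 7.100.51.198.bl.spamcop.net",
]

if __name__ == "__main__":
    for h in scan_dns_log(SAMPLE_LOG):
        print(f"{h.process} probed {h.zone} for {h.checked_ip}")
```

The same process probing several zones for one address in quick succession is the pattern worth alerting on, since a mail server doing legitimate DNSBL lookups checks many different addresses instead.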
Detecting disabling Windows Recovery Environment
Category: System Modification
MITRE ATT&CK® Technique: T1490
The Windows Recovery Environment (WinRE) is a built-in rescue mode in Windows – a minimal, standalone operating system used for repairing, restoring, or recovering a system that can’t boot normally. It includes tools like Startup Repair, System Restore, System Image Recovery, and Command Prompt access; essentially Windows’ built-in “first aid kit.”
In a recent analysis, we observed a malware process executing commands that disabled WinRE via command line. This is a clear defense-evasion and destructive tactic, aiming to remove the system’s ability to recover or repair itself after infection.
By disabling WinRE, attackers:
- Make recovery and remediation harder for defenders,
- Prevent victims from restoring backups or using repair tools, and
- Increase the effectiveness of ransomware or destructive payloads.
This technique is commonly associated with ransomware operators and threat actors who want to ensure that once a system is damaged, it stays that way, with no easy restore options.
Our new VTI triggers when the VMRay Platform observes a process attempting to disable WinRE.
Detecting changing permissions with takeown and icacls
Category: System Modification
What are takeown and icacls?
Let’s start with the basic distinction.
takeown.exe
- Legitimate purpose: It’s a built-in Windows command-line tool used to take ownership of a file or folder.
- Typical use case: Admins use it when they need to access or repair files that belong to the system or another account (e.g., fixing permissions after a failed update).
icacls.exe
- Legitimate purpose: Used to view, modify, or grant access control lists (ACLs); basically, to manage file and folder permissions.
- Typical use case: System administrators use it to manage file and folder permissions on servers and workstations, set up or audit shared folders in enterprise environments or fix permission issues.
What’s the risk?
When malware uses takeown and icacls, especially on system binaries (like files in C:\Windows\System32), it’s often trying to bypass Windows protections to:
- Modify, replace, or delete system binaries (e.g., to inject code or disable a protection mechanism).
- Change ownership or permissions so it can tamper with files normally locked by the OS.
Why is it suspicious (especially with /f, /r, and /grant)?
- /f → “force”: executes the change even if permissions or warnings exist.
- /r → “recursive”: applies the change to all subfolders/files, which means widespread modification.
- /grant → explicitly gives permissions (often Full Control) to non-system users, allowing tampering.
Malware doing this is essentially breaking into locked rooms of the OS, clearing the way to overwrite binaries, disable defenses, or plant persistence mechanisms.
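As an added example of how the combination described above can be scored from process-creation events (example code, not VMRay's VTI implementation), the Python function below parses a takeown or icacls command line, checks whether it targets a protected path, and raises the severity for the force, recursive and Full Control elements; the protected-path prefix list and the constructed command lines are assumptions of the example.

```python
import shlex
from typing import Optional

# Locations where ownership/ACL changes are suspicious (assumption: extend
# this tuple with other protected paths relevant to your environment).
PROTECTED_PREFIXES = ("c:\\windows\\",)

# Principals that legitimately hold Full Control on system files.
SYSTEM_PRINCIPALS = {"system", "nt authority\\system", "trustedinstaller",
                     "nt service\\trustedinstaller", "administrators",
                     "builtin\\administrators"}


def _touches_protected(args) -> bool:
    return any(a.strip('"').lower().startswith(PROTECTED_PREFIXES) for a in args)


def score_permission_change(cmdline: str) -> Optional[dict]:
    """Return a finding (severity 1-5, VTI style) or None for a benign command."""
    # posix=False keeps quoted Windows paths as one token and leaves backslashes alone
    args = shlex.split(cmdline, posix=False)
    if not args:
        return None
    exe = args[0].strip('"').lower().rsplit("\\", 1)[-1]
    exe = exe[:-4] if exe.endswith(".exe") else exe
    flags = {a.lower() for a in args[1:] if a.startswith("/")}
    reasons = []
    if exe == "takeown" and _touches_protected(args):
        reasons.append("takeown on protected path")
        if "/f" in flags:
            reasons.append("/f (force)")
        if "/r" in flags:
            reasons.append("/r (recursive)")
    elif exe == "icacls" and _touches_protected(args):
        # icacls /grant <principal>:<perms>; "F" means Full Control
        for i, a in enumerate(args[:-1]):
            if a.lower() in ("/grant", "/grant:r"):
                principal, _, perms = args[i + 1].partition(":")
                if "f" in perms.lower() and principal.strip('"').lower() not in SYSTEM_PRINCIPALS:
                    reasons.append(f"Full Control granted to {principal}")
        if "/t" in flags:  # icacls spells its recursive switch /T
            reasons.append("/t (recursive)")
    if not reasons:
        return None
    return {"exe": exe, "severity": min(5, 2 + len(reasons)), "reasons": reasons}
```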
Detecting disabling automatic system hibernation
Category: System Modification
MITRE ATT&CK® Technique: T1653
In one observed case, malware invoked powercfg.exe to set the hibernate timeout to 0 (never), so the system will not automatically hibernate while on AC power. Hibernation remains possible if a user explicitly triggers it, but the OS will no longer write RAM to disk automatically or put the system into a power-saving mode on its own.
Why might malware do this?
1) Prevent forensic capture via hibernation
If malware lives only in volatile memory, an automatic hibernation would write artifacts to disk for later analysis. Stopping automatic hibernation lowers the chance that an unattended system will capture that memory snapshot.
2) Keep the system reachable
Preventing the system from sleeping keeps the system reachable for the attacker at any time. Auto-hibernation would pause execution and potentially interrupt the malicious workflow.
3) Living-off-the-land stealth
Using powercfg.exe avoids introducing new binaries. It’s a signed, trusted Windows tool so activity looks legitimate in process logs if not correlated with malicious behavior.
Detecting the use of Wusa to uninstall Windows features
Category: System Modification
wusa.exe (Windows Update Standalone Installer) is a built-in Windows utility used to install, uninstall, or manage Windows Update packages (.msu files). While wusa.exe is a legitimate administrative tool, it has been observed in malicious activity. Certain malware families leverage it to uninstall Windows security updates or features, effectively weakening system defenses.
By running certain commands, an attacker can silently remove a specific Windows update. These updates often contain security fixes, mitigations, or telemetry improvements that make it harder for malware to execute undetected.
Attackers may use wusa.exe for several reasons:
- Re-enable old vulnerabilities: If a patch closed an exploit the attacker relies on, uninstalling that update reopens the door.
- Evade detection: Updates can include new signatures, heuristics, or telemetry that detect suspicious behavior. Removing them reduces alerting.
- Disrupt system stability and defense: Removing key updates can hinder security tools, break recovery mechanisms, or prevent future patches from installing correctly, effectively buying attackers more time.
VMRay’s new VTI detects attempts to abuse wusa.exe to uninstall Windows security updates or features.
Detecting changing power settings
Category: System Modification
In a recent sample, we observed the malware enabling maximum system performance via powercfg.exe. The maximum-performance plan typically disables:
- CPU frequency scaling (keeps CPU at full speed)
- Sleep or hybrid sleep
- Hibernation timeouts
- Hard disk idle spin-down
But why would malware do this?
1) To keep malicious processes running without interruption: If the system goes idle or enters sleep mode, malicious programs (for example, crypto-miners or keyloggers) pause or stop. At the same time the network connection drops, so the attacker loses remote control. By enabling maximum performance, the malware ensures the system never slows down or sleeps and can keep working: stealing data, mining cryptocurrency, or maintaining a live connection to its command-and-control server.
2) Support long-running payloads: Cryptocurrency miners, backdoors, or memory-resident malware may require the CPU to stay active for extended periods.
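Both powercfg.exe behaviours on this page, the hibernation timeout set to 0 (never) and the switch to a maximum-performance plan, can be picked out of process command lines with the same small classifier. This is an added example, not VMRay's VTI logic; the built-in power-scheme GUIDs, the SCHEME_MIN alias and the constructed sample events are assumptions of the example.

```python
import re
from typing import List

# Stock Windows power schemes that pin the machine at full performance
# (assumption: these GUIDs and the SCHEME_MIN alias are Windows' built-in values).
PERFORMANCE_SCHEMES = {
    "8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c": "High performance",
    "e9a42b02-d5df-448d-aa00-03f14749eb61": "Ultimate performance",
    "scheme_min": "High performance (SCHEME_MIN alias)",
}

# powercfg /change (alias /x) timeout settings; a value of 0 means "never".
_TIMEOUT = re.compile(r"[-/]?(monitor|disk|standby|hibernate)-timeout-(ac|dc)\s+0\b", re.I)
_SETACTIVE = re.compile(r"[-/](?:setactive|s)\s+(\S+)", re.I)


def classify_powercfg(cmdline: str) -> List[str]:
    """Findings for one process command line; empty if it is not a powercfg abuse pattern."""
    tokens = cmdline.split()
    if not tokens:
        return []
    exe = tokens[0].strip('"').lower()
    if not exe.endswith(("powercfg", "powercfg.exe")):
        return []
    findings = []
    for m in _TIMEOUT.finditer(cmdline):
        findings.append(f"{m.group(1).lower()} timeout set to never on {m.group(2).upper()} power")
    m = _SETACTIVE.search(cmdline)
    if m and m.group(1).lower() in PERFORMANCE_SCHEMES:
        findings.append(f"activated {PERFORMANCE_SCHEMES[m.group(1).lower()]} plan")
    return findings


# Constructed sample process-creation events: two abusive, two benign
SAMPLE_EVENTS = [
    "powercfg.exe -x -hibernate-timeout-ac 0 -standby-timeout-ac 0",
    "powercfg /setactive 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c",
    "powercfg /change standby-timeout-ac 30",
    "powercfg /list",
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev, "->", classify_powercfg(ev) or "benign")
```

On its own an administrator may legitimately run any of these commands, so the finding is most useful when correlated with the other behaviours in this post rather than alerted on alone.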