Introduction
Welcome to 2026! We’re starting the year with a new release of the VMRay Platform, and we’re enthusiastic to share what’s new. This release brings meaningful enhancements designed to improve visibility, accuracy, and usability across the Platform. Here’s a look at what’s included in the VMRay 2026.1.0 release:
- Redesigned Relations tab for clearer insights into complex malware delivery chains
- New integrated phishing connector with VMRay + KnowBe4
- Improved QR code detection accuracy
- Further enhancements to the Live Interaction feature
Let’s dive into the details.
A Better Way to Understand Malware Delivery Chains
Introducing our redesigned Relations tab experience
Malware delivery chains continue to grow in complexity. Threat actors routinely employ multi-stage payloads, layered documents, embedded archives, and a variety of delivery vectors to evade detection and confuse analysts.
VMRay has long been exceptional at automatically unwrapping even the most complex malware delivery chains, revealing every stage, relationship, and dependency that attackers try to hide. However, as these chains grew more sophisticated, the depth of analysis could sometimes make it harder for customers to quickly navigate and visually understand how samples were connected within the VMRay Platform UI. But that’s about to change because now, understanding these relationships is easier than ever!
We are excited to introduce a fully redesigned Relations tab UX that gives analysts a crystal-clear view of parent/child relationships, embedded samples, contacted URLs, email clusters, and more, without hunting through nested lists or deciphering unclear connections. Relations between samples are now displayed as a clean, structured graph that reflects the actual flow of the delivery chain. This makes the delivery chain not just visible, but truly understandable.
A clearer, smarter sample hierarchy
Every sample now comes with a structured overview that clearly visualizes:
Parent and child relationships:
Immediately understand which child samples led to a Verdict for a parent sample by visualizing all recursive child samples that contributed to it.
Sample clusters and related items:
Clustered views make it easy to identify, e.g., all emails related to a submission and navigate through them visually.
Each sample in the hierarchy now displays:
- Verdict + reason
So analysts instantly see why the Verdict was generated.
- Sample Name
Helpful for quickly identifying attachments or extracted components.
- Sample Type
Quickly distinguish URLs, PDFs, archives, scripts, and more.
The Relations tab after a complete UX overhaul
Graphical representation now includes:
Smart sample grouping: To keep the graph readable, samples of the same type (e.g., large sets of URLs or attachments) are automatically grouped.
Color-coded relation types: Each relation type (attachment, dropped file, contacted URL, etc) is shown in a different color. Hover over any line to see a tooltip explaining the relation type, and refer to the legend for easy reference.
Built-in zoom & navigation: Zoom in, zoom out, or pan the graph to examine specific items in complex chains closely.
Current sample highlighting: The sample you’re viewing is always highlighted in blue to keep you oriented in the chain.
Separate relation categories: If multiple relation types exist, they are presented separately for clarity.
Enhanced cluster display: Clicking “enlarge” on, e.g., an email cluster opens a lightbox with flexible viewing options.
And of course, if no relations exist for a given sample, the UI reflects that cleanly.
A simple example: LNK → OneNote → Windows Shell Link
To illustrate how this redesign helps, even with a simple delivery chain, here’s a basic example:
- Inside it, an embedded file is extracted: a Microsoft OneNote document.
- That OneNote document contains a next-stage malicious Windows Shell Link (.lnk).
In the new Relations view:
- The ZIP file appears as the parent sample.
- The extracted OneNote file appears clearly below it as a child, leading to an embedded Windows Shell Link.
- Each component is labeled with its type, Verdict, name, and relation color.
Relations tab: a simple example
Explore a more intuitive investigation workflow
No matter how complex a threat actor’s delivery chain becomes, the VMRay Platform now presents it in a way that matches how analysts think and how real investigations unfold. Take a look and experience the new workflow for yourself!
Boost your Phishing Response with VMRay + KnowBe4 Integration
We’re happy to announce the release of our integrated KnowBe4 phishing connector. VMRay now offers a native integration with KnowBe4 PhishER, enabling fully automated enrichment of suspicious emails within your existing phishing response workflow.
VMRay + KnowBe4 integration overview
What does the integration provide?
The integrated phishing connector enhances your KnowBe4 workflow by embedding key VMRay analysis insights directly within the KnowBe4’s PhishER interface. This allows security teams to triage suspicious messages faster and make informed decisions without switching platforms.
The following VMRay details are provided inside the PhishER module:
- VMRay Tag and Verdict: A clear tag showing that VMRay analyzed the submission, along with the final Verdict (e.g., Malicious, Suspicious, Clean).
- Automated Discussion Note containing:
- Verdict
- Verdict Reason
- Detected Threat Names and Classification
- Direct Link to VMRay: A shortcut to the full analysis report in the VMRay Platform for deeper investigation.
This workflow enables streamlined phishing triage, reduces manual overhead, and ensures your analysts have access to advanced VMRay threat analysis right where they already work.
Improving QR Code Detection Accuracy
QR codes have become a convenient part of daily life – from logging into apps to accessing menus or making payments. But as their popularity grows, cybercriminals are finding new ways to exploit them. Threat actors now use QR codes to hide malicious URLs and avoid analysis by security tools. To make detection even harder, these codes are often distorted, stylized, or intentionally obfuscated.
Keeping up with these tricks, the VMRay Platform now uses several advanced QR code detection libraries that work together to spot even more cleverly disguised codes. Each detection library performs differently on QR codes. By merging the results from several independent libraries, the VMRay Platform can now recognize and decode a broader range of malformed or obfuscated QR codes that might be missed by single-library scanners.
This improvement strengthens VMRay’s ability to detect and analyze QR-based threats, ensuring that even cleverly disguised codes are accurately identified and decoded during automated analysis.
Elevate your Analysis with Live Interaction (without Elevating your Clicks)
User Account Control (UAC) is a core Windows security feature that prevents unauthorized changes to the operating system. When an action requires administrative privileges, Windows displays a UAC prompt asking the user to approve or deny it. These prompts most commonly appear when running:
- Installer files (EXE/MSI)
- System or administrative utilities
- Scripts launched via elevated interpreters
In previous versions of the VMRay Platform, Auto UI was disabled by default during Dynamic Analyses with Live Interaction enabled. This meant that users had to manually confirm the UAC dialog to start sample execution before Live Interaction could begin; a step that could cause delays or even prevent the sample from running if the dialog was not confirmed promptly.
With this release, we’ve improved the Auto UI experience to make Live Interaction smoother . Auto UI is now enabled by default during the Bootstrapping stage before Dynamic Analysis with Live Interaction begins, allowing critical actions like confirming UAC prompts to happen automatically. After the system finishes preparing the analysis, and the Live Interaction session is ready for your input, Auto UI is disabled so you can take full control.
The result? You no longer need to worry about manually confirming UAC dialogs just to get the analysis started. Auto UI acts quickly to ensure the sample executes smoothly, while still allowing you to interact with it manually in later stages.
This enhancement significantly reduces the number of “N/A” Verdicts, improving the flexibility of the Platform. From now on, your Live Interaction sessions are faster, more predictable, and let you focus on analysis rather than routine confirmations.
Auto UI now automatically clicks through the UAC
Final Thoughts
As we look back on an eventful year, we would like to express our sincere thanks to our dedicated teams, customers, and valued partners. While 2025 has come to a close, our New Year’s resolution remains clear – to anticipate the unexpected and respond with speed and precision. Looking ahead, expect three additional VMRay Platform releases in 2026. There’s plenty more to come, so stay tuned for updates throughout the year.
Here’s to celebrating past achievements and looking forward to an even more remarkable future. Happy New Year!
