The Labs team at VMRay actively gathers publicly available data to identify any noteworthy malware developments that demand immediate attention. We complement this effort with our internal tracking and monitor events the security community reports to stay up-to-date with the latest changes in the cyber threat landscape.
In September 2025, the VMRay Labs team has been focused on the following areas:
1) New VMRay Threat Identifiers addressing:
- Detecting querying if machine is joined to Azure Active Directory
- Detecting credit card forms hosted on temporary/IPFS hosters
- Detecting time-based VM detection
- Detecting VM evasion by checking for specific mutex names
- Detecting APC Injection
- Detecting suspicious OAuth abuse
2) New or updated Configuration Extractors for:
- BlankGrabber
- ValleyRAT
- Gafgyt
3) AutoUI enhancements addressing recent phishing tricks
4) Smart Link Detonation additions
5) +25 new YARA rules
Now, let’s delve into each topic for a more comprehensive understanding.
New VTIs
In a series of these blog posts, we introduced you to the concept of the VMRay Threat Identifiers (VTIs). In short, VTIs identify threatening or unusual behavior of the analyzed sample and rate the maliciousness on a scale of 1 to 5, with 5 being the most malicious. The VTI score, which greatly contributes to the ultimate Verdict of the sample, is presented to you in the VMRay Platform after a completed analysis. Here’s a recap of the new VTIs that we added or improved in the past month.
Detecting querying if machine is joined to Azure Active Directory
Category: Discovery
During recent analysis, we encountered a sample that checks whether the host machine is joined to Azure Active Directory (Azure AD) before deciding to execute further.
This behavior is not unusual in targeted campaigns which are carefully planned cyberattacks aimed at a specific group of victims such as individuals, companies, industries, or governments. Threat actors increasingly employ such checks as a filtering and evasion technique for the following reasons:
Target selection: Devices joined to Azure AD typically belong to enterprises rather than individuals. By focusing only on corporate environments, attackers maximize the value of their operations — whether the goal is ransomware deployment, credential harvesting, or espionage — while avoiding the noise of infecting personal machines.
Sandbox and analysis evasion: Many automated malware sandboxes and research environments run on generic, non-domain-joined systems. By checking for Azure AD membership, malware can suppress its full behavior in analysis settings, making analysis more difficult.
To address this tactic, we introduced a new VTI that automatically triggers whenever a sample queries the system’s Azure AD join status.
Detecting credit card forms hosted on temporary/IPFS hosters
Category: Heuristic
MITRE ATT&CK® Technique: T1566
Recently we’ve added a new VTI aimed at detecting credit card forms hosted on temporary or disposable hosting services. While legitimate businesses rarely host payment forms on such short-lived infrastructure, attackers frequently use it to collect sensitive data such as credit card information.
A temporary hoster is a web hosting service that allows you to quickly deploy websites or web resources for a short period, often with minimal setup. These hosts are typically low-cost or free, and sites may automatically expire after a few hours, days, or weeks. Hosting credit card forms on such services is suspicious for a few reasons:
- Legitimacy: As mentioned before, reputable businesses usually host payment forms on stable, well-known domains with proper SSL certificates. Temporary or disposable hosts are rarely used for sensitive payment processing.
- Short lifespan / evasion: Temporary hosts can disappear quickly, making it difficult for security teams to trace or take down phishing campaigns.
Detecting time-based VM detection
Category: Anti Analysis
MITRE ATT&CK® Technique: T1497.003
We recently saw a time-based virtual machine detection technique in a MetaStealer sample. The malware attempts to determine whether it’s running in a virtualized environment by leveraging a combination of timing APIs, such as QueryPerformanceCounter, GetSystemTime, or Sleep. This technique is a classic anti-analysis method: the malware tries to detect whether it’s being monitored by security tools or analysts before executing its full behavior.
In this sample, we observed the following repeated sequence:
- Call to timing functions (e.g., QueryPerformanceCounter, GetSystemTime).
- Call to sleep: the process pauses for a defined duration.
- Another timing function call: to measure elapsed time.
- Repeat: this sequence is executed a couple of times.
This loop helps the malware measure how long it actually slept and compare it to the expected sleep duration. If the timing appears inconsistent, which can happen in virtualized or sandboxed environments that speed up execution, the malware assumes it’s under observation. In response, it may terminate early, remain dormant, or alter its behavior to avoid detection.
To better detect this pattern, we introduced a new VTI that triggers when this timing-based behavior is observed.
Detecting VM evasion by checking for specific mutex names
Category: Anti Analysis
MITRE ATT&CK® Technique: T1497
VMRay’s latest VTI now detects when malware tries to figure out if it’s running inside a virtual machine by checking for specific mutex names.
What’s happening in such a scenario?
A mutex (short for mutual exclusion object) is a simple tool used by software to avoid conflicts. Think of it as a “flag” that says: “I’m already running, don’t start another copy of me.”
Virtualization software like VMware or VirtualBox creates its own mutexes to coordinate internal processes. A few well-known examples are:
- VMToolsHookQueueLock (VMware Tools)
- VBoxService (VirtualBox Guest Additions)
When malware checks for the presence of one of these mutexes, it’s really asking: “Am I inside a virtual machine?”. By checking for these VM-related mutexes, malware can:
- Hide its true behavior (stay inactive inside a sandbox)
- Exit early so researchers see nothing malicious
- Deliver a different payload only on “real” machines
In other words, it’s a classic trick designed to evade analysis in virtual environments.
Detecting APC Injection
Category: Injection
MITRE ATT&CK® Technique: T1055.004
What is APC injection?
An Asynchronous Procedure Call (APC) is a Windows mechanism that lets one thread ask another thread to run a small function. Think of each thread as having a private inbox; an APC is like a sticky note placed in that inbox asking the thread to perform a short task when it next checks its messages. The OS only invokes user‑level APCs when the target thread enters an alertable state, which is a built‑in safety mechanism.
Attackers abuse this mechanism by writing malicious code (or a pointer to it) into the target process and then queueing an APC against a target thread. When that thread later becomes alertable, the OS invokes the queued routine and the attacker’s code runs inside the victim process, with that process’s privileges and resources.
Why do attackers like to use APC injection?
1) Defense evasion: injected code runs inside a legitimate process, creating fewer obvious artifacts such as a new suspicious process.
2) Privilege advantage: the attacker gains access to the victim memory space, file handles, network sessions, and other resources — enabling lateral movement, data theft, or privilege escalation.
Our new VTI triggers when a process performs the characteristic sequence of actions that indicate APC‑style injection, giving analysts an actionable alert correlated with process, thread, and memory activity.
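The two behaviors above, the timing/Sleep/timing loop from the MetaStealer section and the write-then-queue-APC sequence from this section, are both "characteristic sequences" that can be matched over a sandbox API trace. The following is an added example written for this post, not VMRay's VTI code; the trace format (thread id, API name, arguments) and the API names used as markers are assumptions, and the trace itself is constructed.

```python
from collections import defaultdict

# Assumed marker APIs: timing sources for the sleep-measurement loop and the
# user-mode APC queueing calls for APC injection.
TIMING_APIS = {"QueryPerformanceCounter", "GetSystemTime", "GetTickCount"}
APC_APIS = {"QueueUserAPC", "NtQueueApcThread"}

# Constructed trace: (thread_id, api_name, arguments). Thread 100 runs the
# timing -> Sleep -> timing loop three times; thread 200 writes into a remote
# process and then queues an APC against one of that process's threads.
SAMPLE_TRACE = [
    (100, "QueryPerformanceCounter", {}),
    (100, "Sleep", {"ms": 500}),
    (100, "GetSystemTime", {}),
    (100, "QueryPerformanceCounter", {}),
    (100, "Sleep", {"ms": 500}),
    (100, "QueryPerformanceCounter", {}),
    (100, "GetSystemTime", {}),
    (100, "Sleep", {"ms": 500}),
    (100, "GetSystemTime", {}),
    (200, "VirtualAllocEx", {"target_pid": 4242}),
    (200, "WriteProcessMemory", {"target_pid": 4242}),
    (200, "QueueUserAPC", {"target_pid": 4242, "target_tid": 4250}),
]

def timing_loops(trace, min_repeats=2):
    """Return {thread_id: count} for threads that run timing -> Sleep -> timing at least min_repeats times."""
    per_thread = defaultdict(list)
    for tid, api, _ in trace:
        per_thread[tid].append(api)
    hits = {}
    for tid, apis in per_thread.items():
        count = sum(
            1 for i in range(len(apis) - 2)
            if apis[i] in TIMING_APIS and apis[i + 1] == "Sleep" and apis[i + 2] in TIMING_APIS
        )
        if count >= min_repeats:  # a single measurement is common in benign code
            hits[tid] = count
    return hits

def apc_injections(trace):
    """Return (thread_id, target_pid) pairs where a thread wrote into a remote process and then queued an APC into it."""
    wrote = set()   # (thread_id, target_pid) pairs that performed a remote write
    hits = []
    for tid, api, args in trace:
        pid = args.get("target_pid")
        if api == "WriteProcessMemory" and pid is not None:
            wrote.add((tid, pid))
        elif api in APC_APIS and (tid, pid) in wrote:
            hits.append((tid, pid))
    return hits
```

Both detectors deliberately require order (the write must precede the APC queue, the Sleep must sit between two timing reads) so that unrelated calls in the same thread do not trigger them.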
Detecting suspicious OAuth abuse
Category: Heuristics
OAuth (Open Authorization) is an open standard that lets applications access resources on behalf of a user without needing the user’s password. Instead of handing over credentials, the user grants the application an access token with limited permissions. Legitimate examples include logging into a third‑party app using your Google, Microsoft, or GitHub account. However, attackers have weaponized this trust model.
What we observed in phishing attempts
1) Open redirect abuse: The link contained within an email first pointed to a legitimate but misconfigured service that allowed redirects. This makes the link look safe at first glance but ultimately forwards the victim elsewhere.
2) Suspicious OAuth flow: The redirect landed on a real Microsoft OAuth login page. However, a few signals suggested suspicious activity:
- The application ID presented was not known or trusted by the user. A known application ID belongs to trusted apps like Outlook, Teams, or those approved by your company. An unknown ID could belong to an attacker’s app that looks legitimate but isn’t recognized or trusted. If a user approves it, they’re essentially handing over access to their emails and files to a stranger, which is why it’s a strong sign of phishing.
- The redirect URI pointed to an unfamiliar destination page.
- The TLS/SSL certificate of that destination had been issued on the same day as the phishing email, which is a strong indicator of freshly rolled-out infrastructure.
Together, these anomalies suggest an attacker attempting to trick the user into granting OAuth permissions to a rogue app. Once granted, the attacker can silently access email, files, or cloud services — with no password theft required.
To strengthen protection against this attack vector, VMRay’s new VTI now triggers when it detects requests to well‑known OAuth services with specific suspicious parameter combinations, such as an unusual or unknown client_id, an unexpected redirect_uri, and other out‑of‑profile consent request patterns.
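The three signals listed above can be checked directly on the authorize URL once the redirect chain lands on the OAuth provider. The following is an added example written for this post, not VMRay's VTI implementation; the allowlisted client_id values and redirect hosts are constructed placeholders, and the certificate issuance date is assumed to have been looked up separately (for example from the TLS handshake logged by the sandbox).

```python
from datetime import date
from urllib.parse import urlparse, parse_qs

# Constructed allowlists (placeholder values, not real application IDs): the
# client_ids an organisation trusts and the redirect hosts those apps use.
KNOWN_CLIENT_IDS = {"00000000-0000-0000-0000-0000000000aa"}
TRUSTED_REDIRECT_HOSTS = {"outlook.office.com", "teams.microsoft.com"}
OAUTH_HOSTS = {"login.microsoftonline.com"}

def oauth_signals(url, cert_not_before, email_date, max_cert_age_days=1):
    """Return the suspicious signals found in an OAuth consent URL (empty list = nothing unusual).

    cert_not_before / email_date are ISO dates (YYYY-MM-DD) of the destination's
    certificate issuance and of the phishing email, respectively."""
    parsed = urlparse(url)
    if parsed.hostname not in OAUTH_HOSTS or "/oauth2/" not in parsed.path:
        return []  # not a consent request to a monitored provider
    params = parse_qs(parsed.query)
    client_id = params.get("client_id", [""])[0]
    redirect_uri = params.get("redirect_uri", [""])[0]
    signals = []
    if client_id not in KNOWN_CLIENT_IDS:
        signals.append("unknown client_id")
    redirect_host = (urlparse(redirect_uri).hostname or "").lower()
    if redirect_host not in TRUSTED_REDIRECT_HOSTS:
        signals.append("unexpected redirect_uri host")
    # Certificate issued within a day of the email on either side: freshly rolled-out infrastructure.
    age = abs((date.fromisoformat(email_date) - date.fromisoformat(cert_not_before)).days)
    if age <= max_cert_age_days:
        signals.append("destination certificate issued same day as email")
    return signals

# Constructed consent URL of the kind described above: unknown app, off-profile
# redirect host, and broad mail/file scopes.
SUSPICIOUS_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fconsent-check.example%2Fcb"
    "&scope=Mail.Read%20Files.Read.All%20offline_access"
)
BENIGN_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-0000000000aa"
    "&response_type=code&redirect_uri=https%3A%2F%2Foutlook.office.com%2Fcb"
)
```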
New and updated Configuration Extractors
In the past month, we added Configuration Extractors for the malware families mentioned below:
BlankGrabber
BlankGrabber is an open-source info stealer written in Python, often distributed as a PyInstaller executable wrapped in multiple layers of obfuscated and compiled code. Currently, it ranks among the most prevalent threats in Q2 2025, which prompted us to develop and release a configuration extractor that supports its latest version.
ValleyRAT
ValleyRAT (also known as Winos) is a C++-based trojan first observed in 2023, primarily targeting Chinese-speaking users. It provides standard backdoor functionality, including persistence, evasion techniques, remote control, and the ability to fetch and execute additional payloads. Given its high prevalence and continued ranking among the most active malware families in Q2–Q3 2025, we added a configuration extractor to support ValleyRAT.
Gafgyt
Gafgyt (also known as BASHLITE) is a Linux malware used mostly , typically distributed by exploiting security flaws in vulnerable devices. After its source code was leaked, many different variants are now in circulation. To keep pace with these evolving threats, we developed configuration extractors for a range of Gafgyt variants that share common behavioral patterns.
Smart Link Detonation
One of the key components of the VMRay Platform, Smart Link Detonation (SLD), is an automatic evaluation and detonation of hyperlinks embedded in emails and documents. We recently made some important improvements to our SLD feature to keep pace with evolving threats.
Expanded coverage: mailsuite.com
In recent analyses, we identified a phishing campaign leveraging the mailsuite.com domain to lure victims into clicking malicious URLs. This domain has been associated with distributing a significant volume of phishing content. With our latest update, Smart Link Detonation will now automatically detect, detonate, and recursively analyze all URLs pointing to mailsuite.com, ensuring that threats originating from this domain are fully exposed.
Safe detonation of xtiles.app links
A recently analyzed sample used xTiles (xtiles.app) as part of the phishing delivery flow. xTiles is a legitimate visual workspace/productivity platform used for notes, tasks and projects, but threat actors abused it to host landing pages that present a PDF icon and a redirect link to the malicious document. Because the xTiles link was the pivot to the next stage (the actual document), it needed to be detonated in a controlled environment rather than blocked outright or ignored. We extended our Smart Link Detonation (SLD) trigger conditions to include xTiles links that follow a specific URL format.
Extended SLD to cover recent services abused for redirections
Attackers often abuse legitimate services to hide malicious destinations behind trusted domains. A common trick is to append a redirectUrl parameter that forwards the browser from a well-known service to an external, attacker-controlled site. This technique helps phishing links bypass simple domain filters and appear more credible to victims.
Recently, we’ve extended the Smart Link Detonation trigger set to include additional services we recently observed being abused as redirectors. These domains were not previously covered, but are now safely detonated:
- YouTube
- Google
- Bing
- Cisco
- Medium
- Emailprotection
- Federal Ministry of Agriculture, Water Management and Forestry | Hamdije
- Tabulex
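The redirector pattern described above (and the open-redirect first hop in the OAuth phishing chain earlier in this post) can be surfaced by unwrapping URL-valued query parameters hop by hop until the link leaves the trusted host. The following is an added example written for this post, not VMRay's SLD trigger logic; the parameter names and the sample links are assumptions, and a real implementation would pair this with a per-service allowlist of which hosts each redirector may legitimately send users to.

```python
from urllib.parse import urlparse, parse_qs

# Assumed query-parameter names commonly carrying a forwarding destination.
REDIRECT_PARAMS = {"redirecturl", "redirect_uri", "url", "u", "q", "next", "target"}

def redirect_chain(url, max_depth=5):
    """Return the hosts a link passes through by following URL-valued query parameters."""
    chain, seen = [], set()
    for _ in range(max_depth):  # bounded so a self-referencing link cannot loop forever
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if not host or url in seen:
            break
        seen.add(url)
        chain.append(host)
        nested = None
        for name, values in parse_qs(parsed.query).items():  # parse_qs already percent-decodes once
            if name.lower() in REDIRECT_PARAMS and urlparse(values[0]).scheme in ("http", "https"):
                nested = values[0]
                break
        if nested is None:
            break
        url = nested
    return chain

def is_offsite_redirect(url):
    """True when the link ultimately forwards to a host other than the one it starts on."""
    chain = redirect_chain(url)
    return len(chain) > 1 and chain[-1] != chain[0]

# Constructed samples: a single-hop redirector and a double-encoded two-hop chain.
ONE_HOP = "https://www.youtube.com/redirect?redirectUrl=https%3A%2F%2Flogin-portal.example%2Fa"
TWO_HOP = ("https://www.bing.com/ck/a?u=https%3A%2F%2Fmedium.com%2Fr%2F"
           "%3Furl%3Dhttps%253A%252F%252Fcollector.example%2Fx")
```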