Unveiling the motive: 
Why adversaries seek to evade sandboxes

Explore the reasons behind sandbox evasion and the tactics employed by cyber threat actors to evade sandboxing solutions.

In the realm of cybersecurity, where the battle between attackers and defenders rages on, understanding the motivations behind adversary actions is paramount. This chapter delves into the intriguing world of sandbox evasion and seeks to answer a critical question: why do adversaries go to such great lengths to evade sandboxes?

The adversarial quest for evasion

“So why evade a sandbox?” This question lies at the heart of our exploration into the motives of cyber adversaries. To comprehend their actions, we must first recognize the evolving threat landscape they operate within.

Malware authors have evolved to evade traditional security measures deployed at the perimeter and endpoint. Their creations are no longer easily thwarted by antivirus detection methods. Instead, they invest significant resources, both in terms of finances and human effort, into crafting malware that can infiltrate and compromise systems undetected.

These adversaries are no longer confined to simple, indiscriminate attacks. They are tactical, selective, and adaptive. They identify high-value targets and meticulously research the target environment. Armed with open-source intelligence (OSINT), they build infrastructure mirroring the target’s setup, often in cloud environments. Their aim is clear: to breach the target without arousing suspicion.

In essence, sandboxes pose a significant threat to malware writers. These controlled environments meticulously observe the behavior of malware, generating crucial Indicators of Compromise (IOCs) and other artifacts. IOCs form the foundation for blocking malware, effectively curtailing its lifecycle.

Imagine you’re a ransomware operator seeking to infect as many systems as possible, collect ransoms, and swiftly retreat. Malware sandboxes disrupt this malicious dance, curtailing the effectiveness of your operation. As such, adversaries view sandboxes as their nemesis, actively seeking ways to outsmart these defenses and evade detection.

Bypassing the sentry:
How adversaries evade sandboxes

The challenge for adversaries is clear: how do they successfully bypass sandbox technology? There are multiple avenues they explore to accomplish this:

Detecting the Environment:

Malware possesses the ability to detect the characteristics of its execution environment. By identifying specific elements indicative of a sandbox, it can alter its behavior to evade detection.

Attacking the Sandbox:

Another approach adversaries employ is to directly attack the sandbox technology itself. By rendering the sandbox useless or disrupting its functionality, they can circumvent analysis.

Contextual Evasion:

Malware can assess the context within its environment, discerning whether it resides within a real end-user system or a monitored sandbox or research environment. This contextual awareness helps malware remain undetected.
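The first and third avenues above come down to a battery of cheap environment checks. The following is an added example, not code from the page or from any sample, showing how such a battery is typically scored: a host profile is tested against heuristics of the kind Pafish and Al-Khaser exercise (small CPU, RAM and disk allocations, short uptime, virtualization-vendor MAC prefixes, a CPUID hypervisor vendor string, analysis-tool processes, no mouse movement, throwaway account names). The thresholds, the account-name list and the two sample profiles are constructed for illustration; on a real host each value would be read from the operating system.

```python
"""Sandbox fingerprinting of the kind Pafish and Al-Khaser exercise.

Added example, not code from the page or from either tool. It scores a
host profile against heuristics that are well-known sandbox tells.
Thresholds and the two sample profiles are constructed for illustration;
real checks would read these values from the OS.
"""
from dataclasses import dataclass

# OUI prefixes registered to common virtualization vendors (public IEEE data).
VM_MAC_PREFIXES = {
    "00:05:69": "VMware", "00:0C:29": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox", "00:15:5D": "Hyper-V", "52:54:00": "QEMU/KVM",
}
# Process names that betray analysis tooling or guest additions.
ANALYSIS_PROCESSES = {
    "procmon.exe", "wireshark.exe", "x64dbg.exe", "ollydbg.exe",
    "vboxservice.exe", "vboxtray.exe", "vmtoolsd.exe",
}
# Account names often seen in throwaway analysis images (assumed list).
SUSPICIOUS_USERS = {"sandbox", "malware", "virus", "sample", "analyst"}


@dataclass
class HostProfile:
    cpu_count: int
    ram_mb: int
    disk_gb: int
    uptime_s: int
    mac: str
    hypervisor_id: str      # CPUID leaf 0x40000000 vendor string, "" if none
    processes: set
    mouse_moved: bool
    username: str


def sandbox_tells(p: HostProfile) -> list:
    """Return the list of heuristics that fire for this profile."""
    tells = []
    # Resource checks: analysis VMs are typically provisioned small.
    if p.cpu_count < 2:
        tells.append("cpu_count")
    if p.ram_mb < 2048:
        tells.append("ram")
    if p.disk_gb < 60:
        tells.append("disk")
    # A freshly restored snapshot has almost no uptime.
    if p.uptime_s < 600:
        tells.append("uptime")
    vendor = VM_MAC_PREFIXES.get(p.mac.upper()[:8])
    if vendor:
        tells.append(f"mac:{vendor}")
    # CPUID advertising a hypervisor is a tell, but cloud-hosted real victims
    # have it too, which is why a single heuristic never decides the verdict.
    if p.hypervisor_id:
        tells.append(f"cpuid:{p.hypervisor_id}")
    for name in sorted(n.lower() for n in p.processes):
        if name in ANALYSIS_PROCESSES:
            tells.append(f"process:{name}")
    # No human interaction during the observation window.
    if not p.mouse_moved:
        tells.append("no_mouse")
    if p.username.lower() in SUSPICIOUS_USERS:
        tells.append("username")
    return tells


def looks_like_sandbox(p: HostProfile, min_tells: int = 3) -> bool:
    """Verdict used to decide whether to stay benign (threshold is assumed)."""
    return len(sandbox_tells(p)) >= min_tells


# Constructed profiles: a small analysis VM and an ordinary workstation.
SANDBOX_VM = HostProfile(
    cpu_count=1, ram_mb=1024, disk_gb=40, uptime_s=120,
    mac="08:00:27:3A:1F:9C", hypervisor_id="VBoxVBoxVBox",
    processes={"explorer.exe", "VBoxService.exe", "Procmon.exe"},
    mouse_moved=False, username="sandbox",
)
WORKSTATION = HostProfile(
    cpu_count=8, ram_mb=16384, disk_gb=512, uptime_s=3 * 86400,
    mac="D4:3B:04:7E:22:10", hypervisor_id="",
    processes={"explorer.exe", "outlook.exe", "teams.exe"},
    mouse_moved=True, username="jsmith",
)

if __name__ == "__main__":
    for label, prof in (("sandbox vm", SANDBOX_VM), ("workstation", WORKSTATION)):
        print(f"{label}: {sandbox_tells(prof)} -> sandbox={looks_like_sandbox(prof)}")
```

Read from the defender's side, every heuristic in the list is a knob: a detonation image that is provisioned like a real workstation, restored with realistic uptime, given a non-vendor MAC and some simulated user input removes most of these tells before the sample ever runs.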

Sandbox vulnerabilities:
Kernel-mode and hooking-based sandboxes

Not all sandboxes are equally susceptible to evasion. Kernel-mode and hooking-based sandboxes are particularly vulnerable, because their monitoring components (a kernel driver, an injected DLL, inline hooks on the APIs being traced) live inside the same guest as the sample, so the footprint of the instrumentation is visible to the very code it is meant to observe.

These sandbox types depend on components and mechanisms that malware can enumerate: a loaded driver or module with a telltale name, a debugger attached to the process, or an API entry point whose first instructions have been overwritten with a jump into the monitor. Once it spots such an artifact, the sample knows it is confined to a sandbox and can switch to benign behaviour.
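The overwritten API entry point is the most concrete of these artifacts. Below is an added example, not code from the page or from Al-Khaser, of the check a sample performs: it reads the first bytes of each traced function and compares them with what an unhooked x64 ntdll syscall stub looks like, flagging the common trampoline shapes a hooking monitor leaves behind. The byte sequences, export names and syscall numbers are constructed test vectors; on a live Windows host the bytes would be read from the export's address in ntdll.

```python
"""Spotting inline API hooks from a function's first bytes.

Added example, not code from the page or from Al-Khaser. A hooking-based
monitor redirects the APIs it traces by overwriting their first
instructions with a jump into its own handler. A sample that reads those
bytes and compares them with an unhooked stub learns that it is being
watched. The byte sequences below are constructed test vectors.
"""

# An unmodified x64 ntdll syscall stub begins:
#   4C 8B D1            mov r10, rcx
#   B8 nn nn nn nn      mov eax, <syscall number>
CLEAN_STUB_PREFIX = bytes.fromhex("4c8bd1b8")


def detect_hook(code: bytes):
    """Return a description of the redirect found at the entry point, or None."""
    if code.startswith(CLEAN_STUB_PREFIX):
        return None
    if code[:1] == b"\xe9" and len(code) >= 5:
        return "jmp rel32"
    if code[:2] == b"\xff\x25" and len(code) >= 6:
        return "jmp [rip+disp32]"
    # mov rax, imm64 ; jmp rax  (absolute 64-bit trampoline)
    if code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":
        return "mov rax, imm64; jmp rax"
    # push imm32 ; ret  (32-bit-style trampoline)
    if code[:1] == b"\x68" and code[5:6] == b"\xc3":
        return "push imm32; ret"
    if code[:1] == b"\xcc":
        return "int3 breakpoint"
    return "unrecognised prologue"


def scan_exports(exports: dict) -> dict:
    """Map each export name to the hook found at its entry point (clean ones omitted)."""
    result = {}
    for name, code in exports.items():
        desc = detect_hook(code)
        if desc is not None:
            result[name] = desc
    return result


# Constructed entry-point bytes. Syscall numbers and jump targets are placeholders.
CLEAN = bytes.fromhex("4c8bd1b855000000f604250803fe7f0175030f05c3")
HOOK_JMP_REL32 = bytes.fromhex("e978563412" "90909090")
HOOK_MOV_JMP = bytes.fromhex("48b8" "0000000080000000" "ffe0" "9090")
HOOK_PUSH_RET = bytes.fromhex("68" "78563412" "c3" "9090")

# Constructed export table: which functions are hooked is part of the test data.
SAMPLE_EXPORTS = {
    "NtCreateFile": CLEAN,
    "NtWriteVirtualMemory": HOOK_JMP_REL32,
    "NtProtectVirtualMemory": HOOK_MOV_JMP,
    "NtCreateThreadEx": HOOK_PUSH_RET,
}

if __name__ == "__main__":
    for name, desc in scan_exports(SAMPLE_EXPORTS).items():
        print(f"{name}: {desc}")
```

Two caveats follow from this check. A hypervisor-based monitor that observes the guest from outside leaves these stubs untouched, so the scan returns nothing and the sample has learned nothing. Conversely, a real endpoint protected by an EDR that hooks ntdll trips the same check, which is one reason malware weighs several tells together rather than acting on any single one.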

In contrast, hypervisor-based sandboxes, such as the innovative technology offered by VMRay, provide a robust defense against evasion. In this approach, malware is executed within a virtualized environment, meticulously monitored from outside the detonation environment. By keeping the monitoring technology separate, it becomes exceedingly challenging for malware to detect indicators of analysis, ensuring its true behavior is unveiled.

VMRay’s hypervisor-based approach builds on the hardware virtualization support of modern server processors, which keeps it fast, scalable, and resistant to evasion techniques. The analysis environment mirrors a real victim system, so the malware can be observed in full without becoming aware of the monitoring. VMRay’s Intelligent Monitoring further enhances the process, offering deep visibility into malware actions and feeding more than 30 different analysis technologies.

Testing sandbox efficacy:
Pafish and Al-Khaser

One of the enduring challenges in the cybersecurity industry is testing the efficacy of sandboxes. It’s impractical to create malware samples and drop them into live environments for testing. Fortunately, there are tools available that help security professionals assess sandbox effectiveness.

Two notable tools are Pafish and Al-Khaser. Pafish, which can be downloaded as a binary or compiled from source, runs a series of checks against the detonation environment and reports each artifact it manages to detect. Al-Khaser is a broader stress-testing tool that exercises a much larger catalogue of anti-VM, anti-debugging and anti-analysis checks. Security teams aim for “green” results in both, meaning that no check fires. In practice, different sandbox architectures yield different results, and some elements remain detectable by malware that runs the same checks.

Practical tools like Pafish and Al-Khaser are helpful for security teams to assess the efficacy of sandboxing solutions.

The evasion techniques of BumbleBee:
An example case

To illustrate the depth of sandbox evasion techniques employed by adversaries, consider the case of BumbleBee, a loader that marks a significant evolution in evasion strategies. The stage that reaches a sandbox acts as a reconnaissance element rather than as payload-bearing malware: it carries no final payload of its own and concentrates on evading antivirus detection and sandbox analysis before anything further is retrieved.

BumbleBee was delivered through OneNote documents and archive files, relying on compression and packers to slip past antivirus detection. What sets it apart is its extensive battery of evasion checks, many of them lifted directly from Al-Khaser, an open-source tool available on GitHub.

BumbleBee using OneNote as part of its delivery chain: a malicious WSF script file hides behind a fake button in a OneNote document, and the system is infected once the button is double-clicked.

Initially, BumbleBee shipped with no evasion checks, but its operators adapted quickly: within months they had incorporated 35 checks, and later updates added more. The checks are designed to confirm that the sample is not running in a virtual or instrumented environment. When BumbleBee concludes that it is inside a virtual machine, it behaves benignly, so the sandbox observes nothing malicious, issues a clean verdict, and the sample is allowed through to the target environment.

A rough timeline of BumbleBee’s evasion techniques, showing the growing number of checks employed in successive versions.

However, when an Endpoint Detection and Response (EDR) system eventually raises suspicions, security analysts face a daunting task. Tier-3 analysts may need to spend several hours reverse engineering and inspecting the sample to determine its true nature.

Understanding the elaborate tactics used by adversaries like those behind BumbleBee is essential in the ongoing battle for cybersecurity. In the chapters ahead, we will delve deeper into these evasion techniques and explore their implications for security automation.

Conclusion

In conclusion, this chapter has illuminated the motives driving adversaries to invest substantial resources in evading sandboxes. We’ve unraveled the intricate tactics they employ to outsmart these critical cybersecurity defenses, shedding light on the vulnerabilities of certain sandboxing technologies.

As we journey further into the realm of cybersecurity, our next chapter will explore the diverse landscape of sandboxing technologies and delve into the crucial aspect of profiling these solutions. Join us as we uncover the nuances that define the efficacy of sandbox defenses in our ongoing battle against evolving cyber threats.

Combating sandbox evasion for a more effective security automation

Chapter 3: 
Profiling different types of sandboxes
