Windows Under Siege: Unveiling Evolving Threats and Innovations in Cybersecurity - VMRay

Q3 – 2023

Explore Windows Threatscape 2023: From AI Copilot Exploitation to Evolving Ransomware, Uncover Strategies for Informed Defense


Dive into the intricate cyber threatscape of 2023, focusing on the evolving risks targeting the Windows operating system. Explore the dynamic shifts in cross-platform threats, AI exploitation, and delivery chain innovations. The evolving sophistication of phishing attacks and the continual adaptation of notorious malware families like RedLine and XWorm underscore the pressing need for informed defenses.

Uncover the nuances of phishing attacks, malware evolution, and the relentless pursuit of cyber resilience for Windows systems.

The year 2023 has seen a surge in sophisticated cyber threats, with Windows continuing to be a prime target; the introduction of the AI Copilot feature in Windows 11 is likely to expose it to new ones. The landscape is dominated by a mix of established and emerging malware families, such as RedLine and XWorm, consisting primarily of stealers and ransomware. The resurgence of some malware families and the evolution of others highlight the dynamic nature of the threats, which affect organizations across many sectors.

The Rising Tide of Cross-Platform Malware Threats

Cross-platform malware is gaining prominence, with modern, adaptable malware targeting multiple operating systems; SprySOCKS, which targets Linux systems but is derived from Windows malware, is one example. Phishing attacks are growing in sophistication, exploiting legitimate platforms such as Google AMP to bypass security controls, which reflects the innovative methods attackers use to exploit trust and deliver targeted attacks.

The integration of Artificial Intelligence (AI) in cybersecurity is expanding, with AI being leveraged for both defensive and offensive purposes. Malicious AI variants like “Evil-GPT” are raising concerns about the potential intensification of AI-driven cyber-attacks. Additionally, innovation in delivery chains is significant, with new methods and platforms such as Microsoft Teams and Facebook Messenger being exploited to deliver harmful files, and fresh modifications like embedding malicious documents inside PDF files being employed to evade detection.

The diverse and evolving nature of these threats underscores the importance of staying informed and implementing advanced security measures. The rise in sophisticated phishing attacks, the exploitation and advancement of AI, and the innovation in attack vectors necessitate heightened vigilance and proactive security solutions to protect against the multitude of threats in the digital world.

Latest trends in Windows threats

Windows 11 and the AI Copilot Era

Windows remains a prevalent target for malicious attacks because it is still the preferred operating system for most desktop users. While most of the attack scenarios we have seen in the past remain relevant, the newest Windows 11 update introduces the AI Copilot feature, which is likely to open up new possibilities for attackers to install malware on systems.

Note that there are two Microsoft AI products called Copilot: Microsoft Security Copilot, which is used to work with security vulnerabilities, and Windows Copilot (often referred to simply as Copilot), a general-purpose LLM integrated into Windows 11 for all users. We expect attackers to adapt quickly to this new scenario and begin delivering malware through AI search results or abusing the technology to execute certain functionality. As a wide variety of techniques could be deployed, we expect considerable malicious innovation in this area.

Dominant Malware Forms: Stealers and Ransomware

The predominant forms of malware continue to be stealers, which aim to access sensitive information, and ransomware, which encrypts files and demands payment for their release. Both longstanding malware families like RedLine (as well as Amadey, AgentTesla, etc.) and families like XWorm that have recently shown more activity remain in use, illustrating the dynamic and evolving threat landscape.

In particular, BumbleBee malware has increased its activity, utilizing WebDAV folders to infiltrate Windows systems. Another concern is the HTTPsnoop malware, which discreetly embeds itself into the Windows systems of telecom providers and waits to act until it encounters specific URLs. The evolution of the Raccoon stealer is also ongoing: it has developed new evasion techniques to avoid detection more effectively.

While common evasion techniques such as cryptors and packers are employed to hinder static analysis, Raccoon's developers have also introduced features to detect activity that could hint at security researchers, such as multiple connections from the same IP address (or IP range), or connections from IP addresses commonly associated with security researchers or analysis tools.

Havoc Framework: Open-Source Threat Amplification

Notably, Havoc, an open-source post-exploitation C2 framework, is gaining popularity on GitHub and has already been spotted in the wild targeting government organizations and the banking sector.

The framework combines a multitude of techniques to evade detection, such as sleep obfuscation, indirect syscalls and patching the Windows Anti-Malware Scan Interface (AMSI).

Delivery Methods: LNK Files, ISO, and HTML Smuggling

Popular delivery methods for Windows malware are still Windows shortcuts in the form of LNK files, but ISO files have remained popular as well, which our next release should finally address. HTML smuggling has also been popular this quarter, demonstrating that once attackers find a viable attack surface, they will exploit it until that is no longer possible.
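As an added illustration of the HTML smuggling delivery method mentioned above (example code written for this page, not VMRay's own detection logic), the following Python script applies a handful of static heuristics to an HTML file: a large base64 string literal, JavaScript that decodes it, construction of a Blob, and a mechanism that writes the blob to disk as a download. It also carves any decodable base64 literal and identifies the container it holds (ZIP, PE, PDF or ISO), which is what an analyst typically wants to know first. Both sample pages, the indicator names and the thresholds are constructed for this example; the smuggled "payload" is a harmless ZIP-like header followed by zero bytes.

```python
import base64
import re
from typing import Dict, List

# Heuristic indicators for HTML smuggling. Names and thresholds are this
# example's own assumptions, not a published rule set.
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{200,}={0,2})["\']')
DECODE_CALLS = re.compile(r"\batob\s*\(|TextDecoder|Uint8Array|charCodeAt", re.I)
BLOB_BUILD = re.compile(r"new\s+Blob\s*\(", re.I)
DROP_TRIGGERS = re.compile(
    r"URL\.createObjectURL\s*\(|msSaveOrOpenBlob\s*\(|\.download\s*=|\bdownload\s*=\s*[\"']",
    re.I,
)


def identify_payload(data: bytes) -> str:
    """Classify a carved blob by its magic bytes (ISO9660 keeps its signature at 0x8001)."""
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:2] == b"MZ":
        return "pe"
    if data[:4] == b"%PDF":
        return "pdf"
    if data[0x8001:0x8006] == b"CD001":
        return "iso"
    return "unknown"


def carve_payloads(html: str) -> List[Dict]:
    """Decode every large base64 literal and report its size and container type."""
    found = []
    for m in B64_LITERAL.finditer(html):
        try:
            data = base64.b64decode(m.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        found.append({"offset": m.start(1), "size": len(data), "type": identify_payload(data)})
    return found


def analyze_html(html: str) -> Dict:
    """Return the indicator hits, carved payloads and a verdict for one HTML document."""
    indicators = {
        "embedded_base64": bool(B64_LITERAL.search(html)),
        "js_decode": bool(DECODE_CALLS.search(html)),
        "blob_construction": bool(BLOB_BUILD.search(html)),
        "download_trigger": bool(DROP_TRIGGERS.search(html)),
    }
    # Verdict: an embedded blob plus a way to materialise it on disk, with client-side
    # decoding or Blob assembly in between. A plain download attribute alone is benign.
    suspicious = (
        indicators["embedded_base64"]
        and indicators["download_trigger"]
        and (indicators["js_decode"] or indicators["blob_construction"])
    )
    return {
        "indicators": indicators,
        "score": sum(indicators.values()),
        "payloads": carve_payloads(html),
        "suspicious": suspicious,
    }


# Constructed sample 1: a page that assembles an embedded file in the browser and
# triggers a download. The payload is a ZIP-like header plus filler, nothing executable.
SAMPLE_PAYLOAD = b"PK\x03\x04" + b"\x00" * 300
SAMPLE_B64 = base64.b64encode(SAMPLE_PAYLOAD).decode()
SMUGGLING_PAGE = f"""<html><body><p>Loading your invoice...</p>
<script>
  var data = atob("{SAMPLE_B64}");
  var bytes = new Uint8Array(data.length);
  for (var i = 0; i < data.length; i++) bytes[i] = data.charCodeAt(i);
  var blob = new Blob([bytes], {{type: "application/octet-stream"}});
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "invoice.zip";
  a.click();
</script></body></html>"""

# Constructed sample 2: an ordinary page with a small inline image and a normal
# download link; it should trip at most one indicator and not be flagged.
BENIGN_PAGE = """<html><body>
<img src="data:image/png;base64,iVBORw0KGgo=">
<a href="/files/report.pdf" download="report.pdf">Report</a>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("smuggling", SMUGGLING_PAGE), ("benign", BENIGN_PAGE)):
        result = analyze_html(page)
        print(name, result["suspicious"], result["score"], result["payloads"])
```

The verdict deliberately requires the combination of indicators rather than any single one, because base64 images and `download` attributes are common on legitimate pages; in a mail gateway or sandbox this check would run on every HTML attachment and on HTML bodies fetched from links, with the carved payload handed on for further analysis.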

Emerging Concerns: Remote Access Software and SEO Poisoning

The misuse of legitimate remote access software and the manipulation of search engine results, known as SEO poisoning, are also emerging as significant concerns, allowing attackers to maintain a presence and manipulate users covertly; this is likely to worsen with the introduction of AI Copilot in Windows 11. SEO poisoning is a common technique in which legitimate and innocent search queries return results for web pages that host malware.

QR Codes in Phishing: A Novel Tactic Exploiting User Action for Deceptive Email Attacks

Not all phishing attempts, however, try to disguise their URL as belonging to a trusted party. One creative method we have observed is the use of QR codes in phishing attacks. This was a new way of using QR codes in large-scale phishing campaigns, and we sense it could become more common in the future.

The QR codes were placed in legitimate-looking emails, bypassing security systems that scan for dangerous links and reaching unaware targets. Since a QR code must be scanned before the page is reached, these attacks require considerable user action to succeed.

VMRay Malware & Phishing Threat Landscape – Q3/2023

