The Labs team at VMRay actively gathers publicly available data to identify any noteworthy malware developments that demand immediate attention. We complement this effort with our internal tracking and monitor events the security community reports to stay up-to-date with the latest changes in the cyber threat landscape.
In November 2025, the VMRay Labs team focused on the following areas:
1) New VMRay Threat Identifiers addressing:
- Detecting tracking mouse movement
- Detecting MSHTA HTTP connections
- Detecting dropping PE files masquerading as system utilities
- Detecting large memory allocations
- Detecting the combination of CAPTCHA and branding image
- Detecting filename manipulation anti-analysis techniques
2) New or updated Configuration Extractors for:
- UmbralStealer
- SharkStealer
- DeerStealer
- AsyncRat
- DcRat
- VenomRat
- QuasarRat
- XWorm
- XenoRat
3) Smart Link Detonation additions, including the support for:
- Typosquatted URLs
4) +30 new YARA rules
Now, let’s delve into each topic for a more comprehensive understanding.
New VTIs
In earlier posts of this series, we introduced the concept of VMRay Threat Identifiers (VTIs). In short, VTIs identify threatening or unusual behavior of the analyzed sample and rate its maliciousness on a scale of 1 to 5, with 5 being the most malicious. The VTI score, which contributes heavily to the final Verdict of the sample, is presented in the VMRay Platform after an analysis completes. Here is a recap of the VTIs we added or improved in the past month.
Detecting tracking mouse movement
Category: Anti Analysis
MITRE ATT&CK® Technique: T1497.002
During recent analyses, we observed an increase in samples that retrieve the global cursor position and convert screen coordinates into window-relative coordinates. This pattern is commonly associated with malware attempting to verify the presence of real user activity, particularly mouse movement, before unpacking or executing its payload.
This behavior is a classic anti-analysis technique: if the cursor remains idle for several seconds, the malware may assume it is being executed in a sandbox and choose not to proceed.
The VMRay environment already simulates realistic mouse movement to bypass such checks. With this update, we are additionally introducing a new VTI that flags attempts to track mouse-movement behavior. Identifying user-activity checks is essential, as many malware families remain dormant until they confirm they’re running in an environment with a “real” user.
Detecting MSHTA HTTP connections
mshta.exe (short for Microsoft HTML Application Host) is a legitimate Windows host for HTML Applications (HTA) and scripts (VBScript/JScript). It lives in C:\Windows\System32\mshta.exe and is sometimes used legitimately by admins or Windows components to run small GUI scripts.
Attackers may abuse mshta.exe as a living-off-the-land binary: a trusted Windows tool repurposed to bypass defenses. In the scenario that prompted this VTI, a sample used mshta.exe to establish an HTTP connection to an external service.
How are users put at risk when mshta.exe connects to an HTTP service?
- Initial lure: The user opens a malicious email attachment, document, or clicks a link.
- mshta.exe launched: That document or link causes mshta.exe to execute (often via a macro, shortcut, or malicious link).
- HTTP fetch: mshta.exe connects to an HTTP URL and downloads an HTA/JS/VBS payload (plain text over the network).
- In-memory execution: The downloaded script runs directly in memory, so no executable is dropped to disk.
- Follow-up actions: The script may download additional stages, run shell commands, or load other tools silently.
- Malicious activity: The attacker’s code can steal credentials, install persistence, or contact a command-and-control server.
This can lead to immediate compromise, as the fetched code runs in memory with the user’s privileges.
Why does using plain HTTP make it even worse?
1) The payload is sent unencrypted and can be easily hosted or modified by the attacker.
2) There is no TLS certificate to verify, making domain reputation checks less effective.
While the VMRay Platform already includes a VTI that detects mshta.exe being abused to execute code, we are now equipped with a new VTI that triggers when mshta.exe is used specifically to establish an HTTP connection.
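The process-and-network correlation described above, written out as a detection over telemetry. This is an added example, not VMRay's VTI code: it runs over constructed Sysmon-style events (EventID 1 = process creation, EventID 3 = network connection; field names follow Sysmon, all values are made up) and scores each mshta.exe connection the way the text motivates, with any outbound connection from mshta.exe worth noting, a plain-HTTP destination scored higher, and an Office parent process higher still. The port list, parent list and score values are my own choices.

```python
"""Flagging mshta.exe network activity in process/network telemetry (added example)."""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
PLAIN_HTTP_PORTS = {80, 8080}
REMOTE_URL = re.compile(r"\bhttps?://", re.IGNORECASE)

# Constructed telemetry: a macro document launches mshta.exe with a remote HTA,
# which then talks to its host over port 80; an admin's local HTA run that only
# reaches an intranet service over 443 is included for contrast.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "WINWORD.EXE /n invoice.docm"},
    {"EventID": 1, "ProcessId": 5516, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "mshta.exe http://stage.example.invalid/update.hta"},
    {"EventID": 3, "ProcessId": 5516, "Image": r"C:\Windows\System32\mshta.exe",
     "Protocol": "tcp", "DestinationHostname": "stage.example.invalid", "DestinationPort": 80},
    {"EventID": 1, "ProcessId": 6002, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r"mshta.exe C:\Tools\inventory.hta"},
    {"EventID": 3, "ProcessId": 6002, "Image": r"C:\Windows\System32\mshta.exe",
     "Protocol": "tcp", "DestinationHostname": "inventory.corp.invalid", "DestinationPort": 443},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_mshta_http(events):
    """Return one finding dict per suspicious mshta.exe event."""
    parents = {}   # pid -> (parent image basename, command line), filled from EventID 1
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            parents[ev["ProcessId"]] = (basename(ev["ParentImage"]), ev.get("CommandLine", ""))
            # Existing-style check: mshta.exe handed a remote script on its command line.
            if basename(ev["Image"]) == "mshta.exe" and REMOTE_URL.search(ev.get("CommandLine", "")):
                findings.append({"pid": ev["ProcessId"], "rule": "mshta-remote-script-argument",
                                 "severity": 3, "detail": ev["CommandLine"]})
        elif ev["EventID"] == 3 and basename(ev["Image"]) == "mshta.exe":
            parent, _ = parents.get(ev["ProcessId"], ("unknown", ""))
            plain_http = ev.get("DestinationPort") in PLAIN_HTTP_PORTS
            severity = 3                                        # any network use by mshta.exe is unusual
            severity += 1 if plain_http else 0                  # unencrypted, trivially modified payload
            severity += 1 if parent in OFFICE_PARENTS else 0    # the typical document-lure chain
            findings.append({"pid": ev["ProcessId"], "rule": "mshta-network-connection",
                             "severity": severity, "plain_http": plain_http, "parent": parent,
                             "detail": "%s:%s" % (ev.get("DestinationHostname"), ev.get("DestinationPort"))})
    return findings


if __name__ == "__main__":
    for finding in detect_mshta_http(SAMPLE_EVENTS):
        print(finding)
```

The parent lookup is what turns a generic "mshta.exe opened a socket" hit into the chain the text describes (document, mshta.exe, plain-HTTP fetch), which is why the process-creation events are consumed before the network events.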
Detecting dropping PE files masquerading as system utilities
Category: Masquerade
MITRE ATT&CK® Technique: T1036.005
A PE file (short for Portable Executable) is the standard format used in Windows for executable files like .exe and .dll. It contains all the instructions Windows needs to load and run a program.
In one recent sample, we observed multiple PE files being dropped during execution. The interesting part? The dropped files used names mimicking real Windows utilities, such as systemhelper.exe, msiexec.exe, or 7z.exe. Even more telling, these files were written to user directories or temporary paths, not to system folders like C:\Windows\System32\ or C:\Program Files\.
What’s the suspicious part?
While legitimate installers may temporarily unpack files during setup, executables left in writable user folders are a strong indicator of malicious intent. This behavior may suggest that:
- The malware is staging payloads by preparing files that will execute later as part of its infection chain.
- It is attempting to masquerade as a trusted system utility, relying on file names that may bypass allowlists or deceive users and analysts reviewing logs.
To counter this technique, the new VTI triggers whenever a sample drops executable files that share names with known system utilities.
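The three conditions the text combines (the dropped content is a PE image, its name matches a known utility, and it lands outside a system directory) as one check over file-write events. This is an added example, not VMRay's VTI: the events, paths and process names are constructed, the PE check only validates the DOS and PE signatures, and the utility list and directory prefixes are starting points I chose, not a complete set.

```python
"""Spotting dropped executables that borrow system-utility names (added example)."""
import struct

# Names worth watching: the names observed in the post plus a few well-known
# Windows binaries (assumption: a real list would be curated and larger).
SYSTEM_UTILITY_NAMES = {
    "systemhelper.exe", "msiexec.exe", "7z.exe",
    "svchost.exe", "rundll32.exe", "explorer.exe", "cmd.exe", "powershell.exe",
    "conhost.exe", "taskhostw.exe", "lsass.exe",
}
SYSTEM_DIR_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
INSTALLER_DROPPERS = {"msiexec.exe", "setup.exe"}   # legitimately unpack helpers during setup


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS header whose e_lfanew points at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIR_PREFIXES)


def assess_drop(event: dict):
    """Return a finding for a masquerading drop, else None."""
    path, data, dropper = event["path"], event["data"], basename(event["dropper"])
    if basename(path) not in SYSTEM_UTILITY_NAMES or in_system_dir(path) or not is_pe(data):
        return None
    # Installers unpacking to temp are the known benign case: keep the hit, lower the score.
    severity = 3 if dropper in INSTALLER_DROPPERS else 4
    return {"rule": "dropped-pe-masquerading-as-system-utility", "severity": severity,
            "path": path, "dropper": dropper}


def fake_pe_bytes() -> bytes:
    """Minimal constructed PE prefix: 'MZ' header, e_lfanew = 0x40, 'PE\\0\\0' at offset 0x40."""
    header = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\0\0" + b"\0" * 20


# Constructed file-write events (all paths and process names made up).
SAMPLE_DROPS = [
    {"path": r"C:\Users\alice\AppData\Local\Temp\msiexec.exe",
     "dropper": r"C:\Users\alice\Downloads\Invoice.exe", "data": fake_pe_bytes()},
    {"path": r"C:\Users\alice\AppData\Roaming\Updater\systemhelper.exe",
     "dropper": r"C:\Users\alice\Downloads\Invoice.exe", "data": fake_pe_bytes()},
    {"path": r"C:\Windows\System32\msiexec.exe",            # real location: not a masquerade
     "dropper": r"C:\Windows\System32\svchost.exe", "data": fake_pe_bytes()},
    {"path": r"C:\Users\alice\Downloads\7z.exe",            # right name, but not a PE image
     "dropper": r"C:\Users\alice\Downloads\Invoice.exe", "data": b"not an executable"},
    {"path": r"C:\Users\alice\AppData\Local\Temp\7z.exe",   # unpacked by an installer
     "dropper": r"C:\Windows\System32\msiexec.exe", "data": fake_pe_bytes()},
]


def scan_drops(events):
    """Run assess_drop over every event and keep the hits."""
    return [f for f in map(assess_drop, events) if f]
```

Checking the PE signature rather than trusting the `.exe` suffix matters here: a text or script file named `msiexec.exe` is a different (and weaker) signal than an executable image staged under a user profile.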
Detecting large memory allocations
Category: Defense Evasion
When a program runs, it uses different parts of your computer’s memory for code, temporary data, and short-term storage. Recently we’ve seen more malware families allocate unusually large chunks of memory to unpack or hold their payloads entirely in RAM instead of writing anything to disk. That lets them run quietly, avoid file-based scanners, and frustrate analysts who rely on disk artifacts.
To help uncover this behavior, we added a low-scoring VTI that flags unusually large anonymous memory allocations. It is intentionally a lightweight indicator, because large allocations can be legitimate (e.g., in databases or scientific applications). The goal is to add context to our existing detections so analysts see this behavior in the chain of events.
Detecting the combination of CAPTCHA and branding image
Category: Heuristics
We recently expanded our heuristic-based detection capabilities with a new VTI that flags samples exhibiting both a CAPTCHA and a branding image within their interface.
Previously, we introduced a VTI that triggers whenever a sample contains a CAPTCHA. This behavior alone is treated as low-severity because CAPTCHAs can appear in legitimate applications. During recent analysis, we encountered a sample that not only displayed a CAPTCHA but also presented a branding element mimicking Microsoft. This kind of impersonation is a classic social-engineering technique. A Microsoft (or any major vendor) logo is used by threat actors to create a false sense of legitimacy and lower user suspicion.
While the presence of a CAPTCHA or a branding image can be benign on its own, the combination of the two is unusual and raises red flags. Additionally, Microsoft sites do not generally employ CAPTCHAs.
To highlight this suspicious combination, our Platform products now include a new VTI that triggers when a page displays both a CAPTCHA and a branding image. By correlating these behaviors, the system can more accurately identify samples exhibiting advanced evasion and impersonation techniques, helping analysts quickly prioritize and understand potentially malicious activity.
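The "two weak signals, one strong combination" heuristic above, expressed over page markup. This is an added example and not VMRay's detection: it uses only the standard library's HTML parser to look for a CAPTCHA widget (reCAPTCHA, hCaptcha or Cloudflare Turnstile script/iframe/container, or the usual "verify you are human" wording) and a vendor logo or name (image alt/src or page text), and scores the combination higher than either signal alone. The marker strings, brand list, constructed pages and score values are my own choices.

```python
"""Heuristic for the CAPTCHA-plus-branding combination on a fetched page (added example)."""
from html.parser import HTMLParser

CAPTCHA_MARKERS = ("recaptcha", "hcaptcha", "turnstile", "challenges.cloudflare.com")
CAPTCHA_PHRASES = ("verify you are human", "i'm not a robot", "verify humanity")
BRANDS = ("microsoft", "office 365", "onedrive", "sharepoint", "docusign")


class PageSignals(HTMLParser):
    """Collects CAPTCHA and branding evidence while walking the markup."""

    def __init__(self):
        super().__init__()
        self.captcha = set()
        self.branding = set()
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        blob = " ".join(a.get(k, "") for k in ("src", "class", "id", "data-sitekey"))
        if tag in ("script", "iframe", "div") and any(m in blob for m in CAPTCHA_MARKERS):
            self.captcha.add("widget:%s" % tag)
        if tag == "img":
            label = a.get("alt", "") + " " + a.get("src", "")
            self.branding.update("logo:" + b for b in BRANDS if b in label)

    def handle_data(self, data):
        self._text.append(data.lower())

    def finish(self):
        """Evaluate the text-based markers once the whole page has been fed."""
        text = " ".join(self._text)
        self.captcha.update("text:" + p for p in CAPTCHA_PHRASES if p in text)
        self.branding.update("text:" + b for b in BRANDS if b in text)
        return self


def score_page(html: str) -> dict:
    """Return the evidence found plus a 1-5 style score for the combination."""
    p = PageSignals()
    p.feed(html)
    p.finish()
    has_captcha, has_brand = bool(p.captcha), bool(p.branding)
    if has_captcha and has_brand:
        severity = 4      # vendor impersonation behind a bot gate: the suspicious combination
    elif has_captcha:
        severity = 1      # a CAPTCHA alone is common on legitimate sites
    else:
        severity = 0      # a logo alone is what every vendor page shows
    return {"captcha": sorted(p.captcha), "branding": sorted(p.branding), "severity": severity}


# Constructed pages (no real sites or keys).
PHISH_PAGE = """<html><head><title>Sign in to your account</title>
<script src="https://www.google.com/recaptcha/api.js"></script></head>
<body><img src="/static/logo.png" alt="Microsoft"><p>Verify you are human to continue</p>
<div class="g-recaptcha" data-sitekey="CONSTRUCTED-KEY"></div></body></html>"""
FORUM_PAGE = """<html><body><h1>Create account</h1>
<iframe src="https://challenges.cloudflare.com/turnstile/v0/x"></iframe></body></html>"""
VENDOR_PAGE = """<html><body><img src="/img/microsoft.svg" alt="Microsoft"><p>Welcome</p></body></html>"""
```

The evidence lists are returned alongside the score so an analyst can see which widget and which brand fired, rather than only a number.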
Detecting filename manipulation techniques
Category: Anti Analysis
MITRE ATT&CK® Technique: T1497
First, let’s start with explaining why analysis systems or sandboxes may rename malware samples. Malware analysis environments often modify a sample’s filename before execution. This behavior is usually benign and driven by operational or safety requirements:
1) Safety controls: Sandboxes may rename uploaded binaries to prevent accidental execution outside controlled directories or workflows.
2) Workflow consistency: At scale, systems must process thousands of samples reliably. Standardized naming, such as randomized values, UUIDs, or hash-based filenames like SHA256.exe, helps ensure consistency and simplifies automated handling.
3) Extraction of artifacts: When samples are embedded in archives (ZIP, RAR, etc.), the sandbox might extract them and assign clearer or more structured names as part of the unpacking process.
Some malware families validate their own filename or execution path to detect whether they are running in an analysis environment. The logic typically looks like this:
- The malware contains an expected filename hardcoded or generated at runtime.
- At execution, it checks the actual filename/path it is running under.
- If the two differ, the malware may treat this as a sign of analysis and respond by refusing to execute and not revealing malicious behavior.
Our new VTI detects this technique by monitoring when malware invokes functions responsible for retrieving and validating its own execution name. When these checks occur, the VTI triggers, highlighting that the sample may be attempting to evade analysis through filename-based detection.
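Two of this month's anti-analysis VTIs, the mouse-movement tracking check and the filename self-check, share the same shape: a sequence of API calls inside one process. The block below, an added example rather than VMRay's VTI engine, runs both heuristics over a constructed API trace. The Windows API names are my mapping of the behaviour the text describes (cursor position plus screen-to-window conversion; reading the own image path and comparing it), the trace records are made up, and each record is (pid, api, info) with string arguments and return values as a tracer would log them. The filename rule also reports the name the sample expected, which is the value an analyst needs to re-run it under.

```python
"""API-sequence heuristics for user-activity checks and filename self-checks (added example)."""
from collections import defaultdict

SELF_PATH_APIS = {"GetModuleFileNameW", "GetModuleFileNameA"}
COMPARE_APIS = {"lstrcmpW", "lstrcmpiW", "lstrcmpA", "lstrcmpiA", "CompareStringW",
                "StrStrIW", "_wcsicmp", "PathMatchSpecW"}
EXIT_APIS = {"ExitProcess", "TerminateProcess"}

# Constructed trace: pid 1000 refuses to run unless named Invoice.exe, pid 1001
# polls the cursor for movement, pid 2000 is a benign GUI context-menu lookup.
TRACE = [
    (1000, "GetModuleFileNameW", {"return": r"C:\Users\alice\AppData\Local\Temp\ab12cd.exe"}),
    (1000, "lstrcmpiW", {"args": [r"C:\Users\alice\AppData\Local\Temp\ab12cd.exe",
                                  r"C:\Users\alice\AppData\Local\Temp\Invoice.exe"], "return": -1}),
    (1000, "ExitProcess", {"args": [0]}),
    (1001, "GetCursorPos", {"return": (512, 384)}),
    (1001, "ScreenToClient", {}),
    (1001, "Sleep", {"args": [2000]}),
    (1001, "GetCursorPos", {"return": (512, 384)}),
    (1001, "ScreenToClient", {}),
    (1001, "Sleep", {"args": [2000]}),
    (1001, "GetCursorPos", {"return": (512, 384)}),
    (1001, "ScreenToClient", {}),
    (2000, "GetCursorPos", {"return": (100, 100)}),
    (2000, "TrackPopupMenu", {}),
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_order(apis, pattern):
    """True if every step of pattern (a set of API names) occurs in apis, in that order."""
    it = iter(apis)
    return all(any(api in step for api in it) for step in pattern)


def detect_user_activity_check(calls):
    """Repeated cursor polling with sleeps in between, converted to window coordinates."""
    apis = [api for api, _ in calls]
    polls = apis.count("GetCursorPos")
    polling_loop = in_order(apis, [{"GetCursorPos"}, {"Sleep"}, {"GetCursorPos"}, {"Sleep"}, {"GetCursorPos"}])
    if polls >= 3 and polling_loop and "ScreenToClient" in apis:
        return {"rule": "mouse-movement-tracking", "severity": 3, "polls": polls}
    return None


def detect_filename_check(calls):
    """Own image path retrieved, then compared against an expected name."""
    own_path = None
    for idx, (api, info) in enumerate(calls):
        if api in SELF_PATH_APIS and isinstance(info.get("return"), str):
            own_path = info["return"]
        elif api in COMPARE_APIS and own_path:
            strs = [s for s in info.get("args", []) if isinstance(s, str)]
            own = {own_path.lower(), basename(own_path)}
            if any(s.lower() in own or basename(s) in own for s in strs):
                expected = [basename(s) for s in strs if s.lower() not in own and basename(s) not in own]
                exits_after = any(a in EXIT_APIS for a, _ in calls[idx + 1:])
                return {"rule": "filename-self-check", "severity": 4 if exits_after else 3,
                        "expected_name": expected[0] if expected else None,
                        "exits_on_mismatch": exits_after}
    return None


def run_rules(trace):
    """Group the trace per process and apply both heuristics."""
    by_pid = defaultdict(list)
    for pid, api, info in trace:
        by_pid[pid].append((api, info))
    findings = []
    for pid, calls in by_pid.items():
        for rule in (detect_user_activity_check, detect_filename_check):
            hit = rule(calls)
            if hit:
                findings.append(dict(hit, pid=pid))
    return findings
```

The single `GetCursorPos` call from pid 2000 shows why the rule insists on a sleep-separated polling loop: GUI code reads the cursor position all the time, and only the repeated poll-and-wait pattern points at a user-activity gate.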
AutoUI Enhancements
Support interaction with newly emerging fake CAPTCHAs
During recent analysis, we encountered a phishing sample that placed two CAPTCHA gates in front of the actual phishing page. While this behavior is unusual for legitimate websites, it is starting to appear in more sophisticated phishing operations.
Attackers rely on these fake CAPTCHA walls to evade automated detection. Most security crawlers, URL scanners, and sandbox environments cannot solve CAPTCHA challenges, let alone two in succession. By forcing automated systems to stop at the CAPTCHA stage, attackers significantly reduce the likelihood that the true phishing content will ever be retrieved, analyzed, or blocked.
In the sample we analyzed, the second CAPTCHA required clicking a “Verify Humanity” button. While earlier versions of the VMRay AutoUI engine did not automatically interact with this specific design pattern, we have since expanded our automated interaction rules. Over the last month, our AutoUI engine has been enhanced to recognize and click through both CAPTCHA layers, ensuring complete behavioral visibility – no matter how many fake CAPTCHAs stand in the way.
Configuration Extractors
New extractor for UmbralStealer
UmbralStealer is a stealer written in C# that can extract login credentials and cookies from various web browsers and video games. It also includes functionality to capture screenshots and webcam images. Its primary means of communication with attackers is via Discord.
New extractor for SharkStealer
SharkStealer is a Golang “malware-as-a-service” information stealer, which uses EtherHiding to store C2 information on a public blockchain.
New extractor for DeerStealer
DeerStealer is a Malware-as-a-Service (MaaS) infostealer which is sold on underground forums. DeerStealer mainly targets credentials and cryptocurrencies, but also offers remote access capabilities.
New multi-family extractor supporting the following malware families and their variants:
- AsyncRAT
- DcRat
- VenomRat
- QuasarRat
- XWorm
- XenoRat
- and other clones
Smart Link Detonation
One of the key components of the VMRay Platform, Smart Link Detonation (SLD), automatically evaluates and detonates hyperlinks embedded in emails and documents. We recently made two important improvements to our SLD feature to keep pace with evolving threats:
Support detonating typosquatted URLs
Typosquatting is a cybersecurity attack technique where an attacker registers a misspelled or visually similar version of a legitimate domain name, hoping that users will mistype the address or fail to notice subtle differences. For example, instead of going to the legitimate site vmray.com, a user might accidentally visit:
- vmary.com (swapped letters)
- vnnray.com (extra character)
- v-mray.com (added hyphen)
To strengthen our defenses against this tactic, we enhanced our Smart Link Detonation feature with typosquatting detection. SLD now evaluates URLs using patterns commonly seen in phishing campaigns, flagging cases where attackers disguise malicious domains to resemble trusted ones.
This capability is reinforced by a new VMRay Threat Identifier dedicated to spotting potential typosquatting. When a suspicious domain is detected, the VTI flags it, and SLD automatically detonates it in the VMRay Platform environment for deeper analysis.
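A screening step of the kind SLD now performs, as an added example that is not VMRay's implementation. It reduces a URL to its registrable domain and compares the name part with a short protected list using Damerau-Levenshtein (optimal string alignment) distance, so the three cases above (swapped letters, an extra character, an inserted hyphen) are each caught as a single edit or a confusable substitution. The protected list, the confusable map, the two-label approximation of the registrable domain and the thresholds are my own choices; a production version would use the Public Suffix List and a much larger brand list.

```python
"""Screening URLs for typosquatted look-alikes of protected domains (added example)."""
from urllib.parse import urlsplit

PROTECTED_DOMAINS = {"vmray.com", "microsoft.com", "google.com"}   # constructed list
# Visually confusable sequences collapsed before comparison (assumption: illustrative, not exhaustive).
CONFUSABLES = {"rn": "m", "nn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalise(name: str) -> str:
    """Lower-case, strip hyphens and collapse look-alike character sequences."""
    s = name.lower().replace("-", "")
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap (each cost 1)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[len(a)][len(b)]


def registrable_domain(url: str) -> str:
    """'name.tld' for the URL host (assumption: last two labels; real code uses the Public Suffix List)."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def typosquat_check(url: str, protected=PROTECTED_DOMAINS) -> dict:
    """Classify a full URL as legitimate, typosquat (naming the imitated domain and why) or unrelated."""
    domain = registrable_domain(url)
    if domain in protected:
        return {"domain": domain, "verdict": "legitimate", "imitates": None, "reason": None}
    name = domain.rpartition(".")[0]
    best = None   # (rank, imitated domain, reason); lower rank means closer
    for p in sorted(protected):
        pname = p.rpartition(".")[0]
        if name == pname:
            cand = (0, p, "tld-swap")
        elif name.replace("-", "") == pname:
            cand = (0, p, "inserted-hyphen")
        elif normalise(name) == normalise(pname):
            cand = (0, p, "confusable-characters")
        else:
            dist = osa_distance(name, pname)
            if dist > (2 if len(pname) >= 8 else 1):   # looser limit only for long names
                continue
            cand = (dist, p, "edit-distance-%d" % dist)
        if best is None or cand[0] < best[0]:
            best = cand
    if best is None:
        return {"domain": domain, "verdict": "unrelated", "imitates": None, "reason": None}
    return {"domain": domain, "verdict": "typosquat", "imitates": best[1], "reason": best[2]}
```

The length-dependent threshold is the main false-positive control: at distance 2 a five-letter name such as vmray would also match unrelated words like "array", so short names only get the single-edit budget while the confusable map still covers the vnnray case.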
YARA Rules Update
Our hunt for new, undetected malware samples never stops. Over the past months, we added more than 220 fresh YARA rules to strengthen detection across a wide range of threats. This month, we’re continuing that momentum with 30+ new rules, focused on delivering a solid drop of high-quality detections. Here’s a quick preview of what we’re shipping this month.
New YARA detections for:
Backdoors:
- Stormkitty/Cameleon
Stealers:
- Shuyal Stealer
- Genesis Stealer
Loaders:
- MorpheusLoader
- OysterLoader/Broomstick
- CryptoLove
- QuirkyLoader
- PhantomVAI
Downloaders:
- Raspberry Robin
Techniques:
- Browser Cache Smuggling
- Fake CAPTCHA used in Phishing
- New YARA detection on specific Gambling sites
- New rules for several sandbox evasion techniques
- New YARA detection on suspicious PDF structure names
- New rules on suspicious VSCode extensions
- New rules for Telegram-themed phishing pages
- New rules for EDRKiller variant
- YARA signature on captcha wall
Ransomware:
- Kuiper ransomware
- BeastCrypt ransomware
- Playboy ransomware
- Jasmin ransomware
- HybridPetya
- Nspire/Poliex ransomware
Trojans:
- DiskWriter
RATs:
- GodRAT
- CastleRAT
Other:
- Morpheme
- AsgardProtector
- APT41 KEYPLUG payload
- New rules to support the following families:
  - Kkrunchy packer
  - DarkTortilla crypter
  - Rustock Rootkit
  - Aisuru
- YARA signatures for PDF converter PUAs
