The Labs team at VMRay actively gathers publicly available data to identify any noteworthy malware developments that demand immediate attention. We complement this effort with our internal tracking and monitor events the security community reports to stay up-to-date with the latest changes in the cyber threat landscape.

In July 2025, the VMRay Labs team has been focused on the following areas:

1) New VMRay Threat Identifiers addressing:

• Detecting hiding file extensions via registry
• Detecting JavaScript-only SVG files
• Detecting attempts to query the name of the joined domain
• Detecting GUI input monitoring behavior
• Detecting Explorer injection via COM hijacking
• Detecting thread-based keylogging activity
• Detecting changing permissions of system binaries

2) New or updated Configuration Extractors for:

• WarmCookie
• Rhadamanthys
• Stealcv2
• Wetfossil/VIDEOSPY

3) Adaptive Browser Simulation enhancements to address recent phishing tricks

4) Smart Link Detonation additions

5) +35 new YARA rules

Now, let’s delve into each topic for a more comprehensive understanding.

New VTIs

In a few last blog posts, we introduced you to the concept of the VMRay Threat Identifiers (VTIs). In short, VTIs identify threatening or unusual behavior of the analyzed sample and rate the maliciousness on a scale of 1 to 5, with 5 being the most malicious. The VTI score, which greatly contributes to the ultimate Verdict of the sample, is presented to you in the VMRay Platform after a completed analysis. Here’s a recap of the new VTIs that we added, or improved in the past month.

Detecting hiding file extensions via registry

Category: Masquerade

MITRE ATT&CK® Technique: T1036

Adversaries employ deception techniques to manipulate how malicious files appear to end users. One such method involves hiding file extensions in Windows Explorer by modifying a specific registry value. This tactic helps attackers masquerade malicious executables as benign files.

By default, Windows hides extensions for known file types such as .exe, .jpg, or .txt. Threat actors may abuse this behavior, for example, by renaming malware with double extensions (e.g., invoice.pdf.exe). When file extensions are hidden, such a file appears simply as invoice.pdf, tricking users into believing it’s a harmless document. This disables visual cues that would otherwise alert a user to the true, executable nature of the file. To achieve this, attackers typically modify a user-specific setting in the Windows Registry that controls whether known file extensions are displayed in Windows Explorer.

To counter this tactic, we introduced a new VTI in the VMRay Platform. This VTI triggers whenever a process attempts to hide file extensions via the registry.

Detecting JavaScript-only SVG files

Category: Heuristics

While analyzing recent SVG samples, we encountered an interesting anomaly: an SVG file that contained no graphical elements at all — only JavaScript. Instead of being used as an image, the file served purely as a redirector to a phishing site.

SVG is an image format, designed primarily for rendering vector graphics via XML. While it does support embedded JavaScript, typically used for light interactivity like animations or tooltips, it is uncommon for an SVG to consist entirely of JavaScript. Such usage often indicates an evasion technique employed by threat actors to leverage SVGs as a means of bypassing content filters. Whereas formats like .js, .exe, or .html are commonly blocked by email gateways or upload filters, .svg files may pass through more easily, making them an attractive option for delivering malicious scripts.

To address this, we introduced a new VTI that will trigger whenever an SVG file is observed that lacks semantic vector image content and is composed entirely of JavaScript.

Detecting attempts to query the name of the joined domain

Category: Discovery

One of the key early steps in malware reconnaissance is environment awareness to understand whether the infected machine is part of a domain, a workgroup, or standalone. To do this, malware queries the system using specific Windows API functions, which reveal if the machine is joined to a domain. Why is this important?

• Targeting high-value environments: Domain-joined machines are usually enterprise or government systems, representing more valuable targets with access to sensitive networks and data. Malware may prioritize these for  payloads.
• Sandbox and VM evasion: Many analysis environments and sandboxes are not domain-joined. Malware detecting the absence of a domain might alter its behavior to avoid detection.
• Tailored payload delivery: Knowing the domain status helps malware decide whether to deploy complex persistence mechanisms and credential theft or simpler data-stealing modules on standalone machines.

Our new VTI now triggers whenever a process calls relevant Windows API endpoints to query the host’s domain name. This allows analysts to  or signs of evasive samples focused on domain membership.

Detecting GUI input monitoring behavior

Category: Input Capture

MITRE ATT&CK® Technique: T1056/002/

A recently analyzed sample deployed a technique that allows it to monitor and potentially interfere with GUI events such as dialog interactions, warning prompts, and other message-based UI elements. While commonly seen in legitimate applications for enhancing user experience, this technique is rarely observed in malicious code, making it a strong anomaly.

This approach stands out because it does not rely on typical input capture techniques like keyboard or mouse hooks. Instead, it uses a UI-specific message monitoring mechanism that operates within the application thread context, making it less likely to be flagged by traditional keylogger heuristics.

To address this, we introduced a new VTI that flags malware exhibiting this unusual behavior.

Detecting Explorer injection via COM hijacking

Category: Persistence

MITRE ATT&CK® Technique: T1546/015/

Recently, our analysis of the SnipBot malware family highlighted a common persistence tactic: explorer.exe injection via COM hijacking.

What is COM hijacking?

The Windows Component Object Model (COM) allows software to interact with system components and other applications through pre-defined interfaces. Malware can abuse this mechanism by modifying specific COM registry keys so that, instead of a legitimate DLL, a malicious DLL is loaded whenever the COM object is triggered.

In the case of SnipBot, the malware:

1. Creates or modifies a COM registry key (often under a CLSID path).
2. Sets its value to point to a malicious DLL.
3. Starts explorer.exe, which automatically loads the hijacked COM object, executing the malicious code.

By injecting into explorer.exe, attackers gain:

• Stealth: explorer.exe is a trusted Windows process, making malicious activity harder to detect.
• Persistence: Explorer restarts every time a user logs in, ensuring repeated execution.

To improve defenses against this threat, we introduced a new VTI. This VTI specifically triggers when a sample attempts to perform COM hijacking to inject code into explorer.exe, allowing analysts to quickly identify this stealthy persistence technique during automated detonation.

Detecting thread-based keylogging activity

Category: Input Capture

MITRE ATT&CK® Technique: T1056/001/

In recent analyses, including samples from malware families like VideoSpy, we’ve identified a common technique for stealing user input: thread-based keylogging. This approach is commonly used by keyloggers, which often run in dedicated threads to capture keystrokes without interfering with other malicious components.

Our new VTI detection improves on existing keylogging indicators by being more generic and reliable, scoring higher and reducing false positives. Instead of relying solely on specific API calls, which can be noisy, this detection leverages behavioral insights from our Dynamic Analysis to pinpoint threads dedicated exclusively to keylogging activity.

In case of the sample we analyzed, we observed it performing the following activities:

1. Creates a dedicated thread whose sole purpose is to monitor keyboard input.
2. Uses certain API function to capture the state of individual keys, effectively recording every keystroke.
3. Implements a short sleep cycle after each check to reduce CPU usage and avoid detection by resource monitoring tools.
4. Repeats this loop continuously, ensuring no keystrokes are missed while staying stealthy.

This behavior is typically invisible to the victim but provides attackers with a steady stream of sensitive data that can later be exfiltrated or used for further compromise.

To address this threat, we added a new VTI that specifically detects the creation of new threads dedicated to keyboard monitoring.

Detecting changing permissions of system binaries

Category: System Modification

System binaries (e.g., /bin/ls, /usr/bin/bash, /sbin/init) are essential for the operating system to function. Changing their permissions results in the binary not being usable enough, and may:

• Break system utilities and scripts
• Prevent users or the OS from running commands
• Lead to boot failure or system crash

This dangerous behavior is an indicator of a hostile or destructive malware sample, and it usually requires immediate response, such as isolation of the affected system and forensic investigation. To be prepared for this threat, we added a new VTI that will trigger when a process that removes execute permission from  is detected.

In the past month, we added Configuration Extractors for the malware families mentioned below:

WarmCookie

WarmCookie is a Windows-based, two-stage backdoor primarily used for gaining remote access and persistent control over infected systems. Once activated, WarmCookie enables:

• Machine fingerprinting: collects machine name, DNS domain, username, CPU info, volume serial number, IP, etc
• Data exfiltration via HTTP cookie parameter, often encrypted with RC4 and Base64
• Screenshot capture, executing arbitrary commands via cmd.exe, file read/write, and dropping additional payloads

Rhadamanthys

First surfacing in late 2022, Rhadamanthys has quickly gained notoriety as a potent C++-based information stealer, offered as Malware-as-a-Service to cybercriminals seeking to extract credentials and sensitive data at scale. Its modular design, constant updates, and stealthy delivery tactics make it one of the more sophisticated infostealers in circulation today.

Rhadamanthys is distributed through a mix of phishing campaigns, malvertising, and SEO-poisoned websites. The malware is often hidden behind convincing facades: fake Zoom installers, cloned software update pages, and fraudulent copyright notices are common lures. These attack vectors aim to trick users into downloading what appears to be legitimate software but actually launches the initial infection chain.

What makes Rhadamanthys especially dangerous is its continual evolution. The recent v0.7.0 update introduced AI-powered OCR capabilities, allowing the malware to scan images (e.g. screenshots or photos) for seed phrases – a critical piece of data in the cryptocurrency ecosystem. This marks a shift toward more advanced, intelligent forms of data exfiltration that go beyond traditional text scraping.

Stealc made its debut in 2023 as a versatile credential stealer, sharing traits with malware families like RedLine, Raccoon, and Vidar. Its main goal? Harvesting sensitive data such as browser credentials, crypto wallet information, and personal files, then exfiltrating them to a command-and-control (C2) server.

Fast forward to March 2025, and we see the release of , a significant upgrade written in C++ that brings new levels of stealth and capability. This latest iteration uses a custom RC4 encryption scheme to obfuscate both its internal code strings and network communications, making it much harder to detect and analyze.

 expands its reach by targeting credentials not only from web browsers but also from cryptocurrency wallets, popular game clients, VPN software, and a wide range of messenger applications. This makes it a formidable threat for anyone using these platforms, especially given its advanced encryption and evasive tactics.

Wetfossil/VIDEOSPY

VideoSpy, also known as Wetfossil, shares many traits with the infamous Gh0stRAT malware family. Equipped with powerful keylogging capabilities and the ability to establish persistent access, VideoSpy leverages process hollowing to evade detection by security tools. Once deployed, it connects to a remote command-and-control (C2) server, giving attackers full control over the victim’s PC.

This malware typically spreads via malicious spam emails, trojanized software installers, and fake video codecs — all exploiting social engineering tactics to trick users into executing the payload.

Beyond stealing credentials, Wetfossil can:

• Capture screenshots
• Log keystrokes
• Steal cryptocurrency wallets
• Exfiltrate sensitive files

Its primary targets are individual users and small businesses, with a particular focus on harvesting financial credentials and crypto-related data to fuel cybercrime monetization efforts.

Addressing recent phishing tricks

Phishing kits are constantly evolving, using new tricks to evade detection and lure victims. One tactic we recently analyzed involved a fake Facebook login page where the credential-stealing form was initially hidden, only appearing after the user clicked a “Get Started” button. Modern phishing campaigns often rely on conditional user actions – like clicking, scrolling, or hovering – to trigger their malicious payloads to evade automated detection systems and increase their success rate. Additionally, a button like “Get Started” or “Verify” feels more legitimate to the victim than an immediate credential prompt.

To address this challenge, our VMRay Labs team researched the issue and, in July, rolled out an enhancement to our Adaptive Browser Simulation feature. Adaptive Browser Simulation can now detect and click these “Get Started” buttons automatically, ensuring that hidden phishing elements are revealed and analyzed.

Smart Link Detonation

One of the key component of the VMRay Platform, Smart Link Detonation (SLD), is an automatic evaluation and detonation of hyperlinks embedded in emails and documents. We recently made two important improvements to our SLD feature to keep pace with evolving threats:

1) Recursive Submission of suspicious TLDs

We extended a list of suspicious top-level domains (TLDs) seen more often in phishing attacks such as, e.g.: .click, .top, .lol, .xyz, and submit them for recursive detonation. This enhancement applies within one of the existing SLD modes and increases our detection coverage.

2) Detonating URLs from SafeLink providers

Phishing actors increasingly exploit trusted URL rewriting services, often referred to as SafeLink providers, to disguise malicious URLs. In a recent case, we observed phishing attempt using embedded safe links – upon clicking these links, users were directed to phishing lures.

To address this threat, we extended the SLD logic to detonate URLs coming from Safe Link providers. This update allows VMRay to effectively expose phishing URLs hidden behind these URL protection layers and provide stronger security for our users.

YARA Rules Update

Our hunt for new YARA rules never stops. Over the past months, we added more than 140 fresh YARA rules to strengthen detection across a wide range of threats. This month, we’re continuing that momentum with 35+ new rules, focused on delivering a solid drop of high-quality detections. Here’s a quick preview of what we’re shipping this month.

Stealers

AurotunStealer/MonsterV2

SVCStealer

FleshStealer

Arcane Stealer

MaksRAT/MaksStealer

UmbralStealer

DeerStealer

New Lumma version

CoinLurker Stealer

BlankGrabber

RATs

VenomRAT

NiceRAT

BlackMoon/KrBanker

.NET RAT (PureCrypter variant)

AsyncRAT Rust/RustyAsyncRAT

HiddenGh0st

Loaders

WuspLoader

Anubis Loader

ArmillariaLoader

Matanbuchus 3.0

Other

HeartCrypt

OneDrive phishing page that asks for email

HellsVectoredGate

CAPTCHA-style blockwall

BlackLock Linux ransomware

FileFix PoC

YARA signature on SVG files with Drive links

YARA signature on Visme phishing form

CozyDuke/CozyBear

AteraAgent

YARA coverage for SharePoint CVE-2025-53770 vulnerability

PurpleFox

NimDoor

GAZPROM ransomware

DiskView trojan

Final Thoughts

July 2025 was a busy month for our Labs team, marked by major enhancements to our VMRay Threat Identifiers, configuration extractors and a broadened, fine-tuned YARA rule set spanning multiple threat categories. As attackers refine their tactics, our ongoing commitment remains clear — to stay ahead of the curve, proactively enhancing detection, and equipping defenders with the tools needed to counter modern cyber threats. Stay tuned for our next edition of signature and detection updates, planned to be published in the weeks ahead.