The Labs team at VMRay actively gathers publicly available data to identify any noteworthy malware developments that demand immediate attention. We complement this effort with our internal tracking and monitor events the security community reports to stay up-to-date with the latest changes in the cyber threat landscape.
In February 2025, the VMRay Labs team focused on the following areas:
1) New VMRay Threat Identifiers (VTI) addressing:
Interactive Process Hollowing (via Pipes)
2) VTI improvement for:
Detection of Braodo infostealer behavior
3) New YARA rules:
We created and updated over 30 YARA rules last month! Scroll down to discover more about these exciting updates.
Now, let’s delve into each topic for a more comprehensive understanding.
VMRay Threat Identifiers
In our last few blog posts, we introduced you to the concept of the VMRay Threat Identifiers. In short, VTIs identify threatening or unusual behavior of the analyzed sample and rate the maliciousness on a scale of 1 to 5, with 5 being the most malicious. The VTI score, which greatly contributes to the ultimate Verdict of the sample, is presented to you in the VMRay Platform after a completed analysis. Here’s a recap of the VTIs that we added or improved in the past month.
VTI for Interactive Process Hollowing (via Pipes)
Category: Process Injection
MITRE ATT&CK® Technique : T1055.012
During our analysis of HijackLoader samples, we identified a variant of Process Hollowing, referred to as Interactive Process Hollowing.
Process Hollowing is a technique where an attacker starts a legitimate process in a suspended state, removes its original code, and replaces it with malicious code before resuming execution. In this interactive variant, however, the injection target process is not created in a suspended state. Instead, it starts normally and is suspended only later in the attack to complete the malicious code injection.
In this technique, pipes, a standard inter-process communication mechanism, are used to control when the malicious code starts running. The attacker sets up input and output pipes attached to the target process; data sent through them triggers execution of the injected code. Normally pipes simply carry data between processes, but here they act as a hidden control mechanism.
The target process remains blocked, waiting for input through its standard input (STDIN) pipe just like a command prompt waiting for a user to type something.
The attacker injects malicious code into this process while it is still waiting.
To trigger execution of the malicious code, the attacker sends a simple input through the pipe.
The process, now unknowingly hijacked, resumes execution, but instead of running its original code, it now executes the attacker’s payload.
Our new VTI will trigger when a process is hollowed interactively via pipes, detecting this stealthy malware behavior that abuses standard communication mechanisms to avoid detection.
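The sequence described above, as a simplified detection rule over a monitored API trace (an added example, not VMRay's VTI implementation; the event shape, API names and the pipe-to-child linking are assumptions):

```python
from dataclasses import dataclass

CREATE_SUSPENDED = 0x00000004        # CreateProcess dwCreationFlags bit
STARTF_USESTDHANDLES = 0x00000100    # STARTUPINFO.dwFlags: std handles redirected

@dataclass
class Event:
    pid: int                 # calling process (constructed event shape, not VMRay's log format)
    api: str                 # monitored API name
    target: int = 0          # child pid (CreateProcess) or target pid (cross-process calls)
    creation_flags: int = 0  # CreateProcess dwCreationFlags
    startup_flags: int = 0   # CreateProcess STARTUPINFO.dwFlags
    handle: int = 0          # pipe handle (CreatePipe write end, WriteFile)

def detect_interactive_hollowing(events):
    """(injector, target) pairs where the injector created a pipe, spawned the child
    with redirected std handles but WITHOUT CREATE_SUSPENDED, later wrote into the
    child's memory, and finally wrote to its pipe end (the trigger input).
    Classic hollowing (CREATE_SUSPENDED from the start) is deliberately not matched."""
    pipe_ends = {}   # injector pid -> write-end handles it created (assumption: any of them feeds the child)
    state = {}       # target pid -> {"injector": pid, "stage": str}
    hits = []
    for ev in events:
        if ev.api == "CreatePipe":
            pipe_ends.setdefault(ev.pid, set()).add(ev.handle)
        elif ev.api == "CreateProcess":
            not_suspended = not (ev.creation_flags & CREATE_SUSPENDED)
            piped = bool(ev.startup_flags & STARTF_USESTDHANDLES)
            if not_suspended and piped and ev.pid in pipe_ends:
                state[ev.target] = {"injector": ev.pid, "stage": "created"}
        elif ev.api in ("WriteProcessMemory", "NtMapViewOfSection"):
            s = state.get(ev.target)
            if s and s["injector"] == ev.pid and s["stage"] == "created":
                s["stage"] = "injected"
        elif ev.api == "WriteFile" and ev.handle in pipe_ends.get(ev.pid, ()):
            for target, s in state.items():
                if s["injector"] == ev.pid and s["stage"] == "injected":
                    s["stage"] = "triggered"
                    hits.append((ev.pid, target))
    return hits

# Constructed traces: the interactive variant, and a benign tool feeding a child via a pipe.
HOLLOW_TRACE = [
    Event(100, "CreatePipe", handle=0x1c),
    Event(100, "CreateProcess", target=200, startup_flags=STARTF_USESTDHANDLES),
    Event(100, "NtSuspendProcess", target=200),   # suspended only after it started
    Event(100, "WriteProcessMemory", target=200),
    Event(100, "WriteFile", handle=0x1c),         # the input that starts the payload
]
BENIGN_TRACE = [
    Event(300, "CreatePipe", handle=0x20),
    Event(300, "CreateProcess", target=400, startup_flags=STARTF_USESTDHANDLES),
    Event(300, "WriteFile", handle=0x20),
]
```

`detect_interactive_hollowing(HOLLOW_TRACE)` yields `[(100, 200)]`; the benign trace and a classic CREATE_SUSPENDED hollowing trace yield nothing, which is what separates this VTI from the existing Process Hollowing one.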
VTI to detect Braodo infostealer behavior
Category: Data collection
In early 2024, a new threat emerged in the cybercrime landscape – Braodo Stealer, a sophisticated Python-based infostealer malware. Braodo is primarily designed to harvest sensitive personal data, such as login credentials, browser histories, cookies, and stored passwords. Once installed on a victim’s system, the malware collects and exfiltrates data to attacker-controlled servers, all while evading detection using sophisticated obfuscation techniques.
During our analysis, we observed that a sample:
Accesses and collects sensitive browser data.
Captures screenshots of the infected system.
Resolves the address of api.telegram.org and later establishes a connection to Telegram, likely to exfiltrate stolen data.
Screen capture command used in the analyzed sample
Additionally, the sample also triggers other VTIs already present in the VMRay Platform that relate to browser data collection, such as: “Searches for sensitive browser data” and “Reads sensitive browser data”.
Data collection VTI in the VMRay Platform
YARA Rules
The previous month’s detection updates bring a powerful boost to our Platform with over 30 new YARA rules! In this blog, we’ll give you a quick overview of the latest additions without diving into all the details, just enough to keep you in the loop on what’s new.
New rules for downloaders and loaders
1) Dolphin Loader
First seen in July 2024, Dolphin Loader is a relatively new malware-as-a-service.
This flexible loader is capable of fetching different types of malware, including infostealers, ransomware, or other malicious tools, depending on the specific goals of the threat actor.
It has been seen in targeted attack campaigns, delivered via phishing emails, malicious downloads, and compromised websites.
2) Emmenhtal Loader
First seen in February 2024.
Distributes a variety of malware, including infostealers (e.g., CryptBot, Lumma Stealer) and Remote Access Trojans (RATs).
Uses modified legitimate Windows binaries to embed and execute malicious scripts.
Operates in a memory-only manner, leaving minimal traces on disk.
Associated with multiple financially motivated threat actors.
3) Legion Loader
Also known as Satacom or CurlyGate, first seen in 2019.
Legion Loader is a highly versatile malware loader that has been quiet for a period but re-emerged in a new campaign in December 2024 with over 2,000 new samples.
Delivers a variety of malicious payloads, including infostealers like Vidar, Predator the Thief, and Raccoon Stealer, as well as backdoors, cryptocurrency stealers, and miners.
Employs process injection methods, such as Process Hollowing, to evade detection by injecting malicious code into legitimate system processes.
4) Zharkbot
First identified in mid-2023, Zharkbot is a malware that has recently been observed in active campaigns, often delivered through the Amadey trojan.
Upon execution, Zharkbot gathers detailed information from the infected system, including system architecture, user data, OS details, and other unique identifiers.
The malware uses specific checks for usernames and virtual machine identifiers to avoid detection in sandbox environments.
It contains persistence mechanisms and schedules a task for automatic execution at startup.
5) Sugarwraith Loader
As of February 2025, only a single sample of Sugarwraith Loader has been observed in the wild, indicating that its use is currently highly targeted.
It has been linked to APT27, a sophisticated advanced persistent threat (APT) group that has been active since at least 2010.
Due to its limited presence and targeted nature, further details on its full capabilities remain unclear.
6) JinxLoader
First discovered in April 2023, JinxLoader is a Go-based malware loader used by cybercriminals to distribute additional malicious payloads onto compromised systems.
Once installed, JinxLoader delivers various types of malware, such as Formbook and XLoader, which can steal sensitive data or provide attackers with remote control over the infected system.
JinxLoader later evolved into Astolfo Loader, a C++ rewrite designed to improve its performance, enhance its evasion techniques, and make it harder for security tools to detect.
7) LeslieLoader
First spotted in 2024, LeslieLoader is a Go-based malware loader that delivers malicious payloads, including the SPARKRAT malware.
It infects systems by decrypting and injecting malware into legitimate processes like notepad.exe, which helps it evade detection and remain hidden.
Recent campaigns suggest that LeslieLoader is primarily targeting organizations in East Asia, but its techniques could easily be applied in broader cyber attack campaigns.
8) BabbleLoader
First identified in 2024, BabbleLoader has been observed delivering infostealer payloads like WhiteSnake and Meduza, which can steal sensitive data from compromised systems.
It employs obfuscation techniques and junk code to mask its presence, making it very difficult to detect during security analysis.
Its primary targets are individuals seeking cracked software and professionals in the finance and administration sectors, where sensitive data is a valuable target.
9) SocGholish
Also known as FakeUpdate, first identified in 2018.
Since then, SocGholish has evolved, adopting more sophisticated techniques to evade detection and improve its infection rates.
It is primarily distributed through fake software update notifications on compromised websites, tricking users into downloading and running what seems like an important update.
New rules for Remote Access Trojans
1) ValleyRAT
First seen in early 2023, ValleyRAT primarily targets Chinese-speaking users, with a focus on professionals in the finance, accounting, and sales sectors.
It features a range of malicious capabilities, including screen monitoring, keystroke logging, and the ability to deploy additional plugins to expand its functionality.
Enhanced evasion techniques like DLL sideloading and process injection are employed to bypass security measures and avoid detection by traditional defenses.
2) SparkRAT
First identified in March 2022, SparkRAT is a cross-platform RAT that targets all major operating systems.
Notable features include remote desktop monitoring, system information gathering, and command execution through terminal access.
It has been observed in cyberattacks targeting government organizations in East Asia, attributed to the threat actor group DragonSpark.
3) I2PRAT
Also known as Ratatouille, first identified in November 2024.
The malware is often delivered via phishing emails, which lead users to fake CAPTCHA pages. These pages trigger malicious JavaScript, which subsequently installs the malware on the system.
To ensure long-term access, I2PRAT creates hidden directories and enforces permission restrictions on compromised systems.
New rules for stealers
1) AtomicStealer (macOS) ARM version
AtomicStealer, also known as PoseidonStealer or AMOS, is a well known malware family targeting macOS.
It embeds itself within .dmg installers, the standard disk image format for macOS, to facilitate infection.
In early January 2025, we observed an undetected shell script deploying AtomicStealer on macOS systems.
Later that month, attackers leveraged a counterfeit DeepSeek website to distribute PoseidonStealer. Users attempting to download the legitimate application were instead tricked into executing a malicious script, leading to malware installation.
2) GlorySprout
First observed in March 2024, GlorySprout is an infostealer designed to harvest sensitive data from infected systems.
It exfiltrates data such as browser history and cryptocurrency wallet information, encrypting the stolen data using an RC4 key before transmitting it to its C2 server.
To evade detection, GlorySprout dynamically resolves APIs, making its execution more stealthy.
The malware maintains persistence by creating a scheduled task, ensuring continued operation on the compromised system.
3) StrelaStealer
First identified in late 2022, StrelaStealer is a credential-stealing malware that targets email clients such as Microsoft Outlook and Mozilla Thunderbird.
Upon execution, it extracts stored email login credentials and transmits them to an attacker-controlled server.
Recent campaigns have primarily targeted Europe, with significant activity observed in Spain, Germany, and Ukraine.
4) DarkCloud
First observed in 2022, DarkCloud is an advanced infostealer designed to exfiltrate sensitive data from compromised systems.
It transmits stolen data via multiple channels, including email, Telegram, and FTP servers, providing attackers with remote access to harvested information.
DarkCloud features a built-in tool that allows attackers to customize its payload, enabling additional capabilities such as clipboard hijacking to steal cryptocurrency funds.
New rules for backdoors
1) CARBANAK
CARBANAK is a remote backdoor and banking malware used by the Carbanak Group (later known as FIN7) to steal over $1 billion from financial institutions worldwide.
Initially delivered via phishing emails, CARBANAK employs keyloggers and administrative utilities to gain access and move within compromised networks.
Attackers leverage CARBANAK for fraudulent transactions, ATM jackpotting, and SWIFT system manipulation, often after months of reconnaissance.
2) Rozena
First observed in 2022, Rozena is a backdoor malware designed to inject shellcode and establish persistent remote access on compromised Windows systems.
It creates a secret entry point for attackers, enabling them to execute commands, steal data, and deploy additional payloads.
To evade detection, Rozena leverages PowerShell scripts and obfuscation techniques, allowing it to remain stealthy.
This malware targets both individuals and organizations and is often associated with broader cyber-espionage campaigns.
3) Berbew
First identified in 2004, Berbew is a backdoor Trojan that enables attackers to remotely access and control compromised systems.
It often operates alongside other malware, such as FormBook, to target and steal sensitive credentials, particularly from banking and financial applications.
Despite its age, Berbew remains a threat due to its continued use in cybercriminal campaigns.
Other YARA rules
1) New rule for potential RAM checks for evasion
A new YARA rule was created to detect HijackLoader’s evasive behavior, specifically targeting its RAM size calculation method.
The malware checks the system’s PageSize and NumberOfPhysicalPages, multiplying them to calculate the real RAM size, an indicator of potential anti-sandbox behavior.
This rule improves our ability to detect HijackLoader and similar malware that attempts to evade analysis by performing system checks to avoid detection.
2) New rule for VBA-AHK delivery chain
Recently, we’ve seen the following delivery chain: XLS -> VBA -> XML -> JScript -> Windows Installer -> AutoHotKey.
This chain involves multiple stages of execution, which is unusual and complex for typical legitimate operations.
AutoHotKey is a legitimate scripting language designed for automation but is also used by attackers to execute custom scripts that carry out malicious activities like keylogging, data exfiltration, or persistence mechanisms.
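A process-ancestry check for the chain above, as an added example that is not part of VMRay's rule set: it walks a process tree and flags AutoHotKey instances whose lineage runs Excel (the XLS/VBA stage) to a JScript host to Windows Installer. The image names per stage are assumptions about typical telemetry; the XML stage is a file passed between stages, not a process, so it has no entry.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str   # process image name as reported by your telemetry

# Stage -> host process images (assumed mapping; adjust to your environment).
VBA_AHK_CHAIN = (
    ("XLS/VBA", {"excel.exe"}),
    ("JScript", {"wscript.exe", "cscript.exe"}),
    ("Windows Installer", {"msiexec.exe"}),
    ("AutoHotKey", {"autohotkey.exe", "autohotkey64.exe", "autohotkeyu64.exe"}),
)

def lineage(procs, pid, max_depth=32):
    """Lower-cased images from the root ancestor down to `pid`; safe on orphans and pid reuse cycles."""
    by_pid = {p.pid: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        chain.append(by_pid[pid].image.lower())
        pid = by_pid[pid].ppid
    return list(reversed(chain))

def matches_chain(procs, leaf_pid, stages=VBA_AHK_CHAIN):
    """True when every stage image appears in order along the lineage.
    Unrelated intermediate processes (cmd.exe, conhost.exe, ...) may sit between stages."""
    i = 0
    for image in lineage(procs, leaf_pid):
        if i < len(stages) and image in stages[i][1]:
            i += 1
    return i == len(stages)

def find_vba_ahk_chains(procs):
    """Pids of AutoHotKey processes whose ancestry matches the full chain."""
    leaf_images = VBA_AHK_CHAIN[-1][1]
    return sorted(p.pid for p in procs
                  if p.image.lower() in leaf_images and matches_chain(procs, p.pid))

# Constructed process tree: one delivery chain, one AutoHotKey started directly by the user.
SAMPLE_TREE = [
    Proc(1, 0, "explorer.exe"),
    Proc(10, 1, "EXCEL.EXE"),
    Proc(11, 10, "wscript.exe"),
    Proc(12, 11, "msiexec.exe"),
    Proc(13, 12, "cmd.exe"),         # installer custom action, interleaved between stages
    Proc(14, 13, "AutoHotkey.exe"),
    Proc(20, 1, "AutoHotkey.exe"),   # legitimate automation run, not flagged
]
```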
3) SystemBC
SystemBC is a proxy malware that transforms infected systems into SOCKS5 proxies, enabling attackers to route their traffic through compromised devices to evade detection and maintain anonymity.
Originally observed targeting Windows systems, SystemBC has since evolved to also infect Linux platforms.
Despite being targeted in the Operation Endgame takedown, this malware family remains active in the wild, continuing to be observed in cyber threats.
4) Havoc C2
First identified in October 2022, Havoc C2 is an open-source post-exploitation command-and-control (C2) framework.
It has been observed in targeted attacks against government organizations, using advanced evasion techniques to avoid detection.
Despite takedown efforts, Havoc remains active in cyberattacks, often exploiting sophisticated infection chains with malicious documents and scripts.
Flexible payload generation allows attackers to create payloads in various formats, including executables, DLLs, and shellcode.
5) Hive (Linux/Golang) RaaS
Hive first emerged in June 2021 as a ransomware-as-a-service (RaaS) operation, primarily targeting healthcare, finance, and critical infrastructure.
The VMRay Platform already includes a YARA rule for Hive, but the rule for detecting Linux Hive ransomware samples is outdated.
The rule has since been updated to support newer Golang-based Hive samples.
6) New rule for Gabagool phishing kit
Recently, we identified a phishing page created using the Gabagool phishing kit. This kit helps threat actors create fake web pages that look real, tricking people into entering their login details. It leverages Cloudflare R2 storage buckets – a method similar to Amazon S3 – allowing attackers to easily deploy their phishing infrastructure.
Gabagool employs a variety of techniques to evade detection and enhance its effectiveness:
Obfuscated JavaScript  – the phishing page is built dynamically, making it harder to analyze through static means.
Bot detection – a built-in detectBots function identifies automation frameworks, headless browsers, and generic bots attempting to analyze phishing sites.
Mouse movement tracking  – Gabagool can detect whether mouse movements are natural, which helps it evade automated analysis systems that struggle to simulate human interactions. But not VMRay! Our advanced detection capabilities accurately identify and flag this behavior.
Credential harvesting  – ultimately, the phishing page aims to steal Microsoft login credentials from unsuspecting victims.
Final Thoughts
We hope that our ongoing research into new malware trends, and the features we bring to our products as a result, help you navigate the complex cybersecurity landscape. Stay tuned for our March signature and detection updates, planned for publication in the weeks ahead, which will bring you an even larger set of freshly created YARA rules and more precise, effective detection capabilities.