The Labs team at VMRay actively gathers publicly available data to identify any noteworthy malware developments that demand immediate attention. We complement this effort with our internal tracking and monitor events the security community reports to stay up-to-date with the latest changes in the cyber threat landscape.
In March 2025, the VMRay Labs team focused on the following areas:
1) New VMRay Threat Identifiers addressing:
- Detecting CPU property queries
2) AutoUI improvements
3) New YARA rules:
- We created and updated around 30 YARA rules last month! Scroll down to discover more about these exciting updates.
Now, let’s delve into each topic for a more comprehensive understanding.
New VTIs
In the last few blog posts, we introduced you to the concept of the VMRay Threat Identifiers (VTIs). In short, VTIs identify threatening or unusual behavior of the analyzed sample and rate the maliciousness on a scale of 1 to 5, with 5 being the most malicious. The VTI score, which greatly contributes to the ultimate Verdict of the sample, is presented to you in the VMRay Platform after a completed analysis. Here’s a recap of the new VTIs that we added or improved in the past month.
VTI to detect CPU property queries
Category: Discovery
MITRE ATT&CK technique: T1082 (System Information Discovery)
Recently, we observed a sample of CryptBot Stealer aiming to identify the system it is running on by querying CPU properties. Specifically, it looks up the full name of the CPU and its operating frequency. This tactic is often used by malware to determine whether it is executing in a virtualized or sandboxed analysis environment.
Why malware checks CPU properties:
1. CPU model name lookup
Malware may query the CPU model name via the Windows registry to identify whether it is running on an Intel Xeon processor. This is significant because:
- Xeon processors are commonly found in enterprise-grade servers and cloud infrastructures.
- Virtual machines and sandbox environments often use Xeon processors, rather than consumer-grade Intel Core i5/i7/i9 CPUs.
- If malware detects a Xeon CPU, it may refuse to execute, assuming it is under analysis in a controlled security environment.
- Conversely, malware targeting high-value corporate networks or cloud environments may specifically look for Xeon processors to ensure it is infecting a relevant system.
2. CPU clock speed query
Malware may also check the approximate CPU clock speed as an anti-analysis measure. This is because many malware sandboxes allocate minimal CPU resources, resulting in an unusually low MHz value.
- If the reported CPU speed is unusually low (e.g., 100 MHz), malware may recognize this as a sandbox and terminate itself to avoid detection.
- By using this method, malware can evade automated threat analysis tools that operate with resource constraints.
To counter these evasion techniques, we have introduced a new VTI that will trigger when a sample attempts to query the CPU model name via the Windows registry, or check the CPU MHz frequency.
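The following is an added example, not VMRay's own VTI implementation: it runs a simple behavioral check over constructed sandbox registry-event lines and flags reads of the CPU model name and the ~MHz value under the CentralProcessor registry key, tagging each hit with the category and ATT&CK technique given above. The `pid=... op=... key=... value=...` log layout is an assumption made for the example.

```python
import re
from dataclasses import dataclass

# Windows stores per-core CPU properties under this real registry path (core index varies).
CPU_KEY_PREFIX = "hkey_local_machine\\hardware\\description\\system\\centralprocessor\\"
# Value names read by the CryptBot sample described above, and why each matters to a sandbox.
CPU_VALUES = {
    "processornamestring": "CPU model name lookup (e.g. spotting Xeon-based analysis hosts)",
    "~mhz": "CPU clock speed query (an unusually low MHz value hints at a sandbox)",
}

# Constructed registry-event lines; the "pid=... op=... key=... value=..." layout is an assumption.
SAMPLE_LOG = r"""
pid=4120 op=RegQueryValueEx key=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value=ProductName
pid=4120 op=RegOpenKey key=HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value=
pid=4120 op=RegQueryValueEx key=HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value=ProcessorNameString
pid=4120 op=RegQueryValueEx key=HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value=~MHz
pid=4120 op=RegQueryValueEx key=HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 value=~MHz
"""

LINE_RE = re.compile(r"pid=(?P<pid>\d+) op=(?P<op>\w+) key=(?P<key>.*?) value=(?P<value>.*)$")


@dataclass(frozen=True)
class Finding:
    pid: int
    value: str
    description: str
    category: str = "Discovery"
    technique: str = "T1082"


def detect_cpu_property_queries(log_text):
    """Return one Finding per (pid, value name) that reads a CPU property from the registry."""
    findings, seen = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["op"] != "RegQueryValueEx":
            continue
        key, value = m["key"].lower(), m["value"].lower()
        # Accept CentralProcessor\<n> for any core index, nothing deeper or elsewhere.
        if not (key.startswith(CPU_KEY_PREFIX) and key[len(CPU_KEY_PREFIX):].isdigit()):
            continue
        if value not in CPU_VALUES or (m["pid"], value) in seen:
            continue  # unrelated value, or the same probe already reported for this process
        seen.add((m["pid"], value))
        findings.append(Finding(int(m["pid"]), m["value"], CPU_VALUES[value]))
    return findings


if __name__ == "__main__":
    for f in detect_cpu_property_queries(SAMPLE_LOG):
        print(f"[{f.category}/{f.technique}] pid {f.pid} read {f.value}: {f.description}")
```

Legitimate software also reads these values, so in practice this signal is weighted together with other behaviors rather than used as a verdict on its own.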
AutoUI Enhancements
AutoUI now clicks on files in OneDrive shared folders
Recently, we analyzed a phishing campaign where a malicious URL led to a OneDrive folder share containing a single PDF file. Previously, our AutoUI feature did not interact with the file, missing the opportunity to trigger a preview or download. Attackers use this technique to bypass traditional phishing detections, as cloud storage links often appear benign and require user interaction to expose their malicious intent.
With this latest enhancement, VMRay’s AutoUI now:
- Clicks on files inside OneDrive shared folders to trigger previews.
- Automatically downloads all files in the folder for deeper analysis.
- Recursively submits downloaded files, ensuring layered inspection.
- Detonates URLs inside PDFs using SLD (Smart Link Detection) to expose final phishing pages.
This update enables automatic interaction with cloud-hosted files, ensuring better visibility into threats that rely on cloud storage as an initial infection vector.
YARA Rules
This month, we’re rolling out another powerful update to the YARA rules package in our VMRay products. Here’s a quick recap of some of the key enhancements.
Stealers
1) PureLogs
- Part of the “Pure” malware family, developed by PureCoder (alongside PureCrypter and PureMiner).
- First observed on hacking forums in October 2022.
- Runs in the background, stealing credentials, browsing history, and cryptocurrency wallet data.
- Uses obfuscation and anti-virtual machine techniques to evade analysis.
2) Frigid Stealer
- First discovered in February 2025, primarily targeting macOS users.
- Disguises itself as fake browser update prompts.
- Harvests login credentials, cookies, and stored passwords from Safari and Chrome.
- Delivered through web inject campaigns linked to TA2726 and TA2727.
- Evades security defenses through social engineering tactics.
3) Mystic Stealer
- First emerged in April 2023, primarily targeting Windows users.
- Steals sensitive data from gaming, banking, and e-commerce platforms.
4) WhiteSnake Stealer
- Sophisticated .NET-based information stealer first identified in early 2022.
- Designed to exfiltrate sensitive data, focusing on web browsers, cryptocurrency wallets, and application credentials.
- Uses a scheduled task to execute every minute, ensuring persistence.
5) PhantomGoblin Stealer
- Newly identified, first detected in March 2025.
- Uses social engineering tactics, mainly targeting web browsers and developer tools.
- Delivered via malicious RAR attachments in phishing emails.
- The RAR file contains LNK shortcut files disguised as legitimate documents.
- Upon execution, a PowerShell script downloads additional payloads from GitHub.
- Stolen data is packed into a ZIP file and sent to a Telegram bot controlled by attackers.
6) Phemedrone Stealer
- Open-source C#-based information stealer.
- Targets Telegram, Steam, and Discord to steal session data.
- Uses anti-analysis techniques to evade detection.
- Has exploited the CVE-2023-36025 vulnerability in Windows Defender SmartScreen to bypass security prompts.
7) Kutaki Stealer
- First seen in 2020, functioning as both an info-stealer and keylogger.
- Records keystrokes to collect sensitive data, including usernames, passwords, and payment details.
- Detects virtual machines, sandbox environments, and debugging tools to avoid detection.
RATs
1) Spectre RAT
- First identified in September 2020, Spectre RAT is a C++-based malware offered as Malware-as-a-Service (MaaS).
- Allows attackers to remotely execute commands, steal credentials, manipulate processes, and exfiltrate sensitive data from infected systems.
- Since its launch, multiple versions have been released, enhancing its capabilities and making it harder to detect.
- Used in attacks against industries like finance, cloud services, gaming, and
2) zgRAT
- Active since 2021, zgRAT allows attackers to remotely control infected systems, steal credentials, and exfiltrate sensitive data.
- Uses Telegram and Discord as exfiltration channels, making detection more challenging while targeting browser credentials and cryptocurrency wallets.
- Delivered through malware loaders, USBs or phishing emails with malicious LNK and BAT file attachments.
3) ToxicEye RAT
- First seen in 2021, built in C#, this RAT allows attackers to carry out a wide range of malicious activities, including data theft and system manipulation, by interacting with a Telegram bot.
- In addition to providing remote access, ToxicEye can exfiltrate sensitive information and deploy ransomware.
- ToxicEye uses the Telegram messaging platform for its C2 communication, making it harder to detect and to block its command traffic.
4) XenoRAT
- First seen in July 2024, this RAT is commonly used for espionage, data theft, and remote execution of malicious commands.
- One of its most dangerous features is its ability to record keystrokes and extract saved credentials from browsers, enabling attackers to steal passwords, banking details, and sensitive information.
- Additionally, XenoRAT can secretly capture screenshots and access webcams, putting users’ privacy at serious risk.
- It also employs persistence mechanisms to remain on the system even after reboots.
5) RokRAT
- Initially detected in 2016, attributed to APT37 (North Korea).
- Utilizes stealthy evasion techniques, including fileless execution and encrypted communication.
- Main capabilities include keylogging, screen capturing, data theft, and remote command execution.
6) Lobshot
- Lobshot is a complex malware discovered in 2022, acting mainly as a RAT with the ability to steal sensitive information.
- One of its key features is a Hidden Virtual Network Computing (hVNC) module, which allows attackers to secretly control the victim’s desktop without being detected.
- The TA505 cybercrime group, notorious for financially driven attacks, is believed to be behind the distribution of Lobshot.
Ransomware
1) Lockbit 4.0
- YARA coverage for the latest variant of Lockbit 4.0.
- This variant introduces evasion techniques, such as disabling security features like Windows Antimalware Scan Interface (AMSI).
- Uses heavy obfuscation, hiding its payload inside seemingly legitimate system processes.
- Leverages multi-threading to accelerate encryption, rapidly locking down files before incident responders can react.
2) Trigona Ransomware
- First observed in 2023, Trigona encrypts files and appends a unique file extension.
- Drops ransom notes in affected directories, instructing victims to contact attackers via a Tor-based portal.
- Victims are typically asked to pay in Monero (XMR) or Bitcoin (BTC) for decryption.
- Uses customized ransom notes and unique victim identifiers, making automated decryption difficult.
3) Zombie Ransomware
- Zombie is a ransomware strain belonging to the MedusaLocker family, a well-known group of ransomware variants that primarily target large organizations rather than individual users.
- It encrypts the victim’s data using strong encryption algorithms, rendering files inaccessible.
- Once encryption is complete, it demands a ransom payment in exchange for the decryption key, threatening permanent data loss or public data exposure.
4) Mimic Ransomware
- First identified in 2022, this ransomware encrypts files and demands cryptocurrency payments for decryption.
- Suspected to be built on a leaked CONTI ransomware builder.
- Misuses APIs from “Everything”, a legitimate Windows file search tool by Voidtools, to quickly locate and encrypt specific files.
5) MauiCrypt
- Discovered in 2021, attributed to North Korean state-sponsored hackers.
- Primarily targets healthcare and public health sectors, encrypting critical servers storing electronic health records, diagnostics, and imaging data.
- Unlike most ransomware, Maui does not execute encryption automatically—attackers manually select files via a command-line interface.
- Does not leave a ransom note, suggesting attackers communicate directly with victims for ransom demands.
Other YARA Rules
1) YARA signatures on AntiSandbox checks
We’ve updated our YARA signatures to detect anti-sandbox techniques used by Latrodectus and HijackLoader.
- Latrodectus checks how many processes are running before it executes. On Windows 10 and 11, it requires at least 75 active processes; on Windows 8.1 and older, it needs 50 active processes. If there aren’t enough, it simply shuts down, likely to avoid running in sandboxed or low-resource environments.
- HijackLoader checks the system’s RAM size before running. It calculates the total memory by measuring the number of physical pages and their size. If the system has less than a certain amount of RAM, HijackLoader won’t execute properly, using yet another trick to evade analysis in restricted environments.
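Sandbox operators can turn the two thresholds above into a quick audit of their analysis images. The block below is an added example, not VMRay's code: it reports where a VM profile falls short of the Latrodectus process-count minimums (75 on Windows 10/11, 50 on 8.1 and older) and of a RAM minimum computed the way HijackLoader does, from physical page count times page size. The text does not state HijackLoader's RAM threshold, so that value is an assumed, adjustable parameter.

```python
from dataclasses import dataclass

# Windows families on which Latrodectus demands 75 running processes; older ones need 50.
NEWER_WINDOWS = {"windows 10", "windows 11"}


@dataclass(frozen=True)
class SandboxProfile:
    os_family: str         # e.g. "Windows 10", "Windows 8.1"
    process_count: int     # processes visible inside the analysis VM
    physical_pages: int    # physical memory pages, the quantity HijackLoader multiplies out
    page_size: int = 4096  # bytes per page on x86/x64


def audit_sandbox_profile(profile, assumed_min_ram_bytes=4 * 1024 ** 3):
    """Return {check: (observed, required)} for every threshold the image falls below.

    The RAM minimum HijackLoader enforces is not given in the text, so it is a parameter
    defaulting to an assumed 4 GiB; the process-count thresholds are the reported ones.
    """
    shortfalls = {}
    required_procs = 75 if profile.os_family.lower() in NEWER_WINDOWS else 50
    if profile.process_count < required_procs:
        shortfalls["latrodectus_process_count"] = (profile.process_count, required_procs)
    total_ram = profile.physical_pages * profile.page_size  # RAM as HijackLoader computes it
    if total_ram < assumed_min_ram_bytes:
        shortfalls["hijackloader_ram_size"] = (total_ram, assumed_min_ram_bytes)
    return shortfalls


if __name__ == "__main__":
    # Constructed profiles: a slim Windows 11 image and a better-provisioned Windows 8.1 one.
    for p in (SandboxProfile("Windows 11", 58, 524288), SandboxProfile("Windows 8.1", 62, 1048576)):
        result = audit_sandbox_profile(p)
        print(p.os_family, "OK" if not result else result)
```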
2) YARA signatures on PyInstaller/PyArmor/Py2Exe
Malware may be hidden inside Python-based executables created with PyInstaller, PyArmor, and Py2Exe—tools originally meant for packaging legitimate applications. Cybercriminals abuse these tools to make their malware harder to detect.
- Instead of storing malicious code in regular files, these executables unpack and run the code directly in memory, making traditional antivirus less effective.
- Since the final file looks like a normal application, it can bypass security scans and sandbox checks.
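As an added triage helper (not one of VMRay's YARA rules), the block below scans a PE image for the byte markers these three packers leave behind, so that such executables can be routed to deeper inspection. The PyInstaller archive magic and py2exe's PYTHONSCRIPT resource name are well-known constants; the PyArmor runtime names are an assumption to verify against your own samples, and the input bytes are constructed for the example.

```python
# Byte markers each packer leaves in the produced executable.
PACKER_MARKERS = {
    # PyInstaller's archive cookie magic, a well-known constant.
    "PyInstaller": [b"MEI\x0c\x0b\x0a\x0b\x0e"],
    # py2exe stores the frozen script in a resource named PYTHONSCRIPT.
    "py2exe": [b"PYTHONSCRIPT"],
    # PyArmor runtime module names; an assumption, verify against real samples.
    "PyArmor": [b"pyarmor_runtime", b"pytransform"],
}

# Constructed stand-in for a PyInstaller-built PE: DOS header stub, filler, then the cookie.
FAKE_PYINSTALLER_EXE = b"MZ" + bytes(62) + b"frozen app data" + b"MEI\x0c\x0b\x0a\x0b\x0e" + bytes(16)


def identify_python_packers(data: bytes) -> list:
    """Return names of Python packers whose markers appear in a PE image; [] for non-PE data."""
    if data[:2] != b"MZ":  # only PE files (MZ header) are of interest here
        return []
    return [name for name, markers in PACKER_MARKERS.items()
            if any(marker in data for marker in markers)]


if __name__ == "__main__":
    print("packers found:", identify_python_packers(FAKE_PYINSTALLER_EXE))
```

A hit only says the file is a Python-based executable; packaging by itself is not malicious, so the result is a reason to unpack and inspect, not a verdict.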
3) YARA signature for AlfaTeam Webshell
AlfaTeam Webshell is a malicious PHP-based webshell used by attackers to gain unauthorized remote access to compromised web servers.
- Webshells like this allow cybercriminals to execute commands, upload/download files, manipulate databases, and maintain persistence on infected servers.
- Designed to evade basic security detections by obfuscating code and using encryption, it can also be used to steal login details and gain higher access to the system.
4) Matanbuchus
First discovered in 2021, Matanbuchus is a Malware-as-a-Service (MaaS) loader. It deploys malicious payloads, including Cobalt Strike, onto infected systems.
- Targets enterprises, often bypassing security measures using advanced evasion techniques.
- Modular design allows customization, enabling threat actors to deliver various types of malware.
5) GCleaner
GCleaner is a Pay-Per-Install (PPI) loader for multiple malware strains, first seen in early 2019.
- Operates as a malware distribution platform, delivering different payloads based on the victim’s geolocation.
- Masquerades as a legitimate system optimization tool but facilitates the distribution of various malicious payloads.
- Once active, GCleaner connects to multiple C2 servers to receive further instructions. This allows attackers to dynamically modify the payloads, ensuring the malware can adapt to different targets and security environments.
6) HermeticWiper
HermeticWiper is a type of destructive malware (wiper) first observed in February 2022 during cyberattacks against Ukrainian organizations.
- Designed to corrupt the Master Boot Record (MBR) and Master File Table (MFT) of infected systems, rendering them inoperable.
- Unlike ransomware, which encrypts files for ransom, HermeticWiper is purely destructive; it wipes system data and makes recovery difficult.
7) Xorbot (Linux)
First seen at the end of 2024, primarily used for DDoS attacks, botnet operations, and data exfiltration. It is believed to be a variant of older Linux botnets such as XorDDoS and Mirai.
- Spreads through brute-force SSH attacks, exploiting weak or default credentials on Linux servers.
- Modifies system configurations to ensure it survives reboots, often by adding itself to startup scripts.
8) Prometei
Prometei is a modular botnet that works mainly as a cryptocurrency miner and credential stealer. First identified in 2020, it’s believed to have been active since 2016 and has versions for both Windows and Linux.
- The botnet spreads across networks by exploiting vulnerabilities in Microsoft Exchange servers and using SMB and RDP exploits to gain access.
- It has caused widespread damage, particularly in countries like Brazil, Indonesia, and Turkey.
9) Kinsing (Linux)
Kinsing is a type of malware primarily associated with cryptojacking and cloud security threats. It targets misconfigured Docker, Kubernetes, and Linux servers, exploiting weak security settings to gain unauthorized access.
- First observed in early 2020, Kinsing malware actively exploits misconfigured Docker API endpoints and vulnerabilities in cloud environments to deploy cryptojacking payloads.
- Over time, it has been linked to multiple exploitation campaigns, including attacks leveraging vulnerabilities in WordPress plugins, Redis servers, and Java-based applications (like Oracle WebLogic and Spring Boot).
- Deletes other cryptominers to monopolize system resources and removes security logs and processes to evade detection.
10) Extended YARA coverage for MsVoiceMail phishing
A new phishing campaign uses Microsoft-themed voicemail-like phishing landings to lure victims into providing credentials.
- People are generally more likely to trust messages from well-known companies, especially those that resemble legitimate Microsoft communications.
- This familiarity increases the likelihood of users falling for the scam.
11) Extended YARA coverage for Pastejacking samples (Google Meet, Windows Update)
Recently, we came across a new pastejacking campaign. This time, Google Meet and Windows Updates are the used themes/brands to hide the maliciousness of the pages.
- Threat actors use these lures to trick users into clicking “Join Now” or “Update Now” buttons.
- To enhance detection, we have expanded YARA coverage to identify these behaviors.
Final Thoughts
March 2025 has been a particularly active month for our Labs team, with significant enhancements to our YARA rule set across multiple threat categories. As attackers refine their tactics, our ongoing commitment remains clear – to stay ahead of the curve, proactively enhancing detection, and equipping defenders with the tools needed to counter modern cyber threats. Stay tuned for our April edition of signature and detection updates, planned to be published in the weeks ahead.