VMRay (@vmray)

2.7K posts

Sandboxing reinvented for the threats of today - and tomorrow. | Imprint: https://t.co/yZtPfo2ySF

Boston, MA · Joined November 2013
2.1K Following · 4.1K Followers

Pinned Tweet

VMRay @vmray
🚨 Alert: Evolution of EtherHiding in ArechClient2
🔬 Report: vmray.com/analyses/ether…

ArechClient2 has been using the Binance Smart Chain (BSC) to fetch C2 servers (a technique known as EtherHiding) since at least June 2025, but we observed a change in the technique in a more recent sample. In the past, a single API endpoint hxxps[:]//bsc-dataseed1[.]binance[.]org was used for this, but in this new sample we see requests to 10 different API (sub)domains. While it is currently unclear why the sample queries the same smart contract on 10 different API endpoints, it is likely an attempt to circumvent blocking, or a first step into diversification of API endpoints used to access the smart contracts. Either way, due to a limited number of possible API endpoints, this still is a great detection opportunity to detect malware (for example ArechClient2, SharkStealer) that uses EtherHiding.

🔎 In a nutshell:
- ArechClient2 contains one hardcoded C2, fetches second C2 server from Binance Smart Chain via RPC call (eth_call)
- Smart contract returns base64 encoded tuple (with "START" and "FINISH" markers) consisting of IV and encrypted C2 IP
- Executable uses embedded hardcoded key plus IV to decrypt C2 channel (AES)
- We identified samples communicating with three different smart contracts, one of them being updated very frequently
- 10 different BSC API endpoints queried in recent sample

🔐 Find the full decryption procedure here: https://gchq.github.io/CyberChef/#recipe=From_Hex('Auto')Regular_expression('User%20defined','START(.*)FINISH',true,true,false,false,false,false,'List%20capture%20groups')From_Base64('A-Za-z0-9%2B/%3D',true,false)To_Hex('Space',0)Comment('Fetch%2016%20bytes%20IV')Register('(.%7B48%7D).*',true,false,false)Comment('Fetch%20encrypted%20C2')Regular_expression('User%20defined','.%7B48%7D(.*)',true,true,false,false,false,false,'List%20capture%20groups')AES_Decrypt(%7B'option':'Base64','string':'VOqkXCYMgproaIQIj50Z2tsBru1ULFzXeKKKg19WMTs%3D%3D'%7D,%7B'option':'Hex','string':'$R0'%7D,'CBC','Hex','Raw',%7B'option':'Hex','string':''%7D,%7B'option':'Hex','string':''%7D)&input=MHgwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDIwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAzNzUzNTQ0MTUyNTQ3MDRiMmY2NTMwNmY1MTc2NDk3NzM2NmY1OTQxNzM0YzQzNjc3NTcwN2E2MzM4MzM0ZTQ0NDc2ZDMzNzU2NjcxNGY3MjUyNDk3MjM5MzY1NjYzMzc1NTNkNDY0OTRlNDk1MzQ4MDAwMDAwMDAwMDAwMDAwMDAw

🧬 IoCs:
- 79326544757d48a9f0fc0cfd9628df712a92271fa85e1194c5132fa465896e72
- Contract: 0xbd75e2f339d4aebf72ff13f3af4c27096f709a4d
- AES Key: VOqkXCYMgproaIQIj50Z2tsBru1ULFzXeKKKg19WMTs=
- C2: 138[.]226[.]238[.]96:443

🌐 BSC API endpoints:
- hxxps[:]//bsc-dataseed1[.]binance[.]org
- hxxps[:]//bsc-dataseed2[.]binance[.]org
- hxxps[:]//bsc-dataseed3[.]binance[.]org
- hxxps[:]//bsc-dataseed4[.]binance[.]org
- hxxps[:]//bsc-dataseed1[.]ninicoin[.]io
- hxxps[:]//bsc-dataseed2[.]ninicoin[.]io
- hxxps[:]//bsc-dataseed1[.]defibit[.]io
- hxxps[:]//bsc-dataseed2[.]defibit[.]io
- hxxps[:]//bsc-dataseed3[.]defibit[.]io
- hxxps[:]//bsc-dataseed4[.]defibit[.]io

VMRay @vmray
A year. Real samples. Real threats. Real comparison. vmray.com/customer-succe… This North American bank didn't return to VMRay because of a sales conversation. They returned because twelve months of operational data left no other conclusion. "Ultimately, our journey led us back to VMRay for one simple reason: unmatched accuracy and reliability in detecting and analyzing malicious activities. VMRay isn't just a solution; it's an essential component of our cybersecurity strategy, providing us with the peace of mind we need to defend against sophisticated threats." - SOC Analyst, North American Bank The gap they discovered wasn't visible in a demo. It wasn't apparent in the first weeks. It emerged in the accumulation of samples the alternative passed and VMRay caught. Read their full story → 🔗 vmray.com/customer-succe…

VMRay @vmray
Data sovereignty isn't a compliance checkbox anymore. For a growing number of organizations, it's the architectural requirement that decides which vendors stay on the shortlist. vmray.com/release-highli…

With the VMRay Platform release 2026.2.0, we're introducing VMRay Cloud hosted in the AWS European Sovereign Cloud, located in Germany. Data hosted and processed entirely within the EU. Operations within EU sovereignty boundaries. Access limited to EU-resident personnel. Full analytical capability, no trade-off.

Alongside that, the release brings several meaningful updates for security teams:
🔹 Recursive threat visibility — threat names and classifications from deep analysis now surface automatically in the parent sample view. Full context at a glance, without digging through the analysis tree.
🔹 Enhanced tag support — broader special character support means alert IDs and identifiers from SIEMs, EDRs, and connectors like Microsoft Defender for Endpoint map cleanly into VMRay submissions. Fewer workarounds, smoother correlation.
🔹 IP allowlisting for Cloud login — account managers can now restrict login access to approved networks. A simple control that meaningfully reduces the attack surface.
🔹 Faster PDF report generation — rebuilt from the ground up. Reports that previously took tens of seconds now generate in seconds.

Full release highlights → vmray.com/release-highli…

VMRay @vmray
The dashboards got better. The detections did not. What looked like a comprehensive security platform turns out to be a sophisticated aggregation layer sitting on top of thin analytical capabilities.

For more than a decade, the cybersecurity industry has optimized for consolidation. Fewer vendors. Single panes of glass. Unified platforms. And the result has often been impressive: polished interfaces, sophisticated workflows, endless threat feeds. But when a real incident happens, and analysts have to explain exactly how an attack worked, the answers are frequently shallow. Incomplete. Hard to defend.

This is Part 1 of our new series for CISOs: Strategic Decisions for CISOs. In this first piece, we examine
- the core competence the industry quietly underinvested in,
- why analysis quality is becoming the metric that separates real security from the appearance of it, and
- what a growing number of organizations are discovering when they actually put their platforms to the test.

Analysis is a craft. Consolidation alone cannot replace it.
🔗 vmray.com/strategic-deci…

VMRay @vmray
Ransomware is still the final payload. But how it gets onto the device... That changes almost weekly. vmray.com/malware-phishi…

Defenders aren't just fighting malware; they are tackling the ever-evolving delivery mechanisms. In our H2 2025 Threat Landscape Report, VMRay Labs breaks down the exact shifts in attacker behavior that are bypassing static defenses. The biggest takeaway? Attackers are increasingly pushing the execution step onto the user.

In our report you'll find details on:
🔹 The evolution of ClickFix and fake CAPTCHAs to force user-driven execution.
🔹 The Top 10 Malware Families: The remote access trojans and stealers dominating the landscape, and why they still work.
🔹 Shifting Vectors: From SVG phishing to malicious supply chain dependencies.

For the full breakdown of how to detect these evasive techniques, read the complete report:
🔗 vmray.com/malware-phishi…

VMRay @vmray
The teams building and running security automation don't need more data. They need data they can act on, without spending hours validating it first. vmray.com/customer-succe… That distinction matters most at scale. When your workflows span EDR, SOAR, and a Threat Intelligence Platform across a 100,000+ person organization, every unreliable verdict creates friction that compounds across the entire pipeline. High-fidelity analysis isn't a nice-to-have in that environment. It's what automation runs on. Read the full story → vmray.com/customer-succe…

VMRay @vmray
VMRay has joined the Microsoft Intelligent Security Association (MISA). Our integrations with Microsoft Sentinel and Microsoft Defender for Endpoint bring deep, behavior-based malware and phishing analysis into the workflows security teams already rely on, helping them triage faster, cut through noise, and respond to evasive threats with greater confidence. Glad to be part of an ecosystem built around making security work better for defenders.

VMRay @vmray
Security automation is only as effective as the intelligence feeding it. If you automate incident response based on noisy data, you just create faster mistakes.

Microsoft just featured VMRay in their RSAC 2026 update on the Microsoft Sentinel connector ecosystem, highlighting how our integration brings automated sandbox analysis and behavior-based threat intelligence directly into Sentinel workflows. aka.ms/SentinelIntegr…

We built this connector to solve a specific operational bottleneck: bridging the gap between initial detection and high-fidelity investigation. The integration allows SOC teams to automatically route suspicious files and phishing URLs from Sentinel directly to VMRay for dynamic analysis. What returns isn't a raw data dump. It’s validated, high-confidence IOCs streamed straight into Sentinel’s Threat Intelligence repository, giving your analysts the exact context they need to correlate threats, and providing your workflows with the reliable inputs required to actually trigger a response. Less manual triage. Faster, accurate detection.

Read Microsoft's full ecosystem update here: 🔗 aka.ms/SentinelIntegr…
Explore the VMRay connector in the Microsoft Security Store: 🔗 securitystore.microsoft.com/solutions/vmra…

VMRay @vmray
User-reported phishing is one of the highest-volume, most time-consuming tasks a SOC team deals with. Most of what gets reported is benign. But the ones that aren't demand fast and accurate triage. And that's exactly where the process tends to break down. zoom.us/webinar/regist…

On March 24, join Serge Haumont from our team for our March Detection & Intelligence Highlights webinar. The main demo: how VMRay's integration with Microsoft Defender for Office helps SOC teams efficiently investigate and manage user-reported phishing: cutting through the noise without cutting corners.

Alongside that, Serge will walk through the latest detection innovations from VMRay Labs:
🔹 DLL injection detection: surfacing malware hiding inside trusted Windows processes
🔹 SyncAppvPublishingServer & ntdll.dll abuse: catching proxy execution used to evade monitoring
🔹 WMI uptime checks: detecting sandbox-aware malware before it goes quiet
🔹 ClickFix & pastejacking: AutoUI updates that automatically uncover social-engineering chains
🔹 New YARA rules & config extractors: expanded coverage across malware families

Practical and to the point. Built for SOC analysts, CTI teams, detection engineers, and threat hunters.
🔗 zoom.us/webinar/regist…

VMRay @vmray
🏛️ When you're defending a 100,000+ person organization, scaling security automation requires more than just connecting your tools: it requires reliable data. vmray.com/customer-succe…

This major European government department had the orchestration in place: EDR, SOAR, Threat Intelligence Platform. But their automated workflows needed something more precise at the analysis layer. Standard sandboxing wasn't delivering the verdict accuracy, IOC quality, and clarity required to reduce manual review cycles at scale.

They integrated @vmray as a specialized analysis component. Not to replace what they had built, but to make it work better. The result: significantly reduced manual triage, cleaner inputs into SOAR playbooks and SIEM, and an automation pipeline that could finally run at the pace the threat landscape demands.

The key takeaways from their deployment:
🔹 Evasion resistance is non-negotiable: You cannot automate a response to a threat you cannot fully observe.
🔹 Filter the noise: Standard sandboxes often output raw data dumps. True automation requires filtering out benign activity to produce automation-safe IOCs.
🔹 API-first orchestration: Intelligence must flow directly into existing playbooks to eliminate manual review cycles.

Full story → vmray.com/customer-succe…

VMRay @vmray
Next week, VMRay's CEO & Co-founder Dr. Carsten Willems and VP of Products Uriel Cohen will be at RSAC 2026 in San Francisco. 🤝 If you're a security leader or practitioner looking to exchange ideas on where threat intelligence and malware analysis are heading, or if you want to explore how to bridge the gap between deep technical analysis and operational clarity, we'll be there for exactly that. To keep leading innovation in cybersecurity built on community and collaboration. See you in San Francisco! 🌉

VMRay @vmray
SANS Institute provides defenders with the tactical foundation to hunt and respond to threats. But applying those skills in a noisy environment requires the ability to reliably extract high-fidelity Threat Intelligence from evasive malware and phishing threats. Next week, we are heading to SANS 2026 in Orlando to discuss how teams can integrate evasion-resistant sandboxing and precise malware analysis directly into their daily workflows. If you are attending, let’s connect to talk about reducing manual triage, filtering the noise, and extracting the IOCs that actually matter.

VMRay @vmray
🛡️ Malware doesn't announce itself. It blends in, using built-in Windows tools, trusted system components, and everyday traffic like DNS and image downloads to move quietly and stay hidden. Our February 2026 Detection Highlights documents exactly how: vmray.com/february-2026-… DNS lookups used to smuggle stolen data out. Legitimate Windows components like SyncAppvPublishingServer repurposed to launch malicious PowerShell. Security vendor domains silently redirected to nowhere, cutting systems off from the tools meant to protect them. In response, the VMRay Labs team shipped 8 new threat identifiers, expanded config extractors for Telegram-based phishkits and SantaStealer, improved ClickFix coverage in AutoUI, and added 30+ fresh YARA rules — covering stealers, RATs, loaders, packers, and phishing techniques. The full breakdown, with behavioral context on each detection, is in the link below. 🔗 vmray.com/february-2026-…

VMRay @vmray
🚀 @vmray and @Broadcom announce official partnership & on-premise sandbox integration vmray.com/broadcom-on-pr…

🔎 What this integration delivers:
• High-fidelity malware and phishing analysis powered by VMRay
• Seamless integration with Broadcom security environments
• On-premise deployment for maximum data control and compliance

🤝 We’re excited to collaborate with Broadcom, Broadcom customers and their partner ecosystem to bring this solution to market. If your team is interested in participating in the Early Adopter Program, we’d be happy to connect and discuss next steps.

👉 Learn more about the integration: vmray.com/broadcom-on-pr…

VMRay @vmray
If you're using @MISPProject for Threat Intelligence, this one's for you. vmray.com/setting-up-uni…

To help CTI teams operationalize their data, we are launching a new technical series by Koen Van Impe @cudeso focused on getting the most out of VMRay within MISP, starting with a step-by-step guide to setting up the VMRay UniqueSignal feed. Not just a config walkthrough. It covers the kind of detail that saves you an afternoon of trial and error:
- feed types,
- authentication,
- distribution settings,
- tagging with the Admiralty Scale,
- scheduling ingestion, and
- building dashboard widgets to monitor feed activity

Next up in the series: operationalising UniqueSignal with Microsoft Defender, Sentinel, and custom MISP workflows.
🔗 vmray.com/setting-up-uni…

VMRay @vmray
🚨 Alert: New cryptocurrency stealer likely written in Zig
🔬 Report: vmray.com/analyses/vidar…

We found a multi-stage infection chain delivering what appears to be a new cryptocurrency clipper, likely written in Zig. The infection begins with Vidar, which drops a heavily obfuscated AutoIt script that injects and executes the Zig-based stealer. This stealer resolves its C2 address through a BSC smart contract, a technique known as EtherHiding. Its primary purpose appears to be replacing cryptocurrency addresses in the clipboard with an attacker-controlled wallet.

🔎 In a nutshell:
- Vidar → SFX → AutoIt Loader → Zig Crypto Stealer
- The AutoIt script is heavily obfuscated; the next-stage payload is RC4-decrypted then LZNT1-decompressed at runtime before injection
- Script contains junk code and performs multiple anti-sandbox and anti-AV checks, timing-based evasion, and a DNS request to a non-existing domain
- C2 address is resolved via a BSC smart contract (EtherHiding)
- Constantly polls clipboard for multiple cryptocurrency address formats: BTC, ETH, etc.
- When a match is found: exfiltrates the victim's original address to the C2 and replaces it with attacker wallet
- Likely written in Zig as some strings are uniquely associated with that language
- Querying the attacker's smart contract transactions, one can identify many more C2 addresses
- In recent days the sample seems to drop a different payload, no longer the Zig crypto stealer

🧬 IoCs:
- Zig sample SHA256: a82d031d99b15f8eb5a1d8cc24e55fec6d393d549edde8da9507f3cf17503ce1
- C2: quartermaster-sec[.]cc
- Smart contract address: 0x7CC3cFC1Ac007B8c6566fD2C7419b15a75473468 via API endpoint hxxps[:]//data-seed-prebsc-1-s1[.]binance[.]org:8545
- Vidar sample SHA256: 62338c7764f4e82105ea52fab868e1f04dc2f54bb44c5a47ddac685eacd6ed3c
- C2: 65.21.165[.]15
- Steam profile: hxxps[:]//steamcommunity[.]com/profiles/76561198736378968

🧩 More C2s from other smart contracts by the same creator.

⭐ Credits: Likely related sample documented by @0xfluxsec via fluxsec.red/analysing-an-A… (but their AutoIt script does not seem to drop the Zig crypto clipper highlighted here)

VMRay @vmray
One of Europe's biggest cybersecurity gatherings is just around the corner. And we'll be there. 🇫🇷 VMRay is heading to InCyber Forum in Lille (31 March – 2 April). Come talk to us about what it actually takes to detect evasive malware and phishing threats, and build Threat Intelligence you can trust, not just collect. Find us at Lille Grand Palais. Let's connect. 🤝

VMRay @vmray
In Threat Intelligence, analyzing WHO is targeted often reveals the WHY behind a campaign. Our latest collaborative research by independent researcher Pol Thill reveals a highly structured, state-sponsored targeting matrix: Water utilities. Energy grids. Government agencies. Across 8 countries — and reconnaissance reaching 200+ more.

This is the footprint of Hydra Saiga (also tracked as YoroTrooper / ShadowSilk) — a state-sponsored threat actor that has been quietly active since 2021, and shows no sign of slowing down.

A clear pattern emerges from the victimology:
🔹 Strategic alignment: Heavy targeting of critical water and energy infrastructure in Central Asia.
🔹 Sector footprints: Unique industry focus by region—such as Water infrastructure exclusively in the CIS, and Aviation in the Middle East & Africa.

For CTI and SOC teams, mapping these overlaps helps filter noise and prioritize defensive resources based on realistic risk profiles, rather than generic global alerts. Watch the global spread below. The full execution logic, and all extracted IOCs & TTPs (now available within the VMRay UniqueSignal Threat Intelligence Feed), are detailed in our complete analysis:
🔗 vmray.com/hydra-saiga-co…

VMRay @vmray
🚨 Alert: Covert payload delivery through alternative object storage platforms
🔬 Report: vmray.com/analyses/cover…

📦 In a newly observed attack chain, threat actors have started exploiting lesser-known object storage platforms like cubbit[.]io or ufs[.]sh as disposable payload safehouses.

🥷 The chain starts off with an obfuscated VBScript, unfolding into an obfuscated PowerShell downloader. The PS1 script downloads a seemingly harmless image file, pulled from one of these object storage platform providers. Using simple steganography, a Base64 .NET Injector payload is concealed as appended bytes at the end of the image file. The smuggled .NET Injector is then reflectively loaded into RegAsm.exe and a final Agent Tesla payload is downloaded. This attack chain shows how modern delivery chains are constantly looking for alternative platforms to host and conceal their payload.

🔎 Key takeaways:
- VBS → PS1 → GuLoader / Image (steganography) → .NET Assembly → Payload on cubbit[.]eu → RegAsm.exe → Agent Tesla
- Initial VBScript utilized junk code, Base64 obfuscation, word slicing, reverse string, and character substitution
- Dropped PowerShell script (Base64 encoded) uses character replacement to thwart static analysis
- Downloads a payload (usually GuLoader) from hosting site ufs[.]sh
- Pulls an image file from firebasestorage.googleapis[.]com, which has a Base64 blob at the end (steganography)
- PowerShell parses the Base64 blob, decodes it and uses Reflection.Assembly to load the revealed executable (protected with SmartAssembly)
- Dynamically locates a method named 'runss' on a type called 'Homees', invokes it with a remote payload hosted on cubbit[.]io
- Injects the remote payload (Agent Tesla) into RegAsm.exe

🧬 IoCs:
- 1c216dc51330c5f56cc37f7e37b3516e57b172bd83f787788f80dcdb88b5545b
-  hxxps://firebasestorage.googleapis[.]com/v0/b/remasd-6c702.firebasestorage.app/o/image.jpg?alt=media&token=b9d8bf3e-b1eb-4c56-9434-d4af570d4a91
- hxxps://au72nuxzv2.ufs[.]sh/f/4LhV5B1sDCwIrgzpCwYKXE4gwWVSzU8Dck1rs5tJYqhnmpx6
- hxxps://zip1.s3.cubbit[.]eu/SCANNED%20COPIES%20OF%20FINAL%20CONTRACT%20PDFupload.txt
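As an added Go example (the editor's code, not VMRay's and not the analyzed scripts), the check below looks for exactly what the post describes: bytes appended after a JPEG's End-Of-Image marker that base64-decode to an MZ executable header. The minimal JPEG and the "assembly" bytes are constructed placeholders, and the type and function names are the editor's.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
)

// Finding records what sits after a JPEG's End-Of-Image marker (FF D9).
type Finding struct {
	TrailerLen  int    // bytes appended after EOI; 0 for a clean file
	Decoded     []byte // base64 decoding of the trailer, nil if it is not base64
	LooksLikePE bool   // decoded data begins with the MZ DOS header magic
}

// InspectJPEGTrailer flags data appended after the last EOI marker. A JPEG
// decoder stops at EOI, so anything behind it is not image data; the chain
// in the post appends a base64 .NET assembly there, which decodes to MZ.
func InspectJPEGTrailer(img []byte) (Finding, error) {
	var f Finding
	if len(img) < 4 || img[0] != 0xFF || img[1] != 0xD8 {
		return f, fmt.Errorf("not a JPEG: missing SOI marker")
	}
	eoi := bytes.LastIndex(img, []byte{0xFF, 0xD9})
	if eoi < 0 {
		return f, fmt.Errorf("no EOI marker: truncated or not a JPEG")
	}
	trailer := bytes.TrimSpace(img[eoi+2:])
	f.TrailerLen = len(trailer)
	if f.TrailerLen == 0 {
		return f, nil
	}
	// The loader described in the post reads the trailer as text, so try base64.
	if decoded, err := base64.StdEncoding.DecodeString(string(trailer)); err == nil {
		f.Decoded = decoded
		f.LooksLikePE = bytes.HasPrefix(decoded, []byte("MZ"))
	}
	return f, nil
}

// MinimalJPEG is a constructed stand-in for a real image: SOI, a short APP0
// segment and EOI only.
var MinimalJPEG = []byte{0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x04, 0x4A, 0x46, 0xFF, 0xD9}

// FakeAssembly is a constructed placeholder for the smuggled .NET injector:
// just the DOS header magic and stub text, not an executable.
var FakeAssembly = []byte("MZ\x90\x00\x03\x00This program cannot be run in DOS mode.")

// BuildStegoSample appends the base64 payload to the image the way the chain does.
func BuildStegoSample() []byte {
	out := append([]byte{}, MinimalJPEG...)
	return append(out, base64.StdEncoding.EncodeToString(FakeAssembly)...)
}

func main() {
	clean, _ := InspectJPEGTrailer(MinimalJPEG)
	stego, _ := InspectJPEGTrailer(BuildStegoSample())
	fmt.Printf("clean image: %d trailer bytes\n", clean.TrailerLen)
	fmt.Printf("stego image: %d trailer bytes, decodes to PE header: %v\n", stego.TrailerLen, stego.LooksLikePE)
}
```

Some cameras and editors also leave non-malicious data after EOI, so a non-empty trailer alone is a triage signal; the base64-to-MZ decode is what distinguishes this chain.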