VMRay (@vmray)

2.7K posts

Sandboxing reinvented for the threats of today - and tomorrow. | Imprint: https://t.co/yZtPfo2ySF

Boston, MA · Joined November 2013
2.1K Following · 4.1K Followers

Pinned Tweet
VMRay @vmray
🚨 Alert: New GaiaTools crypter-and-loader service spotted in stealthy multi-stage attack: vmray.com/analyses/gaiat…

🔍 This new, multi-stage attack delivery chain pivots from a Batch script to PowerShell, retrieving a staged payload via Pastee[.]dev and de-obfuscating it through layered Base64 and single-byte XOR transformations. The attack culminates in shellcode execution and deployment of an AutoIt-based loader, ultimately injecting an encrypted payload into the legitimate charmap.exe process to evade detection. Final C2 is established through GaiaTools, a seemingly new crypter-and-loader service advertised on Telegram.

GaiaTools is promoted as being able to crypt executables at scale, with in-memory shell execution capabilities and syscall-based code execution. They also offer a small, tiny PE loader with the customer's baked-in gate URL for fetching a final payload, a Golang infostealer this time.

🛠️ Takeaways:
⛓️ Attack chain: Batch → PowerShell → Pastee[.]dev → PowerShell → Base64 → XOR → Shellcode → AutoIt loader → Encrypted payload (XOR) → Inject to charmap.exe → GaiaTools C2
🎭 Obfuscated Batch script using env vars to build commands and strings one character at a time, using a substitution / lookup table
📥 PowerShell command to grab staged loader from Pastee[.]dev
🧠 The in-memory shellcode loader is written in heavily obfuscated PowerShell with sleeps, pointless random calculations, Base64 obfuscation, and single-byte XOR decryption (0xED)
💾 Allocates a block of RWX memory via kernel32!VirtualAlloc, copies the decrypted shellcode to it, then turns the memory address into a .NET delegate and calls it
📂 Drops several files: AutoItv3 interpreter, encrypted AutoIt loader, encrypted payload
📡 Final stage is reaching GaiaTools, a seemingly new crypter-and-loader service to pull a Golang infostealer
🗓️ Domain gaia[.]su registered on 2026-03-11 at registrar REGRU-SU

IoCs:
abe7e5da48a8a55badb87c6937c19d10561fe6f22024c2a5b3600c97706e96bd (SHA256 - 1st stage)
b73fe7ca0fd4e4e0a9e8b8f5fdecb42a95f91f7477e2fecf129f797e2892d21c (SHA256 - 2nd stage)
28ca2c00c4e2e5e9a7a1b469c264358fff209822a9dc0a74443e1eb0eb11b315 (SHA256 - 3rd stage)
hxxps://pastee[.]dev/r/6OVBx076 (2nd stage payload)
hxxps://gaia[.]su/remote-admin/api/payload/91e70b4f5f92e2f138aa8c612cfbc517[.]exe (3rd stage payload)
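The Base64 → XOR → shellcode step of the chain above, reimplemented as an added example (this is not VMRay's code and not the loader from the linked analysis). The stage it decodes is constructed here, since the real second-stage payload is not reproduced on this page; the x64 prologue used to recover the key is an assumption, as the post does not say what the real shellcode begins with. What it adds beyond the post: a single-byte XOR key never has to be known in advance. With only 256 candidates and any expected prefix, the key falls out of a brute-force search (the post's 0xED does here), which is how you handle the next variant that changes the constant:

```python
"""Decode a Base64-wrapped, single-byte-XOR'd stage of the kind the post's
PowerShell loader carries. Added example, not VMRay's code; the stage below is
constructed, and the x64 prologue heuristic is an assumption."""
import base64
import re
from typing import Optional, Tuple

# Common x64 shellcode prologue (cld; and rsp,-0x10; call ...). Heuristic only:
# the post does not say what the real shellcode starts with.
X64_PROLOGUE = bytes.fromhex("fc4883e4f0e8")


def peel_base64(blob: bytes, max_layers: int = 8) -> bytes:
    """Strip nested Base64 layers until the data no longer looks like Base64."""
    data = blob
    for _ in range(max_layers):
        stripped = re.sub(rb"\s+", b"", data)
        if not stripped or len(stripped) % 4 or not re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", stripped):
            break
        try:
            data = base64.b64decode(stripped, validate=True)
        except ValueError:
            break
    return data


def xor1(data: bytes, key: int) -> bytes:
    """Single-byte XOR; XOR is its own inverse, so this both encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def recover_key(data: bytes, expected_prefix: bytes = X64_PROLOGUE) -> Optional[int]:
    """A single-byte key has only 256 candidates: pick the one whose output
    begins with the expected prologue. Returns None if nothing matches."""
    head = data[:len(expected_prefix)]
    for key in range(256):
        if xor1(head, key) == expected_prefix:
            return key
    return None


def decode_stage(blob: bytes, key: Optional[int] = None) -> Tuple[int, bytes]:
    """Peel Base64 layers, recover (or apply) the XOR key, return (key, shellcode)."""
    raw = peel_base64(blob)
    if key is None:
        key = recover_key(raw)
        if key is None:
            raise ValueError("no single-byte key yields the expected prologue")
    return key, xor1(raw, key)


# Constructed stage: a fake shellcode blob XOR'd with the post's key 0xED and
# wrapped in two Base64 layers. Not real malware.
SAMPLE_SHELLCODE = X64_PROLOGUE + bytes.fromhex("c0000000") + b"CONSTRUCTED SAMPLE - NOT REAL SHELLCODE"
SAMPLE_STAGE = base64.b64encode(base64.b64encode(xor1(SAMPLE_SHELLCODE, 0xED)))

if __name__ == "__main__":
    key, shellcode = decode_stage(SAMPLE_STAGE)
    print(f"recovered key: 0x{key:02X}")
    print(shellcode[:16].hex(), shellcode[16:])
```

Stop once the decoded bytes no longer look like Base64 rather than decoding a fixed number of layers; the loader's real output is binary, and an extra decode attempt on it would throw or corrupt it.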
VMRay @vmray
When threat actors host C2 infrastructure on a public blockchain, traditional takedown requests fail. The data is immutable. The infrastructure is decentralized. And the API endpoints used to access it are, by themselves, entirely legitimate. vmray.com/threat-intelli…

That last point is what makes EtherHiding difficult to detect through IOC feeds. The same blockchain API endpoints used by malware to retrieve C2 configurations from smart contracts are also used for legitimate purposes — which means they can't easily be added to blocklists. But they can be used for threat hunting.

In a new piece from the VMRay Labs team, we walk through that approach: starting from a list of public blockchain API endpoints, pivoting through sandbox analysis, and identifying both known malware families using EtherHiding and previously unknown samples surfaced through the same method.

What's in the post:
🔹 Known families confirmed using EtherHiding: SharkStealer, ArechClient2, ClearFake, and a ClickFix campaign hosting multi-stage JavaScript on smart contracts
🔹 A newer variant of ZigCryptoStealer that moved from BSC Testnet to Mainnet, with a C2 domain previously identified in other smart contracts created by the same author
🔹 Two unknown Polygon-based samples: a Java stealer, and a .NET backdoor called LoaderOnNet that uses Steam user profiles as dead-drop resolvers

🔗 vmray.com/threat-intelli…
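One way to run the hunt described above against your own telemetry, as an added example that is not VMRay's code or the Labs team's query. It takes the ten BSC RPC hosts and the contract address from the ArechClient2 post further down this page; the process allowlist and the fan-out threshold are assumptions, and the log lines are constructed. Three rules: a read of a known dead-drop contract, an eth_call from a process with no business talking to a chain, and the same contract read through several RPC hosts, which is the endpoint diversification the later post describes:

```python
"""Hunt for EtherHiding-style C2 lookups in sandbox network telemetry.
Added example, not VMRay's code; the log lines below are constructed."""
import json
from collections import defaultdict
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

# Public BSC JSON-RPC endpoints, as listed in the ArechClient2 post on this page.
BSC_RPC_HOSTS = {
    "bsc-dataseed1.binance.org", "bsc-dataseed2.binance.org",
    "bsc-dataseed3.binance.org", "bsc-dataseed4.binance.org",
    "bsc-dataseed1.ninicoin.io", "bsc-dataseed2.ninicoin.io",
    "bsc-dataseed1.defibit.io", "bsc-dataseed2.defibit.io",
    "bsc-dataseed3.defibit.io", "bsc-dataseed4.defibit.io",
}
# Smart contract from the ArechClient2 post; extend from your own analyses.
KNOWN_BAD_CONTRACTS = {"0xbd75e2f339d4aebf72ff13f3af4c27096f709a4d"}
# Assumption: processes with a legitimate reason to call public chain RPCs (browser wallets).
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Same contract read through this many distinct RPC hosts looks like blocklist evasion.
FANOUT_THRESHOLD = 3

LogLine = Tuple[str, str, str, str]  # (sample id, process, URL, POST body)


def eth_call_body(contract: str, data: str = "0x") -> str:
    """The JSON-RPC request a client sends to read a contract (call data selector omitted)."""
    return json.dumps({"jsonrpc": "2.0", "method": "eth_call",
                       "params": [{"to": contract, "data": data}, "latest"], "id": 1})


# Constructed sandbox log. A: ArechClient2-style fan-out from an odd process.
# B: a browser polling the chain head, benign. C: unknown contract, two hosts, odd process.
SAMPLE_LOG: List[LogLine] = [
    *[("A", "updater.exe", f"https://{host}/", eth_call_body("0xbd75e2f339d4aebf72ff13f3af4c27096f709a4d"))
      for host in sorted(BSC_RPC_HOSTS)],
    ("B", "chrome.exe", "https://bsc-dataseed1.binance.org/",
     json.dumps({"jsonrpc": "2.0", "method": "eth_blockNumber", "params": [], "id": 7})),
    ("C", "svchost.exe", "https://bsc-dataseed1.defibit.io/", eth_call_body("0x" + "ab" * 20)),
    ("C", "svchost.exe", "https://bsc-dataseed2.defibit.io/", eth_call_body("0x" + "ab" * 20)),
]


def hunt(log: List[LogLine]) -> List[Tuple[str, str, str]]:
    """Return (sample, rule, detail) findings for eth_call traffic to public BSC RPCs."""
    findings: Set[Tuple[str, str, str]] = set()
    fanout: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for sample, process, url, body in log:
        host = (urlsplit(url).hostname or "").lower()
        if host not in BSC_RPC_HOSTS:
            continue
        try:
            rpc = json.loads(body)
        except ValueError:
            continue
        if rpc.get("method") != "eth_call":
            continue  # eth_blockNumber, eth_chainId, ... are wallet noise, not a dead-drop read
        params = rpc.get("params") or []
        call = params[0] if params and isinstance(params[0], dict) else {}
        contract = str(call.get("to", "")).lower()
        if contract in KNOWN_BAD_CONTRACTS:
            findings.add((sample, "known_contract", contract))
        if process.lower() not in EXPECTED_PROCESSES:
            findings.add((sample, "unexpected_process", process))
        fanout[(sample, contract)].add(host)
    for (sample, contract), hosts in fanout.items():
        if len(hosts) >= FANOUT_THRESHOLD:
            findings.add((sample, "endpoint_fanout", f"{contract} via {len(hosts)} hosts"))
    return sorted(findings)


if __name__ == "__main__":
    for sample, rule, detail in hunt(SAMPLE_LOG):
        print(f"{sample}: {rule} ({detail})")
```

The pivot the post describes is the loop around this: every contract address a flagged sample reads goes into KNOWN_BAD_CONTRACTS, and every new sample that only trips the process or fan-out rule is a candidate for decoding what it read.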
VMRay @vmray
User-reported phishing is one of the highest-volume tasks a SOC team deals with. The challenge: today's phishing rarely reveals itself in the email. Fake CAPTCHAs, ClickFix prompts, QR codes inside PDFs, redirect chains that only activate three layers deep: the actual threat lives at the end of the chain, not in the inbox. zoom.us/webinar/regist…

On May 28th, join us for a joint webinar with @KnowBe4 on how the new VMRay + KnowBe4 PhishER integration automates the deep analysis that used to require thirty minutes of manual work per email.

What you'll see:
🔹 How attachments and URLs from PhishER-reported emails get recursively analyzed in VMRay's sandbox
🔹 How fake CAPTCHAs, ClickFix attacks, advanced QR codes, and multi-stage chains get followed to the final payload
🔹 How clear verdicts and threat details land directly inside your PhishER console
🔹 Real-world attack scenarios walked through end to end

Built for SOC analysts and security engineers handling user-reported phishing at scale. Practical, behavioral, and to the point.

🔗 zoom.us/webinar/regist…
VMRay @vmray
🇺🇸 The most valuable signal in phishing detection often comes from users themselves. The challenge is what happens next: hundreds of reports a day, complex multi-stage delivery chains, and analysts who don't have thirty minutes per email to follow every redirect. From May 11-13, VMRay is at KB4-CON in Orlando, alongside the KnowBe4 community. The VMRay team will be there to talk about how recursive analysis turns user-reported phishing from a queue of work into a source of intelligence. What the latest phishing techniques look like once you follow them all the way to the actual payload. How the VMRay integration with KnowBe4 PhishER automates triage of complex chains. If you're attending, let's have a conversation.
VMRay @vmray
🇺🇸 Risk has changed. The work of managing it has changed with it. From June 1-3, VMRay is at the Gartner Security & Risk Management Summit in National Harbor, MD to talk about where deep malware and phishing analysis fits into that picture: how high-fidelity threat intelligence supports risk-based decisions, why analysis quality matters more than ever, and how data sovereignty and deployment flexibility are becoming central to how security tools get evaluated. If you're attending, come find us. Worth a conversation.
VMRay @vmray
Attackers are working harder than ever to stay invisible. Living off legitimate tools. Quietly probing for credentials and configs in the corners of the system most defenders don't watch. Slipping data out through trusted browser processes that look entirely benign in EDR telemetry.

Detecting that kind of activity requires understanding exactly how it behaves, and building detection logic that keeps up.

Tomorrow, Thorsten Schreiber will walk through what VMRay Labs shipped this month:
🔹 RMM tool detection: catching legitimate remote management software repurposed for persistent access
🔹 Sandbox evasion via geolocation and directory checks: surfacing malware that goes quiet in analysis environments
🔹 Chromium browser abuse: detecting headless-mode execution and App-Bound Encryption bypass from inside the browser's own trusted process
🔹 Sensitive data discovery: four new threat identifiers targeting infostealer reconnaissance against password managers, RDP configs, developer tools, and VPN clients
🔹 30+ new YARA rules and config extractors covering MuddyWater, CamaroDragon, PhantomStealer, ParallaxRAT, SalatStealer, and more

Practical, behavioral, and built for the analysts and engineers doing the work.

🔗 zoom.us/webinar/regist…
VMRay @vmray
A few years ago, a phishing email was a phishing email. A sketchy link, a credential page, a verdict. Done. That world is gone. Today's phishing arrives as a clean email. vmray.com/why-simple-phi… A clean email carrying a password-protected document. The QR code inside redirects through legitimate services. The malicious payload only materializes after a user opens, scans, clicks, or pastes, three or four steps removed from the original message. By design, every individual stage looks benign enough to pass automated checks. The threat lives in the CHAIN, not in the email. In a new piece, Andrey Voitenko, CISSP walks through what this shift means for SOC operations, why traditional gateways struggle, and what effective triage of multi-stage delivery chains actually requires. Worth reading if user-reported phishing is part of your team's daily reality. 🔗 vmray.com/why-simple-phi…
VMRay @vmray
A single phishing email rarely represents a single threat. The URL is a doorway. The attachment is a container. The QR code is a redirect. The actual threat almost always lives several steps deeper in the chain. vmray.com/unlocking-the-…

This is why phishing triage increasingly has to follow that chain to its end. In this new post, we walk through what recursive analysis actually surfaces in a real SOC environment with three examples from user-reported phishing folders:
+ ClickFix attempt dropping NetSupport,
+ PDF-embedded QR code delivering Vidar, and an
+ HTML application deploying Remcos.

Full breakdown, including what the SOC sees happen in Microsoft Defender within minutes.

🔗 vmray.com/unlocking-the-…
VMRay @vmray
A library full of empty bookshelves is still just a library. It looks like knowledge. It has the architecture of knowledge. But if the books are thin, outsourced, or missing, the shelves are just furniture.

A lot of modern security platforms have become extraordinarily good at building the shelves. vmray.com/strategic-deci…

Orchestration layers. Workflow automation. Dashboard reporting. Threat feed aggregation. All beautifully constructed. But shelves don't stop attacks. The books do. The detection engines. The analytical models. The actual depth of understanding about how threats behave. That's where investigations succeed or fail. That's what either explains an attack, or doesn't.

The uncomfortable question every security leader should ask once a year: how good are the actual books in my library? Not the interface. Not the integrations. The analytical engine underneath.

vmray.com/strategic-deci…
VMRay @vmray
Security tools have gotten very good at detecting malicious binaries. So attackers stopped relying on them. vmray.com/march-2026-det… RMM agents. Chromium browsers in headless mode. The browser's own trusted context, used to decrypt data it was designed to protect. These aren't exotic tools. They're the same software your IT team deploys, your users open every day, and your EDR is trained to treat as benign. The attacker's job has shifted. The goal isn't to smuggle something foreign onto the endpoint anymore. It's to use what's already there, or what looks like what's already there, to stay invisible. That's the pattern running through our latest detection work. New VTIs that flag malware dropping legitimate RMM software for persistent access. Detection for App-Bound Encryption bypass, where malicious code runs from inside the browser process itself rather than attacking it from outside. Headless browser detection for stealer activity that leaves no visible trace. The behavioral signals are still there. They just require looking in different places. Full breakdown of this month's detection logic → 🔗 vmray.com/march-2026-det…
VMRay @vmray
A year. Real samples. Real threats. Real comparison. vmray.com/customer-succe… This North American bank didn't return to VMRay because of a sales conversation. They returned because twelve months of operational data left no other conclusion. "Ultimately, our journey led us back to VMRay for one simple reason: unmatched accuracy and reliability in detecting and analyzing malicious activities. VMRay isn't just a solution; it's an essential component of our cybersecurity strategy, providing us with the peace of mind we need to defend against sophisticated threats." - SOC Analyst, North American Bank The gap they discovered wasn't visible in a demo. It wasn't apparent in the first weeks. It emerged in the accumulation of samples the alternative passed and VMRay caught. Read their full story → 🔗 vmray.com/customer-succe…
VMRay @vmray
Data sovereignty isn't a compliance checkbox anymore. For a growing number of organizations, it's the architectural requirement that decides which vendors stay on the shortlist. vmray.com/release-highli…

With the VMRay Platform release 2026.2.0, we're introducing VMRay Cloud hosted in the AWS European Sovereign Cloud, located in Germany. Data hosted and processed entirely within the EU. Operations within EU sovereignty boundaries. Access limited to EU-resident personnel. Full analytical capability, no trade-off.

Alongside that, the release brings several meaningful updates for security teams:
🔹 Recursive threat visibility — threat names and classifications from deep analysis now surface automatically in the parent sample view. Full context at a glance, without digging through the analysis tree.
🔹 Enhanced tag support — broader special character support means alert IDs and identifiers from SIEMs, EDRs, and connectors like Microsoft Defender for Endpoint map cleanly into VMRay submissions. Fewer workarounds, smoother correlation.
🔹 IP allowlisting for Cloud login — account managers can now restrict login access to approved networks. A simple control that meaningfully reduces the attack surface.
🔹 Faster PDF report generation — rebuilt from the ground up. Reports that previously took tens of seconds now generate in seconds.

Full release highlights → vmray.com/release-highli…
VMRay @vmray
🚨Alert: Evolution of EtherHiding in ArechClient2
🔬Report: vmray.com/analyses/ether…

ArechClient2 has been using the Binance Smart Chain (BSC) to fetch C2 servers (a technique known as EtherHiding) since at least June 2025, but we observed a change in the technique in a more recent sample. In the past, a single API endpoint hxxps[:]//bsc-dataseed1[.]binance[.]org was used for this, but in this new sample we see requests to 10 different API (sub)domains. While it is currently unclear why the sample queries the same smart contract on 10 different API endpoints, it is likely an attempt to circumvent blocking, or a first step into diversification of API endpoints used to access the smart contracts. Either way, due to the limited number of possible API endpoints, this is still a great detection opportunity to detect malware (for example ArechClient2, SharkStealer) that uses EtherHiding.

🔎In a nutshell:
- ArechClient2 contains one hardcoded C2, fetches second C2 server from Binance Smart Chain via RPC call (eth_call)
- Smart contract returns base64 encoded tuple (with "START" and "FINISH" markers) consisting of IV and encrypted C2 IP
- Executable uses embedded hardcoded key plus IV to decrypt C2 channel (AES)
- We identified samples communicating with three different smart contracts, one of them being updated very frequently
- 10 different BSC API endpoints queried in recent sample

🔐Find the full decryption procedure here (CyberChef recipe):
https://gchq.github.io/CyberChef/#recipe=From_Hex('Auto')Regular_expression('User%20defined','START(.*)FINISH',true,true,false,false,false,false,'List%20capture%20groups')From_Base64('A-Za-z0-9%2B/%3D',true,false)To_Hex('Space',0)Comment('Fetch%2016%20bytes%20IV')Register('(.%7B48%7D).*',true,false,false)Comment('Fetch%20encrypted%20C2')Regular_expression('User%20defined','.%7B48%7D(.*)',true,true,false,false,false,false,'List%20capture%20groups')AES_Decrypt(%7B'option':'Base64','string':'VOqkXCYMgproaIQIj50Z2tsBru1ULFzXeKKKg19WMTs%3D%3D'%7D,%7B'option':'Hex','string':'$R0'%7D,'CBC','Hex','Raw',%7B'option':'Hex','string':''%7D,%7B'option':'Hex','string':''%7D)&input=MHgwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDIwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAzNzUzNTQ0MTUyNTQ3MDRiMmY2NTMwNmY1MTc2NDk3NzM2NmY1OTQxNzM0YzQzNjc3NTcwN2E2MzM4MzM0ZTQ0NDc2ZDMzNzU2NjcxNGY3MjUyNDk3MjM5MzY1NjYzMzc1NTNkNDY0OTRlNDk1MzQ4MDAwMDAwMDAwMDAwMDAwMDAw

🧬IoCs:
- 79326544757d48a9f0fc0cfd9628df712a92271fa85e1194c5132fa465896e72
- Contract: 0xbd75e2f339d4aebf72ff13f3af4c27096f709a4d
- AES Key: VOqkXCYMgproaIQIj50Z2tsBru1ULFzXeKKKg19WMTs=
- C2: 138[.]226[.]238[.]96:443

🌐BSC API endpoints
- hxxps[:]//bsc-dataseed1[.]binance[.]org
- hxxps[:]//bsc-dataseed2[.]binance[.]org
- hxxps[:]//bsc-dataseed3[.]binance[.]org
- hxxps[:]//bsc-dataseed4[.]binance[.]org
- hxxps[:]//bsc-dataseed1[.]ninicoin[.]io
- hxxps[:]//bsc-dataseed2[.]ninicoin[.]io
- hxxps[:]//bsc-dataseed1[.]defibit[.]io
- hxxps[:]//bsc-dataseed2[.]defibit[.]io
- hxxps[:]//bsc-dataseed3[.]defibit[.]io
- hxxps[:]//bsc-dataseed4[.]defibit[.]io
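The decryption procedure from the CyberChef link above, as an added example in Python (not VMRay's code). The AES key and the START/FINISH string are the ones the CyberChef link carries; the eth_call result hex is rebuilt from that string using the standard ABI encoding of a single `string` return value, which is an assumption about the contract's return type. AES-CBC needs the third-party `cryptography` package (the standard library has no AES), so the example skips that step when it is not installed:

```python
"""Parse an EtherHiding eth_call response (ABI string -> START/FINISH frame ->
Base64 -> IV + ciphertext) and decrypt the C2 with the extracted AES key.
Added example, not VMRay's code."""
import base64
import re
from typing import Optional, Tuple

# From the post: hardcoded AES key (Base64) and the string the contract returns.
AES_KEY_B64 = "VOqkXCYMgproaIQIj50Z2tsBru1ULFzXeKKKg19WMTs="
CONTRACT_STRING = "STARTpK/e0oQvIw6oYAsLCgupzc83NDGm3ufqOrRIr96Vc7U=FINISH"


def abi_encode_string(s: bytes) -> str:
    """Standard ABI encoding of one `string` return value: offset word (0x20),
    length word, then the bytes padded to a 32-byte boundary. Used here only to
    rebuild the eth_call result the post's CyberChef link takes as input."""
    padded_len = (len(s) + 31) // 32 * 32
    return "0x" + f"{0x20:064x}" + f"{len(s):064x}" + s.hex().ljust(padded_len * 2, "0")


ETH_CALL_RESULT = abi_encode_string(CONTRACT_STRING.encode())


def abi_decode_string(result_hex: str) -> bytes:
    """Inverse of the above: follow the offset word, read the length word, slice the data."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    offset = int.from_bytes(raw[:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    return raw[offset + 32:offset + 32 + length]


def extract_iv_and_ciphertext(framed: bytes) -> Tuple[bytes, bytes]:
    """Base64 between START and FINISH; first 16 bytes are the IV, the rest is ciphertext."""
    m = re.search(rb"START(.*?)FINISH", framed, re.S)
    if not m:
        raise ValueError("no START/FINISH frame in contract response")
    blob = base64.b64decode(m.group(1))
    if len(blob) <= 16 or len(blob) % 16:
        raise ValueError("unexpected blob length for IV + AES-CBC ciphertext")
    return blob[:16], blob[16:]


def aes_key(key_b64: str = AES_KEY_B64) -> bytes:
    """32 bytes, i.e. AES-256."""
    return base64.b64decode(key_b64)


def decrypt_c2(iv: bytes, ct: bytes, key: Optional[bytes] = None) -> Optional[bytes]:
    """AES-CBC decrypt and strip PKCS#7 padding if present. Returns None when the
    `cryptography` package is not installed."""
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    except ImportError:
        return None
    dec = Cipher(algorithms.AES(key or aes_key()), modes.CBC(iv)).decryptor()
    pt = dec.update(ct) + dec.finalize()
    pad = pt[-1]
    if 1 <= pad <= 16 and pt.endswith(bytes([pad]) * pad):
        pt = pt[:-pad]
    return pt


if __name__ == "__main__":
    framed = abi_decode_string(ETH_CALL_RESULT)
    iv, ct = extract_iv_and_ciphertext(framed)
    print("IV:", iv.hex(), "ciphertext:", ct.hex())
    c2 = decrypt_c2(iv, ct)
    print("C2:", c2 if c2 is not None else "(install `cryptography` to decrypt)")
```

The ABI step is what the CyberChef `From_Hex` plus regex combination glosses over: an eth_call result is not the string itself but offset, length and padded data, so a parser that just regexes the hex for START will break the moment the contract returns a tuple or a dynamic array instead of a bare string.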
VMRay @vmray
The dashboards got better. The detections did not. What looked like a comprehensive security platform turns out to be a sophisticated aggregation layer sitting on top of thin analytical capabilities.

For more than a decade, the cybersecurity industry has optimized for consolidation. Fewer vendors. Single panes of glass. Unified platforms. And the result has often been impressive: polished interfaces, sophisticated workflows, endless threat feeds. But when a real incident happens, and analysts have to explain exactly how an attack worked, the answers are frequently shallow. Incomplete. Hard to defend.

This is Part 1 of our new series for CISOs: Strategic Decisions for CISOs. In this first piece, we examine
- the core competence the industry quietly underinvested in,
- why analysis quality is becoming the metric that separates real security from the appearance of it, and
- what a growing number of organizations are discovering when they actually put their platforms to the test.

Analysis is a craft. Consolidation alone cannot replace it.

🔗 vmray.com/strategic-deci…
VMRay @vmray
Ransomware is still the final payload. But how it gets onto the device... That changes almost weekly. vmray.com/malware-phishi…

Defenders aren't just fighting malware; they are tackling the ever-evolving delivery mechanisms. In our H2 2025 Threat Landscape Report, VMRay Labs breaks down the exact shifts in attacker behavior that are bypassing static defenses. The biggest takeaway? Attackers are increasingly pushing the execution step onto the user.

In our report you'll find details on:
🔹 The evolution of ClickFix and fake CAPTCHAs to force user-driven execution.
🔹 The Top 10 Malware Families: The remote access trojans and stealers dominating the landscape, and why they still work.
🔹 Shifting Vectors: From SVG phishing to malicious supply chain dependencies.

For the full breakdown of how to detect these evasive techniques, read the complete report:
🔗 vmray.com/malware-phishi…
VMRay @vmray
The teams building and running security automation don't need more data. They need data they can act on, without spending hours validating it first. vmray.com/customer-succe… That distinction matters most at scale. When your workflows span EDR, SOAR, and a Threat Intelligence Platform across a 100,000+ person organization, every unreliable verdict creates friction that compounds across the entire pipeline. High-fidelity analysis isn't a nice-to-have in that environment. It's what automation runs on. Read the full story → vmray.com/customer-succe…
VMRay @vmray
VMRay has joined the Microsoft Intelligent Security Association (MISA). Our integrations with Microsoft Sentinel and Microsoft Defender for Endpoint bring deep, behavior-based malware and phishing analysis into the workflows security teams already rely on; helping them triage faster, cut through noise, and respond to evasive threats with greater confidence. Glad to be part of an ecosystem built around making security work better for defenders.
VMRay @vmray
Security automation is only as effective as the intelligence feeding it. If you automate incident response based on noisy data, you just create faster mistakes.

Microsoft just featured VMRay in their RSAC 2026 update on the Microsoft Sentinel connector ecosystem, highlighting how our integration brings automated sandbox analysis and behavior-based threat intelligence directly into Sentinel workflows. aka.ms/SentinelIntegr…

We built this connector to solve a specific operational bottleneck: bridging the gap between initial detection and high-fidelity investigation. The integration allows SOC teams to automatically route suspicious files and phishing URLs from Sentinel directly to VMRay for dynamic analysis. What returns isn't a raw data dump. It's validated, high-confidence IOCs streamed straight into Sentinel's Threat Intelligence repository, giving your analysts the exact context they need to correlate threats, and providing your workflows with the reliable inputs required to actually trigger a response.

Less manual triage. Faster, accurate detection.

Read Microsoft's full ecosystem update here:
🔗 aka.ms/SentinelIntegr…
Explore the VMRay connector in the Microsoft Security Store:
🔗 securitystore.microsoft.com/solutions/vmra…
VMRay @vmray
User-reported phishing is one of the highest-volume, most time-consuming tasks a SOC team deals with. Most of what gets reported is benign. But the ones that aren't demand fast and accurate triage. And that's exactly where the process tends to break down. zoom.us/webinar/regist…

On March 24, join Serge Haumont from our team for our March Detection & Intelligence Highlights webinar.

The main demo: how VMRay's integration with Microsoft Defender for Office helps SOC teams efficiently investigate and manage user-reported phishing: cutting through the noise without cutting corners.

Alongside that, Serge will walk through the latest detection innovations from VMRay Labs:
🔹 DLL injection detection: surfacing malware hiding inside trusted Windows processes
🔹 SyncAppvPublishingServer & ntdll.dll abuse: catching proxy execution used to evade monitoring
🔹 WMI uptime checks: detecting sandbox-aware malware before it goes quiet
🔹 ClickFix & pastejacking: AutoUI updates that automatically uncover social-engineering chains
🔹 New YARA rules & config extractors: expanded coverage across malware families

Practical and to the point. Built for SOC analysts, CTI teams, detection engineers, and threat hunters.

🔗 zoom.us/webinar/regist…
VMRay @vmray
🏛️ When you're defending a 100,000+ person organization, scaling security automation requires more than just connecting your tools: it requires reliable data. vmray.com/customer-succe…

This major European government department had the orchestration in place: EDR, SOAR, Threat Intelligence Platform. But their automated workflows needed something more precise at the analysis layer. Standard sandboxing wasn't delivering the verdict accuracy, IOC quality, and clarity required to reduce manual review cycles at scale.

They integrated @vmray as a specialized analysis component. Not to replace what they had built, but to make it work better. The result: significantly reduced manual triage, cleaner inputs into SOAR playbooks and SIEM, and an automation pipeline that could finally run at the pace the threat landscape demands.

The key takeaways from their deployment:
🔹 Evasion resistance is non-negotiable: You cannot automate a response to a threat you cannot fully observe.
🔹 Filter the noise: Standard sandboxes often output raw data dumps. True automation requires filtering out benign activity to produce automation-safe IOCs.
🔹 API-first orchestration: Intelligence must flow directly into existing playbooks to eliminate manual review cycles.

Full story → vmray.com/customer-succe…