VMRay

🚨Alert: New cryptocurrency stealer likely written in Zig 🔬Report: vmray.com/analyses/vidar… We found a multi-stage infection chain delivering what appears to be a new cryptocurrency clipper, likely written in Zig. The infection begins with Vidar, which drops a heavily obfuscated AutoIt script that injects and executes the Zig-based stealer. This stealer resolves its C2 address through a BSC smart contract, a technique known as EtherHiding. Its primary purpose appears to be replacing cryptocurrency addresses in the clipboard with an attacker-controlled wallet. 🔎 In a nutshell: -Vidar → SFX → AutoIt Loader → Zig Crypto Stealer -The AutoIt script is heavily obfuscated, the next-stage payload is RC4-decrypted then LZNT1-decompressed at runtime before injection -Script contains junk code and performs multiple anti-sandbox and anti-AV checks, timing-based evasion, and a DNS request to a non-existing domain -C2 address is resolved via a BSC smart contract (EtherHiding) -Constantly polls clipboard for multiple cryptocurrency address formats: BTC, ETH, etc. -When a match is found: exfiltrates the victim's original address to the C2 and replaces it with attacker wallet -Likely written in Zig as some strings are uniquely associated with that language -Querying the attackers smart contract transactions, one can identify many more C2 addresses -In recent days the sample seems to drop a different payload, no longer the Zig crypto stealer 🧬 IoCs: -Zig sample SHA256: a82d031d99b15f8eb5a1d8cc24e55fec6d393d549edde8da9507f3cf17503ce1 -C2: quartermaster-sec[.]cc -Smart contract address: 0x7CC3cFC1Ac007B8c6566fD2C7419b15a75473468 via API endpoint hxxps[:]//data-seed-prebsc-1-s1[.]binance[.]org:8545 -Vidar sample SHA256: 62338c7764f4e82105ea52fab868e1f04dc2f54bb44c5a47ddac685eacd6ed3c -C2: 65.21.165[.]15 -Steam profile: hxxps[:]//steamcommunity[.]com/profiles/76561198736378968 🧩 More C2's from other smart contracts by the same creator: -artisan-advertising[.]cc -brain-game[.]cc -celebration-internet[.]cc -cmicrosoft1[.]click -devops-offensive[.]cc -ed-security-buff[.]cc -en.hugo-lapp[.]co -evil-toy[.]cc -fast-node[.]com -firewall-sentinel[.]cc -flame-guard[.]cc -kr.hugo-lapp[.]co -lavande-rocket[.]cc -quartermaster-sec[.]cc ⭐ Credits: Likely related sample documented by @0xfluxsec via fluxsec.red/analysing-an-A… (but their AutoIt script does not seem to drop the Zig crypto clipper highlighted here)

🏛️ When you're defending a 100,000+ person organization, scaling security automation requires more than just connecting your tools: it requires reliable data. vmray.com/customer-succe… This major European government department had the orchestration in place: EDR, SOAR, Threat Intelligence Platform. But their automated workflows needed something more precise at the analysis layer. Standard sandboxing wasn't delivering the verdict accuracy, IOC quality, and clarity required to reduce manual review cycles at scale. They integrated @vmray as a specialized analysis component. Not to replace what they had built, but to make it work better. The result: significantly reduced manual triage, cleaner inputs into SOAR playbooks and SIEM, and an automation pipeline that could finally run at the pace the threat landscape demands. __________ The key takeaways from their deployment: 🔹 Evasion resistance is non-negotiable: You cannot automate a response to a threat you cannot fully observe. 🔹 Filter the noise: Standard sandboxes often output raw data dumps. True automation requires filtering out benign activity to produce automation-safe IOCs. 🔹 API-first orchestration: Intelligence must flow directly into existing playbooks to eliminate manual review cycles. __________ Full story → vmray.com/customer-succe…

Next week week, VMRay's CEO & Co-founder Dr. Carsten Willems and VP of Products Uriel Cohen will be at RSAC 2026 in SanFrancisco. 🤝 If you're a security leader or practitioner looking to exchange ideas on where threat intelligence and malware analysis are heading, or if you want to explore how to bridge the gap between deep technical analysis and operational clarity, we'll be there for exactly that. To keep leading innovation in cybersecurity built on community and collaboration. See you in San Francisco! 🌉

SANS Institute provides defenders with the tactical foundation to hunt and respond to threats. But applying those skills in a noisy environment requires the ability to reliably extract high-fidelity Threat Intelligence from evasive malware and phishing threats. Next week, we are heading to SANS 2026 in Orlando to discuss how teams can integrate evasion-resistant sandboxing and precise malware analysis directly into their daily workflows. If you are attending, let’s connect to talk about reducing manual triage, filtering the noise, and extracting the IOCs that actually matter.

🛡️ Malware doesn't announce itself. It blends in, using built-in Windows tools, trusted system components, and everyday traffic like DNS and image downloads to move quietly and stay hidden. Our February 2026 Detection Highlights documents exactly how: vmray.com/february-2026-… DNS lookups used to smuggle stolen data out. Legitimate Windows components like SyncAppvPublishingServer repurposed to launch malicious PowerShell. Security vendor domains silently redirected to nowhere, cutting systems off from the tools meant to protect them. In response, the VMRay Labs team shipped 8 new threat identifiers, expanded config extractors for Telegram-based phishkits and SantaStealer, improved ClickFix coverage in AutoUI, and added 30+ fresh YARA rules — covering stealers, RATs, loaders, packers, and phishing techniques. The full breakdown, with behavioral context on each detection, is in the link below. 🔗 vmray.com/february-2026-…

🚀 @vmray and @Broadcom announce official partnership & on-premise sandbox integration vmray.com/broadcom-on-pr… 🔎 What this integration delivers: • High-fidelity malware and phishing analysis powered by VMRay • Seamless integration with Broadcom security environments • On-premise deployment for maximum data control and compliance 🤝 We’re excited to collaborate with Broadcom, Broadcom customers and their partner ecosystem to bring this solution to market. If your team is interested in participating in the Early Adopter Program, we’d be happy to connect and discuss next steps. 👉 Learn more about the integration: vmray.com/broadcom-on-pr…

If you're using @MISPProject for Threat Intelligence, this one's for you. vmray.com/setting-up-uni… To help CTI teams operationalize their data, we are launching a new technical series by Koen Van Impe @cudeso focused on getting the most out of VMRay within MISP, starting with a step-by-step guide to setting up the VMRay UniqueSignal feed. Not just a config walkthrough. It covers the kind of detail that saves you an afternoon of trial and error: - feed types, - authentication, - distribution settings, - tagging with the Admiralty Scale, - scheduling ingestion, and - building dashboard widgets to monitor feed activity Next up in the series: operationalising UniqueSignal with Microsoft Defender, Sentinel, and custom MISP workflows. 🔗 vmray.com/setting-up-uni…

One of Europe's biggest cybersecurity gatherings is just around the corner. And we'll be there. 🇫🇷 VMRay is heading to InCyber Forum in Lille (31 March – 2 April). Come talk to us about what it actually takes to detect evasive malware and phishing threats, and build Threat Intelligence you can trust, not just collect. Find us at Lille Grand Palais. Let's connect. 🤝

In ThreatIntelligence, analyzing WHO is targeted often reveals the WHY behind a campaign. Our latest collaborative research by independent researcher Pol Thill reveals a highly structured, state-sponsored targeting matrix: Water utilities. Energy grids. Government agencies. Across 8 countries — and reconnaissance reaching 200+ more. This is the footprint of Hydra Saiga (also tracked as YoroTrooper / ShadowSilk) — a state-sponsored threat actor that has been quietly active since 2021, and shows no sign of slowing down. A clear pattern emerges from the victimology: 🔹 Strategic alignment: Heavy targeting of critical water and energy infrastructure in Central Asia. 🔹 Sector footprints: Unique industry focus by region—such as Water infrastructure exclusively in the CIS, and Aviation in the Middle East & Africa. For CTI and SOC teams, mapping these overlaps helps filter noise and prioritize defensive resources based on realistic risk profiles, rather than generic global alerts. Watch the global spread below. The full execution logic, and all extracted IOCs & TTPs (now available within the VMRay UniqueSignal Threat Intelligence Feed), are detailed in our complete analysis: 🔗 vmray.com/hydra-saiga-co…

🚨 Alert: Covert payload delivery through alternative object storage platforms 🔬Report: vmray.com/analyses/cover… 📦 In a newly observed attack chain, threat actors have started exploiting lesser known object storage platforms like cubbit[.]io or ufs[.]sh as disposable payload safehouses. 🥷 The chain starts off with an obfuscated VBScript, unfolding into an obfuscated PowerShell downloader. The PS1 script downloads a seemingly harmless image file, pulled from one of these object storage platform providers. Using simple steganography, a Base64 .NET Injector payload is concealed as appended bytes at the end of the image file. The smuggled .NET Injector is then reflectively loaded into RegAsm.exe and a final Agent Tesla payload is downloaded. This attack chain shows how modern delivery chains are constantly looking for alternative platforms to host and conceal their payload. 🔎 Key takeaways: - VBS → PS1 → GuLoader / Image (steganography) → .NET Assembly → Payload on cubbit[.]eu → RegAsm.exe → Agent Tesla -  Initial VBScript utilized junk code, Base64 obfuscation, word slicing, reverse string, and character substitution - Dropped PowerShell script (Base64 encoded), uses character replacement to thwart static analysis - Downloads a payload (usually GuLoader) from hosting site ufs[.]sh - Pulls an image file from firebasestorage.googleapis[.]com, which has a - Base64 blob at the end (steganography) - PowerShell parses the Base64 blob, decodes it and uses Reflection.Assembly to load the revealed executable (protected with SmartAssembly) - Dynamically locates a method named 'runss' on a type called 'Homees', invokes it with a remote payload hosted on cubbit[.]io - Injects the remote payload (Agent Tesla) into RegAsm.exe 🧬 IoCs: 1c216dc51330c5f56cc37f7e37b3516e57b172bd83f787788f80dcdb88b5545b hxxps://firebasestorage.googleapis[.]com/v0/b/remasd-6c702.firebasestorage.app/o/image.jpg?alt=media&token=b9d8bf3e-b1eb-4c56-9434-d4af570d4a91 hxxps://au72nuxzv2.ufs[.]sh/f/4LhV5B1sDCwIrgzpCwYKXE4gwWVSzU8Dck1rs5tJYqhnmpx6 hxxps://zip1.s3.cubbit[.]eu/SCANNED%20COPIES%20OF%20FINAL%20CONTRACT%20PDFupload.txt

VMRay profiles Hydra Saiga - an espionage actor active since 2021 & compromising at least 34 organisations across 8 countries - linking the activity to Kazakhstan state interests. The tooling leans on Telegram-based C2 & a mix of Rust, Go & Python implants vmray.com/hydra-saiga-co…

🔎 Tracking state-sponsored tradecraft in critical infrastructure? This is worth your time. vmray.com/hydra-saiga-co… Our latest in-depth research dives into Hydra Saiga — a covert espionage actor targeting government entities and critical utilities across Central Asia. Authored by threat researcher Pol Thill, this analysis goes beyond attribution headlines and focuses on what practitioners actually need: 🎯 Post-exploitation behaviors inside energy, water & government networks 🧰 Blends of commodity malware and custom tooling 📡 C2 architecture, evasion patterns, and operational habits 🧠 Actionable telemetry for CTI teams, hunters, IR and detection engineers If you’re mapping government cyber threats, tracking infrastructure-focused campaigns, or refining detection logic against espionage actors, this research provides concrete tradecraft insights — not just narrative. A recommended read for CTI and frontline defenders alike. vmray.com/hydra-saiga-co…

The infrastructure attackers trust most in 2026? The same platforms your users rely on every day. zoom.us/webinar/regist… In February’s Detection & Intelligence Highlights, we’re unpacking how both cybercriminals and state-sponsored actors are abusing trusted platforms — from phishing kits to C2 and data exfiltration. What you’ll walk away with: 📡 How Telegram is being weaponized end-to-end — phishing kits, C2, data exfiltration ⛓️ A new identifier for spotting blockchain/Web3-based comms (incl. ClearFake-style campaigns) 🧠 Why Clickfix and Pastejacking are becoming the default delivery for infostealers like Vidar — and how to catch them 📋 Anti-monitoring VTIs for catching clipboard-stealing keyloggers 🎯 A CTI spotlight on Hydra Saiga’s post-exploitation tradecraft targeting energy, water & government sectors You'll walk away with new YARA rules, sandbox detection updates, and a clearer picture of where the line between cybercrime and state-sponsored espionage is dissolving. SOC analysts and CTI teams — this one's built for you. Join us and bring your questions. zoom.us/webinar/regist…

🌏 VMRay at the 2026 FIRST Regional Symposium – Central Asia We’re proud to join this year’s event as a Gold Sponsor, taking place 26–27 February. Our team will be on site to connect with the regional CSIRT and security community. If you’re attending, let’s discuss how advanced malware analysis and high-fidelity Threat Intelligence help teams stay ahead of increasingly evasive threats. Looking forward to the conversations.

🔍 New from VMRay Labs: Climbing the Pyramid of Lumma Pain vmray.com/climbing-the-p… Infostealers like Lumma aren’t just widespread — they’re evolving fast. In this new Labs blog, Julian Wolf breaks down how Lumma operates across delivery, evasion, and monetization, and what defenders can do to move from reactive cleanup to meaningful disruption. If you’re tracking infostealers, CTI trends, or detection gaps, this one’s worth your time. 👉 Read the full analysis: vmray.com/climbing-the-p…

🔥 Alert: New UmbralStealer variant, RahidStealer, spotted in the wild 📄 Report: vmray.com/analyses/rahid… RahidStealer is a newly observed infostealer variant closely related to UmbralStealer, focusing on credential harvesting and session theft from popular browsers, messengers, and gaming platforms, but also incorporating RAT-like features for remote control, and additional capabilities like MBR crippling and ransomware-like behavior achieved through manipulating boot configuration via bcedit. RahidStealer preserves UmbralStealer’s anti‑analysis characteristics such as virtual machine checks and abuse of Defender exclusions: the open-source nature of UmbralStealer allows threat actors to quickly change anything in the source code to alter the infostealer to their needs, allowing minor protocol and configuration changes. The developer - named Raxid - also offers a Downloader, a "BitJoiner", and a Crypter as separate programs. 💡 Key takeaways: - Malware config extracted, internal config is both Base64 obfuscated and AES-GCM encrypted - Sinkholes most AV/EDR vendor websites to 0.0.0.0 in /etc/hosts file - Uses WMI queries for system discovery (Win32_VideoController, Win32_DiskDrive, Win32_Processor, etc.) - Tries to detect sandbox/analysis environment (System Informer, Process Hacker, etc.) - Takes screenshot and disables Windows Task Manager - Changes Windows Defender settings to disable real-time monitoring - Reconfigures boot options via bcdedit.exeSets up scheduled task for persistence and places a hardcoded mutex - Exfiltrates the gathered data via either Telegram API or Discord Webhook IoCs: ee1ed16a95f403719260eaaa0de75e1b5d9210e6dcc8f66af8fb03253cd1ba21 (RahidStealer)13a5f1531e032e9ee4bf247ceff325077908c17eea7096dd6a7138c67eba5f82 (RaxidDownloader)e17bc55b0e5ff597820b1dd4e123dc750981d92d26b432117c707caad3fb9b58 (RaxidCrypter)c25a6eb11eec85b67bd7e253a3a06568fc97e8b3e57bba1b753254261ce31ac8 (BitJoiner)

We’ll be at the TF-CSIRT Joint Regional Symposium Europe this week 🇪🇸 From 4–6 February, you’ll find the VMRay team at our booth in Jerez de la Frontera—come by to talk evasion, malware analysis, and what actually works against today’s threats. 🎤 Day 1 highlight: Patrick Staubmann will present “Turning Evasion Techniques Against Malware”, sharing how defenders can flip attacker tradecraft to their advantage. Looking forward to connecting with the CSIRT community!

⏰ Tomorrow: Detection & Intelligence Highlights Webinar. lnkd.in/dUB7XvZH If your team is dealing with evasive phishing and infostealers, this session is built for you. We’ll break down: 🧠 Clickfix attacks — browser-based social engineering and complex redirection chains that slip past traditional controls ☁️ SharePoint & OneDrive abuse — spotting multi-stage delivery hiding in trusted cloud infrastructure 🕵️ MetaStealer config extraction — instantly pivoting on C2 and attacker infrastructure from real-world samples ⭐ Live demo highlight: See how to automate analysis of user-reported phishing emails by integrating @vmray sandbox with @KnowBe4 PhishER — turning reports into high-fidelity detections, fast. Join us tomorrow and walk away with detections, pivots, and automation you can actually use. zoom.us/webinar/regist… Read the details of the integration here: vmray.com/release-highli…

Hat tip (H/T): SafeBreach previously reported on Prince of Persia here: safebreach.com/blog/prince-of…

🚨 Alert: Previously undocumented Tornado v51 variant from Prince of Persia (Infy) APT 🔬  Report: vmray.com/analyses/infy-… We have recently spotted an infostealer sample, which shows code similarities to previous Foudre/Tonnerre malware variants from the Prince of Persia/Infy APT groups, but the infostealer seems to call itself Tornado with a v051 version marker. This would align well with previously discovered variants like the last Foudre v50 variant and how Tornado seems to be a continuation of that. Prince of Persia, also known as Infy, is an Iranian state-sponsored APT group active since at least 2007, targeting dissidents, civil society, journalists, diplomats, and critical infrastructure primarily in Iran and Europe through espionage-focused malware like Foudre and Tonnerre. Previously SafeBreach Labs' research revealed the group never truly went dormant after 2022. ----- Key takeaways: 🧬 New Foudre-like v051 variant (Tornado?) PE timestamp: 2012-06-09 13:19:49, but only uploaded to VT on 2025-12-15 22:01:45 🌪️ Places a mutex named TornadoInstaller 🧾 Exfiltrates browser cookies, saved credentials 🕵️‍♂️ Checks whether ESET/NOD32 AV is installed 🛡️ Enumerates AntiVirusProduct, BIOS, CPU, BaseBoard information, and more 📋 Collects list of installed programs, copies clipboard content 📡 Sends all previous listed information to the C2 🤖 Capability to send the report to Telegram bot 🔀 Utilizes DGA and uses a set of 4 hardcoded TLDs (.ix[.]tc, .site, .space, .hbmc[.]net) ⛓️ Potentially use blockchain for C2 domains (BTC: 1HLoD9E4SDFFPDiYfNYnkBLQ85Y51J3Zb1) ----- IoCs (SHA256): 44fc9e306763774b50b61fc7487aa1d219aa288aefa201119c7bc278e17600a8 5db4ed7d07ab028ab6ceba8efec5f667d86a419020d2a8c86e90a3125aa31bb9 8db20544f280955ed3ef3c42dc8423e3000e244fc7c8f0e3a7567fa48f7a15d9 a05c2c042dc4f54daf69b1b1441aa938b0ffc6fe979c413bd9fcae95b0bf7542 b937024b7484b26d09ba8130cc4ab04600dc18c976bb0c7724a063f1fc6f0d77 ba16a2dddbae458d85e663a773bff2f6eeb8704b6111b0c748564f48424538e8