The Labs team at VMRay actively gathers publicly available data to identify any noteworthy malware developments that demand immediate attention. We complement this effort with our internal tracking and monitor events the security community reports to stay up-to-date with the latest changes in the cyber threat landscape.

In October 2025, the VMRay Labs team has been focused on the following areas:

1) New VMRay Threat Identifiers addressing:

• Detecting regsvr32 proxy execution
• Detecting hostname discovery
• Detecting dead drop resolver
• Detecting checking if an IP address is listed in SPAM blocklists
• Detecting disabling Windows Recovery Environment
• Detecting changing permissions with takeown and icacls
• Detecting disabling automatic system hibernation
• Detecting the use of Wusa to uninstall Windows features
• Detecting changing power settings

2) AutoUI enhancements addressing recent phishing tricks

3) Smart Link Detonation additions

4) +14 new YARA rules

New VTIs

In a series of these blog posts, we introduced you to the concept of the VMRay Threat Identifiers (VTIs). In short, VTIs identify threatening or unusual behavior of the analyzed sample and rate the maliciousness on a scale of 1 to 5, with 5 being the most malicious. The VTI score, which greatly contributes to the ultimate Verdict of the sample, is presented to you in the VMRay Platform after a completed analysis. Here’s a recap of the new VTIs that we added, or improved in the past month.

Detecting regsvr32 proxy execution

Category: Defense Evasion

MITRE ATT&CK® Technique: T1218/010/

regsvr32.exe is a small, built-in Windows utility used to register or unregister software components (usually DLLs or ActiveX controls) so that other programs can find and use them. Think of it like telling Windows: “This piece of code exists: here’s where to find it and how to use it.” Once registered, other programs can call that component when needed.

How attackers abuse regsvr32? 

Because regsvr32 is a trusted, Microsoft-signed system tool, attackers sometimes  it as a proxy to execute their own code. By tricking regsvr32 into loading a malicious DLL or remote script, malware can:

• Run under a legitimate Windows process name.
• Execute code in memory or fetch additional payloads from the network.
• Bypass basic antivirus, whitelisting, or behavior-based defenses that typically trust signed Windows binaries.

To strengthen detection against this technique, we introduced a new VTI detecting regsvr32 proxy execution.

Detecting hostname discovery

Category: Discovery

MITRE ATT&CK® Technique: T1033

In a recently observed sample, we saw the use of certain function to obtain the system hostname (the computer’s network name). Malware often queries the hostname for several possible reasons:

• Fingerprinting: Malware may check the hostname as part of system profiling, gathering details to uniquely identify the infected machine.
• Sandbox evasion: Security researchers often run malware in virtual machines or sandboxes. These environments sometimes use default or obvious hostnames (e.g., WIN-VM, MALWARE-LAB, SANDBOX, etc). Malware can detect such hostnames and alter behavior (e.g., not executing its payload, staying dormant).
• Operational decisions: Some malware families use hostname checks to decide
  • Whether the system is a high-value target (e.g., a domain controller, server, or developer workstation),
  • Whether to deploy certain payloads (e.g., ransomware might avoid certain regions or companies).

To be better equipped against these discovery technique, we added a new VTI which will trigger when a process in the analyzed sample tries to collect the hostname.

Detecting dead drop resolver

Category: Network Connection

MITRE ATT&CK® Technique: T1102/001/

Attackers constantly look for ways to communicate with their malware while staying under the radar. One such method is called a dead drop resolver — where malware uses legitimate public web services like Pastebin, GitHub, Telegram, or even YouTube to quietly retrieve its next set of instructions.

What a dead drop resolver is? 

Instead of embedding a fixed command-and-control (C2) address inside the malware, attackers hide that address within normal, public websites. , it connects to one of these services, reads a small piece of hidden or encoded data, and learns where to reach the real C2 server.

Attackers use this technique for the following reasons: 

• Stealth: Requests to popular websites look normal and are rarely blocked by firewalls.
• Flexibility: Attackers can easily update or change the hidden instructions without redeploying the malware.
• Resilience: Even if defenders block one C2 server, the operator can post a new address on the same service, and infected systems will find it automatically.

In one of our recent analyses, the malware connected to endpoints known to be abused for hosting dynamic C2 configurations, such as domains related to Steam-powered content delivery or Telegram channels. These connections served as indirect “waypoints” leading the malware to its real command server.

To counter this evasion technique, we added a new VTI triggering when the submitted sample reveals this behavior.

Detecting checking if an IP address is listed in SPAM blocklists

Category: Defense Evasion

MITRE ATT&CK® Technique: T1667

In one of our recent analyses, we observed malware performing quite clever behavior: it queried public blocklists to check whether a potential command-and-control (C2) server’s IP address was listed as malicious. In simple terms, the malware was testing its C2 options before actually connecting, making sure that the server it planned to use wasn’t already flagged or monitored by defenders.

Why attackers do this? 

Malware operators use this technique to stay stealthy and maintain control by:

1) Avoiding sinkholes or takedowns: Security teams often seize or redirect known C2 servers to “sinkholes” for tracking infections. If a C2 address appears on a blocklist, the malware will skip it to avoid revealing itself.

2) Bypassing network defenses: Many organizations use threat intelligence feeds and spam blocklists to block bad IPs. By testing first, the malware ensures it picks a C2 that won’t be automatically blocked.

This kind of behavior shows how attackers apply operational security (OPSEC) to their own infrastructure — they don’t want to get caught talking to an address defenders are already .

To improve visibility into this behavior, we added a new VTI triggering when the VMRay Platform observes a process querying public spam or IP reputation services.

Detecting disabling Windows Recovery Environment

Category: System Modification

MITRE ATT&CK® Technique: T1490

The Windows Recovery Environment (WinRE) is a built-in rescue mode in Windows – a minimal, standalone operating system used for repairing, restoring, or recovering a system that can’t boot normally. It includes tools like Startup Repair, System Restore, System Image Recovery, and Command Prompt access; essentially Windows’ built-in “first aid kit.”

In a recent analysis, we observed a malware process executing commands that disabled WinRE via command line. This is a clear defense-evasion and destructive tactic, aiming to remove the system’s ability to recover or repair itself after infection.

By disabling WinRE, attackers:

• Make recovery and remediation harder for defenders,
• Prevent victims from restoring backups or using repair tools, and
• Increase the effectiveness of ransomware or destructive payloads.

This technique is commonly associated with ransomware operators and threat actors who want to ensure that once the system is damaged by avoiding easy restore options, it stays that way.

Our new VTI triggers when the VMRay Platform observes a process attempting to disable WinRE.

Detecting changing permissions with takeown and icacls

Category: System Modification

What takeown and icacls are? 

Let’s start with that basic distinction.

takeown.exe

• Legitimate purpose: It’s a built-in Windows command-line tool used to take ownership of a file or folder.
• Typical use case: Admins use it when they need to access or repair files that belong to the system or another account (e.g., fixing permissions after a failed update).

icacls.exe

• Legitimate purpose: Used to view, modify, or grant access control lists (ACLs); basically, to manage file and folder permissions.
• Typical use case: System administrators use it to manage file and folder permissions on servers and workstations, set up or audit shared folders in enterprise environments or fix permission issues.

What’s the risk? 

When malware uses takeown and icacls, especially on system binaries (like files in C:\Windows\System32), it’s often trying to bypass Windows protections to:

• Modify, replace, or delete system binaries (e.g., to inject code or disable a protection mechanism).
• Change ownership or permissions so it can tamper with files normally locked by the OS.

Why it’s suspicious (especially with /f, /r, and grant)? 

• /f → “force”: executes the change even if permissions or warnings exist.
• /r → “recursive”: applies the change to all subfolders/files, which means widespread modification.
• grant → explicitly gives permissions (often Full Control) to non-system users, allowing tampering.

Malware doing this is essentially breaking into locked rooms of the OS, clearing the way to overwrite binaries, disable defenses, or plant persistence mechanisms.

Detecting disabling automatic system hibernation

Category: System Modification

MITRE ATT&CK® Technique: T1653

In one observed case, malware invoked powercfg.exe to set the hibernate timeout to 0 (never), so the system will not automatically hibernate while on AC power. Hibernation remains possible if a user explicitly triggers it, but the OS will no longer write RAM to disk automatically or put the system into a power-saving mode on its .

Why malware might do this? 

1) Prevent forensic capture via hibernation

If malware lives only in volatile memory, an automatic hibernation would write  artifacts to disk for later analysis. Stopping automatic hibernation lowers the chance that an unattended system will capture that memory snapshot.

2) 

Preventing the system from sleeping keeps the system reachable for the attacker at any time. Auto-hibernation would pause execution and potentially interrupt the malicious workflow.

3) Living-off-the-land stealth

Using powercfg.exe avoids introducing new binaries. It’s a signed, trusted Windows tool so activity looks legitimate in process logs if not correlated with malicious behavior.

Detecting the use of Wusa to uninstall Windows features

Category: System Modification

wusa.exe (Windows Update Standalone Installer) is a built-in Windows utility used to install, uninstall, or manage Windows Update packages (.msu files). While wusa.exe is a legitimate administrative tool, it has been observed in malicious activity. Certain malware families leverage it to uninstall Windows security updates or features, effectively weakening system defenses.

By running certain commands, an attacker can silently remove a specific Windows update. These updates often contain security fixes, mitigations, or telemetry improvements that make it harder for malware to execute undetected.

Attackers may use wusa.exe for several reasons:

• Re-enable old vulnerabilities: If a patch closed an exploit the attacker relies on, uninstalling that update reopens the door.
• Evade detection: Updates can include new signatures, heuristics, or telemetry that detect suspicious behavior. Removing them reduces alerting.
• Disrupt system stability and defense: Removing key updates can hinder security tools, break recovery mechanisms, or prevent future patches from installing correctly, effectively buying attackers more time.

VMRay’s new VTI detects attempts of abusing wusa.exe for uninstalling Windows security updates or features.

Detecting changing power settings

Category: System Modification

In a recent sample, we observed it enabling maximum system performance invoked via a powercfg.exe. Maximum performance typically disables:

• CPU frequency scaling (keeps CPU at full speed)
• Sleep or hybrid sleep
• Hibernation timeouts
• Hard disk idle spin-down

But why malware would do this? 

1) To keep malicious processes running without interruption: If the system goes idle or enters sleep mode, malicious programs (for example, crypto-miners, keyloggers) would pause or stop. At the same time, the network connection will be disconnected and thus, the attacker would lose remote control. By enabling maximum performance, the malware ensures the system never slows down or sleeps, so it can keep working — stealing data, mining cryptocurrency, or maintaining a live connection to its command-and-control server.

2) Support long-running payloads: Cryptocurrency miners, backdoors, or memory-resident malware may require the CPU to stay active for extended periods.

AutoUI Enhancements: Now Supporting Publuu[.]com

We’ve improved VMRay’s AutoUI feature to successfully click buttons on web pages hosted on Publuu[.]com. For context, Publuu is a digital publishing platform that transforms static PDFs into interactive, multimedia-rich flipbooks. Attackers have abused Publuu pages in the past: the first stage of a phishing attack was hosted there, requiring a user to click a button labeled “view document” to be redirected to the second stage of the phishing page.

With the latest improvement, AutoUI now interacts with this page successfully, enabling the complete execution of the attack chain for more accurate analysis and detection.

Smart Link Detonation (SLD) is a core component of the VMRay Platform designed to automatically analyze and safely detonate hyperlinks embedded in emails and documents. This enables security teams to detect and neutralize malicious links before they reach end users.

To keep pace with evolving threat tactics, we introduced two major enhancements to SLD. These new rules help determine which URLs to detonate based on a deeper evaluation of the email’s content, the links’ placement within the message body, and their relationship to other URLs in the same email.

YARA Rules Update

Our hunt for new, undetected malware samples never stops. Over the past months, we added more than 220 fresh YARA rules to strengthen detection across a wide range of threats. This month, we’re continuing that momentum with 14+ new rules, focused on delivering a solid drop of high-quality detections. Here’s a quick preview of what we’re shipping this month.

New YARA detections for: 

Backdoor:

• Rustonotto
• ChillyHell (macOS)

Infostealers:

• ModStealer
• AuraStealer/AuraLoader
• Skuld Stealer
• Improved existing AMOS/AtomicStealer YARA detection

Loaders: 

• Batch-based Loaders

Techniques: 

• New rule for recently backdoored NPM packages
• New rule to detect local AI model files
• New rule for phishing pages asking for email addresses

Injectors: 

• Golang Injector

Ransomware: 

• Yurei ransomware
• Lockbit 5.0 ransomware

Extended signatures for:

• Amadey
• Latrodectus v2.5+
• StealC.v2

October 2025 was a busy month for our Labs team, marked by major enhancements to our VMRay Threat Identifiers and a broadened, fine-tuned YARA rule set spanning multiple threat categories. As attackers refine their tactics, our ongoing commitment remains clear — to stay ahead of the curve, proactively enhancing detection, and equipping defenders with the tools needed to counter modern cyber threats. Stay tuned for our next edition of signature and detection updates, planned to be published in the weeks ahead.