🔥 Alert: One Russian-speaking crew, one set of servers: a malware botnet, a hands-on console for breaking into corporate networks, and an AI Telegram troll farm.
🔗 Report: https://t.co/L2Zpg1qKve
We track it as Operation STANDOFF. The starting point was a single sample that VMRay UniqueSignal flagged on behavior, not a signature or known indicator. Pivoting on the two hardcoded C2 IPs it contacted at runtime revealed the wider operation. One IP also hosted the operators' console, "STANDOFF COORD". The same Russian-speaking crew runs three revenue-generating operations from one server infrastructure: a commodity malware botnet, hands-on intrusions into corporate networks, and an AI-driven Telegram troll farm (fake accounts and GPT-written personas generating engagement at scale). Much of the C2 blends in by redirecting requests to GitHub; pivoting on that pattern uncovered 44 related Russian servers.
💡 Takeaways:
• Financial and influence operations run side-by-side. Malware steals credentials and crypto wallets, mines Monero, enrolls victims into a proxy-botnet, and supports hands-on corporate intrusions. The Telegram operation uses AI-generated personas for engagement manipulation, disinformation, promotions, scams, and audience building.
• VMRay UniqueSignal flagged the sample based on behavior and exposed two hardcoded C2 IPs (212.193.30[.]45/proxies.txt and 212.193.30[.]29/server.txt) that led to the broader infrastructure.
• The malware C2 also hosted "STANDOFF COORD", a multi-operator console containing stolen NTLM hashes, Kerberos tickets, session cookies, and private keys.
• A single loader deploys Raccoon Stealer, RedLine, Amadey, SmokeLoader, Socelars, Glupteba, and XMRig while disabling Windows Defender and Windows Update.
• Persistence is achieved through a fake csrss.exe dropped into C:\Windows\rss and installed as a startup service using VirtualBox-style names.
• Victims are enrolled into a proxy-botnet through 212.193.30[.]45/proxies.txt, creating traffic relays for operator use or resale.
• The influence operation uses AI-generated Telegram accounts connected to a Standoff 2 / PUBG Mobile gaming portal that funnels a young audience.
• The C2 hides in plain sight: 44 TimeWeb-hosted servers redirect requests to GitHub to blend in with trusted traffic.
• A malformed WinHTTP User-Agent corrupted to a single 0x02 byte provides a distinctive network signature.
• Attribution points to a Russian-speaking team through Russian-language tooling, Moscow-time scheduling, and consistent "ggstandoff" / "GG Influence" branding.
Modern phishing pages don't reveal themselves right away. A button to click. A checkbox to mark. A prompt to accept. Only after the interaction does the real payload appear. For automated analysis, that creates a gap: if the sandbox doesn't act the way a person would, the attack stays hidden. https://t.co/KNJ10749hc
Browser automation has long relied on a page's underlying structure, the DOM, to find and click elements. That works well when the structure matches what the user actually sees. It struggles when an overlay covers a button, or when something is plainly visible on screen but hard to pin down in code.
VMRay Platform 2026.3 closes that gap with AI Browsing Simulation. It adds a visual perception layer on top of the existing automation, using computer vision and OCR to read a page the way a person sees it.
Buttons, checkboxes, prompts, and labels get identified from the screenshot itself, with the visual read validating the cases where the page and its code don't line up. Fewer missed interactions on evasive, visually complex phishing pages. The model runs locally, and customer data is never used to train it.
The release also brings IR Mailbox webhooks to automate what happens after analysis, customizable submitter notifications, and KnowBe4 PhishER tag filtering to control what gets sent for analysis in the first place.
🔗 https://t.co/KNJ10749hc
Neither detail was unusual on its own. A non-standard port. A generic Microsoft HTTP server banner. Plenty of legitimate services run exactly that, so on their own, neither tells you much. Together, they were selective enough to hunt on. https://t.co/Ji0mD450BW
That is one of the more useful lessons in a recent VMRay blog investigation by independent researchers. Starting from a single RedLine C2 surfaced through VMRay UniqueSignal, the analysis pulls the C2's HTTP response from the VMRay's sandbox and turns one specific pairing, the high port and the server string, into a fingerprint.
That fingerprint becomes the pivot: a query against internet-wide scan data to find other hosts sharing it, without ever touching the target infrastructure directly, which keeps the investigation quiet.
The full investigation includes every query used, so the approach is reproducible.
🔗 https://t.co/Ji0mD450BW
Most ThreatIntelligence work stops at the blocklist. You take an indicator, confirm it's live, push it into a SIEM rule, and move on. Pivoting takes the same indicator further, and sometimes it leads somewhere you didn't expect. https://t.co/Ji0mD450BW
The new investigation on the VMRay blog starts with a single RedLine Stealer C2 IP pulled from VMRay UniqueSignal and follows it outward.
The RedLine infrastructure itself was a short thread. But the files communicating with that C2 pointed somewhere else entirely: a tailored spear-phishing campaign targeting a South Korean maritime manufacturer, delivered through business email compromise.
From there, the investigation moves to the email distribution infrastructure behind the campaign, and surfaces a cluster of attacker-owned domains and servers, each one blockable at the email gateway before the next wave lands.
🔗 https://t.co/Ji0mD450BW
🇵🇹 Despite years of investment in Secure Email Gateways, phishing is still one of the most effective ways into an organization. The question worth asking isn't why attackers keep trying. It's why they keep succeeding. https://t.co/CouA5eiWVd
Tomorrow, VMRay is at BSides Porto. And on Day 2, Andrey Voitenko takes the stage to dig into exactly that.
His talk, looks at a structural reason phishing slips through: SEGs are built for speed and scale, processing huge volumes of email with minimal latency.
That optimization comes at the cost of depth, and sophisticated campaigns are designed to exploit exactly that blind spot: Multi-stage redirect chains. QR codes. SVG images. HTML smuggling. Geolocation- and time-based payload activation.
Andrey will also cover a practical, often-overlooked fix: connecting your User-Reported Phishing program to advanced sandboxing that operates outside real-time delivery constraints. The kind that simulates real user interaction, follows complex redirect paths, and exposes evasive payloads safely, with real-world examples including QR-code attacks and ClickFix.
If you're in Porto, catch the talk. Let's have a conversation after.
Consolidation looks like a cost decision on paper. In practice, it's a trust decision. Removing a tool means relying on what remains, and a security team can only makes that move when they're confident that what's left can be trusted to hold. https://t.co/Ew3csvh6Ar
A major US financial services SOC leader pursued a clear strategic goal: optimize their investment by consolidating around Microsoft Defender for Office and Endpoint, and divest from another significant security tool.
The condition? A validation layer accurate enough to confirm Microsoft Defender's verdicts and clean enough to dismiss false positives at scale. Without it, the consolidation risked exchanging cost savings for operational drag and undetected threats.
VMRay became that layer. In the security leader's words:
"Our strategic goal was to fully utilize Microsoft Defender. We needed to ensure it was supported by trustworthy validation, and VMRay was the critical enabler that gave us that confidence."
When consolidation works, it's because the analysis foundation can carry the weight.
🔥 Alert: Weaponizing Overlord RAT — open-source Golang RAT in DocuSign-themed phishing
🔗 Report: https://t.co/u60FKomOjF
We have recently spotted a phishing campaign, which utilizes a new, open-source malware called OverlordRAT written in Go.
The chain starts with a malicious URL, which points to a domain impersonating the logistics company Global-Merx. The URI resource - utility.php - mimics an official DocuSign page and uses embedded JavaScript to trick victims into downloading a document of ACH Remittance payment, which is a malicious MSI installer, but we’ve seen the payload getting changed recently. The installer embeds a DLL stager and gets called via the CustomAction table of the fake Microsoft DirectX Runtime MSI installer. The DLL finally injects its payload to werfault.exe, decrypts the final stage Overlord RAT payload with XOR (0xA9) and executes it.
The use of Overlord RAT again reinforces our previous findings that actors are always on the lookout for adopting new tools in their attack arsenal.
🔑 Takeaways:
- URL → DocuSign phishing → MSI → DLL → EP injection (werfault.exe) → XOR (0xA9) → Overlord RAT
- MSI and DLL disguised as Microsoft DirectX Runtime files, embedded payload called via CustomAction table
- DLL stager injects to werfault.exe, decrypts Overlord RAT payload with XOR key 0xA9
- The open-source Overlord RAT handles encrypted WebSocket traffic, provides HTTPS, JWT, RBAC and MFA authentication, flexible remote desktop streaming (WebRTC, MediaMTX) and supports Windows, Linux and macOS platforms
A phishkit rarely looks malicious if you take its behaviors one by one. https://t.co/oTMEUqP2Qs
A connection to Microsoft's real authentication infrastructure: legitimate.
A reference to the genuine Microsoft password-reset page: legitimate.
A block of login-related text: legitimate.
Each behavior, on its own, appears in countless trustworthy applications.
It's when they appear together, in the same sample, that the pattern emerges.
That's the logic behind one of this month's additions from VMRay Labs: a new meta-VTI that correlates several individually-benign behaviors into a single classification, improving detection of EvilProxy-style phishkit activity, the kind built around adversary-in-the-middle credential and token theft.
The full breakdown is in the link.
🔗 https://t.co/oTMEUqP2Qs
Something gets blocked. The alert closes. Everyone moves on... That's the moment most SOC teams know the least about what just happened. https://t.co/ZlBv19Yi5l
Microsoft Defender stops threats at scale. That's what it's built for, and it does it well. But blocking an attack before it executes carries a trade-off: some of what the attacker was trying to achieve never gets observed.
The files that would have downloaded. The infrastructure it was set up to communicate with. The next move in the chain. The question is what to do with everything blocked at the perimeter: the alerts that, on closer inspection, would have a lot to teach the team.
That's what our latest post explores: where deep, evasion-resistant analysis fits alongside a strong Microsoft Security program, and why the gap between blocking and understanding is worth closing.
🔗 https://t.co/ZlBv19Yi5l
🔥 Alert: Evasion via excessive multi-cloud staging
🔗 Report: https://t.co/4kIBpvYVa4
We have recently caught a malware delivery chain, which seems to utilize numerous cloud services to host several, staged payloads that reference each other back and forth. This “cloud-hopping” strategy is making use of less-known online code-sharing and file hosting platforms and ultimately tries to evade automated systems. The excessive cloud-hopping is actually why this “manufactured complexity” stands out from standard attacks.
The multi-stage attack chain starts with an obfuscated PowerShell payload (arithmetic calculations, Deflate and Base64), then hops across PythonAnywhere, and ends at the service Pastes[.]dev. The latter pulls 4 samples from the image-hosting service image2url (which can host .exe files too), like UnixStealer or FunnyLoader, and downloads a PyInstaller executable.
A Python script is then pulled from Pastes[.]dev again, which sets up a localhost tunnel via a free service called Pinggy and deploys the open-source Gost/GoSimpleTunnel for bridging the tunnel.
💡 Takeaways:
- PowerShell loader uses arithmetic calculations, Deflate compression and Base64 encoding for obfuscation
- Script checks for username ”runneradmin” to avoid running in GitHub Actions Runners environment
- Next stage PowerShell code grabbed from PythonAnywhere, followed by another one from Pastes[.]dev
- 4 PE files fetched from image2url (UnixStealer, FunnyLoader, XWormLoader, PyInstaller)
- Another stage executes Python script from another Pastes[.]dev link, which connects to Discord C2
- Local proxy configured via downloaded Gost (GoSimpleTunnel) client and the tunneling service free.pinggy[.]io
- Code is marked with Vietnamese comments with references to: “hello sigma”, ”sigma miner”, “iamsigmaboy” and “sigmatoilet”
- Actor uses different usernames like “hai”, “haingng16“ and “haideptrai“ on several cloud platforms
- Additional stages are pulled from GitHub, GitLab, Pastefy and Codeberg along the chain to establish persistence
There's a quieter kind of phishing that doesn't steal your password at all. https://t.co/LOcju7V4x2
In device-code phishing, the victim sees a real Microsoft login page. They enter a short code. They sign in successfully. Nothing looks wrong, because nothing technically is, except the session they just authorized belongs to the attacker. No password stolen. No fake page to spot. Just a legitimate flow, abused.
This is the behavior behind EvilTokens, a Phishing-as-a-Service platform built specifically around Microsoft 365 device-code abuse and token theft. It's also one of the focus areas in this month's detection work from VMRay Labs.
April's Detection Highlights includes new VTIs for:
🔹 EvilTokens PhishKit behavior, detecting both the device-code retrieval and the polling that waits for the victim to sign in
🔹 Connections to the Microsoft Device Login Endpoint, flagged for context in credential-access investigations
🔹 cmd.exe launched with fake or misleading arguments designed to slow down triage
🔹 Network communication via AFD, a lower-level Windows interface used to reduce visibility, observed in ACRStealer activity
🔹 MIME type and filename extension mismatches, a strong signal of masquerading
🔹 Windows Defender Firewall manipulation via PowerShell
Plus AutoUI improvements for multi-stage fake CAPTCHA campaigns, and 20+ new YARA rules.
The full breakdown, with the behavioral context behind each detection, is in the link.
🔗 https://t.co/LOcju7V4x2
When threat actors host C2 infrastructure on a public blockchain, traditional takedown requests fail. The data is immutable. The infrastructure is decentralized. And the API endpoints used to access it are, by themselves, entirely legitimate. https://t.co/D6n7S8R8a2
That last point is what makes EtherHiding difficult to detect through IOC feeds. The same blockchain API endpoints used by malware to retrieve C2 configurations from smart contracts are also used for legitimate purposes — which means they can't easily be added to blocklists.
But they can be used for threat hunting.
In a new piece from the VMRay Labs team, we walk through that approach: starting from a list of public blockchain API endpoints, pivoting through sandbox analysis, and identifying both known malware families using EtherHiding and previously unknown samples surfaced through the same method.
What's in the post:
🔹 Known families confirmed using EtherHiding: SharkStealer, ArechClient2, ClearFake, and a ClickFix campaign hosting multi-stage JavaScript on smart contracts
🔹 A newer variant of ZigCryptoStealer that moved from BSC Testnet to Mainnet, with a C2 domain previously identified in other smart contracts created by the same author
🔹 Two unknown Polygon-based samples: a Java stealer, and a .NET backdoor called LoaderOnNet that uses Steam user profiles as dead-drop resolvers
🔗 https://t.co/D6n7S8R8a2
User-reported phishing is one of the highest-volume tasks a SOC team deals with. The challenge: today's phishing rarely reveals itself in the email. Fake CAPTCHAs, ClickFix prompts, QR codes inside PDFs, redirect chains that only activate three layers deep: the actual threat lives at the end of the chain, not in the inbox. https://t.co/vmpZAZd8sW
On May 28th, join us for a joint webinar with @KnowBe4 on how the new VMRay + KnowBe4 PhishER integration automates the deep analysis that used to require thirty minutes of manual work per email.
What you'll see:
🔹 How attachments and URLs from PhishER-reported emails get recursively analyzed in VMRay's sandbox
🔹 How fake CAPTCHAs, ClickFix attacks, advanced QR codes, and multi-stage chains get followed to the final payload
🔹 How clear verdicts and threat details land directly inside your PhishER console
🔹 Real-world attack scenarios walked through end to end
Built for SOC analysts and security engineers handling user-reported phishing at scale.
Practical, behavioral, and to the point.
🔗 https://t.co/vmpZAZd8sW
🇺🇸 The most valuable signal in phishing detection often comes from users themselves. The challenge is what happens next: hundreds of reports a day, complex multi-stage delivery chains, and analysts who don't have thirty minutes per email to follow every redirect.
From May 11-13, VMRay is at KB4-CON in Orlando, alongside the KnowBe4 community.
The VMRay team will be there to talk about how recursive analysis turns user-reported phishing from a queue of work into a source of intelligence.
What the latest phishing techniques look like once you follow them all the way to the actual payload.
How the VMRay integration with KnowBe4 PhishER automates triage of complex chains.
If you're attending, let's have a conversation.
🇺🇸 Risk has changed. The work of managing it has changed with it.
From June 1-3, VMRay is at the Gartner Security & Risk Management Summit in National Harbor, MD to talk about where deep malware and phishing analysis fits into that picture: how high-fidelity threat intelligence supports risk-based decisions, why analysis quality matters more than ever, and how data sovereignty and deployment flexibility are becoming central to how security tools get evaluated.
If you're attending, come find us. Worth a conversation.
Attackers are working harder than ever to stay invisible. Living off legitimate tools. Quietly probing for credentials and configs in the corners of the system most defenders don't watch. Slipping data out through trusted browser processes that look entirely benign in EDR telemetry.
Detecting that kind of activity requires understanding exactly how it behaves, and building detection logic that keeps up.
Tomorrow, Thorsten Schreiber will walk through what VMRay Labs shipped this month:
🔹 RMM tool detection: catching legitimate remote management software repurposed for persistent access
🔹 Sandbox evasion via geolocation and directory checks: surfacing malware that goes quiet in analysis environments
🔹 Chromium browser abuse: detecting headless-mode execution and App-Bound Encryption bypass from inside the browser's own trusted process
🔹 Sensitive data discovery: four new threat identifiers targeting infostealer reconnaissance against password managers, RDP configs, developer tools, and VPN clients
🔹 30+ new YARA rules and config extractors covering MuddyWater, CamaroDragon, PhantomStealer, ParallaxRAT, SalatStealer, and more
Practical, behavioral, and built for the analysts and engineers doing the work.
🔗 https://t.co/6RRF85XcF4
A few years ago, a phishing email was a phishing email. A sketchy link, a credential page, a verdict. Done. That world is gone. Today's phishing arrives as a clean email. https://t.co/LfhZOnTrAj
A clean email carrying a password-protected document.
The QR code inside redirects through legitimate services.
The malicious payload only materializes after a user opens, scans, clicks, or pastes, three or four steps removed from the original message.
By design, every individual stage looks benign enough to pass automated checks. The threat lives in the CHAIN, not in the email.
In a new piece, Andrey Voitenko, CISSP walks through what this shift means for SOC operations, why traditional gateways struggle, and what effective triage of multi-stage delivery chains actually requires.
Worth reading if user-reported phishing is part of your team's daily reality. 🔗 https://t.co/LfhZOnTrAj
🚨 Alert: New GaiaTools crypter-and-loader service spotted in stealthy multi-stage attack: https://t.co/THeTX0lh4a
🔍 This new, multi-stage attack delivery chain pivots from a Batch script to PowerShell, retrieving a staged payload via Pastee[.]dev, de-obfuscating it through layered Base64 and single-byte XOR transformations.
The attack culminates in shellcode execution and deployment of an AutoIt-based loader, ultimately injecting an encrypted payload into the legitimate charmap.exe process to evade detection. Final C2 is established through GaiaTools, a seemingly new crypter-and-loader service advertised on Telegram.
GaiaTools is promoted as being able to crypt executables at scale, with in-memory shell execution capabilities and syscall-based code execution. They also offer a small, tiny PE loader with the customer’s baked-in gate URL for fetching a final payload, a Golang infostealer this time.
🛠️ Takeaways:
⛓️ Attack chain: Batch → PowerShell → Pastee[.]dev → PowerShell → Base64 → XOR → Shellcode → AutoIt loader → Encrypted payload (XOR) → Inject to charmap.exe → GaiaTools C2
🎭 Obfuscated Batch script using env vars to build commands and strings one character at a time, using substitution / lookup table
📥 PowerShell command to grab staged loader from Pastee[.]dev
🧠 The in-memory shellcode loader is written in heavily obfuscated PowerShell with sleeps, pointless random calculations, Base64 obfuscation, and single-byte XOR-decryption (0xED)
💾 Allocates a block of RWX memory via kernel32!VirtualAlloc, copies the decrypted shellcode to it, then turns the memory address into a .NET delegate and calls it
📂 Drops several files: AutoItv3 interpreter, encrypted AutoIt loader, encrypted payload
📡 Final stage is reaching GaiaTools, a seemingly new crypter-and-loader service to pull a Golang infostealer
🗓️ Domain gaia[.]su registered on 2026-03-11 at registrar REGRU-SU
IoCs:
abe7e5da48a8a55badb87c6937c19d10561fe6f22024c2a5b3600c97706e96bd (SHA256 - 1st stage)
b73fe7ca0fd4e4e0a9e8b8f5fdecb42a95f91f7477e2fecf129f797e2892d21c (SHA256 - 2nd stage)
28ca2c00c4e2e5e9a7a1b469c264358fff209822a9dc0a74443e1eb0eb11b315 (SHA256 - 3rd stage)
hxxps://pastee[.]dev/r/6OVBx076 (2nd stage payload)
hxxps://gaia[.]su/remote-admin/api/payload/91e70b4f5f92e2f138aa8c612cfbc517[.]exe (3rd stage payload)