New Config Extractors, a 4-VTI Phishkit Behavior Detection Set, and 30+ New YARA Rules

Solution Category: Security Analytics
Type: Webinar
Organization: VMRay

Webinar Description

Key Takeaways

  • VMRay Labs presents new detection capabilities including a four-signal meta-detection set for identifying phishkit behaviour
  • Coverage of newly developed configuration extractors for ArechClient2/SectopRAT and Gh0stRAT malware families
  • More than 30 new YARA rules targeting stealers, loaders, backdoors, ransomware and emerging phishing campaigns
  • Technical focus on evasion techniques including PowerShell execution hidden within environment variables and Windows Defender emulator bypass methods
  • Relevant for SOC analysts, threat researchers and security engineers working on detection engineering

Introduction

VMRay Labs is hosting a technical session on 30 June 2026 focused on recent additions to its threat detection capabilities. Led by Patrick Staubmann, Threat Analysis Team Lead at VMRay, the presentation addresses the ongoing challenge of identifying malicious behaviour as attackers increasingly abuse legitimate tools and employ sophisticated evasion techniques. The session is designed for security operations centre analysts and detection engineers seeking to understand current threat actor methodologies and corresponding defensive measures.

About This Event

This monthly detection highlights session from VMRay Labs provides a technical overview of newly developed threat identification mechanisms. The presentation draws on continuous analysis of real-world malware samples and intelligence gathered from across the security research community. Rather than focusing on individual malware samples in isolation, the session emphasises behavioural patterns that enable detection of entire attack categories.

The format combines explanation of specific detection logic with practical context about how these capabilities translate into operational security improvements. Attendees can expect detailed technical discussion rather than high-level product overviews.

VMRay Threat Identifiers and Phishkit Detection

A central focus of the session is the introduction of new VMRay Threat Identifiers, the behavioural signals that VMRay’s analysis platform uses to classify malicious activity. The most significant addition is a four-signal meta-detection set specifically engineered to identify phishkit behaviour. Phishkits—pre-packaged toolsets that enable attackers to rapidly deploy credential harvesting infrastructure—have become increasingly sophisticated, often incorporating anti-analysis features and dynamic content generation that complicates traditional detection approaches.

By combining multiple behavioural indicators into a meta-detection framework, the new capability aims to identify phishing infrastructure based on characteristic operational patterns rather than relying solely on static indicators that attackers can easily modify. This approach reflects a broader industry shift toward behavioural analysis as signature-based detection struggles to keep pace with attacker innovation.

Evasion Technique Coverage

The session addresses several evasion techniques that have gained prominence in recent malware campaigns. One notable method involves concealing PowerShell execution within environment variables, a technique that can bypass security controls monitoring for obvious PowerShell invocation patterns. By storing malicious commands in environment variables and executing them indirectly, attackers can evade detection mechanisms that rely on command-line argument inspection.
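As an added illustration (not code from the webinar or from VMRay's platform), the following Python checks constructed Sysmon-style process-creation records for the indirection just described: a PowerShell process that reads code from an environment variable and executes it, optionally launched by a cmd.exe chain that seeds the variable. The field names follow Sysmon Event ID 1; the sample command lines are constructed and the staged content is a harmless Write-Host.

```python
import re

# Constructed Sysmon Event ID 1 style records, trimmed to the fields this check uses.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -NoProfile -Command "Get-ChildItem C:\\Temp"',
     "ParentCommandLine": "explorer.exe"},
    {"id": 2, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -w hidden -c "iex $env:STAGE"',
     "ParentCommandLine": 'cmd.exe /c set STAGE=Write-Host demo& powershell.exe -w hidden -c "iex $env:STAGE"'},
    {"id": 3, "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh.exe -c \"& ([scriptblock]::Create([Environment]::GetEnvironmentVariable('X')))\"",
     "ParentCommandLine": "wscript.exe stage.vbs"},
    {"id": 4, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo %PATH%", "ParentCommandLine": "explorer.exe"},
]

POWERSHELL_IMAGE = re.compile(r"^(powershell|pwsh)(\.exe)?$", re.I)
# The command line reads an environment variable instead of carrying the script itself...
ENV_READ = re.compile(r"\$env:\w+|\$\{env:|GetEnvironmentVariable", re.I)
# ...and turns that string into code. This is the indirection that defeats plain
# command-line matching: the variable's content never appears in the process arguments.
EXEC_PRIMITIVE = re.compile(r"\biex\b|Invoke-Expression|\[scriptblock\]::Create", re.I)
# A parent cmd.exe chain that seeds the variable just before launching PowerShell.
PARENT_SETS_ENV = re.compile(r"\bset\s+\w+=", re.I)

def is_env_var_powershell(event):
    """True when a PowerShell process executes code it reads from an environment variable."""
    image = event["Image"].rsplit("\\", 1)[-1]
    if not POWERSHELL_IMAGE.search(image):
        return False
    cmd = event["CommandLine"]
    return bool(ENV_READ.search(cmd) and EXEC_PRIMITIVE.search(cmd))

def detect(events):
    """Return (event id, reasons) for each matching event, in input order."""
    hits = []
    for ev in events:
        if not is_env_var_powershell(ev):
            continue
        reasons = ["PowerShell executes code read from an environment variable"]
        if PARENT_SETS_ENV.search(ev.get("ParentCommandLine", "")):
            reasons.append("parent cmd.exe chain sets the variable before launching PowerShell")
        hits.append((ev["id"], reasons))
    return hits
```

Because the staged content never appears in the process arguments, pair a check like this with PowerShell Script Block Logging (Event ID 4104), which records what was actually executed.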

Another technique covered is Windows Defender emulator evasion through the NtIsProcessInJob API call. Security products often execute suspicious files within emulated environments to observe behaviour before allowing execution on production systems. Malware authors have developed various methods to detect these emulated environments and alter their behaviour accordingly. The NtIsProcessInJob technique represents one such sandbox detection method, and VMRay’s new detection capabilities are designed to identify when malware employs this specific evasion approach.

The presentation also covers detection of phishing pages that deliver remote management tools. This attack pattern has become increasingly common as threat actors leverage legitimate remote access software to establish persistent access to compromised systems, blending malicious activity with tools that organisations may already use for legitimate purposes.

Configuration Extractors for Remote Access Trojans

Configuration extractors represent a critical capability for threat intelligence operations, enabling analysts to automatically retrieve command-and-control server addresses, encryption keys, and other operational parameters from malware samples. The session covers updated extractors for two remote access trojan families: ArechClient2 (also known as SectopRAT) and Gh0stRAT.

ArechClient2/SectopRAT is an information-stealing trojan that has been active in various campaigns targeting credentials and sensitive data. Gh0stRAT, originally developed over a decade ago, continues to appear in modified forms across numerous threat actor operations, particularly those attributed to groups operating from East Asia. Maintaining current configuration extractors for these families enables security teams to quickly identify infrastructure associated with active campaigns and implement appropriate blocking measures.

Expanded YARA Rule Coverage

The session details more than 30 new YARA rules developed by VMRay Labs. YARA remains the de facto standard for pattern-based malware identification, and these rules expand detection coverage across multiple threat categories including information stealers, malware loaders, backdoors, and ransomware variants.

Of particular note is coverage for emerging phishing campaigns that use fake Claude installer lures targeting macOS users. As artificial intelligence tools have gained mainstream adoption, threat actors have begun exploiting user interest in these applications to distribute malware. The fake installer approach capitalises on users seeking to download popular software, redirecting them to malicious payloads instead. The inclusion of macOS-specific detection reflects the growing attention threat actors are paying to Apple’s operating system as enterprise Mac deployment continues to expand.

Who Should Attend

The session is designed for security professionals with hands-on responsibilities in threat detection and response. SOC analysts tracking evasion techniques will benefit from understanding the specific methods attackers are currently employing and how behavioural analysis can surface these activities. Security engineers responsible for detection pipeline development can apply the discussed concepts to strengthen their own detection logic, whether using VMRay’s platform or developing complementary capabilities.

Threat intelligence analysts and malware researchers will find value in the configuration extractor updates and YARA rule expansions, which provide immediate practical utility for ongoing investigations. The technical depth of the presentation assumes familiarity with malware analysis concepts and detection engineering principles.