Post by VMRay

7,845 followers

Attackers are getting better at hiding in plain sight. Payloads tucked inside environment variables, never visible in the command line. Phishkits that look like a dozen legitimate behaviors until you see them together. Legitimate remote management tools delivered through fake brand pages. https://lnkd.in/e7W_3cJW Catching this kind of activity comes down to one thing: understanding how it behaves. Tomorrow at Patrick Staubmann, Threat Analysis Team Lead at VMRay, walks through the latest detection work from VMRay Labs. What's on the agenda: šŸ”¹ A four-signal meta-VTI that identifies #phishkit behavior by correlating individually-benign signals, tuned for #EvilProxy-style activity šŸ”¹ PowerShell executed from environment variables, a staging technique built to stay out of the command line šŸ”¹ Windows #Defender emulator evasion via NtIsProcessInJob, observed in SquidLoader šŸ”¹ #Phishing pages delivering legitimate RMM tools through fake brand pages šŸ”¹ Updated config extractors for ArechClient2/SectopRAT and Gh0stRAT šŸ”¹ 30+ new #YARA rules across stealers, loaders, backdoors, #ransomware, and emerging phishing, including fake Claude installer lures targeting macOS Built for #SOC analysts tracking evasion and security engineers hardening their detection pipelines. Practical, behavioral, and to the point. šŸ”— https://lnkd.in/e7W_3cJW #Webinar #PhishingDetection #MalwareAnalysis

Post content