Release Highlights: VMRay Platform 2025.2.0

Introduction

The first release of 2025 is already behind us, but we’re just getting started. We hope you’ve enjoyed the features delivered in recent months, including searchable threat names, clipboard access detection, enhanced LNK analysis, and residential traffic support via Geofence VPN in Cloud instances.

Now, we’re happy to share the next round of updates to the VMRay Platform and give you a glimpse into what’s to come. Let’s dive into the details!

Picture This – SVG File Analysis is on!

Recently, our Labs team has observed a growing trend in phishing attacks that exploit SVG files, often delivered as email attachments. In a typical phishing campaign using SVGs, the attached file either tricks users into clicking a malicious link or displays a fake login form to steal credentials.

Historically, SVG files haven’t been widely used in cyberattacks, which means many security solutions lacked robust support for scanning them, allowing these threats to slip through undetected. Moreover, SVG attachments in emails are uncommon, making them both suspicious and surprisingly effective for attackers.

Why are SVGs attractive to threat actors?

Unlike traditional raster image formats (PNG, JPG), SVGs are text-based XML documents, so they can contain embedded scripts and links, which makes them well suited to obfuscation and phishing tactics.

  1. Phishing via embedded links: attackers can hide malicious URLs inside the file.
  2. JavaScript-based payloads: malicious scripts can execute when the SVG is opened in a browser.
  3. Lower detection rates: SVGs are less likely to be flagged by security tools compared to PDFs and DOCX files.
  4. No execution warnings: unlike macros in DOCX or EXE files, opening an SVG typically doesn’t alert the user.
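The four properties above are what a scanner has to look for. As an added example (not VMRay’s own analysis code), the Python below parses an SVG as XML and flags the constructs those phishing lures rely on: embedded scripts, event handlers, external or javascript:/data: URLs, and HTML form elements carried in foreignObject. The sample SVG is constructed, with reserved .invalid hostnames.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
# Constructed sample, not a real attachment: an embedded script, an onload handler,
# an external link and a fake login form inside foreignObject (.invalid is a reserved TLD).
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="400" height="300" onload="init()">
  <script><![CDATA[ function init() { /* a real lure would redirect here */ } ]]></script>
  <a xlink:href="https://account-verify.invalid/login"><text x="10" y="40">Open document</text></a>
  <foreignObject width="400" height="200">
    <form xmlns="http://www.w3.org/1999/xhtml" action="https://collector.invalid/post">
      <input type="password" name="pw"/>
    </form>
  </foreignObject>
</svg>"""
URL_ATTRS = {"href", "action", "src"}
HTML_TAGS = {"form", "input", "iframe", "embed", "object"}

def local_name(qualified: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qualified.rsplit("}", 1)[-1].lower()

def inspect_svg(data: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    findings = []
    for el in root.iter():
        if not isinstance(el.tag, str):          # skip comments / processing instructions
            continue
        tag = local_name(el.tag)
        if tag == "script":
            findings.append("embedded <script> element")
        elif tag == "foreignobject":
            findings.append("foreignObject element (can carry arbitrary HTML)")
        elif tag in HTML_TAGS:
            findings.append(f"HTML <{tag}> inside SVG (possible credential form)")
        for attr, value in el.attrib.items():
            name = local_name(attr)
            if name.startswith("on"):
                findings.append(f"event handler {name}= on <{tag}>")
            elif name in URL_ATTRS:
                parsed = urlparse(value.strip())
                if parsed.scheme in ("http", "https"):
                    findings.append(f"external URL {parsed.netloc} in {name}= on <{tag}>")
                elif parsed.scheme in ("javascript", "data"):
                    findings.append(f"{parsed.scheme}: URI in {name}= on <{tag}>")
    return findings
```

A plain image with only shapes and paths produces no findings, so the check separates legitimate diagrams from lures without any rendering.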

With that in mind, we’re happy to announce that the VMRay Platform now supports SVG file analysis, enabling static, web, and reputation analysis. Try it out today and uncover the true nature of your SVG files.

SVG vs PNG/JPG security concerns


SVG file web analysis in the VMRay Platform


Enhanced Visibility into Advanced Injection Techniques: Spotting DLL Hollowing and beyond

This release also brings a major upgrade to our Dynamic Analysis engine, focused on detecting one of malware’s sneakiest tricks: DLL Hollowing and similar advanced code injection techniques.

What prompted the change?

Some advanced malware samples were bypassing our detection—and both we and our customers flagged the gaps. These threats leveraged techniques like stealthy process creation, thread manipulation, and remote code injection to evade visibility. Our existing monitoring logic didn’t fully capture the lower-level behaviors enabling these tactics.

What’s new?

We expanded our behavioral visibility to cover these stealthy tactics. Specifically, we now dynamically monitor system libraries when suspicious changes are detected, such as:

  • A system library being newly loaded into memory

  • Permissions of a module being altered (e.g., from read-only to executable)

  • Shellcode or modified content being written into the module

  • Execution jumping into those modified regions

This lets us catch malware mid-act, even when it hides in plain sight inside legitimate system components, and improves our ability to detect evasive threats like HijackLoader, which rely on sophisticated injection methods to avoid detection.
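The four signals listed above only become an alert when they are correlated per module. As an added example (not VMRay’s engine, event format or data), the Python below runs a small correlator over a constructed event stream: it records each module’s load, protection changes and writes, and raises an alert only when execution enters bytes that were written into the module after it was loaded. Module paths and addresses are made up.

```python
from dataclasses import dataclass, field

WRITABLE = {"PAGE_READWRITE", "PAGE_EXECUTE_READWRITE", "PAGE_WRITECOPY"}
EXECUTABLE = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ", "PAGE_EXECUTE_READWRITE"}

# Constructed event stream, not VMRay's format or data. Tuples are
# (pid, kind, module, start, end, detail); detail is the new protection for "protect".
# The first module is hollowed; the second is loaded and used normally.
HOLLOWED = "C:\\Windows\\System32\\constructed_target.dll"
CLEAN = "C:\\Windows\\System32\\kernel32.dll"
SAMPLE_EVENTS = [
    (4242, "load",    HOLLOWED, 0x7FF8_0000_0000, 0x7FF8_0040_0000, ""),
    (4242, "protect", HOLLOWED, 0x7FF8_0000_1000, 0x7FF8_0000_2000, "PAGE_READWRITE"),
    (4242, "write",   HOLLOWED, 0x7FF8_0000_1000, 0x7FF8_0000_1800, "2048 bytes"),
    (4242, "protect", HOLLOWED, 0x7FF8_0000_1000, 0x7FF8_0000_2000, "PAGE_EXECUTE_READ"),
    (4242, "exec",    HOLLOWED, 0x7FF8_0000_1000, 0x7FF8_0000_1000, "new thread"),
    (4242, "load",    CLEAN,    0x7FF8_1000_0000, 0x7FF8_1010_0000, ""),
    (4242, "exec",    CLEAN,    0x7FF8_1000_5000, 0x7FF8_1000_5000, "call"),
]

@dataclass
class ModuleState:
    """Per (pid, module) record of the stages the release notes list."""
    loaded: bool = False
    made_writable: bool = False
    made_executable: bool = False
    written: list = field(default_factory=list)   # (start, end) ranges written after load

def analyse(events):
    """Correlate events per module; alert when execution lands in bytes written after load."""
    state, alerts = {}, []
    for pid, kind, module, start, end, detail in events:
        st = state.setdefault((pid, module.lower()), ModuleState())
        if kind == "load":
            st.loaded = True
        elif kind == "protect":
            st.made_writable |= detail in WRITABLE
            st.made_executable |= detail in EXECUTABLE
        elif kind == "write" and st.loaded:
            st.written.append((start, end))
        elif kind == "exec" and any(s <= start < e for s, e in st.written):
            stages = ["system library loaded"]
            if st.made_writable:
                stages.append("module protection changed to writable")
            if st.made_executable:
                stages.append("module protection changed to executable")
            stages += ["content written into module", "execution entered modified region"]
            alerts.append({"pid": pid, "module": module, "address": start, "stages": stages})
    return alerts
```

The clean module never triggers because nothing was written into it, and the hollowed one only triggers at the final execution event, which is the point at which a sandbox can dump the modified region.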

From Sydney to Stavanger: New VPN Endpoints on EU Cloud

Advanced malware often stays inactive until it detects it’s running in a specific region—using clues like IP geolocation, system language, or time zone. To help our customers stay one step ahead of these location-aware threats, we expanded our Geofence VPN capabilities on the EU Cloud Platform.

The 2025.2 release adds three new Geofence VPN endpoints:

  • ?? Norway

  • ?? Portugal

  • ?? Australia

With these additions, customers can now simulate traffic from even more geographic regions while staying within the secure boundaries of the EU Cloud. This means:

  • Better evasion resistance

  • Broader malware detonation scenarios

  • More accurate threat intelligence from geo-targeted campaigns

These endpoints are now live and ready to use, giving you greater flexibility to detect, analyze, and respond to threats that rely on regional triggers.

New VPN endpoints on VMRay EU Cloud instances


Prioritized Live Interaction Analysis

Live Interaction is one of VMRay’s standout features, allowing analysts to actively engage with a running virtual machine during Web or Dynamic Analysis. While VMRay’s Adaptive Browsing Simulation (for phishing) and Automatic User Interaction (for malware) emulate human-like behavior during unattended analyses, Live Interaction helps uncover threats that require targeted, manual engagement.

Analysts often can’t wait for a scheduled analysis to complete, especially after submitting multiple suspicious files in advance. When they decide to take a closer look, they need to be able to interact with minimal waiting time. To support this, we reworked how the system handles Live Interaction submissions in the account queue.

Live Interaction jobs now get a significantly higher scheduling priority. That means faster access to the VM and less waiting for analysts ready to dive in. We also ensured that recursive jobs spawned by Live Interaction inherit a priority boost, keeping the analysis pipeline efficient end-to-end. These improvements mark the first step in our broader effort to enhance the user experience of Live Interaction.

Final Thoughts

As mentioned in the Live Interaction update, enhancing this feature remains our top priority; we’re committed to delivering a faster, more seamless experience so you can get the most out of every interactive analysis.

But that’s not all. We’re excited to give you a preview of what’s coming next: a new Threat Intelligence Feed by VMRay designed to deliver high-confidence, noise-free threat data. This marks a major step forward in our journey into the Cyber Threat Intelligence space. Delivered via TAXII 2.1 and supporting formats like STIX 2.1, JSON, CSV, and MISP Extended Format, our Threat Feed is built for easy integration into your existing security tools and workflows. Stay tuned—our marketing team will be sharing more details soon.

Wishing you a secure and productive May, and as always, thank you for being part of the VMRay community.

Original link: https://www.vmray.com/release-highlights-vmray-platform-2025-2-0/