Forcepoint X-Lab Researcher Discovers Use of Virtual Hard Disk Image File for VenomRAT malware

March 2025 by Forcepoint

The researchers at Forcepoint X-Labs report on a new technique threat actors use to bypass security measures, deliver malware, infect systems and exfiltrate data: a virtual hard disk image file is used to host and distribute the VenomRAT malware.

In this technical post, Security Researcher Prashhant Kumar explains how the VenomRAT campaign starts with a phishing email that uses a purchase order as a lure to convince users to open the attachment. The email carries an archive attachment that, when extracted, contains a virtual hard disk image (.vhd) file. When opened, the image is mounted as a disk drive. That mounted drive contains a batch script that carries out the malicious activity through PowerShell and sends sensitive information to malicious C2 servers.
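As an added example (not code from Forcepoint's post), the following Python routine shows one way a mail gateway or sandbox could flag the delivery pattern described above: it opens an archive attachment, reports any member that is a mountable disk image by extension, and also checks for the VHD footer cookie "conectix" so that a renamed image is still caught. The archive contents and the purchase-order file name are constructed sample data, not artifacts from the campaign.

```python
import io
import zipfile
from typing import Dict, List

# Extensions Windows mounts as a drive on double-click; .vhd is the one used in this campaign.
DISK_IMAGE_EXTS = (".vhd", ".vhdx", ".iso", ".img")
VHD_COOKIE = b"conectix"  # every VHD carries a 512-byte footer that starts with this cookie


def is_vhd(data: bytes) -> bool:
    """True if the fixed-VHD footer (last 512 bytes) or the dynamic-VHD footer copy at offset 0 is present."""
    if len(data) < 512:
        return False
    return data[-512:].startswith(VHD_COOKIE) or data[:8] == VHD_COOKIE


def scan_archive(blob: bytes) -> List[Dict]:
    """Return one finding per archive member that looks like a disk image, by extension or by signature."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            by_ext = info.filename.lower().endswith(DISK_IMAGE_EXTS)
            by_sig = is_vhd(data)
            if by_ext or by_sig:
                findings.append({"member": info.filename, "by_ext": by_ext,
                                 "by_sig": by_sig, "size": len(data)})
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a purchase-order lure archive holding a minimal fake VHD and a harmless text file."""
    fake_vhd = b"\x00" * 1024 + VHD_COOKIE.ljust(512, b"\x00")  # footer-only stand-in, not a real image
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Purchase_Order_4521.vhd", fake_vhd)   # caught by extension and signature
        zf.writestr("README.txt", b"see attached")         # benign, not reported
        zf.writestr("renamed.dat", fake_vhd)               # disguised: only the signature check catches it
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_archive(build_sample_archive()):
        print(finding)
```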

RATs like VenomRAT are pretty common these days, and their operators will keep adopting new techniques to deliver malware. In a unique twist, the attackers here delivered the malware inside a virtual hard disk image file to evade detection.