Journal of Information Processing
Online ISSN : 1882-6652
ISSN-L : 1882-6652
 
The Threat of Customized Malware Using Personally Identifiable Information for Target Identification
Rui Tanabe, Yuta Inoue, Daigo Ichikawa, Takahiro Kasama, Daisuke Inoue, Katsunari Yoshioka, Tsutomu Matsumoto
JOURNAL FREE ACCESS

2026 Volume 34 Pages 216-229

Abstract

Malware security appliances are critical defenses against the growing number of malware attacks organizations face. However, malware authors have integrated sandbox evasion techniques into modern malware, enabling attacks that may bypass security appliances and products. Furthermore, adversaries can design Customized Malware that reveals its malicious payload only when the identifier of the target-specific system can be verified, bypassing sandboxes and even non-targeted hosts. This approach presents another burden and challenge for malware sandbox engineers, as security has not kept pace with these developments. This paper presents a targeted attack scenario and evaluates the risk of this threat, while providing ideas for countermeasures. We introduce the idea that attackers can leverage publicly available personally identifiable information (PII) of the target system as identifiers, particularly targeting hosts that store business email addresses on their PCs. To first evaluate Applicability, we investigated a set of desktop applications and identified 18 popular applications that store email addresses in their files or directories. To evaluate Identifiability, we implemented a survey tool that accesses these applications and records whether email addresses were found. The survey was conducted with 218 MTurk workers. Among the 143 workers using at least one of the applications, email addresses could be found on all of their PCs. Additionally, a test with 9 laboratory members and staff confirmed the ability to identify target-specific email addresses from 16 desktop applications. In addition to email addresses, usernames used on social media platforms are effective in identifying target systems. Therefore, by installing several social networking service applications in a test environment, we identified 3 popular applications that store usernames in their files or directories.
Finally, to evaluate Stealthiness, we implemented dummy malware samples that search the executing environment for the target host's email address or usernames and refrain from unpacking the malicious payload if the mark is absent. We show that two commercial malware security appliances and a malware analysis solution would fail to unpack the malicious payload. To mitigate this attack scenario, we discuss countermeasures from both the sandbox and user perspectives, including enhanced sandbox alerts for search behavior and inserting dummy email addresses and/or usernames into target systems. We also contacted the relevant security appliance vendors to inform them of the potential threat and provided proof-of-concept programs to assist in their preparation.
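The sandbox-side countermeasure the abstract mentions, alerting on search behavior, can be sketched as a heuristic over a file-access trace. The following Python is an added example written for this page, not code from the paper or its authors: it parses a constructed trace, treats a process that reads the profile folders of several other applications under a user's AppData within a short window as a candidate for a "PII search" alert, and reports it. The trace format, the placeholder application folder names (MailClientA, ChatAppB, and so on), and the thresholds are all assumptions, not values from the paper.

```python
import re
from collections import defaultdict

# Constructed sample sandbox trace (not from the paper). One event per line:
#   <seconds since start>|<pid>|<process>|<READ or WRITE>|<path>
# Application folder names (MailClientA, ChatAppB, ...) are placeholders.
SAMPLE_TRACE = r"""
0.10|4120|invoice.exe|READ|C:\Users\alice\AppData\Roaming\MailClientA\profiles\default\prefs.js
0.35|4120|invoice.exe|READ|C:\Users\alice\AppData\Roaming\MailClientA\profiles\default\abook.sqlite
0.80|4120|invoice.exe|READ|C:\Users\alice\AppData\Roaming\ChatAppB\settings.json
1.20|4120|invoice.exe|READ|C:\Users\alice\AppData\Local\BrowserC\User Data\Default\Preferences
1.50|4120|invoice.exe|READ|C:\Users\alice\AppData\Roaming\NotesAppD\config.xml
0.20|2210|ChatAppB.exe|READ|C:\Users\alice\AppData\Roaming\ChatAppB\settings.json
0.90|2210|ChatAppB.exe|WRITE|C:\Users\alice\AppData\Roaming\ChatAppB\cache\001.bin
2.00|3300|updater.exe|READ|C:\Users\alice\AppData\Local\BrowserC\User Data\Default\Preferences
2.40|3300|updater.exe|READ|C:\Users\alice\AppData\Local\Temp\update.log
"""

# Captures the application folder directly under a per-user AppData root.
_APP_DIR = re.compile(r"\\AppData\\(?:Roaming|Local|LocalLow)\\([^\\]+)\\", re.IGNORECASE)
# Folders under AppData that are not application profiles (assumed list).
_NOT_PROFILES = {"temp"}


def parse_trace(text):
    """Parse the pipe-separated trace into event dicts, skipping blank lines."""
    events = []
    for line in text.strip().splitlines():
        t, pid, proc, op, path = line.split("|", 4)
        events.append({"t": float(t), "pid": int(pid), "proc": proc,
                       "op": op.upper(), "path": path})
    return events


def profile_app(path):
    """Return the application folder name a path belongs to, or None."""
    m = _APP_DIR.search(path)
    if not m:
        return None
    app = m.group(1)
    return None if app.lower() in _NOT_PROFILES else app


def find_pii_search_candidates(events, app_threshold=3, window_seconds=30.0):
    """Flag processes that read profile data of several *other* applications
    within a short window. Both thresholds are hypothetical starting points
    that a sandbox operator would tune against benign traces."""
    per_pid = defaultdict(lambda: {"proc": None, "reads": []})
    for ev in events:
        if ev["op"] != "READ":
            continue
        app = profile_app(ev["path"])
        if app is None:
            continue
        # A program reading its own profile folder is normal; skip it.
        own = ev["proc"].lower().rsplit(".", 1)[0]
        if app.lower() == own:
            continue
        entry = per_pid[ev["pid"]]
        entry["proc"] = ev["proc"]
        entry["reads"].append((ev["t"], app))

    flagged = []
    for pid, entry in per_pid.items():
        times = [t for t, _ in entry["reads"]]
        apps = sorted({a for _, a in entry["reads"]})
        if len(apps) >= app_threshold and max(times) - min(times) <= window_seconds:
            flagged.append({"pid": pid, "proc": entry["proc"], "apps": apps})
    return flagged


if __name__ == "__main__":
    for hit in find_pii_search_candidates(parse_trace(SAMPLE_TRACE)):
        print(f"pid {hit['pid']} ({hit['proc']}) read profile data of: "
              + ", ".join(hit["apps"]))
```

On the constructed trace only `invoice.exe` is reported: it touches four foreign profile folders in under two seconds, while `ChatAppB.exe` reads only its own data and `updater.exe` reads one profile folder plus a temp file. In a real sandbox the events would come from its own file-system monitor rather than a text file, and the alert would be surfaced next to the verdict so that a sample which reads many profiles and then exits quietly is not simply scored as benign.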

© 2026 by the Information Processing Society of Japan