📢 Google TI Mondays. Quick reminder to follow the Google TI Mondays series across our social platforms every week for quick, actionable practitioner tips and product adoption advice designed to enhance your efficiency. #GoogleTIMondays
💪 Detection highlights. The Google Threat Intelligence Group and FLARE team consistently update Google TI's YARA rules and malware configuration extractors. This week, we focused on improving coverage for existing malware families. We updated 11 YARA rules and 2 configuration extractors. A few examples of families we updated our coverage for are: VIDAR, POISONPLUG.SHADOW, and GLUPTEBA.
These updates ensure you have the latest indicators that were extracted by our configuration extraction systems and YARA rules.
🆕 Ransomware Data Leaks endpoint now available via the API. The Ransomware Data Leaks dashboard is our threat intelligence tool that aggregates data from numerous data leak sites (DLS) to track extortion trends, victim volume, and active threat actor brands; it serves as a strategic "command center" for cybersecurity teams. The new endpoint lets customers programmatically retrieve the raw data powering the dashboard, so ransomware intelligence can be integrated into automated security workflows, custom reporting, and internal SOAR platforms. Our documentation provides practical examples to help you get started with this endpoint.
🆕 New URL search modifiers. The Intelligence Search feature allows users to execute complex and powerful queries against our expansive dataset of malicious indicators, enabling threat hunters to uncover infrastructure, track campaigns, and identify evolving threats. We have introduced three new search modifiers for URL entities: last_modified, last_modification_date, and lm. These modifiers allow analysts to filter URL indicators based on the exact time they were last updated in our database.
See example.
🆕 Saved Searches. The Intelligence Search feature allows users to execute complex and powerful queries against our expansive dataset of malicious indicators, enabling threat hunters to uncover infrastructure, track campaigns, and identify evolving threats. Instead of manually reassembling the required search modifiers every time a recurring search has to be run, users can now store a query as a Saved Search and reuse or re-execute it across our database of IoC analysis reports (files, URLs, domains, IP addresses).
🆕 Agentic can now construct intelligence searches / queries. Agentic is the AI-powered assistant within GTI, designed to simplify and streamline complex threat intelligence tasks. Users can now leverage natural language to automatically generate complex intelligence searches / queries for IoCs (files, URLs, domains, IP addresses). This new capability eliminates the previous requirement for analysts to manually consult and apply a wide array of search modifiers, significantly speeding up IoC investigation and improving search accuracy. Additionally, the tool allows users to:
Copy the resulting query
Open it in the platform without running it, so it can be modified if needed before it is run
Execute it
Compute commonalities of the matched IoCs
💪 Detection highlights. The Google Threat Intelligence Group and FLARE team consistently update Google TI's detection content. This week, we focused on updating existing malware family coverage with both YARA and malware configuration extractors. The teams updated our detections for malware families like VIDAR, POISONPLUG.SHADOW, and PAPERPUCK. These updates ensure you have the latest indicators that were extracted by our configuration extraction systems.
💪 Enhanced PE and ELF Binary Behavior Detections. CAPA, a tool maintained by the FLARE team, provides human-readable explanations of suspicious behavior that a binary may exhibit when executed. Our platform runs CAPA on all PE and ELF binaries, displaying results in the BEHAVIOR tab of the UI. CAPA has recently been updated with 21 new and 10 improved behavior detection rules, which have been fully integrated into our supported file analysis process. This enhancement adds new rules focused on defense evasion, anti-analysis, and system manipulation observed in malware, including:
🆕 Intelligence at Speed - Instant Executive Briefs Powered by Agentic. We have integrated the Agentic Conversational AI platform across all major Threat Intelligence object list views (such as Threat Actors, Malware & Tools, Campaigns, IoC Collections, Reports, and Vulnerabilities). This new capability is accessed via a single Brief button. After selecting a set of objects, clicking the Brief button automatically initiates a conversation within the Agentic interface, allowing the AI to produce an executive summary focused specifically on the selected entities' recent activity.
🆕 Download Dropped Files from Private Sandboxes. Our Private Scanning service captures the complete runtime profile of analyzed files. By executing samples in multiple private sandboxes, we record all dropped files, network traffic, and system modifications, which are detailed in the BEHAVIOR tab of each file analysis report. You can now download a single, aggregated ZIP file containing all dropped files generated during a private dynamic analysis execution. This simplifies the transition from our platform to a local, isolated environment for deeper, hands-on forensic investigation of related artifacts.
💪 Improved OSINT articles context. OSINT threat intelligence articles are sourced and integrated automatically from a collection of pre-vetted, reliable publishers, or ingested by users. These articles serve as an invaluable asset for threat intelligence, converting a massive volume of publicly available threat information into contextual, high-value, and immediately usable insights. This enables security teams to engage in proactive defense measures and inform their strategic security planning. Now the OSINT articles are associated with Threat Actors and Malware Families as curated reports are, significantly enhancing their utility by providing direct links to relevant entities within the threat landscape, making it easier for analysts to track and understand campaigns, tooling, and adversaries.
See example.
📢 Google TI Mondays & Month of UNLIMITED UI Searches. Quick reminder that for the entire month of November, all Google Threat Intelligence and VirusTotal customers will benefit from unlimited, uncapped searches when performing manual queries through the web interface (GUI) using the core VirusTotal / GTI search feature. Follow the Google TI Mondays and Month Of GoogleTI Search series across our social platforms every week for quick, actionable practitioner tips and product adoption advice designed to enhance your efficiency. These actionable tips are essential. #GoogleTIMondays, #MonthOfGoogleTISearch.
💪 Detection highlights. The Google Threat Intelligence Group and FLARE team consistently update Google TI's YARA rules. This week we released YARA rules covering 3 newly tracked malware families and updated YARA rules for 6 existing families. This update prioritizes malware families actively observed in Mandiant incident response engagements, SecOps customer environments, and top GTI search trends.
As we track new malware families found through our research, we build and release detection signatures. Some recent examples include:
HELLCAT.GO: a HELLCAT ransomware variant written in Go that is capable of encrypting files on local and network drives using the RSA and ChaCha20 algorithms. The extension .HC is appended to the file name for each encrypted file. HELLCAT.GO is also capable of spreading to other networked machines, using spot encryption for file types associated with virtual machines, killing specified processes and services, skipping specified files and directories, wiping event logs, and deleting volume shadow copies. It drops a ransom note titled README_HELLCAT.txt after the encryption process is complete.
SHINYSPIDER: ransomware written in Go that uses RSA and ChaCha20 for encryption. An 8-character extension is generated for each encrypted file, and depending on the file size, files are either partially or fully encrypted. SHINYSPIDER is also capable of encrypting files on local and network drives, spreading to other networked systems, killing specified processes and services, wiping event logs, disabling hooks added by security tools and deleting volume shadow copies.
ASHCLOUD: a disruption wiper utility and dataminer disguised as a security scan application. It scans all connected drives for particular file types, encrypts each file's content with AES using a single session key (prepending the AES IV to the encrypted file), RSA-encrypts the AES session key with an embedded public key, and exfiltrates the encrypted session key together with the encrypted files to an attacker-controlled Dropbox. Once the data theft routine is complete, or immediately upon receiving a "skip_backup" command from the Telegram C2, ASHCLOUD uses secure deletion algorithms to irreversibly wipe the local files. Additionally, ASHCLOUD can execute commands on the victim's system, allowing the attacker to maintain persistence and run arbitrary system commands via a Telegram bot.
In addition to providing detection rules for new and emerging threats, we continue to update our detection systems for threats like LOCKBIT, MISTPEN, and SUO5. These updates ensure you have the latest indicators.
🆕 Tagging and Search for Agentic Prompts. Agentic Prompts are reusable query templates within the Agentic conversational AI platform. They allow security analysts to create standardized, structured instructions for the AI agents to automate and accelerate recurring threat investigation, malware analysis, and reporting workflows in Google TI. Users can now assign custom tags when creating or modifying an Agentic prompt. This introduces a new search and filtering capability in the prompt library, allowing analysts to quickly locate prompts by criteria such as Analysis, Briefings, Trends, Vulnerability and New prompts, or by any other word from the prompt description.
💪 Detection highlights. The Google Threat Intelligence Group and FLARE team consistently update Google TI's YARA rules and malware configuration extractors. This week, we’ve released YARA rules for 9 newly tracked malware families and updated existing YARA rules for 31 families. We've also enhanced our configuration extraction platform with updates for 1 existing malware family. This update prioritizes malware families actively observed in Mandiant incident response engagements, SecOps customer environments, and top Google TI search trends.
As we track new malware families found through our research, we build and release detection signatures. Some recent examples include:
RAINWIZARD: a Windows backdoor written in Rust. RAINWIZARD uses OneDrive Graph API for command and control. Backdoor capabilities include file download, upload, file listing, command execution using cmd.exe or PowerShell and Windows registry run key modification.
SAGEWAVE: a launcher written in Java that acts as a servlet filter. SAGEWAVE registers a specific URL pattern to receive attacker traffic over HTTP to a compromised Java web server and expects to receive an encrypted Java class from an attacker in the HTTP request. The payload is decrypted using AES-128-CBC with a hard-coded key and IV and is parsed as a ZIP file. SAGEWAVE loads Java class files into memory from the decrypted ZIP archive, and then executes the "httpReq" method from a class with a filename ending in ".Cli". SAGEWAVE has been observed being dropped by SAGELEAF and is suspected to be used to deploy a payload similar to GOLDTOMB. See its curated YARA detection rules.
CHARON: a ransomware written in C++ that uses multiple threads to partially encrypt files on the localhost as well as in network shares. Samples have been observed terminating services and processes related to endpoint-agents and backup services. The targeted services belong to software made by eastern and western companies. CHARON samples also include an embedded driver, Dark-Kill, to gain kernel privileges and terminate more tamper-resistant AV and EDR software. See its curated YARA detection rules.
In addition to providing detection rules for new and emerging threats, we continue to update our detection systems for threats like OXEEYE, DONUT, and UPATRE. These updates ensure you have the latest indicators, including those extracted by our configuration extraction systems.
💡 Remember! Private Scanning + Code Insight. Private Scanning is a dedicated service that allows organizations to submit suspicious files and URLs for analysis while guaranteeing that IoCs, their execution data, and the resulting report remain completely confidential and are not shared publicly / with the community.
Remember that you can choose between static analysis only or static and dynamic detonation via the "Try to detonate in dynamic analysis sandboxes" checkbox.
Remember that the Code Insight analysis, which uses Gemini AI to assist malware analysts by generating natural language summaries of a file's functionality, is provided for private file analysis reports whenever possible.
💪 Improved trends visibility via Agentic. Agentic, our next-generation autonomous threat intelligence foundation that delivers instant, contextual, and actionable threat intelligence by fielding complex, natural language queries about security topics, indicators, and entities, has been upgraded to provide immediate visibility into prevalent threat data by running advanced queries that identify top trends over specific periods of time. Examples of supported queries include:
"Give me the mutexes most used by Emotet in the USA in the last 2 weeks."
"Give me the vhash most used by APT44 in the last month in the USA."
"Give me the countries where APT44 has used 035056655d155512e1z14z7dhz1020022fz most in the last month."
🆕 Providing clarity regarding Google TI objects + web citations vs artifact attachments in Agentic.
We have improved the organization of contextual data within the Agentic conversations. Instead of a single source button, two new, distinct buttons are now displayed:
Sources button, at the end of the conversation, dedicated to accessing the Threat Intelligence objects and external web citations used to formulate the conversation responses.
An Attachments button, next to the Share button, is now your way to view files and other artifacts uploaded during the conversation.
Sources and artifacts are no longer separated into two tabs. Instead, each item is displayed and accessed via its own dedicated button.
🆕 New outbound 3rd-party integrations. Integrations are vital to operationalizing Google Threat Intelligence (GTI), converting raw security insights into immediate, effective defensive action. These crucial integrations help organizations eliminate siloed data and dramatically enhance their security ecosystem, boosting efficiency and accelerating Mean Time to Resolution (MTTR).
💪 AI-enhanced sandbox detonation for deeper behavioral analysis. The Behavior tab within a file's analysis report showcases detailed behavioral insights, which are generated by executing the uploaded file across Google Threat Intelligence's multi-environment sandboxes. We've introduced AI-driven interaction capabilities to our detonation engine. This enhancement allows the sandbox to autonomously click and interact with samples, ensuring they fully execute and reveal their hidden behaviors, resulting in more complete and in-depth behavioral reports. File types affected by this improvement are:
💪 IoC Stream Notification Retention Extended to 30 Days. IoC Stream is our centralized IoC notification hub that aggregates all IoCs coming from Livehunt or Retrohunt matches, Threat Profiles, and followed Threat Intelligence objects (Threat Actors, Campaigns, Malware & Software, IoC Collections, Reports, Vulnerabilities) that were updated with new IoCs. The retention period for IoC notifications in the IoC Stream has been increased from 1 week (7 days) to 30 days. This gives users a substantially longer historical buffer, offering greater flexibility for data synchronization, analysis, and retrospective threat hunting.
📢 Google TI Mondays & Month of UNLIMITED UI Searches. Quick reminder that for the entire month of November, all Google Threat Intelligence and VirusTotal customers benefit from unlimited, uncapped searches when performing manual queries through the web interface (GUI) using the core VirusTotal / Search feature. Follow the Google TI Mondays and Month Of GoogleTI Search series across our social platforms every week for quick, actionable practitioner tips and product adoption advice designed to enhance your efficiency. #GoogleTIMondays, #MonthOfGoogleTISearch
💪 Detection Highlights. The Google Threat Intelligence Group and FLARE team consistently update Google TI's YARA rules and malware configuration extractors. Over this period, we’ve released YARA rules covering 9 newly tracked malware families, and enhanced our configuration extraction platform to cover 2 existing malware families. Additionally, we've updated YARA rules for 23 other known threats. This update prioritizes malware families actively observed in Mandiant incident response engagements, SecOps customer environments, and top GTI search trends.
As we track new malware families found through our research, we build and release detection signatures. Some recent examples include:
TOXICDUST: a Windows launcher written in C/C++. TOXICDUST is capable of reading a payload file, decoding it by performing bitwise NOT operation and base64, and finally executing the resulting shellcode in memory. TOXICDUST uses SysWhispers2 to perform direct system calls. TOXICDUST is capable of evading AV and EDR software by patching BitDefender Hooking DLL and unhooking NTDLL.DLL. See its curated YARA detection rules.
EGGJSE: a JScript Encoded dropper. It contains payloads, usually double Base64-encoded, which it decodes, drops, and runs. See its curated YARA detection rules.
PIPEDOWN.DRIVE: a variant of the PIPEDOWN code family. It is a backdoor written in C++ that communicates using the Google Drive API to implement its functionality. Its capabilities include interacting with a hard-coded Google Drive resource to perform file upload, file download, file execution, and performing file listing. See its curated YARA detection rules.
In addition to providing detection rules for new and emerging threats, we continue to update our detection systems for threats like OXEEYE, BEAVERTAIL, and POISONPLUG.SHADOW. These updates ensure you have the latest indicators and YARA rules for evolving threats, some of which were extracted by our configuration extraction systems.
💪 Enhanced PE and ELF Binary Behavior Detections. CAPA, a tool maintained by the FLARE team, provides human-readable explanations of suspicious behavior that a binary may exhibit when executed. Our platform runs CAPA on all PE and ELF binaries, displaying results in the BEHAVIOR tab of the UI. CAPA has recently been updated with 22 new and 46 improved behavior detection rules, which have been fully integrated into our supported file analysis process. This enhancement adds new rules heavily focused on detecting defense evasion techniques observed in malware, including:
🆕 Google Threat Intelligence Browser Extension. We have evolved the popular VT4Browsers extension to include the power of Google Threat Intelligence, delivering actionable threat intelligence directly in your browser. It gives analysts immediate threat context and triage, lets them investigate in depth without context switching, supports collaboration and tracking to stay on top of threats, and can scan downloads, all from within the browser.
Now users with a valid Google Threat Intelligence API key can activate a new, integrated investigation experience.
New Interface: the extension adopts the visual style of the official Google Threat Intelligence interface.
Live Investigation: IoCs are automatically highlighted/enriched on the page as you navigate, providing a Quick Summary (Hover) and Deep Dive (Click) into the GTI Widget side-panel powered by Google Threat intelligence.
View Summary of all IoCs: a new feature to automatically collect all the detected IoCs on a webpage and open a new investigation window in the Google TI platform. You can add specific IoCs in this window directly into a new IoC collection to unlock powerful use-cases, to stay on top of the threats.
Want to try the enhanced investigation experience? Download or update the extension now:
🆕 Audit Logging. The new Audit Log is an essential security and administrative tool within Google Threat Intelligence, exclusively accessible to Group Administrators. Its primary function is to track, record, and preserve a time-stamped history of all sensitive administrative actions taken across your organization’s Google TI group, covering activities performed via both the web UI and the API.
💪 Extended malware configuration extraction with displayed messages. Google Threat Intelligence processes all files submitted to VirusTotal, as well as some other Mandiant/Google sources, identifies popular malware families, and invokes malware configuration extractors where applicable. We have updated our extractors to also capture any messages displayed back to users, such as ransom notes. See example.
💪 Agentic now has the capability to provide mitigation advice. Our Agentic conversational assistant, designed to provide instant, contextual, and actionable threat intelligence by answering complex, natural language queries about security topics, indicators, and entities, can now answer with specific mitigation strategies and defensive controls for a given MITRE ATT&CK TTP, CAPEC ID, or CWE ID. This allows faster pivoting from threat identification to defense planning by providing immediate, actionable guidance on how to prevent or limit the impact of specific attacker behaviors and vulnerabilities.
📢 Google TI Mondays. Tune in every Monday as we share quick, actionable practitioner tips and product adoption advice across our social platforms. These knowledge "pills" are designed to boost your efficiency; follow us to make sure you never miss the latest insights!
📢 Month of UNLIMITED UI Searches. VirusTotal / Search is the core search feature providing access to our platform's massive IoC dataset, enabling users to execute advanced queries with specific modifiers to investigate malware campaigns, track threat actors, and analyze threat infrastructure. In November, all Google TI and VirusTotal customers enjoy unlimited, uncapped searches when performing manual queries through the web interface (GUI). These searches do not consume any of the customer's existing search quota.
💪 Detection Highlights. The Google Threat Intelligence Group and FLARE team consistently update Google TI's YARA rules. Over this past week, we released YARA rules covering 11 newly tracked malware families and updated YARA rules for 20 existing families. This update prioritizes malware families actively observed in Mandiant incident response engagements, SecOps customer environments, and top GTI search trends.
As we track new malware families found through our research, we build and release detection signatures. Some recent examples include:
FIREPLUG: a backdoor written in Go that is capable of command execution, file upload and download, traffic relaying using SOCKS5 and port forwarding. See its curated YARA detection rules.
LOSTSEA: a downloader that sets persistence by scheduling a task named IconCache. It collects and sends basic system information like user and hostname to the command and control (C2 or C&C) server. The response is expected to be an encoded next-stage payload. See its curated YARA detection rules.
CHROMEPUSH: a dataminer written in C/C++ that targets multiple browsers (Chrome, Brave, Arc, Edge) and steals sensitive data, including screen captures, browser cookies, and keylogger data. It is also capable of installing a malicious Chrome browser extension. See its curated YARA detection rule.
UDPSHELL: a Linux backdoor written in C. UDPSHELL communicates with its command and control server using the QUIC protocol. Its capabilities include shell command execution, file upload and download, and a SOCKS5 proxy. See its curated YARA detection rule.
In addition to providing detection rules for new and emerging threats, we continue to update our detection systems for threats like DONUT, CHINACHOP, and POSHC2. These updates ensure you have the latest indicators.
🆕 Enhanced Clarity and Accessibility of Registration Data with RDAP Format. The Whois lookup information in IP addresses and domains analysis reports provides deep insight into the registration, ownership, and administrative contacts for both IoC types. It is a crucial component for threat intelligence and incident response, allowing analysts to pivot investigations based on infrastructure ownership. We have introduced support for the standardized Registration Data Access Protocol (RDAP) to enhance the information provided from Whois lookups. It provides registration data in a machine-readable, standardized format (JSON), leading to greater data consistency and easier automated processing. See example.
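The release note does not show what an analyst actually does with the RDAP JSON once it is in hand. The following is an added example (not Google TI code and not part of the original note) that normalizes an RFC 9083-shaped RDAP domain object into the fields used for infrastructure pivots (registrar, registration and expiry events, status flags, name servers) and derives the domain age, the check most often run on newly registered lookalike domains. The RDAP document is constructed for illustration: the structure follows the RDAP specification, but the domain, dates and registrar are made up.

```python
"""Normalize an RDAP domain response (RFC 9083 JSON) into pivot fields and
derive the domain age.  Added example; the SAMPLE_RDAP document below is
constructed, not a real lookup result."""
from datetime import datetime, timezone
import json

SAMPLE_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "EXAMPLE-LOOKALIKE.TEST",
    "status": ["client transfer prohibited", "server delete prohibited"],
    "events": [
        {"eventAction": "registration", "eventDate": "2025-10-01T12:00:00Z"},
        {"eventAction": "expiration",   "eventDate": "2026-10-01T12:00:00Z"},
        {"eventAction": "last changed", "eventDate": "2025-10-03T08:15:00Z"},
    ],
    "entities": [
        {   # registrar entity: name lives in the jCard "fn" property
            "objectClassName": "entity",
            "roles": ["registrar"],
            "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                     ["fn", {}, "text", "Example Registrar LLC"]]],
            "publicIds": [{"type": "IANA Registrar ID", "identifier": "9999"}],
        },
        {   # registrant contact, redacted as many registries now do
            "objectClassName": "entity",
            "roles": ["registrant"],
            "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                     ["fn", {}, "text", "REDACTED FOR PRIVACY"]]],
        },
    ],
    "nameservers": [
        {"objectClassName": "nameserver", "ldhName": "NS1.EXAMPLE-DNS.TEST"},
        {"objectClassName": "nameserver", "ldhName": "NS2.EXAMPLE-DNS.TEST"},
    ],
})


def _parse_ts(value):
    # RDAP event dates are RFC 3339; fromisoformat() on Python < 3.11 rejects "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _vcard_fn(entity):
    # vcardArray is ["vcard", [[name, params, type, value], ...]]
    for prop in entity.get("vcardArray", ["vcard", []])[1]:
        if prop[0] == "fn":
            return prop[3]
    return None


def normalize_rdap(doc):
    """Flatten an RDAP domain object into the fields analysts pivot on."""
    data = json.loads(doc) if isinstance(doc, str) else doc
    events = {e["eventAction"]: _parse_ts(e["eventDate"])
              for e in data.get("events", []) if "eventDate" in e}
    out = {
        "domain": data.get("ldhName", "").lower(),
        "status": sorted(data.get("status", [])),
        "registered": events.get("registration"),
        "expires": events.get("expiration"),
        "last_changed": events.get("last changed"),
        "nameservers": sorted(ns["ldhName"].lower() for ns in data.get("nameservers", [])),
        "registrar": None, "registrar_iana_id": None, "registrant": None,
    }
    for ent in data.get("entities", []):
        roles = ent.get("roles", [])
        if "registrar" in roles:
            out["registrar"] = _vcard_fn(ent)
            for pid in ent.get("publicIds", []):
                if pid.get("type") == "IANA Registrar ID":
                    out["registrar_iana_id"] = pid.get("identifier")
        if "registrant" in roles:
            out["registrant"] = _vcard_fn(ent)
    return out


def domain_age_days(record, now=None):
    """Age in whole days, or None when the registry published no registration event."""
    if record["registered"] is None:
        return None
    now = now or datetime.now(timezone.utc)
    return (now - record["registered"]).days


def is_newly_registered(record, threshold_days=30, now=None):
    age = domain_age_days(record, now)
    return age is not None and age < threshold_days


if __name__ == "__main__":
    rec = normalize_rdap(SAMPLE_RDAP)
    print(rec["domain"], rec["registrar"], rec["nameservers"], domain_age_days(rec))
```

Two caveats from the RDAP format that the parser handles: registries are not obliged to publish every event (some omit `registration` entirely, so the age check returns None rather than treating the domain as brand new), and contact entities are frequently redacted, so the registrant name is carried through as-is rather than interpreted. Registrar entities can also carry nested `entities` (abuse contacts) which this example does not descend into.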
🆕 URL Private Scan check for Public Report availability. The Private Scanning feature allows users to analyze URLs in a dedicated, private environment. This is essential for inspecting sensitive URLs and performing in-depth analysis, such as interactive sandbox detonation, without contributing the results to the public corpus. The platform now provides an immediate notification when a public report for a requested URL is already available, right before initiating a private scan. This allows users to decide whether they still require a private scan for specific reasons (e.g., interact with the sandbox during URL detonation or configuring a certain browser agent), or if the public report is sufficient, thereby preserving their Private Scanning quota.
💪 Enhanced GTI Scoring with Human-Verified Intelligence to reduce False Positives/False Negatives. The GTI Score is a proprietary, unified risk assessment metric that objectively quantifies an indicator's (file, URL, domain, IP) maliciousness for fast decision-making and alert prioritization. The model has been significantly improved by incorporating manual analysis insights from the ATI (Advanced Threat Intelligence) team, which systematically corrects edge cases, reducing both false positives (FP) and false negatives (FN) for a more accurate score.
🆕 Agentic now uses existing detections and generates new YARA-L rules. Agentic, our conversational AI platform powered by Google Threat Intelligence (TI), now features enhanced YARA-L rule generation capability. This improvement is driven by Agentic's streamlined access to our comprehensive library of existing detection rules, enabling the creation of more sophisticated and precise new rules for countering complex threats and ensuring reliable resources for rapid threat response.
After you prompt the agent to create a new YARA-L rule (to track a specific threat or malware family), the interface gives you the power to act right away to:
Copy the rule content.
Download the rule file locally.
Leverage our entire dataset to massively boost your detection power, then integrate the results into Google SecOps in minutes.
💪 Detection Highlights. The Google Threat Intelligence Group and FLARE team consistently update Google TI's YARA rules and malware configuration extractors. Over this period, we've released YARA rules covering 8 newly tracked malware families, and provided updates to YARA rules for 20 existing families and configuration extractors for 2 existing families. This update prioritizes malware families actively observed in Mandiant incident response engagements, SecOps customer environments, and top GTI search trends.
As we track new malware families found through our research, we build and release detection signatures. Some recent examples include:
BADTILE: a .NET based file utility that connects to a remote server via HTTP-Dmtp. It can accept tasking to transfer a file, send a Dmtp handshake to ping a specified client, and perform a system survey. BADTILE also has the ability to use TCP-Dmtp. See its curated YARA detection rule.
SYSTEMBC.PERL: a tunneler written in Perl that retrieves proxy-related commands from a command-and-control (C2 or C&C) server using a custom binary protocol over TCP. A C2 server directs SYSTEMBC.PERL to act as a proxy between the C2 server and a remote system. See its curated YARA detection rule.
FARCRY: an XMPP chat backdoor that communicates over the GoogleTalk service. It is capable of encrypted file transfers and remote command execution. See its curated YARA detection rules.
DAYSHROUD: a backdoor written in C++ and built using Neutralinojs. It functions as a wrapper for JavaScript code, as well as other resources, contained within the other file extracted by Calendaromatic.exe. The backdoor disguises itself as a desktop calendar application called Calendaromatic, but uses steganography to covertly download and execute additional JavaScript code hidden in holiday data. See its curated YARA detection rules.
OILPEN: a backdoor that installs itself as a service to establish persistence. Its capabilities include reading and writing files, uninstalling itself, and updating its configuration file. See its curated YARA detection rule.
In addition to providing detection rules for new and emerging threats, we continue to update our detection systems for threats like CHUNKPILE, SQUIDGATE, and SQUIDSLEEP. These updates ensure you have the latest indicators for these evolving threats, leveraging both YARA rules and configuration extraction systems.
🆕 CAPE sandbox executable payload extraction and feedback loop. Google Threat Intelligence detonates files in multiple home-grown and third-party sandboxes. Our CAPE-derived sandboxes classify samples through automated dynamic malware unpacking and subsequent YARA-based classification of the captured, unpacked payloads. We now automatically extract and submit these unpacked payloads to the platform for separate detonation. This process creates explicit relationships between the parent file and the extracted payloads, and tags the payloads with the payload tag for easy identification.
A new tag search modifier, tag:payload, is now available to help you efficiently manage and search for unpacked payloads.
The web interface also displays these relationships:
When viewing a packed file (parent) analysis report, you will find the unpacked payloads listed under the RELATIONS tab -> Payload Files.
When viewing an unpacked payload analysis report, you will find its packed parent under the RELATIONS tab -> Payload Parents.
The new relationships are also exposed in the API: use the payload_parents relationship to get parent files and payloads_extracted to get unpacked files.
See example.
Stay tuned, soon we will use this process to better characterize and provide more explainability on the parent/packed files.
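As an added example (not Google TI's own code), the Python below walks the two new relationships offline. It assumes the GTI API follows the VirusTotal v3 conventions that GTI exposes (GET /api/v3/files/{hash}/{relationship} with an x-apikey header, a JSON body carrying data and a links.next cursor); the relationship names payloads_extracted and payload_parents and the payload tag come from the announcement above, while the hashes and the canned responses in FAKE_RESPONSES are constructed so the block runs without network access. What it adds to the prose: multi-layer packers produce payloads that are themselves parents, so a breadth-first walk over payloads_extracted with cursor pagination is what recovers the whole unpacking chain, and a child that arrives without the payload tag is worth a second look.

```python
"""Walk packed-parent / unpacked-payload relationships (added example, not GTI's code)."""
import json
import urllib.request
from collections import deque
from typing import Callable, Iterator

API_BASE = "https://www.virustotal.com/api/v3"   # assumption: GTI uses the VT v3 API surface
Getter = Callable[[str], dict]                   # get(url) -> parsed JSON body


def relationship_url(sha256: str, relationship: str, limit: int = 40) -> str:
    """URL for GET /files/{hash}/{relationship}; only the two relationships from the announcement."""
    assert relationship in ("payloads_extracted", "payload_parents"), relationship
    return f"{API_BASE}/files/{sha256}/{relationship}?limit={limit}"


def make_http_getter(api_key: str) -> Getter:
    """Real client (not used in the offline demo): authenticated GET returning parsed JSON."""
    def get(url: str) -> dict:
        req = urllib.request.Request(url, headers={"x-apikey": api_key})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return get


def iter_relationship(get: Getter, url: str, max_pages: int = 100) -> Iterator[dict]:
    """Yield every object in a relationship, following links.next cursors until exhausted."""
    seen = set()
    for _ in range(max_pages):
        if url in seen:                       # a cursor that points back at itself would loop forever
            raise RuntimeError(f"pagination loop at {url}")
        seen.add(url)
        page = get(url)
        yield from page.get("data", [])
        url = page.get("links", {}).get("next")
        if not url:
            return
    raise RuntimeError("gave up after max_pages")


def unpacked_payloads(get: Getter, parent: str) -> dict:
    """{child_sha256: sorted tags}; a child missing the 'payload' tag deserves manual review."""
    return {
        obj["id"]: sorted(obj.get("attributes", {}).get("tags", []))
        for obj in iter_relationship(get, relationship_url(parent, "payloads_extracted"))
    }


def packed_parents(get: Getter, child: str) -> list:
    """Reverse direction: which packed files produced this payload."""
    return sorted(obj["id"] for obj in iter_relationship(get, relationship_url(child, "payload_parents")))


def unpack_graph(get: Getter, roots: list) -> dict:
    """BFS over payloads_extracted; multi-layer packers yield payloads that are parents in turn."""
    edges, queue, visited = {}, deque(roots), set()
    while queue:
        parent = queue.popleft()
        if parent in visited:
            continue
        visited.add(parent)
        children = unpacked_payloads(get, parent)
        edges[parent] = sorted(children)
        queue.extend(children)
    return edges


# --- constructed offline fixture standing in for the API (hypothetical hashes) -----------
PACKED, STAGE2, FINAL, DECOY = "a" * 64, "b" * 64, "c" * 64, "d" * 64

def _obj(sha: str, tags: list) -> dict:
    return {"type": "file", "id": sha, "attributes": {"tags": tags}}

FAKE_RESPONSES = {
    # page 1 of PACKED's payloads, with a cursor to page 2
    relationship_url(PACKED, "payloads_extracted"):
        {"data": [_obj(STAGE2, ["payload", "peexe"])],
         "links": {"next": relationship_url(PACKED, "payloads_extracted") + "&cursor=p2"}},
    relationship_url(PACKED, "payloads_extracted") + "&cursor=p2":
        {"data": [_obj(DECOY, ["peexe"])], "links": {}},          # note: no 'payload' tag
    relationship_url(STAGE2, "payloads_extracted"):
        {"data": [_obj(FINAL, ["payload", "peexe"])], "links": {}},
    relationship_url(FINAL, "payloads_extracted"): {"data": [], "links": {}},
    relationship_url(DECOY, "payloads_extracted"): {"data": [], "links": {}},
    relationship_url(FINAL, "payload_parents"):
        {"data": [_obj(STAGE2, ["payload", "peexe"])], "links": {}},
}

def fake_get(url: str) -> dict:
    return FAKE_RESPONSES[url]


if __name__ == "__main__":
    # Swap fake_get for make_http_getter("<your key>") to run against the live API.
    print(json.dumps(unpack_graph(fake_get, [PACKED]), indent=1))
```

The getter is injected so the same walk runs against the live API or a recorded fixture; the seen-set guard on cursors is there because a malformed next link is the usual way a relationship sync script ends up spinning.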
💪 Agentic now answers documentation related questions. Agentic, our conversational AI platform powered by Google TI, does not rely solely on static training data: it employs Retrieval Augmented Generation (RAG), which lets the agent dynamically retrieve the most relevant and up-to-date threat intelligence from all our sources (VirusTotal, Mandiant finished intelligence, industry/community reports, Safe Browsing, the GTI-G threat actor knowledge base, etc.).
Agentic is constantly evolving. We've added our comprehensive documentation portal as a new data source for RAG. This ensures Agentic can now provide answers that are fully consistent with our latest product features and guidelines.
With this improvement you can now:
Ask Agentic about the product and available features:
“What are threat profiles? Why should I use them?”
Discover API functionality:
“How can I download feeds using Google Threat Intelligence API?”
“What threat lists are available for consumption?”
Ask Agentic to generate API scripts:
“Can you help me generate a Python script to consume Threat Lists?”
“Can you demonstrate how to fetch IoCs for a specific threat actor with a Python script?”
🆕 Submit Your Own OSINT Articles to be processed by Google TI. OSINT (community/industry) articles in Google TI are automatically ingested from a set of trusted sources. They act as a powerful source of Threat Intelligence, transforming vast amounts of public threat data into actionable, contextualized insights that security teams can use for proactive defense and strategic planning. Users can now use the Submit your OSINT button (under Reports & Analysis in the left navbar) to share an article URL. Upon submission, the system automatically processes the article to:
Extract categorization fields (e.g., associated threat actor, malware families, targeted region, and industry) for reports where this information can be confidently identified.
Generate a summary of the content via Gemini.
Extract all mentioned IoCs (files, URLs, domains, IPs).
Generate relationships between the new report object and other Threat Intelligence objects.
Additionally, users can track the history and status of their submissions in the new MY OSINT tab.
🆕 New Code Insight code analysis endpoint for automation. We’ve launched a new Code Insight endpoint that significantly reduces reverse engineering workload by providing analysts with an AI assistant that instantly returns natural language descriptions of code functionality and supports analysis chaining to accelerate time-to-verdict. See example here and our dedicated post. This endpoint is used by our very own VirusTotal IDA Pro plugin, powering summaries and descriptions of functions.
Google TI Mondays. Tune in every Monday as we share quick, actionable practitioner tips and product adoption advice across our social platforms. These content "pills" are designed to boost your efficiency, so follow us to make sure you never miss the latest insights!
Threat Hunting with Google Threat Intelligence - Episode 5. If you missed our latest webinar on how AI is transforming threat hunting, you can now watch the full recording at your convenience! Catch up on all the major announcements, including how AI is making investigations more effective in less time than ever before. In the webinar, we:
Unveiled the groundbreaking Agentic Platform (now in public preview).
Demoed the Ransomware Data Leaks dashboard for fresh insights into extortion trends.
Showcased Code Insight, our AI-powered tool that converts complex code into clear, natural-language explanations.
Detection Highlights. Google Threat Intelligence consistently updates our YARA rules and malware configuration extractors. Over the past week, we've released YARA rules covering multiple malware families, and expanded our configuration extraction platform to cover new malware families. This update prioritizes malware families actively observed in Mandiant incident response engagements, SecOps customer environments, and top Google TI search trends.
As we track new malware families found during Mandiant investigations, we build and release detection signatures. Some recent examples include:
DEEPBREATH: data miner written in Swift that targets macOS systems. It manipulates the Transparency, Consent, and Control (TCC) database to gain broad file system access, enabling it to steal credentials from the system keychain; browser data from Chrome, Brave, and Edge; and user data from two different versions of Telegram and Apple Notes. See its curated YARA detection rule.
New rules for SOGU.SEC, a variant of the SOGU backdoor. It can extract sensitive system information, upload and download files, and execute a remote command shell. See its curated YARA detection rules.
NOROBOT: downloader utility which retrieves the next stage from a hardcoded C2 address and prepares the system for the final payload. It has been observed undergoing regular development from May through September 2025. The earliest version of NOROBOT made use of cryptography in which the key was split across multiple components and needed to be recombined in a specific way in order to successfully decrypt the final payload. See its curated YARA detection rule.
BRICKSTEAL: credential stealer written in Java. It is deployed by a JSP dropper and masquerades as a legitimate VMware vCenter Single Sign-On (SSO) component, using the package name com.vmware.identity. See its curated YARA detection rules.
COLDCOPY: a ClickFix lure which masquerades as a custom CAPTCHA. COLDCOPY prompts the target to download and execute a DLL using rundll32, while trying to disguise itself as a CAPTCHA by including text to verify that the user is not a robot. See its curated YARA detection rule.
YESROBOT: Python backdoor which uses HTTPS to retrieve commands from a hardcoded C2. The commands are AES encrypted with a hardcoded key. System information and username are encoded in the User-Agent header of the request. See its curated YARA detection rules.
MAYBEROBOT: toehold PowerShell backdoor. It uses a hardcoded C2 and a custom protocol that supports three commands: download and execute from a specified URL, execute the specified command using cmd.exe, and execute the specified PowerShell block. It is likely a more flexible replacement for YESROBOT. See its curated YARA detection rules.
New MITRE ATT&CK map view for file behavior analysis. The MITRE ATT&CK Tactics and Techniques section in the file behavior report has been upgraded from a list view to an interactive, visual map. This new interface displays the detected TTPs using a color-coded matrix, allowing you to instantly visualize the tactics used across the execution chain, just like a heat map in the MITRE Navigator. You can also use new filters by severity (info, low, medium, high) to focus on the most relevant or severe techniques. By simply clicking on the TTP card, you can then visualize the specific commands or activities (the Procedures) associated with that technique. See example.
New render rule fluid UI component in Agentic to easily interact with Livehunt and Retrohunt. Agentic, the conversational AI platform grounded in Google Threat Intelligence's comprehensive security dataset, has already seen improvements during its first week in public preview. It now includes detection rule retrieval and deployment. You can ask the agent to provide crowdsourced or curated detection rules (such as YARA rules) to track a specific threat or malware family. When a curated YARA rule is returned, the interface provides immediate actions, allowing you to:
Import the rule directly into your Retrohunt or Livehunt environment.
Copy the rule content.
Download the rule file locally.
New render MITRE Tree fluid UI component in Agentic. A new rendering tool was added to the Agentic platform to display TTP analysis in a visual MITRE ATT&CK map, similar to the visualization in the file behavior reports. When you ask Agentic for the TTP matrix of a threat actor, the output is no longer a plain text list but an interactive map where you can filter TTPs by severity (info, low, medium, high). This visualization also includes two metrics that a single file's behavior tab cannot offer, because here they are computed across all the files associated with the threat actor:
Prevalence: Shows how globally common the technique is.
Matches: Indicates the number of files related to the threat actor whose behaviour analysis detected any of the procedures within each technique.
New OpenID Connect (OIDC) Single Sign-On (SSO) authentication support. Google TI offers a robust Single Sign-On (SSO) mechanism to secure and simplify user authentication through an organization’s identity provider (IdP) via the SAML protocol. We are now expanding this capability with an OpenID Connect (OIDC) authentication layer built on top of OAuth 2.0, increasing the flexibility and security of the authentication process.
Core use cases and best practices for Google Threat Intelligence. We have added a dedicated Use Cases and Other Resources section to the official Google TI documentation. This section provides detailed guidance on how to leverage the platform's tools and data for core security workflows, including:
Advanced Hunting: searching for suspicious activity using entity pivoting and investigative tools.
Incident Response: accelerating investigations with enriched indicators and threat actor context.
Phishing & Brand Monitoring: identifying domain abuse and impersonation campaigns.
Vulnerability Management: prioritizing vulnerabilities using real-world exploitation data.
New API endpoint for Org/Group consumption by user and feature. We created a new API endpoint designed for Org/Group administrators to gain detailed visibility into their organization's usage. This endpoint retrieves consumption metrics for a group's various features, broken down by individual user, covering both UI (Web Interface) and API usage, for a time range spanning the current month and the two previous months, providing essential historical context. Check out the endpoint documentation and examples at the bottom.
VirusTotal’s analysis with Hugging Face’s AI Hub. As AI adoption grows, we see familiar threats taking new forms, from tampered model files and unsafe dependencies to data poisoning and hidden backdoors. These risks are part of the broader AI supply chain challenge, where compromised models, scripts, or datasets can silently affect downstream applications. We are now scanning Hugging Face models and flagging unsafe models, read more.
Google TI Mondays. We are publishing concise product knowledge pills on our social channels every Monday. These are practitioner tips and product adoption boosters, check out our latest content and don't forget to follow us:
Detection Highlights. The FLARE team and Google Threat Intelligence Group consistently update Google TI's YARA rules and malware configuration extractors. Over Q3, we've released YARA rules covering 345 newly tracked malware families, and expanded our configuration extraction platform to cover 15 new malware families. This update prioritizes malware families actively observed in Mandiant incident response engagements, Google SecOps customer environments, and top Google TI search trends.
As we track new malware families found during Mandiant investigations, we build and release detection signatures. Some recent examples include:
HAMMERDROP: This malware is used to drop Windows drivers to bypass endpoint security solutions and has been found in ransomware investigations.
SELFDRIVE: Node.js malware observed being distributed with trojanized software installers; it downloads and executes additional JavaScript files.
TOOLSHELL: a webshell observed being installed onto on-premises servers that were exploited by an attacker.
In addition to providing detection rules for new and emerging threats, we continue to update our detection systems for threats like QUASARRAT, WARZONE, and SHADOWLADDER. These updates ensure you have the latest indicators that were extracted by our configuration extraction systems.
Google TI Score enhancements. We have significantly enhanced the Google Threat Intelligence (GTI) Score to improve your threat prioritization and triage efficiency. The updated score now incorporates new contextual factors like threat actor motivation and malware family roles for all IoC types (files, URLs, domains and IP addresses). Furthermore, network IoCs benefit from more granular threat categories based on crowdsourced insights, and URL severity is boosted by detailed data from Google Webrisk. This refinement, including more granular severity levels for suspicious indicators, ensures you can prioritize potential threats more efficiently.
Threat Profiles now generally available (GA). All Threat Profiles in the legacy experience have been migrated to the new look and feel, which includes automatic and holistic visibility of relevant threats, flexible curation to tune and incorporate your own threat intelligence artifacts, enhanced collaboration and sharing, and tactical actionability via out-of-the-box detections and tailored, recent IOC feeds. They now also provide quick access to an overview explanation of each threat and a scatter plot that helps you prioritize threats by showing a threat's global prevalence against its specific relevance within the dimensions of a given threat profile. Learn more in this webinar.
Google TI Agentic public preview. Built on Large Language Models (LLMs) and grounded in Google Threat Intelligence's comprehensive security dataset, the Agentic Platform simplifies and democratizes threat intelligence. This conversational interface lets you interact directly with specialized AI agents to quickly analyze threats, accelerate security investigations, and receive immediate, precise answers. It was released as a public preview to Enterprise and Enterprise+ customers.
Code Insight now supports SWF and SVG file types. Code Insight is an advanced, Gemini AI-driven capability that serves as an automated assistant for malware analysts and reverse engineers. It uses artificial intelligence to generate natural language summaries that clearly describe a file's intent and overall functionality. We've extended it to support more file formats such as SWF and SVG.
Code Insight experimentation with executables. We continue experimentation with Windows Executables, Linux Executables and OS X Executables and are now ramping up the volume of files processed. Examples:
New Crowdsourced AI Contributor: Exodia Labs. The new Exodia Labs integration adds an independent AI analysis stream for Chrome extension (.CRX) files, complementing Code Insight with a clear security verdict and detailed reports that outline suspicious actions (such as credential theft). Results are fully searchable with the exodialabs_ai_verdict:malicious | suspicious | benign and exodialabs_ai_analysis:<keywords> search modifiers, so users can pivot across results and find large campaigns of malicious Chrome extensions. See example report. See example search.
Private collection sharing across organizations. Private collections allow users to create a "container" for artifacts like indicators that then inherit automated associations, analytics, telemetry and additional actions. We have extended the functionality so that customers may now share threat information such as indicators across trusted circles, i.e. users that are not part of their current organization. Note that you will need to identify and add either the Google TI organization name or username directly in order to share with others outside of your organization.
Multi-CVE search. Google TI's CVE cards offer crucial information on individual vulnerabilities, such as severity, risk rating, exploitation state, and exploit availability; this empirical risk scoring helps organizations prioritize patching and mitigation efforts. The new multi-search functionality lets users quickly gather and compare intelligence on several CVEs in parallel, and add multiple vulnerabilities to a threat profile for consolidated tracking of widespread threats. It also lets analysts take a list of vulnerabilities identified by third-party tools and prioritize it by in-the-wild exploitation, and thus by likelihood of impact. See example.
New curated GTI-G/Mandiant authored hunting YARA rules. YARA rules are a powerful pattern-matching tool used by security professionals to identify and classify malware and suspicious files. We are now including a new set of Hunting YARA Rules within our published Google Threat Intelligence Threat Reports, easily recognized by their naming convention, which always starts with "G_Hunting_". These rules are designed to help your team uncover activity potentially related to a specific attack technique or malware, providing initial detections that require further verification to confirm malicious intent. Think of them as an extra tool for deeper searching, helping you find more subtle signs of a threat in your environment and stay ahead of emerging risks. See example.
Enhanced dynamic analysis / sandbox capabilities. Files uploaded to Google Threat Intelligence are executed across multiple sandboxes to generate detailed behavioral insights in the analysis report's Behavior tab of the UI. On this front we have many announcements:
New file type supported. Added support for ELF shared objects with an entrypoint detonation.
Enhanced detonations. Improved analysis and reporting for the following filetypes:
VBA (Visual Basic for Applications)
SVG (Scalable Vector Graphics)
MSC (Microsoft Management Console Snap-ins)
MSHTA, HTA (Microsoft HTML Applications)
New OS versions deployed in the Zenbox sandbox. Windows 11 and Android 13.
We've expanded our file detonation capabilities by adding the Google Safe Browsing sandbox to our dynamic analysis systems. See example.
AI registry key summary. We've incorporated an AI-powered explanation to help users quickly understand the impact, intent and significance of the reported registry-related actions. See example.
New integrations and implementation/dev kits. Integrations are absolutely crucial for operationalizing Google Threat Intelligence and transforming raw insights into immediate defensive action. We are fully committed to breaking down these silos and significantly improving our integration ecosystem to drive efficiency and speed up your Mean Time to Resolution (MTTR).
Google TI Integration Dev Kit Released. Provides example scripts and guidance for custom workflows. This is designed to accelerate your technical discussions and streamline the process of solution design.
Ransomware data leaks dashboard. According to a commissioned study conducted by Forrester Consulting on behalf of Google Cloud (The Threat Intelligence Benchmark), ransomware/multifaceted extortion continues to be one of the threats/attacks that cybersecurity leaders are most concerned about as they look out into the next 12 months. Google Threat Intelligence tracks and documents hundreds of ransomware malware families in its threat landscape module, provides ransomware-specific threat lists/feeds, alerts on ransomware activity against your organization via its Digital Threat Monitoring module, allows you to search through its malware corpus for ransomware variants to dissect, and much more. In addition to this functionality, The Google Threat Intelligence Group (GTIG, formerly Mandiant Intelligence) tracks numerous data leak sites (DLS) dedicated to releasing victim data following data theft extortion incidents, with or without ransomware deployment, in which victims refuse to pay a ransom demand. These websites are intended to pressure victims to pay the ransom demand or give threat actors additional leverage during ransom negotiations. We are now exposing this data to our users via the new Ransomware data leaks dashboard to provide insights into the extortion ecosystem.
Multi-tenancy in Google Threat Intelligence. We are pleased to announce the general availability of multi-tenancy for Google Threat Intelligence. This new architecture supports the creation of multiple distinct GTI sub-orgs, known as "tenants," under a single parent account, ensuring each tenant's data and configurations are securely segmented. Key features include:
Tenant Isolation: Each tenant is an isolated entity, ensuring that data and configurations are not shared or viewable by other tenants.
Centralized Management: Parent organizations can get an overview of their tenants, while each tenant maintains its own independent GTI environment.
Flexible Onboarding: Supports various onboarding scenarios, including adopting existing GTI customers as tenants or creating new "organic" tenants that share the parent's quota.
Note that multi-tenancy is not intended to overcome limitations with RBAC or ACLs; if you are facing limitations on those fronts, please file a feature request.
SharePoint vulnerability checks in ASM. On-premises Microsoft SharePoint servers are currently facing widespread, active exploitation due to multiple vulnerabilities. Threat actors have been observed chaining CVE-2025-53770 with an authentication bypass vulnerability, CVE-2025-49706, in an exploit chain codenamed "ToolShell". This chain is used to deploy ASPX web shells using PowerShell. The primary post-exploitation objective is to steal the server's MachineKey, which enables adversaries to forge __VIEWSTATE payloads for persistent access and lateral movement. GTI reacted in a timely fashion by implementing the pertinent vulnerability checks in our attack surface management module. The check goes well beyond a CPE match: it attempts to inject a harmless marker into a SharePoint component, and if that marker is reflected in the SharePoint server's response, the host is flagged as potentially vulnerable.
New Integrations for Elastic, IBM QRadar, and Splunk. We have extended Google Threat Intelligence (GTI) capabilities with new, dedicated integrations across key security platforms. These updates allow security teams to seamlessly leverage GTI's comprehensive threat intelligence within their existing ecosystems, providing deeper context, powerful automation, and a more proactive security posture.
Elastic. A new integration is now available to facilitate the direct ingestion of GTI feeds. This allows you to continuously analyze your security telemetry against Google's high-fidelity Indicators of Compromise (IOCs) to enhance threat detection and analysis within your Elastic environment.
IBM QRadar. We have released two new extensions for IBM QRadar. The QRadar SIEM extension enriches threat detection by correlating your internal security data with GTI's real-world intelligence, providing deeper context for events and helping analysts identify and prioritize critical threats more accurately. The QRadar SOAR extension delivers automation and orchestration for your incident response workflows: it lets you ingest and sync back Attack Surface Management (ASM) issues and Digital Threat Monitoring (DTM) alerts, and ingest IOC streams to enrich incidents with detailed context, including malware families, threat actor profiles, and sandbox analysis reports.
Splunk SOAR. A new application for Splunk SOAR enables robust automation and enrichment for your security operations. It provides a rich set of playbook actions, including the ability to scan files and URLs, retrieve detailed reports for IPs, domains, and hashes, and automatically enrich artifacts with critical context from Google's vast threat database.