📢 Google TI Mondays. Quick reminder to Follow the Google TI Mondays series across our social platforms every week for quick, actionable practitioner tips and product adoption advice designed to enhance your efficiency. These actionable tips are essential. #GoogleTIMondays

• Leveraging TTP Analysis

💪 Detection Highlights. The Google Threat Intelligence Group and FLARE team consistently enhance Google TI's detection capabilities. This week, we've released YARA rules covering 5 newly tracked malware families. We've also enhanced our detection capabilities for 19 existing malware families, including updates to YARA rules for 17 families and configuration extractors for 2 families. Our prioritization for new and updated content focuses on malware families actively observed in Mandiant incident response engagements, Google SecOps customer environments, and top GTI search trends.

As we track new malware families found through our research, we build and release detection signatures. Some recent examples include:

• FROSTCANOPY: a shell script that injects malicious PHP code into legitimate device management web pages. The injected code can harvest credentials and facilitate the remote exfiltration of stolen data via a secret URL. Furthermore, this tool incorporates functions to perform timestomping and erasing traces of file modification. See its curated YARA detection rules.
• ANGRYPICKLE: a downloader written in JavaScript. After performing multiple layers of internal deobfuscation, the code will download a next stage JavaScript script from a remote server and execute that code within the confines of the ANGRYPICKLE's process space. The code uses ActiveX VBScript to interact with the victim's computer from within the JavaScript process. See its curated YARA detection rule.
• LUNAMIST: a C-based backdoor with capabilities for command execution and the bidirectional transfer (upload and download) of files. It initiates communication by issuing HTTP POST requests to its command-and-control (C2 or C&C) infrastructure; the subsequent responses contain commands encapsulated within RSA-encrypted JSON data for execution on the compromised system. See its curated YARA detection rule.

In addition to providing detection rules for new and emerging threats, we continuously update our detection systems for known threats. Recent updates include: SLIVER, SNOWLIGHT, and FAKETREFF. These updates ensure you have the latest indicators and enhanced detection capabilities, including those extracted by our configuration extraction systems.

See latest malware family profiles added to the knowledge base and the complete list of curated YARA rules in our database.

🔄 Updated Conversation Retention Policy in Agentic. Agentic, our AI-powered assistant designed to streamline complex security workflows, now features an automated cleanup process.
We are introducing a new retention policy to keep your workspace organized and focused on active investigations. Conversations inactive for 30 days will now be automatically removed from your Recent sessions. As long as you continue to interact with a specific conversation, it will remain accessible, ensuring your ongoing investigations are preserved while clearing out stale data.

💪 Vulnerabilities Cards: Enhanced Identification with MVE IDs. The Vulnerability Intelligence module within Google TI aggregates and contextualizes security vulnerabilities. It provides a comprehensive view of each vulnerability, including exploitation state, consequence and vectors, risk ratings, mitigations, and direct links to related malware families, threat actors, and active campaigns if possible. Vulnerability cards now include MVE IDs (Mandiant Vulnerability Enumeration) as alternative names. This integration provides a more comprehensive view of vulnerabilities by bridging the gap between standard CVE identifiers and Mandiant’s proprietary research, ensuring analysts can find relevant intelligence regardless of the naming convention used in their source reports.
See example.

🔄 Topic-Based News Analysis Reports. Google Threat Intelligence offers curated analyst Reports, OSINT articles and real-time insights, helping organizations stay ahead of an ever-changing threat landscape. News Analysis curated reports are now organized by topic. This way, instead of focusing on individual news articles, we cover OSINT topics more holistically, generating titles and summaries based on all available OSINT (including blogs, whitepapers, vendor advisories, and more). While the visual style remains consistent, the Media Summary section now features source URLs and text-based timelines where applicable, making it easier to track and verify information.
See example.

We will continue to iterate on this product to ensure we are providing customers with the best possible information available and relating OSINT topics to our vast library of knowledge.

📢 Google TI Mondays. Quick reminder to Follow the Google TI Mondays series across our social platforms every week for quick, actionable practitioner tips and product adoption advice designed to enhance your efficiency. These actionable tips are essential. #GoogleTIMondays

• Malware config extractor

💪 Detection Highlights. The Google Threat Intelligence Group and FLARE team consistently update Google TI's YARA rules and malware configuration extractors. This week, we've released YARA rules covering 7 newly tracked malware families, and enhanced our detection capabilities for 26 existing families through updated YARA rules and configuration extractors. Our updates prioritize malware families actively observed in Mandiant incident response engagements, SecOps customer environments, and top GTI search trends.

As we track new malware families found through our research, we build and release detection signatures. Some recent examples include:

• POLLREGISTER: is a backdoor written in C++ that provides a persistent communication channel to its controller using WebSocket Secure (WSS) after an initial HTTPS connection to register the host with its controller. The backdoor is capable of executing arbitrary shell commands; loading arbitrary dynamic-link libraries (DLLs); and performing file manipulation, file uploading and downloading, process listing, process termination, and drive enumeration. See its curated YARA detection rule.
• SIDEFOX: is a specialized infostealer that harvests passwords, credit cards, and session tokens. By injecting code into browsers and targeting apps like Discord, Steam, and Telegram, it allows attackers to bypass user protections and hijack accounts almost instantly. See its curated YARA detection rule.
• DARKKEY.LOCKER: is a backdoor written in PowerShell and supports arbitrary PowerShell command execution. DARKKEY.LOCKER obtains its C2 address from the DNS TXT records of another domain and communicates with the C2 using JSON over a Secured WebSocket (WSS). DARKKEY.LOCKER establishes persistence via a registry run key, can perform keylogging, access clipboard data, screen monitor, and perform self deletion. See its curated YARA detection rules.

In addition to providing detection rules for new and emerging threats, we continue to update our detection systems for threats like EMOTET, SLIVER, and MIRAI. These updates ensure you have the latest indicators that were extracted by our configuration extraction systems and YARA rules.

See latest malware family profiles added to the knowledge base and the complete list of curated YARA rules in our database.

🔄 Unified Support: Google Threat Intelligence Joins the GCP Support Process. The Google TI Support Portal is the dedicated channel for technical assistance, troubleshooting, account queries and users feedback. It has now been fully integrated into the Google Cloud Platform (GCP) Support ecosystem to provide a unified experience across Google Cloud services.

🔄 Consolidation of vulnerability reporting. Google Threat Intelligence provides continuously updated, in-depth insights to help organizations navigate the evolving cyber threat landscape via curated Reports written by Google Threat Intelligence analysts. In order to reduce duplicative reporting, we are consolidating the following reports into the existing Weekly Vulnerability Exploitation Report (WVER):

• OT Vulnerability Exploitation Roundup
• Industrial Control Systems and Medical Vulnerability Advisories Reported by CISA
• Cloud Vulnerabilities

By adding new dedicated fields, such as Affects OT and Affects Cloud, to the WVER reports, we ensure you receive the same critical data with greater frequency and in a single, comprehensive view.

🆕 CAPE sandbox executable payload extraction now in Private Scanning. Leveraging CAPE-based sandboxing, our platform automates dynamic malware unpacking and YARA classification of captured payloads. This capability has been expanded to Private Scanning, where unpacked payloads now feature an Analysis button for independent detonation. This workflow defines parent-child relationships within the Payload Files section of the RELATIONS tab using their SHA256 hashes.

💪 Agentic AI Now Integrates with IoC Stream. Agentic is the AI-powered assistant within Google Threat Intelligence, designed to streamline complex security workflows. Acting as a force multiplier, Agentic enables security teams to leverage natural language to query expansive datasets, automate investigations, and synthesize technical reports. Agentic is now integrated with the IoC Stream, your centralized IoCs notification hub. This connection allows you to investigate notification statuses and extract immediate insights directly through the Agentic interface.

💪 Bulk IoC Investigations in Agentic Google TI. Agentic, our AI-powered assistant, now supports Bulk IoCs, enabling users to search for multiple indicators of compromise simultaneously. By uploading a context file containing your IoC list, you can now trigger a comprehensive batch investigation, significantly reducing response times and accelerating the identification of relevant threats.

📢 Google TI Mondays. Quick reminder to Follow the Google TI Mondays series across our social platforms every week for quick, actionable practitioner tips and product adoption advice designed to enhance your efficiency. These actionable tips are essential. #GoogleTIMondays

• Behavior signature hunting
• Hunting Holiday Threats in late December Campaigns
• Private IoC Collections

💪 Detection Highlights. The Google Threat Intelligence Group and FLARE team consistently enhance Google TI's YARA rules and malware configuration extractors. Over the past week, we've released YARA rules covering 5 newly tracked malware families and updated YARA rules for 8 existing families. Additionally, we've expanded our configuration extraction platform to cover 1 new malware family. These updates prioritize malware families actively observed in Mandiant incident response engagements, SecOps customer environments, and top GTI search trends.

As we track new malware families identified through our research, we develop and release detection signatures. Some recent examples include:

• BOATBRICK: a malicious JavaScript-based credential harvesting extension, distributed as a .crx archive, specifically targeting the Chrome environment. This extension is designed to facilitate illicit activities such as user-agent spoofing, search hijacking, and sophisticated advertising fraud. Its primary objective is to covertly exfiltrate the entire contents of the victim's Chrome user profile databases. See its curated YARA detection rules.
• BOATMOOR: a credential stealer written in C#. The stealer exfiltrates sensitive user data including saved passwords, cookies, browsing history, and bookmarks from Mozilla Firefox, Microsoft Edge, Opera, and Opera GX. Data is merged into a local Google Chrome user profile database prior to exfil by BOATBRICK. See its curated YARA detection rule.
• COLDSAUCE: a fully featured Windows backdoor written in C/C++. COLDSAUCE communicates with its command-and-control (C2 or C&C) server using QUIC. COLDSAUCE capabilities include system information collection, screenshot capture, keystrokes capture, file system operations, and file upload and download. COLDSAUCE also provides an interactive shell that supports a number of commands that are custom implementations of common Windows command-line tools. See its curated YARA detection rules.

In addition to providing detection rules for new and emerging threats, we continuously update our detection systems for known threats such as:GAFGYT, TIMEDRAIN, and FLASHHOOK.

These updates ensure you have the latest indicators, including those extracted by our configuration extraction systems.

See latest malware family profiles added to the knowledge base and the complete list of curated YARA rules in our database.

💪 New Middle East Storage Region for Private Scanning. Private Scanning is a dedicated service within Google Threat Intelligence that allows organizations to submit suspicious files and URLs for both static and dynamic analysis. Unlike public submissions, this service ensures that all IoCs, execution data, and resulting analysis reports remain completely confidential and are never shared with the public or the broader community. To support local data residency and governance requirements, we have expanded our global infrastructure to include the Middle East as a new region for temporary storage. This update offers regional customers greater flexibility in aligning their security operations with local compliance standards.

🆕 Agentic Workflows Supercharged with Gemini 3. Agentic is the AI-powered assistant integrated within Google Threat Intelligence, designed to simplify and streamline complex threat intelligence tasks. It acts as a force multiplier for security teams, allowing them to interact with Google TI’s expansive dataset using natural language to automate investigations, generate complex queries, and synthesize technical reports. We have upgraded the underlying engine of Agentic from Gemini 2.5 to Gemini 3, bringing significant advancements to the system's reasoning capabilities and overall behavior.

🆕 New OCR detection in Agentic. Agentic, our AI-powered assistant, now supports file uploads as context, allowing for deeper analysis. This update includes OCR support for PDF files, and we are actively expanding this capability to other file types, so stay tuned for updates.

💪 Intelligence at Speed - Instant Executive Briefs Powered by Agentic. We have integrated the Agentic Conversational AI platform across all major IoC analysis reports (files, URLs, domains, IP addresses). This new capability is accessed via a single 'Brief' button. After selecting a set of IoC analysis reports, clicking the 'Brief' button automatically initiates a conversation within the Agentic interface, allowing the AI to produce an executive summary focused specifically on the selected entities' recent activity.

🆕 New outbound 3rd-party integrations. Integrations are vital to operationalizing Google Threat Intelligence, converting raw security insights into immediate, effective defensive action. These crucial integrations help organizations eliminate siloed data and dramatically enhance their security ecosystem, boosting efficiency and accelerating Mean Time to Resolution (MTTR).

New integrations released:

• Google SecOps - see user guide here
• Wiz - see user guide here
• FortiSOAR - see documentation here

💪 Detection Highlights. The Google Threat Intelligence Group and FLARE team regularly enhance Google TI's YARA rules to provide comprehensive malware detection. In this update, we've released YARA rules covering 6 newly tracked malware families and updated detections for 30 existing families. Our content development is prioritized based on malware actively observed in Mandiant incident response engagements, Google SecOps customer environments, and top GTI search trends.

As we track new malware families found through our research, we build and release detection signatures. Some recent examples include:

• SANDGLASS: SANDGLASS is a backdoor written in Python capable of arbitrary command execution and different file operations.
• GRIMROUTE.V2: GRIMROUTE.V2 is a cross-platform ransomware family written in Rust that targets Windows and Linux VMware ESXi environments. Operating as a command-line utility, GRIMROUTE.V2 requires specific runtime arguments to define its execution scope. It employs a high-performance, multi-threaded architecture to encrypt files using the ChaCha12-Poly1305 stream cipher. GRIMROUTE has dropped ransom notes identifying itself as AETHERION ransomware.
• CRUDEEXCLUDE: CRUDEEXCLUDE is a utility written in Delphi that comes packaged with a basic GUI application that tries to masquerade as a chat application. Rather than download or drop a payload, CRUDEEXCLUDE instead sets up the staging directories that have historically housed HEAVYGRAM and SHADEGENES and sets them as exclusions for Microsoft Defender. CRUDEEXCLUDE then beacons a message to a hard-coded Telegram chat ID using a hard-coded bot token. The message is formatted like the following, PC Name:<pc_name> Excluded!. The response from Telegram is not used in any way, so this may indicate the purpose of CRUDEEXCLUDE is to simply masquerade as a chat application and setup the environment for HEAVYGRAM and/or SHADEGENES.
• SLEEKSTROKE: SLEEKSTROKE is a passive backdoor written in C++ designed to operate on Citrix NetScaler devices. During startup the backdoor creates a PHP webshell component in a web accessible location and uses it to receive commands via named pipes. Supported backdoor commands include system command execution, file listing, file removal and directory creation. The backdoor is capable of monitoring Apache HTTP logs and removing entries indicating access to the webshell component.
• SURFCAKE: SURFCAKE is a downloader written in JavaScript that communicates over HTTPS or HTTP. SURFCAKE is capable of process termination, user enumeration, registry modification, self-update, and installation.

In addition to providing detection rules for new and emerging threats, we continue to update our detection systems for threats like SNOWLIGHT, INVISIBLEFERRET, and BEAVERTAIL. These updates ensure you have the latest YARA-based detections for these persistent threats.

See latest malware family profiles added to the knowledge base and the complete list of curated YARA rules in our database.

📢 Google TI Mondays. Quick reminder to Follow the Google TI Mondays series across our social platforms every week for quick, actionable practitioner tips and product adoption advice designed to enhance your efficiency. These actionable tips are essential. #GoogleTIMondays

• Saved Searches in Google Threat Intelligence
• Private IoC Collections

💪 Detection highlights. The Google Threat Intelligence Group and FLARE team consistently update Google TI's YARA rules and malware configuration extractors. This week, we focused on improving coverage for existing malware families. We updated 11 YARA rules and 2 configuration extractors. A few examples of families we updated our coverage for are: VIDAR, POISONPLUG.SHADOW, and GLUPTEBA.

These updates ensure you have the latest indicators that were extracted by our configuration extraction systems and YARA rules.

See latest malware family profiles added to the knowledge base and the complete list of curated YARA rules in our database.

🆕 Ransomware Data Leaks endpoint exposed. The Ransomware Data Leaks dashboard is our threat intelligence tool focused on aggregating data from numerous leak sites (DLS) to track extortion trends, victim volume, and active threat actor brands that serves as a strategic "command center" for cybersecurity teams. Now the new endpoint allows customers to programmatically retrieve the raw data powering the dashboard, enabling the seamless integration of ransomware intelligence into automated security workflows, custom reporting, and internal SOAR platforms. Our documentation provides practical examples to help you get started with this endpoint.

🆕 New URL search modifiers. The Intelligence Search feature allows users to execute complex and powerful queries against our expansive dataset of malicious indicators, enabling threat hunters to uncover infrastructure, track campaigns, and identify evolving threats. We have introduced three new search modifiers for URL entities: last_modified, last_modification_date, and lm​​. These modifiers allow analysts to filter URL indicators based on the exact time they were last updated in our database.
See example.

🆕 Saved Searches. The Intelligence Search feature allows users to execute complex and powerful queries against our expansive dataset of malicious indicators, enabling threat hunters to uncover infrastructure, track campaigns, and identify evolving threats. Instead of manually reassembling the required search modifiers for a specific use case every time a search has to be performed, now users can save queries by creating Saved Searches to efficiently reuse or frequently execute threat intelligence searches across our vast database of IoC analysis reports (files, URLs, domains, IP addresses).

🆕 Agentic can now construct intelligence searches / queries. Agentic is the AI-powered assistant within GTI, designed to simplify and streamline complex threat intelligence tasks. Users can now leverage natural language to automatically generate complex intelligence searches / queries for IoCs (files, URLs, domains, IP addresses). This new capability eliminates the previous requirement for analysts to manually consult and apply a wide array of search modifiers, significantly speeding up IoC investigation and improving search accuracy. Additionally, the tool allows users to:

• Copy the resulting query
• Open it in the platform without running it to be able to modify it needed before running it
• Execute it
• Compute commonalities of the matched IoCs

📢Google TI Mondays. Quick reminder to Follow the Google TI Mondays series across our social platforms every week for quick, actionable practitioner tips and product adoption advice designed to enhance your efficiency. These actionable tips are essential. #GoogleTIMondays

• Regional Ransomware Triage
• Crowdsourced IDS rules in Google Threat Intelligence

💪 Detection highlights. The Google Threat Intelligence Group and FLARE team consistently update Google TI's detection content. This week, we focused on updating existing malware family coverage with both YARA and malware configuration extractors. The teams updated our detections for malware families like VIDAR, POISONPLUG.SHADOW, and PAPERPUCK. These updates ensure you have the latest indicators that were extracted by our configuration extraction systems.

💪 Enhanced PE and ELF Binary Behavior Detections. CAPA, a tool maintained by the FLARE team , provides human-readable explanations of suspicious behavior that a binary may exhibit when executed. Our platform runs CAPA on all PE and ELF binaries, displaying results in the BEHAVIOR tab of the UI. Lately CAPA has been updated with 21 new and 10 improved behavior detection rules, which have been fully integrated into our supported file analysis process. This enhancement adds new rules focused on defense evasion, anti-analysis, and system manipulation observed in malware, including:

• behavior_signature:"get .NET assembly entry point": resolve assembly entry point to dynamically execute code.
• behavior_signature:"patch Antimalware Scan Interface function": tamper with AMSI to evade detection.
• behavior_signature:"acquire load driver privileges": enable privileges to load kernel drivers.
• behavior_signature:"detect mouse movement via activity checks on Windows": detect mouse movement to evade sandboxes.
• behavior_signature:"enumerate minifilter drivers": list filesystem filter drivers.
• behavior_signature:"create routing table entry": modify network routing tables.
• behavior_signature:"communicate using FTP": transfer data via FTP.
• behavior_signature:"packed with DXPack": identify binaries packed with DXPack.
• behavior_signature:"decrypt data using AES via .NET": decrypt AES data using .NET APIs.

See example.

Check out CAPA’s full release notes for more details.

🆕 Intelligence at Speed - Instant Executive Briefs Powered by Agentic. We have integrated the Agentic Conversational AI platform across all major Threat Intelligence object list views (such as Threat Actors, Malware & Tools, Campaigns, IoC Collections, Reports, and Vulnerabilities). This new capability is accessed via a single Brief button. After selecting a set of objects, clicking the Brief button automatically initiates a conversation within the Agentic interface, allowing the AI to produce an executive summary focused specifically on the selected entities' recent activity.

🆕 Download Dropped Files from Private Sandboxes. Our Private Scanning service captures the complete runtime profile of analyzed files. By executing samples in multiple private sandboxes, we record all dropped files, network traffic, and system modifications, which are detailed in the BEHAVIOUR tab of each file analysis report. You can now download a single, aggregated ZIP file containing all dropped files generated during a private dynamic analysis execution. This new functionality simplifies the transition from our platform to a local, isolated environment for deeper, hands-on forensic investigation of related artifacts.

💪 Improved OSINT articles context. OSINT threat intelligence articles are sourced and integrated automatically from a collection of pre-vetted, reliable publishers, or ingested by users. These articles serve as an invaluable asset for threat intelligence, converting a massive volume of publicly available threat information into contextual, high-value, and immediately usable insights. This enables security teams to engage in proactive defense measures and inform their strategic security planning. Now the OSINT articles are associated with Threat Actors and Malware Families as curated reports are, significantly enhancing their utility by providing direct links to relevant entities within the threat landscape, making it easier for analysts to track and understand campaigns, tooling, and adversaries.
See example.

📢 Google TI Mondays & Month of UNLIMITED UI Searches. Quick reminder that for the entire month of November, all Google Threat Intelligence and VirusTotal customers will benefit from unlimited, uncapped searches when performing manual queries through the web interface (GUI) using the core VirusTotal / GTI search feature. Follow the Google TI Mondays and Month Of GoogleTI Search series across our social platforms every week for quick, actionable practitioner tips and product adoption advice designed to enhance your efficiency. These actionable tips are essential. #GoogleTIMondays, #MonthOfGoogleTISearch.

• Hunting LockBit 3.0 ELF Payload
• Tracking Gamaredon Infrastructure
• Geopolitical Hunting: Government Phishing
• Hunting AI Evasion & Prompt Injection
• Hunting Cobalt Strike C2 by User-Agent
• Malware Using Email Channels
• Submit Your Own OSINT to Google TI

💪 Detection highlights. This week, the Google Threat Intelligence Group and FLARE team consistently update Google TI's YARA rules. We’ve released YARA rules covering 3 newly tracked malware families and updated YARA rules for 6 existing families. This update prioritizes malware families actively observed in Mandiant incident response engagements, SecOps customer environments, and top GTI search trends.

As we track new malware families found through our research, we build and release detection signatures. Some recent examples include:

• HELLCAT.GO: a HELLCAT ransomware variant written in Go that is capable of encrypting files on local and network drives using the RSA and ChaCha20 algorithms. The extension .HC is appended to the file name for each encrypted file. HELLCAT.GO is also capable of spreading to other networked machines, using spot encryption for file types associated with virtual machines, killing specified processes and services, skipping specified files and directories, wiping event logs, and deleting volume shadow copies. It drops a ransom note titled README_HELLCAT.txt after the encryption process is complete.
• SHINYSPIDER: ransomware written in Go that uses RSA and ChaCha20 for encryption. An 8-character extension is generated for each encrypted file, and depending on the file size, files are either partially or fully encrypted. SHINYSPIDER is also capable of encrypting files on local and network drives, spreading to other networked systems, killing specified processes and services, wiping event logs, disabling hooks added by security tools and deleting volume shadow copies.
• ASHCLOUD: a disruption wiper utility and dataminer disguised as a security scan application that scans all connected drives for particular file-types, AES encrypts the file's content using a single AES session key and prepends the AES IV to the encrypted file, RSA encrypts the AES session key with an embedded public key, and exfiltrates the encrypted AES session key as well as the encrypted files to an attacker-controlled Dropbox. Once the data theft routine is complete, or immediately upon receiving a "skip_backup" command from the Telegram C2, ASHCLOUD uses secure deletion algorithms to irreversibly wipe the local files. Additionally, ASHCLOUD provides the ability to execute a command on the victim's system, allowing the attacker to maintain persistence and execute arbitrary system commands via a Telegram bot.

In addition to providing detection rules for new and emerging threats, we continue to update our detection systems for threats like LOCKBIT, MISTPEN, and SUO5. These updates ensure you have the latest indicators.

See latest malware family profiles added to the knowledge base and the complete list of curated YARA rules in our database.

🆕 Tagging and Search for Agentic Prompts. Agentic Prompts are reusable query templates within the Agentic conversational AI platform. They allow security analysts to create standardized, structured instructions for the AI agents to automate and accelerate recurring threat investigation, malware analysis, and reporting workflows in Google TI. Users can now assign custom tags when creating or modifying an Agentic prompt. This feature introduces a new, powerful search and filtering capability in the prompt library, allowing analysts to quickly locate prompts based on criteria like Analysis, Briefings, Trends, Vulnerability and New prompts, or any other word from the prompt description.

📢 Google TI Mondays & Month of UNLIMITED UI Searches. Quick reminder that for the entire month of November, all Google Threat Intelligence and VirusTotal customers will benefit from unlimited, uncapped searches when performing manual queries through the web interface (GUI) using the core VirusTotal / GTI search feature. Follow the Google TI Mondays and Month Of GoogleTI Search series across our social platforms every week for quick, actionable practitioner tips and product adoption advice designed to enhance your efficiency. These actionable tips are essential. #GoogleTIMondays, #MonthOfGoogleTISearch.

• VT4Browsers + Google TI
• Hunting Malware with Valid Signatures
• Sigma Hunter: Find the Gaps
• Hunting Recently Registered DGA domains
• Hunting Stealers via PDB Metadata

💪 Detection highlights. The Google Threat Intelligence Group and FLARE team consistently update Google TI's YARA rules and malware configuration extractors. This week, we’ve released YARA rules for 9 newly tracked malware families and updated existing YARA rules for 31 families. We've also enhanced our configuration extraction platform with updates for 1 existing malware family. This update prioritizes malware families actively observed in Mandiant incident response engagements, SecOps customer environments, and top Google TI search trends.

As we track new malware families found through our research, we build and release detection signatures. Some recent examples include:

• RAINWIZARD: a Windows backdoor written in Rust. RAINWIZARD uses OneDrive Graph API for command and control. Backdoor capabilities include file download, upload, file listing, command execution using cmd.exe or PowerShell and Windows registry run key modification.
• SAGEWAVE: a launcher written in Java that acts as a servlet filter. SAGEWAVE registers a specific URL pattern to receive attacker traffic over HTTP to a compromised Java web server and expects to receive an encrypted Java class from an attacker in the HTTP request. The payload is decrypted using AES-128-CBC with a hard-coded key and IV and is parsed as a ZIP file. SAGEWAVE loads Java class files into memory from the decrypted ZIP archive, and then executes the "httpReq" method from a class with a filename ending in ".Cli". SAGEWAVE has been observed being dropped by SAGELEAF and is suspected to be used to deploy a payload similar to GOLDTOMB. See its curated YARA detection rules.
• CHARON: a ransomware written in C++ that uses multiple threads to partially encrypt files on the localhost as well as in network shares. Samples have been observed terminating services and processes related to endpoint-agents and backup services. The targeted services belong to software made by eastern and western companies. CHARON samples also include an embedded driver, Dark-Kill, to gain kernel privileges and terminate more tamper-resistant AV and EDR software. See its curated YARA detection rules.

In addition to providing detection rules for new and emerging threats, we continue to update our detection systems for threats like OXEEYE, DONUT, and UPATRE. These updates ensure you have the latest indicators, including those extracted by our configuration extraction systems.

See latest malware family profiles added to the knowledge base and the complete list of curated YARA rules in our database.

💡 Remember! Private Scanning + Code Insight. Private Scanning is a dedicated service that allows organizations to submit suspicious files and URLs for analysis while guaranteeing that IoCs, their execution data, and the resulting report remain completely confidential and are not shared publicly / with the community.

• Remember that you can choose between static analysis only or static and dynamic detonation via the "Try to detonate in dynamic analysis sandboxes" checkbox.
• Remember that the Code Insight analysis, which uses Gemini AI to assist malware analysts by generating natural language summaries of a file's functionality, is provided for private file analysis reports whenever possible.

💪 Improved trends visibility via Agentic. Agentic, our nextgen autonomous threat intelligence foundation that delivers instant, contextual, and actionable threat intelligence by fielding complex, natural language queries about security topics, indicators, and entities, has been upgraded to provide immediate visibility into prevalent threat data by running advanced queries to identify top trends over specific periods of time. Examples of supported queries include:

• "Give me the mutexes most used by Emotet in the USA in the last 2 weeks."
• "Give me the vhash most used by APT44 in the last month in the USA."
• "Give me the countries where APT44 has used 035056655d155512e1z14z7dhz1020022fz most in the last month."

🆕 Providing clarity regarding Google TI objects + web citations vs artifact attachments in Agentic. We have improved the organization of contextual data within the Agentic conversations. Instead of a single source button, two new, distinct buttons are now displayed:

• Sources button, at the end of the conversation, dedicated to accessing the Threat Intelligence objects and external web citations used to formulate the conversation responses.
• An attachments button next to the Share one, is now your way to view files and other artifacts uploaded during the conversation.

Sources and artifacts are no longer separated into two tabs. Instead, each item is displayed and accessed via its own dedicated button.

🆕 New outbound 3rd-party integrations. Integrations are vital to operationalizing Google Threat Intelligence (GTI), converting raw security insights into immediate, effective defensive action. These crucial integrations help organizations eliminate siloed data and dramatically enhance their security ecosystem, boosting efficiency and accelerating Mean Time to Resolution (MTTR).

New integrations released:

• Cyware - See demo here
• Sumologic
• CrowdStrike

💪 AI-enhanced sandbox detonation for deeper behavioral analysis. The Behavior tab within a file's analysis report showcases detailed behavioral insights, which are generated by executing the uploaded file across Google Threat Intelligence's multi-environment sandboxes. We've introduced AI-driven interaction capabilities to our detonation engine. This enhancement allows the sandbox to autonomously click and interact with samples, ensuring they fully execute and reveal their hidden behaviors, resulting in more complete and in-depth behavioral reports. File types affected by this improvement are:

• SVG (Scalable Vector Graphics)
• MSC (Microsoft Management Console Snap-ins)
• HTA (Microsoft HTML Applications)
• Emails

See example

💪 IoC Stream Notification Retention Extended to 30 Days. IoC Stream is our IoC centralized notification hub that aggregates all IoCs coming from Livehunt or Retrohunt matches, Threat Profile and Followed Threat Intelligence Objects (Threat Actor, Campaigns, Malware & Software, IoC Collections, Reports, Vulnerabilities) that were updated with new IoCs. The retention period for IoC notifications in the IoC Stream has been significantly increased from 1 week (7 days) to 30 days. This update provides users with a substantially longer historical buffer, offering greater flexibility for data synchronization, analysis, and comprehensive retrospective threat hunting.

📢 Google TI Mondays & Month of UNLIMITED UI Searches. Quick reminder that for the entire month of November, all Google Threat Intelligence and VirusTotal customers will benefit from unlimited, uncapped searches when performing manual queries through the web interface (GUI) using the core VirusTotal / Search feature. Follow the Google TI Mondays and Month Of GoogleTI Search series across our social platforms every week for quick, actionable practitioner tips and product adoption advice designed to enhance your efficiency. These actionable tips are essential. Follow us to ensure you never miss the most current intelligence! #GoogleTIMondays, #MonthOfGoogleTISearch,

• Infrastructure, Brand and External Threats
• Hunting Trusted Domain Abuse
• Hunting LNK-triggered Powershell fetches
• Hunting Emerging C2 Infrastructure

💪 Detection Highlights. The Google Threat Intelligence Group and FLARE team consistently update Google TI's YARA rules and malware configuration extractors. Over this period, we’ve released YARA rules covering 9 newly tracked malware families, and enhanced our configuration extraction platform to cover 2 existing malware families. Additionally, we've updated YARA rules for 23 other known threats. This update prioritizes malware families actively observed in Mandiant incident response engagements, SecOps customer environments, and top GTI search trends.

As we track new malware families found through our research, we build and release detection signatures. Some recent examples include:

• TOXICDUST: a Windows launcher written in C/C++. TOXICDUST is capable of reading a payload file, decoding it by performing bitwise NOT operation and base64, and finally executing the resulting shellcode in memory. TOXICDUST uses SysWhispers2 to perform direct system calls. TOXICDUST is capable of evading AV and EDR software by patching BitDefender Hooking DLL and unhooking NTDLL.DLL. See its curated YARA detection rules.
• EGGJSE: a JScript Encoded dropper. It contains payloads, usually double Base64-encoded, which it decodes, drops, and runs. See its curated YARA detection rules.
• GLOWDISK: a dropper that contains an embedded decoy and executable that it drops to disk and runs. See its curated YARA detection rule .
• PIPEDOWN.DRIVE: a variant of the PIPEDOWN code family. It is a backdoor written in C++ that communicates using the Google Drive API to implement its functionality. Its capabilities include interacting with a hard-coded Google Drive resource to perform file upload, file download, file execution, and performing file listing. See its curated YARA detection rules.

In addition to providing detection rules for new and emerging threats, we continue to update our detection systems for threats like OXEEYE, BEAVERTAIL, and POISONPLUG.SHADOW. These updates ensure you have the latest indicators and YARA rules for evolving threats, some of which were extracted by our configuration extraction systems.

See latest malware family profiles added to the knowledge base and the complete list of curated YARA rules in our database.

💪 Enhanced PE and ELF Binary Behavior Detections. CAPA, a tool maintained by the FLARE team , provides human-readable explanations of suspicious behavior that a binary may exhibit when executed. Our platform runs CAPA on all PE and ELF binaries, displaying results in the BEHAVIOR tab of the UI. Lately CAPA has been updated with 22 new and 46 improved behavior detection rules, which have been fully integrated into our supported file analysis process. This enhancement adds new rules heavily focused on detecting defense evasion techniques observed in malware, including:

• behavior_signature:"disable System Restore features via registry on Windows": modify the registry to disable system recovery.
• behavior_signature:"disable system features via registry on Windows": modify the registry to disable administrative tools like Task Manager, Windows Update, and UAC.
• behavior_signature:"disable Device Guard features via registry on Windows": modify the registry to disable virtualization-based security and code integrity policies.
• behavior_signature:"disable Windows Defender features via registry on Windows": modify the registry to disable Windows Defender.
• behavior_signature:"disable firewall features via registry on Windows": modify the registry to disable Windows Firewall.
• behavior_signature:"unload sysmon": unload sysmon minifilter driver to disable Windows System Monitor.
• behavior_signature:"unload minifilter driver": unload minifilter driver to disable kernel functionality.
• behavior_signature:"enter debug mode in .NET": enable debug privileges to manipulate processes.
• behavior_signature:"encrypt data using TripleDES in .NET": encrypt data using the TripleDES algorithm to conceal data.

Check out CAPA’s full release notes for more details.

🆕 Google Threat Intelligence Browser Extension. We evolved the popular VT4Browsers Extension to include the power of Google Threat Intelligence to provide actionable Threat Intelligence directly in your Browser. It empowers analysts with immediate threat context & triage, investigate in-depth without context switching and seamless collaboration & tracking to stay on top of threats, scan downloads all by providing actionable Threat Intelligence directly within your browser.
Now users with a valid Google Threat Intelligence API key can activate a new, integrated investigation experience.

• New Interface: the extension adopts the visual style of the official Google Threat Intelligence interface.
• Live Investigation: IoCs are automatically highlighted/enriched on the page as you navigate, providing a Quick Summary (Hover) and Deep Dive (Click) into the GTI Widget side-panel powered by Google Threat intelligence.
• View Summary of all IoCs: a new feature to automatically collect all the detected IoCs on a webpage and open a new investigation window in the Google TI platform. You can add specific IoCs in this window directly into a new IoC collection to unlock powerful use-cases, to stay on top of the threats.

Want to try the enhanced investigation experience? Download or update the extension now:

• Google Chrome / Microsoft Edge
• Firefox

🆕 Audit Logging. The new Audit Log is an essential security and administrative tool within Google Threat Intelligence, exclusively accessible to Group Administrators. Its primary function is to track, record, and preserve a time-stamped history of all sensitive administrative actions taken across your organization’s Google TI group, covering activities performed via both the web UI and the API.

💪Extended malware configuration extraction with displayed messages. Google Threat Intelligence processes all files submitted to VirusTotal, as well as some other Mandiant/Google sources, and identifies popular malware families, invoking malware configuration extractors where applicable. We’ve updated our extractors to also include any messages displayed back to users, such as ransom notes. See example.

This field has also been indexed and allows you to hunt for specific malware families, for example: malware_config:"guarantee that we won't scam you".

💪 Agentic now has the capability to provide mitigation advice. Our Agentic conversational assistant designed to provide instant, contextual, and actionable threat intelligence by answering complex, natural language queries about security topics, indicators, and entities has been improved to answer specific mitigation strategies and defensive controls related to a given MITRE ATT&CK TTP, CAPEC ID, or CWE ID. This enhancement allows for faster pivoting from threat identification to defense planning by providing immediate, actionable guidance on how to prevent or limit the impact of specific attacker behaviors and vulnerabilities.

📢Google TI Mondays. Tune in every Monday as we share quick, actionable practitioner tips and product adoption advice across our social platforms. These knowledge "pills" are designed to boost your efficiency, follow us to make sure you never miss the latest insights!

• Crowdsource Sigma Rules in GoogleThreatIntelligence

📢Month of UNLIMITED UI Searches. Check with VirusTotal / Search is the core searching feature providing access to our platform's massive IoC dataset, enabling users to execute advanced queries with specific modifiers to investigate malware campaigns, track threat actors, and analyze threat infrastructure. In November, all Google TI and VirusTotal customers will enjoy unlimited, uncapped searches when performing manual queries through the web interface (GUI). These searches will not consume any of the customer’s existing search quota.

• Google TI customers: 30 Days of UNLIMITED Searching with Google Threat Intelligence
• VT customers: November is the Month of Searches: Explore, Learn, and Share with #MonthOfVTSearch

💪Detection Highlights. The Google Threat Intelligence Group and FLARE team consistently update Google TI's YARA rules. Over this past week, we’ve released YARA rules covering 11 newly tracked malware families and updated YARA rules for 20 existing families. This update prioritizes malware families actively observed in Mandiant incident response engagements, SecOps customer environments, and top GTI search trends.

As we track new malware families found through our research, we build and release detection signatures. Some recent examples include:

• FIREPLUG: a backdoor written in Go that is capable of command execution, file upload and download, traffic relaying using SOCKS5 and port forwarding. See its curated YARA detection rules.
• WAVESHAPER: a backdoor written in C++ supports downloading and executing arbitrary payloads from the C2. See its curated YARA detection rules.
• LOSTSEA: a downloader that sets persistence by scheduling a task named IconCache. It collects and sends basic system information like user and hostname to the command and control (C2 or C&C) server. The response is expected to be an encoded next-stage payload. See its curated YARA detection rules.
• CHROMEPUSH: a dataminer written in C/C++ that targets multiple browsers (Chrome, Brave, Arc, Edge) and steals sensitive data, including screen captures, browser cookies, and keylogger data. It is also capable of installing a malicious Chrome browser extension. See its curated YARA detection rule.
• UDPSHELL: a Linux backdoor written in C. UDPSHELL communicates with command and control server using QUIC protocol. The backdoor capabilities include shell command execution, file upload and download, SOCKS5 proxy. See its curated YARA detection rule.

In addition to providing detection rules for new and emerging threats, we continue to update our detection systems for threats like DONUT, CHINACHOP, and POSHC2. These updates ensure you have the latest indicators.

See latest malware family profiles added to the knowledge base and the complete list of curated YARA rules in our database.

🆕 Enhanced Clarity and Accessibility of Registration Data with RDAP Format. The Whois lookup information in IP addresses and domains analysis reports provides deep insight into the registration, ownership, and administrative contacts for both IoC types. It is a crucial component for threat intelligence and incident response, allowing analysts to pivot investigations based on infrastructure ownership. We have introduced support for the standardized Registration Data Access Protocol (RDAP) to enhance the information provided from Whois lookups. It provides registration data in a machine-readable, standardized format (JSON), leading to greater data consistency and easier automated processing. See example.

🆕 URL Private Scan check for Public Report availability. The Private Scanning feature allows users to analyze URLs in a dedicated, private environment. This is essential for inspecting sensitive URLs and performing in-depth analysis, such as interactive sandbox detonation, without contributing the results to the public corpus. The platform now provides an immediate notification when a public report for a requested URL is already available, right before initiating a private scan. This allows users to decide whether they still require a private scan for specific reasons (e.g., interact with the sandbox during URL detonation or configuring a certain browser agent), or if the public report is sufficient, thereby preserving their Private Scanning quota.

💪 Enhanced GTI Scoring with Human-Verified Intelligence to reduce False Positives/False Negatives. The GTI Score is a proprietary, unified risk assessment metric that objectively quantifies an indicator's (file, URL, domain, IP) maliciousness for fast decision-making and alert prioritization. The model has been significantly improved by incorporating manual analysis insights from the ATI (Advanced Threat Intelligence) team, which systematically corrects edge cases, thus reducing False Positives (FP) and improving False Negatives (FN) coverage for a more accurate score.

🆕 Agentic now uses existing detections and generates new YARA-L rules. Agentic, our conversational AI platform powered by Google Threat Intelligence (TI), now features enhanced YARA-L rule generation capability. This improvement is driven by Agentic's streamlined access to our comprehensive library of existing detection rules, enabling the creation of more sophisticated and precise new rules for countering complex threats and ensuring reliable resources for rapid threat response. After you prompt the agent to create a new YARA-L rule (to track a specific threat or malware family), the interface gives you the power to act right away to:

• Copy the rule content.
• Download the rule file locally.

Leverage our entire dataset to massively boost your detection power, then integrate the results into Google SecOps in minutes.