📢 Google TI Mondays. Quick reminder to Follow the Google TI Mondays series across our social platforms every week for quick, actionable practitioner tips and product adoption advice designed to enhance your efficiency. These actionable tips are essential. #GoogleTIMondays

• Make the most out of Code Insight
• Hunting PowerShell & VBS with Google TI

📢 Mastering the Hunt: New Practitioner-Oriented Content. Monitoring cybercrime actors on the dark web is a complex, labor-intensive process, constantly disrupted by forum seizures and the rapid emergence of new platforms. To help you navigate this shifting landscape, our latest blog post demonstrates how to leverage Agentic and the new Deep and Dark Web (DDW) module to streamline your investigations. We showcase real-world use cases and internal hunting techniques that utilize natural language and new search modifiers to pivot through diverse data sources, eliminating the need to manually track fragmented forums.

• Active dark web monitoring with Google Threat Intelligence and Agentic TI

💪 Detection Highlights. The Google Threat Intelligence Group and FLARE team continue to expand Google TI’s detection surface by developing custom YARA rules and malware configuration extractors. This week, our researchers focused on updating our existing detections for many popular malware families. A few examples include:

• SQUIDSLEEP: This family was updated to include the latest indicators observed in recent campaigns and threat actor activity. See its curated YARA detection rules.
• HAVOCDEMON: Updates to this family include expanded malware configuration extraction to better identify command-and-control infrastructure.See its curated YARA detection rules.
• ZIGZAG: We have refined the YARA signatures for this family based on new samples identified through our research into active campaigns. See its curated YARA detection rules.

See latest malware family profiles added to the knowledge base and the complete list of curated YARA rules in our database.

🔄 Enhanced Security Control: Two-Factor Authentication (2FA) Enforcement. The Group Management suite within the Google Threat Intelligence platform allows administrators to oversee their organization's users, service accounts, and settings. It provides a centralized interface to ensure that access to the platform aligns with corporate security policies.

The Group Administrators can now mandate Two-Factor Authentication (2FA) for all members of their group. When enabled, this group-level setting prevents users from accessing Google Threat Intelligence features until they have configured a secondary authentication method (such as an authenticator app or offline code) on their individual accounts.

This safeguards sensitive data against credential theft while maintaining administrative control. If a user loses their 2FA device, administrators can perform a secure reset to facilitate seamless re-enrollment without impacting the user's existing collections or research.

🔄 Private Scanning Network Control: New Regional Routing through Chile. Private Scanning is a core capability within Google Threat Intelligence that allows organizations to analyze suspicious files and URLs in a completely isolated environment. This ensures that the analysis remains confidential and that no data is shared with the public community or third parties.
We are expanding our global egress infrastructure by introducing Chile as a new routing option for Private Scanning. This marks our first network exit point in Latin America, allowing users to route the network traffic generated during dynamic analysis through a localized Chilean IP space.
The new Chilean egress node enables Localized Evasion Testing, allowing analysts to bypass "geo-fencing" by observing how threats interact specifically with users in the LATAM region.

💡 Remember! Network Livehunt Rules + Typosquatting. YARA is the de facto pattern-matching tool for threat intel and malware research. Google Threat Intelligence extends YARA beyond file content matching to include incoming URLs, domains, and IP addresses. By configuring Livehunt rulesets, researchers can define complex behavioral indicators to identify emerging threats and receive real-time detection notifications before they impact their environment.

Remember that now instead of manually listing dozens of permutations for a single domain, analysts can use a specific syntax to flag domains that are visually or typographically similar to their target brand or high-value infrastructure via the vt.net.domain.permutation_of module to specify a "distance" or "similarity" score.
Fine-tune your detections by applying flags for specific techniques:

• vt.Domain.Permutation.TYPO: Detects common keyboard misspellings.
• vt.Domain.Permutation.HOMOGLYPH: Flags look-alike characters (e.g., using "0" for "o").
• vt.Domain.Permutation.HYPHENATION: Identifies unauthorized additions of hyphens.
• vt.Domain.Permutation.SUBDOMAIN: Spots brand names repurposed as subdomains.
• vt.Domain.Permutation.BITSQUATTING: Detects domains resulting from single-bit errors in hardware memory.

💪 Enriched Mitigations in Agentic via OWASP Integration. Agentic is an AI-powered analysis interface built to automate complex investigative workflows. By leveraging specialized agents with direct access to Google Threat Intelligence datasets and analysis engines, users can rapidly summarize threats and pivot through malicious infrastructure.

We have integrated OWASP (Open Worldwide Application Security Project) documentation directly into Agentic to streamline your defense strategy. While investigating potential threats, you can now ask for mitigation advice and receive standard-aligned security guidance and best practices based on the OWASP framework.

💪 Enhanced Agentic Interaction for Dark Web Saved Searches. We’ve improved how Agentic handles Saved Searches for the Dark Web. You can now request an intelligence digest using natural language, prompting the agent to cross-reference forums, pastes, etc, to deliver actionable insights based on your specific saved logic.

💪Enhanced Visibility in Agentic: Data Visualization and Real-time Analysis Tracking. We have introduced two major visibility upgrades to Google TI’s Agentic tool:

• We’ve added a live progress indicator for background malware analyses. Users can now see the progress of background Malware Analysis in real-time.

• We've upgraded how you interpret threat data with the addition of automated chart generation. When requesting statistical breakdowns, the platform now renders Pie Charts, Bar Charts, and World Maps directly in the UI, delivering an immediate, 'at-a-glance' understanding of data trends.

📢 Google TI Mondays. Quick reminder to Follow the Google TI Mondays series across our social platforms every week for quick, actionable practitioner tips and product adoption advice designed to enhance your efficiency. These actionable tips are essential. #GoogleTIMondays

• The Relevance System

💪 Detection Highlights. The Google Threat Intelligence Group and FLARE team continue to expand Google TI’s detection surface by developing custom YARA rules and malware configuration extractors. This week, our researchers have released detection content for 35 newly tracked malware families and updated protections for 49 existing threats. We prioritize our detection engineering efforts based on the latest malware identified during Mandiant incident response engagements, telemetry from Google SecOps customer environments, and high-interest Google TI search trends.

As we identify new threats through our research, we develop and deploy dedicated detection signatures. Some recent examples of newly tracked families include:

• UDADOS: a Windows executable written in C++ that connects to a command-and-control (C2 or C&C) server to receive commands to perform distributed denial-of-service (DDoS) attacks against victims. It can receive C2 server updates by abusing various third-party services (GitHub, Bitbucket, Dropbox) and can also receive C2 updates via the Ethereum blockchain as URLs hidden inside transactions. See its curated YARA detection rules.
• SIDEFOX: a specialized infostealer that harvests passwords, credit cards, and session tokens. By injecting code into browsers and targeting apps like Discord, Steam, and Telegram, it allows attackers to bypass user protections and hijack accounts almost instantly. See its curated YARA detection rules.
• SANTASTEAL: a C-based malware-as-a-service (MaaS) designed for stealth, operating entirely in memory to bypass traditional detection. Functioning as a rebranding of the Blueline Stealer project, it harvests sensitive data from browsers, crypto wallets, and messaging platforms like Discord and Telegram. See its curated YARA detection rules.
• NULLTAP: a ransomware written in Rust capable of using a hybrid cryptographic scheme to encrypt files. The encryption logic is largely implemented via third-party crates. Extended capabilities may include updating the current desktop background. See its curated YARA detection rules.

In addition to tracking emerging threats, we consistently refine our detections for established malware to account for evolving variants. This week, we updated our YARA rules and configuration extraction capabilities for several prominent threats, including SYSTEMBC, ARECHCLIENT2, and HAVOCDEMON. These updates ensure that our systems can continue to extract critical indicators of compromise even as threat actors modify their tools.

See latest malware family profiles added to the knowledge base and the complete list of curated YARA rules in our database.

💪 Visual Insights: Enhanced Industry and Country Reporting in Agentic. Agentic is the conversational AI platform for Google Threat Intelligence that orchestrates specialized security agents to automate complex investigative workflows. By grounding its responses in Google’s massive security dataset, it allows analysts to move from raw data to finished intelligence through natural language.

Agentic now supports Visual Dashboards for Country and Industry profiles, automatically populating reports with key visual insights such as:

• World Maps: Visualizing the geographic distribution of threat activity.
• Geographical and Industrial Breakdowns: Instant visualization of which sectors and regions are being targeted.
• Categorical Charts: Breaking down threats by motivation, malware family, actor group, etc.

This update transforms text-heavy intelligence into actionable, "at-a-glance" visual data. Analysts can now immediately identify geographical hotspots and industry-specific trends, making it easier to communicate risks to stakeholders and prioritize defense strategies based on visual density and frequency of threats.

💪 Agentic Integration for Saved Searches. We have expanded Agentic’s capabilities to include native support for Saved Searches. This integration allows the agent to list, filter, and execute the custom queries you and your organization have already built within the Google Threat Intelligence environment.

By operationalizing saved searches through natural language, security teams can significantly reduce "time-to-insight." Analysts can instantly generate intelligence digests based on proven query logic, ensuring high-priority threats are never overlooked during an AI session. This automation allows Agentic to process and summarize results on the fly, accelerating your investigative workflow.

Prompt examples:

• "What are my saved searches?"
• "Show me the saved searches shared with my organization."
• "Run my 'Critical Log4j' saved search and summarize the findings from the last 24 hours."

🔄 Update to SCIM Authentication Token Format. Following feedback and requests from our customers to align with industry-standard authentication protocols, we have updated the format of the SCIM Secret Token.
The token is now provided with the Bearer prefix: Bearer <token>
This update ensures that the configuration within your Identity Provider matches the standard Authorization header requirements.

📢 Google TI Mondays. Quick reminder to Follow the Google TI Mondays series across our social platforms every week for quick, actionable practitioner tips and product adoption advice designed to enhance your efficiency. These actionable tips are essential. #GoogleTIMondays

• Exposing the Underground: New Dark Web Searches

💪 Detection Highlights. The Google Threat Intelligence Group and FLARE team continue to expand Google TI's detection capabilities through the development of YARA rules and malware configuration extractors. This week, we have introduced YARA rules for 8 newly tracked malware families and updated configuration extraction support for 2 existing families. Our team prioritizes the creation of this content based on threats identified during Mandiant incident response engagements, activity within Google SecOps customer environments, and trending searches within Google TI.

As our research uncovers new malware families, we develop and deploy detection signatures to provide immediate visibility. Recent additions include:

• WAVESHAPER.V2: a cross-platform backdoor family targeting Windows, Linux, and macOS. It is identified by a standardized Command and Control (C2) architecture featuring a 60-second beaconing interval, 16-character unique victim IDs, and a platform-agnostic User-Agent used for all C2 communication. This shared framework enables consistent remote capabilities across all variants, including host reconnaissance, directory enumeration, and the staging of secondary scripts or binaries. See its curated YARA detection rule.
• MOONBOX: a ransomware written in C++ that encrypts both documents and database files along with virtual machine related files. The ransomware uses the ChaCha20 stream cipher algorithm for file encryption, generating a unique key for each file which is then encrypted using an embedded RSA public key and appended to the locked file. The ransomware accepts multiple command-line arguments to modify its behavior, including "--fast" to encrypt only the first 1MB of files, "--gpo" to spread the ransomware via Group Policy Object, and "--psexec" to attempt self-propagation within the network. MOONBOX drops a ransom note named "YOU ARE UNDER ATTACK!.html". In some cases the target files are appended with the ".locked" extension while in other analyzed samples encrypted files are appended with the ".exitium" file extension.
• SILKBELL: an obfuscated dropper written in JavaScript deployed inside malicious NPM packages. The dropper is capable of profiling the victim's operating system (Windows, Linux, or macOS) and downloadING secondary payloads. See its curated YARA detection rules.

Beyond tracking new threats, we consistently refine our detections for established malware to ensure high-fidelity intelligence. We have recently updated our detection and configuration extraction coverage for SYSTEMBC.LINUX and ROADSIGN. These updates provide users with the most current indicators and extracted configurations to better defend against persistent threats.

See latest malware family profiles added to the knowledge base and the complete list of curated YARA rules in our database.

💪 Unmasking Obfuscated Malware: Agentic Now Supports AutoIt Deobfuscation. Agentic is the conversational AI platform for Google Threat Intelligence that coordinates specialized security agents for advanced malware analysis. By leveraging Code Insight, an AI-driven analysis engine, it can now interpret the logic of AutoIt-compiled executables. This process automatically extracts and deobfuscates the underlying source code, which is a critical step since attackers frequently use AutoIt to hide malicious intent.

🔄 Improved Role-Based Access Control Management. The Group Management suite within the Google Threat Intelligence platform allows administrators to oversee their organization’s users, service accounts, features allowance and consumption and all group settings. It provides a centralized interface to control who has access to the platform and what specific modules they can interact with.
Group administrators can now define preset roles and permissions that are automatically assigned to new members. While these settings apply by default, administrators retain the flexibility to manually override them for individual or bulk onboarding via the Add User form.

📢 Google TI Mondays. Quick reminder to Follow the Google TI Mondays series across our social platforms every week for quick, actionable practitioner tips and product adoption advice designed to enhance your efficiency. These actionable tips are essential. #GoogleTIMondays

• Hunting LLM-Enabled Malware Part 2

💪 Detection Highlights. The Google Threat Intelligence Group and FLARE team continuously develop and refine YARA rules and malware configuration extractors to enhance Google Threat Intelligence's detection capabilities. This week, we have introduced detections for 5 newly tracked malware families and updated detection content for 14 existing threats. We prioritize the development of new and updated content by analyzing malware identified during Mandiant incident response engagements, telemetry from Google SecOps customer environments, and emerging Google TI search trends.

As we identify and research new malware families, we develop and deploy detection signatures to provide immediate visibility. Some recent examples of newly tracked families include:

• SANDCLOCK: a credential stealer written in Python that communicates via HTTP and HTTPS. The malware targets cloud environments to extract AWS credentials, Kubernetes ServiceAccount tokens, local environment variables, and cryptocurrency wallets. Harvested data is symmetrically encrypted and uploaded to a remote server. SANDCLOCK also escapes containerized environments by deploying a privileged Kubernetes pod to the underlying host, where it writes a script to disk that downloads and executes additional payloads. See its curated YARA detection rules.
• FLATBANANA: a cross-platform lightweight backdoor written in Go. FLATBANANA uses GitHub API for command and control. FLATBANANA is capable of collecting system information, executing system shell commands, and using a configured GitHub repository to upload and download files. See its curated YARA detection rules.
• DEADLOCK: a ransomware family that impacts Windows systems, appending the .dlock extension to encrypted files. DEADLOCK uses the Polygon blockchain smart contracts to host and rotate proxy command-and-control (C2 or C&C) URLs, a technique known as "EtherHiding," for resilience to takedown efforts. For defense evasion, it has been observed using "Bring Your Own Vulnerable Driver" (BYOVD) tactics, specifically exploiting a vulnerable Baidu Antivirus driver to terminate endpoint detection and response (EDR) processes. See its curated YARA detection rule.
• ROSEBOX: a Rust-based ransomware that by default encrypts files in the C:\Users directory. The ransomware accepts multiple command-line arguments that allows the operator to customize the execution including specifying which directories to encrypt or the percentage of the files to encrypt. ROSEBOX leverages AES and RSA encryption and requires an external RSA public key file. In at least some cases the ransomware renames encrypted files with the extension ".flk". See its curated YARA detection rule.

In addition to tracking new threats, we consistently update our detection systems for known malware to ensure coverage against evolving variants. Recent updates have been applied to families such as BEACON, FOUDRE, and SILVERLIME. These updates include expanded YARA coverage and enhanced configuration extraction to provide the most current indicators of compromise.

See latest malware family profiles added to the knowledge base and the complete list of curated YARA rules in our database.

📢 New Agentic Prompt Templates. Agentic is an AI-powered analysis interface designed to automate complex investigative workflows. By leveraging specialized agents with direct access to Google Threat Intelligence datasets and analysis engines, it shifts the paradigm from manual, static research to dynamic, AI-driven investigation.

We have significantly expanded our Agentic Prompt Template library to automate increasingly complex investigative workflows. This update introduces specialized templates for Deep Analysis of Go-Compiled Malware and Reverse Engineering ELF Binaries, alongside advanced tools for Persistence Mechanism Analysis and Bulk IOC Triage. Additionally, researchers can now leverage a dedicated GTI Query Builder for Malware Hunting and generate comprehensive DDoS Activity Reports.

💪 Code Insight Support for LNK Files. Code Insight is an advanced, Gemini AI-driven capability within Google Threat Intelligence that serves as an automated assistant for malware analysts and reverse engineers. It leverages artificial intelligence to generate natural language summaries that clearly describe a file's true intent and overall functionality.

We have extended Code Insight’s analysis to include LNK files. The tool now evaluates what the shortcut actually does from a security perspective, looking past the "claimed" target to provide analysts with a concise, security-first description of its real behavior, including any hidden commands or remote fetches.

See examples here.

🆕 Introducing My Landscape: Personalized, High-Fidelity Intelligence. My Landscape is a new Public Preview capability within Google Threat Intelligence, powered by the Relevance System. It acts as a personalized lens for security operations, automatically filtering Google’s global frontline intelligence to surface threats specific to your business context, industry, and technology stack. By leveraging Gemini-powered analysis, the tool generates automated alerts with plain-language summaries, ensuring your team understands exactly why a specific threat was flagged and why it matters to your organization.

📢 Google TI Mondays. Quick reminder to Follow the Google TI Mondays series across our social platforms every week for quick, actionable practitioner tips and product adoption advice designed to enhance your efficiency. These actionable tips are essential. #GoogleTIMondays

• Hunting LLM-Enabled Malware Part 1

📢 New Adoption Guide: Introduction to Incident Response with Google Threat Intelligence. We’ve released a step-by-step operational playbook with a Remcos RAT infection as a blueprint. This guide walks you through rapid triage and complex payload analysis to streamline your incident response.

• Adoption Guide: Introduction to Incident Response with Google Threat Intelligence

💪 Detection Highlights. This week, the Google Threat Intelligence Group and FLARE team have enhanced Google TI's detection capabilities by releasing YARA rules for 4 newly tracked malware families and updating detection content for 28 existing families. This includes expanding our configuration extraction platform to cover 1 new malware family. Our prioritization for new and updated detection content focuses on malware actively observed in Mandiant incident response engagements, Google SecOps customer environments, and top Google TI search trends.

As we track new malware families found through our research, we build and release detection signatures. Some recent examples include:

• DINODANCE: operates by utilizing an MSI installer to drop VBScript and PowerShell components. The VBS component executes the PowerShell component through the Shell.Run method, while the PowerShell component downloads and installs Deno, a JavaScript runtime environment, to execute the embedded JavaScript component. See its curated YARA detection rules.
• SKIPIPE: a backdoor with the capability to download a second stage, communicate with a command and control (C2 or C&C), establish named pipes, and execute commands on a compromised system. See its curated YARA detection rules.
• GHOSTBLADE: a dataminer written in JavaScript that collects and exfiltrates a wide variety of data from a compromised device, including messages, account/device identifiers, photos, files, cryptocurrency wallet data, and more. GHOSTBLADE must be deployed following a successful exploit chain building arbitrary kernel memory read/write primitives to function properly. Data collected by GHOSTBLADE is exfiltrated to an attacker-controlled server over HTTP(S). See its curated YARA detection rule.

In addition to providing detection rules for new and emerging threats, we continue to update our detection systems for known threats like HAVOCDEMON, COOLWIPE, and CHILLWIPE. These updates ensure you have the latest YARA signatures and configuration extraction capabilities.

See latest malware family profiles added to the knowledge base and the complete list of curated YARA rules in our database.

🔄 Google TI Integration Guide for Splunk. The Google TI App for Splunk bridges Google TI’s massive threat repository with Splunk. It enables real-time correlation of internal logs with global intelligence, automatically enriching events, including IPs, domains, URLs, and hashes, with reputation scores and threat categories to accelerate triage and eliminate manual research. We have published a significantly more detailed Integration Guide, which provides a comprehensive, step-by-step walkthrough for security administrators.

• Splunk integration guide

🆕 Automated User Deprovisioning via SCIM. Google TI now supports SCIM (System for Cross-domain Identity Management), a standard protocol used to automate the exchange of user identity information between identity domains and IT systems. This integration acts as a webhook that connects your Identity Provider (IdP) directly to your organization’s group management settings, to automatically removes deactivated users from your Google TI group, ensuring that former employees or unauthorized users lose access to sensitive threat intelligence.

📢 Google TI Mondays. Quick reminder to Follow the Google TI Mondays series across our social platforms every week for quick, actionable practitioner tips and product adoption advice designed to enhance your efficiency. These actionable tips are essential. #GoogleTIMondays

• Optimizing SecOps SOAR with Google TI

💪 Detection Highlights. The Google Threat Intelligence Group and FLARE team consistently update Google TI's YARA rules and malware configuration extractors. Over the past week, we've released YARA rules covering 2 newly tracked malware families, and expanded our detection capabilities by updating existing YARA rules and configuration extractors for 41 malware families. This update prioritizes malware families actively observed in Mandiant incident response engagements, SecOps customer environments, and top Google TI search trends.

Some recent examples of updates to our detections include: DAVESHELL, ASYNCRAT, and SYSTEMBC. These updates ensure you have the latest indicators that were extracted by our configuration extraction systems.

See latest malware family profiles added to the knowledge base and the complete list of curated YARA rules in our database.

🆕 Advanced Search Support for Dark Web Entities. The Dark Web module within Google Threat Intelligence provides deep visibility into encrypted and unindexed layers of the web, including underground forums, messaging channels (like Telegram), paste sites, and onion-hosted marketplaces. It normalizes illicit data into actionable intelligence, allowing security teams to monitor environments where cybercriminals trade credentials, leak data, and plan attacks.
The Intelligence Search capability, previously exclusive to IoCs and threat intelligence objects (like malware families and campaigns), have been expanded to include Dark Web entities or communications.
Users can now execute complex queries using the entity:ddw operator to scope searches specifically to the Deep and Dark Web communications. We have introduced a comprehensive library of search modifiers to filter by different attributes such as:

• Author & Identity: Filter by author name or even its avatar MD5 hash.
• Channel & Source: Search by communication channel names, descriptions, or invite URLs.
• Content & Type: Narrow results by specific communication types (Forum Posts, Messages, Pastes, and Web Content) or search directly within their body.

Explore the full list of Dark Web search modifiers and documentation here.

💪 Dark Web Data now available within Agentic. Agentic is an AI-powered analysis interface built to automate complex investigative workflows. By leveraging specialized agents with direct access to Google Threat Intelligence datasets and analysis engines, users can rapidly summarize threats and pivot through malicious infrastructure.

By integrating the Dark Web dataset into Agentic, now users are allowed to query Google Threat Intelligence’s vast archives of deep and dark web content, including forum posts, messaging services like Telegram, paste sites, and illicit marketplaces, using natural language.

💪 Ransomware DLS Activity now integrated into Agentic. Now that we have integrated the Ransomware Data Leaks dashboard and Agentic tool, users can query live extortion trends, victimology data, and ransomware group activities through natural language prompts instead of manual dashboard filtering.

💪 Strategic Country & Industry Profiles now integrated within Agentic. We have integrated Agentic with Countries and Industry Profiles. This update allows users to perform high-level strategic queries using natural language to extract immediate insights from specific geographic or sectoral lenses. Instead of manually pivoting through different modules, you can now ask Agentic to synthesize broad landscape overviews directly.

📢 Google TI Mondays. Quick reminder to Follow the Google TI Mondays series across our social platforms every week for quick, actionable practitioner tips and product adoption advice designed to enhance your efficiency. These actionable tips are essential. #GoogleTIMondays

• Country & Industry Profiles

💪 Detection Highlights. The Google Threat Intelligence Group and FLARE team continuously enhance Google TI's detection capabilities through new YARA rules and updated malware configuration extractors. This week, we've released YARA rules covering 15 newly tracked malware families and updated detection content for 53 existing families, including one with an updated configuration extractor. Our prioritization focuses on malware families actively observed in Mandiant incident response engagements, Google SecOps customer environments, and top GTI search trends.

As we track new malware families found through our research, we build and release detection signatures. Some recent examples include:

• POTATOWALL: a backdoor written in Rust that uses Telegram for command and control. POTATOWALL leverages the Rust libraries Tokio for asynchronous runtime and Teloxide for Telegram functionality. POTATOWALL contains a hard-coded Telegram bot token, which it uses to periodically poll for new command messages. POTATOWALL supports commands to change its working directory, execute a command using Windows cmd.exe, and execute a command using PowerShell. See its curated YARA detection rules.
• BINDCOUPE: a lightweight backdoor written in C++ that communicates to hard-coded command-and-control (C2 or C&C) servers using raw TCP sockets. It is capable of collecting basic system information, downloading files, taking screenshots, and executing arbitrary shell commands. See its curated YARA detection rules.
• DARKFLIP: a backdoor written in C++. DARKFLIP parses an external configuration file for its C2. DARKFLIP supports several commands including: update sleep value, re-register victim with C2, run Windows shell command, run PowerShell command, download file to victim, and delete file. DARKFLIP leverages AES-GCM to decrypt its configuration and for C2 communications. See its curated YARA detection rules.
• DRIVECLEAN: a disruptive payload written in C that is executed as a Windows Native Application masquerading as a system updater. DRIVECLEAN is responsible for enumerating all mapped drives (A-Z) and overwriting the content of files in those drives with NULL bytes. See its curated YARA detection rules.

In addition to providing detection rules for new and emerging threats, we continue to update our detection systems for threats we commonly see. This week, we updated SOGU, ICEFOG, and BRICKSTORM.

These updates ensure you have the latest indicators and enhanced detection capabilities, with configuration extraction systems updated where applicable.

See latest malware family profiles added to the knowledge base and the complete list of curated YARA rules in our database.

📢 Vulnerability Intelligence for Standard Licenses. The Vulnerability Intelligence module is a specialized component of Google Threat Intelligence designed to move security teams beyond static CVSS scores. It provides a centralized hub to search, filter, and prioritize vulnerabilities (CVEs) enriched with internally calculated risk ratings and real-world visibility into exploitation in the wild. Previously exclusive to Enterprise and Enterprise Plus tiers, the Vulnerability Intelligence module is now available to Standard licensed customers as well. This update empowers a broader range of security teams to implement smarter, threat-driven patching programs.

📢 Google TI Mondays. Quick reminder to Follow the Google TI Mondays series across our social platforms every week for quick, actionable practitioner tips and product adoption advice designed to enhance your efficiency. These actionable tips are essential. #GoogleTIMondays

• Hunting for LOLBins Part 2

💪 Detection Highlights. The Google Threat Intelligence Group and FLARE team are dedicated to enhancing Google TI's detection capabilities through continuous updates to YARA rules and malware configuration extractors. This week, we've released YARA rules covering 7 newly tracked malware families, and expanded our detection capabilities for 35 existing families, which includes updates to YARA rules and configuration extractors. Our prioritization focuses on threats actively observed in Mandiant incident response engagements, Google SecOps customer environments, and prominent Google TI search trends.

As we track new malware families found through our research, we build and release detection signatures. Some recent examples include:

• ROTORWIPE: a disruptive payload written in C++ which makes use of the Mersenne Twister algorithm to compute a random buffer which is used to overwrite data on the victim's device. ROTORWIPE identifies and enumerates the device's logical drives; it then enumerates files and folders on the given drive and begins overwriting the data while aiming to ignore files in specific root directories. After parsing all child directories, each file is then overwritten with random data from the Mersenne Twister algorithm in 16-byte chunks. After overwriting the files, ROTORWIPE sleeps for 5 seconds before enumerating the drives and attempting to delete each file. After the file deletion activity is complete, the malware exits. See its curated YARA detection rules.
• MISTBRICK: a post-exploitation agent written in Java, designed to target Ivanti MobileIron appliances. It employs a multi-stage loader that reassembles an encoded JAR file on disk before utilizing the Java Attach API to inject malicious bytecode into a running Tomcat process. The malware uses the Javassist library to patch the com.mi.filter.CacheFilter class in memory, creating a passive backdoor that intercepts HTTP requests containing a specific hard-coded UUID header. Communication is secured using AES-256-CBC encryption with a hard-coded key and IV. MISTRBRICK supports a custom binary protocol, allowing for the fileless loading and execution of arbitrary Java classes directly from memory. The malware operates as a memory-resident implant and does not establish persistence beyond the runtime of the hijacked service. See its curated YARA detection rules.
• CRYSOME: a Delphi-based Remote Access Trojan (RAT) and Loader. It utilizes a custom UDP-based command-and-control (C2) protocol for system espionage and remote execution. The malware features a modular architecture, enabling the deployment of additional functional plugins to minimize the initial static footprint of the loader. See its curated YARA detection rule.

In addition to providing detection rules for new and emerging threats, we continuously enhance our detection systems for known threats, including updates to YARA rules and configuration extractors. This week, we've updated YARA rules for 34 families and improved configuration extraction for the SENDSTATE family. These updates ensure you have the latest indicators and enhanced visibility into evolving threats. Some examples of families with recent YARA rule updates include: SHADOWLADDER, SOGU, and WARPWIRE.

See latest malware family profiles added to the knowledge base and the complete list of curated YARA rules in our database.

🆕 New Countries and Industries Profiles. Complementary to Threat Profiles, our newest Countries and Industries Profiles provide quarterly, AI-synthesized intelligence tailored to specific geographic or sectoral threats. By consolidating expert-curated data and OSINT into intuitive visual analytics, these profiles eliminate manual data triaging, allowing you to command a clear view of your specific threat landscape.

🆕 New Hacktivist DDoS Activity Dashboard. The Hacktivist DDoS Activity dashboard is a specialized monitoring interface within Google Threat Intelligence that tracks distributed denial-of-service threats claimed by a curated list of hacktivist groups. It integrates telemetry from actor-controlled botnet command-and-control (C2) infrastructure and data harvested from hacktivist Telegram channels. This specialized interface empowers analysts to monitor Channel Activity Trends and identify the Geographic and Industrial distribution of victims at a glance. By surfacing these targeted statistics, the dashboard enables organizations to move from general awareness to a tailored, industry-specific defensive posture.

🔄 Livehunt Rule Now Tagged on Network Indicator Reports. Livehunt is the real-time detection engine within Google Threat Intelligence, designed to monitor the continuous stream of incoming IoCs. While built on YARA, traditionally used to classify files based on binary patterns, our platform significantly expands this technology. Livehunt has evolved beyond files to support network indicators, enabling YARA rules to match against URL, domain, and IP address patterns within their generated analysis reports as they are scanned and ingested.

Active Livehunt rules that trigger on network indicators are now explicitly identified within their analysis reports. Rule names are tagged directly below the indicator and listed under a dedicated section of the DETECTION tab, providing immediate context. This update allows you to instantly see which specific hunt or threat actor campaign flagged an indicator during its analysis.

🔄 Enhanced Time-Range Precision for Time Search Modifiers. The Intelligence Search tool within Google TI allows security researchers to hunt for IoCs (files, URLs, domains, IP addresses) across a massive historical dataset using advanced modifiers like fs, ls, la (first submission, last submission, last analysis).

Previously, using the fs:YYYY-MM-DD modifier would only return IoCs submitted at exactly 00:00:00 on that date. With this update, entering a date such as fs:2025-02-19 now returns all IoCs submitted during the entire day.

Additionally, to provide better clarity, the Google TI user interface will automatically expand your query to the range format fs:2025-02-19+ fs:2025-02-20-. This visual change confirms that the search covers the full window from the start of the selected day to the start of the next.

Try it: entity:file gti_score:100 fs:2025-02-19!

📢 Google TI Mondays. Quick reminder to Follow the Google TI Mondays series across our social platforms every week for quick, actionable practitioner tips and product adoption advice designed to enhance your efficiency. These actionable tips are essential. #GoogleTIMondays

• Hunting for LOLBins using Advanced Searches

💪 Detection Highlights. This weekly update from the Google Threat Intelligence Group and FLARE team includes new and enhanced detection content for Google Threat Intelligence. We've released YARA rules covering 17 newly tracked malware families and updated YARA rules for 35 existing families. Additionally, we've enhanced our configuration extraction capabilities for 2 known malware families. Our prioritization for these updates is driven by malware actively observed in Mandiant incident response engagements, Google SecOps customer environments, and top Google TI search trends.

As part of our ongoing research into emerging threats, we've developed and released new YARA detection signatures for several malware families. Notable additions include:

• SANTASTEAL: SANTASTEAL is a C-based malware-as-a-service (MaaS) designed for stealth, operating entirely in memory to bypass traditional detection. Functioning as a rebranding of the Blueline Stealer project, it harvests sensitive data from browsers, crypto wallets, and messaging platforms like Discord and Telegram. See its curated YARA detection rules.
• SIDEFOX: SIDEFOX is a specialized infostealer that harvests passwords, credit cards, and session tokens. By injecting code into browsers and targeting apps like Discord, Steam, and Telegram, it allows attackers to bypass user protections and hijack accounts almost instantly. See its curated YARA detection rules.
• ROTORWIPE: ROTORWIPE is a disruptive payload written in C++ which makes use of the Mersenne Twister algorithm to compute a random buffer which is used to overwrite data on the victim's device. ROTORWIPE identifies and enumerates the device's logical drives; it then enumerates files and folders on the given drive and begins overwriting the data while aiming to ignore files in specific root directories. After parsing all child directories, each file is then overwritten with random data from the Mersenne Twister algorithm in 16-byte chunks. After overwriting the files, ROTORWIPE sleeps for 5 seconds before enumerating the drives and attempting to delete each file. After the file deletion activity is complete, the malware exits. See its curated YARA detection rule.

Beyond tracking new threats, we continuously enhance our detection capabilities for established malware families. This week, we've focused on improving our configuration extraction systems for threats such as: MIRAI and UPATRE. These updates ensure you have the latest indicators that were extracted by our configuration extraction systems.

See latest malware family profiles added to the knowledge base and the complete list of curated YARA rules in our database.

🆕 Enhanced Private Scanning: Clipboard Keystroke Injection. Private Scanning provides a dedicated, isolated environment for analyzing files and URLs. This ensures that Indicators of Compromise (IoCs) and their reports remain strictly confidential and are never shared with the public community.

Beyond advanced configuration settings, users can interact with the sandbox in real-time during file detonation. This interactive experience now includes a virtual clipboard: simply open the options menu on the left of the interface and select the "Clipboard" option to paste content directly into the sandbox.

💪 Seamless File Integration for Agentic Context. Agentic is an AI-powered analysis interface built to automate complex investigative workflows. By leveraging specialized agents with direct access to Google Threat Intelligence datasets and analysis engines, users can rapidly summarize threats and pivot through malicious infrastructure.

We have streamlined how you upload context files to Agentic as an expansion of your prompt such as a list of IoCs to summarize threats and explain complex logic, or a code snippet to explain its purpose. You can now instantly upload files to your session using 2 new intuitive methods:

• Drag-and-Drop (New): simply drag files from your local system directly into the Agentic conversation box.
• Copy and Paste (New): Use standard keyboard shortcuts (copy/paste) to paste files instantly to the chat.
• Manual Upload: you can still click the + button below the Agentic conversation box followed by the Upload file as context option to select files from your device.

🔄 Agentic Updates: New Report Tag for Prompt Templates. Agentic Prompts are reusable query templates within the Agentic conversational AI platform. They allow security analysts to create standardized, structured instructions for the AI agents to automate and accelerate recurring threat investigation, malware analysis, and reporting workflows in Google TI.

We have introduced a Reports tag as a new prompt template category. This tag is automatically applied to templates crafted by the Google TI team that are specifically designed to generate structured outputs such as emerging threat profiles, cybersecurity news summaries, and in-depth analysis. Users can now filter by this tag within the Prompts view to instantly locate report-specific templates, streamlining the transition from raw intelligence to finished documentation.

🔄 Bulk User Management for Group Administrators. The Group Management suite within the Google Threat Intelligence platform allows administrators to oversee their organization’s users, service accounts, features allowance and consumption and all group settings. It provides a centralized interface (and API) to control who has access to the platform and what specific modules they can interact with.

Group administrators can now perform administrative tasks in bulk, significantly reducing the manual effort required to manage large-scale environments. Specifically:

• Bulk Onboarding: administrators can add multiple users to a group simultaneously by providing a comma-separated list of email addresses. New users receive an automated invitation, while existing users are added immediately.
• Bulk Privilege Management: group roles (Admin vs. User) and module-specific permissions (for DTM, ASM and Private Scanning) can now be managed collectively.

📢 Google TI Mondays. Quick reminder to Follow the Google TI Mondays series across our social platforms every week for quick, actionable practitioner tips and product adoption advice designed to enhance your efficiency. These actionable tips are essential. #GoogleTIMondays

• Operationalizing Agentic AI

💪 Detection Highlights. The Google Threat Intelligence Group and FLARE team consistently update Google TI's YARA rules and malware configuration extractors. This week, we've released YARA rules covering 11 newly tracked malware families. We've also enhanced our detection capabilities for 3 known malware families by expanding our configuration extraction platform, and updated YARA rules for many existing families. This update prioritizes malware families actively observed in Mandiant incident response engagements, SecOps customer environments, and top GTI search trends.

As we track new malware families found through our research, we build and release detection signatures. Some recent examples include:

• SIDEFOX: a specialized infostealer that harvests passwords, credit cards, and session tokens. By injecting code into browsers and targeting apps like Discord, Steam, and Telegram, it allows attackers to bypass user protections and hijack accounts almost instantly. See its curated YARA detection rules.
• ROTORWIPE: a disruptive payload written in C++ which makes use of the Mersenne Twister algorithm to compute a random buffer which is used to overwrite data on the victim's device. ROTORWIPE identifies and enumerates the device's logical drives; it then enumerates files and folders on the given drive and begins overwriting the data while aiming to ignore files in specific root directories. After parsing all child directories, each file is then overwritten with random data from the Mersenne Twister algorithm in 16-byte chunks. After overwriting the files, ROTORWIPE sleeps for 5 seconds before enumerating the drives and attempting to delete each file. After the file deletion activity is complete, the malware exits. See its curated YARA detection rule.
• CHROMEDREAM: a credential-stealing malware written in Rust. Its primary function is to locate the victim's Chrome browser's saved username and password credentials, extract them from the Login Data and Local State files, decrypt the passwords, and then display the recovered information in the console window. See its curated YARA detection rule.

In addition to providing detection rules for new and emerging threats, we continue to update our detection systems for threats like SYSTEMBC, DANABOT, and EMOTET. These updates ensure you have the latest indicators that were extracted by our configuration extraction systems.

See latest malware family profiles added to the knowledge base and the complete list of curated YARA rules in our database.

💪 Code Insight now supports OpenClaw skill packages. As a Gemini-powered assistant for malware analysts and reverse engineers, Code Insight uses AI to strip away obfuscation and generate clear, natural language summaries of a file’s true intent. With OpenClaw skills rapidly emerging and abused by malicious actors as a supply-chain threat delivery channel, we’ve extended our analysis to OpenClaw skill packages looking past a package’s "claimed" purpose. Instead, Code Insight evaluates what the skill actually does from a security perspective. This provides analysts with a concise, security-first description of real behavior, making it easy to identify malicious patterns hidden behind seemingly helpful functionality.

As described in the blog posts below, this initiative has analyzed more than 3,016 OpenClaw skill packages, unmasking a variety of malicious behaviors: sensitive data exfiltration, remote control via backdoors, direct malware installation and techniques for persistence and propagation.

1. From Automation to Infection: How OpenClaw AI Agent Skills Are Being Weaponized
2. From Automation to Infection (Part II): Reverse Shells, Semantic Worms, and Cognitive Rootkits in OpenClaw Skills

Search for samples with the following advanced query: entity:file has:codeinsight codeinsight:"Type: OpenClaw Skill" codeinsight_verdict:malicious

💡 Remember! Private Scanning + Livehunt Rules. Private Scanning is a dedicated service that allows organizations to analyze files and URLs in total isolation. This ensures that IoCs and resulting reports remain strictly confidential and are never shared with the public community.

• Remember that when scanning URLs and files with Private Scanning, your IoCs are checked against not only crowdsourced YARA, SIGMA, and IDS rules, but also your own active Livehunt YARA rules.