December 22nd, 2025 - New Integrations and Detection Highlights

🆕 New outbound 3rd-party integrations. Integrations are vital to operationalizing Google Threat Intelligence, converting raw security insights into immediate, effective defensive action. These crucial integrations help organizations eliminate siloed data and dramatically enhance their security ecosystem, boosting efficiency and accelerating Mean Time to Resolution (MTTR).

New integrations released:

💪 Detection Highlights. The Google Threat Intelligence Group and FLARE team regularly enhance Google TI's YARA rules to provide comprehensive malware detection. In this update, we've released YARA rules covering 6 newly tracked malware families and updated detections for 30 existing families. Our content development is prioritized based on malware actively observed in Mandiant incident response engagements, Google SecOps customer environments, and top GTI search trends.

As we track new malware families found through our research, we build and release detection signatures. Some recent examples include:

  • SANDGLASS: SANDGLASS is a backdoor written in Python capable of arbitrary command execution and various file operations.
  • GRIMROUTE.V2: GRIMROUTE.V2 is a cross-platform ransomware family written in Rust that targets Windows and Linux VMware ESXi environments. Operating as a command-line utility, GRIMROUTE.V2 requires specific runtime arguments to define its execution scope. It employs a high-performance, multi-threaded architecture to encrypt files using the ChaCha12-Poly1305 stream cipher. GRIMROUTE has dropped ransom notes identifying itself as AETHERION ransomware.
  • CRUDEEXCLUDE: CRUDEEXCLUDE is a utility written in Delphi that comes packaged with a basic GUI application that tries to masquerade as a chat application. Rather than download or drop a payload, CRUDEEXCLUDE instead creates the staging directories that have historically housed HEAVYGRAM and SHADEGENES and sets them as exclusions for Microsoft Defender. CRUDEEXCLUDE then beacons a message to a hard-coded Telegram chat ID using a hard-coded bot token. The message is formatted like the following: "PC Name:<pc_name> Excluded!". The response from Telegram is not used in any way, which may indicate that the purpose of CRUDEEXCLUDE is simply to masquerade as a chat application and set up the environment for HEAVYGRAM and/or SHADEGENES.
  • SLEEKSTROKE: SLEEKSTROKE is a passive backdoor written in C++ designed to operate on Citrix NetScaler devices. During startup the backdoor creates a PHP webshell component in a web-accessible location and uses it to receive commands via named pipes. Supported backdoor commands include system command execution, file listing, file removal, and directory creation. The backdoor is capable of monitoring Apache HTTP logs and removing entries that indicate access to the webshell component.
  • SURFCAKE: SURFCAKE is a downloader written in JavaScript that communicates over HTTPS or HTTP. SURFCAKE is capable of process termination, user enumeration, registry modification, self-update, and installation.
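As an added illustration of how the CRUDEEXCLUDE behaviour described above translates into a file-based detection, the following hunting rule is an example written for this post, not one of Google TI's curated YARA rules. It assumes the beacon text and the Telegram Bot API path appear as plaintext in the sample; the rule name and the size bound are arbitrary choices.

```yara
// Illustrative hunting rule for the CRUDEEXCLUDE Telegram beacon.
// Assumption: the beacon string and the api.telegram.org/bot path are
// stored as plaintext (ASCII or UTF-16) in the PE file. A hit is a
// triage lead for analyst review, not a confirmed verdict.
rule hypothetical_CRUDEEXCLUDE_telegram_beacon
{
    meta:
        description = "Utility that adds Defender exclusions and beacons 'PC Name:<pc_name> Excluded!' to a Telegram bot (illustrative example, not a GTI curated rule)"
        reference   = "GTI December 22nd, 2025 detection highlights"
    strings:
        $beacon_prefix = "PC Name:" ascii wide
        $beacon_suffix = "Excluded!" ascii wide
        $telegram_api  = "api.telegram.org/bot" ascii wide nocase
    condition:
        uint16(0) == 0x5A4D and   // PE (MZ) header
        filesize < 10MB and       // arbitrary bound to skip large installers
        all of them
}
```

Pair a match with host telemetry showing new Microsoft Defender exclusion paths, since the page notes the exclusions, not the beacon, are what stage HEAVYGRAM and SHADEGENES.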

In addition to providing detection rules for new and emerging threats, we continue to update our detection systems for threats like SNOWLIGHT, INVISIBLEFERRET, and BEAVERTAIL. These updates ensure you have the latest YARA-based detections for these persistent threats.

See the latest malware family profiles added to the knowledge base and the complete list of curated YARA rules in our database.