📢Google TI Mondays. Tune in every Monday as we share quick, actionable practitioner tips and product adoption advice across our social platforms. These knowledge "pills" are designed to boost your efficiency, so follow us to make sure you never miss the latest insights!

📢Month of UNLIMITED UI Searches. Search is the core feature of VirusTotal / Google TI, providing access to our platform's massive IoC dataset and enabling users to execute advanced queries with specific modifiers to investigate malware campaigns, track threat actors, and analyze threat infrastructure. In November, all Google TI and VirusTotal customers will enjoy unlimited, uncapped searches when performing manual queries through the web interface (GUI). These searches will not consume any of the customer’s existing search quota.

💪Detection Highlights. The Google Threat Intelligence Group and FLARE team consistently update Google TI's YARA rules. Over this past week, we’ve released YARA rules covering 11 newly tracked malware families and updated YARA rules for 20 existing families. This update prioritizes malware families actively observed in Mandiant incident response engagements, SecOps customer environments, and top GTI search trends.

As we track new malware families found through our research, we build and release detection signatures. Some recent examples include:

  • FIREPLUG: a backdoor written in Go that is capable of command execution, file upload and download, traffic relaying using SOCKS5 and port forwarding. See its curated YARA detection rules.
  • WAVESHAPER: a backdoor written in C++ that supports downloading and executing arbitrary payloads from the C2. See its curated YARA detection rules.
  • LOSTSEA: a downloader that sets persistence by scheduling a task named IconCache. It collects and sends basic system information like user and hostname to the command and control (C2 or C&C) server. The response is expected to be an encoded next-stage payload. See its curated YARA detection rules.
  • CHROMEPUSH: a dataminer written in C/C++ that targets multiple browsers (Chrome, Brave, Arc, Edge) and steals sensitive data, including screen captures, browser cookies, and keylogger data. It is also capable of installing a malicious Chrome browser extension. See its curated YARA detection rule.
  • UDPSHELL: a Linux backdoor written in C. UDPSHELL communicates with its command and control server using the QUIC protocol. Its capabilities include shell command execution, file upload and download, and SOCKS5 proxying. See its curated YARA detection rule.

In addition to providing detection rules for new and emerging threats, we continue to update our detection systems for threats like DONUT, CHINACHOP, and POSHC2. These updates ensure you have the latest indicators.

See the latest malware family profiles added to the knowledge base and the complete list of curated YARA rules in our database.

🆕 Enhanced Clarity and Accessibility of Registration Data with RDAP Format. The Whois lookup information in IP address and domain analysis reports provides deep insight into the registration, ownership, and administrative contacts for both IoC types. It is a crucial component for threat intelligence and incident response, allowing analysts to pivot investigations based on infrastructure ownership. We have introduced support for the standardized Registration Data Access Protocol (RDAP) to enhance the information provided by Whois lookups. RDAP delivers registration data in a machine-readable, standardized format (JSON), leading to greater data consistency and easier automated processing. See example.

https://www.virustotal.com/gui/domain/sfzpublishing.net/details
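To illustrate the automated-processing point, here is an added Python example (not part of the original post and not GTI's own code) that flattens an RDAP domain response into the fields an analyst pivots on and derives a few registration facts from them. The JSON record is constructed to follow the RFC 9083 shape; the domain, registrar, contacts and dates are made up.

```python
import json
from datetime import datetime
from typing import Any, Dict, List, Optional

# Constructed RDAP record for a made-up domain. Field names follow RFC 9083;
# the domain, registrar, contacts and dates are illustrative, not GTI data.
SAMPLE_RDAP = json.dumps({
    "ldhName": "EXAMPLE-LURE.TEST",
    "status": ["client transfer prohibited", "server hold"],
    "events": [
        {"eventAction": "registration", "eventDate": "2024-11-02T09:14:33Z"},
        {"eventAction": "expiration", "eventDate": "2025-11-02T09:14:33Z"},
        {"eventAction": "last changed", "eventDate": "2025-01-15T18:02:10Z"},
    ],
    "nameservers": [
        {"ldhName": "NS2.PARKING-HOST.TEST"},
        {"ldhName": "ns1.parking-host.test"},
    ],
    "entities": [
        {
            "roles": ["registrar"],
            "publicIds": [{"type": "IANA Registrar ID", "identifier": "9999"}],
            "vcardArray": ["vcard", [["fn", {}, "text", "Example Registrar LLC"]]],
        },
        {
            "roles": ["registrant"],
            "vcardArray": ["vcard", [
                ["fn", {}, "text", "REDACTED FOR PRIVACY"],
                ["email", {}, "text", "abuse@privacy-proxy.test"],
            ]],
        },
    ],
})


def _vcard_value(entity: Dict[str, Any], prop: str) -> Optional[str]:
    """First value of a jCard property; each entry is [name, params, type, value]."""
    for field in entity.get("vcardArray", ["vcard", []])[1]:
        if field[0].lower() == prop:
            return field[3]
    return None


def _entity_with_role(record: Dict[str, Any], role: str) -> Dict[str, Any]:
    """Entity carrying the given RDAP role (registrar, registrant, abuse, ...)."""
    for entity in record.get("entities", []):
        if role in entity.get("roles", []):
            return entity
    return {}


def _event_date(record: Dict[str, Any], action: str) -> Optional[str]:
    for event in record.get("events", []):
        if event.get("eventAction") == action:
            return event.get("eventDate")
    return None


def normalize_rdap(raw: str) -> Dict[str, Any]:
    """Flatten the nested RDAP structure into a stable dict for enrichment pipelines."""
    record = json.loads(raw)
    registrar = _entity_with_role(record, "registrar")
    registrant = _entity_with_role(record, "registrant")
    iana_id = next((p["identifier"] for p in registrar.get("publicIds", [])
                    if p.get("type") == "IANA Registrar ID"), None)
    return {
        "domain": record.get("ldhName", "").lower(),
        "registrar": _vcard_value(registrar, "fn"),
        "registrar_iana_id": iana_id,
        "registrant": _vcard_value(registrant, "fn"),
        "registrant_email": _vcard_value(registrant, "email"),
        "created": _event_date(record, "registration"),
        "expires": _event_date(record, "expiration"),
        "updated": _event_date(record, "last changed"),
        # Lower-case and sort so two lookups of the same domain compare equal.
        "nameservers": sorted(ns["ldhName"].lower() for ns in record.get("nameservers", [])),
        "status": [s.lower() for s in record.get("status", [])],
    }


def _parse_ts(ts: str) -> datetime:
    # datetime.fromisoformat() only accepts a trailing "Z" from Python 3.11 on.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def domain_age_days(normalized: Dict[str, Any], as_of_iso: str) -> Optional[int]:
    """Whole days between registration and a reference timestamp (None if unknown)."""
    if not normalized.get("created"):
        return None
    return (_parse_ts(as_of_iso) - _parse_ts(normalized["created"])).days


def triage_notes(normalized: Dict[str, Any], as_of_iso: str) -> List[str]:
    """Registration facts an analyst typically weighs when pivoting on infrastructure."""
    notes: List[str] = []
    age = domain_age_days(normalized, as_of_iso)
    if age is not None and age < 30:
        notes.append(f"domain registered {age} days before the reference date")
    if "server hold" in normalized["status"]:
        notes.append("registry has placed the domain on server hold")
    if (normalized.get("registrant") or "").upper().startswith("REDACTED"):
        notes.append("registrant identity redacted by privacy service")
    return notes
```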

🆕 URL Private Scan check for Public Report availability. The Private Scanning feature allows users to analyze URLs in a dedicated, private environment. This is essential for inspecting sensitive URLs and performing in-depth analysis, such as interactive sandbox detonation, without contributing the results to the public corpus. The platform now provides an immediate notification when a public report for a requested URL is already available, right before initiating a private scan. This allows users to decide whether they still require a private scan for specific reasons (e.g., interacting with the sandbox during URL detonation or configuring a particular browser agent), or whether the public report is sufficient, thereby preserving their Private Scanning quota.

💪 Enhanced GTI Scoring with Human-Verified Intelligence to reduce False Positives/False Negatives. The GTI Score is a proprietary, unified risk assessment metric that objectively quantifies an indicator's (file, URL, domain, IP) maliciousness for fast decision-making and alert prioritization. The model has been significantly improved by incorporating manual analysis insights from the ATI (Advanced Threat Intelligence) team, which systematically corrects edge cases, thus reducing False Positives (FP) and False Negatives (FN) for a more accurate score.

🆕 Agentic now uses existing detections and generates new YARA-L rules. Agentic, our conversational AI platform powered by Google Threat Intelligence (TI), now features enhanced YARA-L rule generation capability. This improvement is driven by Agentic's streamlined access to our comprehensive library of existing detection rules, enabling the creation of more sophisticated and precise new rules for countering complex threats and ensuring reliable resources for rapid threat response. After you prompt the agent to create a new YARA-L rule (to track a specific threat or malware family), the interface gives you the power to act right away to:

  • Copy the rule content.
  • Download the rule file locally.

Leverage our entire dataset to massively boost your detection power, then integrate the results into Google SecOps in minutes.

💪 Detection Highlights. The Google Threat Intelligence Group and FLARE team consistently update Google TI's YARA rules and malware configuration extractors. Over this period, we've released YARA rules covering 8 newly tracked malware families, and provided updates to YARA rules for 20 existing families and configuration extractors for 2 existing families. This update prioritizes malware families actively observed in Mandiant incident response engagements, SecOps customer environments, and top GTI search trends.

As we track new malware families found through our research, we build and release detection signatures. Some recent examples include:

  • BADTILE: a .NET based file utility that connects to a remote server via HTTP-Dmtp. It can accept tasking to transfer a file, send a Dmtp handshake to ping a specified client, and perform a system survey. BADTILE also has the ability to use TCP-Dmtp. See its curated YARA detection rule.
  • SYSTEMBC.PERL: a tunneler written in Perl that retrieves proxy-related commands from a command-and-control (C2 or C&C) server using a custom binary protocol over TCP. A C2 server directs SYSTEMBC.PERL to act as a proxy between the C2 server and a remote system. See its curated YARA detection rule.
  • FARCRY: an XMPP chat backdoor that communicates over the GoogleTalk service. It is capable of encrypted file transfers and remote command execution. See its curated YARA detection rules.
  • DAYSHROUD: a backdoor written in C++ and built using Neutralinojs. It functions as a wrapper for JavaScript code, as well as other resources, contained within the other file extracted by Calendaromatic.exe. The backdoor disguises itself as a desktop calendar application called Calendaromatic, but uses steganography to covertly download and execute additional JavaScript code hidden in holiday data. See its curated YARA detection rules.
  • OILPEN: a backdoor. It creates itself as a service to establish persistence. Its capabilities include reading and writing files, uninstalling itself, and updating its configuration file. See its curated YARA detection rule.

In addition to providing detection rules for new and emerging threats, we continue to update our detection systems for threats like CHUNKPILE, SQUIDGATE, and SQUIDSLEEP. These updates ensure you have the latest indicators for these evolving threats, leveraging both YARA rules and configuration extraction systems.

See the latest malware family profiles added to the knowledge base and the complete list of curated YARA rules in our database.

🆕 CAPE sandbox executable payload extraction and feedback loop. Google Threat Intelligence detonates files in multiple home-grown and 3P sandboxes. Our CAPE-derived sandboxes classify samples through automated dynamic malware unpacking and subsequent YARA-based classification of the captured, unpacked payloads. We now automatically extract and submit these unpacked payloads to the platform for separate detonation. This process creates explicit relationships between the parent file and the extracted payloads, and tags the payloads with the payload tag for easy identification.

A new tag search modifier, tag:payload, is now available to help you efficiently manage and search for unpacked payloads.

The web interface also displays these relationships:

  • When viewing a packed file (parent) analysis report, you will find the unpacked payloads listed under the RELATIONS tab -> Payload Files.
  • When viewing an unpacked payload analysis report, you will find its packed parent under the RELATIONS tab -> Payload Parents.

This representation of new relationships is replicated in the API: use the payload_parents relationship to get parent files and payloads_extracted to get unpacked files. See example.
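As an added example that is not part of the original post or GTI's own code, the following Python walks the payloads_extracted and payload_parents relationships from a packed parent. It assumes the v3 relationship endpoint shape GET /files/{id}/{relationship} with the x-apikey header and limit/cursor pagination, and runs offline against constructed responses whose ids are placeholders, not real sample hashes.

```python
import json
import urllib.parse
import urllib.request
from collections import deque
from typing import Callable, Dict, List, Optional

VT_API = "https://www.virustotal.com/api/v3"
# A getter maps a relative v3 path (query string included) to the parsed JSON body,
# so the walk below can run against the live API or against constructed responses.
Getter = Callable[[str], dict]


def make_http_getter(api_key: str) -> Getter:
    """Live transport: GET a v3 path with the x-apikey header (not used offline)."""
    def get(path: str) -> dict:
        req = urllib.request.Request(VT_API + path, headers={"x-apikey": api_key})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return get


def related_ids(get: Getter, file_id: str, relationship: str) -> List[str]:
    """All object ids in a file relationship, following meta.cursor pagination."""
    ids: List[str] = []
    cursor: Optional[str] = None
    while True:
        path = f"/files/{file_id}/{relationship}?limit=40"
        if cursor:
            path += "&cursor=" + urllib.parse.quote(cursor)
        body = get(path)
        ids.extend(obj["id"] for obj in body.get("data", []))
        cursor = body.get("meta", {}).get("cursor")
        if not cursor:
            return ids


def unpack_tree(get: Getter, root_id: str) -> Dict[str, List[str]]:
    """Breadth-first walk of payloads_extracted from a packed parent.

    Returns {file_id: [child_ids]} for every file reached; the visited check
    keeps a cyclic relationship graph from looping forever."""
    tree: Dict[str, List[str]] = {}
    queue = deque([root_id])
    while queue:
        current = queue.popleft()
        if current in tree:
            continue
        tree[current] = related_ids(get, current, "payloads_extracted")
        queue.extend(child for child in tree[current] if child not in tree)
    return tree


def top_level_parents(get: Getter, file_id: str) -> List[str]:
    """Climb payload_parents from an unpacked payload to the outermost packed files."""
    roots: List[str] = []
    seen = set()
    stack = [file_id]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        parents = related_ids(get, current, "payload_parents")
        if parents:
            stack.extend(parents)
        elif current != file_id:
            roots.append(current)
    return sorted(roots)


# --- constructed offline data: placeholder ids, not real sample hashes ----------
def _obj(file_id: str, *tags: str) -> dict:
    return {"type": "file", "id": file_id, "attributes": {"tags": list(tags)}}

PARENT, A, B, C = ("PACKED_PARENT_SHA256", "PAYLOAD_A_SHA256",
                   "PAYLOAD_B_SHA256", "PAYLOAD_C_SHA256")
# Keyed by (path, cursor). The parent's payloads deliberately spill onto a
# second page so the pagination path in related_ids() is exercised.
CONSTRUCTED = {
    (f"/files/{PARENT}/payloads_extracted", None): {"data": [_obj(A, "payload")], "meta": {"cursor": "page2"}},
    (f"/files/{PARENT}/payloads_extracted", "page2"): {"data": [_obj(B, "payload")]},
    (f"/files/{A}/payloads_extracted", None): {"data": []},
    (f"/files/{B}/payloads_extracted", None): {"data": [_obj(C, "payload")]},
    (f"/files/{C}/payloads_extracted", None): {"data": []},
    (f"/files/{PARENT}/payload_parents", None): {"data": []},
    (f"/files/{A}/payload_parents", None): {"data": [_obj(PARENT, "peexe")]},
    (f"/files/{B}/payload_parents", None): {"data": [_obj(PARENT, "peexe")]},
    (f"/files/{C}/payload_parents", None): {"data": [_obj(B, "payload")]},
}


def constructed_get(path: str) -> dict:
    """Offline stand-in for make_http_getter(); serves the CONSTRUCTED table."""
    parts = urllib.parse.urlsplit(path)
    cursor = urllib.parse.parse_qs(parts.query).get("cursor", [None])[0]
    return CONSTRUCTED[(parts.path, cursor)]


if __name__ == "__main__":
    for parent, children in unpack_tree(constructed_get, PARENT).items():
        print(f"{parent} -> {children or 'no further payloads'}")
    print("outermost parents of", C, "=", top_level_parents(constructed_get, C))
```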

Stay tuned: soon we will use this process to better characterize and provide more explainability on the parent/packed files.

💪 Agentic now answers documentation related questions. Agentic, our conversational AI platform powered by Google TI, employs Retrieval Augmented Generation (RAG) instead of relying solely on static training data. This technique allows the agent to dynamically retrieve the most relevant and up-to-date threat intelligence from all our sources (VirusTotal, Mandiant finished intelligence, industry/community reports, Safe Browsing, GTI-G threat actor knowledge base, etc.). Agentic is constantly evolving. We've added our comprehensive documentation portal as a new data source for RAG. This ensures Agentic can now provide answers that are fully consistent with our latest product features and guidelines.

With this improvement you can now:

  • Ask Agentic about the product and available features:
    • “What are threat profiles? Why should I use them?”
  • Discover API functionality:
    • “How can I download feeds using Google Threat Intelligence API?”
    • “What threat lists are available for consumption?”
  • Ask Agentic to generate API scripts:
    • “Can you help me generate a Python script to consume Threat Lists?”
    • “Can you demonstrate how to fetch IoCs for a specific threat actor with a Python script?”

🆕 Submit Your Own OSINT Articles to be processed by Google TI. OSINT (community/industry) articles in Google TI are automatically ingested from a set of trusted sources. They act as a powerful source of Threat Intelligence, transforming vast amounts of public threat data into actionable, contextualized insights that security teams can use for proactive defense and strategic planning. Users can now use the Submit your OSINT button in the Reports & Analysis left navbar menu option to share the URL. Upon submission, the system automatically processes the article to:

  • Extract categorization fields (e.g., associated threat actor, malware families, targeted region, and industry) for reports where this information can be confidently identified.
  • Generate a summary of the content via Gemini.
  • Extract all mentioned IoCs (files, URLs, domains, IPs).
  • Generate relationships between the new report object and other Threat Intelligence objects.

Additionally, users can track the history and status of their submissions in the new MY OSINT tab.

🆕 New Code Insight code analysis endpoint for automation. We’ve launched a new Code Insight endpoint that significantly reduces reverse engineering workload by providing analysts with an AI assistant that instantly returns natural language descriptions of code functionality and supports analysis chaining to accelerate time-to-verdict. See example here and our dedicated post. This endpoint is used by our very own VirusTotal IDA Pro plugin, powering summaries and descriptions of functions.

Google TI Mondays. Tune in every Monday as we share quick, actionable practitioner tips and product adoption advice across our social platforms. These content "pills" are designed to boost your efficiency, so follow us to make sure you never miss the latest insights!

Threat Hunting with Google Threat Intelligence - Episode 5. Did you miss our latest webinar on how AI is transforming threat hunting? You can now watch the full recording at your convenience! Catch up on all the major announcements, including how AI is making investigations more effective in less time than ever before. In the webinar, we:

  • Unveiled the groundbreaking Agentic Platform (now in public preview).
  • Demoed the Ransomware Data Leaks dashboard for fresh insights into extortion trends.
  • Showcased Code Insight, our AI-powered tool that converts complex code into clear, natural-language explanations.

Watch the Webinar On Demand Now: English version, Spanish version

Detection Highlights. Google Threat Intelligence consistently updates our YARA rules and malware configuration extractors. Over the past week, we've released YARA rules covering multiple malware families, and expanded our configuration extraction platform to cover new malware families. This update prioritizes malware families actively observed in Mandiant incident response engagements, SecOps customer environments, and top Google TI search trends.

As we track new malware families found during Mandiant investigations, we build and release detection signatures. Some recent examples include:

  • DEEPBREATH: data miner written in Swift that targets macOS systems. It manipulates the Transparency, Consent, and Control (TCC) database to gain broad file system access, enabling it to steal credentials from the system keychain; browser data from Chrome, Brave, and Edge; and user data from two different versions of Telegram and Apple Notes. See its curated YARA detection rule.
  • New rules for SOGU.SEC, a variant of the SOGU backdoor. It can extract sensitive system information, upload and download files, and execute a remote command shell. See its curated YARA detection rules.
  • NOROBOT: downloader utility which retrieves the next stage from a hardcoded C2 address and prepares the system for the final payload. It has been observed undergoing regular development from May through September 2025. The earliest version of NOROBOT made use of cryptography in which the key was split across multiple components and needed to be recombined in a specific way in order to successfully decrypt the final payload. See its curated YARA detection rule.
  • BRICKSTEAL: credential stealer written in Java. It is deployed by a JSP dropper and masquerades as a legitimate VMware vCenter Single Sign-On (SSO) component, using the package name com.vmware.identity. See its curated YARA detection rules.
  • COLDCOPY: a ClickFix lure which masquerades as a custom CAPTCHA. COLDCOPY prompts the target to download and execute a DLL using rundll32, while trying to disguise itself as a CAPTCHA by including text to verify that the user is not a robot. See its curated YARA detection rule.
  • YESROBOT: Python backdoor which uses HTTPS to retrieve commands from a hardcoded C2. The commands are AES encrypted with a hardcoded key. System information and username are encoded in the User-Agent header of the request. See its curated YARA detection rules.
  • MAYBEROBOT: a toehold PowerShell backdoor. It uses a hardcoded C2 and a custom protocol that supports 3 commands: download and execute from a specified URL, execute the specified command using cmd.exe, and execute the specified PowerShell block. It is likely a more flexible replacement for YESROBOT. See its curated YARA detection rules.

See the latest malware family profiles added to the knowledge base.

New MITRE ATT&CK map view for file behavior analysis. The MITRE ATT&CK Tactics and Techniques section in the file behavior report has been upgraded from a list view to an interactive, visual map. This new interface displays the detected TTPs using a color-coded matrix, allowing you to instantly visualize the tactics used across the execution chain, just like a heat map in the MITRE Navigator. You can also use new filters by severity (info, low, medium, high) to focus on the most relevant or severe techniques. By simply clicking on the TTP card, you can then visualize the specific commands or activities (the Procedures) associated with that technique. See example.

New render rule fluid UI component in Agentic to easily interact with Livehunt and Retrohunt. Agentic, the conversational AI platform grounded in Google Threat Intelligence's comprehensive security dataset, has already seen improvements during its first week in public preview. It now includes detection rule retrieval and deployment. You can ask the agent to provide crowdsourced or curated detection rules (such as YARA rules) to track a specific threat or malware family. When a curated YARA rule is returned, the interface provides immediate actions, allowing you to:

  • Import the rule directly into your Retrohunt or Livehunt environment.
  • Copy the rule content.
  • Download the rule file locally.

New render MITRE Tree fluid UI component in Agentic. A new rendering tool was added to the Agentic platform to display TTP analysis in a visual MITRE ATT&CK map, similar to the visualization in the file behavior reports. When you ask Agentic to provide a TTPs matrix of a threat actor, the output is no longer a simple text list, but rather an interactive map where you can filter TTPs by severity (info, low, medium, high). This visualization also includes two key metrics not available in a file behavior tab, because here the metrics are computed across several files, specifically all the files associated with the threat actor, as in the image below:

  • Prevalence: Shows how globally common the technique is.
  • Matches: Indicates the number of files related to the threat actor whose behaviour analysis detected any of the procedures within each technique.

New OpenID Connect (OIDC) Single Sign-On (SSO) authentication support. Google TI offers a robust Single Sign-On (SSO) mechanism to secure and simplify user authentication through the organization’s identity provider (IdP) via the SAML protocol. We are now expanding this capability by adding an OpenID Connect (OIDC) authentication layer built on top of OAuth 2.0, increasing the flexibility and security of the authentication process.

Core use cases and best practices for Google Threat Intelligence. We have added a dedicated Use Cases and Other Resources section to the official Google TI documentation. This section provides detailed guidance on how to leverage the platform's tools and data for core security workflows, including:

  • Advanced Hunting: searching for suspicious activity using entity pivoting and investigative tools.
  • Incident Response: accelerating investigations with enriched indicators and threat actor context.
  • Phishing & Brand Monitoring: identifying domain abuse and impersonation campaigns.
  • Vulnerability Management: prioritizing vulnerabilities using real-world exploitation data.

New API endpoint for Org/Group consumption by user and feature. We created a new API endpoint designed for Org/Group administrators to gain detailed visibility into their organization's usage. This endpoint retrieves consumption metrics for a group's various features, broken down by individual user, covering both UI (Web Interface) and API usage, for a time range spanning the current month and the two previous months, providing essential historical context. Check out the endpoint documentation and examples at the bottom.

VirusTotal’s analysis with Hugging Face’s AI Hub. As AI adoption grows, we see familiar threats taking new forms, from tampered model files and unsafe dependencies to data poisoning and hidden backdoors. These risks are part of the broader AI supply chain challenge, where compromised models, scripts, or datasets can silently affect downstream applications. We are now scanning Hugging Face models and flagging unsafe ones; read more.

Latest learning materials published:

Google TI Mondays. We are publishing concise product knowledge pills on our social channels every Monday. These are practitioner tips and product adoption boosters; check out our latest content and don't forget to follow us:

Detection Highlights. The FLARE team and Google Threat Intelligence Group consistently update Google TI's YARA rules and malware configuration extractors. Over Q3, we've released YARA rules covering 345 newly tracked malware families, and expanded our configuration extraction platform to cover 15 new malware families. This update prioritizes malware families actively observed in Mandiant incident response engagements, Google SecOps customer environments, and top Google TI search trends.

As we track new malware families found during Mandiant investigations, we build and release detection signatures. Some recent examples include:

  • HAMMERDROP: This malware is used to drop Windows drivers to bypass endpoint security solutions and has been found in ransomware investigations.
  • SELFDRIVE: This Node.js malware has been observed being distributed with trojanized software installers; it downloads and executes additional JavaScript files.
  • TOOLSHELL: This webshell has been observed being installed onto on-premise servers that were exploited by an attacker.

In addition to providing detection rules for new and emerging threats, we continue to update our detection systems for threats like QUASARRAT, WARZONE, and SHADOWLADDER. These updates ensure you have the latest indicators that were extracted by our configuration extraction systems.

Google TI Score enhancements. We have significantly enhanced the Google Threat Intelligence (GTI) Score to improve your threat prioritization and triage efficiency. The updated score now incorporates new contextual factors like threat actor motivation and malware family roles for all IoC types (files, URLs, domains and IP addresses). Furthermore, network IoCs benefit from more granular threat categories based on crowdsourced insights, and URL severity is boosted by detailed data from Google Webrisk. This refinement, including more granular severity levels for suspicious indicators, ensures you can prioritize potential threats more efficiently.

Threat Profiles now generally available (GA). All Threat Profiles in the legacy experience have been migrated to the new look and feel, which includes automatic and holistic visibility of relevant threats, flexible curation to tune and incorporate your own threat intelligence artifacts, enhanced collaboration and sharing, and tactical actionability via out-of-the-box detections and tailored, recent IOC feeds. They now also provide quick access to an overview explanation of each threat and a scatter plot designed to help you prioritize threats by instantly showing a threat's global prevalence versus its specific relevance within the dimensions of a given threat profile. Learn more in this webinar.

Google TI Agentic public preview. Built on Large Language Models (LLMs) and grounded in Google Threat Intelligence's comprehensive security dataset, the Agentic Platform simplifies and democratizes threat intelligence. This conversational interface lets you interact directly with specialized AI agents to quickly analyze threats, accelerate security investigations, and receive immediate, precise answers. It was released as a public preview to Enterprise and Enterprise+ customers.

Code Insight now supports SWF and SVG file types. Code Insight is an advanced, Gemini AI-driven capability that serves as an automated assistant for malware analysts and reverse engineers. It uses artificial intelligence to generate natural language summaries that clearly describe a file's intent and overall functionality. We've extended it to support more file formats such as SWF and SVG.

Code Insight experimentation with executables. We continue experimentation with Windows Executables, Linux Executables and OS X Executables and are now ramping up the volume of files processed. Examples:

New Crowdsourced AI Contributor: Exodia Labs. The new Exodia Labs integration adds an independent AI analysis stream for Chrome extension (.CRX) files, complementing Code Insight by providing a clear security verdict and detailed reports that outline suspicious actions (like credential theft), with all results fully searchable via new platform operators. Results from Exodia Labs are fully searchable by using the exodialabs_ai_verdict:malicious | suspicious | benign or exodialabs_ai_analysis:<keywords> search modifiers, allowing users to pivot across and find large campaigns of malicious Chrome extensions. See example report. See example search.

Private collection sharing across organizations. Private collections allow users to create a "container" for artifacts such as indicators, which then inherit automated associations, analytics, telemetry and additional actions. We have extended the functionality so that customers may now share threat information like indicators across trusted circles, i.e. users that are not part of their current organization. Note that you will need to identify and add either the Google TI organization name or the username directly in order to share with others outside of your organization.

Multi-CVE search. Google TI's CVE cards offer crucial information on individual vulnerabilities such as severity, risk rating, exploitation state, and exploit availability. This data helps organizations prioritize patching and mitigation efforts by providing empirical risk scoring. The new multi-search functionality significantly improves workflow efficiency by allowing users to quickly gather and compare intelligence on several CVEs in parallel, streamlining the process of tracking widespread threats by allowing users to add multiple vulnerabilities to a threat profile for consolidated tracking. Similarly, multi-CVE search allows security analysts to prioritize a list of vulnerabilities that may have been identified by 3P tools based on in-the-wild exploitation and thus impact likelihood. See example.

New curated GTI-G/Mandiant authored hunting YARA rules. YARA Rules are a powerful, pattern-matching tool used by security professionals to identify and classify malware and suspicious files. We are now including a new set of Hunting YARA Rules within our published Google Threat Intelligence threat Reports, that are easily recognized by their naming convention, which always starts with "G_Hunting_". These rules are designed to help your team uncover activity potentially related to a specific attack technique or malware, providing initial detections that require further verification to confirm malicious intent. Think of them as an extra tool for deeper searching, helping you find more subtle signs of a threat in your environment and stay ahead of emerging risks. See example.

Enhanced dynamic analysis / sandbox capabilities. Files uploaded to Google Threat Intelligence are executed across multiple sandboxes to generate detailed behavioral insights in the analysis report's Behavior tab of the UI. On this front we have many announcements:

  • New file type supported. Added support for ELF shared objects with an entrypoint detonation.
  • Enhanced detonations. Improved analysis and reporting for the following filetypes:
    • VBA (Visual Basic for Applications)
    • SVG (Scalable Vector Graphics)
    • MSC (Microsoft Management Console Snap-ins)
    • MSHTA, HTA (Microsoft HTML Applications)
  • New OS versions deployed in the Zenbox sandbox. Windows 11 and Android 13.
  • We've expanded our file detonation capabilities by adding the Google Safe Browsing sandbox to our dynamic analysis systems. See example.
  • AI registry key summary. We've incorporated an AI-powered explanation to help users quickly understand the impact, intent and significance of the reported registry-related actions. See example.

New integrations and implementation/dev kits. Integrations are absolutely crucial for operationalizing Google Threat Intelligence and transforming raw insights into immediate defensive action. We are fully committed to breaking down these silos and significantly improving our integration ecosystem to drive efficiency and speed up your Mean Time to Resolution (MTTR).

Ransomware data leaks dashboard. According to a commissioned study conducted by Forrester Consulting on behalf of Google Cloud (The Threat Intelligence Benchmark), ransomware/multifaceted extortion continues to be one of the threats/attacks that cybersecurity leaders are most concerned about as they look out into the next 12 months. Google Threat Intelligence tracks and documents hundreds of ransomware malware families in its threat landscape module, provides ransomware-specific threat lists/feeds, alerts on ransomware activity against your organization via its Digital Threat Monitoring module, allows you to search through its malware corpus for ransomware variants to dissect, and much more. In addition to this functionality, the Google Threat Intelligence Group (GTIG, formerly Mandiant Intelligence) tracks numerous data leak sites (DLS) dedicated to releasing victim data following data theft extortion incidents, with or without ransomware deployment, in which victims refuse to pay a ransom demand. These websites are intended to pressure victims to pay the ransom demand or give threat actors additional leverage during ransom negotiations. We are now exposing this data to our users via the new Ransomware data leaks dashboard to provide insights into the extortion ecosystem.

Multi-tenancy in Google Threat Intelligence. We are pleased to announce the general availability of multi-tenancy for Google Threat Intelligence. This new architecture supports the creation of multiple distinct GTI sub-orgs, known as "tenants," under a single parent account, ensuring each tenant's data and configurations are securely segmented. Key features include:

  • Tenant Isolation: Each tenant is an isolated entity, ensuring that data and configurations are not shared or viewable by other tenants.
  • Centralized Management: Parent organizations can get an overview of their tenants, while each tenant maintains its own independent GTI environment.
  • Flexible Onboarding: Supports various onboarding scenarios, including adopting existing GTI customers as tenants or creating new "organic" tenants that share the parent's quota.

Note that multi-tenancy is not intended to overcome limitations with RBAC or ACLs; if you are facing limitations on those fronts, please file a feature request.

Sharepoint vulnerability checks in ASM. On-premises Microsoft SharePoint servers are currently facing widespread, active exploitation due to multiple vulnerabilities. Threat actors have been observed chaining CVE-2025-53770 with an authentication bypass vulnerability, CVE-2025-49706, in an exploit chain codenamed "ToolShell". This chain is used to deploy ASPX web shells using PowerShell. The primary post-exploitation objective is to steal the server's MachineKey, which enables adversaries to forge __VIEWSTATE payloads for persistent access and lateral movement. GTI reacted promptly by implementing the pertinent vulnerability checks in our Attack Surface Management module. This check goes far beyond a CPE match: it attempts to inject a harmless marker into a SharePoint component, and if the marker is found in the SharePoint server's response, the host is marked as potentially vulnerable.

New Integrations for Elastic, IBM QRadar, and Splunk. We have extended Google Threat Intelligence (GTI) capabilities with new, dedicated integrations across key security platforms. These updates allow security teams to seamlessly leverage GTI's comprehensive threat intelligence within their existing ecosystems, providing deeper context, powerful automation, and a more proactive security posture.

  • Elastic. A new integration is now available to facilitate the direct ingestion of GTI feeds. This allows you to continuously analyze your security telemetry against Google's high-fidelity Indicators of Compromise (IOCs) to enhance threat detection and analysis within your Elastic environment.
  • IBM QRadar. We have released two new extensions for IBM QRadar. QRadar SIEM enriches threat detection by correlating your internal security data with GTI's real-world intelligence. This provides deeper context for events and helps security analysts more accurately identify and prioritize critical threats. QRadar SOAR delivers powerful automation and orchestration for your incident response workflows. This integration allows you to ingest and sync back Attack Surface Management (ASM) issues and Digital Threat Monitoring (DTM) alerts, and to ingest IOC streams that enrich incidents with detailed context, including malware families, threat actor profiles, and sandbox analysis reports.
  • Splunk SOAR. A new application for Splunk SOAR enables robust automation and enrichment for your security operations. It provides a rich set of playbook actions, including the ability to scan files and URLs, retrieve detailed reports for IPs, domains, and hashes, and automatically enrich artifacts with critical context from Google's vast threat database.

These integrations build upon the hundreds of technology integrations already available for Google Threat Intelligence.

Threat Profiles 2.0 Preview. Threat Profiles allows users to focus on the threats that matter most to them based on varying dimensions like the customer’s industry, location of operation, source regions, targeted regions, etc. We have been hard at work moving Threat Profile to the new single unified UX surface, and as part of that move Threat Profile is receiving major improvements:

  • Complete visibility: gain comprehensive insights with automated recommendations across all GTI content, including Mandiant, partner and community intelligence.
  • Enhanced collaboration: share threat profiles with your team members as editors and viewers, fostering a collaborative environment for focusing on priority threats.
  • Automated operationalization: automatically generate custom IOC feeds for swift actionability, enabling focused threat hunting and detection in your environment.
  • Deeper customization: tailor threat profiles with expanded dimensions such as actor motivation, source country, and malware categories, aligning with your unique threat model.
  • Actionable insights: utilize the MITRE TTP analysis tool to understand tactics, techniques, and procedures (TTPs) and analyze relevant reports from Mandiant and other trusted sources.
  • Workflow automation: leverage API accessibility to create, manage, and set up alerts for changes to your threat profiles.
  • Unlimited profiles: Google TI Enterprise and Enterprise+ tiers now enjoy unlimited threat profiles.

The new threat profile is accessible here. We are early in the journey and are looking for feedback to continue shaping the evolution of GTI's relevance driving engine.

New prioritization visualization in Vulnerability Intelligence cards. GTI is a holistic threat intelligence suite that covers all use cases and data types. Its Vulnerability Intelligence module allows users to implement smart patching programs by focusing their resources on addressing vulnerabilities that are actively being weaponized or exploited in the wild. Vulnerability knowledge cards now include a clear visualization communicating the risk rating. This rating is derived from factors such as in-the-wild exploitation status, exploit availability, and overall exploitation state, empowering users to make smarter, threat-driven prioritization decisions.

Advanced network configuration options for URL analysis. Similar to the enhanced network environment control introduced for file sandbox detonation, users can now leverage advanced Internet connection options during URL analysis in the interactive sandbox environment. This provides granular control to simulate various network conditions for comprehensive analysis and to prevent cloaking.

User agent selection in Private Scanning. Malicious websites or servers often present different content or behaviors to a user based on their browser "user agent" string. To overcome this common cloaking technique, users can now choose among a set of user agents or provide their own custom string:

URL analysis report deletion in Private Scanning. Private Scanning allows its users to analyze URLs and files in a non-shareable fashion, including reputational analysis, static analysis, dynamic analysis in sandboxes and vetting with {YARA, Sigma, IDS} rules. Users have always been able to delete both scanned files and their associated reports at any point in time, including before the TTL specified at upload time. Users can now also delete submitted URLs at any time post-submission.

Google Threat Intelligence MCP Server for Google Unified Security. At RSA 2025 we announced the open-sourcing of MCP servers for Google Unified Security. As part of that announcement we released runnable Python MCP server examples for Google Threat Intelligence, providing standardized AI access to Google's frontline threat intelligence on indicators of compromise, threat actors, and campaigns. You can find the GitHub repository here; it includes the Google Threat Intelligence MCP server. It has never been easier to build workflows leveraging our vast intelligence.

Google Threat Intelligence integration widget for third-party products / interfaces (Preview). Inspired by VirusTotal's VT AUGMENT widget, the GTI widget is an official, compliant, and recommended way to integrate VirusTotal data into third-party applications. Essentially, it's a tool that allows developers and security vendors to embed the rich threat intelligence and analysis capabilities of Google Threat Intelligence directly into their own platforms, security products, or dashboards. Forget about engineering heavy lifting to enrich indicators of compromise (IPs, URLs, domains, files / hashes): GTI seamlessly serves a UI component that is ready to be integrated in 3rd-party interfaces, and this component can be custom styled to match your own interface.

Access a demo of the GTI widget here.

Generating the GTI widget is exclusively available to GTI customers. The process involves two steps: first, an ephemeral URL must be generated, and second, this URL is then used within your user interface.

GET https://www.virustotal.com/api/v3/gtiwidget?query=630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

Where the query can be a sha256 file hash, a domain, an IPv4 address or a URL. This step is usually done in the 3rd-party product backend and it requires a GTI API key to call the endpoint. Response example:

{
  "data": {
    "id": "630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da",
    "type": "file",
    "url": "https://www.virustotal.com/gtiwidget/ABMXx8NjMwMzI1Y2FjMDlhYzNmYWI5MDhmOTAzZTNiMDBkMGRhZGQ1ZmRhYTA4NzVlZDg0OTZmY2JiOTdhNTU4ZDBkYXx8ZmlsZXx8djN8fDE3NDI5ODAzMjF8fDY5ZjZlYjI4ODNiNDdiOTc0ZjJkZGExMjU0OGJhNjkyMzdjODY1NTA1NzM0NDA1ZmJhZTdhNDAwNTRjMTY1OWU"
  }
}

This URL is valid for 24 hours and does not require any kind of authentication to call it.

The second call involves embedding the widget in your own interface via an iframe:

For optimal display of the widget, a width of 900px is recommended. The widget includes both dark and light themes. The dark theme is the default. To use the light theme, include the query parameter theme=light in the API call. Similarly, the widget allows advanced style customization. Please reach out to us should you want to dive deeper into the GTI widget during this preview phase.
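The two-step widget flow above, written out in Python as an added example (this is not code from the page or from GTI's own client libraries). The backend half builds the gtiwidget request and extracts the ephemeral URL from the response; the UI half turns that URL into the iframe. Assumptions, also flagged in the comments: the API key is sent in the x-apikey header as in other VirusTotal v3 calls, the iframe height is a placeholder value, and the transport is injectable so the sample runs offline against the response example quoted above.

```python
import json
from html import escape
from urllib.parse import quote
from urllib.request import Request, urlopen

GTI_WIDGET_ENDPOINT = "https://www.virustotal.com/api/v3/gtiwidget"
WIDGET_URL_PREFIX = "https://www.virustotal.com/gtiwidget/"

# Response example from the page above, reused here as offline sample data.
SAMPLE_RESPONSE = json.dumps({
    "data": {
        "id": "630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da",
        "type": "file",
        "url": WIDGET_URL_PREFIX + "ABMXx8NjMwMzI1Y2FjMDlhYzNmYWI5MDhmOTAzZTNiMDBkMGRhZGQ1ZmRhYTA4NzVlZDg0OTZmY2JiOTdhNTU4ZDBkYXx8ZmlsZXx8djN8fDE3NDI5ODAzMjF8fDY5ZjZlYjI4ODNiNDdiOTc0ZjJkZGExMjU0OGJhNjkyMzdjODY1NTA1NzM0NDA1ZmJhZTdhNDAwNTRjMTY1OWU",
    }
})


def build_widget_request(query: str, theme: str = "dark") -> str:
    """Step 1 (backend): request URL for a sha256, domain, IPv4 address or URL.
    theme=light is the documented switch away from the default dark theme."""
    if theme not in ("dark", "light"):
        raise ValueError("theme must be 'dark' or 'light'")
    url = f"{GTI_WIDGET_ENDPOINT}?query={quote(query, safe='')}"
    if theme == "light":
        url += "&theme=light"
    return url


def fetch_widget_url(query, api_key, theme="dark", fetch=None):
    """Call the endpoint with the GTI API key and return the ephemeral widget URL
    (valid for 24 hours; loading it needs no authentication).
    Assumption: the key travels in the x-apikey header like other v3 calls.
    `fetch` is an injectable transport so the flow can be exercised offline."""
    request_url = build_widget_request(query, theme)
    if fetch is None:
        def fetch(url):
            req = Request(url, headers={"x-apikey": api_key})
            with urlopen(req, timeout=30) as resp:
                return resp.read().decode("utf-8")
    body = json.loads(fetch(request_url))
    widget_url = body["data"]["url"]
    # Only hand the browser a URL from the expected origin, never an arbitrary
    # string that happened to come back in a response.
    if not widget_url.startswith(WIDGET_URL_PREFIX):
        raise ValueError("unexpected widget URL origin")
    return widget_url


def widget_iframe(widget_url: str, width: int = 900, height: int = 600) -> str:
    """Step 2 (frontend): embed the ephemeral URL. 900px is the recommended width;
    the 600px height is a placeholder assumption, not a documented value.
    Only the ephemeral URL reaches the browser, never the API key."""
    if not widget_url.startswith(WIDGET_URL_PREFIX):
        raise ValueError("unexpected widget URL origin")
    return (f'<iframe src="{escape(widget_url, quote=True)}" '
            f'width="{int(width)}" height="{int(height)}" frameborder="0"></iframe>')


if __name__ == "__main__":
    sha256 = "630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da"
    # Offline demonstration; drop fetch= and supply a real key to call the API.
    ephemeral = fetch_widget_url(sha256, "<YOUR-GTI-API-KEY>", theme="light",
                                 fetch=lambda _: SAMPLE_RESPONSE)
    print(widget_iframe(ephemeral))
```

Keeping the origin check in both halves matters because the backend and the frontend are often different services: whichever one renders the iframe should refuse anything that is not a gtiwidget URL.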

RBAC controls: ASM NO ACCESS. GTI is a vast suite addressing all threat intelligence use cases, including Digital Risk Protection and Attack Surface Management. Indeed, Attack Surface Management is ultimately the module that allows us to understand your Internet exposed assets and identify which threats should matter the most based on this understanding. We do acknowledge that attack surface management is not always a responsibility of CTI teams and that it may often surface sensitive information such as exploitable assets. To adhere to strong security practices and enforce the principle of least privilege, we are rolling out a new RBAC control to restrict access to ASM.

Malware detection highlights. In our ongoing effort to enhance malware detection capabilities in Google Threat Intelligence, we've significantly expanded coverage this quarter. We've introduced and updated detection for over 80 key malware families with automated configuration extraction and added YARA rules for over 250 new malware families, dramatically improving the identification of existing and emerging threats. This update prioritizes malware families actively observed in Mandiant incident response engagements, SecOps customer environments, and top GTI search trends.

For example, recent Mandiant investigations led to enhanced detections for:

  • CHAINVERB, a downloader that hides its download URL within a digital certificate and deploys a remote access tool on infected systems.
  • ODORDAHLIA, a sophisticated backdoor used to target several industries including healthcare and construction & engineering.
  • SWITCHBLADE, an evasive dropper that deploys popular backdoors and credential stealers.

We've also updated detections for prevalent threats like CobaltStrike's BEACON implant, NJRAT, and XWORM, ensuring continued effectiveness against these widely used tools. To learn how to leverage these detection capabilities for proactive threat hunting, be sure to read our recent blog post on threat hunting with malware configurations.

Live interaction with URLs in Private Scanning (sandbox detonation). Private Scanning allows its users to analyze URLs and files in a non-shareable fashion, including dynamic analysis in sandboxes and vetting with {YARA, Sigma, IDS} rules. We have extended this capability to allow for live interaction with URLs during sandbox detonation. This new feature builds upon the existing interactive malware analysis capabilities and enables analysts to directly interact with web pages within the sandbox environment. This allows for a more comprehensive analysis of dynamic web content, including navigating multi-step processes, solving captchas, submitting forms, and observing behavior triggered by user interaction, which may be missed by automated analysis. Similarly, it also allows analysts to visit potentially harmful content in a safe manner, without having to install local virtual machines or an analysis lab.

Support for .onion domains in Private URL scanning. Private URL scanning enables users to submit websites for analysis, identifying redirection chains, web trackers, downloaded files, and other dynamic properties. We have now extended this functionality to specifically include support for .onion domains within the live interaction URL scanning feature. This enhancement allows users to leverage the interactive sandbox environment to analyze websites hosted on the Tor network, providing visibility into potentially malicious content or infrastructure that is otherwise difficult to access and analyze. This support is exclusive to the interactive scanning mode, enhancing the depth of analysis for these often obfuscated resources.

Enhanced network environment control in Private Scanning. As previously described, Private Scanning empowers users to conduct in-depth analysis of files and URLs within isolated static + dynamic sandbox environments. Building upon this dynamic analysis capability, we are introducing advanced Internet connection options during file sandbox detonation. This new functionality provides granular control over the network connectivity of the sandbox, allowing analysts to simulate various network conditions and observe how threats react. The available options include:

  • No Internet: completely isolates the sandbox from the internet.
  • Direct connection to Internet: provides a standard internet connection for the sandbox.
  • Interception of HTTPS/TLS connections: enables the capture and analysis of encrypted network traffic, e.g. to identify HTTPS URLs used for CnC purposes or to download additional malicious payloads.
  • Internet routed through Tor network: allows analysis of malware behavior when communicating through the Tor anonymity network.
  • OpenVPN custom configuration: supports the use of custom OpenVPN configurations to simulate specific network environments. Documentation on self hosted and 3rd party VPN connectivity.
  • Traffic routing through {Germany, Japan, Singapore, US East, United Kingdom}: enables the routing of sandbox network traffic through geographically diverse exit nodes to circumvent cloaking/evasion techniques or to understand region-specific malware customizations.

This enhancement is accessible within the Private Scanning interactive malware analysis capabilities.

Netblocks support in YARA Livehunt. YARA is the de facto pattern matching tool for threat intel analysts and malware researchers. As previously described, Google Threat Intelligence extends YARA beyond file content matching to be able to match incoming URLs, domains and IPs. We are adding support for matching against netblocks within our "vt" YARA module. This new feature allows users to create YARA rules that can identify network traffic or indicators associated with specific IP address ranges or CIDR blocks. This enhancement can be valuable for threat hunting and identifying activity originating from or communicating with known malicious infrastructure or threat actor-associated netblocks. See examples:

import "vt"

rule ip_in_some_IPv4_range {
  condition:
    vt.net.ip.in_range("192.168.1.0/24")
}

import "vt"

rule ip_in_some_IPv6_range {
  condition:
    vt.net.ip.in_range("2001:db8::1/32")
}
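The same range checks outside YARA, as an added Python example (not code from the page and not the implementation behind the "vt" module): useful when you want to test a list of indicators against tracked netblocks offline, or to sanity-check a CIDR before putting it in a rule. It uses the two ranges from the rules above and a constructed set of indicators, and it handles two edge cases that bite in practice: a prefix with host bits set (2001:db8::1/32 is really the 2001:db8::/32 block) and IPv4-mapped IPv6 addresses, which should still match an IPv4 block.

```python
import ipaddress

# The two ranges from the rules above, plus constructed indicators to test.
TRACKED_NETBLOCKS = ["192.168.1.0/24", "2001:db8::1/32"]
SAMPLE_INDICATORS = ["192.168.1.77", "192.168.2.1", "2001:db8:1234::5",
                     "::ffff:192.168.1.5", "2001:db9::1"]


def parse_netblock(cidr: str):
    """Parse a CIDR string. strict=False accepts prefixes whose host bits are set
    (2001:db8::1/32) and normalises them to the enclosing block (2001:db8::/32)."""
    return ipaddress.ip_network(cidr, strict=False)


def _contains(net, addr) -> bool:
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) names the same host as a.b.c.d;
    # unwrap it so an IPv4 block still matches.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.version != net.version:
        return False  # never compare across address families
    return addr in net


def ip_in_range(ip: str, cidr: str) -> bool:
    """Python counterpart of an in_range(cidr) check for one address."""
    return _contains(parse_netblock(cidr), ipaddress.ip_address(ip))


def match_indicators(indicators, netblocks):
    """Map each indicator to the tracked blocks it falls in (empty list = no hit).
    Blocks are reported in their normalised form."""
    nets = [parse_netblock(c) for c in netblocks]
    return {ip: [str(n) for n in nets if _contains(n, ipaddress.ip_address(ip))]
            for ip in indicators}


if __name__ == "__main__":
    for ip, hits in match_indicators(SAMPLE_INDICATORS, TRACKED_NETBLOCKS).items():
        print(f"{ip:>22}  ->  {hits or 'no match'}")
```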

Curated (GTI-G developed) YARA rules in Campaign and Software Toolkit/Tool knowledge cards. Actionability is one of GTI’s strategic imperatives. GTI provides in-depth monographic views for threat actors, malware & tools, campaigns and other significant events. These “cards” include information such as region/industry targeting, motivations, TTPs, etc. Malware knowledge cards and finished intelligence reports include high fidelity YARA rules developed by GTI-Group analysts, formerly known as Mandiant Intelligence. We’ve extended curated YARA rule development efforts to threat campaigns and other kinds of software toolkits used by attackers. See example.

Track relevant vulnerabilities in your threat profile. Threat Profile allows Google Threat Intelligence users to customize what matters most to them and focus on relevant threat actors, malware, campaigns, etc. We now have the ability to track and add vulnerability objects manually to any threat profile, allowing customers to follow trending vulnerabilities they read about in the news, significant events and beyond. This represents the first stepping stone towards technology watchlists and CMDB/SBOM connectors later in the year.

Public preview of categorized threat lists / feeds. Categorized threat lists are real-time IoC lists that can be used to drive hunting/detection/blocking workflows in different technologies. They are grouped into categories that can be used to target specific technologies/tech stacks/threats: ransomware, malicious network infrastructure, mobile, OS X, TOP + Trending IoCs, etc. GTI users can now test the new functionality.

Gemini summary for all finished intelligence reports. Google Threat Intelligence incorporates finished intelligence reporting with the differentiated frontline visibility of our Mandiant experts. Based on Mandiant’s 1k+ yearly incident responses, comprehensive underground collection strategy, fusion centers, etc., analysts produce hundreds of intelligence reports each week focusing on topic areas that span cyber crime, cyber espionage, DDoS, healthcare, etc., and report types go all the way from threat activity alerts to quarterly industry focused intelligence. We’ve extended Gemini AI summarization beyond 3rd-party articles and any kind of online references ingested through direct connection to the Google crawler (OSINT articles). Now all finished intelligence content includes AI summaries, accelerating users’ ability to understand whether a given article is relevant to them.

Semantic search across {threat actors, malware profiles, campaigns, vulnerabilities, finished intelligence reports}. Many describe GTI as the “Google search engine” for all kinds of attacker behavior. Indeed, users can make use of both free text searches and advanced faceted queries to identify interesting threat objects. We’ve improved search matching over written content and profiles with semantic searching, which leverages ML and embeddings to understand queries and find relevant content even when there are no exact keyword matches. Example searches:

Search improvements are work in progress and we continue to execute towards full blown agentic search (reasoning included) against all our threat corpuses, including deep dark web visibility.

Private Scanning UK storage region. Private Scanning allows its users to “see files through Google Threat Intelligence’s eyes” without making those files or their reports downloadable/visible to any 3rd-party beyond their own organizations, i.e. in a non-shareable fashion. All standard platform analysis components are included (reputation, static, dynamic - sandboxes, code, similarity analysis) except for VirusTotal multi-antivirus scanning. We’ve extended the available file storage regions (US, Canada, Europe) and added the UK as an option, which will help in certain regulated environments.

Private URL scanning. We’ve extended the aforementioned private scanning functionality to also act on URLs. Users can now submit any website and effortlessly identify redirection chains, web trackers, downloaded files, etc. The analysis pipeline visits the pertinent URL with a Chrome headless instance, screenshots the site and extracts dynamic properties such as the DOM tree, JavaScript variables, HTTP transactions, etc. All of the extracted data points are pivotable and allow you to identify similar threats across the open GTI dataset, which becomes instrumental in performing attribution or identifying the malware behind a given network infrastructure. Similarly, Private Scanning optionally allows you to open up the URL in our dynamic analysis environments (sandboxes), enhancing analysis of potential downloaded files.

Private URL scanning is also exposed through API endpoints in order to power automations and programmatic workflows.

Private URL scanning in Palo Alto XSOAR. The aforementioned programmatic URL private scanning endpoint has now been added to the GTI Palo Alto XSOAR integration, making it even easier to build automated workflows and threat detection / incident response playbooks.

DTM RBAC NO ACCESS. Google Threat Intelligence strives to tackle all threat intelligence use cases, including Digital Risk Protection through our Digital Threat Monitoring component (DTM), which is focused on deep and dark web visibility. DTM provides alerts about compromised credentials, data leaks, credit card theft, domain abuse and other potential risks. Given that DTM often surfaces sensitive leaked/compromised organizational data, GTI administrators often desire to limit its access across their org. We’ve released new role based access controls in order to address such needs. If you are a GTI org administrator, you can find user listings and RBAC controls in the org profile view, accessible via the dropdown below your username in the top right hand corner of the platform.

DTM smart alert clustering. Google Threat Intelligence strives to tackle all threat intelligence use cases, including Digital Risk Protection through our Digital Threat Monitoring component (DTM), which is focused on deep and dark web visibility. DTM provides alerts about compromised credentials, data leaks, credit card theft, domain abuse and other potential risks. In an effort to reduce alert fatigue we are extending the smart alert grouping logic of the compromised credentials monitor to the entire DTM surface. Now, each alert will have a similarity score; if that score is 90% or higher relative to another alert (the two alerts have mostly the same data in them), the two will be grouped together. Read more about alert grouping in our documentation.
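To make the 90% threshold concrete, here is an added Python illustration of threshold-based alert grouping (not DTM's code, and the page does not say how DTM computes its score). The similarity metric is an assumption: the share of fields on which two alerts agree. The alerts are constructed, ten fields each, so one differing field is exactly 0.9. The sample also shows a property any pairwise-threshold grouping has: alert 0 and alert 2 agree on only 8 of 10 fields, yet they land in one group because each is within the threshold of alert 1. Keep that chaining in mind when reviewing a large group.

```python
from itertools import combinations

# Constructed DTM-style alerts (illustrative field names, no real data).
_BASE = {
    "monitor": "compromised-credentials", "source": "paste-site", "domain": "example.com",
    "email": "j.doe@example.com", "password_hash": "<redacted>", "breach": "constructed-dump",
    "severity": "high", "country": "XX", "first_seen": "2025-01-01", "leak_type": "credential",
}


def make_alert(**changes):
    return {**_BASE, **changes}


SAMPLE_ALERTS = [
    make_alert(),                                                             # 0
    make_alert(first_seen="2025-01-02"),                                      # 1: 9/10 with 0
    make_alert(first_seen="2025-01-02", country="YY"),                        # 2: 9/10 with 1, 8/10 with 0
    make_alert(email="other@example.com", source="forum", severity="low"),   # 3: 7/10 with 0
]


def similarity(a: dict, b: dict) -> float:
    """Assumed metric: fraction of fields (over both alerts' keys) with equal values."""
    keys = set(a) | set(b)
    return sum(a.get(k) == b.get(k) for k in keys) / len(keys)


def group_alerts(alerts, threshold: float = 0.90):
    """Union-find grouping: every pair scoring at or above the threshold is merged,
    so groups are transitive closures of 'similar enough' pairs."""
    parent = list(range(len(alerts)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    for i, j in combinations(range(len(alerts)), 2):
        if similarity(alerts[i], alerts[j]) >= threshold:
            parent[find(i)] = find(j)

    groups = {}
    for i in range(len(alerts)):
        groups.setdefault(find(i), []).append(i)
    return sorted(groups.values())


if __name__ == "__main__":
    for members in group_alerts(SAMPLE_ALERTS):
        print("group:", members)  # [0, 1, 2] and [3]
```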

DTM Gemini AI alert summarization. DTM alert views & alert lists now provide a short AI generated summary so that users can efficiently investigate external threats to their organization. This LLM output is provided in English and it is similar to the output of a capable junior SOC analyst - reliable and accurate, with enough distilled to enable the user to arrive at a correct judgment about what to do with the alert (close, follow up, etc). Read more about DTM alerts in our documentation.

Expanded trusted community detection contributions. Google Threat Intelligence’s differentiated threat visibility is built on Mandiant’s frontline engagements, VirusTotal’s industry + community aggregation and Google’s exhaustive internet visibility. As part of our efforts to continue to consolidate all of the industry’s knowledge about threats we have deployed new crowdsourced Sigma rules. As a refresher, crowdsourced Sigma rules act on the EVTX logs derived from sandbox file detonations and the corresponding matches are displayed in the Detection tab of the corresponding files. We’ve extended the pre-existing Sigma rule sources with RussianPanda’s Sigma rules, check out this example of a file with matches.

New (searchable) file behavior tags. Google Threat Intelligence detonates all the files it sees in home grown, open source and third-party sandboxes (dynamic analysis setups) that record actions such as network communication, registry activity, file process activity, etc. We map particularly interesting behaviors to tags for quick searching, for example: behavior_tags:calls_wmi. We have released new behavior tags such as qrcode, which flags files that have displayed a QR code when executed, as identified in the pertinent sandbox screenshots. Full set of behavior modifiers: big_upstream, calls_wmi, checks_bios, checks_cpu_name, checks_disk_space, checks_gps, checks_hostname, checks_memory_available, checks_network_adapters, checks_pci_bus, checks_usb_bus, checks_user_input, clipboard, crypto, decrypts_exe, detect_debug_environment, direct_cpu_clock_access, eval_function, executes_dropped_file, ftp_communication, hosts_modifier, idle, installs_browser_extension, irc_communication, listens, long_sleeps, macro_anti_analysis, macro_copy_file, macro_create_dir, macro_create_file, macro_create_ole, macro_download_url, macro_enum_windows, macro_environ, macro_handle_file, macro_hide_app, macro_open_file, macro_powershell, macro_registry, macro_run_dll, macro_run_file, macro_save_workbook, macro_send_keys, macro_write_file, mysql_communication, obfuscated, password_dialog, persistence, qr_code, reflection, repeated_clock_access, runtime_modules, self_delete, sends_sms, service_scan, sets_process_name, smtp_communication, ssh_communication, sudo, suspicious_dns, suspicious_udp, telephony, telnet_communication, tunneling.

Malware Behavior Catalog for file detonations. One of Google Threat Intelligence’s strategic imperatives revolves around providing superior context and explainability about threats. We are now mapping all file dynamic analysis sandbox detonations to the Malware Behavior Catalog (MBC), similar to the mappings that we already do to the MITRE ATT&CK Matrix. MBC is usually more effective at describing concrete malware behavior than ATT&CK, given that ATT&CK applies to broader attacker activity. Refer to the “Malware Behavior Catalog tree” section of this file report in order to see an example. This information is also exposed via API by retrieving the behavior_mbc_trees relationship for file objects.

Search for files with a specific Malware Behavior Catalog classification. Google Threat Intelligence allows its users to search across its massive IoC dataset with advanced search modifiers/facets describing reputational/static/dynamic/code/content properties. We’ve extended the available search modifiers with one named “mbc”; it matches the MBC catalog id and allows you to pinpoint files that exhibit a given MBC behavior. Example: mbc:C0002.018 searches for files that start an HTTP server.

Malware Behavior Catalog matching in Livehunt. Google Threat Intelligence allows its users to write YARA rules that are matched against the incoming live stream of files uploaded to VirusTotal and other threat sources across Google properties; it is what we call Livehunt. In line with the MBC mapping described above we are now allowing users to match MBC output in Livehunt with the "vt" module. Example:

import "vt"

rule mbc_example {
  condition:
    for any catalog in vt.behavior.mbc: (
      catalog.id == "C0002.018"
    )
}

Livehunt and Retrohunt upgraded to YARA-X. YARA-X is a re-incarnation of YARA, our home-grown pattern matching tool designed with malware researchers in mind. This new incarnation intends to be faster, safer and more user-friendly than its predecessor. The ultimate goal of YARA-X is to serve as the future replacement for YARA. We have upgraded the Livehunt and Retrohunt clusters with YARA-X, this immediately exposes new modules for use within our Hunting component and makes development of new custom modules far easier.

Macho YARA module now supported in Livehunt & Retrohunt. As previously mentioned, Google Threat Intelligence allows its users to match its malware corpus with YARA rules, be it in a real-time fashion (Livehunt) or back in time (Retrohunt). The rules can act on any file type, including the more than 12K+ net new Mac OS X executables that we receive on a daily basis. The aforementioned move to YARA-X means that you can now use the “macho” module in order to match against advanced static and structural features of Mac OS X executables.

String and time YARA modules now supported in Livehunt & Retrohunt. Similar to the macho module, the upgrade to YARA-X has opened up the use of the string and time YARA modules.

Upgrade to MITRE v16.1. Google Threat Intelligence focuses on all types of threat intelligence: technical, tactical, operational, strategic. We build thorough curated profiles for threat actors, campaigns and malware families through Mandiant’s differentiated frontline visibility. These profiles include MITRE ATT&CK matrices to describe attacker activity. The techniques and tactics available on actor, malware, campaign, and TTP analysis objects are being updated to reflect MITRE version 16.1. This update introduces new and improved attacker technique classifications, including better characterization of Cloud-based adversary activity. Check this example to see where this information surfaces within profiles.

Improvements in searching within MITRE matrices. MITRE matrices on the aforementioned threat actor, campaign, malware family and TTP analysis views are now searchable. The search box above the matrix allows you to provide either a technique or sub-technique name or ID, and the matrix gets automatically updated to reflect your search criteria.

Detection Highlights. Mandiant is enhancing Google Threat Intelligence's detection capabilities by integrating YARA rules and malware configuration extraction. Our configuration extraction team currently supports 400+ malware families and is constantly expanding this support to include new families discovered through Mandiant investigations (IR, underground monitoring, OSINT exploration, etc.). These families surface as malware profiles and IoC associations in product. In September, the team added support for BASTA, PALEBEAM, HAVOCDEMON, and XMRIG, and updated plugins for BOLDBADGER, DONUT, and TOUGHROW. We will continue to keep you informed as we roll out new configuration extractors and YARA rule integrations.

Google Threat Intelligence score searches and YARA matching. Google Threat Intelligence is an opinionated solution: we produce a maliciousness verdict, threat severity score and human readable assessment for every IoC that we see. This opinion brings together multiple proprietary systems into a single determination: the GAVS Google Antivirus engine that acts on systems such as Drive or Gmail, Google Safe Browsing, Google Web Risk, Gemini Code Insight, VirusTotal metadata, threat actor/malware/campaign associations, Mandiant analyst investigations, etc. We've made the GTI score searchable and it can now be combined with the myriad of facets that allow you to go from a property to the IoCs sharing it, example: type:docx AND behaviour:powershell AND gti_score:30+. Similarly, the GTI score is now exposed in Livehunt for matching with YARA rules:

This effectively allows users to create tailored custom IoC threat feeds based on Google's curated threat data, for instance, high scores will be indicative of associations to threat actors as assessed by Mandiant / the Google Threat Intelligence Group.
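Turning the searches described here (the mbc modifier above and the gti_score example in the previous paragraph) into a custom IoC feed, as an added Python example that is neither page code nor an official GTI client. It composes the query from the modifiers shown on the page, walks the result set with cursor paging, and de-duplicates into feed rows. Assumptions, flagged in comments: the v3 intelligence search endpoint with a meta.cursor continuation token, an x-apikey header for the key, and meaningful_name as the file attribute worth keeping; the two-page response used to exercise the paging is constructed.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Assumption: v3 intelligence search with cursor-based paging. Confirm the exact
# response shape against the API reference before relying on it in production.
SEARCH_ENDPOINT = "https://www.virustotal.com/api/v3/intelligence/search"


def build_query(*, file_type=None, behaviour=None, mbc=None, min_gti_score=None):
    """Compose a search from the modifiers shown on this page:
    type:, behaviour:, mbc:<catalog id> and gti_score:<N>+ (score N or higher)."""
    parts = []
    if file_type:
        parts.append(f"type:{file_type}")
    if behaviour:
        parts.append(f"behaviour:{behaviour}")
    if mbc:
        parts.append(f"mbc:{mbc}")
    if min_gti_score is not None:
        score = int(min_gti_score)
        if score < 0:
            raise ValueError("gti_score lower bound must be non-negative")
        parts.append(f"gti_score:{score}+")
    if not parts:
        raise ValueError("at least one modifier is required")
    return " AND ".join(parts)


def iter_results(query, api_key, fetch=None, limit=300):
    """Yield every object in the result set, following meta.cursor across pages.
    `fetch` is an injectable transport so the logic can be exercised offline."""
    if fetch is None:
        def fetch(url):
            req = Request(url, headers={"x-apikey": api_key})  # assumed header
            with urlopen(req, timeout=60) as resp:
                return resp.read().decode("utf-8")
    cursor = None
    while True:
        params = {"query": query, "limit": limit}
        if cursor:
            params["cursor"] = cursor
        page = json.loads(fetch(f"{SEARCH_ENDPOINT}?{urlencode(params)}"))
        yield from page.get("data", [])
        cursor = page.get("meta", {}).get("cursor")
        if not cursor:
            return


def build_feed(query, api_key, fetch=None):
    """De-duplicated feed rows (ioc, type, name) ready for a blocklist or a hunt."""
    seen, rows = set(), []
    for obj in iter_results(query, api_key, fetch):
        if obj["id"] in seen:
            continue
        seen.add(obj["id"])
        rows.append({"ioc": obj["id"], "type": obj["type"],
                     "name": obj.get("attributes", {}).get("meaningful_name")})
    return rows


# Constructed two-page sample response to demonstrate cursor handling offline.
_PAGE1 = json.dumps({"data": [{"id": "a" * 64, "type": "file",
                               "attributes": {"meaningful_name": "invoice.docx"}}],
                     "meta": {"cursor": "constructed-cursor-1"}})
_PAGE2 = json.dumps({"data": [{"id": "b" * 64, "type": "file", "attributes": {}},
                              {"id": "a" * 64, "type": "file", "attributes": {}}],
                     "meta": {}})


def sample_fetch(url):
    return _PAGE2 if "cursor=" in url else _PAGE1


if __name__ == "__main__":
    q = build_query(file_type="docx", behaviour="powershell", min_gti_score=30)
    for row in build_feed(q, "<YOUR-GTI-API-KEY>", fetch=sample_fetch):
        print(row)
```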

Threat Profile recommendation and customization enhancements. Threat Profile allows Google Threat Intelligence users to customize what matters most to them and focus on relevant threat actors, malware, campaigns, vulnerabilities, etc. We are now giving customers more deterministic levers to surface threats that matter to them.

  • Customize the categories that must match within your Threat Profile. Default is that there must be an interest match within at least one category. A narrower view would be configuring to "must match at least 2 categories". Categories historically included industry and target region – stay tuned for new customization options soon, hint in the screenshot!
  • Enhanced expectation setting during Threat Profile customization, such as showing the customer where there will be limited results and offering an opt-in option to broaden the scope.
  • Finally, we have better aligned the logic to customer expectations, surfacing "up to" a maximum number of threats in the Threat Profile view.

Capa Explorer. Google Threat Intelligence not only analyzes files, domains, IP addresses and URLs with multiple antivirus vendors and blocklists, we also run a myriad of home-grown, open source and 3rd-party tools on these artifacts, including dynamic analysis sandboxes. One such analysis system is Mandiant capa, which provides a framework for the community to encode, recognize, and share behaviors that have been seen in malware to figure out what a program does. The FLARE team recently rolled out capa Explorer Web, a browser-based tool to display the capabilities found by capa. The capa Explorer Web UI provides an intuitive and interactive way to visualize the capa analysis results. We've integrated capa Explorer in Google Threat Intelligence and now users can directly jump into capa Explorer by following a link in the Capabilities header of file dynamic analysis behavior reports (example).

JA4 fingerprinting and reverse IoC searches over the entire threat dataset. JA4 is a suite of network fingerprinting methods that include both human- and machine-readable components to facilitate more effective threat hunting and analysis. The use-cases for these fingerprints include scanning for threat actors, malware detection, session hijacking prevention, compliance automation, location tracking, DDoS detection, grouping of threat actors, reverse shell detection, and many more. An increasing number of vendors such as Cloudflare or AWS are starting to offer JA4 fingerprinting and allowing their users to block on them. Google Threat Intelligence has started to produce JA4 fingerprints for TLS communications seen in the detonation of processed files in dynamic analysis sandboxes.

Users can also pivot over these fingerprints in order to track and identify malicious files based on the unique characteristics of their TLS client communications, for example: behaviour_network:t10d070600_c50f5591e341_1a3805c3aa63. This pivoting can power multiple use cases, for instance, getting more context in terms of the tooling and actors behind anomalous patterns seen in your network perimeter as portrayed by tools such as the aforementioned Cloudflare capability.
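The readable half of a JA4 fingerprint carries information an analyst can use before pivoting at all. The added Python example below (not page code, not the "vt" module) decodes the JA4_a section of the fingerprint quoted above according to the public JA4+ specification, keeps the two hashed sections as given (they are truncated SHA-256 digests of the sorted cipher and extension lists and cannot be reversed), and builds the behaviour_network search modifier shown above. The second sample fingerprint is a constructed TLS 1.3 value used only to show the ALPN field.

```python
import re

# Hashed JA4 layout (JA4+ spec): JA4_a "_" JA4_b "_" JA4_c, where JA4_a is
# protocol(1) TLS-version(2) SNI-flag(1) cipher-count(2) extension-count(2) ALPN(2).
JA4_RE = re.compile(
    r"^(?P<proto>[tq])(?P<version>13|12|11|10|s3|s2|00)(?P<sni>[di])"
    r"(?P<ciphers>\d{2})(?P<extensions>\d{2})(?P<alpn>[0-9a-zA-Z]{2})"
    r"_(?P<cipher_hash>[0-9a-f]{12})_(?P<ext_hash>[0-9a-f]{12})$"
)
_VERSIONS = {"13": "TLS 1.3", "12": "TLS 1.2", "11": "TLS 1.1", "10": "TLS 1.0",
             "s3": "SSL 3.0", "s2": "SSL 2.0", "00": "unknown"}

PAGE_SAMPLE = "t10d070600_c50f5591e341_1a3805c3aa63"   # fingerprint quoted above
CONSTRUCTED_SAMPLE = "t13d1516h2_8daaf6152771_e5627efa2ab1"  # constructed TLS 1.3 value


def parse_ja4(fingerprint: str) -> dict:
    """Decode the readable JA4_a part; keep the hashed JA4_b / JA4_c parts as given."""
    m = JA4_RE.match(fingerprint.strip())
    if not m:
        raise ValueError(f"not a hashed JA4 fingerprint: {fingerprint!r}")
    alpn = m["alpn"]
    return {
        "transport": "tcp" if m["proto"] == "t" else "quic",
        "tls_version": _VERSIONS[m["version"]],
        "sni_present": m["sni"] == "d",          # d = SNI domain sent, i = IP, no SNI
        "cipher_count": int(m["ciphers"]),
        "extension_count": int(m["extensions"]),
        "alpn": None if alpn == "00" else alpn,  # first+last character of the ALPN value
        "cipher_hash": m["cipher_hash"],         # truncated sha256 of sorted ciphers
        "extension_hash": m["ext_hash"],         # truncated sha256 of sorted extensions
    }


def search_pivot(fingerprint: str) -> str:
    """The search modifier used on this page to go from a JA4 to the files that produced it."""
    parse_ja4(fingerprint)  # validate before building a query from it
    return f"behaviour_network:{fingerprint.strip()}"


def describe(fingerprint: str) -> str:
    p = parse_ja4(fingerprint)
    return (f"{p['transport']} {p['tls_version']}, SNI {'yes' if p['sni_present'] else 'no'}, "
            f"{p['cipher_count']} ciphers, {p['extension_count']} extensions, "
            f"ALPN {p['alpn'] or 'none'}")


if __name__ == "__main__":
    for fp in (PAGE_SAMPLE, CONSTRUCTED_SAMPLE):
        print(fp, "->", describe(fp))
        print("   pivot:", search_pivot(fp))
```

A client offering TLS 1.0 with seven ciphers and no ALPN, as the page's sample decodes to, already looks nothing like a current browser; that kind of reading is often the quickest triage step before running the pivot.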

Our home-grown "vt" YARA module now also supports JA4 matching: