List Threats

Note: Special privileges required

Threat Actors and Campaigns are only available to users with the Google Threat Intelligence (Google TI) Enterprise or Enterprise Plus licenses.

This endpoint searches and filters Threat Intelligence objects. It returns a list of Threat objects whose collection_type attribute is one of the following:

  • collection: Collections of Indicators of Compromise grouped by their observed usage in malicious campaigns in the wild or by their association with specific malware families. This OSINT and curated information is provided by our users and by certain trusted partners and security researchers, created automatically from Reports published by the cybersecurity community, or curated by our Google TI experts.
  • threat-actor: Curated information about Threat Actors, provided by the Google TI experts tracking them or by certain trusted partners and security researchers.
  • malware-family: Curated information about malware families, provided by our Google TI experts and by certain trusted partners and security researchers.
  • software-toolkit: Curated information about malicious software or toolkits used in threat campaigns, provided by our Google TI experts.
  • campaign: Curated information about threat campaigns, provided by our Google TI experts.

Search notes:

  • if you don't filter by collection_type, this endpoint returns a single list with every object that meets the filters, of any of the following types mixed together: Vulnerabilities, Reports, Threat Actors, Malware families, Software or Toolkits, Campaigns and IoC Collections.
  • filter values are case-insensitive
  • several filters can be combined into a more complex and specific search
  • boolean operators can be used in more complex searches: AND, OR, NOT
  • quotes are needed for filter values containing spaces: description:"Phishing campaign"
  • wildcards (*) give partial matches: name:Ransom*
  • absolute date formats: YYYY-MM-DD, YYYY-MM-DDTHH-mm-ss
  • relative date formats: 60d (days ago), 10m (minutes ago)
  • a trailing + or - turns a date into a range: last_modification_date:7d+ matches objects modified from 7 days ago onwards (i.e. in the last week), creation_date:2024-01-01- matches objects created up to 2024-01-01

Allowed filters by object collection_type:

| filter | collection | threat-actor | malware-family | software-toolkit | campaign | filter description |
|---|---|---|---|---|---|---|
| Open search | ✓ | ✓ | ✓ | ✓ | ✓ | Text without modifiers, matched against the object's name or description |
| name | ✓ | ✓ | ✓ | ✓ | ✓ | Object's name |
| description | ✓ | ✓ | ✓ | ✓ | ✓ | Object's description |
| creation_date | ✓ | ✓ | ✓ | ✓ | ✓ | Object's creation date |
| last_modification_date | ✓ | ✓ | ✓ | ✓ | ✓ | Object's last modification date |
| origin | ✓ | ✓ | ✓ | ✓ | ✓ | Object's origin. Available options: Partner for objects curated by trusted partners and security researchers, Crowdsourced for OSINT objects from the community, or Google Threat Intelligence for objects curated by our Google TI experts |
| owner | ✓ | ✓ | ✓ | ✓ | ✓ | Owner's username |
| suspected_threat_actor | | ✓ | | | | Threat actor suspected to be part of a larger group |
| merged_actor | | ✓ | | | | Threat actors confirmed to be part of a larger group |
| motivation | ✓ | ✓ | | | | Motivations of threat actors and of an IoC collection's campaigns |
| source_region | ✓ | ✓ | | | ✓ | Region from which the threat actor or an IoC collection's campaign is known to originate |
| targeted_region | ✓ | ✓ | | | ✓ | Region targeted by a specific campaign, threat actor or an IoC collection's malicious activity |
| targeted_industry | ✓ | ✓ | ✓ | ✓ | ✓ | Industry targeted by a specific campaign, malware family, software or toolkit, threat actor, or by an IoC collection's malicious activity |
| targeted_industry_group | ✓ | ✓ | ✓ | ✓ | ✓ | Group of industries targeted by a specific campaign, malware family, software or toolkit, threat actor, or by an IoC collection's malicious activity |
| capability | | ✓ | ✓ | | | Capabilities associated with the files of a threat actor or malware family |
| operating_system | | | ✓ | ✓ | | Operating system affected by a malware family or a software or toolkit |
| detection | | | ✓ | ✓ | | Detections associated with the files of a malware family or a software or toolkit |
| malware_role | | | ✓ | ✓ | | Object's associated malware role |
| software_toolkit | ✓ | ✓ | ✓ | | ✓ | Software or Toolkit name associated with the object |
| shared_with_me | ✓ | | | | | Private IoC Collection objects that are shared with me or my group |

Rows with fewer than five marks are placed in the columns their description names; for malware_role and software_toolkit the description does not name the types, so the column placement (the two file-centric types, and every type except software-toolkit itself, respectively) is the most plausible reading of the original table rather than a confirmed mapping.

Allowed orders (in the API the value, e.g. name+, is passed in the order query parameter, as in the examples below):

  • order:name+: sorts objects alphabetically by name, ascending + or descending -.
  • order:creation_date-: sorts objects descending - (default), most recently created first, or ascending + , oldest first.
  • order:last_modification_date-: sorts objects descending -, most recently modified first, or ascending +, least recently modified first.
  • order:lookups_trend-: sorts objects ascending + or descending - by the trend of daily distinct-user lookups of the object's IoCs over the last 14 days.
  • order:submissions_trend-: sorts objects ascending + or descending - by the trend of daily distinct-user submissions of the object's IoCs over the last 14 days.
  • order:relevance+: sorts objects ascending + or descending - by the relevance of the object.
  • order:exploitation_state+: sorts objects ascending + or descending - by the exploitation state of the vulnerability.
  • order:risk_rating+: sorts objects ascending + or descending - by the risk rating of the vulnerability.

The last two orders describe Vulnerability objects, which are only part of the result set when no collection_type filter is applied.
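To make the search syntax, the filter table and the order list above concrete, here is an added example (not code from the Google TI documentation, the API, or any official client) that builds and validates a /collections query offline before anything is sent: it quotes values that contain spaces, groups terms with OR, checks every filter name against the table for the chosen collection_type, validates absolute and relative date values and the +/- order suffix, and percent-encodes the result (a raw trailing + in the order parameter would otherwise be decoded as a space). The per-type filter sets are transcribed from the table; where the table has fewer than five marks the column assignment follows the row description and is an assumption, and the rule that exploitation_state and risk_rating orders only make sense without a collection_type filter is inferred from the note that Vulnerability objects appear only in untyped searches. QueryError, term, any_of, build_query and rejects are names chosen for this example.

```python
import re
import urllib.parse

BASE_URL = "https://www.virustotal.com/api/v3/collections"

# Filter names accepted per collection_type, transcribed from the table above.
# Column placement for rows with fewer than five marks follows each row's
# description and is an assumption, not a confirmed mapping.
_COMMON = {"name", "description", "creation_date", "last_modification_date",
           "origin", "owner", "targeted_industry", "targeted_industry_group"}
ALLOWED_FILTERS = {
    "collection": _COMMON | {"motivation", "source_region", "targeted_region",
                             "software_toolkit", "shared_with_me"},
    "threat-actor": _COMMON | {"suspected_threat_actor", "merged_actor", "motivation",
                               "source_region", "targeted_region", "capability",
                               "software_toolkit"},
    "malware-family": _COMMON | {"capability", "operating_system", "detection",
                                 "malware_role", "software_toolkit"},
    "software-toolkit": _COMMON | {"operating_system", "detection", "malware_role"},
    "campaign": _COMMON | {"source_region", "targeted_region", "software_toolkit"},
}
ALLOWED_ORDERS = {"name", "creation_date", "last_modification_date", "lookups_trend",
                  "submissions_trend", "relevance", "exploitation_state", "risk_rating"}
VULNERABILITY_ONLY_ORDERS = {"exploitation_state", "risk_rating"}  # inferred, see lead-in

# Absolute dates (YYYY-MM-DD or YYYY-MM-DDTHH-mm-ss) or relative ones (60d, 10m),
# optionally followed by + (from that date onwards) or - (up to that date).
_DATE_RE = re.compile(r"^(?:\d{4}-\d{2}-\d{2}(?:T\d{2}-\d{2}-\d{2})?|\d+[dm])[+-]?$")
_DATE_TERM_RE = re.compile(r"^(creation_date|last_modification_date):(\S+)$")
_QUOTED_RE = re.compile(r'"[^"]*"')
_NAME_RE = re.compile(r"(?<![\w:])([a-z_]+):")  # the word before a colon is a filter name


class QueryError(ValueError):
    """Raised before any request is sent, so a bad query never costs API quota."""


def term(name, value):
    """One filter term; a value containing whitespace is wrapped in double quotes."""
    value = str(value)
    if any(ch.isspace() for ch in value):
        value = '"' + value.replace('"', '\\"') + '"'
    return f"{name}:{value}"


def any_of(*terms):
    """Group terms with OR, e.g. (name:ransomware or description:ransomware)."""
    return "(" + " or ".join(terms) + ")"


def build_query(collection_type=None, terms=(), order=None):
    """Validate the terms against the table and return the fully encoded request URL."""
    terms = list(terms)
    if collection_type is not None:
        if collection_type not in ALLOWED_FILTERS:
            raise QueryError(f"unknown collection_type {collection_type!r}")
        terms.insert(0, f"collection_type:{collection_type}")
    for t in terms:
        # Blank out quoted values first so a colon inside description:"..." is not read as a name.
        for name in _NAME_RE.findall(_QUOTED_RE.sub('""', t)):
            if name == "collection_type":
                continue
            if collection_type is not None and name not in ALLOWED_FILTERS[collection_type]:
                raise QueryError(f"filter {name!r} is not allowed for {collection_type!r}")
        m = _DATE_TERM_RE.match(t)
        if m and not _DATE_RE.match(m.group(2)):
            raise QueryError(f"bad date value {m.group(2)!r} for {m.group(1)}")
    params = {"filter": " ".join(terms)}
    if order is not None:
        key = order.rstrip("+-")
        if not order or order[-1] not in "+-" or key not in ALLOWED_ORDERS:
            raise QueryError(f"bad order {order!r}; expected e.g. relevance- or name+")
        if key in VULNERABILITY_ONLY_ORDERS and collection_type is not None:
            raise QueryError(f"{key} orders Vulnerability objects, which a collection_type filter excludes")
        params["order"] = order
    # urlencode percent-encodes ':' '(' ')' and the trailing '+' of the order value.
    return BASE_URL + "?" + urllib.parse.urlencode(params)


def rejects(collection_type=None, terms=(), order=None):
    """True if build_query refuses the query; useful as a pre-flight check."""
    try:
        build_query(collection_type, terms, order)
    except QueryError:
        return True
    return False


if __name__ == "__main__":
    print(build_query("campaign",
                      [any_of("name:ransomware", "description:ransomware"), "targeted_region:CN"],
                      order="last_modification_date+"))
```

The returned URL can be fetched with requests.get and the x-apikey header exactly as in the examples below; the only difference from those examples is that the order value is percent-encoded here, so last_modification_date+ survives the trip to the server.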

Examples

Get the list of all Threat, Report and Vulnerability objects created in the last week. This first example, unlike the rest, does not use the collection_type filter, so objects of every type are returned together.

import requests
import urllib.parse

API_KEY = "<api-key>"  # your Google TI API key

filters = "creation_date:7d+"  # created from 7 days ago onwards
url = f"https://www.virustotal.com/api/v3/collections?filter={urllib.parse.quote(filters)}"
headers = {"accept": "application/json", "x-apikey": API_KEY}
response = requests.get(url, headers=headers)
response.raise_for_status()  # fail loudly on HTTP errors instead of treating an error body as results
objects = response.json()["data"]

Get the list of all private IoC collections that are shared with me or my Google TI group, or that I own.

import requests
import urllib.parse

API_KEY = "<api-key>"  # your Google TI API key

filters = "collection_type:collection (shared_with_me:true or owner:my_user_id)"
url = f"https://www.virustotal.com/api/v3/collections?filter={urllib.parse.quote(filters)}"
headers = {"accept": "application/json", "x-apikey": API_KEY}
response = requests.get(url, headers=headers)
response.raise_for_status()
objects = response.json()["data"]

Get the list of all IoC Collections describing espionage-motivated malicious activity targeting the Canadian government.

import requests
import urllib.parse

API_KEY = "<api-key>"  # your Google TI API key

filters = "collection_type:collection motivation:espionage targeted_industry:government targeted_region:CA"
url = f"https://www.virustotal.com/api/v3/collections?filter={urllib.parse.quote(filters)}"
headers = {"accept": "application/json", "x-apikey": API_KEY}
response = requests.get(url, headers=headers)
response.raise_for_status()
objects = response.json()["data"]

Get the list of all Russian, financially motivated Threat Actors using backdoors in their attacks, sorted by relevance.

import requests
import urllib.parse

API_KEY = "<api-key>"  # your Google TI API key

filters = "collection_type:threat-actor motivation:financial source_region:RU threat_category:backdoor"
order = "relevance-"
# quote() the order too: a raw trailing + or - is only safe if it is percent-encoded
url = f"https://www.virustotal.com/api/v3/collections?filter={urllib.parse.quote(filters)}&order={urllib.parse.quote(order)}"
headers = {"accept": "application/json", "x-apikey": API_KEY}
response = requests.get(url, headers=headers)
response.raise_for_status()
objects = response.json()["data"]

Get the list of all Malware families curated by the Google TI specialists, targeting the Linux operating system and whose information was updated in the last 60 days, sorted by last modification date (most recent first).

import requests
import urllib.parse

API_KEY = "<api-key>"  # your Google TI API key

filters = "collection_type:malware-family operating_system:linux owner:'Google Threat Intelligence' last_modification_date:60d+"
order = "last_modification_date-"
url = f"https://www.virustotal.com/api/v3/collections?filter={urllib.parse.quote(filters)}&order={urllib.parse.quote(order)}"
headers = {"accept": "application/json", "x-apikey": API_KEY}
response = requests.get(url, headers=headers)
response.raise_for_status()
objects = response.json()["data"]

Get the list of all Software or Toolkits targeting the Windows operating system that are backdoors used in botnets, sorted by relevance with the most relevant objects first.

import requests
import urllib.parse

API_KEY = "<api-key>"  # your Google TI API key

filters = "collection_type:software-toolkit operating_system:windows detection:backdoor malware_role:botnet"
order = "relevance-"
url = f"https://www.virustotal.com/api/v3/collections?filter={urllib.parse.quote(filters)}&order={urllib.parse.quote(order)}"
headers = {"accept": "application/json", "x-apikey": API_KEY}
response = requests.get(url, headers=headers)
response.raise_for_status()
objects = response.json()["data"]

Get the list of all Campaigns targeting China whose name or description mentions the word "ransomware", sorted ascending by last modification date.

import requests
import urllib.parse

API_KEY = "<api-key>"  # your Google TI API key

filters = "collection_type:campaign (name:ransomware or description:ransomware) targeted_region:CN"
order = "last_modification_date+"
# quote() encodes the trailing + as %2B; left raw, the server would decode it as a space
url = f"https://www.virustotal.com/api/v3/collections?filter={urllib.parse.quote(filters)}&order={urllib.parse.quote(order)}"
headers = {"accept": "application/json", "x-apikey": API_KEY}
response = requests.get(url, headers=headers)
response.raise_for_status()
objects = response.json()["data"]