All news with #virustotal tag

Mon, November 3, 2025

Month of VT Search: Unlimited GUI Searches in November

🔍 This November VirusTotal is offering uncapped GUI searches for all Enterprise customers, allowing manual queries through the web interface without consuming quota. Take this opportunity to experiment with VirusTotal Intelligence search modifiers to pivot across hashes, domains, IPs, and URLs, hunt for related samples, and uncover campaign infrastructure. API interactions will continue to consume quota, while daily shared queries and community tips — tagged #MonthOfVTSearch — will help users explore advanced search techniques.

Thu, October 23, 2025

Hugging Face and VirusTotal: Integrating Security Insights

🔒 VirusTotal and Hugging Face have announced a collaboration to surface security insights directly within the Hugging Face platform. When browsing model files, datasets, or related artifacts, users will now see multi‑scanner results including VirusTotal detections and links to public reports so potential risks can be reviewed before downloading. VirusTotal is also enhancing its analysis portfolio with AI-driven tools such as Code Insight and format‑aware scanners (picklescan, safepickle, ModelScan) to highlight unsafe deserialization flows and other risky patterns. The integration aims to increase visibility across the AI supply chain and help researchers, developers, and defenders build more secure models and workflows.

Tue, October 21, 2025

VirusTotal Success: SEQRITE APT Hunting Case Studies

🔎 SEQRITE's APT-Team describes how they used VirusTotal to pivot from isolated clues to comprehensive campaign mapping, tracking UNG0002, Silent Lynx, and DRAGONCLONE between May 2024 and May 2025. Their work combined malware configuration extraction, LNK metadata, code-sign certificate pivots, YARA and Sigma rules, and Livehunt queries to surface related samples and previously unreported implants. The post highlights practical hunting queries and pivots — public key and LNK-ID searches, submitter geofilters, and malware_config values — that enabled attribution and expanded detection across multiple Asian geographies.

Wed, October 8, 2025

VirusTotal simplifies access with contributor tiers

🤝 VirusTotal announces simplified access and tiered pricing to keep the platform open and sustainable. The update preserves a robust, free VT Community tier for researchers and educators while introducing a dedicated Contributor Tier for engine partners that includes blindspot feeds, priority support, and early feature access. New paid tiers (VT Lite, VT Duet) target small teams and large organizations respectively, with pricing aligned to usage and contribution.

Tue, September 30, 2025

Advanced Threat Hunting with LLMs and the VirusTotal API

🛡️ This post summarizes a hands-on workshop from LABScon that demonstrated automating large-scale threat hunting by combining the VirusTotal API with LLMs inside interactive Google Colab notebooks. The team recommends vt-py for robust programmatic access and provides a pre-built "meta Colab" that supplies Gemini with documentation and working code snippets so it can generate executable Python queries. Practical demos include LNK and CRX analyses, flattened dataframes, Sankey and choropleth visualizations, and stepwise relationship retrieval to accelerate investigations.

Sat, September 6, 2025

VirusTotal Uncovers SVG-based Judicial Portal Phishing

🔍 VirusTotal's AI Code Insight detected a sophisticated phishing campaign that hid malicious JavaScript inside SVG images to impersonate Colombia's judicial system. The SVGs rendered fake portal pages with a bogus download progress bar and displayed a password for a protected ZIP archive that contained malware artifacts. The archive included a renamed Comodo Dragon executable, a malicious DLL, and two encrypted files; when the executable runs the DLL is sideloaded to install further malware. After adding SVG support, VirusTotal found 523 related SVGs that had evaded traditional antivirus detection.

Fri, September 5, 2025

Advanced Threat Hunting Workshop — Labscon 2025 LLMs

🔎 Our colleague Joseliyo Sánchez, together with SentinelOne researcher Aleksandar Milenkoski, will present a hands-on workshop at Labscon on automating large-scale threat hunting using the VirusTotal Enterprise API. Attendees will employ Python and Google Colab to process massive datasets, track APT behaviors, and apply LLMs to enhance analysis, query building, and visualizations. The session targets CTI analysts, threat hunters, incident responders, SOC analysts, and security researchers. A follow-up blog post will publish example exercises and materials for further learning.

Thu, August 28, 2025

Integrating Code Insight into Reverse Engineering Workflows

🔎 VirusTotal has extended Code Insight to analyze disassembled and decompiled code via a new API endpoint that returns a concise summary and a detailed description for each queried function. The endpoint accepts prior requests as a history input so analysts can chain, correct, and refine context across iterations. An updated VT-IDA plugin for IDA Pro demonstrates integration inside an analyst notebook, allowing selection of functions, iterative review, and acceptance of insights into a shared corpus. The feature is available in trial mode; results have been promising in testing but are not guaranteed complete or perfectly accurate, and community feedback is encouraged.

Fri, January 10, 2025

Turning Threat Research into Practical VirusTotal Detections

🔎 Detection engineering guidance for researchers and defenders. This post shows how VirusTotal can be used to hunt for recent, sandboxed samples and derive behavioral Sigma rules by combining targeted VT queries, sandbox logs (CAPE/Zenbox), and manual analysis. Using Lummac and VenomRAT examples, the team created experimental Sigma detections for process execution (more.com/vbc.exe) and suspicious .conf file creation to aid SOCs and hunting teams.

Thu, November 21, 2024

VirusTotal IP Address Change and TLS Provider Update

🔔 VirusTotal is changing the IP address for www.virustotal.com from 74.125.34.46 to 34.54.88.138, with a gradual rollout beginning on November 25. If you currently allowlist or have hardcoded the previous IP in firewalls or proxies, update your rules to include the new address to avoid service interruptions. We are also replacing our DigiCert wildcard TLS certificate with a Google Trust Services single-host certificate, so update any certificate signer or subject validations accordingly. Note that the Big Files upload flow returns URLs on bigfiles.virustotal.com, which is served via a ghs.googlehosted.com load balancer using dynamic IP resolution; ensure your controls permit DNS-based resolution for those endpoints rather than pinning a fixed IP.

Mon, October 21, 2024

JA4 Client Fingerprinting Enhances VirusTotal Hunting

🔍 VirusTotal has added JA4 client fingerprinting to improve malware tracking and analysis. By extracting stable characteristics from the TLS Client Hello — including TLS version, cipher suites, extensions, and ALPN — JA4 is designed to be resilient to the extension randomization that reduced JA3's reliability. Analysts can pivot on these fingerprints using the platform's behavior_network modifier, run wildcard queries for partial matches, and automate detections with YARA rules that leverage the vt module.
