< ciso brief />

All news with #virustotal tag

29 articles

AI Coding Agents Expand Developer Threat Surface Risks

🔍 AI coding agents now operate across IDEs, terminals, and extension runtimes, so defenders must expand focus beyond source code to repository files, instruction and runtime settings, and third‑party extensions that shape agent behavior. VirusTotal Code Insight and agentic threat intelligence apply semantic analysis to detect malicious intent in syntactically valid artifacts and link findings to broader campaigns and supply‑chain risks. Examples—weaponized tasks.json, malicious Skill.md, redirected settings.json endpoints, and sabotaged extensions—illustrate how semantics can enable exfiltration, privilege escalation, and stealthy attacker control.

Google Named a Leader in 2026 Gartner Cyberthreat IQ MQ

🔒 Google has been named a Leader in the 2026 Gartner Magic Quadrant for Cyberthreat Intelligence Technologies. The company highlights a unified ecosystem combining Mandiant, VirusTotal, Google infrastructure visibility and Gemini-powered agentic intelligence to detect and preempt threats. Google reports high signal accuracy, turnkey integrations with Security Operations, and combined human expertise to reduce false positives and accelerate response.

Integrating VirusTotal into AI Agent Decision Loops

🛡️ At VirusTotal we are integrating reputation and Code Insight directly into AI agent decision loops so agents can consult verdicts and context as part of their runtime behavior. Two community plugins, VT-sentinel (OpenClaw) and hermes-virustotal (Hermes), demonstrate the approach using the new VTAI API with compact responses and per-agent identities. Both MIT-licensed projects scan files, annotate hashes, and provide configurable privacy and enforcement presets so agents can quarantine, block, or proceed based on risk appetite.

Zombie ZIP evasion technique bypasses AV and EDR protections

🧟 A new 'Zombie ZIP' technique hides malware by declaring compressed entries as uncompressed, causing many AV and EDR engines to misinterpret DEFLATE data as raw bytes and miss signatures. Researcher Chris Aziz reported it bypassed 50 of 51 VirusTotal engines and published a PoC with sample archives. CERT/CC assigned CVE-2026-0866 and advises vendors to validate compression method fields and implement integrity checks.
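To make the advisory's mitigation concrete, here is an added example (it is not the researcher's PoC, not one of the published sample archives, and not any engine's code) that constructs a method-lied archive and then audits it the way CERT/CC suggests: check the declared compression method against what the bytes actually are, and check the header CRC against them. The names build_zombie_zip, audit_zip and try_raw_inflate are this example's own; it assumes entries without data descriptors and a single-entry archive for the patching step, and uses only the Python standard library.

```python
import io
import struct
import zipfile
import zlib

# Added example, not the researcher's PoC or any AV engine's code. It builds a constructed
# archive whose deflated entry is labelled STORED, then audits it: validate the method
# field against the bytes and run the integrity (CRC) check the header already carries.

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
ZIP_STORED, ZIP_DEFLATED = 0, 8


def build_zip(name: str, payload: bytes, method: int) -> bytes:
    """Write a well-formed single-entry archive with the given method (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", method) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def build_zombie_zip(name: str, payload: bytes) -> bytes:
    """Constructed sample: deflate the entry normally, then rewrite the method field in the
    local header (offset 8) and the central directory entry (offset 10) to STORED.
    CRC and sizes are left as the writer set them, so the CRC still describes the payload."""
    data = bytearray(build_zip(name, payload, ZIP_DEFLATED))
    local = data.find(LOCAL_SIG)       # single-entry assumption: first header is the entry
    central = data.find(CENTRAL_SIG)
    data[local + 8:local + 10] = struct.pack("<H", ZIP_STORED)
    data[central + 10:central + 12] = struct.pack("<H", ZIP_STORED)
    return bytes(data)


def iter_local_entries(data: bytes):
    """Yield (name, method, crc, raw_bytes) per local file header.
    Assumes general-purpose flag bit 3 (data descriptor) is clear, true for the samples."""
    off = 0
    while data[off:off + 4] == LOCAL_SIG:
        # method @ +8, crc @ +14, compressed size @ +18, name length @ +26, extra length @ +28
        method, crc, comp_size, name_len, extra_len = struct.unpack_from("<H4xII4xHH", data, off + 8)
        name = data[off + 30:off + 30 + name_len].decode("utf-8", "replace")
        start = off + 30 + name_len + extra_len
        yield name, method, crc, data[start:start + comp_size]
        off = start + comp_size


def try_raw_inflate(raw: bytes):
    """Return the inflated bytes if raw is exactly one complete raw-DEFLATE stream, else None."""
    d = zlib.decompressobj(-15)        # -15: raw deflate, no zlib header, as inside a ZIP
    try:
        out = d.decompress(raw)
    except zlib.error:
        return None
    return out if d.eof and not d.unused_data else None


def audit_zip(data: bytes) -> list:
    """Flag STORED entries whose bytes do not behave like stored data."""
    findings = []
    for name, method, crc, raw in iter_local_entries(data):
        if method != ZIP_STORED:
            continue
        reasons = []
        if zlib.crc32(raw) != crc:
            reasons.append("crc_mismatch")             # integrity: header CRC does not cover the bytes as stored
        inflated = try_raw_inflate(raw)
        if inflated is not None:
            reasons.append("stored_entry_inflates")    # method: STORED data should not be a valid DEFLATE stream
            if zlib.crc32(inflated) == crc:
                reasons.append("inflated_crc_matches_header")  # the CRC describes the hidden content
        if reasons:
            findings.append({"name": name, "reasons": reasons,
                             "hidden_size": len(inflated) if inflated else 0})
    return findings


if __name__ == "__main__":
    sample = build_zombie_zip("dropper.bin", b"MZ" + b"A" * 256 + b" constructed sample")
    for finding in audit_zip(sample):
        print(finding)
    # A reader that trusts the method field hands back the raw DEFLATE bytes, so signatures
    # on the payload never match; Python's zipfile only notices because it verifies the CRC.
    try:
        zipfile.ZipFile(io.BytesIO(sample)).read("dropper.bin")
    except zipfile.BadZipFile as exc:
        print("zipfile:", exc)
```

Both signals matter: an attacker who also rewrites the CRC to cover the raw bytes defeats the integrity check alone, while a truly stored entry that happens to parse as a complete DEFLATE stream is rare but possible, so the method check alone would be noisy. Treating a STORED entry that inflates cleanly, especially to data matching the header CRC, as a mislabelled entry and scanning the inflated bytes is the practical fix.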

APT28 Tied to CVE-2026-21513 MSHTML Zero-Day Exploit

🔍 Akamai links the Russia-linked actor APT28 to exploitation of CVE-2026-21513, a high-severity (CVSS 8.8) MSHTML security feature bypass that Microsoft patched in its February 2026 update. The flaw in ieframe.dll mishandles hyperlink navigation and can be weaponized by malicious HTML or LNK files to invoke ShellExecuteExW and run resources outside the browser sandbox. Akamai identified a sample uploaded to VirusTotal on 30 January 2026 tied to infrastructure associated with APT28, while Microsoft and Google intelligence teams reported real-world exploitation.

Weekly Cyber Recap: AI Skill Risks and Massive DDoS

🔐 This week's briefing highlights attackers abusing trust across AI agents, update channels, and developer ecosystems. OpenClaw announced a partnership with VirusTotal to scan ClawHub skills after researchers discovered malicious packages and explosive typosquatting growth. High‑impact incidents include a 31.4 Tbps AISURU DDoS, a Notepad++ updater compromise delivering the Chrysalis backdoor, and an RCE in Docker's Ask Gordon AI assistant. Security teams should prioritize update integrity, supply‑chain controls, and agentic AI hygiene.

OpenClaw Adds VirusTotal Scanning to ClawHub Skills

🔒 OpenClaw has integrated VirusTotal malware scanning into its ClawHub skills marketplace to automatically vet published skills. Packages are hashed and analyzed with Code Insight (powered by Gemini); benign skills are auto-approved, suspicious ones receive warnings, confirmed malicious skills are blocked, and published skills are re-scanned daily. The move responds to documented malicious extensions and unauthorized enterprise deployments, though OpenClaw stresses that scanning is not a complete defense against prompt injection or logic abuse.

OpenClaw Partners with VirusTotal to Scan ClawHub Skills

🛡️ OpenClaw has integrated VirusTotal scanning to inspect skills uploaded to its ClawHub marketplace, creating SHA-256 hashes for each skill and cross-checking them against VirusTotal's database. Bundles not matched are analyzed with VirusTotal Code Insight; benign verdicts are auto-approved, suspicious skills are flagged, and confirmed malicious items are blocked. OpenClaw also re-scans active skills daily but cautions this is not a complete defense against cleverly concealed prompt-injection payloads.

BreachForums user database leaked, exposing 323,986 records

🔓 On January 9, 2026, a database containing 323,986 BreachForums user records was published on a site named after the ShinyHunters gang, exposing usernames, email addresses, password hashes and IP addresses. The leak was accompanied by a roughly 4,400‑word manifesto from someone calling themselves "James", who names alleged cybercriminals and claims responsibility. The provenance and motive remain unclear, though the dump could provide law enforcement with investigative leads and highlights the limits of perceived anonymity on criminal forums.

Saved Searches Now Available in Google GTI and VirusTotal

🔍 The new Saved Searches feature is now live in Google Threat Intelligence (GTI) and VirusTotal, enabling analysts to store complex queries for reuse. Users can save multi-clause, tuned searches and share them with colleagues across their organization to preserve investigative logic and ensure consistency. The release includes public campaign searches from the #monthofgoogletisearch to help teams get started quickly.

Acronis on FileFix, SideWinder and Shadow Vector Campaigns

🔍 Acronis TRU describes practical VirusTotal hunting techniques used to track the FileFix ClickFix variant, the long-running SideWinder actor, and the Shadow Vector SVG campaign targeting Colombian users. Using Livehunt, content-based YARA rules, VT Diff, and metadata pivoting, analysts located clipboard-based web payloads, document exploits (CVE-2017-0199 and CVE-2017-11882), and judicial-themed SVG decoys. The post emphasizes iterative rule tuning, Retrohunt for timelines, and infrastructure pivots that convert fragmented indicators into actionable intelligence.

AI-Powered Mach-O Analysis Reveals Undetected macOS Threats

🔎 VirusTotal ran VT Code Insight, an AI-based Mach-O analysis pipeline, against nearly 10,000 first-seen Apple binaries in a 24-hour stress test. By pruning each binary's Binary Ninja HLIL into a distilled representation that fits a large LLM context (Gemini), the system produces single-call, analyst-style summaries from raw files with no metadata. Code Insight flagged 164 samples as malicious versus 67 by traditional AV, surfacing zero-detection macOS and iOS threats while also reducing false positives.

Month of VT Search: Unlimited GUI Searches in November

🔍 This November VirusTotal is offering uncapped GUI searches for all Enterprise customers, allowing manual queries through the web interface without consuming quota. Take this opportunity to experiment with VirusTotal Intelligence search modifiers to pivot across hashes, domains, IPs, and URLs, hunt for related samples, and uncover campaign infrastructure. API interactions will continue to consume quota, while daily shared queries and community tips — tagged #MonthOfVTSearch — will help users explore advanced search techniques.

Hugging Face and VirusTotal: Integrating Security Insights

🔒 VirusTotal and Hugging Face have announced a collaboration to surface security insights directly within the Hugging Face platform. When browsing model files, datasets, or related artifacts, users will now see multi‑scanner results including VirusTotal detections and links to public reports so potential risks can be reviewed before downloading. VirusTotal is also enhancing its analysis portfolio with AI-driven tools such as Code Insight and format‑aware scanners (picklescan, safepickle, ModelScan) to highlight unsafe deserialization flows and other risky patterns. The integration aims to increase visibility across the AI supply chain and help researchers, developers, and defenders build more secure models and workflows.
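As an added illustration of what a format-aware pickle scanner looks for (this is example code, not picklescan, safepickle or ModelScan, and not VirusTotal's integration), the following walks a pickle's opcode stream with the standard-library pickletools module, never unpickling it, and flags import opcodes that resolve to code-execution callables followed by a REDUCE that would call them. The DANGEROUS_GLOBALS list, the audit_pickle function and the constructed sample payload are this example's own assumptions; production scanners carry far longer lists and model the memo, which this example only approximates.

```python
import pickle
import pickletools

# Added example in the style of format-aware pickle scanners; not the code of picklescan,
# safepickle or ModelScan. Walks opcodes with pickletools.genops, so nothing is executed.

# (module, name) pairs that hand a deserializer arbitrary code execution. Illustrative,
# not exhaustive; '__builtin__' covers the protocol < 3 spelling of 'builtins'.
DANGEROUS_GLOBALS = {
    ("builtins", "eval"), ("builtins", "exec"), ("builtins", "__import__"),
    ("__builtin__", "eval"), ("__builtin__", "exec"),
    ("os", "system"), ("posix", "system"), ("nt", "system"),
    ("subprocess", "Popen"), ("subprocess", "check_output"), ("subprocess", "run"),
}
STRING_OPCODES = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
                  "STRING", "SHORT_BINSTRING", "BINSTRING"}
CALL_OPCODES = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX"}


def audit_pickle(blob: bytes) -> list:
    """Return (reason, detail) findings for a pickle byte string without loading it."""
    findings = []
    recent_strings = []   # string constants pushed so far; STACK_GLOBAL reads its operands from the stack
    imported = []         # (module, name) pairs resolved from GLOBAL / STACK_GLOBAL
    for opcode, arg, pos in pickletools.genops(blob):
        if opcode.name in STRING_OPCODES:
            recent_strings.append(arg)
            continue
        if opcode.name == "GLOBAL":            # protocol <= 3: genops renders the operand as "module name"
            module, name = arg.split(" ", 1)
        elif opcode.name == "STACK_GLOBAL":    # protocol >= 4: module and name are the last two string pushes
            if len(recent_strings) < 2:
                # Operands came via memo references this heuristic does not model: treat as suspicious.
                findings.append(("unresolved_stack_global", f"offset {pos}"))
                continue
            module, name = recent_strings[-2], recent_strings[-1]
        elif opcode.name in CALL_OPCODES:
            if any(pair in DANGEROUS_GLOBALS for pair in imported):
                findings.append(("call_of_dangerous_global", f"{opcode.name} at offset {pos}"))
            continue
        else:
            continue
        imported.append((module, name))
        if (module, name) in DANGEROUS_GLOBALS:
            findings.append(("dangerous_import", f"{module}.{name} at offset {pos}"))
    return findings


class _ConstructedPayload:
    """Constructed sample, never loaded here: __reduce__ makes pickle emit a call to builtins.eval."""

    def __reduce__(self):
        return (eval, ("print('constructed payload executed')",))


def constructed_samples() -> dict:
    """Constructed inputs: the same payload in GLOBAL (proto 3) and STACK_GLOBAL (proto 4) form,
    plus a benign weights-style dict with no imports at all."""
    return {
        "malicious_proto3": pickle.dumps(_ConstructedPayload(), protocol=3),
        "malicious_proto4": pickle.dumps(_ConstructedPayload(), protocol=4),
        "benign": pickle.dumps({"weights": [0.1, 0.2], "name": "layer1"}, protocol=4),
    }


if __name__ == "__main__":
    for label, blob in constructed_samples().items():
        print(label, audit_pickle(blob))
```

The point a practitioner should take from this is that the dangerous part of a model file is not a byte signature but a control-flow fact (an import of a callable followed by a call), which is why hash lookups alone are weak against pickles and why the page pairs multi-scanner results with format-aware tools.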

VirusTotal Success: SEQRITE APT Hunting Case Studies

🔎 SEQRITE's APT-Team describes how they used VirusTotal to pivot from isolated clues to comprehensive campaign mapping, tracking UNG0002, Silent Lynx, and DRAGONCLONE between May 2024 and May 2025. Their work combined malware configuration extraction, LNK metadata, code-sign certificate pivots, YARA and Sigma rules, and Livehunt queries to surface related samples and previously unreported implants. The post highlights practical hunting queries and pivots — public key and LNK-ID searches, submitter geofilters, and malware_config values — that enabled attribution and expanded detection across multiple Asian geographies.

Navigating Public Sector Cybersecurity: AI and Zero Trust

🔒 Writing as CSO for Google Public Sector, the author frames an urgency-driven approach to modern government security, emphasizing AI-powered threat detection, Zero Trust engineering, and a shared responsibility model. The post highlights how Google Security Operations (FedRAMP High), fused threat intelligence from VirusTotal and Mandiant, and fast incident response strengthen mission continuity. It stresses that legacy defenses are insufficient against AI-enhanced adversaries and calls for proactive, intelligence-led modernization.

VirusTotal simplifies access with contributor tiers

🤝 VirusTotal announces simplified access and tiered pricing to keep the platform open and sustainable. The update preserves a robust, free VT Community tier for researchers and educators while introducing a dedicated Contributor Tier for engine partners that includes blindspot feeds, priority support, and early feature access. New paid tiers (VT Lite, VT Duet) target small teams and large organizations respectively, with pricing aligned to usage and contribution.

VirusTotal Crowdsourced AI Adds Exodia Labs for .CRX

🔍 VirusTotal has added Exodia Labs to its Crowdsourced AI lineup to provide automated analysis of Chrome extension (.CRX) files. The new contributor issues a clear verdict — benign, suspicious, or malicious — alongside a behavioral narrative to complement existing AI streams such as Code Insight. Exodia Labs results are indexed in VirusTotal Intelligence with dedicated search operators and surface in the web UI to help analysts rapidly triage extension-related threats.

Advanced Threat Hunting with LLMs and the VirusTotal API

🛡️ This post summarizes a hands-on workshop from LABScon that demonstrated automating large-scale threat hunting by combining the VirusTotal API with LLMs inside interactive Google Colab notebooks. The team recommends vt-py for robust programmatic access and provides a pre-built "meta Colab" that supplies Gemini with documentation and working code snippets so it can generate executable Python queries. Practical demos include LNK and CRX analyses, flattened dataframes, Sankey and choropleth visualizations, and stepwise relationship retrieval to accelerate investigations.

CHILLYHELL macOS Backdoor and ZynorRAT Cross-Platform RAT

🔍 Researchers have identified two malware strains: a modular macOS backdoor named CHILLYHELL and a Go-based cross-platform RAT called ZynorRAT. Jamf Threat Labs links CHILLYHELL to UNC4487, noting extensive host profiling, multiple persistence techniques, timestomping, and multi-protocol C2 over HTTP and DNS. The notarized CHILLYHELL sample (uploaded to VirusTotal on May 2, 2025) underscores that signed binaries can be malicious. Sysdig analysis shows ZynorRAT is managed via a Telegram bot and supports file exfiltration, screenshots, system enumeration, and persistence on Linux and Windows.