All news with #virustotal tag

🔍 VirusTotal's AI Code Insight detected a sophisticated phishing campaign that hid malicious JavaScript inside SVG images to impersonate Colombia's judicial system. The SVGs rendered fake portal pages with a bogus download progress bar and displayed a password for a protected ZIP archive that contained malware artifacts. The archive included a renamed Comodo Dragon executable, a malicious DLL, and two encrypted files; when the executable runs the DLL is sideloaded to install further malware. After adding SVG support, VirusTotal found 523 related SVGs that had evaded traditional antivirus detection.

🔎 Our colleague Joseliyo Sánchez, together with SentinelOne researcher Aleksandar Milenkoski, will present a hands-on workshop at Labscon on automating large-scale threat hunting using the VirusTotal Enterprise API. Attendees will employ Python and Google Colab to process massive datasets, track APT behaviors, and apply LLMs to enhance analysis, query building, and visualizations. The session targets CTI analysts, threat hunters, incident responders, SOC analysts, and security researchers. A follow-up blog post will publish example exercises and materials for further learning.

⚠️ Cybersecurity researchers warn of a phishing campaign using Scalable Vector Graphics (SVG) files that embed JavaScript to decode and inject a Base64-encoded HTML page impersonating Colombia's Fiscalía General de la Nación. VirusTotal identified 44 unique SVG samples that evaded antivirus detection and reported a total of 523 SVGs seen in the wild, with the earliest from August 14, 2025. Attackers relied on obfuscation, polymorphism, and large volumes of junk code to bypass static detections and used a fake progress/download flow to trigger a background ZIP download. The disclosure coincides with separate macOS-focused campaigns distributing the AMOS information stealer via cracked-software lures and Terminal-based installers that attempt to circumvent Gatekeeper protections.

🔍 VirusTotal’s Code Insight now parses SWF and SVG formats and quickly uncovered an undetected campaign impersonating the Colombian justice system. The tool differentiated a benign, heuristic-flagged SWF game from a malicious SVG that evaded all AV engines by hiding inline JavaScript which decodes and injects a Base64 phishing page and a ZIP dropper. Code Insight plus VirusTotal Intelligence exposed dozens of polymorphic SVGs and enabled a retrohunt linking hundreds of samples to the same campaign.

🔎 VirusTotal has extended Code Insight to analyze disassembled and decompiled code via a new API endpoint that returns a concise summary and a detailed description for each queried function. The endpoint accepts prior requests as a history input so analysts can chain, correct, and refine context across iterations. An updated VT-IDA plugin for IDA Pro demonstrates integration inside an analyst notebook, allowing selection of functions, iterative review, and acceptance of insights into a shared corpus. The feature is available in trial mode; results have been promising in testing but are not guaranteed complete or perfectly accurate, and community feedback is encouraged.

🛡️ VirusTotal ran a large-scale audit of 17,845 GitHub projects implementing the MCP (Model Context Protocol) using Code Insight powered by Gemini 2.5 Flash. The automated review initially surfaced an overwhelming number of issues, and a refined prompt focused on intentional malice marked 1,408 repos as likely malicious. Manual checks showed many flagged projects were demos or PoCs, but the analysis still exposed numerous real attack vectors—credential harvesting, remote code execution via exec/subprocess, supply-chain tricks—and recurring insecure practices. The post recommends treating MCP servers like browser extensions: sign and pin versions, sandbox or WASM-isolate them, enforce strict permissions and filter model outputs to remove invisible or malicious content.

🚀YARA-X 1.0.0 is now stable, delivering a Rust-based, memory-safe engine while preserving broad compatibility with existing YARA rules. YARA-X runs heavy regular expressions and deep loops roughly 5–10× faster than the legacy YARA 4.x engine and returns clearer, line-accurate error messages. The CLI adds colored output, JSON/YAML dumps, shell completions and a built-in formatter to improve tooling and developer workflows. VirusTotal reports stable, production use in Livehunt and Retrohunt at scale and encourages users to test and provide feedback.

🛡️ VirusTotal’s Code Insight now analyzes a broader set of software supply chain formats — including CRX, XPI, VSIX, Python WHL, NPM packages, and MCP protocol integrations. The tool inspects code logic to detect obfuscation, dynamic code fetching, credential theft, and remote command execution in extensions and packages. Recent findings include malicious Chrome and Firefox extensions, a deceptive VS Code extension, and compromised Python and NPM packages. This capability complements traditional signature- and ML-based classification by surfacing behavior-based risks.

🛡️ VirusTotal has extended Code Insights to analyze PDF files by correlating the document’s visible content with its internal object structure. The AI inspects object trees, streams, actions, and the human-facing layer (text/images) to surface both technical exploits and pure social-engineering lures. In early testing it flagged numerous real-world scams—fake debt notices, QR-based credential traps, vishing alerts, and fraudulent tax-refund notices—that traditional engines missed when files contained no executable logic.