Public API sandbox requests now have an "auto" option, which enables you to automatically fill the configuration for dynamic scan. This simplifies the submission process and ensures optimal scan settings.

Submission Report Configuration Visibility

Submission report configuration is now visible in the submission page! Get complete transparency into how your scans are configured.

Submission Entrypoint Visibility

Submission entrypoint is now available in the submission page! You can see which file has been selected in ZIP, RAR, TAR.GZ, and other countless compressed files to be executed in the dynamic scan environment and other analysis

Now files that you’ve sent is can be double checked by Dynamic MIMEType Checker! Enable it to analyze file by its real extension!

Static Scanner is Accepting All Kinds of Files!

Last release we have released Threat.Zone Static Scanner and it is loved by our users. But extension limitation was there and it really bothered us. Now Threat.Zone Static Scanner accepts all kinds of files!

Download HTML Report from Public API!

We had the functionality of downloading the HTML Report from the UI but one of our API users told us that it would be awesome to have this functionality in Public API too, so we added it!

Enhancements

• Two Factor Modal’s look has changed!

Bug Fixes

• CSI Module had a Start Action problem, fixed.

• Login modal had a problem that it was appearing to the authenticated users, fixed.

• 500 page was appearing on not-buggy situations, fixed.

Since we’ve added new functionality to our system, which is Static Scan, we want our scan page to be much more flexible. Check it out at this link!

Automatic Hash Detection at Submissions

We had a search bar where you choose the hash type and type the hash, click the search button blah blah. Now just copy and paste the hash to the search table, and you are good to go!

New Submissions Page UI!

Public and My Submissions pages are critical for us and our users cause’ it is the place where you discover new malware samples. So we thought that maybe we can create a better experience by adding filtering to labels and doing minor UI changes. You can check it out and give us feedback!

Re-Analyze Submission Has a Brand New Experience Right Now!

Since we add Static Scan to our system, it was obvious that re-analyze should change too. We changed the whole experience about it and right now you can scan both statically and dynamically a submission, depending on their size/extension too.

Download Samples from Public API!

We had the functionality of downloading the sample from the UI but one of our API users told us that it would be awesome to have this functionality in Public API too, so we added it!

Enhancements

• PCAP Analyzer is tracking network requests much more precisely right now.

Bug Fixes

• There were some extension problems while trying to install additional files from Public API, fixed.

• Listing submissions from the Public API functionality had some problems with MIMETypes, fixed.

‍

From now on, we’ve enabled our Free Plan users to download Additional Files(Memory Dumps, PCAP Dumps), Submission Sample and HTML Report!

Filter Submissions via clicking to Charts!

We got some feedback from our users that was about the charts above the public/my submissions tables. They told us that it would be awesome if pie chart become clickable and has filtering function, we thought the same and did it, check it out from this link!

Install Additional Files from Public API!

Now you can install additional files from our Public API! Check our plans page to see which of our plans have API Support!

Check our VM Timer!

In submission cycle, we have a part that you can connect to the VM environment via VNC and see what is going on inside the VM, now you can see how many time remains before VM is killed! Experience it by submitting a file to the Threat.Zone!

Enhancements

• Added Plan & Modules to the Settings Section! Now you can see how many modules you have, details about your plan and modules.

• Now you can undo filters at Submissions section!

Bug Fixes

• Public API had a problem about sending document links, fixed.

• There was an error about public submissions order in Public API, fixed.

• Threat.Zone Public API had a wrong date issue while submitting files, fixed.

• Public API had a mimetype problem, fixed.

• Submissions Search Bar had a problem that results in disfunctionality in “enter” key, fixed.

Here is a quick review of how we show Real Filename & SHA256 of the given file, also "benign" tag is added after the file is found on the database!

Bug Fixes

Cookie Error in the Firefox browser has been resolved, improving the overall browsing experience within our analysis environment.

Scroll to the Infinity - Strings

Now you are able to see strings part as a infinite scroll page! All you have to do is scroll at the strings part, you can see all of the strings that file has.

14 Days of Comfort - Research Plan Free Trial!

Now you can try research plan for 14 days! Just go to the Plans page and click the button, and charm happens!

Download Report by Parts

Since the previous version released users are able to download files about the submission but not the report itself. Now you can download the report parts just by clicking the button next to the report part headings!

Enhancements

• CSI Module has a timer now! You can see the remaining time of your session at the top-right corner.

• Modules at the Market section has videos! Now you can see the modules in the action before buying them.

• Navigator at the top-right is updated.

Bug Fixes

• A bug at the behaviour part, which results in users couldn’t type after coming from the Mitre ATT&CK table, fixed.

• Filename regex had a special character problem, fixed.

• Threat.Zone Public API had a wrong date issue while submitting files, fixed.

While developing Threat.Zone, we have focused on both preemptive measures and post-incident responses. Alongside our detailed submission page for gathering submission details, we have also introduced a new module called "Hunting.”

In the Hunting module, we began development with the YARA Generator Engine. Now, for every submission sent to Threat.Zone, a YARA Rule will be automatically generated.

This allows you to view YARA Rule generated for the sample and download it!

‍

Network Configurations | Proxy, OpenVPN and Wireguard

Malware often checks the victim's region, utilizing this information in diverse ways. With the new Network Configuration page on Threat.Zone, you now have the freedom to use Proxy or VPN configuration you prefer in your Dynamic Analysis.

Once you click on the configurations tab, you can view your existing network configurations and create new ones. We provide three options for changing the network configuration for your analysis VM, Proxy OpenVPN and Wireguard.

Once you've created a configuration, when you start a new scan process, you'll find your created network configurations at the bottom. Upon selection and submission, your interactive VM will utilize this configuration for its network settings.

‍

Static Scan Improvements | YARA Match & Strings

We've made significant enhancements to the scoring capabilities of Threat.Zone's Static Scan. By refining the YARA rules, we've seen a remarkable increase in scoring accuracy and matching capabilities.

Additionally, when you submit samples to Threat.Zone's Static Scan, you'll now notice that your submission is tagged with possible malware families and types.

These updates are designed to equip you with amazing tools and insights to enhance your threat analysis endeavors. We remain dedicated to continually improving Threat.Zone to better address your security requirements. If you haven't registered yet, you can do so here.

First of all you will be given the default email & password, at first it would be these:

Email: [email protected]

Password: Will be given to you.

Once logged in, you will be directed to the main interface where you can submit files for analysis:

As you can see, in this page you will send the file to the system and start the analysis journey. After you've send the submission, there would be two main options:

1. If file is a Compressed File:

System will get your Compressed file(tar.gz, zip, tar, rar etc.) and ask an optional password from you. After you pass your password, if the password is correct, you will see a page like this:

The entrypoint of a compressed file is used for executing which file when doing the Dynamic Analysis.

Static Analysis of the compressed files could be limited, because the whole compressed file is passed to the Static Analyzer, would be a good idea to send the entrypoint directly to the Static Analyzer to get the appropriate result from it.

You will see the config screen after selecting the entrypoint.

1. If file is Not a Compressed File - Config Screen

Now, you will see the analysis options, you can change them based of your choices.

After clicking the "Launch the Submission" button, your submission will start and system will update the statuses of the both Dynamic & Static Analysis in live mode, so make sure your browser supports Websocket.

Admin Panel Access

The admin panel of the Threat.Zone would be accessible at:

$IP_OR_DOMAIN:9443/

You can access the main page of the admin after passing the default credentials:

Email: [email protected]

Password: Malwation123!

Admin panel is the main control mechanism above Threat.Zone, you can:

• Create New Users: New users can access to Threat.Zone by adding them via Admin Panel and assigning plans to them or they can register from the main panel(443) and admin can assign them appropriate plans.

• Assigning Plan to the User(s): By default, new users will be assigned to the Free plan, you can change it from the "Users>User Detail>Plan and Modules"

• Checking Worker Core Count: Core count is critic when dealing with big loads of submissions & troubleshooting the "Received" state of the submission(s).

• Checking Submissions

• Creating Organizations

Minor Issues & Solutions

Worker Service Stuck Cores - Submissions at "Received" State

ThreatZone efficiently manages concurrent file processing by allocating CPU cores per submission in Dynamic Analysis (no restrictions apply to Static Scan or CDR). By default, the system imposes limits on maximum concurrent processing to optimize performance. These are the maximum concurrent limitations on sandboxes:

• Windows Sandbox: 20

• Linux Sandbox: 10

• MacOS Sandbox: 10

• Android Sandbox: 10

When you hit that count, wait for them to finish, or for new submission Threat.Zone will automatically queues them.

VNC Connection Break Problem

If you encounter an error while accessing a machine’s VNC during an "In Progress" submission (e.g., "There is an unexpected error"), it may be due to a broken connection. The simplest solution is to refresh the page.

For further assistance, please contact the support team.

Installation Steps

1. Run Installation Script

2. User Inputs Required

Proxy Configuration (Optional)

• y: Continue to proxy setup

• n: Skip proxy configuration

If y selected:

• Enter proxy server IP/hostname (e.g., 192.168.1.100 or proxy.company.com)

• Enter proxy port (1-65535, e.g., 3128, 8080)

• Confirm configuration

Example:

File Replacement Confirmations

During proxy configuration, the script may find existing configuration files. You'll see prompts like:

Recommendations:

• y: Replace with new proxy settings (recommended for new installations)

• n: Keep existing configuration (use if you have custom settings)

Note: Original files are automatically backed up with timestamps (e.g., 99proxy.backup.20250804_143022)

Server IP Address

• Enter the external IP address where ThreatZone will be accessible

• This IP will be used for SSL certificates and service configuration

Examples:

• Public IP: 203.0.113.45

• Private network IP: 192.168.1.100

• Domain name: threatzone.company.com (if DNS is configured)

Important: Use the IP/domain that users will access ThreatZone from

SSL Certificate Configuration

If y selected:

• Provide full path to your private key file

• Provide full path to your certificate file

Examples:

Requirements:

• Files must exist and be readable

• Key file should be unencrypted

• Certificate should match the server IP/domain entered earlier

If n selected:

• Self-signed certificate will be generated automatically using the provided IP address

• Certificate will be valid for 365 days

• Browser will show security warnings (normal for self-signed certificates)

Installation Process

After user inputs, the script will:

1. Configure system proxy settings (if enabled)

2. Install Docker and configure proxy

3. Install K3s Kubernetes

4. Deploy all ThreatZone services

5. Configure networking and certificates

6. Start all required components

Post-Installation

• Reboot server when installation completes

• Access ThreatZone via: https://[EXTERNAL_IP]

Notes

• Installation takes 30-60 minutes depending on network speed

• All services will auto-start after reboot

• Proxy settings apply system-wide if configured

Troubleshooting

Common Issues

Invalid Proxy Port

Solution: Enter a numeric port between 1-65535 (common ports: 3128, 8080, 1080)

Missing Certificate Files

Solution: Verify certificate file paths exist and are accessible

File Permission Errors

Solution: Ensure running script with sudo for system file modifications

Configuration File Locations

After installation, proxy settings are stored in:

• /etc/apt/apt.conf.d/99proxy - APT package manager

• /etc/profile.d/proxy.sh - Shell environment

• /etc/systemd/system/docker.service.d/http-proxy.conf - Docker daemon

• /etc/systemd/system/containerd.service.d/http-proxy.conf - Containerd daemon

• /etc/systemd/system/k3s.service.env - Kubernetes

• /etc/environment - System-wide environment variables

• /threatzone/threatzone_proxy_config - Passed proxy host & port is stored here

Backup Files

All replaced configuration files are backed up with timestamps:

• Format: filename.backup.YYYYMMDD_HHMMSS

• Location: Same directory as original file

• Use these to restore previous settings if needed