Bug Fixes

• A critical bug related to Forgot Password has been resolved, huge thanks to @xryptc

Syscall Matches in Indicators

Indicators now produce syscall matches! You can identify which syscall has been called when an indicator is found in the system. This powerful correlation feature enhances your ability to understand malware behavior and system interactions.

Extended Static Scan Support

We've expanded our Static Scan capabilities to include APK and ELF file formats. You can now analyze Android applications and Linux executables without execution, providing deeper insights into potential threats across multiple platforms.

Public API Enhancement

Public API now provides access to behaviors! You can programmatically access submission behaviors, enabling better integration with your security workflows and automated analysis systems.

Bug Fixes

Concurrency issues that occasionally affected submissions have been resolved.

Threat.Zone is Launched!

Our newest platform is called Threat.Zone was launched on the 19th of August.

Open In Browser Feature

Open In Browser is here! Now, you can put a URL and open this URL in the dynamic scan environment to observe its behavior in a controlled setting.

Bug Fixes

Several important fixes have been implemented. We've fixed the URL Analysis IP Check, resolved submission chart performance issues, addressed URL Analysis protocol detection, and corrected User Agent problems affecting URL access.

Bug Fixes

• Static Scan Report had a color problem that resulted in grey colors when Malicious/Suspicious/Informative file comes, solved.

New Network Pages!

We've completely revamped our network analysis capabilities with dedicated pages for different network protocols. These enhanced views provide much more detailed analysis of malware network communication patterns.

Enhanced Network Analysis Capabilities

Our new network analysis pages provide comprehensive visibility into malware communications. View HTTP requests, monitor DNS queries for C2 detection, track TCP/UDP communications, identify network threats, and use our integrated Wireshark interface for detailed packet analysis.

Bug Fixes

Dynamic MIMEType check had some difficulties when determining the extension of some office (CFB) files. This issue has been resolved, ensuring more accurate file type detection and appropriate handling of various Microsoft Office formats.

URL Analysis Introduced!

We're excited to announce our new URL Analysis feature! Now you can easily analyze suspicious URLs directly in Threat.Zone, examining domain details, IP information, WHOIS data, and threat intelligence without risking your systems. The comprehensive dashboard provides detailed insights into website metadata, blacklist status, DNS records, SSL certificates, and extracted files.

Coming Soon: Virustotal URL Engine is on the way!

Filename Sanitization in Public API

Public API now sanitizes filenames, which resolves initialization errors during submission start. This ensures smoother operation when handling files with special characters or problematic names.

NSRL Database Check Added

We've added NSRL (National Software Reference Library) Database Check to Static Scan! This allows you to quickly identify known & benign files and focus on potentially malicious content.

Here is a quick review of how we show Real Filename & SHA256 of the given file, also "benign" tag is added after the file is found on the database!

Bug Fixes

Cookie Error in the Firefox browser has been resolved, improving the overall browsing experience within our analysis environment.

Threat.Zone Static Scan is Live!

Since we begin we only scanned the files in a sandbox, which we call dynamic scan. From now on, you can scan your files statically too! It is much faster, it can do static code analysis on your sample and returns with a comprehensive report.

New Scan Page UI!

Chunk-by-Chunk Upload Mechanism

For high file uploads, we've introduced a chunk-by-chunk upload mechanism. This allows for more reliable uploading of large files.

Download Optimization

Syscalls Monitoring Introduced

We've introduced comprehensive syscalls monitoring! Track system calls made by malware to gain deeper insights into its behavior and interaction with the operating system.

New Register Experience!

Some of our customers had problems while trying to register to our system, so we’ve created a brand new system. Right now users are getting verification code to their mails, which is much more easier!

Dynamic MIMEType Checker Implementation!

Now files that you’ve sent is can be double checked by Dynamic MIMEType Checker! Enable it to analyze file by its real extension!

Static Scanner is Accepting All Kinds of Files!

Last release we have released Threat.Zone Static Scanner and it is loved by our users. But extension limitation was there and it really bothered us. Now Threat.Zone Static Scanner accepts all kinds of files!

Download HTML Report from Public API!

We had the functionality of downloading the HTML Report from the UI but one of our API users told us that it would be awesome to have this functionality in Public API too, so we added it!

Enhancements

• Two Factor Modal’s look has changed!

Bug Fixes

• CSI Module had a Start Action problem, fixed.

• Login modal had a problem that it was appearing to the authenticated users, fixed.

• 500 page was appearing on not-buggy situations, fixed.

URL Analysis Added to Public API

URL Analysis capability is now available through our Public API! Integrate URL scanning directly into your security workflows and applications. You can access the docs here: https://app.threat.zone/public-api/docs

Auto Configuration for Dynamic Scan - Public API

Public API sandbox requests now have an "auto" option, which enables you to automatically fill the configuration for dynamic scan. This simplifies the submission process and ensures optimal scan settings.

Submission Report Configuration Visibility

Submission report configuration is now visible in the submission page! Get complete transparency into how your scans are configured.

Submission Entrypoint Visibility

Submission entrypoint is now available in the submission page! You can see which file has been selected in ZIP, RAR, TAR.GZ, and other countless compressed files to be executed in the dynamic scan environment and other analysis

🎯 FRIDAY UPDATE

We’ve just raised the bar for dynamic malware analysis — again.

Threat.Zone now supports files up to 3 GB for detonation, the highest limit among global sandboxes. Security teams in critical environments can finally analyze massive archives, installers, and virtual-disk images without size-related blind spots.

🚀 What’s New in This Release

Expanded File Support

• Up to 3 GB file detonation — no more blind spots for large installers, archives, or disk images.

Deep Artifact Harvesting

• Memory and file dumps from every run are now automatically processed and indexed for easier analysis.

Malware Config Extractor

• Extract campaign IDs, C2 servers, and other runtime configs directly from both samples and artifacts.

YARA Rule Matcher & Generator

• Instant rule matching against our internal rule-set.

• One-click custom YARA rule creation from any artifact with ease.

IoC Extractor

• Automatic extraction of domains, IPs, and hashes across samples, RAM, and dumped files.

Recursive Archive Handling

• Submit ZIP/RAR files, and each embedded file is detonated separately—no need for manual unpacking.

Full REST API Coverage

• Access indicators, YARA hits, artifacts, hybrid-analysis scores, and more via API—ready for SOAR, SIEM, or EDR pipelines.

Varist Hybrid Analyzer Integration

• Enhanced hybrid analysis, combining static and dynamic insights for deeper threat visibility.

🎬 See It in Action

• Multi-file archive demo →

• CryptoLocker sample with memory and file dumps →

We’re thrilled to help defenders eliminate size constraints and surface richer telemetry—enabling faster, more precise threat response. Got questions or feedback? Let’s talk!

🧠 Introducing ThreatZone MCP Server

We've published ThreatZone MCP—an MCP server that connects AI assistants directly with Threat.Zone's holistic malware analysis platform.

Key Capabilities:

• Submit files for analysis from within AI tools.

• Query results and reports using natural language.

• Retrieve IOCs, behavioral data, threat intelligence, execution logs, and network traffic.

• Generate automated threat assessment reports.

📥 Getting Started

Clone the MCP server repo and dive in:

📄 Ready for Production?

This release is packed with powerful upgrades aimed at empowering SOC, IR, and forensic teams. We recommend updating to v2.8.0 to take full advantage of:

• Superior file size support

• Enhanced telemetry and artifact processing

• Seamless integration via REST API and MCP for AI‑driven workflows

NEW UI! Market & Plans

Old plans page had a much more boring look, so we decided to change that. We also added the much popular plan that our users use!

Submission cycle has a fresh look!

Some of our users told us that submission cycle page (the page that you see after submitting a file) is too big for little data. Now it has a much more fresh look, check it with submitting a file to the !

Scroll to the Infinity - Strings

Now you are able to see strings part as a infinite scroll page! All you have to do is scroll at the strings part, you can see all of the strings that file has.

14 Days of Comfort - Research Plan Free Trial!

Now you can try research plan for 14 days! Just go to the page and click the button, and charm happens!

Download Report by Parts

Since the previous version released users are able to download files about the submission but not the report itself. Now you can download the report parts just by clicking the button next to the report part headings!

Enhancements

• CSI Module has a timer now! You can see the remaining time of your session at the top-right corner.

• Modules at the Market section has videos! Now you can see the modules in the action before buying them.

• Navigator at the top-right is updated.

Bug Fixes

• A bug at the behaviour part, which results in users couldn’t type after coming from the Mitre ATT&CK table, fixed.

• Filename regex had a special character problem, fixed.

• Threat.Zone Public API had a wrong date issue while submitting files, fixed.

Compressed File Entrypoint for Every Analysis

Previously, the entrypoint selected via the UI was used only for determining which file within a compressed archive to execute during Dynamic Scan analysis. However, the entire compressed file was sent to other analysis engines such as Static Scan, Emulations, and YARA Generator. With this latest update, we've enhanced our system so that the user-selected entrypoint is now also utilized by these analysis engines. This improvement simplifies and streamlines your analysis workflow, particularly when handling compressed files.

Landing Page Has a Fresh Look Now!

We've made a quite big update on our landing page! Check it out from here:

Dynamic MIMEType Check for Zip Content

When zip files are uploaded to our system, we now check the MIMETypes of the files inside the zip and set the extensions based on it. This ensures proper analysis of compressed content and improves detection accuracy.

Search Submissions by Tag

Now you can search through submissions with their tags! This powerful filtering option makes it easier to find and organize related samples for more efficient threat analysis.

Advanced Malware Traffic Analysis

With the new Advanced Malware Traffic Analysis feature, you will be able to access incredible amount of data regarding the malwares’ network related actions. You can access this feature after you go to the Dynamic Scan report, network tab.

You can now inspect the packets within the Dynamic Scan VM and apply filters. For guidance on filtering, check out the filtering guide here: Wireshark Filtering Guide

‍

Hunting Module | YARA Rule Generator

While developing Threat.Zone, we have focused on both preemptive measures and post-incident responses. Alongside our detailed submission page for gathering submission details, we have also introduced a new module called "Hunting.”

In the Hunting module, we began development with the YARA Generator Engine. Now, for every submission sent to Threat.Zone, a YARA Rule will be automatically generated.

This allows you to view YARA Rule generated for the sample and download it!

‍

Network Configurations | Proxy, OpenVPN and Wireguard

Malware often checks the victim's region, utilizing this information in diverse ways. With the new Network Configuration page on Threat.Zone, you now have the freedom to use Proxy or VPN configuration you prefer in your Dynamic Analysis.

Once you click on the configurations tab, you can view your existing network configurations and create new ones. We provide three options for changing the network configuration for your analysis VM, Proxy OpenVPN and Wireguard.

Once you've created a configuration, when you start a new scan process, you'll find your created network configurations at the bottom. Upon selection and submission, your interactive VM will utilize this configuration for its network settings.

‍

Static Scan Improvements | YARA Match & Strings

We've made significant enhancements to the scoring capabilities of Threat.Zone's Static Scan. By refining the YARA rules, we've seen a remarkable increase in scoring accuracy and matching capabilities.

Additionally, when you submit samples to Threat.Zone's Static Scan, you'll now notice that your submission is tagged with possible malware families and types.

These updates are designed to equip you with amazing tools and insights to enhance your threat analysis endeavors. We remain dedicated to continually improving Threat.Zone to better address your security requirements. If you haven't registered yet, you can do so .

Get Promotions along with Plans!

Starting from today, you will be able to get promotions if you buy a plan! Right now Researcher plan comes with CDR and CSI modules, Hunter Plan is coming with all of our 3 modules, which are MemProcFS, CDR and CSI.

Free Users can Download Files Now!

From now on, we’ve enabled our Free Plan users to download Additional Files(Memory Dumps, PCAP Dumps), Submission Sample and HTML Report!

Filter Submissions via clicking to Charts!

We got some feedback from our users that was about the charts above the public/my submissions tables. They told us that it would be awesome if pie chart become clickable and has filtering function, we thought the same and did it, check it out from !

Install Additional Files from Public API!

Now you can install additional files from our Public API! Check our page to see which of our plans have API Support!

Check our VM Timer!

In submission cycle, we have a part that you can connect to the VM environment via VNC and see what is going on inside the VM, now you can see how many time remains before VM is killed! Experience it by submitting a file to the !

Enhancements

• Added Plan & Modules to the Settings Section! Now you can see how many modules you have, details about your plan and modules.

• Now you can undo filters at Submissions section!

Bug Fixes

• Public API had a problem about sending document links, fixed.

• There was an error about public submissions order in Public API, fixed.

• Threat.Zone Public API had a wrong date issue while submitting files, fixed.

• Public API had a mimetype problem, fixed.