Malware detonation is a core process that Group-IB uses for automated malware analysis. The technology is natively embedded in Managed XDR and Business Email Protection. The tool delivers a unique detection rate, extracts indicators of compromise (IoCs) automatically, discovers threat actors’ TTPs, and attributes threats. In order to keep up with the ever-changing threat landscape, Group-IB constantly updates and evolves its Malware Detonation Platform to ensure that its clients are aware of any new and unknown threats and have all the tools to respond to them.
Refined Virtual Machine Morphing Technology allows for an exact imitation of a real environment

Figure 1: Morphing profile creation in the interface of Group-IB Business Email Protection
With the Group-IB Malware Detonation Platform, a user can apply arbitrary settings to the virtual machines (VMs) used for malware analysis. A morphing profile can be set up so that the virtual machine appears almost identical to a host in the organization’s real infrastructure.
The VM Morphing Technology lets the virtual machines connect to a domain controller (DC) with a specific name, use arbitrary usernames and computer names, and run with a system language that matches your company’s OS images and location. To provide maximum coverage for our clients, we have added over 30 new languages:
- Arabic
- Bulgarian
- Chinese (Simplified)
- Chinese (Traditional)
- Croatian
- Czech
- Danish
- Dutch
- Estonian
- Finnish
- French
- German
- Greek
- Hebrew
- Hungarian
- Italian
- Japanese
- Korean
- Latvian
- Lithuanian
- Norwegian
- Polish
- Portuguese (Brazil)
- Portuguese (Portugal)
- Romanian
- Serbian (Latin)
- Slovak
- Slovenian
- Spanish
- Swedish
- Thai
- Turkish
- Ukrainian
Once a morphing profile is created, you can use it to automatically analyze email attachments, network traffic, endpoints, and other sources supported with Managed XDR integrations, as well as for files uploaded via API or manually.
Virtual machine morphing technology helps to detect advanced attacks even if adversaries use evasion techniques, such as system checks, to discover virtual environments. With Group-IB Managed XDR, you can identify such threats, detonate suspicious files, and extract actionable intelligence from the samples.
In Figures 2 and 3 below, Magniber (sha1: 93619242ed888edfa3871035e0668cffa3643420) – a highly targeted ransomware strain designed to attack targets exclusively in South Korea – executes and detonates correctly only when run on a machine with a Korean locale. The sample can be detected statically, but Group-IB Managed XDR provides a considerably better result: with a pre-configured morphing profile, the attack executes automatically, and the intelligence it reveals is extracted subsequently.

Figure 2: Unsuccessful detonation of the Magniber ransomware on the default image

Figure 3: Solid detection and complete detonation of the Magniber ransomware on the image with Korean locale
Computer vision and other features to analyze human interaction attacks

Figure 4: Detonation of a file that requires human interaction (click) in the Managed XDR interface
Social engineering attacks usually require human interaction, such as clicking a button to execute a malicious macro or tapping a link that redirects a specific target to the payload, among others. Group-IB’s Malware Detonation Platform combines several technologies that detonate such files efficiently and automatically:
- Computer vision for button recognition, even including decoy images masquerading as buttons
- Automatic running of macros, depending on the expected user behavior
- Interactive access to the virtual machine desktop for performing any manual interaction
For example, the file shown in Figure 5 below runs a macro only if an image mimicking a button is clicked. Group-IB Managed XDR automatically recognizes the image as a button and detonates the file. The screenshots below show the difference between the computer vision button recognition feature being disabled and enabled.

Figure 5: Malware analysis completed when Managed XDR’s button recognition feature is disabled

Figure 6: Malware analysis completed when Managed XDR’s button recognition feature is enabled
If any other arbitrary interaction is needed, users can connect directly to the virtual machine desktop at runtime and perform the required action. This feature is accessed through the embedded RDP client or with a .rdp file and any native RDP client software.
Automated extraction of malware artifacts and configs
Another new feature of the Malware Detonation Platform report gives analysts access to all artifacts related to the detonation: files from the sample’s file structure, files created during detonation, registry keys, mutexes, network indicators, and memory fragments. End-to-end search and mapping of related processes are available. This data can be exported via API and used in external systems for threat hunting and automated response.
The example below (Figure 7) shows the successful detonation of the Loki PWS malware sample (sha1: 8247a571f464aadfc1ccbed4c3221316246a1fcc). The system automatically extracted a number of artifacts, including the malware’s configuration and its predefined commands, along with a C&C servers list.

Figure 7: Detonation and automated extraction of artifacts from the Loki PWS sample
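As an added example that is not Group-IB’s code, the following Python sketches the two workflows described above: comparing a default-image run with a locale-morphed run to flag samples that gate their payload on the environment (as Magniber does), and normalizing the extracted artifacts into a deduplicated indicator set ready for hunting. The report dictionaries, their field names and every value in them are constructed assumptions, not the platform’s report schema or API.

```python
# Constructed example (not Group-IB's report schema or API): compare two runs
# of one sample, a default image and a ko-KR morphing profile, then export IoCs.
import ipaddress

# Constructed reports. 10.0.0.5 is the emulated domain controller of the
# morphing profile; its traffic belongs to the sandbox, not to the malware.
RUN_DEFAULT = {"profile": "default", "processes": ["sample.exe"], "files_created": [],
               "registry_keys": [], "mutexes": [], "network": ["10.0.0.5:389"]}
RUN_KO_KR = {
    "profile": "ko-KR",
    "processes": ["sample.exe", "cmd.exe", "wscript.exe"],
    "files_created": [r"C:\Users\user\Desktop\readme.txt",
                      r"C:\Users\user\Desktop\photo.jpg.locked"],
    "registry_keys": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"],
    "mutexes": [r"Global\constructed-mutex-1", r"Global\constructed-mutex-1"],
    "network": ["10.0.0.5:389", "127.0.0.1:8080", "203.0.113.10:8080",
                "payload.example:443", "Payload.EXAMPLE:80"],
}
ARTIFACT_KEYS = ("processes", "files_created", "registry_keys", "mutexes", "network")
SANDBOX_NETS = [ipaddress.ip_network(n) for n in
                ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def normalize_hosts(indicators):
    """Lower-case hosts, strip ports and drop the sandbox's own network."""
    hosts = set()
    for ind in indicators:
        host = ind.rsplit(":", 1)[0].lower()
        try:
            if any(ipaddress.ip_address(host) in net for net in SANDBOX_NETS):
                continue
        except ValueError:
            pass  # a hostname rather than an IP address: keep it
        hosts.add(host)
    return sorted(hosts)

def extract_iocs(report):
    """Deduplicated, hunting-ready indicators grouped by artifact type."""
    return {"hosts": normalize_hosts(report["network"]),
            "mutexes": sorted(set(report["mutexes"])),
            "registry_keys": sorted(set(report["registry_keys"])),
            "files": sorted(set(report["files_created"]))}

def activity_count(report):
    return sum(len(report[k]) for k in ARTIFACT_KEYS)

def environment_sensitive(baseline, morphed, ratio=3.0):
    """True when the morphed profile triggers far more activity than the default
    image, i.e. the sample gates its payload on the environment (cf. Magniber)."""
    return activity_count(morphed) >= ratio * max(activity_count(baseline), 1)
```

Running `extract_iocs` on a report from each morphing profile and comparing the results shows which locale actually triggered the payload, which is the step a hunter needs before pushing indicators downstream.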
Conclusion
With the new and enhanced functionalities of Group-IB’s Malware Detonation Platform, analysts can conduct a more accurate and in-depth assessment of malicious files and links, detect complex attacks using detection evasion techniques, and automatically extract analysis results. These features allow you to significantly improve your defense against cyber attacks and save your company’s resources.
The Malware Detonation Platform comes as part of Group-IB Managed XDR and Business Email Protection. The Managed XDR solution monitors the company’s entire infrastructure to identify cyber threats and empowers information security professionals to respond to attacks immediately.