November is the Month of Searches: Explore, Learn, and Share with #MonthOfVTSearch

This November, we’re celebrating the power of VirusTotal Enterprise search!
All VirusTotal customers will enjoy uncapped searches through the GUI — no quota consumption for the entire month so long as it is manual searches via the web interface.

Whether you’re investigating malware campaigns, analyzing infrastructure, or tracking threat actor activity, this is your chance to search freely and explore advanced use cases using VirusTotal Intelligence.

Experiment with powerful VT search modifiers to uncover patterns, hunt for related samples, and pivot across hashes, domains, IP addresses, or URLs — without worrying about your quota.

What’s happening

• No quota consumption for all GUI searches during November (API interaction will continue to consume).
• Every day, we’ll share interesting and creative search queries on our LinkedIn and X channels using the hashtag #MonthOfVTSearch.
• We invite you to try these searches, interact with us, and share your own search tips and findings with the community.

Learn and level up

Make the most of this month to sharpen your threat-hunting skills:

• 📘 VirusTotal Documentation
• 🧾 VirusTotal Search Cheat Sheet

VT Intelligence Modifiers:

• File Search Modifiers
• URL Search Modifiers
• Domain Search Modifiers
• IP Search Modifiers

Example: Day 1 Search Query

To kick off #MonthOfVTSearch, here’s the first advanced query we’re sharing with the community:

(type:document) and (behavior_processes:*.ru* and behavior_processes:*DavSetCookie* and behavior_processes:*http*) and (behavior_network:*.ru* or embedded_domain:*.ru* or embedded_url:*.ru*)

What this query does:

This search helps identify document files that, when executed in a sandbox environment, show behavior consistent with potential malicious activity involving .ru infrastructure. It specifically looks for:

• Documents (type:document) that were uploaded to VT.
• During execution, they show process behavior containing:
• HTTP traffic (behavior_processes:*http*)
• The string DavSetCookie (often observed in HTTP request headers or custom cookie operations)
• And references to .ru domains
• And additionally, they show network or embedded indicators related to .ru domains via:
• Behavior-based network connections (behavior_network:*.ru*), or
• Embedded domains or URLs within the file (embedded_domain:*.ru*, embedded_url:*.ru*)

Join the community

Let’s make November a month of discovery and collaboration! Tag your posts with #MonthOfVTSearch, share your favorite searches, and show the world how you use VirusTotal to explore and understand the threat landscape.

In the meantime, if you have any feedback you can contact us.

Read More