Detection posture isn't static. Attackers adjust their techniques — often faster than security teams can retool. Quishing campaigns are scaling because most file inspection pipelines ignore image-embedded content.
AI model files are also proliferating in production environments with almost no security scrutiny. QR codes have become a reliable social engineering vector precisely because the industry spent years building defenses that didn't account for them.
The latest updates to Spectra Analyze and Spectra Core address these gaps directly. This post walks through what shipped, why each capability matters — and what it means for your detection coverage.
QR code phishing — quishing — works because it exploits a weak point in how most organizations inspect email-borne threats. Traditional attachment and link analysis is text-oriented. Image files, PDFs with embedded visual content, and QR codes have largely been treated as pass-through artifacts. Attackers noticed.
Spectra Analyze now includes full quishing analysis. Optical character recognition (OCR) extracts URLs, IP addresses, and domains from images and PDF documents. QR codes embedded in those files are decoded and their resolved destinations are assessed for threat indicators. The result is a security assessment that treats image content as what it actually is: a potential delivery mechanism for malicious links.
This closes a category of gap that attackers have been exploiting with increasing regularity. If your environment routes phishing reports through Spectra Analyze — or if you're using it for email threat triage — QR codes are no longer a blind spot.
TLSH and SSDEEP similarity search are now available in Spectra Analyze. For analysts who spend time pivoting from known samples to related ones, this is a meaningful workflow change.
Both algorithms are locality-sensitive hashing methods. TLSH (Trend Micro Locality Sensitive Hash) generates a hash from file content in a way that preserves similarity relationships — two files that are 80% identical will produce hashes that are measurably close. SSDEEP uses context-triggered piecewise hashing to produce comparable results. Together, they give analysts two complementary methods for finding files that share substantial code overlap with a known malicious sample.
The practical value is in triage speed and attribution confidence. When you identify a new sample — a dropper, a loader, a modified infostealer — you no longer need to rely solely on exact hash matching or YARA rule coverage to find related files. Submit the sample, run a similarity search, and surface the cluster. That cluster often tells you whether you're dealing with an isolated incident or a campaign.
For threat hunting, it changes the aperture. Instead of searching for a specific file, you're searching for a family of files. That's a fundamentally different — and more productive — analytical posture.
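To make the "measurably close" claim concrete, here is an added Python illustration of context-triggered piecewise hashing, the idea behind SSDEEP. It is not ReversingLabs' or ssdeep's own code: the rolling hash follows ssdeep's three-part form, but the block size is fixed rather than derived from the input length, there is no second signature at the adjacent block size and no 64-character cap, and the similarity score is a plain edit-distance ratio. The three input files are constructed from a seeded generator so the run is deterministic.

```python
import random

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW = 7                                  # rolling-hash window, as in ssdeep
FNV_BASIS, FNV_PRIME = 0x811C9DC5, 0x01000193
MASK32 = 0xFFFFFFFF

class RollingHash:
    """Hash of the last WINDOW bytes only: a byte change can move at most a few trigger points."""
    def __init__(self):
        self.window = [0] * WINDOW
        self.h1 = self.h2 = self.h3 = 0     # sum, weighted sum, shift/xor of the window
        self.n = 0

    def update(self, c: int) -> int:
        self.h2 = self.h2 - self.h1 + WINDOW * c
        self.h1 = self.h1 + c - self.window[self.n % WINDOW]
        self.window[self.n % WINDOW] = c
        self.n += 1
        self.h3 = ((self.h3 << 5) & MASK32) ^ c
        return (self.h1 + self.h2 + self.h3) & MASK32

def ctph(data: bytes, block_size: int = 64) -> str:
    """One base64 character per piece; a piece ends where the rolling hash hits the trigger value."""
    if not data:
        return ""
    roll, piece, out = RollingHash(), FNV_BASIS, []
    for c in data:
        piece = ((piece ^ c) * FNV_PRIME) & MASK32           # FNV-1a over the current piece
        if roll.update(c) % block_size == block_size - 1:    # context trigger: close the piece
            out.append(B64[piece & 63])
            piece = FNV_BASIS
    out.append(B64[piece & 63])                              # the partial piece at end of file
    return "".join(out)

def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similarity(sig_a: str, sig_b: str) -> int:
    """0..100: edit distance between two signatures scaled by the longer one (simplified scoring)."""
    if not sig_a or not sig_b:
        return 0
    longest = max(len(sig_a), len(sig_b))
    return max(0, 100 - (100 * levenshtein(sig_a, sig_b)) // longest)

def demo() -> dict:
    """Constructed samples: a file, the same file with one 20 % region rewritten, an unrelated file."""
    rng = random.Random(1337)
    original = bytes(rng.getrandbits(8) for _ in range(8192))
    patched = original[:3200] + bytes(rng.getrandbits(8) for _ in range(1600)) + original[4800:]
    unrelated = bytes(rng.getrandbits(8) for _ in range(8192))
    base = ctph(original)
    return {
        "self": similarity(base, base),
        "patched": similarity(base, ctph(patched)),
        "unrelated": similarity(base, ctph(unrelated)),
    }

if __name__ == "__main__":
    for name, score in demo().items():
        print(f"{name}: {score}")
```

Because the trigger depends only on the last seven bytes, every piece outside the rewritten region hashes to the same character in both files, so the signature of the 80 % identical file differs from the original only in the characters produced for that region; the unrelated file shares nothing but chance collisions. That locality is what lets a similarity search pivot from one sample to its relatives when exact hashes and YARA rules both miss.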
Detection confidence is rarely binary. A file can be flagged by one sandbox, missed by another, partially matched by a YARA rule, and labeled clean by a threat intelligence feed — all in the same triage workflow. The question every analyst faces is: how do I weigh these signals?
Spectra Analyze now includes Risk Tolerance Levels — four configurable settings that control how cloud sandbox results, threat intelligence data, YARA classifications, and third-party sandbox signals contribute to final verdicts. This is explicit, tunable verdict logic rather than a single opaque score.
The value here is organizational alignment. Different environments have different risk thresholds. A financial services SOC and a software development shop have different tolerances for false positives versus false negatives. Risk Tolerance Levels let your team configure verdict behavior to match the actual risk posture of your environment — and change that configuration when your threat landscape or operational context shifts.
It also reduces the friction between analysts and tooling. When verdict logic is visible and configurable, analysts spend less time second-guessing automated outputs and more time acting on them.
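The following added Python example shows what explicit, tunable verdict logic over conflicting signals can look like. It is not Spectra Analyze's own policy: the four level names, the per-source weights, the score thresholds, the evidence values and the corroboration rule are all assumptions chosen to make the behaviour visible, and the two signal sets are constructed to match the conflicting triage situation described above.

```python
from dataclasses import dataclass
from enum import IntEnum

class Verdict(IntEnum):
    CLEAN = 0
    SUSPICIOUS = 1
    MALICIOUS = 2

@dataclass(frozen=True)
class Signal:
    source: str          # cloud_sandbox | threat_intel | yara | third_party_sandbox
    verdict: Verdict
    confidence: float    # 0.0 .. 1.0 as reported by the source

# Evidence value per verdict type (assumption): a clean result counts for less than a
# malicious one, because "nothing found" is weaker evidence than "found".
EVIDENCE = {Verdict.MALICIOUS: 1.0, Verdict.SUSPICIOUS: 0.5, Verdict.CLEAN: -0.5}
HIGH_CONFIDENCE = 0.8

@dataclass(frozen=True)
class Level:
    weights: dict        # how much each source contributes to the weighted score
    suspicious_at: float # weighted score at or above which the file is SUSPICIOUS
    malicious_at: float  # weighted score at or above which the file is MALICIOUS
    convict_on: int      # high-confidence MALICIOUS sources needed to decide outright

# Four assumed tolerance levels; only the numbers differ, the rule is the same for all.
LEVELS = {
    "strict":     Level({"cloud_sandbox": 1.0, "threat_intel": 1.0, "yara": 1.0, "third_party_sandbox": 1.0}, 0.05, 0.30, 1),
    "balanced":   Level({"cloud_sandbox": 1.0, "threat_intel": 0.8, "yara": 0.8, "third_party_sandbox": 0.6}, 0.10, 0.40, 2),
    "relaxed":    Level({"cloud_sandbox": 1.0, "threat_intel": 0.6, "yara": 0.6, "third_party_sandbox": 0.4}, 0.20, 0.50, 2),
    "permissive": Level({"cloud_sandbox": 1.0, "threat_intel": 0.5, "yara": 0.3, "third_party_sandbox": 0.3}, 0.35, 0.60, 3),
}

def triage(signals, level_name: str):
    """Return (verdict, reason). The reason makes the decision auditable by the analyst."""
    level = LEVELS[level_name]
    convictions = [s for s in signals
                   if s.verdict == Verdict.MALICIOUS and s.confidence >= HIGH_CONFIDENCE]
    if len(convictions) >= level.convict_on:
        return Verdict.MALICIOUS, "corroborated by " + ", ".join(s.source for s in convictions)
    total_weight = sum(level.weights[s.source] for s in signals)
    if total_weight == 0:
        return Verdict.CLEAN, "no signals"
    score = sum(level.weights[s.source] * s.confidence * EVIDENCE[s.verdict]
                for s in signals) / total_weight
    if score >= level.malicious_at:
        verdict = Verdict.MALICIOUS
    elif score >= level.suspicious_at:
        verdict = Verdict.SUSPICIOUS
    else:
        verdict = Verdict.CLEAN
    return verdict, f"weighted score {score:.2f}"

# Constructed scenario from the text: flagged by one sandbox, missed by another,
# partially matched by YARA, labelled clean by a threat intelligence feed.
CONFLICTING = [
    Signal("cloud_sandbox", Verdict.MALICIOUS, 0.9),
    Signal("third_party_sandbox", Verdict.CLEAN, 0.6),
    Signal("yara", Verdict.SUSPICIOUS, 0.5),
    Signal("threat_intel", Verdict.CLEAN, 0.7),
]
# Same file, but the second sandbox now agrees with the first.
CORROBORATED = [Signal("third_party_sandbox", Verdict.MALICIOUS, 0.85) if s.source == "third_party_sandbox" else s
                for s in CONFLICTING]

def demo(signals=CONFLICTING) -> dict:
    return {name: triage(signals, name)[0].name for name in LEVELS}

if __name__ == "__main__":
    for level, verdict in demo().items():
        print(f"{level:10s} {verdict:10s} ({triage(CONFLICTING, level)[1]})")
```

With the conflicting signal set the same evidence yields MALICIOUS under "strict", SUSPICIOUS under "balanced" and "relaxed", and CLEAN under "permissive"; once a second sandbox corroborates, the middle levels convict outright and even "permissive" escalates to SUSPICIOUS. The point is not the particular numbers but that the reason string tells the analyst which rule fired.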
Spectra Analyze has long supported bidirectional enrichment with leading EDR platforms. That integration now extends to Microsoft Defender. The full connector set — CrowdStrike Falcon, Palo Alto Cortex XDR, SentinelOne, and now Defender — covers the platforms that dominate enterprise endpoint deployments.
Bidirectional enrichment matters because it eliminates manual pivot steps. When an EDR alert surfaces a suspicious file, analysts can push that artifact directly into Spectra Analyze for deep static and dynamic analysis without leaving their workflow. When Spectra Analyze surfaces a verdict, that context flows back into the EDR platform to enrich the alert record and inform response decisions.
The Defender connector means organizations that standardized on Microsoft's security stack can now close the loop between endpoint detection and file-level analysis — without building custom integrations or managing separate workflows. For SecOps teams running hybrid environments, it also means consistent enrichment coverage regardless of which EDR platform a given endpoint reports to.
Spectra Core, the analysis engine underlying the Spectra platform, shipped 196 new static behavior indicators in this release. Coverage spans PowerShell, JavaScript, .NET, Ruby, Linux, and Windows — plus eight indicators specific to iCalendar-based phishing.
The iCalendar coverage is worth calling out. Calendar invite abuse has emerged as a reliable phishing vector: malicious .ics files that deliver links or payloads through meeting invitations bypass many email security tools because they're treated as benign scheduling content rather than potential delivery mechanisms. Extending static behavior indicator coverage to iCalendar files addresses a delivery method that has seen growing adoption by threat actors.
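Both the quishing passage above and this iCalendar passage come down to the same step: once an image has been OCR'd, a QR code decoded, or an invite parsed, the recovered text has to be mined for links and each link checked. The added Python example below is not ReversingLabs code; it starts where OCR and QR decoding stop (both are assumed to have run upstream) and handles the .ics side itself, including RFC 5545 line unfolding, which is what makes a link split across a fold invisible to a plain grep of the raw file. The shortener and brand lists, the finding names, and all sample inputs are constructed for the example.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

URL_RE = re.compile(r"(?i)\b(?:https?|hxxps?)://[^\s<>\"'\\]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"(?i)\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")     # also matches file names like x.pdf
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}                    # assumed, illustrative list
BRANDS = {"microsoft", "paypal", "docusign"}                       # assumed, illustrative list
LINK_PROPERTIES = {"DESCRIPTION", "LOCATION", "URL", "ATTACH", "COMMENT", "X-ALT-DESC"}

def _is_ipv4(s: str) -> bool:
    try:
        return ip_address(s).version == 4
    except ValueError:
        return False

def _dedupe(items):
    return list(dict.fromkeys(items))

def unfold_ics(text: str) -> list:
    """RFC 5545 unfolding: a line starting with SPACE or HTAB continues the previous line."""
    lines = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def _unescape(value: str) -> str:
    """Undo RFC 5545 TEXT escapes in one pass (\\n newline, \\, \\; \\\\ literal)."""
    return re.sub(r"\\([\\;,nN])", lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)

def ics_link_text(text: str) -> str:
    """Values of the properties that can carry a link. Assumes no ':' inside quoted parameters."""
    chunks = []
    for line in unfold_ics(text):
        if ":" not in line:
            continue
        head, value = line.split(":", 1)
        name = head.split(";", 1)[0].upper()           # drop ;PARAM=... from the property name
        if name in LINK_PROPERTIES:
            chunks.append(_unescape(value))
    return "\n".join(chunks)

def extract_indicators(text: str) -> dict:
    urls = _dedupe(u.rstrip(".,;)") for u in URL_RE.findall(text))  # trailing punctuation is prose
    bare = URL_RE.sub(" ", text)                                    # bare names outside the links
    ips = _dedupe(ip for ip in IPV4_RE.findall(text) if _is_ipv4(ip))
    domains = _dedupe(d.lower() for d in DOMAIN_RE.findall(bare))
    return {"urls": urls, "ips": ips, "domains": domains}

def assess_url(url: str) -> list:
    """Static checks on one link; each finding is a reason for an analyst to look closer."""
    findings = []
    if url.lower().startswith("hxxp"):
        findings.append("defanged-scheme")              # common in forwarded phishing reports
        url = "http" + url[4:]
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    try:
        port = parts.port
    except ValueError:
        port = -1                                       # unparsable port is itself worth a look
    if _is_ipv4(host):
        findings.append("ip-literal-host")
    if parts.username is not None:
        findings.append("userinfo-in-url")              # user@host misleads the eye about the host
    if port not in (None, 80, 443):
        findings.append("non-standard-port")
    if host in SHORTENERS:
        findings.append("url-shortener")                # destination hidden until resolved
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode-label")
    labels = host.split(".")
    if any(b in labels[:-2] for b in BRANDS):
        findings.append("brand-in-subdomain")           # brand.<registered domain of someone else>
    return findings

def scan(text: str) -> dict:
    indicators = extract_indicators(text)
    return {"indicators": indicators, "findings": {u: assess_url(u) for u in indicators["urls"]}}

def scan_ics(ics_text: str) -> dict:
    return scan(ics_link_text(ics_text))

# Constructed inputs. OCR_TEXT is what OCR might return for a "scan to view document"
# lure image; QR_PAYLOAD is the string decoded from its QR code.
OCR_TEXT = "Secure document shared with you.\nScan the code or visit secure-docs-portal.invalid to sign."
QR_PAYLOAD = "https://docusign.account-verify.invalid/view?id=42"

# Constructed invite: link 1 is folded across two lines, link 2 is an IP literal on an odd
# port behind an escaped newline, link 3 is a shortener, link 4 is an ordinary attachment.
ICS_SAMPLE = r"""BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//constructed sample//EN
BEGIN:VEVENT
UID:constructed-1@example.invalid
DTSTART:20240101T090000Z
SUMMARY:Quarterly payroll review
DESCRIPTION:Please confirm attendance at https://login.example-payroll.invalid/
 verify?user=jdoe before the meeting.\nDial-in: http://203.0.113.7:8080/join
LOCATION:https://bit.ly/3x4mple
ATTACH;FMTTYPE=application/pdf:https://cdn.example.invalid/agenda.pdf
END:VEVENT
END:VCALENDAR
"""

if __name__ == "__main__":
    print(scan(OCR_TEXT + "\n" + QR_PAYLOAD))
    print(scan_ics(ICS_SAMPLE))
```

The findings are triage hints, not verdicts: an IP-literal host on port 8080 inside a meeting invite and a brand name sitting in a subdomain are exactly the kinds of signal a text-oriented pipeline never sees when the link arrived as pixels or as scheduling data.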
The broader expansion across PowerShell, .NET, and scripting environments reflects where detection gaps persist. Static behavior indicators analyze file structure and content before execution — no sandbox, no detonation required. Expanding indicator coverage in these categories improves the ability to identify suspicious patterns at rest, which matters for environments where dynamic analysis throughput is constrained or where speed of verdict is a priority.
YARA rules for nine new malware families shipped in this release. The breakdown:
Infostealer detections deserve particular attention. The credential theft ecosystem has expanded significantly over the past two years, with new stealer families entering distribution through malvertising, trojanized installers, and open-source package poisoning. Each of the four infostealers covered in this release represents an active family — coverage that translates directly to earlier detection and reduced dwell time in environments where these tools appear.
The RAT and backdoor coverage extends detection across both Windows and Linux targets. GhostPenguin and GopherRAT target Linux environments — a category where detection tooling often lags behind Windows-focused coverage.
The expansion of AI model file analysis is one of the more forward-looking elements of this release. Spectra Core now covers ONNX, Safetensors, GGUF, HDF5, NPY/NPZ, and Pickle formats — in addition to previously supported types.
The Pickle format entry is particularly significant. Pickle serialization is the default mechanism for saving PyTorch models, and it carries a well-documented risk: a Pickle stream can instruct the loader to import and call arbitrary Python callables during deserialization, so simply loading a model file can execute attacker-chosen code. This is not a theoretical vulnerability. Malicious Pickle-serialized models have been identified in public model repositories, including Hugging Face. Spectra Core now detects unsafe deserialization in Pickle-serialized models — a detection capability that most security tools do not yet have.
As organizations adopt machine learning pipelines and integrate open-source models into production workflows, the attack surface around AI model files grows. Developers pulling models from public repositories face the same supply chain risk that affected open-source software packages — the difference is that the security tooling for model files is far less mature. Expanded format coverage in Spectra Core brings AI model files under the same analysis rigor applied to other file types.
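To show what "unsafe deserialization" looks like when a model file is inspected at rest, here is an added Python example that is not Spectra Core's detector. It walks the opcode stream with `pickletools.genops`, which parses but never executes, so it is safe to run on an untrusted file; it records every global the stream would import and every opcode that would call one, and compares the imports against an allowlist. The allowlist is an assumption for this example, and the two "malicious" streams are assembled by hand as test fixtures so that nothing dangerous is pickled or unpickled while building them.

```python
import collections
import pickle
import pickletools

IMPORT_OPS = {"GLOBAL", "INST", "STACK_GLOBAL"}                      # resolve a module.name
CALL_OPS = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}  # invoke something
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
# Assumed allowlist: modules a legitimate model file for the frameworks you accept may reference.
ALLOWED_MODULES = {"collections", "torch", "torch._utils", "numpy", "numpy.core.multiarray"}

def scan_pickle(data: bytes) -> dict:
    """Static scan: which globals the stream imports, which opcodes call them, and a verdict."""
    imports, calls, literal_strings = [], [], []
    for op, arg, pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            literal_strings.append(arg)
        if op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)       # pickletools joins the two lines with a space
            imports.append((module, name, pos))
        elif op.name == "STACK_GLOBAL":
            # Protocol 4+: module and name are the two strings pushed just before. Only
            # literal strings are tracked here; names fetched from the memo would need a
            # stack emulator, so an unresolvable pair is reported as such (and is disallowed).
            if len(literal_strings) >= 2:
                imports.append((literal_strings[-2], literal_strings[-1], pos))
            else:
                imports.append(("<unresolved>", "<unresolved>", pos))
        if op.name in CALL_OPS:
            calls.append((op.name, pos))
    disallowed = [(m, n, p) for m, n, p in imports if m not in ALLOWED_MODULES]
    if disallowed:
        verdict = "unsafe"             # loading would import something outside the allowlist
    elif imports:
        verdict = "allowed-imports"    # callables referenced, all from allowed modules
    else:
        verdict = "clean"              # pure data: no code reference at all
    return {"verdict": verdict, "imports": imports, "calls": calls, "disallowed": disallowed}

# Constructed samples.
CLEAN_SAMPLE = pickle.dumps({"weights": [0.5, 0.25], "bias": 0.0}, protocol=4)
ALLOWED_SAMPLE = pickle.dumps(collections.OrderedDict(layer=1), protocol=4)
# Hand-assembled streams that reference os.system via GLOBAL (protocol 2 style) and via
# STACK_GLOBAL (protocol 4 style); they are never passed to pickle.load().
MALICIOUS_PROTO2 = b"\x80\x02cos\nsystem\nVecho constructed-sample\n\x85R."
MALICIOUS_PROTO4 = b"\x80\x04\x8c\x02os\x8c\x06system\x93\x8c\x17echo constructed-sample\x85R."

def demo() -> dict:
    return {name: scan_pickle(blob)["verdict"] for name, blob in [
        ("clean", CLEAN_SAMPLE), ("allowed", ALLOWED_SAMPLE),
        ("proto2", MALICIOUS_PROTO2), ("proto4", MALICIOUS_PROTO4)]}

if __name__ == "__main__":
    for name, blob in [("proto2", MALICIOUS_PROTO2), ("proto4", MALICIOUS_PROTO4)]:
        r = scan_pickle(blob)
        print(name, r["verdict"], [(m, n) for m, n, _ in r["imports"]], [c for c, _ in r["calls"]])
```

Two things the example makes visible: the same import can be spelled two ways depending on protocol, so a detector that only greps for the `c` GLOBAL opcode misses protocol 4 files, and a genuine PyTorch checkpoint does reference globals (its tensor rebuild helpers), which is why the check is "imports outside the allowlist" rather than "any import at all".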
Explore the full Spectra Analyze product page: reversinglabs.com/products/spectra-analyze
Taken together, this release extends coverage in three directions simultaneously: new threat vectors (quishing, AI model abuse, iCalendar phishing), new analytical methods (similarity search, configurable verdict logic), and expanded ecosystem integration (Defender EDR connector).
None of these are incremental refinements to capabilities you already had. Each addresses a category of gap that attackers have either been exploiting or are positioned to exploit as detection tooling in those areas remains immature.
If you're running Spectra Analyze in your SOC or threat intelligence workflow, reviewing how each of these capabilities maps to your current detection coverage is the logical next step. The release notes document the full technical detail. For teams evaluating Spectra Analyze for the first time, this release is a good moment to look at what the platform can do across the full file analysis workflow.
Request a demo: reversinglabs.com/demo