Big update for CelesTLSH! Since the last post in September, we’ve added new malware families, new scanner features, and rebuilt the backend infrastructure.
The corpus now covers 479 Unique Types of Malware / Attack Tools and 148,121 Unique TLSH Hashes.
New Scanner Features
Automatic Impacted Host Discovery — When CelesTLSH detects a match, it now automatically identifies every host in your org that has the same binary using LimaCharlie Insight. The summary alert includes an impacted_hosts list with hostname and sensor ID pairs, so you immediately know the blast radius without manual hunting.
Per-Host Alerts — Optionally generate a separate alert for each impacted host. Useful for triggering per-endpoint D&R rules or ticketing workflows. A configurable limit (default 25) keeps alert volume manageable. If you'd rather not fan out, leave everything in the single summary event with all hosts/SIDs listed, whichever works better for you.
Signed Binary Exclusions — Two new toggles:
- Exclude ALL Signed — Skip any signed binary from scanning, cutting noise from legitimate software. Note that this also skips malware signed with stolen or leaked certificates, so it trades some coverage for quiet.
- Exclude Microsoft Signed — Skip only Microsoft-signed binaries. Helpful if you want to keep scanning third-party signed files but drop the Windows system noise.
Retroactive Scan — Available from the Actions tab. Scan all historical binaries collected by Insight against the latest CelesTLSH corpus. Set a lookback window (up to 365 days) and optionally include previously detected matches.
Manual TLSH Lookup — Also on the Actions tab. Check a single TLSH hash against the full database on-demand.
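As an added example (not CelesTLSH's or LimaCharlie's own code), the following Python sketches the three decisions the options above describe: validating a TLSH string before a manual lookup, applying the signed-binary exclusion toggles to a collected binary, and fanning a summary alert out into capped per-host alerts. The field names (`signed`, `signer`, `impacted_hosts`, `hostname`, `sid`) and the sample records are assumptions constructed for illustration; the real alert and Insight schemas may differ.

```python
"""Helper logic for the scanner options described above.

Added example, not CelesTLSH's or LimaCharlie's own code. The field names
(`signed`, `signer`, `impacted_hosts`, `hostname`, `sid`) and the sample
records below are assumptions constructed for illustration.
"""
import re
from typing import Dict, List, Optional

# A TLSH digest is 70 hex characters; TLSH 4.x prefixes it with "T1".
# The library emits the literal "TNULL" for inputs too small to hash, which
# this pattern deliberately rejects.
_TLSH_RE = re.compile(r"^(T1)?[0-9A-F]{70}$", re.IGNORECASE)


def normalize_tlsh(value: str) -> Optional[str]:
    """Return the upper-cased TLSH string, or None if it is malformed.

    Run this in front of a manual lookup so a truncated or whitespace-padded
    hash is rejected outright instead of quietly producing "no match".
    """
    candidate = value.strip()
    if not _TLSH_RE.match(candidate):
        return None
    return candidate.upper()


def should_scan(record: Dict, exclude_all_signed: bool = False,
                exclude_microsoft_signed: bool = False) -> bool:
    """Apply the two signed-binary exclusion toggles to one binary record.

    `record["signed"]` is assumed to mean the signature chain verified, and
    `record["signer"]` the leaf certificate subject. The signer name is only
    consulted when the signature verified: a binary carrying an invalid or
    untrusted signature whose subject merely says "Microsoft" is still scanned.
    """
    if not record.get("signed"):
        return True
    if exclude_all_signed:
        return False
    signer = (record.get("signer") or "").strip().lower()
    if exclude_microsoft_signed and signer.startswith("microsoft"):
        return False
    return True


def fan_out_alerts(summary: Dict, per_host_limit: Optional[int] = 25) -> List[Dict]:
    """Turn one summary alert into at most `per_host_limit` per-host alerts.

    Every per-host alert carries `impacted_total`, so a ticketing or D&R rule
    still sees the full blast radius even when the cap truncated the fan-out.
    `per_host_limit=None` disables the cap.
    """
    hosts = summary.get("impacted_hosts") or []
    limit = len(hosts) if per_host_limit is None else per_host_limit
    return [
        {
            "tlsh": summary.get("tlsh"),
            "family": summary.get("family"),
            "hostname": host["hostname"],
            "sid": host["sid"],
            "impacted_total": len(hosts),
        }
        for host in hosts[:limit]
    ]


# Constructed sample data (not real detections).
SAMPLE_BINARIES = [
    {"path": r"C:\Windows\System32\svchost.exe", "signed": True,
     "signer": "Microsoft Windows"},
    {"path": r"C:\Program Files\Vendor\agent.exe", "signed": True,
     "signer": "Contoso Ltd"},
    {"path": r"C:\Users\Public\update.exe", "signed": False,
     "signer": "Microsoft Corporation"},  # signature present but unverified
]

SAMPLE_SUMMARY = {
    "tlsh": "T1" + "0" * 70,
    "family": "ExampleLoader",
    "impacted_hosts": [{"hostname": f"ws-{i:02d}", "sid": f"sid-{i:02d}"}
                       for i in range(30)],
}


def main() -> None:
    print("manual lookup input:", normalize_tlsh(" t1" + "ab" * 35 + " "))
    for rec in SAMPLE_BINARIES:
        verdict = "scan" if should_scan(rec, exclude_microsoft_signed=True) else "skipped"
        print(rec["path"], "->", verdict)
    alerts = fan_out_alerts(SAMPLE_SUMMARY)
    print(f"{len(alerts)} per-host alerts emitted for "
          f"{alerts[0]['impacted_total']} impacted hosts")


if __name__ == "__main__":
    main()
```

The signer check deliberately sits behind the verified-signature flag: matching on the subject string alone would let an untrusted certificate with "Microsoft" in its name suppress a scan. The `impacted_total` field is what lets a downstream rule tell "25 alerts" apart from "25 of 30 hosts".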
New Malware Families
SantaStealer, MaskGramStealer, Smoke Loader, GoLoader, EpsilonStealer, Efimer, EternalRocks, NirCmd, SliverFox, ToxicEye, ScarfaceStealer, CountLoader, DattoRMM, OffLoader, DarkMe, CHStealer, VenomStealer, RatonRAT, ChromElevator, N-able, KongTuke, SilverFox, GoStealer
Permissions Note
The impacted host discovery, per-host alerts, and retroactive scan features require a new permission set. If you subscribed before these features were added, you’ll need to unsubscribe and resubscribe to grant the new permission. Your existing detection rules and configuration won’t be affected and keep working as-is without resubscribing; you just won’t have access to the new capabilities until you do, so there’s no urgency.
More updates coming soon — and as always, feel free to ping me with feature requests!