
Joe Sandbox v43 - Green Sapphire

Joe Security's Blog

Published on: 28.08.2025


Today, we are proud to release Joe Sandbox 43 under the code name Green Sapphire! This release is packed with many new detection signatures and important features to improve Joe Sandbox.






Our Joe Sandbox Cloud Pro, Basic, and OEM servers have recently been upgraded to Green Sapphire.


If you wish to upgrade your on-premise Joe Sandbox installation, please follow the instructions in the chapter on "Updating" in the user guide, which you can find in our customer portal.


423 new Signatures


Green Sapphire comes with a very large number of new YARA and Behavior signatures to detect new malware families like Morpheus Loader, Lighthouse, Gremlin Stealer, Vanhelsing, Devman, D0glun, Odyssey Stealer, phantomprayers, CVE-2025-53770, Hpingbot, PlayPraetor and many more. In addition, we added 30 new Malware Configuration Extractors, e.g. for PredatorStealer, H4wkStealer, Dacic, DuplexSpyRat, Obj3ctivity Stealer, Aurotun Stealer and Celestial Rat, to name a few.










Dark Mode


Dark Mode is now available for the Web Interface and all Windows analysis reports. This new feature makes it easier to concentrate at night and reduces eye strain, providing a more comfortable user experience.





To enable Dark Mode, click the moon icon at the top of the navigation bar.


AI Reports


We have developed new reports that contain only AI-related information. These reports include AI signature hits and all reasoning texts, providing a clean and focused dataset.

AI Reports serve as the primary source of information for feeding into LLMs. They are also integrated with the recently published Joe Sandbox MCP server, ensuring seamless compatibility and advanced AI-driven analysis.








Protection Against Clipboard-Based Attacks


Recent social engineering attacks that trick users into pasting malicious commands into a shell have become mainstream. Two notable malware families abusing this technique are ClickFix and Fake Captcha.

ClickFix, for example, presents victims with deceptive prompts that encourage them to copy and paste commands into a terminal or console. Once executed, these commands install malware or open the system to further compromise, all without the victim realizing the danger.

With Joe Sandbox v43, we introduced clipboard activity monitoring and automation. This enables Joe Sandbox to detect clipboard modifications and automatically simulate the user actions typically required by such attacks. As a result, these scenarios can now be fully analyzed without requiring any manual interaction, providing deeper visibility and more efficient detection.





Full Analysis Report.


Microsoft Defender for Endpoint Integration


We’re excited to announce our new integration between Microsoft Defender for Endpoint and Joe Sandbox.

The connector automatically collects alerts and evidence from Defender, analyzes them in Joe Sandbox, and enriches alerts with:

  • Severity score
  • Detection type
  • Threat name
  • Link to the full analysis

Benefits for Customers:

  • Deeper insight: Richer, context-driven alerts.
  • Faster response: Instant access to Joe Sandbox results.
  • Seamless workflow: Stay within Defender for Endpoint.
  • Better accuracy: Reduce false positives and focus on real threats.



The integration is available on the Microsoft Azure Marketplace and on GitHub.

Final Words


In this blog post, we highlighted the most important features of Joe Sandbox Green Sapphire. These core improvements mark a significant step forward in automation, detection, and usability.

Beyond the features covered here, Green Sapphire also includes a variety of other enhancements and refinements:


  • Added command line option for Live Interaction

  • Added support for PBIX (PowerBI) and PPKG files

  • Improved EML / MSG file parser

  • Improved JavaScript tracing in Chrome

  • Improved download file auto start in Chrome

  • Improved Joe Sandbox ML (dynamic behavior data)

  • Improved prevention of various VM detections


Together, all these advancements ensure that analysts and security teams can investigate threats more efficiently, uncover deeper insights, and stay one step ahead in the ever-evolving malware landscape.

Would you like to try Joe Sandbox? Register for a free account on Joe Sandbox Cloud Basic or contact us for an in-depth technical demo!