VirusTotal, the multi-engine URL and file scanner

HalluSquatting is here, and manual URL checks are not enough

Palo Alto Networks put a name to a threat security teams had been reporting quietly for months. HalluSquatting is the practice of registering domains that AI models tend to hallucinate: package names that do not exist on npm or PyPI, product landing pages that AI assistants confidently invent, support URLs that look plausible but never existed. Registering the domain first turns the hallucination into a working phishing surface.

The seven URL safety checking apps below cover the pieces a defender needs to spot HalluSquatting and adjacent tactics before a click. Reputation lookups. Sandbox visits that render the target page without your browser. Real-time blocking at the browser layer. Every entry is a working desktop tool in 2026, not a promise.

What to look for in a URL safety checking app

Four criteria worth caring about.

Quick comparison

AppBest forFree planDelivery
VirusTotalMulti-engine reputation500 lookups/dayWeb + API
URLVoidBlocklist aggregation1000 lookups/dayWeb
Bitdefender TrafficLightBrowser-level blockingFreeBrowser extension
Google Safe BrowsingBaseline browser protectionFreeBuilt into Chromium
Malwarebytes Browser GuardAd and tracker blockingFreeBrowser extension
urlscan.ioSandboxed page rendering100 scans/dayWeb + API
OpenTip by KasperskyThreat intel lookups200 lookups/dayWeb + API

The apps

1. VirusTotal, the multi-engine reputation baseline

VirusTotal submits a URL against roughly 90 different reputation engines at once, from Google Safe Browsing to Sophos and Emsisoft. The result is a color-coded matrix that shows which engines flag the domain, when it was first seen, and what other files have referenced it.

Where it falls short: the free tier is limited to non-commercial use. Enterprise and API-heavy usage requires a paid plan.

Pricing: free for personal use. VT Enterprise pricing on request.

Platforms: web-first. API accessible from any script or automation.

Download: virustotal.com

Bottom line: the pick as your first-line reputation check for any suspicious URL.

2. URLVoid, the aggregated blocklist check

URLVoid cross-references a URL against about 30 major blocklist and threat intelligence sources. Faster than VirusTotal for a quick verdict, less coverage on obscure engines, and cleaner if you just want a yes-or-no answer.

Where it falls short: does not sandbox or render the page. Verdicts only.

Pricing: free web tier at 1000 lookups per day. Commercial API pricing separate.

Platforms: web-first.

Download: urlvoid.com

Bottom line: the pick when you want a second opinion faster than VirusTotal loads.

3. Bitdefender TrafficLight, live browser blocking

Bitdefender TrafficLight is a browser extension that scores every URL as you load it and blocks phishing and malware domains before the page finishes rendering. It also inspects links inside Gmail, X, and Facebook feeds without a full page navigation.

Where it falls short: Chromium-focused. The Firefox extension has more limited features than the Chrome and Edge versions.

Pricing: free.

Platforms: Chrome, Edge, Firefox extensions.

Download: bitdefender.com

Bottom line: install it on any browser you use for email or messaging. It is a zero-friction daily-driver defense.

4. Google Safe Browsing, the built-in baseline

Google Safe Browsing is the reputation feed already baked into Chrome, Edge, Firefox, and Safari. Every URL the browser is about to load is checked against Google’s rolling blocklist of phishing, malware, and unwanted-software domains.

Where it falls short: Safe Browsing is passive. It blocks what Google’s crawlers have already flagged. Fresh HalluSquat domains slip through until they are indexed.

Pricing: free, built into major browsers.

Platforms: every major browser.

Download: safebrowsing.google.com

Bottom line: confirm the setting is on in Chrome or Edge and treat it as the floor, not the ceiling, of URL safety.

5. Malwarebytes Browser Guard, ad and phishing filter

Malwarebytes Browser Guard blocks phishing pages, malicious ads, tech-support scams, and known trackers at the browser layer. The block rule set overlaps with TrafficLight but leans harder into scam and unwanted-content patterns.

Where it falls short: the block list can flag legitimate ad-supported sites aggressively. A false positive here means a broken page, not a security incident.

Pricing: free.

Platforms: Chrome, Edge, Firefox, Safari extensions.

Download: malwarebytes.com

Bottom line: pair with TrafficLight for defense in depth. They flag slightly different categories.

6. urlscan.io, the sandbox renderer

urlscan.io loads a URL inside a sandboxed headless browser and returns a screenshot, a DOM tree, the network activity, and every third-party resource the page pulls. You never have to visit the URL yourself. HalluSquat domains that appear legitimate at first glance often reveal themselves in the sandbox render.

Where it falls short: the sandbox is public by default, so anything sensitive should use the private scan option (paid).

Pricing: free at 100 scans per day, public. Pro tier at $15 per user per month for private scans.

Platforms: web-first, extensive API.

Download: urlscan.io

Bottom line: the pick when the URL is suspicious enough that you want to see it, but not enough to visit it.

7. OpenTip by Kaspersky, threat intel lookup

OpenTip is Kaspersky’s free threat intelligence portal for URLs, IPs, and hashes. Results include the categorization Kaspersky assigns to the domain, historical WHOIS pivot data, and links to related indicators of compromise.

Where it falls short: Kaspersky’s brand is politically loaded in some jurisdictions. Enterprise use may face restrictions.

Pricing: free at 200 lookups per day. Paid API tiers for higher volume.

Platforms: web-first, API accessible.

Download: opentip.kaspersky.com

Bottom line: the pick when you want a specialist’s perspective on the same URL alongside VirusTotal.

How to pick the right one

If you are picking one only, install Bitdefender TrafficLight in every browser you use for email. It is passive, free, and blocks a real percentage of HalluSquat URLs before the page loads. Add VirusTotal as your first web-lookup reflex when a URL looks off.

If you actually investigate suspicious URLs as part of your work, add urlscan.io to see the page render without visiting it, and add OpenTip as a second-opinion threat intelligence check. URLVoid rounds out reputation coverage.

Google Safe Browsing and Malwarebytes Browser Guard are the browser-layer minimum. They should already be running. If they are not, turn them on before you install anything else.

FAQ

What is HalluSquatting? Registering domains, package names, or product URLs that generative AI models are known to hallucinate. When a user asks an AI assistant for a link and the model invents one, an attacker who registered that hallucinated domain in advance now controls it.

Which URL safety app catches HalluSquat domains fastest? Sandbox tools like urlscan.io and multi-engine tools like VirusTotal typically catch newly registered squatters within 24 to 48 hours. Google Safe Browsing lags, because it relies on crawler-driven detection.

Is a browser extension enough on its own? For most users, yes. Bitdefender TrafficLight or Malwarebytes Browser Guard combined with Google Safe Browsing covers most common phishing surfaces. Add manual checks when a URL comes from an unusual source.

Can I check a URL without visiting it? Yes. urlscan.io renders the URL in a public sandbox and returns a screenshot. VirusTotal and URLVoid do reputation checks without loading the page in your browser.

Are any of these URL safety tools open-source? Bitdefender TrafficLight, Malwarebytes Browser Guard, VirusTotal, urlscan.io, and OpenTip are proprietary. The client-side blocklists in browsers (Safe Browsing) are proprietary as well. Open-source alternatives exist (PhishTank, OpenPhish) but ship as data feeds rather than desktop apps.