{
    "type": "bundle",
    "id": "bundle--4f7457d6-f06a-4ad8-82dc-2aa532cdd947",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--905e45e7-af77-42eb-9289-5cd4fbbb0fa5",
            "created": "2023-03-08T12:51:41.595163Z",
            "modified": "2023-03-08T14:31:55.177985Z",
            "name": "Greg Lesnewich",
            "identity_class": "organization"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--c24918a3-0738-485f-bbfb-94f513fca3ea",
            "created": "2026-06-24T18:08:53.0428Z",
            "modified": "2026-06-24T18:08:53.0428Z",
            "name": "YARA Rule",
            "pattern": "rule APT_NK_TA444_CosmicRust {\n  meta:\n    author = \"Greg Lesnewich\"\n    description = \"track CosmicRust backdoor\"\n    date = \"2024-01-04\"\n    version = \"1.0\"\n    hash = \"5115be816d0cd579915d079573bfa384d78ac0bd33cc845b7a83a488b0fc1b99\"\n    hash = \"045959bcc47fc8c3d4fdfe4e065bfbc18cf7c3101d2fafbea0c9160e7e0805bc\"\n    hash = \"3315e5a4590e430550a4d85d0caf5f521d421a2966b23416fcfc275a5fd2629a\"\n  strings:\n    $name = \"bot_client\" ascii\n    $method = \"basicinfo\" ascii\n    $func1 = \"get_boottime\" ascii\n    $func2 = \"get_arch\" ascii\n    $func3 = \"get_version\" ascii\n    $func4 = \"get_cwd\" ascii\n    $func5 = \"home_dir\" ascii\n    $func6 = \"set_cwd\" ascii\n    $func7 = \"decode_string\" ascii\n    $func8 = \"encode_string\" ascii\n    $func9 = \"process_request\" ascii\n    $func10 = \"process_response\" ascii\n  condition:\n    (\n      uint32(0) == 0xfeedface or // Mach-O MH_MAGIC\n      uint32(0) == 0xcefaedfe or // Mach-O MH_CIGAM\n      uint32(0) == 0xfeedfacf or // Mach-O MH_MAGIC_64\n      uint32(0) == 0xcffaedfe or // Mach-O MH_CIGAM_64\n      uint32(0) == 0xcafebabe or // Mach-O FAT_MAGIC\n      uint32(0) == 0xbebafeca // Mach-O FAT_CIGAM\n    ) and ($name or $method) and 6 of ($func*)\n}",
            "pattern_type": "yara",
            "valid_from": "2024-01-04T00:00:00Z"
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--b449c607-ce5f-4c2b-ac15-06ecca77beed",
            "hashes": {
                "SHA-256": "3315e5a4590e430550a4d85d0caf5f521d421a2966b23416fcfc275a5fd2629a"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--8ddb22e2-9672-4385-b4d6-0a095877eb48",
            "hashes": {
                "MD5": "16396c63d8de359d88297dbbe9f94663"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--dca55360-9f26-4d3c-9c9a-fa365cd7c339",
            "hashes": {
                "SHA-256": "045959bcc47fc8c3d4fdfe4e065bfbc18cf7c3101d2fafbea0c9160e7e0805bc"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--d72c60e2-1400-44cb-acab-d285c4bd0e2b",
            "hashes": {
                "SHA-256": "5115be816d0cd579915d079573bfa384d78ac0bd33cc845b7a83a488b0fc1b99"
            }
        },
        {
            "type": "threat-actor",
            "spec_version": "2.1",
            "id": "threat-actor--adcc8e95-a44f-55f4-953b-224a76d65b44",
            "created": "2026-06-24T18:08:53.048128Z",
            "modified": "2026-06-24T18:08:53.048128Z",
            "name": "TA444"
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--a80ac8ae-bc08-417b-b1ac-bf0847e068cd",
            "created_by_ref": "identity--905e45e7-af77-42eb-9289-5cd4fbbb0fa5",
            "created": "2026-06-24T18:08:53.053343Z",
            "modified": "2026-06-24T18:08:53.053343Z",
            "name": "100DaysofYARA - CosmicRust",
            "published": "2024-01-04T00:00:00Z",
            "object_refs": [
                "identity--905e45e7-af77-42eb-9289-5cd4fbbb0fa5",
                "indicator--c24918a3-0738-485f-bbfb-94f513fca3ea",
                "file--b449c607-ce5f-4c2b-ac15-06ecca77beed",
                "file--8ddb22e2-9672-4385-b4d6-0a095877eb48",
                "file--dca55360-9f26-4d3c-9c9a-fa365cd7c339",
                "file--d72c60e2-1400-44cb-acab-d285c4bd0e2b",
                "threat-actor--adcc8e95-a44f-55f4-953b-224a76d65b44"
            ],
            "external_references": [
                {
                    "source_name": "source",
                    "url": "https://g-les.github.io/yara/2024/01/04/100DaysofYARA-CosmicRust.html"
                }
            ]
        }
    ]
}