{
    "type": "bundle",
    "id": "bundle--2b786029-c346-421b-97c3-cd488b41aa5a",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--8295942d-4cbd-4ecc-b7b9-f3ba36c08d91",
            "created": "2024-08-05T09:59:57.607038Z",
            "modified": "2024-08-05T10:00:30.665623Z",
            "name": "HackersEye",
            "identity_class": "organization"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--d044d8fd-9d0a-44f2-b107-e1549c68b13a",
            "created": "2026-06-24T17:25:09.029249Z",
            "modified": "2026-06-24T17:25:09.029249Z",
            "name": "YARA Rule: MeshAgent_Config",
            "pattern": "rule MeshAgent_Config\r\n{\r\nmeta:\r\ndescription = \"Detects the CheckMesh configuration file\"\r\nauthor = \"HackersEye\"\r\ndate = \"2024-07-04\"\r\nstrings:\r\n$config_string1 = \"MeshName=Remote\" ascii\r\n$config_string2 = \"MeshType=2\" ascii\r\n$config_string3 = \"MeshID=0x\" ascii\r\n$config_string4 = \"ServerID=\" ascii\r\n$config_string5 = \"MeshServer=wss://\" ascii\r\n$config_string6 = \"\\\"agent\\\":\\\"Agent\\\"\" ascii\r\n$config_string7 = \"\\\"install\\\":\\\"Install\\\"\" ascii\r\n$config_string8 = \"\\\"setup\\\":\\\"Setup\\\"\" ascii\r\ncondition:\r\nfilesize < 10KB and\r\nall of ($config_string1, $config_string2, $config_string3, $config_string4, $config_string5) and\r\nany of ($config_string6, $config_string7, $config_string8)\r\n}",
            "pattern_type": "yara",
            "valid_from": "2024-07-09T00:00:00Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--8ffd3f22-2b42-4234-a864-65dffa7ad916",
            "created": "2026-06-24T17:25:09.030089Z",
            "modified": "2026-06-24T17:25:09.030089Z",
            "name": "YARA Rule: MeshAgent_ELF",
            "pattern": "rule MeshAgent_ELF\r\n{\r\nmeta:\r\ndescription = \"Detects the CheckMesh attack\"\r\nauthor = \"HackersEye\"\r\ndate = \"2024-07-04\"\r\nstrings:\r\n$elf_magic = { 7f 45 4c 46 02 01 01 00 }\r\n$mesh_string1 = \"meshcore/KVM/Linux/linux_kvm.c\" ascii\r\n$mesh_string2 = \"meshcore: %s\" ascii\r\n$mesh_string3 = \"meshcore/agentcore.c\" ascii\r\n$mesh_string4 = \"meshagent\" ascii\r\n$mesh_string5 = \"--meshServiceName=\" ascii\r\n$mesh_string6 = \"/var/run/meshagent.pid\" ascii\r\ncondition:\r\nuint32(0) == 0x464c457f and\r\nfilesize < 10MB and\r\nall of ($elf_magic, $mesh_string1, $mesh_string2, $mesh_string3, $mesh_string4,\r\n$mesh_string5, $mesh_string6)\r\n}",
            "pattern_type": "yara",
            "valid_from": "2024-07-09T00:00:00Z"
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--8990490c-770d-406c-ae40-89cbca883c57",
            "hashes": {
                "SHA-256": "1134af27bea8518c62444a56f4bd4bcc95db40a9bb6132688cf31515da08b9aa"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--a57ea093-ebf2-4fc7-acf7-bb80326ca2f5",
            "hashes": {
                "SHA-256": "3840acb15880f6cb0a77347d4a3893c5a3fbfcc2167bd5e3f86e2ce0f7cdbf19"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--4e97dbac-d41c-4ea1-8993-31cf848995cf",
            "hashes": {
                "MD5": "277e376f8e521b5127d45da965a5a43d"
            }
        },
        {
            "type": "file",
            "spec_version": "2.1",
            "id": "file--fa442410-9e34-419c-ab72-4a7372a57877",
            "hashes": {
                "SHA-1": "b1b15e09ea98228203e110456d514327ce6b7438"
            }
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--85dde9b7-7961-4d4d-af06-6e638d665a78",
            "value": "gupdate.net"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--02bae07a-ead3-4604-8b9b-8500e3d3b2c5",
            "value": "api.gupdate.net"
        },
        {
            "type": "ipv4-addr",
            "spec_version": "2.1",
            "id": "ipv4-addr--7761276a-2e23-49eb-ab98-bc4dcc502397",
            "value": "51.16.51.81"
        },
        {
            "type": "ipv4-addr",
            "spec_version": "2.1",
            "id": "ipv4-addr--ac047f1f-22ee-4100-bea6-e47e41abfd8e",
            "value": "78.141.238.182"
        },
        {
            "type": "threat-actor",
            "spec_version": "2.1",
            "id": "threat-actor--4dc70b8a-b289-53ba-8129-9db976a65816",
            "created": "2026-06-24T17:25:09.039346Z",
            "modified": "2026-06-24T17:25:09.039346Z",
            "name": "LilacSquid"
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--2d1bb82d-cdc2-4c67-adbb-f4f9601bfbec",
            "created_by_ref": "identity--8295942d-4cbd-4ecc-b7b9-f3ba36c08d91",
            "created": "2026-06-24T17:25:09.042112Z",
            "modified": "2026-06-24T17:25:09.042112Z",
            "name": "CheckMesh: Hidden Threats in Your FW",
            "published": "2024-07-09T00:00:00Z",
            "object_refs": [
                "identity--8295942d-4cbd-4ecc-b7b9-f3ba36c08d91",
                "indicator--d044d8fd-9d0a-44f2-b107-e1549c68b13a",
                "indicator--8ffd3f22-2b42-4234-a864-65dffa7ad916",
                "file--8990490c-770d-406c-ae40-89cbca883c57",
                "file--a57ea093-ebf2-4fc7-acf7-bb80326ca2f5",
                "file--4e97dbac-d41c-4ea1-8993-31cf848995cf",
                "file--fa442410-9e34-419c-ab72-4a7372a57877",
                "domain-name--85dde9b7-7961-4d4d-af06-6e638d665a78",
                "domain-name--02bae07a-ead3-4604-8b9b-8500e3d3b2c5",
                "ipv4-addr--7761276a-2e23-49eb-ab98-bc4dcc502397",
                "ipv4-addr--ac047f1f-22ee-4100-bea6-e47e41abfd8e",
                "threat-actor--4dc70b8a-b289-53ba-8129-9db976a65816"
            ],
            "external_references": [
                {
                    "source_name": "HackersEye",
                    "url": "https://hackerseye.net/all-blog-items/checkmesh/"
                }
            ]
        }
    ]
}