{ "type": "bundle", "id": "bundle--1b9c2f9b-2283-4a46-a4f3-de38306e0345", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--a96f8bbb-0501-4026-a441-edfe31375afa", "created": "2025-12-03T00:51:50.222128Z", "modified": "2025-12-03T00:53:40.15867Z", "name": "OSM", "identity_class": "organization" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--2f602576-1f4f-43ab-8c8a-59e5a66545b1", "value": "api.trongrid.io" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--e26580cb-b6a4-443f-ad9c-8ae8392d47a8", "value": "fullnode.mainnet.aptoslabs.com" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--1764f823-df0c-41f5-b085-5ee9c708f5d8", "value": "onrender.com" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--965d33d0-7bcd-43b9-8040-c5fc872310ee", "created": "2026-06-24T22:42:30.514554Z", "modified": "2026-06-24T22:42:30.514554Z", "name": "YARA Rule", "pattern": "rule rmcej_otb_payload {\r\nmeta:\r\ndescription = \"Detects rmcej%otb% shuffle-cipher JS payload injected into config files (original variant only)\"\r\nauthor = \"OpenSourceMalware.com\"\r\ndate = \"2026-03-07\"\r\nseverity = \"high\"\r\nstrings:\r\n$marker = \"rmcej%otb%\"\r\n$global = \"global['!']\"\r\n$seed1 = \"2857687\"\r\n$seed2 = \"2667686\"\r\n$varname = \"_$_1e42\"\r\ncondition:\r\n$marker or ($global and $seed1) or ($varname and $seed2)\r\n}", "pattern_type": "yara", "valid_from": "2026-04-11T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b16118c0-0bc6-477c-ae0d-a620e8c7c0ca", "created": "2026-06-24T22:42:30.515352Z", "modified": "2026-06-24T22:42:30.515352Z", "name": "YARA Rule", "pattern": "rule polinrider_payload {\r\nmeta:\r\ndescription = \"Detects PolinRider shuffle-cipher JS payloads \u2014 both rmcej%otb% (v1) and Cot%3t=shtP (v2) variants\"\r\nauthor = \"OpenSourceMalware.com\"\r\ndate = \"2026-04-10\"\r\nseverity = \"high\"\r\nstrings:\r\n// Original variant (rmcej%otb%)\r\n$marker_v1 = \"rmcej%otb%\"\r\n$seed1_v1 = \"2857687\"\r\n$seed2_v1 = \"2667686\"\r\n$varname_v1 = \"_$_1e42\"\r\n$global_bang = \"global['!']\"\r\n// New variant (Cot%3t=shtP)\r\n$marker_v2 = \"Cot%3t=shtP\"\r\n$seed1_v2 = \"1111436\"\r\n$seed2_v2 = \"3896884\"\r\n$varname_v2 = \"MDy\"\r\n$global_V = \"global['_V']\"\r\n// Common across variants\r\n$global_r = \"global['r'] = require\"\r\n$global_m = \"global['m'] = module\"\r\ncondition:\r\nany of ($marker_*) or\r\n($global_bang and ($seed1_v1 or $varname_v1)) or\r\n($global_V and ($seed1_v2 or $varname_v2)) or\r\n($global_r and $global_m and (any of ($seed1_*)))\r\n}", "pattern_type": "yara", "valid_from": "2026-04-11T00:00:00Z" }, { "type": "url", "spec_version": "2.1", "id": "url--938e6f5d-1b6e-42de-a358-27d0651d4905", "value": "https://fullnode.mainnet.aptoslabs.com/v1/accounts/0xbe037.../transactions" }, { "type": "url", "spec_version": "2.1", "id": "url--288cb7d1-6933-49ff-b076-38aa780c074e", "value": "https://wolf-studios-frontend.vercel.app/" }, { "type": "url", "spec_version": "2.1", "id": "url--d322e057-7b25-4eac-9703-892058cfe99a", "value": "https://api.trongrid.io/v1/accounts/TMfKQEd7TJJa5xNZJZ2Lep838vrzrs7mAP/transactions" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--4cb4ad18-8623-477d-a9ee-e84112c24753", "value": "gowreesh-vt.github.io" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--e305d9e4-4a63-4f60-98e5-ca6bc9710200", "value": "shop.ceenami.com" }, { "type": "url", "spec_version": "2.1", "id": "url--a43554da-6bfe-4f94-8d2f-c3ff1573c001", "value": "https://api.trongrid.io/v1/accounts/" }, { "type": "url", "spec_version": "2.1", "id": "url--a31c9dc8-d5ba-48b0-8b26-f9afdf03d7dc", "value": "https://fullnode.mainnet.aptoslabs.com/v1/accounts/" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--b8216169-b8d5-438c-8646-d30abd0a1cd8", "value": "bsc-dataseed.binance.org" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--e2fd9333-7fae-497e-b014-9fadffa31950", "value": "bsc-rpc.publicnode.com" }, { "type": "threat-actor", "spec_version": "2.1", "id": "threat-actor--21a5efde-6a09-5457-b095-3687a21fa8b8", "created": "2026-06-24T22:42:30.52996Z", "modified": "2026-06-24T22:42:30.52996Z", "name": "PolinRider" }, { "type": "report", "spec_version": "2.1", "id": "report--357c7a16-ecbf-4e85-bf3f-c08689a37c41", "created_by_ref": "identity--a96f8bbb-0501-4026-a441-edfe31375afa", "created": "2026-06-24T22:42:30.53111Z", "modified": "2026-06-24T22:42:30.53111Z", "name": "PolinRider: DPRK Threat Actor Implants Malware in Hundreds of GitHub Repos", "published": "2026-04-11T00:00:00Z", "object_refs": [ "identity--a96f8bbb-0501-4026-a441-edfe31375afa", "domain-name--2f602576-1f4f-43ab-8c8a-59e5a66545b1", "domain-name--e26580cb-b6a4-443f-ad9c-8ae8392d47a8", "domain-name--1764f823-df0c-41f5-b085-5ee9c708f5d8", "indicator--965d33d0-7bcd-43b9-8040-c5fc872310ee", "indicator--b16118c0-0bc6-477c-ae0d-a620e8c7c0ca", "url--938e6f5d-1b6e-42de-a358-27d0651d4905", "url--288cb7d1-6933-49ff-b076-38aa780c074e", "url--d322e057-7b25-4eac-9703-892058cfe99a", "domain-name--4cb4ad18-8623-477d-a9ee-e84112c24753", "domain-name--e305d9e4-4a63-4f60-98e5-ca6bc9710200", "url--a43554da-6bfe-4f94-8d2f-c3ff1573c001", "url--a31c9dc8-d5ba-48b0-8b26-f9afdf03d7dc", "domain-name--b8216169-b8d5-438c-8646-d30abd0a1cd8", "domain-name--e2fd9333-7fae-497e-b014-9fadffa31950", "threat-actor--21a5efde-6a09-5457-b095-3687a21fa8b8" ], "external_references": [ { "source_name": "source", "url": "https://github.com/OpenSourceMalware/PolinRider" } ] } ] }