{ "type": "bundle", "id": "bundle--22abce96-d1f4-4b50-89b3-14a11467b38f", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--ee1af7fe-c2db-446e-ab28-bdb4b4e29c1c", "created": "2023-03-08T12:51:42.067091Z", "modified": "2023-03-10T04:35:51.526813Z", "name": "USCISA", "identity_class": "organization" }, { "type": "file", "spec_version": "2.1", "id": "file--08613019-028b-428a-89c3-9878dc4f18a9", "hashes": { "MD5": "760c35a80d758f032d02cf4db12d3e55" } }, { "type": "file", "spec_version": "2.1", "id": "file--c07178cb-b02e-44bd-95c4-3e24b0525e8f", "hashes": { "MD5": "e904bf93403c0fb08b9683a9e858c73e" } }, { "type": "file", "spec_version": "2.1", "id": "file--409a257a-e413-49d8-9fec-f0d53e4a38ca", "hashes": { "MD5": "4ef0ad7ad4fe3ef4fb3db02cd82bface" } }, { "type": "file", "spec_version": "2.1", "id": "file--fa5603b3-091a-4c3d-9a3c-5a851225ffdb", "hashes": { "MD5": "eb435e86604abced7c4a2b11c4637a52" } }, { "type": "file", "spec_version": "2.1", "id": "file--8368288b-a100-4904-a335-9eb585c26da1", "hashes": { "MD5": "7e48d5ba6e6314c46550ad226f2b3c67" } }, { "type": "file", "spec_version": "2.1", "id": "file--d0dd3f27-bdb0-472f-8a0a-25d0c95b8088", "hashes": { "MD5": "93bc819011b2b3da8487f964f29eb934" } }, { "type": "file", "spec_version": "2.1", "id": "file--65df7ce7-8cc9-4b8f-948d-e41d9f9d237f", "hashes": { "MD5": "7759c7d2c6d49c8b0591a3a7270a44da" } }, { "type": "file", "spec_version": "2.1", "id": "file--8a4053ab-b184-4eb1-b55d-de35b5dd1553", "hashes": { "MD5": "0bb82def661dd013a1866f779b455cf3" } }, { "type": "file", "spec_version": "2.1", "id": "file--4251833f-9e57-450d-9c56-5d6d94026f05", "hashes": { "MD5": "68a26b8eaf2011f16a58e4554ea576a1" } }, { "type": "file", "spec_version": "2.1", "id": "file--7e509448-62c1-446c-be34-cba8354d9e67", "hashes": { "MD5": "f6f48551d7723d87daeef2e840ae008f" } }, { "type": "file", "spec_version": "2.1", "id": "file--1683a541-d437-4841-8cfc-1b5d4868c926", "hashes": { "MD5": "3b9da603992d8001c1322474aac25f87" } }, { "type": "file", "spec_version": "2.1", "id": "file--0cfe6d9f-5c4b-4a9c-9c5e-02c46da78f5b", "hashes": { "MD5": "a385900a36cad1c6a2022f31e8aca9f7" } }, { "type": "file", "spec_version": "2.1", "id": "file--dfc79ad8-bf9c-46c0-90e5-0c75cc78738c", "hashes": { "MD5": "838e57492f632da79dcd5aa47b23f8a9" } }, { "type": "file", "spec_version": "2.1", "id": "file--4877d2db-8ee8-4bee-9374-e8703cf733f9", "hashes": { "MD5": "c905a30badb458655009799b1274205c" } }, { "type": "file", "spec_version": "2.1", "id": "file--e43825ba-9889-4e8a-b930-f2c6e1472ce3", "hashes": { "MD5": "11c9374cea03c3b2ca190b9a0fd2816b" } }, { "type": "file", "spec_version": "2.1", "id": "file--e1ce4e0b-d33c-4554-b77a-8129227f744d", "hashes": { "MD5": "734740b16053ccc555686814a93dfbeb" } }, { "type": "file", "spec_version": "2.1", "id": "file--8b25d846-afe4-4c87-8895-ac447cff4a74", "hashes": { "MD5": "b8ffff8b57586d24e1e65cd0b0ad9173" } }, { "type": "file", "spec_version": "2.1", "id": "file--a4bf7851-780e-4747-b3b2-d027e33732a3", "hashes": { "MD5": "9ab7f2bf638c9d911c2c742a574db89e" } }, { "type": "file", "spec_version": "2.1", "id": "file--dcd5eaf7-1388-444f-ab83-d2c2725b4185", "hashes": { "MD5": "7bea4323807f7e8cf53776e24cbd71f1" } }, { "type": "file", "spec_version": "2.1", "id": "file--08b4edf9-8ff6-433a-9fc1-ffeee030622a", "hashes": { "MD5": "0a87c6f29f34a09acecce7f516cc7fdb" } }, { "type": "file", "spec_version": "2.1", "id": "file--265ac284-8328-40cf-b0fd-ee60315ac505", "hashes": { "MD5": "194ae075bf53aa4c83e175d4fa1b9d89" } }, { "type": "file", "spec_version": "2.1", "id": "file--9e2e092b-165d-4e9f-9891-ee7f2565e344", "hashes": { "MD5": "f57e6156907dc0f6f4c9e2c5a792df48" } }, { "type": "file", "spec_version": "2.1", "id": "file--4721fb21-30c0-4224-b064-4bed023a393d", "hashes": { "MD5": "7fb0441a08690d4530d2275d4d7eb351" } }, { "type": "file", "spec_version": "2.1", "id": "file--7f62c71e-460c-4eef-8fc9-4689f4f155df", "hashes": { "MD5": "e509881b34a86a4e2b24449cf386af6a" } }, { "type": "file", "spec_version": "2.1", "id": "file--464e5812-7440-44a2-8516-b5d3687ee14c", "hashes": { "MD5": "9761dd113e7e6673b94ab4b3ad552086" } }, { "type": "file", "spec_version": "2.1", "id": "file--b43e8a10-f130-48b2-a03f-078b8d1845a8", "hashes": { "MD5": "a565e8c853b8325ad98f1fac9c40fb88" } }, { "type": "file", "spec_version": "2.1", "id": "file--a670825a-836c-4012-a304-2c6852a74f3d", "hashes": { "MD5": "25fb1e131f282fa25a4b0dec6007a0ce" } }, { "type": "file", "spec_version": "2.1", "id": "file--3346ef2c-a3bd-4419-b3a8-e7e81a350923", "hashes": { "MD5": "74982cd1f3be3d0acfb0e6df22dbcd67" } }, { "type": "file", "spec_version": "2.1", "id": "file--561c7295-b151-4d0c-a2b4-58097eaf16a4", "hashes": { "MD5": "ed7a9c6d9fc664afe2de2dd165a9338c" } }, { "type": "file", "spec_version": "2.1", "id": "file--bc0234d4-1fc0-45a2-b817-f0f452eb68b3", "hashes": { "MD5": "8dec36d7f5e6cbd5e06775771351c54e" } }, { "type": "file", "spec_version": "2.1", "id": "file--cecf09d3-797d-45aa-a824-4aa973cf5edc", "hashes": { "MD5": "40adcd738c5bdc5e1cc3ab9a48b3df39" } }, { "type": "file", "spec_version": "2.1", "id": "file--ae18a2b5-b1fd-4a91-bc22-fa244248f428", "hashes": { "MD5": "e1864a55d5ccb76af4bf7a0ae16279ba" } }, { "type": "file", "spec_version": "2.1", "id": "file--87849cb9-cefc-4c3e-bff1-16764e18c5c2", "hashes": { "MD5": "6aeac618e29980b69721158044c2e544" } }, { "type": "file", "spec_version": "2.1", "id": "file--02cd7e75-fb70-4b5c-a321-5e8cb0b8213f", "hashes": { "MD5": "86e212b7fc20fc406c692400294073ff" } }, { "type": "file", "spec_version": "2.1", "id": "file--f75db0c7-c89a-48f0-bff0-1d2af775cb65", "hashes": { "MD5": "d1c27ee7ce18675974edf42d4eea25c6" } }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--af4cb8a1-64bb-40de-b550-8a6a45868640", "value": "208.105.226.235" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--b7956185-5161-4a3b-969f-af9b2ff1994a", "value": "58.185.154.99" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--39aecd6e-67e0-4c94-bb71-f37e6d2ad00c", "value": "212.31.102.100" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--6adfa9a6-c353-46ac-8357-dc1b2bf5e8c8", "value": "217.96.33.164" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--745953c4-c073-4f2e-adc0-8d5ba867f2c7", "value": "200.87.126.116" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--6b9b9cbf-c74d-47c7-83ce-b1e51e476161", "value": "203.131.222.102" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--cdced1a3-573b-4572-a0e4-c9b0e9aa4dd4", "value": "88.53.215.64" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c5321319-d5ca-45d8-856e-edf7c3dc05b9", "created": "2026-06-24T19:37:50.385788Z", "modified": "2026-06-24T19:37:50.385788Z", "name": "YARA Rule", "pattern": "rule Malwareusedbycyberthreatactor3\r\n{\r\nstrings:\r\n$STR1 = { 50 68 80 00 00 00 68 FF FF 00 00 51 C7 44 24 1C 3a 8b 00 00 }\r\ncondition:\r\n(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them\r\n}", "pattern_type": "yara", "valid_from": "2014-12-19T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--1dbdc0d2-d42d-4bfd-8150-f06c281e623c", "created": "2026-06-24T19:37:50.386457Z", "modified": "2026-06-24T19:37:50.386457Z", "name": "YARA Rule", "pattern": "rule Malwareusedbycyberthreatactor2\r\n{\r\nstrings:\r\n$str1 = \"_quit\"\r\n$str2 = \"_exe\"\r\n$str3 = \"_put\"\r\n$str4 = \"_got\"\r\n$str5 = \"_get\"\r\n$str6 =\"_del\"\r\n$str7 = \"_dir\"\r\n$str8 = { C7 44 24 18 1F F7}\r\ncondition:\r\n(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them\r\n}", "pattern_type": "yara", "valid_from": "2014-12-19T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c39c5edb-98f3-4a46-8937-039a0fbb46ec", "created": "2026-06-24T19:37:50.387057Z", "modified": "2026-06-24T19:37:50.387057Z", "name": "YARA Rule", "pattern": "rule Malwareusedbycyberthreatactor1\r\n{\r\nstrings:\r\n$heapCreateFunction_0 = {33C06A003944240868001000000F94C050FF15????????85C0A3???????07436E893FEFFFF83F803A3???????0750D68F8030000E8??00000059EB0A83F8027518E8????000085C0750FFF35???????0FF15???????033C0C36A0158C3}\r\n$heapCreateFunction = { 55 8B EC B8 2C 12 00 00 E8 ?? ?? FF FF 8D 85 68 FF FF FF 53 50 C7 85 68 FF FF FF 94 00 00 00 FF 1? ?? ?? ?? ?0 85 C0 74 1A 83 BD 78 FF FF FF 02 75 11 83 BD 6C FF FF FF 05 72 08 6A 01 58 E9 02 01 00 00 8D 85 D4 ED FF F6 89 01 00 00 05 06 8? ?? ?? ?? 0F F1 5? ?? ?? ?? 08 5C 00 F8 4D 00 00 00 03 3D B8 D8 DD 4E DF FF F3 89 DD DF FF F7 41 38 A0 13 C6 17 C0 83 C7 A7 F0 42 C2 08 80 14 13 81 97 5E D8 D8 5D 4E DF FF F6 A1 65 06 8? ?? ?? ?? 0E 8? ?? ?0 00 08 3C 40 C8 5C 07 50 88 D8 5D 4E DF FF FE B4 98 D8 56 4F EF FF F6 80 40 10 00 05 05 3F F1 5? ?? ?? ?? 03 89 D6 4F EF FF F8 D8 D6 4F EF FF F7 41 38 A0 13 C6 17 C0 83 C7 A7 F0 42 C2 08 80 14 13 81 97 5E D8 D8 56 4F EF FF F5 08 D8 5D 4E DF FF F5 0E 8? ?? ?? ?? ?5 95 93 BC 37 43 E6 A2 C5 0E 8? ?? ?? ?? ?5 93 BC 35 97 43 04 08 BC 83 81 87 40 E8 03 93 B7 50 48 81 9E B0 14 13 81 97 5F 26 A0 A5 35 0E 8? ?? ?0 00 08 3C 40 C8 3F 80 27 41 D8 3F 80 37 41 88 3F 80 17 41 38 D4 5F C5 0E 89 8F EF FF F8 07 DF C0 65 91 BC 08 3C 00 35 BC 9C}\r\n$getMajorMinorLinker = {568B7424086A00832600FF15???????06681384D5A75148B483C85C9740D03C18A481A880E8A401B8846015EC3}\r\n$openServiceManager = {FF15???0?0?08B?885??74????????????????5?FF15???0?0?08B?????0?0?08BF?85F?74}\r\ncondition:\r\nall of them\r\n}", "pattern_type": "yara", "valid_from": "2014-12-19T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--75561c4b-59e3-4812-bdca-45ab7d0256d9", "created": "2026-06-24T19:37:50.387635Z", "modified": "2026-06-24T19:37:50.387635Z", "name": "YARA Rule", "pattern": "rule DestructiveTargetCleaningTool8\r\n{\r\nstrings:\r\n$license = {E903FFFF820050006F007200740069006F006E007300200063006F007000790072006900670068007400200052006F006200650072007400200064006500200042006100740068002C0020004A006F007200690073002000760061006E002000520061006E007400770069006A006B002C002000440065006C00690061006E000000000000000250000000000A002200CE000800EA03FFFF8200}\r\n$PuTTY= {50007500540054005900}\r\ncondition:\r\n(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $license and not $PuTTY\r\n}", "pattern_type": "yara", "valid_from": "2014-12-19T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--2fc08feb-7d2d-48ae-8d14-f1364c976fb4", "created": "2026-06-24T19:37:50.388209Z", "modified": "2026-06-24T19:37:50.388209Z", "name": "YARA Rule", "pattern": "rule DestructiveTargetCleaningTool7\r\n{\r\nstrings:\r\n$a = \"SetFilePointer\"\r\n$b = \"SetEndOfFile\"\r\n$c = {75 17 56 ff 15 ?? ?? ?? ?? 6a 00 6a 00 6a 00 56 ff D5 56 ff 15 ?? ?? ?? ?? 56}\r\ncondition:\r\n(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them\r\n}", "pattern_type": "yara", "valid_from": "2014-12-19T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--2cf7c5a1-a6f0-45ba-acd3-c79885bbcad7", "created": "2026-06-24T19:37:50.38883Z", "modified": "2026-06-24T19:37:50.38883Z", "name": "YARA Rule", "pattern": "rule DestructiveTargetCleaningTool6\r\n{\r\nstrings:\r\n$MCU_INF_StartHexDec = {010346080A30D63633000B6263750A5052322A00103D1B570A30E67F2A00130952690A503A0D2A000E00A26E15104556766572636C7669642E657865}\r\n$MCU_INF_StartHexEnc = {6C3272386958BF075230780A0A54676166024968790C7A6779588F5E47312739310163615B3D59686721CF5F2120263E1F5413531F1E004543544C55}\r\ncondition:\r\n$MCU_INF_StartHexEnc or $MCU_INF_StartHexDec\r\n}", "pattern_type": "yara", "valid_from": "2014-12-19T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--82f15703-0496-4d72-8650-2ea818c41649", "created": "2026-06-24T19:37:50.389406Z", "modified": "2026-06-24T19:37:50.389406Z", "name": "YARA Rule", "pattern": "rule DestructiveTargetCleaningTool5\r\n{\r\nstrings:\r\n$MCU_DLL_ZLIB_COMPRESSED2 = { 5C EC AB AE 81 3C C9 BC D5 A5 42 F4 54 91 04 28 34 34 79 80 6F 71 D5 52 1E 2A 0D }\r\ncondition:\r\n$MCU_DLL_ZLIB_COMPRESSED2\r\n}", "pattern_type": "yara", "valid_from": "2014-12-19T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7b71d4b3-4c77-42e6-a191-0fbe7119d503", "created": "2026-06-24T19:37:50.389973Z", "modified": "2026-06-24T19:37:50.389973Z", "name": "YARA Rule", "pattern": "rule DestructiveTargetCleaningTool4\r\n{\r\nstrings:\r\n$BATCH_SCRIPT_LN1_0 = \"goto x\" fullword\r\n$BATCH_SCRIPT_LN1_1 = \"del\" fullword\r\n$BATCH_SCRIPT_LN2_0 = \"if exist\" fullword\r\n$BATCH_SCRIPT_LN3_0 = \":x\" fullword\r\n$BATCH_SCRIPT_LN4_0 = \"zz%d.bat\" fullword\r\ncondition:\r\n(#BATCH_SCRIPT_LN1_1 == 2) and all of them\r\n}", "pattern_type": "yara", "valid_from": "2014-12-19T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7220414c-db9c-4bce-943e-b17174f5dafa", "created": "2026-06-24T19:37:50.390537Z", "modified": "2026-06-24T19:37:50.390537Z", "name": "YARA Rule", "pattern": "rule DestructiveTargetCleaningTool3\r\n{\r\nstrings:\r\n$S1_CMD_Arg = \"/install\" fullword\r\n$S2_CMD_Parse= \"\\\"%s\\\" /install \\\"%s\\\"\" fullword\r\n$S3_CMD_Builder= \"\\\"%s\\\" \\\"%s\\\" \\\"%s\\\" %s\" fullword\r\ncondition:\r\nall of them\r\n}", "pattern_type": "yara", "valid_from": "2014-12-19T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--c5cc68e0-6d45-4b29-a2ff-769069f1746c", "created": "2026-06-24T19:37:50.391103Z", "modified": "2026-06-24T19:37:50.391103Z", "name": "YARA Rule", "pattern": "rule DestructiveTargetCleaningTool2\r\n{\r\nstrings:\r\n$secureWipe = { 83 EC 34 53 55 8B 6C 24 40 56 57 83 CE FF 55 C7 44 24 2C D3 00 00 00 C7 44 24 30 2C 00 00 00 89 74 24 34 89 74 24 38 C7 44 24 3C 95 00 00 00 C7 44 24 40 6A 00 00 00 89 74 24 44 C7 44 24 14 07 00 00 00 FF 15 ?? ?? ?? ?? 3B C6 89 44 24 1C 0F 84 (D8 | d9) 01 00 00 33 FF 68 00 00 01 00 57 FF 15 ?? ?? ?? ?? 8B D8 3B DF 89 5C 24 14 0F 84 (BC | BD) 01 00 00 8B 44 24 1C A8 01 74 0A 24 FE 50 55 FF 15 ?? ?? ?? ?? 8B 44 24 4C 2B C7 74 20 48 74 0F 83 E8 02 75 1C C7 44 24 10 03 00 00 00 EB 12 C7 44 24 10 01 00 00 00 89 74 24 28 EB 04 89 7C 24 10 8B 44 24 10 89 7C 24 1C 3B C7 0F 8E ( 5C | 5d ) 01 00 00 8D 44 24 28 89 44 24 4C EB 03 83 CE FF 8B 4C 24 4C 8B 01 3B C6 74 17 8A D0 B9 00 40 00 00 8A F2 8B FB 8B C2 C1 E0 10 66 8B C2 F3 AB EB ( 13 | 14) 33 F6 (E8 | ff 15) ?? ?? ?? ?? 88 04 1E 46 81 FE 00 00 01 00 7C ( EF | ee) 6A 00 6A 00 6A 03 6A 00 6A 03 68 00 00 00 C0 55 FF 15 ?? ?? ?? ?? 8B F0 83 FE FF 0F 84 FA 00 00 00 8D 44 24 20 50 56 FF 15 ?? ?? ?? ?? 8B 2D ?? ?? ?? ?? 6A 02 6A 00 6A FF 56 FF D5 8D 4C 24 18 6A 00 51 6A 01 53 56 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 6A 00 6A 00 6A 00 56 FF D5 8B 44 24 24 8B 54 24 20 33 FF 33 DB 85 C0 7C 5A 7F 0A 85 D2 76 54 EB 04 8B 54 24 20 8B CA BD 00 00 01 00 2B CF 1B C3 85 C0 7F 0A 7C 04 3B CD 73 04 2B D7 8B EA 8B 44 24 14 8D 54 24 18 6A 00 52 55 50 56 FF 15 ?? ?? ?? ?? 8B 6C 24 18 8B 44 24 24 03 FD 83 D3 00 3B D8 7C BE 7F 08 8B 54 24 20 3B FA 72 B8 8B 2D ?? ?? ?? ?? 8B 5C 24 10 8B 7C 24 1C 8D 4B FF 3B F9 75 17 56 FF 15 ?? ?? ?? ?? 6A 00 6A 00 6A 00 56 FF D5 56 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 8B 4C 24 4C 8B 6C 24 48 47 83 C1 04 3B FB 8B 5C 24 14 89 7C 24 1C 89 4C 24 4C 0F 8C ( AE | AD) FE FF FF 6A 00 55 E8 ?? ?? ?? ?? 83 C4 08 53 FF 15 ?? ?? ?? ?? 5F 5E 5D 5B 83 C4 34 C3 }\r\ncondition:\r\n$secureWipe\r\n}", "pattern_type": "yara", "valid_from": "2014-12-19T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--8076e603-3c4f-4a9f-9aed-bb904d0a5326", "created": "2026-06-24T19:37:50.391672Z", "modified": "2026-06-24T19:37:50.391672Z", "name": "YARA Rule", "pattern": "rule DestructiveTargetCleaningTool1\r\n{\r\nstrings:\r\n$s1 = {d3000000 [4] 2c000000 [12] 95000000 [4] 6a000000 [8] 07000000}\r\ncondition:\r\n(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them\r\n}", "pattern_type": "yara", "valid_from": "2014-12-19T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--b9ada41e-e848-41b2-a65a-1ae37a2c8c67", "created": "2026-06-24T19:37:50.392231Z", "modified": "2026-06-24T19:37:50.392231Z", "name": "YARA Rule", "pattern": "rule DestructiveHardDriveTool1\r\n{\r\nstrings:\r\n$str0= \"MZ\"\r\n$str1 = {c6 84 24 ?? ( 00 | 01 ) 00 00 }\r\n$xorInLoop = { 83 EC 20 B9 08 00 00 00 33 D2 56 8B 74 24 30 57 8D 7C 24 08 F3 A5 8B 7C 24 30 85 FF 7E 3A 8B 74 24 2C 8A 44 24 08 53 8A 4C 24 21 8A 5C 24 2B 32 C1 8A 0C 32 32 C3 32 C8 88 0C 32 B9 1E 00 00 00 8A 5C 0C 0C 88 5C 0C 0D 49 83 F9 FF 7F F2 42 88 44 24 0C 3B D7 7C D0 5B 5F 5E 83 C4 20 C3 }\r\ncondition:\r\n$str0 at 0 and $xorInLoop and #str1 > 300\r\n}", "pattern_type": "yara", "valid_from": "2014-12-19T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--95f95cca-134f-4be3-a113-4f084e4a214f", "created": "2026-06-24T19:37:50.392828Z", "modified": "2026-06-24T19:37:50.392828Z", "name": "YARA Rule", "pattern": "rule ProxyTool3\r\n{\r\nstrings:\r\n$STR2 = {8A 04 17 8B FB 34 A7 46 88 02 83 C9 FF}\r\ncondition:\r\n(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and $STR2\r\n}", "pattern_type": "yara", "valid_from": "2014-12-19T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--24c77712-83f5-4f8e-82d3-d8233f051d48", "created": "2026-06-24T19:37:50.393399Z", "modified": "2026-06-24T19:37:50.393399Z", "name": "YARA Rule", "pattern": "rule ProxyTool2\r\n{\r\nstrings:\r\n$STR1 = { 82 F4 DE D4 D3 C2 CA F5 C8 C8 D3 82 FB F4 DE D4 D3 C2 CA 94 95 FB D4 D1 C4 CF C8 D4 D3 89 C2 DF C2 87 8A CC 87 00 } // '%SystemRoot%\\System32\\svchost.exe -k' xor A7\r\ncondition:\r\n(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them\r\n}", "pattern_type": "yara", "valid_from": "2014-12-19T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--834742b1-42a0-43c2-ad8b-9151c38fd27c", "created": "2026-06-24T19:37:50.393966Z", "modified": "2026-06-24T19:37:50.393966Z", "name": "YARA Rule", "pattern": "rule ProxyTool1\r\n{\r\nstrings:\r\n$STR1 = \"pmsconfig.msi\" wide\r\n$STR2 = \"pmslog.msi\" wide\r\ncondition:\r\n(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and any of them\r\n}", "pattern_type": "yara", "valid_from": "2014-12-19T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--097ed8a2-c6ce-4c32-972d-aa786a7895a3", "created": "2026-06-24T19:37:50.394537Z", "modified": "2026-06-24T19:37:50.394537Z", "name": "YARA Rule", "pattern": "rule LightweightBackdoor6\r\n{\r\nstrings:\r\n$STR1 = { 8A 10 80 ?? 4E 80 ?? 79 88 10}\r\n$STR2 = { 8A 10 80?? 79 80 ?? 4E 88 10}\r\ncondition:\r\n(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them\r\n}", "pattern_type": "yara", "valid_from": "2014-12-19T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--7e9920b7-fad9-4f48-9209-675cc1751de5", "created": "2026-06-24T19:37:50.395108Z", "modified": "2026-06-24T19:37:50.395108Z", "name": "YARA Rule", "pattern": "rule LightweightBackdoor5\r\n{\r\nstrings:\r\n$STR1 = { C6 45 F4 74 C6 45 F5 6C C6 45 F6 76 C6 45 F7 63 C6 45 F8 2E C6 45 F9 6E C6 45 FA 6C C6 45 FB 73 } // 'tlvc.nls' being moved to ebp\r\ncondition:\r\n(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them\r\n}", "pattern_type": "yara", "valid_from": "2014-12-19T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--d2f26c2f-c5d0-4254-9179-22f5f637fa0c", "created": "2026-06-24T19:37:50.395672Z", "modified": "2026-06-24T19:37:50.395672Z", "name": "YARA Rule", "pattern": "rule LightweightBackdoor4\r\n{\r\nstrings:\r\n$STR1 = { C6 45 F4 61 C6 45 F5 6E C6 45 F6 73 C6 45 F7 69 C6 45 F8 2E C6 45 F9 6E C6 45 FA 6C C6 45 FB 73 } // 'ansi.nls' being moved to ebp\r\ncondition:\r\n(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them\r\n}", "pattern_type": "yara", "valid_from": "2014-12-19T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--906d801c-cdb0-414d-997e-394df049e155", "created": "2026-06-24T19:37:50.396239Z", "modified": "2026-06-24T19:37:50.396239Z", "name": "YARA Rule", "pattern": "rule LightweightBackdoor3\r\n{\r\nstrings:\r\n$STR1 = { C6 45 E8 64 C6 45 E9 61 C6 45 EA 79 C6 45 EB 69 C6 45 EC 70 C6 45 ED 6D C6 45 EE 72 C6 45 EF 2E C6 45 F0 74 C6 45 F1 62 C6 45 F2 6C } // 'dayipmr.tbl' being moved to ebp\r\ncondition:\r\n(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them\r\n}", "pattern_type": "yara", "valid_from": "2014-12-19T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--fa110f19-b021-4644-a4d8-d0b70b69ba35", "created": "2026-06-24T19:37:50.396834Z", "modified": "2026-06-24T19:37:50.396834Z", "name": "YARA Rule", "pattern": "rule LightweightBackdoor2\r\n{\r\nstrings:\r\n$STR1 = \"prxTroy\" ascii wide nocase\r\ncondition:\r\n(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them\r\n}", "pattern_type": "yara", "valid_from": "2014-12-19T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--eb6735ab-3a7b-4414-8007-03d57c6dafe1", "created": "2026-06-24T19:37:50.397401Z", "modified": "2026-06-24T19:37:50.397401Z", "name": "YARA Rule", "pattern": "rule Lightweight_Backdoor1\r\n{\r\nstrings:\r\n$STR1 = \"NetMgStart\"\r\n$STR2 = \"Netmgmt.srg\"\r\ncondition:\r\n(uint16(0) == 0x5A4D) and all of them\r\n}", "pattern_type": "yara", "valid_from": "2014-12-19T00:00:00Z" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--0f36f211-4275-4cae-90a6-b7685e6b88f8", "created": "2026-06-24T19:37:50.397967Z", "modified": "2026-06-24T19:37:50.397967Z", "name": "YARA Rule", "pattern": "rule SMB_Worm_Tool\r\n{\r\nstrings:\r\n$STR1 = \"Global\\\\FwtSqmSession106829323_S-1-5-19\"\r\n$STR2 = \"EVERYONE\"\r\n$STR3 = \"y0uar3@s!llyid!07,ou74n60u7f001\"\r\n$STR4 = \"\\\\KB25468.dat\"\r\ncondition:\r\n( uint16(0) == 0x5A4D or\r\nuint16(0) == 0xCFD0 or\r\nuint16(0) == 0xC3D4 or\r\nuint32(0) == 0x46445025 or\r\nuint32(1) == 0x6674725C)\r\nand all of them\r\n}", "pattern_type": "yara", "valid_from": "2014-12-19T00:00:00Z" }, { "type": "report", "spec_version": "2.1", "id": "report--4bc2e001-8666-4d39-9f79-1f0810989ffd", "created_by_ref": "identity--ee1af7fe-c2db-446e-ab28-bdb4b4e29c1c", "created": "2026-06-24T19:37:50.400817Z", "modified": "2026-06-24T19:37:50.400817Z", "name": "Targeted Destructive Malware", "published": "2014-12-19T00:00:00Z", "object_refs": [ "identity--ee1af7fe-c2db-446e-ab28-bdb4b4e29c1c", "file--08613019-028b-428a-89c3-9878dc4f18a9", "file--c07178cb-b02e-44bd-95c4-3e24b0525e8f", "file--409a257a-e413-49d8-9fec-f0d53e4a38ca", "file--fa5603b3-091a-4c3d-9a3c-5a851225ffdb", "file--8368288b-a100-4904-a335-9eb585c26da1", "file--d0dd3f27-bdb0-472f-8a0a-25d0c95b8088", "file--65df7ce7-8cc9-4b8f-948d-e41d9f9d237f", "file--8a4053ab-b184-4eb1-b55d-de35b5dd1553", "file--4251833f-9e57-450d-9c56-5d6d94026f05", "file--7e509448-62c1-446c-be34-cba8354d9e67", "file--1683a541-d437-4841-8cfc-1b5d4868c926", "file--0cfe6d9f-5c4b-4a9c-9c5e-02c46da78f5b", "file--dfc79ad8-bf9c-46c0-90e5-0c75cc78738c", "file--4877d2db-8ee8-4bee-9374-e8703cf733f9", "file--e43825ba-9889-4e8a-b930-f2c6e1472ce3", "file--e1ce4e0b-d33c-4554-b77a-8129227f744d", "file--8b25d846-afe4-4c87-8895-ac447cff4a74", "file--a4bf7851-780e-4747-b3b2-d027e33732a3", "file--dcd5eaf7-1388-444f-ab83-d2c2725b4185", "file--08b4edf9-8ff6-433a-9fc1-ffeee030622a", "file--265ac284-8328-40cf-b0fd-ee60315ac505", "file--9e2e092b-165d-4e9f-9891-ee7f2565e344", "file--4721fb21-30c0-4224-b064-4bed023a393d", "file--7f62c71e-460c-4eef-8fc9-4689f4f155df", "file--464e5812-7440-44a2-8516-b5d3687ee14c", "file--b43e8a10-f130-48b2-a03f-078b8d1845a8", "file--a670825a-836c-4012-a304-2c6852a74f3d", "file--3346ef2c-a3bd-4419-b3a8-e7e81a350923", "file--561c7295-b151-4d0c-a2b4-58097eaf16a4", "file--bc0234d4-1fc0-45a2-b817-f0f452eb68b3", "file--cecf09d3-797d-45aa-a824-4aa973cf5edc", "file--ae18a2b5-b1fd-4a91-bc22-fa244248f428", "file--87849cb9-cefc-4c3e-bff1-16764e18c5c2", "file--02cd7e75-fb70-4b5c-a321-5e8cb0b8213f", "file--f75db0c7-c89a-48f0-bff0-1d2af775cb65", "ipv4-addr--af4cb8a1-64bb-40de-b550-8a6a45868640", "ipv4-addr--b7956185-5161-4a3b-969f-af9b2ff1994a", "ipv4-addr--39aecd6e-67e0-4c94-bb71-f37e6d2ad00c", "ipv4-addr--6adfa9a6-c353-46ac-8357-dc1b2bf5e8c8", "ipv4-addr--745953c4-c073-4f2e-adc0-8d5ba867f2c7", "ipv4-addr--6b9b9cbf-c74d-47c7-83ce-b1e51e476161", "ipv4-addr--cdced1a3-573b-4572-a0e4-c9b0e9aa4dd4", "indicator--c5321319-d5ca-45d8-856e-edf7c3dc05b9", "indicator--1dbdc0d2-d42d-4bfd-8150-f06c281e623c", "indicator--c39c5edb-98f3-4a46-8937-039a0fbb46ec", "indicator--75561c4b-59e3-4812-bdca-45ab7d0256d9", "indicator--2fc08feb-7d2d-48ae-8d14-f1364c976fb4", "indicator--2cf7c5a1-a6f0-45ba-acd3-c79885bbcad7", "indicator--82f15703-0496-4d72-8650-2ea818c41649", "indicator--7b71d4b3-4c77-42e6-a191-0fbe7119d503", "indicator--7220414c-db9c-4bce-943e-b17174f5dafa", "indicator--c5cc68e0-6d45-4b29-a2ff-769069f1746c", "indicator--8076e603-3c4f-4a9f-9aed-bb904d0a5326", "indicator--b9ada41e-e848-41b2-a65a-1ae37a2c8c67", "indicator--95f95cca-134f-4be3-a113-4f084e4a214f", "indicator--24c77712-83f5-4f8e-82d3-d8233f051d48", "indicator--834742b1-42a0-43c2-ad8b-9151c38fd27c", "indicator--097ed8a2-c6ce-4c32-972d-aa786a7895a3", "indicator--7e9920b7-fad9-4f48-9209-675cc1751de5", "indicator--d2f26c2f-c5d0-4254-9179-22f5f637fa0c", "indicator--906d801c-cdb0-414d-997e-394df049e155", "indicator--fa110f19-b021-4644-a4d8-d0b70b69ba35", "indicator--eb6735ab-3a7b-4414-8007-03d57c6dafe1", "indicator--0f36f211-4275-4cae-90a6-b7685e6b88f8" ], "external_references": [ { "source_name": "source", "url": "https://www.us-cert.gov/ncas/alerts/TA14-353A" } ] } ] }