YARA rules for APT3
YARA rules whose family, name, or description textually matches this actor or its tooling. Because the match is textual, rules written for differently numbered actors can be pulled in (for example, the APT30 and APT 36 rules below); check each rule's description and reference before attributing a hit. Use these for binary-pattern hunts.
rule APT30_Sample_22 {
    // Sample-specific rule from the FireEye APT30 report. Every string must be present,
    // so it is tuned to the referenced sample rather than to the family as a whole.
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        // 40 hex digits (SHA-1 length); pivot on it with the matching digest type
        hash = "0d17a58c24753e5f8fd5276f62c8c7394d8e1481"
        id = "6c1b3dd2-4383-51a2-9185-2365a4d1e784"
    strings:
        // Several strings are truncated or carry stray characters ("LSSAS.exeJ", "QC:\\WINDOWS");
        // presumably they are copied verbatim from the sample's string table -- confirm against
        // the referenced hash before "correcting" any of them, since "fullword" makes them exact.
        $s1 = "(\\TEMP" fullword ascii
        $s2 = "Windows\\Cur" fullword ascii
        $s3 = "LSSAS.exeJ" fullword ascii
        $s4 = "QC:\\WINDOWS" fullword ascii
        $s5 = "System Volume" fullword ascii
        $s8 = "PROGRAM FILE" fullword ascii
    condition:
        // MZ header (0x5A4D is "MZ" read as a little-endian uint16), size cap, then all six strings
        filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
rule APT30_Generic_F {
    // "Generic" here means the strings were shared by the four hashes listed below;
    // the condition still demands all three strings, so coverage stays narrow.
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        // 32 hex digits each (MD5 length)
        hash1 = "09010917cd00dc8ddd21aeb066877aa2"
        hash2 = "4c10a1efed25b828e4785d9526507fbc"
        hash3 = "b7b282c9e3eca888cbdb5a856e07e8bd"
        hash4 = "df1799845b51300b03072c6569ab96d5"
        id = "cff8b921-9afc-5a52-84cb-825de33fc86e"
    strings:
        $s0 = "\\~zlzl.exe" ascii
        // Note the digit "1" in "Exp1orer": the look-alike spelling is the indicator, keep it as written
        $s2 = "\\Internet Exp1orer" ascii
        $s3 = "NodAndKabIsExcellent" fullword ascii
    condition:
        // MZ header plus size cap, then all three strings
        filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
rule APT30_Sample_23 {
    // Sample-specific rule from the FireEye APT30 report; all eight strings are required.
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        // 40 hex digits (SHA-1 length)
        hash = "9865e24aadb4480bd3c182e50e0e53316546fc01"
        id = "9366dd34-9967-5b40-935e-4b0d8f2f5e9e"
    strings:
        $s0 = "hostid" ascii
        $s1 = "\\Window" ascii
        $s2 = "%u:%u%s" fullword ascii
        // The fragments below ("S2tware\\Mic", "la/4.0 (compa", "ToWideChc[lo", "help32SnapshotfL")
        // look like pieces of registry paths, a User-Agent and API names as they occur in the sample;
        // presumably packed or damaged text -- verify against the referenced hash before editing.
        $s5 = "S2tware\\Mic" ascii
        $s6 = "la/4.0 (compa" ascii
        $s7 = "NameACKernel" fullword ascii
        $s12 = "ToWideChc[lo" fullword ascii
        $s14 = "help32SnapshotfL" ascii
    condition:
        // MZ header plus size cap, then every string
        filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
rule APT30_Sample_24 {
    // Sample-specific rule from the FireEye APT30 report; all seven strings are required.
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        // 40 hex digits (SHA-1 length)
        hash = "572caa09f2b600daa941c60db1fc410bef8d1771"
        id = "aed2201d-b557-56ec-aa53-fff5b1e17dbd"
    strings:
        // "dizhi.gif" and "#MicrosoftHaveAck7" also appear (in variants) in APT30_Sample_27/28
        // on this page, so they are the most family-specific tokens here.
        $s1 = "dizhi.gif" fullword ascii
        // Generic User-Agent prefix; only meaningful in conjunction with the others
        $s3 = "Mozilla/4.0" fullword ascii
        $s4 = "lyeagles" fullword ascii
        $s6 = "HHOSTR" ascii
        $s7 = "#MicrosoftHaveAck7" ascii
        $s8 = "iexplore." fullword ascii
        $s17 = "ModuleH" fullword ascii
    condition:
        // MZ header plus size cap, then every string
        filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
rule APT30_Sample_25 {
    // Sample-specific rule from the FireEye APT30 report; all seven strings are required.
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        // 40 hex digits (SHA-1 length)
        hash = "44a21c8b3147fabc668fee968b62783aa9d90351"
        id = "8b2f2ba2-e9cc-5b3c-8af9-4217d662bc3f"
    strings:
        $s1 = "C:\\WINDOWS" fullword ascii
        $s2 = "aragua" fullword ascii
        // Truncated fragments ("\\driver32\\7$", "System V", "Compu~r", "PROGRAM L") presumably
        // reflect the sample's string table as stored; confirm against the hash before changing.
        $s4 = "\\driver32\\7$" ascii
        $s8 = "System V" fullword ascii
        $s9 = "Compu~r" fullword ascii
        $s10 = "PROGRAM L" fullword ascii
        $s18 = "GPRTMAX" fullword ascii
    condition:
        // MZ header plus size cap, then every string
        filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
rule APT30_Sample_26 {
    // Sample-specific rule from the FireEye APT30 report; all seven strings are required.
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        // 40 hex digits (SHA-1 length)
        hash = "e26588113417bf68cb0c479638c9cd99a48e846d"
        id = "aa80a142-c8fc-504e-b475-e9838607bec6"
    strings:
        $s1 = "forcegue" fullword ascii
        $s3 = "Windows\\Cur" fullword ascii
        $s4 = "System Id" fullword ascii
        $s5 = "Software\\Mic" fullword ascii
        // Garbled API-name fragments ("utiBy0ToWideCh&$a", "PeekNamed6G"); presumably taken from
        // the sample as stored -- verify against the referenced hash before editing.
        $s6 = "utiBy0ToWideCh&$a" fullword ascii
        $s10 = "ModuleH" fullword ascii
        $s15 = "PeekNamed6G" fullword ascii
    condition:
        // MZ header plus size cap, then every string
        filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
rule APT30_Generic_D {
    // Shared strings across the six hashes below; all six strings are still required.
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        // 32 hex digits each (MD5 length)
        hash1 = "35dfb55f419f476a54241f46e624a1a4"
        hash2 = "4fffcbdd4804f6952e0daf2d67507946"
        hash3 = "597805832d45d522c4882f21db800ecf"
        hash4 = "6bd422d56e85024e67cc12207e330984"
        hash5 = "82e13f3031130bd9d567c46a9c71ef2b"
        hash6 = "b79d87ff6de654130da95c73f66c15fa"
        id = "9b8d8a60-a357-5cfd-8ff1-6264144ad7be"
    strings:
        // Wide strings: presumably version-resource text (service name, file name, version) -- confirm
        $s0 = "Windows Security Service Feedback" fullword wide
        $s1 = "wssfmgr.exe" fullword wide
        $s2 = "\\rb.htm" ascii
        $s3 = "rb.htm" fullword ascii
        $s4 = "cook5" ascii
        $s5 = "5, 4, 2600, 0" fullword wide
    condition:
        // MZ header plus size cap, then every string
        filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
rule APT30_Sample_27 {
    // Sample-specific rule from the FireEye APT30 report; all seven strings are required.
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        // 40 hex digits (SHA-1 length)
        hash = "959573261ca1d7e5ddcd19447475b2139ca24fe1"
        id = "22815745-086f-59ee-aac1-f35e49aa5835"
    strings:
        // Generic User-Agent prefix; only meaningful together with the others
        $s0 = "Mozilla/4.0" fullword ascii
        // Same URI filename seen in APT30_Sample_24 and APT30_Sample_28 on this page
        $s1 = "dizhi.gif" fullword ascii
        // Fragment of the "MicrosoftHaveAck" token used by the other APT30 rules here
        $s5 = "oftHaveAck+" ascii
        $s10 = "HlobalAl" fullword ascii
        $s13 = "$NtRND1$" fullword ascii
        $s14 = "_NStartup" ascii
        $s16 = "GXSYSTEM" fullword ascii
    condition:
        // MZ header plus size cap, then every string
        filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
rule APT30_Sample_28 {
    // Looser than the other APT30 sample rules on this page: 7 of the 15 strings suffice.
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        // 32 hex digits each (MD5 length)
        hash1 = "e62a63307deead5c9fcca6b9a2d51fb0"
        hash2 = "5b590798da581c894d8a87964763aa8b"
        id = "1bc8c68f-ebbb-58b1-92aa-5954318096a0"
    strings:
        // Hostnames and URI paths; the most specific indicators in the set
        $s0 = "www.flyeagles.com" fullword ascii
        // Common Windows binary name; counts toward the threshold but is not specific on its own
        $s1 = "iexplore.exe" fullword ascii
        $s2 = "www.km-nyc.com" fullword ascii
        $s3 = "cmdLine.exe" fullword ascii
        $s4 = "Software\\Microsoft\\CurrentNetInf" fullword ascii
        $s5 = "/dizhi.gif" ascii
        $s6 = "/connect.gif" ascii
        $s7 = "USBTest.sys" fullword ascii
        $s8 = "/ver.htm" fullword ascii
        // Both spellings ("netscv" and "netsvc") are kept on purpose; the threshold tolerates either
        $s11 = "\\netscv.exe" ascii
        $s12 = "/app.htm" fullword ascii
        $s13 = "\\netsvc.exe" ascii
        $s14 = "/exe.htm" fullword ascii
        // Tokens shared with APT30_Sample_24 / APT30_Sample_27 / APT30_Sample_29 on this page
        $s18 = "MicrosoftHaveAck" fullword ascii
        $s19 = "MicrosoftHaveExit" fullword ascii
    condition:
        // MZ header plus size cap, then any 7 of the strings above
        filesize < 100KB and uint16(0) == 0x5A4D and 7 of them
}
rule APT30_Sample_29 {
    // Sample-specific rule from the FireEye APT30 report; all eight strings are required.
    meta:
        description = "FireEye APT30 Report Sample"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
        date = "2015/04/13"
        // 40 hex digits (SHA-1 length)
        hash = "44492c53715d7c79895904543843a321491cb23a"
        id = "24334885-fcb4-5a13-82e8-c8465f97361e"
    strings:
        // Misspelled process name ("LSSAS" rather than "LSASS") as written in the sample; keep as is
        $s0 = "LSSAS.exe" fullword ascii
        $s1 = "Software\\Microsoft\\FlashDiskInf" fullword ascii
        // Section name left by the Petite packer -- presumably; confirm on the referenced hash
        $s2 = ".petite" fullword ascii
        // "MicrosoftFlash*" tokens parallel the "MicrosoftHave*" tokens in the other APT30 rules here
        $s3 = "MicrosoftFlashExit" fullword ascii
        $s4 = "MicrosoftFlashHaveExit" fullword ascii
        $s5 = "MicrosoftFlashHaveAck" fullword ascii
        $s6 = "\\driver32" ascii
        $s7 = "MicrosoftFlashZJ" fullword ascii
    condition:
        // MZ header plus size cap, then every string
        filesize < 100KB and uint16(0) == 0x5A4D and all of them
}
rule SUSP_LNX_Sindoor_ELF_Obfuscation_Aug25 {
    // Deliberately does NOT check for the ELF magic: the payload is stored with its first bytes
    // zeroed, and the companion rule SUSP_LNX_Sindoor_DesktopFile_Aug25 shows the launcher
    // writing "\x7FELF" back with printf|dd -- inferred from the two rules, confirm on the sample.
    meta:
        description = "Detects ELF obfuscation technique used by Sindoor dropper related to APT 36"
        author = "Pezier Pierre-Henri"
        date = "2025-08-29"
        score = 70
        reference = "Internal Research"
        // 64 hex digits (SHA-256 length)
        hash = "6879a2b730e391964afe4dbbc29667844ba0c29239be5503b7c86e59e7052443"
    strings:
        // UPX packer marker
        $s1 = "UPX!"
    condition:
        filesize < 10MB
        // first two bytes zeroed, where "\x7F" "E" would sit in a real ELF header
        and uint16(0) == 0
        // bytes 4-5 (EI_CLASS / EI_DATA in an ELF header) must not both be zero
        and uint16(4) > 0
        // UPX marker expected just past the ELF/program headers, not anywhere in the file
        and $s1 in (0xc0..0x100)
}
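rule SUSP_LNX_Sindoor_DesktopFile_Aug25 {
    // Matches the .desktop launcher that accompanies the obfuscated ELF, not the ELF itself
    // (see SUSP_LNX_Sindoor_ELF_Obfuscation_Aug25 for the payload side).
    meta:
        // Description names what the rule actually matches: the launcher, not the ELF technique
        description = "Detects .desktop launcher used by Sindoor dropper related to APT 36"
        author = "Pezier Pierre-Henri"
        date = "2025-08-29"
        score = 70
        reference = "Internal Research"
        // 64 hex digits (SHA-256 length)
        hash = "9943bdf1b2a37434054b14a1a56a8e67aaa6a8b733ca785017d3ed8c1173ac59"
    strings:
        // Anchors the rule to desktop-entry files
        $hdr = "[Desktop Entry]"
        // Shell fragment that writes the ELF magic into a file; the YARA literal "\\\\" is two
        // backslashes on disk, presumably because the desktop-entry Exec field unescapes "\\" to "\"
        // before the shell sees "\x7FELF" -- confirm against the referenced hash
        $s1 = "printf '\\\\x7FELF' | dd of"
        // Lure document filename
        $s2 = "Future_Note_Warfare_OpSindoor.pdf"
    condition:
        filesize < 100KB
        and $hdr
        // either the ELF-restoring command or the lure filename is enough
        and any of ($s*)
}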
rule MAL_Sindoor_Decryptor_Aug25 {
    // Go-built decryptor: the strings are Go symbol names, so the rule keys on the
    // binary's function table rather than on any encrypted payload.
    meta:
        description = "Detects AES decryptor used by Sindoor dropper related to APT 36"
        author = "Pezier Pierre-Henri"
        date = "2025-08-29"
        score = 80
        reference = "Internal Research"
        // 64 hex digits (SHA-256 length)
        hash = "9a1adb50bb08f5a28160802c8f315749b15c9009f25aa6718c7752471db3bb4b"
    strings:
        // Present in every Go binary; narrows to Go but carries no attribution by itself
        $s1 = "Go build"
        // main-package symbols; the RC4 symbol and the fallback message show an RC4 path beside AES
        $s2 = "main.rc4EncryptDecrypt"
        $s3 = "main.processFile"
        $s4 = "main.deriveKeyAES"
        $s5 = "use RC4 instead of AES"
    condition:
        filesize < 100MB
        // executable-format gate: PE, ELF or Mach-O (fat or thin)
        and (
            uint16(0) == 0x5a4d // Windows
            or uint32be(0) == 0x7f454c46 // Linux
            or (uint32be(0) == 0xcafebabe and uint32be(4) < 0x20) // Universal mach-O App with dont-match-java-class-file hack
            or uint32(0) == 0xfeedface // 32-bit mach-O
            or uint32(0) == 0xfeedfacf // 64-bit mach-O
        )
        // all five symbols must be present
        and all of them
}
rule MAL_Sindoor_Downloader_Aug25 {
    // Go-built downloader; like MAL_Sindoor_Decryptor_Aug25 it keys on Go symbol names.
    meta:
        description = "Detects Sindoor downloader related to APT 36"
        author = "Pezier Pierre-Henri"
        date = "2025-08-29"
        score = 80
        reference = "Internal Research"
        // 64 hex digits (SHA-256 length)
        hash = "38b6b93a536cbab5c289fe542656d8817d7c1217ad75c7f367b15c65d96a21d4"
    strings:
        // Present in every Go binary; narrows to Go but carries no attribution by itself
        $s1 = "Go build"
        // main-package symbols; ".deferwrap" is a compiler-generated wrapper name, so it ties
        // the match to a specific Go toolchain generation as well as to the function
        $s2 = "main.downloadFile.deferwrap"
        $s3 = "main.decrypt"
        $s4 = "main.HiddenHome"
        $s5 = "main.RealCheck"
    condition:
        filesize < 100MB
        // executable-format gate: PE, ELF or Mach-O (fat or thin)
        and (
            uint16(0) == 0x5a4d // Windows
            or uint32be(0) == 0x7f454c46 // Linux
            or (uint32be(0) == 0xcafebabe and uint32be(4) < 0x20) // Universal mach-O App with dont-match-java-class-file hack
            or uint32(0) == 0xfeedface // 32-bit mach-O
            or uint32(0) == 0xfeedfacf // 64-bit mach-O
        )
        // all five symbols must be present
        and all of them
}
rule HKTL_Buckeye_Osinfo {
    // Hacktool rule: the strings are the tool's own command-line usage text, so a hit means the
    // reconnaissance utility itself is on disk, not that it was run.
    meta:
        description = "Detects OSinfo tool used by the Buckeye APT group"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong"
        date = "2016-09-05"
        score = 70
        id = "e40a86d1-fd1a-5430-b7b7-8cc7ca128cc5"
    strings:
        // Usage/help lines; "OneServerOneLine" and "NetuseInfo" are the least likely to collide
        $s1 = "-s ShareInfo ShareDir" fullword ascii
        $s2 = "-a Local And Global Group User Info" fullword ascii
        $s3 = "-f <infile> //input server list from infile, OneServerOneLine" fullword ascii
        $s4 = "info <\\server> <user>" fullword ascii
        $s5 = "-c Connect Test" fullword ascii
        $s6 = "-gd Group Domain Admins" fullword ascii
        $s7 = "-n NetuseInfo" fullword ascii
    condition:
        // MZ header and any 3 of the 7 usage strings; note there is no filesize cap, unlike the
        // other rules on this page, so large PE files are scanned in full
        uint16(0) == 0x5a4d and 3 of ($s*)
}
rule Pirpi_1609_A {
    // Generic Pirpi rule with three string groups: $x1 (a single strong token), $c* (two
    // file names that must co-occur) and $op* (three code byte patterns that must co-occur).
    meta:
        description = "Detects Pirpi Backdoor - and other malware (generic rule)"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "http://goo.gl/igxLyF"
        date = "2016-09-08"
        // 64 hex digits each (SHA-256 length)
        hash1 = "2a5a0bc350e774bd784fc25090518626b65a3ce10c7401f44a1616ea2ae32f4c"
        hash2 = "8caa179ec20b6e3938d17132980e0b9fe8ef753a70052f7e857b339427eb0f78"
        id = "72b996e2-56cf-5a8d-8d8b-97eda7105d26"
    strings:
        // Strong single indicator: sufficient on its own for a small PE
        $x1 = "expand.exe1.gif" fullword ascii
        // Both $c strings are required together; "expand.exe" alone is a legitimate Windows
        // utility name, so the pairing with "ctf.exe" is what gives this branch its weight
        $c1 = "expand.exe" fullword ascii
        $c2 = "ctf.exe" fullword ascii
        // Supporting strings: file names, a hostname, a registry path and format strings
        $s1 = "flvUpdate.exe" fullword wide
        $s2 = "www.ThinkWorking.com" fullword wide
        $s3 = "ctfnon.exe" fullword ascii
        $s4 = "flv%d.exe" fullword ascii
        $s5 = "HARDWARE\\DESCRIPTION\\System\\BIOS" fullword ascii
        $s6 = "12811[%d].gif" fullword ascii
        $s7 = "GetApp03" fullword wide
        $s8 = "flvUpdate" fullword wide
        $s9 = "%d-%4.4d%d" fullword ascii
        $s10 = "http://%s/%5.5d.html" fullword ascii
        $s11 = "flvbho.exe" fullword wide
        // Code byte patterns; all three are required together
        $op1 = { 74 08 c1 cb 0d 03 da 40 eb }
        $op2 = { 03 f5 56 8b 76 20 03 f5 33 c9 49 }
        $op3 = { 03 dd 66 8b 0c 4b 8b 5e 1c 03 dd 8b 04 8b 03 c5 }
    condition:
        // Small PE with one of the strong groups, or any 8 of all strings regardless of format/size
        ( uint16(0) == 0x5a4d and filesize < 200KB and ( $x1 or all of ($c*) or all of ($op*) ) ) or ( 8 of them )
}
rule Pirpi_1609_B {
    // Keys on the backdoor's own log/usage format strings (the "%s", "%d" placeholders are
    // literal in the binary), which tend to survive recompilation better than file names.
    meta:
        description = "Detects Pirpi Backdoor"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Florian Roth (Nextron Systems)"
        reference = "http://goo.gl/igxLyF"
        date = "2016-09-08"
        // 64 hex digits (SHA-256 length)
        hash1 = "498b98c02e19f4b03dc6a3a8b6ff8761ef2c0fedda846ced4b6f1c87b52468e7"
        id = "caf63b97-efd7-5cd4-8954-b86db4d93cf5"
    strings:
        // Operator-facing command help
        $s1 = "tconn <ip> <port> //set temp connect value, and disconnect." fullword ascii
        // "E*"/"L*"/"N110" prefixed status and error lines from the SSL listener/connector
        $s2 = "E* ListenCheckSsl SslRecv fd(%d) Error ret:%d %d" fullword ascii
        $s3 = "%s %s L* ListenCheckSsl fd(%d) SslV(-%d-)" fullword ascii
        $s4 = "S:%d.%d-%d.%d V(%d.%d) Listen On %d Ok." fullword ascii
        $s5 = "E* ListenCheckSsl fd(%d) SslAccept Err %d" fullword ascii
        $s6 = "%s-%s N110 Ssl Connect Ok(%s:%d)." fullword ascii
        $s7 = "%s-%s N110 Basic Connect Ok(%s:%d)." fullword ascii
        // Shorter form of $s1; both can hit on the same file, counting as two
        $s8 = "tconn <ip> <port>" fullword ascii
    condition:
        // PE under 1000KB with any 2 strings, or any 4 strings in a file of any format/size
        ( uint16(0) == 0x5a4d and filesize < 1000KB and 2 of them ) or ( 4 of them )
}