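--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -3,27 +3,34 @@ rule Libcef_Backdoor
 meta :
 id = " 2kQ17alOYwTwkkTNA8vZCX "
 fingerprint = " v1_sha256_7a32b90fb6e962a82af808d698dc19d503c075606f5a7e52f783f0c7d71f5936 "
-version = " 1 .0"
+version = " 2 .0"
 date = " 2025-09-26 "
-modified = " 2025-09-26 "
+modified = " 2025-09-30 "
 status = " RELEASED "
 sharing = " TLP:WHITE "
 source = " BARTBLAZE "
 author = " @bartblaze "
-description = " Identifies backdoored libcef.dll, used by an unknown (likely) APT. "
+description = " Identifies backdoored libcef.dll, used by an unknown (likely) APT. Uses Telegram for exfil. "
 category = " MALWARE "
 malware = " UNKNOWN "
 malware_type = " BACKDOOR "
 reference = " https://github.com/bartblaze/Yara-rules "
 hash = " a3805b24b66646c0cf7ca9abad502fe15b33b53e56a04489cfb64a238616a7bf "
 
 strings :
-$ = " Could not get process list. "
-$ = " Please send the document now. "
-$ = " Failed to create pipe. "
-$ = " Failed to start process. "
-$ = " Command executed but returned no output. "
+$ s1 = " Could not get process list. "
+$ s2 = " Please send the document now. "
+$ s3 = " Failed to create pipe. "
+$ s4 = " Failed to start process. "
+$ s5 = " Command executed but returned no output. "
+$ s6 = " Screenshot taken. "
+$ s7 = " Please send a document, not text. "
 
+$ x1 = " No file or photo found in message. "
+$ x2 = " Error: Cannot create file on disk. "
+$ x3 = " File saved to: "
+$ x4 = " Error receiving file: "
+
 condition :
-4 of them
+4 of ( $ s * ) or 3 of ( $ x * )
 }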
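Review bot: The `hash` meta still lists only the original sample while the new `$s6`, `$s7` and `$x1`–`$x4` strings look as though they were taken from an additional sample; if so, that sample's hash belongs in the meta so the strings can be re-verified against it later. The `3 of ($x*)` branch is noticeably weaker than the `$s*` branch, because `$x2`–`$x4` are generic file-handling messages that unrelated software could also emit, so consider anchoring it to the command-handling strings, e.g. `4 of ($s*) or (3 of ($x*) and 1 of ($s*))`, or at least to a PE check such as `uint16(0) == 0x5A4D`. The `fingerprint` meta may also need regenerating now that the rule body has changed, depending on how that value is derived, and the description's new Telegram claim is not backed by any Telegram-specific string in the rule, which is worth noting in the meta so future editors know the indicator is inferred rather than matched.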