Tweak tokenizer strings (#982)

egibs · web-flow · commit 819bdbeca5d5 · 2025-06-04T13:55:44.000Z
Signed-off-by: egibs &lt;20933572+egibs@users.noreply.github.com&gt;
diff --git a/rules/anti-behavior/blocklist/user.yara b/rules/anti-behavior/blocklist/user.yara
@@ -48,7 +48,10 @@ rule common_username_block_list: critical {
     $not_wireshark  = "wireshark.org"
     $gpt_tokenizer1 = "GPTTokenizer"
     $gpt_tokenizer2 = "GPT-4"
+    $gpt_tokenizer3 = "const bpe = c0.concat();"
+    $gpt_tokenizer4 = "const bpe = c0.concat(c1);"
+    $gpt_tokenizer5 = "export default bpe;"
 
   condition:
-    8 of them and none of ($not*) and (#gpt_tokenizer1 < 3 and #gpt_tokenizer2 < 65)
+    8 of them and none of ($not*) and none of ($gpt_tokenizer*)
 }
diff --git a/rules/exfil/stealer/wallet.yara b/rules/exfil/stealer/wallet.yara
@@ -35,9 +35,12 @@ rule crypto_stealer_names: critical {
     $not_geth_site   = "https://geth.ethereum.org"
     $gpt_tokenizer1  = "GPTTokenizer"
     $gpt_tokenizer2  = "GPT-4"
+    $gpt_tokenizer3  = "const bpe = c0.concat();"
+    $gpt_tokenizer4  = "const bpe = c0.concat(c1);"
+    $gpt_tokenizer5  = "export default bpe;"
 
   condition:
-    filesize < 100MB and $http and 2 of ($w*) and none of ($not*) and (#gpt_tokenizer1 < 3 and #gpt_tokenizer2 < 65)
+    filesize < 100MB and $http and 2 of ($w*) and none of ($not*) and none of ($gpt_tokenizer*)
 }
 
 rule crypto_extension_stealer: critical {
