Update third-party rules as of 2026-05-07 (#1509)

octo-sts-8[bot] · github-actions[bot] · web-flow · commit a841df932c7b · 2026-05-07T07:43:19.000-05:00
Co-authored-by: Update third-party rules &lt;41898282+github-actions[bot]@users.noreply.github.com&gt;
diff --git a/third_party/yara/elastic/RELEASE b/third_party/yara/elastic/RELEASE
@@ -1 +1 @@
-d131ea8191d1999855d61d13b708392d8c2e6a6b
+4e4cb2c4499c24c12a86ec7ef8c30bb2b7e9467a
diff --git a/third_party/yara/elastic/Windows_Trojan_AuraStealer.yar b/third_party/yara/elastic/Windows_Trojan_AuraStealer.yar
@@ -0,0 +1,21 @@
+rule Windows_Trojan_AuraStealer_5dd9a496 {
+    meta:
+        author = "Elastic Security"
+        id = "5dd9a496-f14f-4d96-a5e9-77432077374e"
+        fingerprint = "a3213eaab576c626cbb0ba99c4486ba184df6bbe4b33eca66184257597157285"
+        creation_date = "2026-04-09"
+        last_modified = "2026-05-05"
+        threat_name = "Windows.Trojan.AuraStealer"
+        reference_sample = "b06c1fe3b5f6577b03053b7ada25dc592e6e2c62e6c5d6d14799be1f955ad5aa"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "windows"
+    strings:
+        $a1 = { 8B 45 10 31 FF 85 C0 BE 06 00 00 00 0F 49 F0 83 7D 0C 00 0F 95 C0 89 F3 81 E3 00 04 00 00 0F 94 C2 20 C2 0F BA E6 10 0F B6 C2 8D 14 C5 00 00 00 00 }
+        $b2 = { 8A 1C 82 88 1C 81 8A 5C 82 01 88 5C 81 01 8A 5C 82 02 88 5C 81 02 8A 5C 82 03 88 5C 81 03 40 83 F8 08 75 DC B8 08 00 00 00 8A 7C 81 FC }
+    condition:
+        all of them
+}
+
diff --git a/third_party/yara/elastic/Windows_Trojan_BrushLogger.yar b/third_party/yara/elastic/Windows_Trojan_BrushLogger.yar
@@ -0,0 +1,21 @@
+rule Windows_Trojan_BrushLogger_304ee146 {
+    meta:
+        author = "Elastic Security"
+        id = "304ee146-8abf-4d4d-8b50-df90a641f400"
+        fingerprint = "bd66e7980779c7065a544d3578a685007fb00d6990320001ef8869a1d0ad969e"
+        creation_date = "2026-03-25"
+        last_modified = "2026-05-05"
+        threat_name = "Windows.Trojan.BrushLogger"
+        reference_sample = "4f1ea5ed6035e7c951e688bd9c2ec47a1e184a81e9ae783d4a0979501a1985cf"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "windows"
+    strings:
+        $a = "%02d-%02d-%d %02d:%02d " fullword
+        $b = { 81 ?? ?? A1 00 00 00 74 09 81 ?? ?? A0 00 00 00 75 09 6A 00 6A 10 E8 }
+    condition:
+        all of them
+}
+
diff --git a/third_party/yara/elastic/Windows_Trojan_BrushWorm.yar b/third_party/yara/elastic/Windows_Trojan_BrushWorm.yar
@@ -0,0 +1,21 @@
+rule Windows_Trojan_BrushWorm_7c2098ef {
+    meta:
+        author = "Elastic Security"
+        id = "7c2098ef-a426-4331-8b04-e96fa8b42cb6"
+        fingerprint = "931842bcd7cfa1afcaf5313a9f18097bc733ed52679ad9459d0e872319f85afd"
+        creation_date = "2026-03-25"
+        last_modified = "2026-05-05"
+        threat_name = "Windows.Trojan.BrushWorm"
+        reference_sample = "89891aa3867c1a57512d77e8e248d4a35dd32e99dcda0344a633be402df4a9a7"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "windows"
+    strings:
+        $a = "internetCheckDomain" wide fullword
+        $b = { B8 00 00 00 40 33 C9 0F A2 48 8D ?? ?? ?? 89 07 89 5F 04 89 4F 08 89 57 0C 45 33 C0 }
+    condition:
+        all of them
+}
+
diff --git a/third_party/yara/elastic/Windows_Trojan_CristalLoaders.yar b/third_party/yara/elastic/Windows_Trojan_CristalLoaders.yar
@@ -0,0 +1,24 @@
+rule Windows_Trojan_CristalLoaders_652f19ab {
+    meta:
+        author = "Elastic Security"
+        id = "652f19ab-4c8c-48d0-a7a8-fdf592ea29f1"
+        fingerprint = "f6f83fe8f20a1e9780e57c58b09786403663f6fd65f3d52d47e10bb98020d899"
+        creation_date = "2026-03-18"
+        last_modified = "2026-05-05"
+        threat_name = "Windows.Trojan.CristalLoaders"
+        reference_sample = "af92ec050ba5115a057c01365af3f154336921c1891a39a0186ac4ab7d45394f"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "windows"
+    strings:
+        $a1 = { 51 52 41 50 41 51 41 52 41 53 48 83 EC 20 B9 5D 68 FA 3C BA }
+        $a2 = { 51 52 41 50 41 51 41 52 41 53 48 83 EC 20 B9 5B BC 4A 6A BA }
+        $a3 = { 41 51 52 41 52 41 50 41 53 48 83 EC 20 B9 5B BC 4A 6A BA }
+        $b1 = { 51 52 41 50 41 51 41 52 41 53 48 83 EC 20 }
+        $b2 = { 41 5B 41 5A 41 59 41 58 5A 59 FF D0 }
+    condition:
+        1 of ($a*) or all of ($b*)
+}
+
diff --git a/third_party/yara/elastic/Windows_Trojan_NodeKeylogger.yar b/third_party/yara/elastic/Windows_Trojan_NodeKeylogger.yar
@@ -0,0 +1,24 @@
+rule Windows_Trojan_NodeKeylogger_ffc7db41 {
+    meta:
+        author = "Elastic Security"
+        id = "ffc7db41-c3a2-4fb7-98db-d8d93a607ef4"
+        fingerprint = "cbaa7c21cbf33754b22b820554e7f0a355f6ea76e4799dd47ff905a0ba851b01"
+        creation_date = "2026-03-22"
+        last_modified = "2026-05-05"
+        threat_name = "Windows.Trojan.NodeKeylogger"
+        reference_sample = "e58864cc22cd8ec17ae35dd810455d604aadab7c3f145b6c53b3c261855a4bb1"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "windows"
+    strings:
+        $a0 = "%s,%s,%i,%i,%ld,%ld,%i" fullword
+        $a1 = "MOUSE" fullword
+        $a2 = "KEYBOARD" fullword
+        $a3 = "DOWN" fullword
+        $b0 = { 81 7D 08 08 02 00 00 [6] 81 7D 08 01 02 00 00 73 ?? 81 7D 08 05 01 00 00 74 ?? 81 7D 08 05 01 00 00 [6] 81 7D 08 04 01 00 00 }
+    condition:
+        all of them
+}
+
diff --git a/third_party/yara/elastic/Windows_Trojan_PhantomPull.yar b/third_party/yara/elastic/Windows_Trojan_PhantomPull.yar
@@ -0,0 +1,25 @@
+rule Windows_Trojan_PhantomPull_e5dfd651 {
+    meta:
+        author = "Elastic Security"
+        id = "e5dfd651-5fd3-4d88-8de7-96ed5706f553"
+        fingerprint = "73d8dde2e57a9c883470c47a115ceeb194ebd39b01a1f5200b8677b25350b897"
+        creation_date = "2026-04-13"
+        last_modified = "2026-05-05"
+        threat_name = "Windows.Trojan.PhantomPull"
+        reference_sample = "70bbb38b70fd836d66e8166ec27be9aa8535b3876596fc80c45e3de4ce327980"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "windows"
+    strings:
+        $GetTickCount = { 48 83 C4 80 FF 15 ?? ?? ?? ?? 83 F8 FE 75 }
+        $djb2 = { 45 8B 0C 83 41 BA A7 C6 67 4E 49 01 C9 45 8A 01 }
+        $mutex = { 48 89 EB 83 E3 ?? 45 8A 2C 1C 45 32 2C 2E 45 0F B6 FD }
+        $str_decrypt = { 39 C2 7E ?? 49 89 C1 41 83 E1 ?? 47 8A 1C 0A 44 32 1C 01 45 88 1C 00 48 FF C0 }
+        $payload_decrypt = { 4C 89 C8 83 E0 0F 41 8A 14 02 43 30 14 0F 49 FF C1 44 39 CB }
+        $url = "/v1/updates/check?build=payloads" ascii fullword
+    condition:
+        3 of them
+}
+
diff --git a/third_party/yara/elastic/Windows_Trojan_PhantomPulse.yar b/third_party/yara/elastic/Windows_Trojan_PhantomPulse.yar
@@ -0,0 +1,23 @@
+rule Windows_Trojan_PhantomPulse_eaaa34fb {
+    meta:
+        author = "Elastic Security"
+        id = "eaaa34fb-eb17-433a-ba0c-f5245cb581b4"
+        fingerprint = "36f5a16a014b315dc04c4c8f59bc3b653b17d0f67b5723a6b662b58709845008"
+        creation_date = "2026-04-13"
+        last_modified = "2026-05-05"
+        threat_name = "Windows.Trojan.PhantomPulse"
+        reference_sample = "9e3890d43366faec26523edaf91712640056ea2481cdefe2f5dfa6b2b642085d"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "windows"
+    strings:
+        $a = "[UNINSTALL 2/6] Removing Scheduled Task..." fullword
+        $b = "PhantomInject: host PID=%lu" fullword
+        $c = "inject: shellcode detected -> InjectShellcodePhantom" fullword
+        $d = "inject: shellcode detected, using phantom section hijack" fullword
+    condition:
+        all of them
+}
+
diff --git a/third_party/yara/elastic/Windows_Trojan_Remus.yar b/third_party/yara/elastic/Windows_Trojan_Remus.yar
@@ -0,0 +1,22 @@
+rule Windows_Trojan_Remus_7a39fb15 {
+    meta:
+        author = "Elastic Security"
+        id = "7a39fb15-e7d0-47a6-a817-f79dcdb82ed5"
+        fingerprint = "c1d3e07becc94ad265b6014f27403229e2e37bf5da3caccfdc5eda05006c5c67"
+        creation_date = "2026-04-08"
+        last_modified = "2026-05-05"
+        threat_name = "Windows.Trojan.Remus"
+        reference_sample = "0a8f734f10400f7ae8fef591147e78dab6350089683be84c1cb6c82113cb1319"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "windows"
+    strings:
+        $a1 = "# REMUS LOG" ascii fullword
+        $b1 = { 48 83 EC 10 4C 89 14 24 4C 89 5C 24 08 4D 31 DB 4C 8D 54 24 18 49 29 C2 4D 0F 42 DA 65 4C 8B 1C 25 10 00 00 00 4D 39 DA 73 ?? 66 ?? ?? ?? ?? ?? 4D 8D 9B 00 F0 FF FF 45 84 1B 4D 39 DA }
+        $b2 = { 81 3C D1 7C 65 E0 52 74 ?? 48 FF C2 48 39 D0 75 EF }
+    condition:
+        2 of them
+}
+
diff --git a/third_party/yara/elastic/Windows_Trojan_Stealc.yar b/third_party/yara/elastic/Windows_Trojan_Stealc.yar
@@ -94,3 +94,23 @@ rule Windows_Trojan_Stealc_41db1d4d {
         3 of them
 }
 
+rule Windows_Trojan_Stealc_df3cdc7e {
+    meta:
+        author = "Elastic Security"
+        id = "df3cdc7e-a9ef-4719-90ce-a45106166f00"
+        fingerprint = "71c93f3ff9248b5d13bd01cfedf2f5999e39689b7553fc606a623a9beca7d281"
+        creation_date = "2026-03-16"
+        last_modified = "2026-05-05"
+        threat_name = "Windows.Trojan.Stealc"
+        reference_sample = "503879c9c294cd7a2b7b13c643b93d8a8e7ae00af5b2b56fcbb90e6c096f40d6"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "windows"
+    strings:
+        $a = { 48 8B E8 48 8D 48 FF 48 83 F9 ?? ?? ?? ?? ?? ?? 00 48 8D 54 24 48 48 8B C8 FF 15 30 4E 01 00 85 C0 74 52 39 74 24 4C 75 4C 8B 5C 24 48 8D 4E 40 8B D3 FF 15 2F 4E 01 00 48 8B F8 48 85 C0 74 3E }
+    condition:
+        all of them
+}
+
diff --git a/third_party/yara/elastic/Windows_Trojan_TCLBanker.yar b/third_party/yara/elastic/Windows_Trojan_TCLBanker.yar
@@ -0,0 +1,101 @@
+rule Windows_Trojan_TCLBanker_a0287d4f {
+    meta:
+        author = "Elastic Security"
+        id = "a0287d4f-b3c8-4299-a13e-592ba5192491"
+        fingerprint = "6e07ed3db08c2e1da8003efab2730e97f7a9242717363f48fe1b1368821e45dd"
+        creation_date = "2026-04-27"
+        last_modified = "2026-05-05"
+        threat_name = "Windows.Trojan.TCLBanker"
+        reference_sample = "8a174aa70a4396547045aef6c69eb0259bae1706880f4375af71085eeb537059"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "windows"
+    strings:
+        $str_decrypt = { 48 8D 41 1C 45 33 C0 48 8B C8 41 B9 FF 00 00 00 41 8D 50 23 }
+        $str_decrypt2 = { 66 33 51 EC 66 89 11 48 8D 49 02 49 83 F8 0A }
+        $syscall = { 75 1B 41 80 7F 01 8B 75 14 41 80 7F 02 D1 75 0D 41 80 7F 03 B8 75 06 }
+        $etw_patch = { BA 03 00 00 00 66 C7 03 33 C0 48 8B CB C6 43 02 C3 }
+        $gate = { 48 B8 F5 08 1D 97 3C E2 54 AB 48 89 44 24 48 48 B8 FD FE D9 45 25 B9 2E 95 }
+        $lang_check = { BA FF 03 00 00 8B C8 66 23 C2 66 83 F8 16 75 }
+        $watchdog = "WATCHDOG: thread count suspicious (baseline=%d, current=%d, delta=%d)" ascii fullword
+    condition:
+        3 of them
+}
+
+rule Windows_Trojan_TCLBanker_5df0f971 {
+    meta:
+        author = "Elastic Security"
+        id = "5df0f971-0a77-43aa-a62f-8f10ff1be1e9"
+        fingerprint = "2a857ea549a5129ff3cfc23ca2c26ce986b0c154a070638bb3d65946a8ec7542"
+        creation_date = "2026-04-28"
+        last_modified = "2026-05-05"
+        threat_name = "Windows.Trojan.TCLBanker"
+        reference_sample = "701d51b7be8b034c860bf97847bd59a87dca8481c4625328813746964995b626"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "windows"
+    strings:
+        $s1 = "[Persistence] EnsureInstalled: exe=" wide fullword
+        $s2 = "[Persistence] Task deleted OK" wide fullword
+        $s3 = "CommandLine FROM Win32_Process WHERE Name = 'msedge.exe'" wide fullword
+        $s4 = "KeyloggerHookThread" wide fullword
+        $s5 = "Fique atento ao telefone informado" wide fullword
+        $s6 = "O telefone deve ter 10" wide fullword
+        $s7 = "Trabalhando em atualizacoes" wide fullword
+        $s8 = "Win32_Process.Create falhou com codigo" wide fullword
+    condition:
+        4 of them
+}
+
+rule Windows_Trojan_TCLBanker_b5ef38c0 {
+    meta:
+        author = "Elastic Security"
+        id = "b5ef38c0-fada-44e6-85ae-f7e7747f9996"
+        fingerprint = "7af8112c19d301db1fa0a7605088b4b294a7b5ba20008c1f71bda46fc1babffd"
+        creation_date = "2026-04-28"
+        last_modified = "2026-05-05"
+        threat_name = "Windows.Trojan.TCLBanker"
+        reference_sample = "701d51b7be8b034c860bf97847bd59a87dca8481c4625328813746964995b626"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "windows"
+    strings:
+        $s1 = "no_session: QR code detectado, sem conta logada" wide fullword
+        $s2 = "error: campaign not configured" wide fullword
+        $s3 = "error: 0 contacts after filter" wide fullword
+        $s4 = "whatsapp: sessao carregada" wide fullword
+        $s5 = "wpp_inject_failed" wide fullword
+    condition:
+        4 of them
+}
+
+rule Windows_Trojan_TCLBanker_8b41ae04 {
+    meta:
+        author = "Elastic Security"
+        id = "8b41ae04-ef4d-4391-8c4e-0eaa95d7982d"
+        fingerprint = "4dd69bcfbf7fd31d10bb5698f225ec0229168f15c76d609df30a9c35fdbd3f80"
+        creation_date = "2026-04-28"
+        last_modified = "2026-05-05"
+        threat_name = "Windows.Trojan.TCLBanker"
+        reference_sample = "668f932433a24bbae89d60b24eee4a24808fc741f62c5a3043bb7c9152342f40"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "windows"
+    strings:
+        $s1 = "outlook: extraindo contatos" wide fullword
+        $s2 = "error: 0 accounts with contacts in Outlook" wide fullword
+        $s3 = "GetNamespace('MAPI')" wide fullword
+        $s4 = "error: campaign not configured" wide fullword
+        $s5 = "-eq 'caixa de entrada'" wide fullword
+    condition:
+        4 of them
+}
+
diff --git a/third_party/yara/elastic/Windows_Trojan_Vidar.yar b/third_party/yara/elastic/Windows_Trojan_Vidar.yar
@@ -185,3 +185,50 @@ rule Windows_Trojan_Vidar_540563cf {
         5 of them
 }
 
+rule Windows_Trojan_Vidar_14210811 {
+    meta:
+        author = "Elastic Security"
+        id = "14210811-3bf5-400a-ab5d-f112023b1580"
+        fingerprint = "dc3a25458dc42f62ecee9078893a0f3850c89436bf5321c9e44f6618fe5a2d39"
+        creation_date = "2026-03-16"
+        last_modified = "2026-05-05"
+        threat_name = "Windows.Trojan.Vidar"
+        reference_sample = "07b84bdfa4d296bcf370019f1a94121e117082a9f02c8fc534c9fcf83df60e1f"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "windows"
+    strings:
+        $a = { 48 83 C4 40 49 89 C7 8B 05 5B ?? ?? ?? ?? ?? ?? B6 0D 00 8D 50 01 0F AF D0 83 E2 01 83 F9 0A 7C 6C 85 D2 74 68 48 83 EC 40 48 C7 44 24 30 00 00 00 00 C7 44 24 28 80 00 00 00 C7 44 24 20 03 00 }
+    condition:
+        all of them
+}
+
+rule Windows_Trojan_Vidar_0f323538 {
+    meta:
+        author = "Elastic Security"
+        id = "0f323538-d789-4480-9b10-db31e0a18790"
+        fingerprint = "52039ef9b44bbe4a6594d4efdf20a124a13133e30bb8788978baf2fcd30013e4"
+        creation_date = "2026-03-16"
+        last_modified = "2026-05-05"
+        threat_name = "Windows.Trojan.Vidar"
+        reference_sample = "aae5335b89c8655cffbd9e2e8de1726be6bc38e68dcbb048aabb03a2012640aa"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "memory"
+        license = "Elastic License v2"
+        os = "windows"
+    strings:
+        $steam = "steamcommunity.com/profiles/"
+        $telegram = "telegram.me/"
+        $hwid = "Content-Disposition: form-data; name=\"hwid\""
+        $browser2 = "\\IndexedDB\\chrome-extension__0.indexeddb.leveldb"
+        $browser4 = "\"encrypted_key\":\""
+        $c1 = "information.txt"
+        $pipe = "\\\\.\\pipe\\test"
+        $telemetry1 = "\\telemetry.b64"
+    condition:
+        all of them
+}
+
diff --git a/third_party/yara/elastic/Windows_Trojan_VoidStealer.yar b/third_party/yara/elastic/Windows_Trojan_VoidStealer.yar
@@ -0,0 +1,25 @@
+rule Windows_Trojan_VoidStealer_b17abbfd {
+    meta:
+        author = "Elastic Security"
+        id = "b17abbfd-8e5f-403e-b7fd-1bf6d3941f19"
+        fingerprint = "30095f55311c8b621c828ccc621e8877ca963e9f2760636e45609900ccbfa5f3"
+        creation_date = "2026-03-27"
+        last_modified = "2026-05-05"
+        threat_name = "Windows.Trojan.VoidStealer"
+        reference_sample = "f783fde5cf7930e4b3054393efadd3675b505cbef8e9d7ae58aa35b435adeea4"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "windows"
+    strings:
+        $a1 = { 7B 22 62 75 69 6C 64 5F 69 64 22 3A 22 }
+        $a2 = "\\\\.\\pipe\\browser_key_pipe" ascii wide
+        $a3 = { 22 2C 22 73 65 73 73 69 6F 6E 5F 69 64 22 3A 22 }
+        $a4 = "%d %b %y %H:%M %Z" wide fullword
+        $a5 = "OSCrypt.AppBoundProvider.Decrypt.ResultCode" ascii fullword
+        $a6 = "ft5HAfKQvejy8notJdgHNtzEZuHqShVuf2SUNW6wQ1r5dmM17r/rbmrT9AHdBQ==" ascii fullword
+    condition:
+        5 of them
+}
+
diff --git a/third_party/yara/elastic/Windows_Trojan_Winos.yar b/third_party/yara/elastic/Windows_Trojan_Winos.yar

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-d131ea8191d1999855d61d13b708392d8c2e6a6b`
	`1`	`+4e4cb2c4499c24c12a86ec7ef8c30bb2b7e9467a`