Update third-party rules as of 2025-10-15 (#1167)

Co-authored-by: Update third-party rules <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Evan Gibler <20933572+egibs@users.noreply.github.com>

Author: 3 people

third_party/yara/elastic/RELEASE

@@ -1 +1 @@
-0d52fa9af8c9881639edf793f58a8cb637ece5b7
+b5a0c1956d0aa92e2f44156bc9983c25ddc817d1

third_party/yara/elastic/Windows_Ransomware_Stop.yar

@@ -2,9 +2,9 @@ rule Windows_Ransomware_Stop_1e8d48ff {
     meta:
         author = "Elastic Security"
         id = "1e8d48ff-e0ab-478d-8268-a11f2e87ab79"
-        fingerprint = "715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb"
+        fingerprint = "bef9770e8deb4a5ba76cea1050ca0de1ef9ab6a6aa53f071126c3f0dacf368fd"
         creation_date = "2021-06-10"
-        last_modified = "2021-08-23"
+        last_modified = "2025-09-26"
         threat_name = "Windows.Ransomware.Stop"
         reference_sample = "821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3"
         severity = 100
@@ -14,7 +14,7 @@ rule Windows_Ransomware_Stop_1e8d48ff {
         os = "windows"
     strings:
         $a = "E:\\Doc\\My work (C++)\\_Git\\Encryption\\Release\\encrypt_win_api.pdb" ascii fullword
-        $b = { 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF }
+        $b = { 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF FF FF C6 45 FC 01 50 FF D3 85 F6 79 36 56 68 }
     condition:
         any of them
 }

third_party/yara/elastic/Windows_Trojan_AveMaria.yar

@@ -30,3 +30,32 @@ rule Windows_Trojan_AveMaria_31d2bce9 {
         8 of ($a*)
 }
 
+rule Windows_Trojan_AveMaria_e01305a0 {
+    meta:
+        author = "Elastic Security"
+        id = "e01305a0-724e-420a-99af-38a3c6436095"
+        fingerprint = "52acf71c9a53a56337722c43d9bba34957815b8c2c6fe52bea9b38e343dae803"
+        creation_date = "2025-08-18"
+        last_modified = "2025-09-19"
+        threat_name = "Windows.Trojan.AveMaria"
+        reference_sample = "21f1e24abcda47e08ba3e6bf19c0b2d9adb52b908f625c4a08f74ade5b863bf9"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "windows"
+    strings:
+        $a = "SOFTWARE\\_rptls" wide fullword
+        $b = "-w %ws -d C -f %s" fullword
+        $c = "RDPClip" wide fullword
+        $d = "ExplorerIdentifier" wide fullword
+        $e = "WM_FIND" wide fullword
+        $f = "WM_DISP" wide fullword
+        $g = "MsgBox.exe" wide fullword
+        $h = "Hey I'm Admin" wide fullword
+        $i = "/n:%temp%\\ellocnak.xml" wide fullword
+        $j = "CommandHandler::handleStartVncCommand() Start VNC on port : %d" wide fullword
+    condition:
+        7 of them
+}
+

third_party/yara/elastic/Windows_Trojan_CastleLoader.yar

@@ -0,0 +1,24 @@
+rule Windows_Trojan_CastleLoader_173548b8 {
+    meta:
+        author = "Elastic Security"
+        id = "173548b8-ff11-4528-8ef6-7e9f7d738e6c"
+        fingerprint = "a894955aebf7db79279c58fa3800a21ec9c4cf44dcb6e516825824439931cc15"
+        creation_date = "2025-08-14"
+        last_modified = "2025-09-19"
+        threat_name = "Windows.Trojan.CastleLoader"
+        reference_sample = "1b6befc65b19a63b4131ce5bcc6e8c0552fe1e1d136ab94bc7d81b3924056156"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "windows"
+    strings:
+        $a = { 8B 34 BA 33 DB 03 F1 BA AA AA AA AA 38 1E 74 ?? 0F BE 0C 1E 8B C2 F6 C3 01 75 ?? C1 E8 03 0F AF C1 8B CA C1 E1 07 33 C1 EB ?? C1 E8 05 33 C1 8B CA C1 E1 0B 03 C1 F7 D0 43 33 D0 }
+        $b = { 8D 42 ?? 83 E0 03 0F B6 80 ?? ?? ?? ?? 66 33 44 0C ?? 66 89 84 0C ?? ?? ?? ?? 8D 42 ?? 83 E0 03 0F B6 80 ?? ?? ?? ?? 66 33 44 0C ?? 66 89 84 0C }
+        $c = { 3D 20 6C 72 70 75 ?? 81 7D F8 65 70 79 68 75 ?? 81 7D F4 20 20 76 72 75 ?? B9 01 }
+        $d = { 69 C0 6D 4E C6 41 05 39 30 00 00 }
+        $e = { 83 7C 24 ?? 20 0F 85 ?? ?? ?? ?? 80 7C 24 ?? B8 0F 85 ?? ?? ?? ?? B9 01 00 00 00 C7 44 24 ?? B8 BB 00 00 C7 44 24 ?? C0 C2 10 00 C7 44 24 ?? 00 00 00 00 }
+    condition:
+        4 of them
+}
+

third_party/yara/elastic/Windows_Trojan_HiddenCli.yar

@@ -0,0 +1,21 @@
+rule Windows_Trojan_HiddenCli_a9aa62d1 {
+    meta:
+        author = "Elastic Security"
+        id = "a9aa62d1-f131-42c4-a62a-0172db697996"
+        fingerprint = "f546cfc4530294a778db94e5295227bb61e39af54526605da7f8224811ba5a3c"
+        creation_date = "2025-10-02"
+        last_modified = "2025-10-13"
+        threat_name = "Windows.Trojan.HiddenCli"
+        reference_sample = "913431f1d36ee843886bb052bfc89c0e5db903c673b5e6894c49aabc19f1e2fc"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "windows"
+    strings:
+        $b_1 = { 48 8B 0A 48 8D 45 E7 33 FF 4C 8D 45 EB 48 89 7C 24 38 BA 04 20 22 00 48 89 44 24 30 48 8D 45 27 }
+        $unicode_1 = { 43 00 6F 00 6D 00 6D 00 61 00 6E 00 64 00 20 00 27 00 73 00 74 00 61 00 74 00 65 00 27 00 20 00 73 00 75 00 63 00 63 00 65 00 73 00 73 00 66 00 75 00 6C 00 00 00 }
+    condition:
+        1 of them
+}
+

third_party/yara/elastic/Windows_Trojan_HiddenDriver.yar

@@ -0,0 +1,25 @@
+rule Windows_Trojan_HiddenDriver_e26590fd {
+    meta:
+        author = "Elastic Security"
+        id = "e26590fd-a560-4312-ba2f-4131f5817410"
+        fingerprint = "fe876e1cc0663fd41742a93807a4d49972fb92c3abf6560e323d1e31f8a9eb69"
+        creation_date = "2025-10-02"
+        last_modified = "2025-10-13"
+        threat_name = "Windows.Trojan.HiddenDriver"
+        reference_sample = "f9dd0b57a5c133ca0c4cab3cca1ac8debdc4a798b452167a1e5af78653af00c1"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "windows"
+    strings:
+        $activeProcessLinksOffsets = { C7 44 24 20 E8 00 00 00 C7 44 24 24 88 01 00 00 C7 44 24 28 E8 02 00 00 C7 44 24 2C F0 02 00 00 C7 44 24 30 48 04 00 00 }
+        $alloc_table = { 48 83 63 78 00 48 8D 8B 88 00 00 00 83 A3 80 00 00 00 00 B8 01 00 00 00 8B D0 48 89 43 68 45 33 C0 89 43 70 }
+        $str_0 = "InitializePsMonitor"
+        $str_1 = "image load notify registartion failed with code:%08x"
+        $str_2 = "file-system mini-filter haven't started"
+        $str_3 = "can't activate stealth mode"
+    condition:
+        $activeProcessLinksOffsets or $alloc_table or (all of ($str_*))
+}
+

third_party/yara/elastic/Windows_Trojan_Stealc.yar

@@ -69,3 +69,28 @@ rule Windows_Trojan_Stealc_5d3f297c {
         all of them
 }
 
+rule Windows_Trojan_Stealc_41db1d4d {
+    meta:
+        author = "Elastic Security"
+        id = "41db1d4d-d19f-441b-82c3-5ae94ef2baab"
+        fingerprint = "be16274bf7c8fe038b19700aaae47ff0ffcf9cbb98ac93adb7e228c5854b782c"
+        creation_date = "2025-07-16"
+        last_modified = "2025-09-19"
+        threat_name = "Windows.Trojan.Stealc"
+        reference_sample = "a68bc167669c7c98b6742209acea111be61e6002aa652a7b8116af47b284b084"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "windows"
+    strings:
+        $a1 = "C:\\builder_v2\\stealc\\json.h" wide fullword
+        $a2 = "%08lX-%04hX-%04hX-%02hhX%02hhX-%02hhX%02hhX%02hhX%02hhX%02hhX%02hhX" fullword
+        $a3 = "/c timeout /t 5 & del /f /q \"" fullword
+        $b1 = { 0F B7 C8 81 E9 19 04 00 00 74 14 83 E9 09 74 0F 83 E9 01 74 0A 83 E9 1C 74 05 83 F9 04 75 08 33 C9 FF }
+        $b2 = { 22 74 6F 74 61 6C 5F 70 61 72 74 73 22 3A 20 00 2C 20 00 00 00 00 00 00 22 70 61 72 74 5F 69 6E 64 65 78 22 3A 20 }
+        $b3 = { 48 89 5C 24 10 57 48 83 EC ?? 0F 57 C0 48 8D 3D [3] 00 0F 11 01 48 C7 41 10 00 00 00 00 48 8B D9 48 C7 41 18 0F 00 00 00 C6 01 00 8A 05 [3] 00 EB }
+    condition:
+        3 of them
+}
+

third_party/yara/elastic/Windows_Trojan_Tollbooth.yar

@@ -0,0 +1,32 @@
+rule Windows_Trojan_Tollbooth_85bfcc68 {
+    meta:
+        author = "Elastic Security"
+        id = "85bfcc68-f375-4e19-817d-31ec43eac7eb"
+        fingerprint = "ce6b26e974a82a180f1e924f47279a1312557f7e379da4cd2cf80c7923b4e814"
+        creation_date = "2025-10-08"
+        last_modified = "2025-10-13"
+        threat_name = "Windows.Trojan.Tollbooth"
+        reference_sample = "c1ca053e3c346513bac332b5740848ed9c496895201abc734f2de131ec1b9fb2"
+        severity = 100
+        arch_context = "x86"
+        scan_context = "file, memory"
+        license = "Elastic License v2"
+        os = "windows"
+    strings:
+        $a = "sitemapRangeBegin" ascii wide fullword
+        $b = "seoGroupHijackbotUaMatchRules" ascii wide fullword
+        $c = "clean?type=conf" ascii wide fullword
+        $d = "/landpage?seoConfigId=" ascii wide fullword
+        $e = "<!- GP -->" ascii wide fullword
+        $f = "gooqlebot" ascii wide fullword
+        $g = "GetRandomLinesFromMultipleResources" ascii wide fullword
+        $h = "hj-plugin-iis-cpp-v"
+        $i = "hj-iis-cim-v" wide
+        $j = "<form action='/scjg' method='POST'"
+        $k = "AffLinkServer" ascii wide
+        $l = { 7B E6 9C AC E5 9C B0 E5 8F 8B E9 93 BE 7D }
+        $m = { 7B 00 2C 67 30 57 CB 53 FE 94 7D 00 }
+    condition:
+        7 of them
+}
+