chainguard-dev · egibs · Sep 27, 2025 · Sep 27, 2025
diff --git a/third_party/yara/bartblaze/APT/Libcef_Backdoor.yar b/third_party/yara/bartblaze/APT/Libcef_Backdoor.yar
@@ -0,0 +1,29 @@
+rule Libcef_Backdoor
+{
+    meta:
+        id = "2kQ17alOYwTwkkTNA8vZCX"
+        fingerprint = "v1_sha256_7a32b90fb6e962a82af808d698dc19d503c075606f5a7e52f783f0c7d71f5936"
+        version = "1.0"
+        date = "2025-09-26"
+        modified = "2025-09-26"
+        status = "RELEASED"
+        sharing = "TLP:WHITE"
+        source = "BARTBLAZE"
+        author = "@bartblaze"
+        description = "Identifies backdoored libcef.dll, used by an unknown (likely) APT."
+        category = "MALWARE"
+        malware = "UNKNOWN"
+        malware_type = "BACKDOOR"
+        reference = "https://github.com/bartblaze/Yara-rules"
+        hash = "a3805b24b66646c0cf7ca9abad502fe15b33b53e56a04489cfb64a238616a7bf"
+
+    strings:
+        $ = "Could not get process list." 
+        $ = "Please send the document now." 
+        $ = "Failed to create pipe." 
+        $ = "Failed to start process." 
+        $ = "Command executed but returned no output." 
+
+    condition:
+        4 of them 
+}
diff --git a/third_party/yara/bartblaze/RELEASE b/third_party/yara/bartblaze/RELEASE
@@ -1 +1 @@
-cc2fab21ad5ba5f6dd74e57f44373bbcc6f0ce09
+9c6d7c50ddb9f3a51d246a0d21d35cf7b769d4a9
diff --git a/third_party/yara/bartblaze/crimeware/Oyster.yar b/third_party/yara/bartblaze/crimeware/Oyster.yar
@@ -0,0 +1,34 @@
+rule Oyster
+{
+    meta:
+        id = "7kE7GnnyOPX7qw3Kwwua0X"
+        fingerprint = "v1_sha256_c635149f6091ca338956c8c7639aeeab30d70456e06e5d894a1bef0a1c0a031a"
+        version = "1.0"
+        date = "2025-09-26"
+        modified = "2025-09-26"
+        status = "RELEASED"
+        sharing = "TLP:WHITE"
+        source = "BARTBLAZE"
+        author = "@bartblaze"
+        description = "Identifies Oyster aka Broomstick aka CleanUp backdoor."
+        category = "MALWARE"
+        malware = "OYSTER"
+        malware_type = "BACKDOOR"
+        reference = "https://x.com/roo7cause/status/1971453273862176887"
+        reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.broomstick"
+        hash = "169157f51c05aafda68eb367219a826ecdc90e941e4397da20021b0f4ee2ae14"
+
+    strings:
+        $ = "WordPressAgent" fullword
+        $ = "FingerPrint" fullword
+        $ = "TimeSleep: %d"
+        $ = "[CountStartupProcessSystem] EnumProcesses failed"
+        $ = "Fail Find End .ICO File"
+        $ = "Fail Find DLL File Round 2"
+        $ = "Mutex already exists, another instance is running."
+        $ = "cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q"
+        $ = "The installation has not been completed successfully. We kindly ask you to try again later."
+
+    condition:
+        6 of them
+}
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		cc2fab21ad5ba5f6dd74e57f44373bbcc6f0ce09
		9c6d7c50ddb9f3a51d246a0d21d35cf7b769d4a9