Update third-party rules as of 2025-10-01

third_party/yara/bartblaze/APT/Libcef_Backdoor.yar

@@ -3,27 +3,34 @@ rule Libcef_Backdoor
     meta:
         id = "2kQ17alOYwTwkkTNA8vZCX"
         fingerprint = "v1_sha256_7a32b90fb6e962a82af808d698dc19d503c075606f5a7e52f783f0c7d71f5936"
-        version = "1.0"
+        version = "2.0"
         date = "2025-09-26"
-        modified = "2025-09-26"
+        modified = "2025-09-30"
         status = "RELEASED"
         sharing = "TLP:WHITE"
         source = "BARTBLAZE"
         author = "@bartblaze"
-        description = "Identifies backdoored libcef.dll, used by an unknown (likely) APT."
+        description = "Identifies backdoored libcef.dll, used by an unknown (likely) APT. Uses Telegram for exfil."
         category = "MALWARE"
         malware = "UNKNOWN"
         malware_type = "BACKDOOR"
         reference = "https://github.com/bartblaze/Yara-rules"
         hash = "a3805b24b66646c0cf7ca9abad502fe15b33b53e56a04489cfb64a238616a7bf"
 
     strings:
-        $ = "Could not get process list." 
-        $ = "Please send the document now." 
-        $ = "Failed to create pipe." 
-        $ = "Failed to start process." 
-        $ = "Command executed but returned no output." 
+        $s1 = "Could not get process list."
+        $s2 = "Please send the document now." 
+        $s3 = "Failed to create pipe." 
+        $s4 = "Failed to start process." 
+        $s5 = "Command executed but returned no output." 
+		$s6 = "Screenshot taken."
+		$s7 = "Please send a document, not text."
 
+        $x1 = "No file or photo found in message."
+        $x2 = "Error: Cannot create file on disk."
+        $x3 = "File saved to: "
+        $x4 = "Error receiving file:"
+
     condition:
-        4 of them 
+        4 of ($s*) or 3 of ($x*)
 }

third_party/yara/bartblaze/RELEASE

@@ -1 +1 @@
-749b051626ad44ac2a677f98ec61b3fc76eaa161
+febe623eba19fe562f5e87db72342d08435c8523