From b71b71b5cb086a24cf976b0e7778db7383e22a7e Mon Sep 17 00:00:00 2001
From: Update third-party rules <41898282+github-actions[bot]@users.noreply.github.com>
Date: Mon, 9 Mar 2026 12:07:50 +0000
Subject: [PATCH] Update third-party rules as of 2026-03-09
---
 third_party/yara/JPCERT/Atlas.yara | 42 +++++++++++++++
 third_party/yara/JPCERT/Kimsuky.yara | 57 ++++++++++++++++++++
 third_party/yara/JPCERT/RELEASE | 2 +-
 third_party/yara/JPCERT/blacktech.yara | 37 +++++++++++++
 third_party/yara/JPCERT/fortinet.yara | 59 +++++++++++++++++++++
 third_party/yara/JPCERT/phantomstealer.yara | 17 ++++++
 third_party/yara/JPCERT/snakekeylogger.yara | 16 ++++++
 third_party/yara/JPCERT/unc5174.yara | 38 +++++++++++++
 8 files changed, 267 insertions(+), 1 deletion(-)
 create mode 100644 third_party/yara/JPCERT/Atlas.yara
 create mode 100644 third_party/yara/JPCERT/fortinet.yara
 create mode 100644 third_party/yara/JPCERT/phantomstealer.yara
 create mode 100644 third_party/yara/JPCERT/snakekeylogger.yara
 create mode 100644 third_party/yara/JPCERT/unc5174.yara
diff --git a/third_party/yara/JPCERT/Atlas.yara b/third_party/yara/JPCERT/Atlas.yara
new file mode 100644
index 000000000..e253a1dab
--- /dev/null
+++ b/third_party/yara/JPCERT/Atlas.yara
@@ -0,0 +1,42 @@
+import "pe"
+
+rule malware_AtlasLoader {
+ meta:
+ description = "AtlasLoader"
+ author = "JPCERT/CC Incident Response Group"
+ hash = "11aa581aff8010e4030fdbd3c620d8d75506b1b642393b36a7bddefcbb087e31"
+ created_date = "2026-02-09"
+ updated_date = "2026-02-09"
+
+ strings:
+ $s1 = "RunPluin" ascii
+ $s2 = "AtlasPro" wide
+ $s3 = "AtlasInfo" ascii
+ $s4 = "MainDll.dll" ascii
+
+ condition:
+ uint16(0) == 0x5a4d and
+ uint32(uint32(0x3c)) == 0x00004550 and
+ 3 of them
+}
+
+rule malware_AtlasPlugin {
+ meta:
+ description = "AtlasLoader Plugin"
+ author = "JPCERT/CC Incident Response Group"
+ hash1 = "17452364cdf00c8bdcd9b659253043e37ff76cd044d85d8055b6cc04b2e98302"
+ hash2 = "6d5eafc6715f221b8e6e0f81f48a37c214fa4abcc0d7a5c2b15ffcce0309fa62"
+ created_date = "2026-03-06"
+ updated_date = "2026-03-06"
+
+ strings:
+ $s1 = "AtlasPro" wide
+ $s2 = "LoginAddress" wide
+ $s3 = "LoginPort" wide
+ $s4 = "C:\\Users\\xxx85\\Desktop\\atlasPro" ascii
+ $s5 = "修改通信加密+加载器\\Release\\Plugin\\x64" ascii wide
+
+ condition:
+ pe.exports("RunPluin") and
+ 3 of them
+}
\ No newline at end of file
diff --git a/third_party/yara/JPCERT/Kimsuky.yara b/third_party/yara/JPCERT/Kimsuky.yara
index bc3684d53..255415560 100644
--- a/third_party/yara/JPCERT/Kimsuky.yara
+++ b/third_party/yara/JPCERT/Kimsuky.yara
@@ -71,3 +71,60 @@ rule kimsuky_downloader_pe all of ($dotnet*) and 3 of ($s*) }
+
+rule kimsuky_uploader_github_ps1 {
+ meta:
+ description = "Powershell script to upload device information to GitHub"
+ author = "JPCERT/CC Incident Response Group"
+ hash = "d4054495cfabbf511fb2f860487cb1d9e969e0a571bcb5e5c88f7d1ab75c0c09"
+ created_date = "2025-12-19"
+ updated_date = "2025-12-19"
+
+ strings:
+ $s1 = "-XXX-kkk.txt" ascii
+ $s2 = "-0956_info.txt" ascii
+ $s3 = "branch = \"main" ascii
+ $s4 = "message = \"Upload file $" ascii
+ $s5 = "Get-Date -Format \"MMdd_HHmm\"" ascii
+ $s6 = "Write-Output \"Note\" | Out-File" ascii
+
+ condition:
+ 3 of them
+}
+
+rule kimsuky_initial_downloader_github_ps1 {
+ meta:
+ description = "Powershell script to download ps1 from GitHub and set by scheduled task"
+ author = "JPCERT/CC Incident Response Group"
+ hash = "0b50547274455ee876512687d8bd24911a97429d2642dff8aeb6c42c7601fe53"
+ created_date = "2025-12-19"
+ updated_date = "2025-12-19"
+
+ strings:
+ $s1 = "($env:AppData) \\\"whale.ps1" ascii
+ $s2 = "($env:AppData) \"Doks.ps1" ascii
+ $s3 = "=\"ghp_" ascii
+ $s4 = "vnd.github.v3.raw" ascii
+ $s5 = "New-ScheduledTaskAction -Execute 'PowerShell.exe'" ascii
+
+ condition:
+ 3 of them
+}
+
+rule kimsuky_downloader_github_ps1 {
+ meta:
+ description = "Powershell script to download ps1 from GitHub"
+ author = "JPCERT/CC Incident Response Group"
+ hash = "938650b7ef26cc4ff3586414734a30c7fbc4a0ec82459305000d6778660deb59"
+ created_date = "2025-12-19"
+ updated_date = "2025-12-19"
+
+ strings:
+ $s1 = "($env:AppData) \"Doks.ps1" ascii
+ $s2 = "Authorization=\"token ghp_" ascii
+ $s3 = "vnd.github.v3.raw" ascii
+
+ condition:
+ all of them
+}
+
diff --git a/third_party/yara/JPCERT/RELEASE b/third_party/yara/JPCERT/RELEASE
index e0e626cfc..f22a8135c 100644
--- a/third_party/yara/JPCERT/RELEASE
+++ b/third_party/yara/JPCERT/RELEASE
@@ -1 +1 @@
-9315b430b0dbbb0db4da9196373ec8e26a538608
+7837438e7bcb100bcc7f9d2be09152b19d967c0c
diff --git a/third_party/yara/JPCERT/blacktech.yara b/third_party/yara/JPCERT/blacktech.yara
index e86572e53..b779e5bea 100644
--- a/third_party/yara/JPCERT/blacktech.yara
+++ b/third_party/yara/JPCERT/blacktech.yara
@@ -456,3 +456,40 @@ rule BlackTech_AresPYDoor_str { condition: 5 of them }
+
+rule malware_Kivars_Loader {
+ meta:
+ description = "Kivars Loader"
+ author = "JPCERT/CC Incident Response Group"
+ hash = "35efb2661b580866ef9a29770ff960c105edb1239a5d4279e7e6b4e9f9b6256a"
+ created_date = "2025-11-25"
+ updated_date = "2025-11-25"
+ reference = "https://sect.iij.ad.jp/blog/2025/10/blacktech-malware-kivars-2025/"
+
+ strings:
+ $dll_name = "sericeMain.dll" ascii
+ $custom_rc4 = {41 02 02 32 C1 41 88 02 EB ?? 41 32 0A [0-1] 02 CB 41 88 0A 49 FF C2}
+
+ condition:
+ uint16(0) == 0x5A4D and
+ all of them
+}
+
+rule malware_Kivars {
+ meta:
+ description = "Kivars"
+ author = "JPCERT/CC Incident Response Group"
+ hash = "5a9f96217530b68c2fc7a06f25b52062dbcc8dd2760de0f7dca3456af2dc4bec"
+ created_date = "2025-11-25"
+ updated_date = "2025-11-25"
+ reference = "https://sect.iij.ad.jp/blog/2025/10/blacktech-malware-kivars-2025/"
+
+ strings:
+ $s1 = {25 73 5C 25 73 07 33 25 75 07 34 25 75 2D 25 2E 32 75 2D 25 2E 32 75 20 25 2E 32 75 3A 25 2E 32 75 00}
+ $s2 = {58 C6 84 24 ?? ?? ?? ?? 45 C6 84 24 ?? ?? ?? ?? 43 C6 84 24 ?? ?? ?? ?? 50 C6 84 24 ?? ?? ?? ?? 52 C6 84 24 ?? ?? ?? ?? 4F C6 84 24 ?? ?? ?? ?? 42 C6 84 24 ?? ?? ?? ?? 45} // XECPROBELOADER
+ $custom_rc4 = {41 02 02 32 C1 41 88 02 EB ?? 41 32 0A [0-1] 02 CB 41 88 0A 49 FF C2}
+
+ condition:
+ uint16(0) == 0x5A4D and
+ 2 of them
+}
diff --git a/third_party/yara/JPCERT/fortinet.yara b/third_party/yara/JPCERT/fortinet.yara
new file mode 100644
index 000000000..b6d07392f
--- /dev/null
+++ b/third_party/yara/JPCERT/fortinet.yara
@@ -0,0 +1,59 @@
+rule malware_GETRdoor {
+ meta:
+ description = "ELF backdoor targeting FortiGate"
+ author = "JPCERT/CC Incident Response Group"
+ hash = "9da731d152c57e90cc95bc58aa55c0873005a747fda0d45529e964bdbc9dc18c"
+ created_date = "2025-11-14"
+ updated_date = "2025-11-20"
+
+ strings:
+ $s1 = "do_upload: file open failed" ascii
+ $s2 = "/bin/snifferd" ascii
+ $s3 = "tcp[(tcp[12]>>2):%d] = 0x%s" ascii
+ $s4 = {00 34 37 34 35 35 34 35 32 00} // 47455452
+ $s5 = "diagnose debug crashlog clear" ascii
+ $s6 = {00 0A 30 78 30 30 30 30 00} // \n0x0000
+
+ condition:
+ uint32(0) == 0x464C457F and
+ 3 of them
+}
+
+rule malware_PELdoor {
+ meta:
+ description = "ELF backdoor"
+ author = "JPCERT/CC Incident Response Group"
+ hash = "7991d64a23a6630453b5a68d4082e713d501082535e53b7e84d98b8ec7eee7a9"
+ created_date = "2025-11-20"
+ updated_date = "2025-11-20"
+
+ strings:
+ $s1 = "sxcdewqaz!@#" ascii
+ $s2 = ";7(Zu9YTsA7qQ#vw" ascii
+ $s3 = "/var/run/miglogd000.pid" ascii
+ $s4 = "/tmp/tmplog.tar" ascii
+ $s5 = {66 3D FB 20 74 ?? 48 8B 45 ?? 0F B7 40 ?? 0F B7 C0 89 C7 E8 ?? ?? ?? ?? 66 3D 1D 02}
+
+ condition:
+ uint32(0) == 0x464C457F and
+ 3 of them
+}
+
+rule malware_SHADYMARY {
+ meta:
+ description = "SHADYMARY malware"
+ author = "JPCERT/CC Incident Response Group"
+ hash = "1d347944b6cf8ecc54474149e9bcee0108919a293bed348a46228dca3d095618"
+ created_date = "2025-11-20"
+ updated_date = "2025-11-20"
+
+ strings:
+ $s1 = "/data2/libcrashpad.so" ascii
+ $s2 = "/bin/smit" ascii
+ $s3 = "injector return %d" ascii
+ $s4 = "injector__call_syscall" ascii
+
+ condition:
+ uint32(0) == 0x464C457F and
+ 2 of them
+}
\ No newline at end of file
diff --git a/third_party/yara/JPCERT/phantomstealer.yara b/third_party/yara/JPCERT/phantomstealer.yara
new file mode 100644
index 000000000..2df34330f
--- /dev/null
+++ b/third_party/yara/JPCERT/phantomstealer.yara
@@ -0,0 +1,17 @@
+rule malware_PhantomStealer {
+ meta:
+ description = "phantom stealer"
+ author = "JPCERT/CC Incident Response Group"
+ hash = "3e6c9cb5304d932483a0f0198a7c727d4898bcd4110b15cf2c7f7a731b2f195d"
+ rule_usage = "memory scan"
+ created_date = "2025-11-25"
+ updated_date = "2025-11-25"
+
+ strings:
+ $s1 = "Phantom stealer" wide
+ $s2 = "Phantom-DebugFile.log" wide
+ $s3 = "Chrome_Phantom" wide
+
+ condition:
+ 2 of them
+}
\ No newline at end of file
diff --git a/third_party/yara/JPCERT/snakekeylogger.yara b/third_party/yara/JPCERT/snakekeylogger.yara
new file mode 100644
index 000000000..3c2111d95
--- /dev/null
+++ b/third_party/yara/JPCERT/snakekeylogger.yara
@@ -0,0 +1,16 @@
+rule malware_SnakeKeylogger {
+ meta:
+ description = "Snake Keylogger (a.k.a. VIP Recovery)"
+ author = "JPCERT/CC Incident Response Group"
+ hash = "e7b49b01463ba069ef6b17e39fea65f06882a23bcbf821e52c5ef357cee141c5"
+ rule_usage = "memory scan"
+ created_date = "2025-11-25"
+ updated_date = "2025-11-25"
+
+ strings:
+ $s1 = "VIP Recovery \\ --------" wide
+ $s2 = "Keylogger_Recovered" wide
+
+ condition:
+ all of them
+}
\ No newline at end of file
diff --git a/third_party/yara/JPCERT/unc5174.yara b/third_party/yara/JPCERT/unc5174.yara
new file mode 100644
index 000000000..9b7cd86a9
--- /dev/null
+++ b/third_party/yara/JPCERT/unc5174.yara
@@ -0,0 +1,38 @@
+rule malware_SNOWLIGHT_loader {
+ meta:
+ description = "shellcode loader"
+ author = "JPCERT/CC Incident Response Group"
+ hash = "946f3935a4f69824e16bf815c3385cf6c1af4a5dd8df673861c286b8b65d7771"
+ created_date = "2025-11-25"
+ updated_date = "2025-11-25"
+ reference = "https://sect.iij.ad.jp/blog/2025/11/unc5174-windows-snowlight-in-2025/"
+
+ strings:
+ $s1 = "Global\\MicrosoftEdgeUpdate" wide
+ $s2 = {41 74 6C 54 68 75 6E 6B 5F 44 61 74 61 54 6F 43 00} // AtlThunk_DataToC
+ $decode = {81 34 08 77 57 82 66 83 C0 04 3B C6 7C}
+
+ condition:
+ uint16(0) == 0x5A4D and
+ 2 of them
+}
+
+rule malware_SNOWLIGHT_ELF {
+ meta:
+ description = "SNOWLIGHT"
+ author = "JPCERT/CC Incident Response Group"
+ hash = "d4ce9744ab67f5c2298313a997b97e421de31f464e990d02dd4e55bf1fc5043d"
+ created_date = "2025-11-25"
+ updated_date = "2025-11-25"
+ reference = "https://sect.iij.ad.jp/blog/2025/11/unc5174-windows-snowlight-in-2025/"
+
+ strings:
+ $s1 = "/tmp/log_de.log" ascii
+ $s2 = "GET /?a=%s&h=%s&t=%s&p=%d HTTP/1.1" ascii
+ $s3 = "[kworker/0:2]" ascii
+ $decode = {80 30 99 48 FF C0 89 C6 29 EE 39 CE 7C}
+
+ condition:
+ uint32(0) == 0x464C457F and
+ 3 of them
+}
\ No newline at end of file