From dec79a8480dce0aa9837b55355856603a44e1ec2 Mon Sep 17 00:00:00 2001
From: egibs <20933572+egibs@users.noreply.github.com>
Date: Wed, 4 Jun 2025 08:21:42 -0500
Subject: [PATCH] Tweak tokenizer strings
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 rules/anti-behavior/blocklist/user.yara | 5 ++++-
 rules/exfil/stealer/wallet.yara | 5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/rules/anti-behavior/blocklist/user.yara b/rules/anti-behavior/blocklist/user.yara
index 432d00196..c8c21b986 100644
--- a/rules/anti-behavior/blocklist/user.yara
+++ b/rules/anti-behavior/blocklist/user.yara
@@ -48,7 +48,10 @@ rule common_username_block_list: critical {
     $not_wireshark = "wireshark.org"
     $gpt_tokenizer1 = "GPTTokenizer"
     $gpt_tokenizer2 = "GPT-4"
+    $gpt_tokenizer3 = "const bpe = c0.concat();"
+    $gpt_tokenizer4 = "const bpe = c0.concat(c1);"
+    $gpt_tokenizer5 = "export default bpe;"
   condition:
-    8 of them and none of ($not*) and (#gpt_tokenizer1 < 3 and #gpt_tokenizer2 < 65)
+    8 of them and none of ($not*) and none of ($gpt_tokenizer*)
 }
diff --git a/rules/exfil/stealer/wallet.yara b/rules/exfil/stealer/wallet.yara
index ffabb5ec5..1e60dbe4a 100644
--- a/rules/exfil/stealer/wallet.yara
+++ b/rules/exfil/stealer/wallet.yara
@@ -35,9 +35,12 @@ rule crypto_stealer_names: critical {
     $not_geth_site = "https://geth.ethereum.org"
     $gpt_tokenizer1 = "GPTTokenizer"
     $gpt_tokenizer2 = "GPT-4"
+    $gpt_tokenizer3 = "const bpe = c0.concat();"
+    $gpt_tokenizer4 = "const bpe = c0.concat(c1);"
+    $gpt_tokenizer5 = "export default bpe;"
   condition:
-    filesize < 100MB and $http and 2 of ($w*) and none of ($not*) and (#gpt_tokenizer1 < 3 and #gpt_tokenizer2 < 65)
+    filesize < 100MB and $http and 2 of ($w*) and none of ($not*) and none of ($gpt_tokenizer*)
 }
 rule crypto_extension_stealer: critical {
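Review bot: Replacing the count thresholds with `none of ($gpt_tokenizer*)` in the condition of common_username_block_list means a single occurrence of the generic string `$gpt_tokenizer2 = "GPT-4"` now suppresses a critical rule, where the old condition tolerated up to 64 hits before excluding; the same change is made to crypto_stealer_names in wallet.yara. The three new `bpe` strings are specific enough to exclude outright, but "GPTTokenizer" and especially "GPT-4" plausibly appear in many files unrelated to a tokenizer, so the exclusion now covers far more than the library it targets. I would keep the thresholds for the two generic strings and apply `none of` only to the specific ones: `8 of them and none of ($not*) and none of ($gpt_tokenizer3, $gpt_tokenizer4, $gpt_tokenizer5) and (#gpt_tokenizer1 < 3 and #gpt_tokenizer2 < 65)`, with the matching edit in wallet.yara. A one-line comment above the `$gpt_tokenizer*` strings stating which tokenizer build they were taken from would also help the next maintainer judge whether the exclusion is still needed.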