Update third-party rules as of 2025-11-19 (#1220)

Co-authored-by: Update third-party rules <41898282+github-actions[bot]@users.noreply.github.com>

Author: octo-sts[bot]

third_party/yara/bartblaze/APT/Autumn_Backdoor.yar

@@ -0,0 +1,36 @@
+rule Autumn_Backdoor
+{
+    meta:
+        id = "2kQ17alOYwTwkkTNA8vZCX"
+        fingerprint = "v1_sha256_7a32b90fb6e962a82af808d698dc19d503c075606f5a7e52f783f0c7d71f5936"
+        version = "2.0"
+        date = "2025-09-26"
+        modified = "2025-11-18"
+        status = "RELEASED"
+        sharing = "TLP:CLEAR"
+        source = "BARTBLAZE"
+        author = "@bartblaze"
+        description = "Identifies backdoored libcef.dll (stage 1), used by a China-nexus APT, as seen in the Autumn Dragon report."
+        category = "MALWARE"
+        malware = "UNKNOWN"
+        malware_type = "BACKDOOR"
+        reference = "https://cyberarmor.tech/blog/autumn-dragon-china-nexus-apt-group-targets-south-east-asia"
+        hash = "a3805b24b66646c0cf7ca9abad502fe15b33b53e56a04489cfb64a238616a7bf"
+
+    strings:
+        $s1 = "Could not get process list."
+        $s2 = "Please send the document now." 
+        $s3 = "Failed to create pipe." 
+        $s4 = "Failed to start process." 
+        $s5 = "Command executed but returned no output." 
+		$s6 = "Screenshot taken."
+		$s7 = "Please send a document, not text."
+
+        $x1 = "No file or photo found in message."
+        $x2 = "Error: Cannot create file on disk."
+        $x3 = "File saved to: "
+        $x4 = "Error receiving file:"
+		
+    condition:
+        4 of ($s*) or 3 of ($x*)
+}

third_party/yara/bartblaze/APT/Autumn_Backdoor_Loader.yar

@@ -0,0 +1,27 @@
+rule Autumn_Backdoor_Loader
+{
+    meta:
+        id = "5ARAyUbFnFrLABeyLz9bWm"
+        fingerprint = "v1_sha256_09a399531a2e2f8064b1c9862949fa1c9eca1ddab19bfb62a5ce947e002445cc"
+        version = "1.0"
+        date = "2025-11-18"
+        modified = "2025-11-18"
+        status = "RELEASED"
+        sharing = "TLP:CLEAR"
+        source = "BARTBLAZE"
+        author = "@bartblaze"
+        description = "Identifies backdoor loader (stage 2), used by a China-nexus APT, as seen in the Autumn Dragon report."
+        category = "MALWARE"
+        malware = "UNKNOWN"
+        malware_type = "BACKDOOR"
+        reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.broomstick"
+        hash = "843fca1cf30c74edd96e7320576db5a39ebf8d0a708bde8ccfb7c12e45a7938c"
+        hash = "d7711333c34a27aed5d38755f30d14591c147680e2b05eaa0484c958ddaae3b6"
+
+strings:
+    $pdb_dev = "\\Dev\\ApplicationDllHijacking\\"
+    $pdb_user = "\\Users\\LG02\\Desktop\\???\\"
+    
+condition:
+    any of them
+}

third_party/yara/bartblaze/RELEASE

@@ -1 +1 @@
-a88bd98592ea6dd57da61bbcb8de76eb8cbf33b6
+ca47007b188bbbaf77c2892483acdc13f456a3d3