Update third-party rules as of 2025-11-23 (#1229)

Co-authored-by: Update third-party rules <41898282+github-actions[bot]@users.noreply.github.com>

Author: octo-sts[bot]

third_party/yara/bartblaze/APT/Confucius_B.yar

@@ -8,7 +8,7 @@ rule Confucius_B
         first_imported = "2021-12-30"
         last_modified = "2021-12-30"
         status = "RELEASED"
-        sharing = "TLP:WHITE"
+        sharing = "TLP:CLEAR"
         source = "BARTBLAZE"
         author = "@bartblaze"
         description = "Identifies Confucius malware."

third_party/yara/bartblaze/APT/Cotx_RAT.yar

@@ -10,7 +10,7 @@ rule Cotx_RAT
         first_imported = "2021-12-30"
         last_modified = "2021-12-30"
         status = "RELEASED"
-        sharing = "TLP:WHITE"
+        sharing = "TLP:CLEAR"
         source = "BARTBLAZE"
         author = "@bartblaze"
         description = "Identifies Cotx RAT."

third_party/yara/bartblaze/APT/EE_Dropper.yar

@@ -8,7 +8,7 @@ rule EE_Dropper
         date = "2025-10-27"
         modified = "2025-10-27"
         status = "RELEASED"
-        sharing = "TLP:WHITE"
+        sharing = "TLP:CLEAR"
         source = "BARTBLAZE"
         author = "@bartblaze"
         description = "Identifies dropper, EXE dropping and loading 3 CAB files, as seen in Earth Estries campaign."

third_party/yara/bartblaze/APT/EE_Loader.yar

@@ -7,7 +7,7 @@ rule EE_Loader
         date = "2025-10-27"
         modified = "2025-10-27"
         status = "RELEASED"
-        sharing = "TLP:WHITE"
+        sharing = "TLP:CLEAR"
         source = "BARTBLAZE"
         author = "@bartblaze"
         description = "Identifies loader used by Earth Estries."

third_party/yara/bartblaze/APT/NikiCert.yar

@@ -1,26 +1,26 @@
-import "pe"
-rule NikiCert
-{
-    meta:
-        id = "64lhugyfG9DlAydhTGBb4F"
-        fingerprint = "v1_sha256_d346c46bb51beaefcfdc247e20af3ceda6d239366c7126e1a568036ef4c8f60f"
-        version = "1.0"
-        creation_date = "2024-06"
-        status = "RELEASED"
-        sharing = "TLP:WHITE"
-        source = "BARTBLAZE"
-        author = "@bartblaze, @nsquar3"
-        description = "Identifies Nexaweb digital certificate used in (likely) Kimsuky campaign."
-        category = "MALWARE"
-        malware = "NIKIHTTP"
-        malware_type = "BACKDOOR"
-        reference = "https://cyberarmor.tech/new-north-korean-based-backdoor-packs-a-punch/"
-        hash = "cca1705d7a85fe45dce9faec5790d498427b3fa8e546d7d7b57f18a925fdfa5d"
-        hash = "000e2926f6e094d01c64ff972e958cd38590299e9128a766868088aa273599c7"
-
-condition:
-    uint16(0) == 0x5A4D and
-    for any i in (0 .. pe.number_of_signatures) : (
-        pe.signatures[i].serial == "03:15:e1:37:a6:e2:d6:58:f0:7a:f4:54:c6:3a:0a:f2"
-    )
-}
+import "pe"
+rule NikiCert
+{
+    meta:
+        id = "64lhugyfG9DlAydhTGBb4F"
+        fingerprint = "v1_sha256_d346c46bb51beaefcfdc247e20af3ceda6d239366c7126e1a568036ef4c8f60f"
+        version = "1.0"
+        creation_date = "2024-06"
+        status = "RELEASED"
+        sharing = "TLP:CLEAR"
+        source = "BARTBLAZE"
+        author = "@bartblaze, @nsquar3"
+        description = "Identifies Nexaweb digital certificate used in (likely) Kimsuky campaign."
+        category = "MALWARE"
+        malware = "NIKIHTTP"
+        malware_type = "BACKDOOR"
+        reference = "https://cyberarmor.tech/new-north-korean-based-backdoor-packs-a-punch/"
+        hash = "cca1705d7a85fe45dce9faec5790d498427b3fa8e546d7d7b57f18a925fdfa5d"
+        hash = "000e2926f6e094d01c64ff972e958cd38590299e9128a766868088aa273599c7"
+
+condition:
+    uint16(0) == 0x5A4D and
+    for any i in (0 .. pe.number_of_signatures) : (
+        pe.signatures[i].serial == "03:15:e1:37:a6:e2:d6:58:f0:7a:f4:54:c6:3a:0a:f2"
+    )
+}

third_party/yara/bartblaze/APT/NikiGo.yar

@@ -1,36 +1,36 @@
-rule NikiGo
-{
-    meta:
-        id = "1TfLvwe4Pw7svDq8aY4v5F"
-        fingerprint = "v1_sha256_8ba5e84e750a707eacabbf1df13900ef96ef773745f0f623f41da5e7ca905420"
-        version = "1.0"
-        date = "2024-06"
-        status = "RELEASED"
-        sharing = "TLP:WHITE"
-        source = "BARTBLAZE"
-        author = "@bartblaze, @nsquar3"
-        description = "Identifies NikiGo, a Go dropper by (likely) Kimsuky."
-        category = "MALWARE"
-        malware = "NIKIHTTP"
-        malware_type = "BACKDOOR"
-        reference = "https://cyberarmor.tech/new-north-korean-based-backdoor-packs-a-punch/"
-        hash = "000e2926f6e094d01c64ff972e958cd38590299e9128a766868088aa273599c7"
-
-strings:
-    $go = "Go build ID:"
-
-    $func1 = "main.ParseCommandLine" ascii wide fullword
-    $func2 = "main.RunCmd" ascii wide fullword
-    $func3 = "main.HttpGet" ascii wide fullword
-    $func4 = "main.SelfDel" ascii wide fullword
-    $func5 = "main.RandomBytes" ascii wide fullword
-
-    $pdb_src = "C:/Users/niki/go/src/niki/auxiliary/engine-binder/main.go" ascii wide
-    $pdb_path = "/Users/niki/go/src/niki/auxiliary/engine-binder/" ascii wide
-    
-condition:
-    uint16(0) == 0x5A4D and $go and (
-    all of ($func*) or
-    any of ($pdb*)
-    )
-}
+rule NikiGo
+{
+    meta:
+        id = "1TfLvwe4Pw7svDq8aY4v5F"
+        fingerprint = "v1_sha256_8ba5e84e750a707eacabbf1df13900ef96ef773745f0f623f41da5e7ca905420"
+        version = "1.0"
+        date = "2024-06"
+        status = "RELEASED"
+        sharing = "TLP:CLEAR"
+        source = "BARTBLAZE"
+        author = "@bartblaze, @nsquar3"
+        description = "Identifies NikiGo, a Go dropper by (likely) Kimsuky."
+        category = "MALWARE"
+        malware = "NIKIHTTP"
+        malware_type = "BACKDOOR"
+        reference = "https://cyberarmor.tech/new-north-korean-based-backdoor-packs-a-punch/"
+        hash = "000e2926f6e094d01c64ff972e958cd38590299e9128a766868088aa273599c7"
+
+strings:
+    $go = "Go build ID:"
+
+    $func1 = "main.ParseCommandLine" ascii wide fullword
+    $func2 = "main.RunCmd" ascii wide fullword
+    $func3 = "main.HttpGet" ascii wide fullword
+    $func4 = "main.SelfDel" ascii wide fullword
+    $func5 = "main.RandomBytes" ascii wide fullword
+
+    $pdb_src = "C:/Users/niki/go/src/niki/auxiliary/engine-binder/main.go" ascii wide
+    $pdb_path = "/Users/niki/go/src/niki/auxiliary/engine-binder/" ascii wide
+    
+condition:
+    uint16(0) == 0x5A4D and $go and (
+    all of ($func*) or
+    any of ($pdb*)
+    )
+}

third_party/yara/bartblaze/APT/NikiHTTP.yar

@@ -1,37 +1,37 @@
-rule NikiHTTP
-{
-    meta:
-        id = "7Hna0G06TFoi4ogjbgXnvV"
-        fingerprint = "v1_sha256_0315e58657b36871b5937d06b338363de94e6bb81c19d03b92a53e2b525f56b4"
-        version = "1.0"
-        date = "2024-06"
-        status = "RELEASED"
-        sharing = "TLP:WHITE"
-        source = "BARTBLAZE"
-        author = "@bartblaze, @nsquar3"
-        description = "Identifies NikiHTTP aka HTTPSpy, a versatile backdoor by (likely) Kimsuky."
-        category = "MALWARE"
-        malware = "NIKIHTTP"
-        malware_type = "BACKDOOR"
-        reference = "https://cyberarmor.tech/new-north-korean-based-backdoor-packs-a-punch/"
-        hash = "3314b6ea393e180c20db52448ab6980343bc3ed623f7af91df60189fec637744"
-        hash = "c94a5817fcd6a4ea93d47d70b9f2b175923a8b325234a77f127c945ae8649874"
-
-strings:
-    $cmd = {4? 8d 0d be 2f 03 00 4? 85 c0 4? 8d 15 8c 2f 03 00}
-    $str_1 = "%s%sc %s >%s 2>&1" ascii wide
-    $str_2 = "%s%sc %s 2>%s" ascii wide
-    $str_3 = "%s:info" ascii wide
-    
-    //D:\02.data\03.atk-tools\engine\niki\httpSpy\..\bin\httpSpy.pdb
-    $pdb_full = "\\02.data\\03.atk-tools\\"
-    $pdb_httpspy = "\\bin\\httpSpy.pdb"
-        
-    $code = {0f 57 c0 4? 89 7? ?? 33 c0 c7 4? ?? 68 00 00 00 0f 11 4? ?? c7 4? ?? 01 00 00 00 66 4? 89 7? 00 0f 11 4? ?? 4? 89 4? ?? 0f 11 4? ?? c7 44 ?? ?? 53 71 80 60 0f 11 4? ?? c7 44 ?? ?? 71 79 7c 5c 0f 11 4? ?? c7 44 ?? ?? 6d 80 74 63 0f 11 4? ?? 88 44 ?? ?? 0f 11 4? ?? 0f 1f 44 00 00}
-
-condition:
-    uint16(0) == 0x5A4D and (
-    $cmd or (2 of ($str_*)) or
-    any of ($pdb_*) or $code
-    )
-}
+rule NikiHTTP
+{
+    meta:
+        id = "7Hna0G06TFoi4ogjbgXnvV"
+        fingerprint = "v1_sha256_0315e58657b36871b5937d06b338363de94e6bb81c19d03b92a53e2b525f56b4"
+        version = "1.0"
+        date = "2024-06"
+        status = "RELEASED"
+        sharing = "TLP:CLEAR"
+        source = "BARTBLAZE"
+        author = "@bartblaze, @nsquar3"
+        description = "Identifies NikiHTTP aka HTTPSpy, a versatile backdoor by (likely) Kimsuky."
+        category = "MALWARE"
+        malware = "NIKIHTTP"
+        malware_type = "BACKDOOR"
+        reference = "https://cyberarmor.tech/new-north-korean-based-backdoor-packs-a-punch/"
+        hash = "3314b6ea393e180c20db52448ab6980343bc3ed623f7af91df60189fec637744"
+        hash = "c94a5817fcd6a4ea93d47d70b9f2b175923a8b325234a77f127c945ae8649874"
+
+strings:
+    $cmd = {4? 8d 0d be 2f 03 00 4? 85 c0 4? 8d 15 8c 2f 03 00}
+    $str_1 = "%s%sc %s >%s 2>&1" ascii wide
+    $str_2 = "%s%sc %s 2>%s" ascii wide
+    $str_3 = "%s:info" ascii wide
+    
+    //D:\02.data\03.atk-tools\engine\niki\httpSpy\..\bin\httpSpy.pdb
+    $pdb_full = "\\02.data\\03.atk-tools\\"
+    $pdb_httpspy = "\\bin\\httpSpy.pdb"
+        
+    $code = {0f 57 c0 4? 89 7? ?? 33 c0 c7 4? ?? 68 00 00 00 0f 11 4? ?? c7 4? ?? 01 00 00 00 66 4? 89 7? 00 0f 11 4? ?? 4? 89 4? ?? 0f 11 4? ?? c7 44 ?? ?? 53 71 80 60 0f 11 4? ?? c7 44 ?? ?? 71 79 7c 5c 0f 11 4? ?? c7 44 ?? ?? 6d 80 74 63 0f 11 4? ?? 88 44 ?? ?? 0f 11 4? ?? 0f 1f 44 00 00}
+
+condition:
+    uint16(0) == 0x5A4D and (
+    $cmd or (2 of ($str_*)) or
+    any of ($pdb_*) or $code
+    )
+}

third_party/yara/bartblaze/APT/RokRAT.yar

@@ -6,7 +6,7 @@ meta:
 	version = "1.0"
 	modified = "2024-03-08"
 	status = "RELEASED"
-	sharing = "TLP:WHITE"
+	sharing = "TLP:CLEAR"
 	source = "BARTBLAZE"
 	author = "@bartblaze"
 	description = "Identifies RokRAT."

third_party/yara/bartblaze/APT/RoyalRoad_RTF.yar

@@ -8,7 +8,7 @@ rule RoyalRoad_RTF
         first_imported = "2021-12-30"
         last_modified = "2025-03-10"
         status = "RELEASED"
-        sharing = "TLP:WHITE"
+        sharing = "TLP:CLEAR"
         source = "BARTBLAZE"
         author = "@bartblaze"
         description = "Identifies RoyalRoad RTF, used by multiple China-based APT groups."

third_party/yara/bartblaze/APT/StormDNS.yar

@@ -7,7 +7,7 @@ rule StormDNS
         date = "2025-07-24"
         modified = "2025-07-24"
         status = "RELEASED"
-        sharing = "TLP:WHITE"
+        sharing = "TLP:CLEAR"
         source = "BARTBLAZE"
         author = "@bartblaze"
         description = "Identifies StormDNS, a DNS shell used by Storm-260 to receive and execute commands from a C2."