Update third-party rules as of 2025-12-29 (#1282)

Co-authored-by: Update third-party rules <41898282+github-actions[bot]@users.noreply.github.com>

Author: octo-sts[bot]

tests/macOS/2023.3CX/libffmpeg.change_decrease.mdiff

@@ -4,7 +4,7 @@
 
 | RISK | KEY | DESCRIPTION | EVIDENCE |
 |:--|:--|:--|:--|
-| -CRITICAL | [3P/sekoia/downloader_smooth_operator](https://github.com/SEKOIA-IO/Community/blob/de548d649241062f22c143496dc0ce4cf043cf97/yara_rules/downloader_mac_smooth_operator.yar#L1-L16) | Detect the Smooth_Operator malware, by [Sekoia.io](https://github.com/SEKOIA-IO/Community) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)<br>[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code) |
+| -CRITICAL | [3P/sekoia/downloader_smooth_operator](https://github.com/SEKOIA-IO/Community/blob/a89e17a1c6580e917950e3ead768322d8466f020/yara_rules/downloader_mac_smooth_operator.yar#L1-L16) | Detect the Smooth_Operator malware, by [Sekoia.io](https://github.com/SEKOIA-IO/Community) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)<br>[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code) |
 | -CRITICAL | [3P/sig_base/3cxdesktopapp_backdoor](https://github.com/Neo23x0/signature-base/blob/b7b39a44b6bbfcd5a7078248d442b628bdd4286a/yara/gen_mal_3cx_compromise_mar23.yar#L251-L275) | [Detects 3CXDesktopApp MacOS Backdoor component](https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/), by X__Junior (Nextron Systems) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)<br>[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code)<br>`$op1`<br>`$op2`<br>`$sa1`<br>`$sa2` |
 | -CRITICAL | [3P/sig_base/nk_3cx_dylib](https://github.com/Neo23x0/signature-base/blob/b7b39a44b6bbfcd5a7078248d442b628bdd4286a/yara/gen_mal_3cx_compromise_mar23.yar#L188-L214) | [Detects malicious DYLIB files related to 3CX compromise](https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/), by Florian Roth (Nextron Systems) | `$xc1`<br>`$xc2`<br>`$xc3` |
 | -CRITICAL | [3P/sig_base/susp_xored_mozilla](https://github.com/Neo23x0/signature-base/blob/b7b39a44b6bbfcd5a7078248d442b628bdd4286a/yara/gen_xor_hunting.yar#L2-L25) | [Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key](https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()), by Florian Roth | `$xo1` |

tests/macOS/2023.3CX/libffmpeg.change_increase.mdiff

@@ -4,7 +4,7 @@
 
 | RISK | KEY | DESCRIPTION | EVIDENCE |
 |:--|:--|:--|:--|
-| +CRITICAL | **[3P/sekoia/downloader_smooth_operator](https://github.com/SEKOIA-IO/Community/blob/de548d649241062f22c143496dc0ce4cf043cf97/yara_rules/downloader_mac_smooth_operator.yar#L1-L16)** | Detect the Smooth_Operator malware, by [Sekoia.io](https://github.com/SEKOIA-IO/Community) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)<br>[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code) |
+| +CRITICAL | **[3P/sekoia/downloader_smooth_operator](https://github.com/SEKOIA-IO/Community/blob/a89e17a1c6580e917950e3ead768322d8466f020/yara_rules/downloader_mac_smooth_operator.yar#L1-L16)** | Detect the Smooth_Operator malware, by [Sekoia.io](https://github.com/SEKOIA-IO/Community) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)<br>[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code) |
 | +CRITICAL | **[3P/sig_base/3cxdesktopapp_backdoor](https://github.com/Neo23x0/signature-base/blob/b7b39a44b6bbfcd5a7078248d442b628bdd4286a/yara/gen_mal_3cx_compromise_mar23.yar#L251-L275)** | [Detects 3CXDesktopApp MacOS Backdoor component](https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/), by X__Junior (Nextron Systems) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)<br>[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code)<br>`$op1`<br>`$op2`<br>`$sa1`<br>`$sa2` |
 | +CRITICAL | **[3P/sig_base/nk_3cx_dylib](https://github.com/Neo23x0/signature-base/blob/b7b39a44b6bbfcd5a7078248d442b628bdd4286a/yara/gen_mal_3cx_compromise_mar23.yar#L188-L214)** | [Detects malicious DYLIB files related to 3CX compromise](https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/), by Florian Roth (Nextron Systems) | `$xc1`<br>`$xc2`<br>`$xc3` |
 | +CRITICAL | **[3P/sig_base/susp_xored_mozilla](https://github.com/Neo23x0/signature-base/blob/b7b39a44b6bbfcd5a7078248d442b628bdd4286a/yara/gen_xor_hunting.yar#L2-L25)** | [Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key](https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()), by Florian Roth | `$xo1` |

tests/macOS/2023.3CX/libffmpeg.dirty.mdiff

@@ -4,7 +4,7 @@
 
 | RISK | KEY | DESCRIPTION | EVIDENCE |
 |:--|:--|:--|:--|
-| +CRITICAL | **[3P/sekoia/downloader_smooth_operator](https://github.com/SEKOIA-IO/Community/blob/de548d649241062f22c143496dc0ce4cf043cf97/yara_rules/downloader_mac_smooth_operator.yar#L1-L16)** | Detect the Smooth_Operator malware, by [Sekoia.io](https://github.com/SEKOIA-IO/Community) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)<br>[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code) |
+| +CRITICAL | **[3P/sekoia/downloader_smooth_operator](https://github.com/SEKOIA-IO/Community/blob/a89e17a1c6580e917950e3ead768322d8466f020/yara_rules/downloader_mac_smooth_operator.yar#L1-L16)** | Detect the Smooth_Operator malware, by [Sekoia.io](https://github.com/SEKOIA-IO/Community) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)<br>[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code) |
 | +CRITICAL | **[3P/sig_base/3cxdesktopapp_backdoor](https://github.com/Neo23x0/signature-base/blob/b7b39a44b6bbfcd5a7078248d442b628bdd4286a/yara/gen_mal_3cx_compromise_mar23.yar#L251-L275)** | [Detects 3CXDesktopApp MacOS Backdoor component](https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/), by X__Junior (Nextron Systems) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)<br>[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code)<br>`$op1`<br>`$op2`<br>`$sa1`<br>`$sa2` |
 | +CRITICAL | **[3P/sig_base/nk_3cx_dylib](https://github.com/Neo23x0/signature-base/blob/b7b39a44b6bbfcd5a7078248d442b628bdd4286a/yara/gen_mal_3cx_compromise_mar23.yar#L188-L214)** | [Detects malicious DYLIB files related to 3CX compromise](https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/), by Florian Roth (Nextron Systems) | `$xc1`<br>`$xc2`<br>`$xc3` |
 | +CRITICAL | **[3P/sig_base/susp_xored_mozilla](https://github.com/Neo23x0/signature-base/blob/b7b39a44b6bbfcd5a7078248d442b628bdd4286a/yara/gen_xor_hunting.yar#L2-L25)** | [Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key](https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()), by Florian Roth | `$xo1` |

tests/macOS/2023.3CX/libffmpeg.increase.mdiff

@@ -4,7 +4,7 @@
 
 | RISK | KEY | DESCRIPTION | EVIDENCE |
 |:--|:--|:--|:--|
-| +CRITICAL | **[3P/sekoia/downloader_smooth_operator](https://github.com/SEKOIA-IO/Community/blob/de548d649241062f22c143496dc0ce4cf043cf97/yara_rules/downloader_mac_smooth_operator.yar#L1-L16)** | Detect the Smooth_Operator malware, by [Sekoia.io](https://github.com/SEKOIA-IO/Community) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)<br>[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code) |
+| +CRITICAL | **[3P/sekoia/downloader_smooth_operator](https://github.com/SEKOIA-IO/Community/blob/a89e17a1c6580e917950e3ead768322d8466f020/yara_rules/downloader_mac_smooth_operator.yar#L1-L16)** | Detect the Smooth_Operator malware, by [Sekoia.io](https://github.com/SEKOIA-IO/Community) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)<br>[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code) |
 | +CRITICAL | **[3P/sig_base/3cxdesktopapp_backdoor](https://github.com/Neo23x0/signature-base/blob/b7b39a44b6bbfcd5a7078248d442b628bdd4286a/yara/gen_mal_3cx_compromise_mar23.yar#L251-L275)** | [Detects 3CXDesktopApp MacOS Backdoor component](https://www.volexity.com/blog/2023/03/30/3cx-supply-chain-compromise-leads-to-iconic-incident/), by X__Junior (Nextron Systems) | [%s/.main_storage](https://github.com/search?q=%25s%2F.main_storage&type=code)<br>[%s/UpdateAgent](https://github.com/search?q=%25s%2FUpdateAgent&type=code)<br>`$op1`<br>`$op2`<br>`$sa1`<br>`$sa2` |
 | +CRITICAL | **[3P/sig_base/nk_3cx_dylib](https://github.com/Neo23x0/signature-base/blob/b7b39a44b6bbfcd5a7078248d442b628bdd4286a/yara/gen_mal_3cx_compromise_mar23.yar#L188-L214)** | [Detects malicious DYLIB files related to 3CX compromise](https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/), by Florian Roth (Nextron Systems) | `$xc1`<br>`$xc2`<br>`$xc3` |
 | +CRITICAL | **[3P/sig_base/susp_xored_mozilla](https://github.com/Neo23x0/signature-base/blob/b7b39a44b6bbfcd5a7078248d442b628bdd4286a/yara/gen_xor_hunting.yar#L2-L25)** | [Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key](https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()), by Florian Roth | `$xo1` |

third_party/yara/YARAForge/RELEASE

@@ -1 +1 @@
-20251221
+20251228