Hunting Detections
Sigma, YARA & Suricata Rules
Detection logic from original research, mapped to MITRE ATT&CK. Free to use in your environment under CC BY-NC 4.0.
No items match that filter.
Detection Rules — Flask C2 & MSSQL CLR Backdoor on a Windows Post-Exploitation Staging Host
Detection Rules — CVE-2026-41940 cPanel Harvester Toolkit (216.126.227.49)
Detection Rules — Inkognito Russian VPN/Phishing Operator (INK VPN / INK Lens)
Detection Rules — BellaMain Turkish PhaaS Panel (79.137.192.3)
Detection Rules — Multi-Cluster Open Directory 79.137.192.3 (Rhadamanthys MaaS / BellaMain / Inkognito)
Detection Rules — HijackLoader / Penguish / Rugmi to AsyncRAT Multi-Vector Phishing Campaign
Detection Rules — AdaptixC2 Open Directory Exposure (45.130.148.125)
Detection Rules — Chaos Ransomware (TorBrowserTor) Multi-Stage Loader (94.103.1.13)
Detection Rules — ShinyHunters Data Leak Site (91.215.85.22)
Detection Rules — OpenStrike Expanded Toolkit — 106 New Files (2026-04-08)
Detection Rules — OpenStrike Beacon Toolkit (172.105.0.126)
Detection Rules — Shadow RAT & XWorm Open Directory Campaign
Detection Rules — Open Directory at 193.56.255.154 — XiebroC2 v3.1 & Covenant C2
Detection Rules — ZeroTrace Multi-Family MaaS Operation (74.0.42.25)
Detection Rules — Sliver C2 Toolchain with ScareCrow Loader (45.94.31.220)
Detection Rules — Webserver Compromise Kit (91.236.230.250)
Detection Rules — Remcos RAT OpenDirectory Campaign
Detection Rules — NsMiner: Multi-Stage Cryptojacking Operation
Detection Rules — Arsenal-237: agent.exe (PoetRAT)
Detection Rules — Arsenal-237: agent_xworm.exe (XWorm RAT v6)
Detection Rules — Arsenal-237: agent_xworm_v2.exe (XWorm RAT v2.4.0)
Detection Rules — Arsenal-237: FleetAgentAdvanced.exe
Detection Rules — Arsenal-237: FleetAgentFUD.exe
Detection Rules — Arsenal-237: uac_test.exe
Detection Rules — Arsenal-237: enc/dec Ransomware Family
Detection Rules — Arsenal-237 New Files: killer.dll (BYOVD Process Termination)
Detection Rules — Arsenal-237 New Files: killer_crowdstrike.dll (CrowdStrike-Specific Termination)
Detection Rules — Arsenal-237 New Files: lpe.exe (Privilege Escalation)
Detection Rules — Arsenal-237 New Files: BdApiUtil64.sys (Vulnerable Baidu Driver)
Detection Rules — Arsenal-237 New Files: rootkit.dll (Kernel-Mode Rootkit)
Detection Rules — Arsenal-237 New Files: nethost.dll (DLL Hijacking Persistence)
Detection Rules — Arsenal-237 New Files: chromelevator.exe (Browser Credential Theft)
Detection Rules — Arsenal-237 New Files: enc_c2.exe (Rust Ransomware with Tor C2)
Detection Rules — Arsenal-237 New Files: dec_fixed.exe (Ransomware Decryptor)
Detection Rules — Arsenal-237 New Files: new_enc.exe (Human-Operated Rust Ransomware)
Detection Rules — Arsenal-237 New Files: full_test_enc.exe (Advanced Rust Ransomware)
Detection Rules — Dual-RAT Analysis: Pulsar RAT vs. NjRAT/XWorm
Detection Rules — PULSAR RAT (server.exe) — Technical Analysis & Business Risk Assessment
Detection Rules — Hybrid Loader/Stealer Ecosystem Masquerading as Sogou
Detection Rules — Houselet.exe — The Go-Based Loader Masquerading as PlayStation Remote Play
Detection Rules — AdvancedRouterScanner
Detection Rules — From Webshells to The Cloud
Detection Rules — Quasar + XWorm + PowerShell