The Hunter's Ledger
Hunting Detections
Sigma, YARA & Suricata Rules
Detection logic from original research, mapped to MITRE ATT&CK. Free to use in your environment under CC BY-NC 4.0.
All Detections
Apr 2026: Detection Rules — OpenStrike Expanded Toolkit (New Files 2026-04-08) [Toolkit, C2, Injection, Evasion]
Apr 2026: Detection Rules — OpenStrike Beacon Toolkit (172.105.0.126) [Toolkit, C2, Evasion, Open Dir]
Apr 2026: Detection Rules — Shadow RAT & XWorm Open Directory Campaign [RAT, MaaS, Evasion, Persistence]
Apr 2026: Detection Rules — Open Directory at 193.56.255.154 (XiebroC2 v3.1 and Covenant C2) [C2, Multi-Family, Injection]
Mar 2026: Detection Rules — ZeroTrace Multi-Family MaaS Operation [MaaS, C2, Multi-Family]
Mar 2026: Detection Rules — Sliver C2 / ScareCrow Loader Open Directory Kit [C2, Loader, Evasion]
Feb 2026: Detection Rules — Webserver Compromise Kit 91.236.230.250 [Toolkit, Priv Esc, RCE]
Feb 2026: Detection Rules — Remcos RAT OpenDirectory Campaign [RAT, Persistence, Cred Theft]
Feb 2026: Detection Rules — NsMiner Cryptojacker [Cryptominer, Dropper, Evasion]
Jan 2026: Arsenal-237 New Files: full_test_enc.exe (Advanced Rust Ransomware) [Ransomware, Rust]
Jan 2026: Arsenal-237 New Files: new_enc.exe (Human-Operated Rust Ransomware) [Ransomware, Rust]
Jan 2026: Arsenal-237 New Files: dec_fixed.exe (Ransomware Decryptor) [Ransomware, Rust]
Jan 2026: Arsenal-237 New Files: enc_c2.exe (Rust Ransomware with Tor C2) [Ransomware, C2, Rust]
Jan 2026: Arsenal-237 New Files: chromelevator.exe (Browser Credential Theft) [Cred Theft, .NET]
Jan 2026: Arsenal-237 New Files: nethost.dll (DLL Hijacking Persistence) [DLL Hijack, Persistence]
Jan 2026: Arsenal-237 New Files: rootkit.dll (Kernel-Mode Rootkit) [Rootkit, Evasion]
Jan 2026: Arsenal-237 New Files: BdApiUtil64.sys (Vulnerable Baidu Driver) [BYOVD, Priv Esc]
Jan 2026: Arsenal-237 New Files: lpe.exe (Privilege Escalation) [Priv Esc]
Jan 2026: Arsenal-237 New Files: killer_crowdstrike.dll (CrowdStrike-Specific Termination) [Evasion, BYOVD]
Jan 2026: Arsenal-237 New Files: killer.dll (BYOVD Process Termination) [BYOVD, Evasion]
Jan 2026: Arsenal-237: enc/dec Ransomware Family [Ransomware, Rust]
Jan 2026: Arsenal-237: uac_test.exe [Priv Esc, Evasion]
Jan 2026: Arsenal-237: FleetAgentFUD.exe [Dropper, Evasion]
Jan 2026: Arsenal-237: FleetAgentAdvanced.exe [Dropper, Persistence]
Jan 2026: Arsenal-237: agent_xworm_v2.exe (XWorm RAT v2.4.0) [RAT, C2]
Jan 2026: Arsenal-237: agent_xworm.exe (XWorm RAT v6) [RAT, C2]
Jan 2026: Arsenal-237: agent.exe (PoetRAT) [RAT, C2]
Dec 2025: Detection Rules — Dual-RAT Analysis: Pulsar RAT vs. NjRAT/XWorm [RAT, Injection, .NET]
Dec 2025: Detection Rules — PULSAR RAT (server.exe) [RAT, Cred Theft, .NET]
Nov 2025: Hybrid Loader/Stealer Ecosystem Masquerading as Sogou [Loader, Stealer, Evasion]
Nov 2025: Houselet.exe — Go-Based Loader Masquerading as PlayStation Remote Play [Loader, Stealer, Go]
Oct 2025: AdvancedRouterScanner [Scanner, Python]
Oct 2025: From Webshells to The Cloud [Webshell, PHP, Exfil]
Oct 2025: QuasarRAT + XWorm + PowerShell Loader [RAT, PowerShell, Evasion]