{ "type": "bundle", "id": "bundle--fed3f274-b0e6-48f7-9fa5-785903402f79", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d", "created": "2026-06-14T11:57:20.259799Z", "modified": "2026-06-14T11:57:20.259799Z", "name": "The Hunters Ledger", "identity_class": "organization" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--4f2dcf1f-4718-5cb2-90c8-c2d7ea5ce570", "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d", "created": "2026-06-14T11:57:20.260171Z", "modified": "2026-06-14T11:57:20.260171Z", "name": "Pulsar_RAT_Critical_Variant", "indicator_types": [ "malicious-activity" ], "pattern": "rule Pulsar_RAT_Critical_Variant {\n meta:\n description = \"Detects Pulsar RAT variant (server.exe)\"\n author = \"The Hunters Ledger\"\n date = \"2025-11-30\"\n threat_level = \"CRITICAL\"\n confidence = \"HIGH\"\n hash_sha256 = \"2c4387ce18be279ea735ec4f0092698534921030aaa69949ae880e41a5c73766\"\n reference = \"Internal malware analysis report\"\n\n strings:\n // Core Pulsar identifiers\n $pulsar = \"Pulsar.Common\" wide ascii\n $hvnc = \"HVNC\" wide ascii\n $keylog = \"KeyLogger\" wide ascii\n $msgpack = \"MessagePackSerializer\" wide ascii\n $bcrypt = \"BCryptEncrypt\" wide ascii\n\n // Critical persistence indicators\n $winre = \"Recovery\\OEM\\\" wide ascii nocase\n $runonce = \"CurrentVersion\\RunOnce\" wide ascii\n\n // Specific modules\n $remote_desktop = \"RemoteDesktop\" wide ascii\n $passwords = \"Passwords\" wide ascii\n\n condition:\n // PE32 file check\n uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and \n\n // File size check (1.5 MB \u00b1 margin for variants)\n filesize > 1MB and filesize < 2MB and\n\n // Core strings must be present\n all of ($pulsar, $hvnc, $keylog, $msgpack, $bcrypt, $winre) and\n\n // At least 2 surveillance modules\n 2 of ($remote_desktop, $passwords)\n}", "pattern_type": "yara", "valid_from": "2025-12-01T00:00:00Z", "labels": [ "detection-rule" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "report", "spec_version": "2.1", "id": "report--63c70a80-72cc-5e25-b84d-647b47fa5196", "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d", "created": "2026-06-14T11:57:20.260516Z", "modified": "2026-06-14T11:57:20.260516Z", "name": "PULSAR RAT (server.exe)", "report_types": [ "threat-report" ], "published": "2025-12-01T00:00:00Z", "object_refs": [ "indicator--4f2dcf1f-4718-5cb2-90c8-c2d7ea5ce570" ], "labels": [ "RAT", "Cred Theft", "Evasion", ".NET" ], "external_references": [ { "source_name": "The Hunters Ledger", "url": "https://the-hunters-ledger.com/reports/PULSAR-RAT/" } ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] } ] }