{ "type": "bundle", "id": "bundle--042b8034-8219-4fc7-9d32-15718cce3115", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d", "created": "2026-06-14T11:56:08.296301Z", "modified": "2026-06-14T11:56:08.296301Z", "name": "The Hunters Ledger", "identity_class": "organization" }, { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "name": "TLP:WHITE", "definition": { "tlp": "white" } }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--f655301a-7df1-54ee-ab04-d7c88ae822b7", "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d", "created": "2026-06-14T11:56:08.296665Z", "modified": "2026-06-14T11:56:08.296665Z", "name": "houselet.exe Execution from Temp", "indicator_types": [ "malicious-activity" ], "pattern": "title: houselet.exe Execution from Temp\nlogsource:\n category: process_creation\ndetection:\n selection:\n Image|contains: \"\\AppData\\Local\\Temp\\houselet.exe\"\ncondition: selection\nlevel: high", "pattern_type": "sigma", "valid_from": "2025-11-17T00:00:00Z", "labels": [ "detection-rule" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--4fb2128a-751c-5181-acd1-16d614beaa1a", "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d", "created": "2026-06-14T11:56:08.29687Z", "modified": "2026-06-14T11:56:08.29687Z", "name": "Self-Spawned houselet.exe", "indicator_types": [ "malicious-activity" ], "pattern": "title: Self-Spawned houselet.exe\nlogsource:\n category: process_creation\ndetection:\n selection:\n ParentImage|endswith: \"explorer.exe\"\n Image|endswith: \"houselet.exe\"\ncondition: selection\nlevel: high", "pattern_type": "sigma", "valid_from": "2025-11-17T00:00:00Z", "labels": [ "detection-rule" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--e910c3f1-c7b5-54bc-8ddb-a75669e56bfd", "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d", "created": "2026-06-14T11:56:08.297026Z", "modified": "2026-06-14T11:56:08.297026Z", "name": "IE ZoneMap Registry Modification", "indicator_types": [ "malicious-activity" ], "pattern": "title: IE ZoneMap Registry Modification\nlogsource:\n category: registry\ndetection:\n selection:\n TargetObject|contains: \"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\ZoneMap\"\ncondition: selection\nlevel: medium", "pattern_type": "sigma", "valid_from": "2025-11-17T00:00:00Z", "labels": [ "detection-rule" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--32524768-9257-5891-9499-f3c0c281b43c", "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d", "created": "2026-06-14T11:56:08.297161Z", "modified": "2026-06-14T11:56:08.297161Z", "name": "Proxy Registry Modification", "indicator_types": [ "malicious-activity" ], "pattern": "title: Proxy Registry Modification\nlogsource:\n category: registry\ndetection:\n selection:\n TargetObject|contains: \"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Proxy\"\ncondition: selection\nlevel: medium", "pattern_type": "sigma", "valid_from": "2025-11-17T00:00:00Z", "labels": [ "detection-rule" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--cbc2fdf2-2145-5282-9027-eea24d8a45e6", "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d", "created": "2026-06-14T11:56:08.297314Z", "modified": "2026-06-14T11:56:08.297314Z", "name": "HTTP POST to PHP C2", "indicator_types": [ "malicious-activity" ], "pattern": "title: HTTP POST to PHP C2\nlogsource:\n category: proxy\ndetection:\n selection:\n uri|endswith: \".php\"\n http.method: \"POST\"\ncondition: selection\nlevel: high", "pattern_type": "sigma", "valid_from": "2025-11-17T00:00:00Z", "labels": [ "detection-rule" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--de72d83f-ebe5-526e-a0db-92a571f8ee7d", "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d", "created": "2026-06-14T11:56:08.297463Z", "modified": "2026-06-14T11:56:08.297463Z", "name": "Outbound Traffic to 45.155.69.25", "indicator_types": [ "malicious-activity" ], "pattern": "title: Outbound Traffic to 45.155.69.25\nlogsource:\n category: proxy\ndetection:\n selection:\n dst_ip: \"45.155.69.25\"\ncondition: selection\nlevel: critical", "pattern_type": "sigma", "valid_from": "2025-11-17T00:00:00Z", "labels": [ "detection-rule" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--eb020d04-d470-5313-b0f1-da17099d4726", "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d", "created": "2026-06-14T11:56:08.297597Z", "modified": "2026-06-14T11:56:08.297597Z", "name": "RWX Memory Allocation by Go Binary", "indicator_types": [ "malicious-activity" ], "pattern": "title: RWX Memory Allocation by Go Binary\nlogsource:\n category: sysmon\ndetection:\n selection:\n CallTrace|contains: \"VirtualAlloc\"\ncondition: selection\nlevel: high", "pattern_type": "sigma", "valid_from": "2025-11-17T00:00:00Z", "labels": [ "detection-rule" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--9f718b19-d5ff-5bc8-83f2-8c37a0312c90", "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d", "created": "2026-06-14T11:56:08.297726Z", "modified": "2026-06-14T11:56:08.297726Z", "name": "Suspicious Crypto API Usage", "indicator_types": [ "malicious-activity" ], "pattern": "title: Suspicious Crypto API Usage\nlogsource:\n category: sysmon\ndetection:\n selection:\n CallTrace|contains:\n - \"CryptEncrypt\"\n - \"CryptAcquireContext\"\n - \"BCryptEncrypt\"\ncondition: selection\nlevel: medium", "pattern_type": "sigma", "valid_from": "2025-11-17T00:00:00Z", "labels": [ "detection-rule" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--0efc861b-36a6-5a3c-8aa4-99145c955762", "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d", "created": "2026-06-14T11:56:08.297862Z", "modified": "2026-06-14T11:56:08.297862Z", "name": "Fake Sony Metadata", "indicator_types": [ "malicious-activity" ], "pattern": "title: Fake Sony Metadata\nlogsource:\n category: file\ndetection:\n selection:\n file.description|contains: \"Sony Interactive Entertainment\"\n signature.status: \"Untrusted\"\ncondition: selection\nlevel: medium", "pattern_type": "sigma", "valid_from": "2025-11-17T00:00:00Z", "labels": [ "detection-rule" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--046f62ed-b64b-50b2-aab5-b44d84bb9607", "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d", "created": "2026-06-14T11:56:08.297996Z", "modified": "2026-06-14T11:56:08.297996Z", "name": "Anti-VM Behavior", "indicator_types": [ "malicious-activity" ], "pattern": "title: Anti-VM Behavior\nlogsource:\n category: sysmon\ndetection:\n selection:\n Image|contains: \"houselet.exe\"\n CommandLine|contains:\n - \"VBoxService\"\n - \"vmtoolsd\"\n - \"qemu\"\ncondition: selection\nlevel: medium", "pattern_type": "sigma", "valid_from": "2025-11-17T00:00:00Z", "labels": [ "detection-rule" ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "report", "spec_version": "2.1", "id": "report--66cfa6ea-e048-5321-893d-ff84b9a53c13", "created_by_ref": "identity--8bc8284b-deb5-546c-a233-57ea34b2ea0d", "created": "2026-06-14T11:56:08.298209Z", "modified": "2026-06-14T11:56:08.298209Z", "name": "Houselet.exe \u2014 Masquerading as PlayStation Remote Play", "report_types": [ "threat-report" ], "published": "2025-11-17T00:00:00Z", "object_refs": [ "indicator--f655301a-7df1-54ee-ab04-d7c88ae822b7", "indicator--4fb2128a-751c-5181-acd1-16d614beaa1a", "indicator--e910c3f1-c7b5-54bc-8ddb-a75669e56bfd", "indicator--32524768-9257-5891-9499-f3c0c281b43c", "indicator--cbc2fdf2-2145-5282-9027-eea24d8a45e6", "indicator--de72d83f-ebe5-526e-a0db-92a571f8ee7d", "indicator--eb020d04-d470-5313-b0f1-da17099d4726", "indicator--9f718b19-d5ff-5bc8-83f2-8c37a0312c90", "indicator--0efc861b-36a6-5a3c-8aa4-99145c955762", "indicator--046f62ed-b64b-50b2-aab5-b44d84bb9607" ], "labels": [ "Loader", "Stealer", "Go", "Injection" ], "external_references": [ { "source_name": "The Hunters Ledger", "url": "https://the-hunters-ledger.com/reports/malware-analysis-houselet/" } ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] } ] }