#yara — Public Fediverse posts

Cuba e Vietnã ampliam cooperação agrícola com novo projeto de cultivo de arroz em Granma

https://fed.brid.gy/r/https://www.brasildefato.com.br/2026/05/12/cuba-e-vietna-ampliam-cooperacao-agricola-com-novo-projeto-de-cultivo-de-arroz-em-granma/

Cuba e Vietnã ampliam cooperação agrícola com novo projeto de cultivo de arroz em Granma

https://fed.brid.gy/r/https://www.brasildefato.com.br/2026/05/12/cuba-e-vietna-ampliam-cooperacao-agricola-com-novo-projeto-de-cultivo-de-arroz-em-granma/

#YARA #SHAHIDI allgraph.ro/advanced-sea... #SEABED #WARFARE www.perplexity.ai/search/new?q... semantic-map-engine.aepiot.com/semantic-map... aePiot: Empowering the present for Web 4.0. Construct nodes and own the SEO of tomorrow.

MultiSearch Tag Explorer

#YARA #SHAHIDI allgraph.ro/advanced-sea... #SEABED #WARFARE www.perplexity.ai/search/new?q... semantic-map-engine.aepiot.com/semantic-map... aePiot: Empowering the present for Web 4.0. Construct nodes and own the SEO of tomorrow.

MultiSearch Tag Explorer

https://www.europesays.com/no/228378/ Yara-topp advarer: – Ganske alvorlig #BreakingNews #BreakingNews #FeaturedNews #FeaturedNews #gjødsel #Headlines #hormuzstredet #LatestNews #LatestNews #News #NO #Norge #Norway #Nyheter #Overskrifter #TopStories #TopStories #Verden #World #WorldNews #WorldNews #Yara

Unmasking the Moon: Comparing LunaStealer Samples with MalChela and Claude

As one tends to do on Saturday mornings with coffee in hand, I was reviewing two samples that were attributed to the LunaStealer / LunaGrabber family. Originally I was validating that tiquery was working with the MCP configuration, however what started as a quick TI check turned into a full static analysis session — and it gave me a good opportunity to put the MalChela MCP integration through its paces in a real workflow. This post walks through how that investigation unfolded, what the pivot points were, and what we found at the bottom of the rabbit hole.

The Setup

If you haven’t seen the MalChela MCP plugin before, the short version is this: MalChela is a Rust-based malware analysis toolkit I’ve been building for a while — tools like tiquery, fileanalyzer, mstrings, and others. The MCP server exposes all of those tools to Claude Desktop natively, so instead of dropping to the terminal for every command, I can run analysis steps conversationally and let Claude help interpret the results and suggest next moves.

This is not replacing the terminal — it’s augmenting it. The pivot decisions still come from the analyst. But having a reasoning layer that can look at mstrings output and say “that SetDllDirectoryW + GetTempPathW combination is staging behavior, and here’s the ATT&CK mapping” is genuinely useful when you’re moving fast.

Both samples were sitting in a folder on my Desktop. I had SHA-256 hashes. Let’s go.

Phase 1: Threat Intelligence Query

First move is always TI. The MalChela tiquery tool hits MalwareBazaar, VirusTotal, Hybrid Analysis, MetaDefender, and Triage simultaneously and returns a combined results matrix. Two calls, two answers.

Sample 1 (4f3b8971...) came back confirmed LunaStealer across all five sources. First seen 2025-12-01. Original filename sdas.exe. VT tagged it trojan.generickdq/python — already telling us something about the build.

Sample 2 (d4f57b42...) was more interesting. MalwareBazaar returned both LunaGrabber and LunaStealer tags. Triage clustered it with BlankGrabber, GlassWorm, IcedID, and Luca-Stealer. The original filename was loader.exe. That’s a different kind of name than sdas.exe. One sounds like a throwaway test artifact. The other sounds deliberate.

The TI results alone suggested these weren’t just two copies of the same thing. They were potentially different components of the same campaign.

Phase 2: Static PE Analysis

fileanalyzer and mstrings on both samples.

The first thing that jumped out was the imphash — f3c0dbc597607baa2ea891bc3a114b19 — identical on both. Same section layout, same section sizes, same import count (146), same 7 PE sections including the .fptable section that PyInstaller uses for its frozen module table. These two samples were compiled from the same PyInstaller loader template with different payloads bundled inside.

But the entropy diverged sharply. Sample 1 (sdas.exe) came in at 3.9 — low, even for a PyInstaller bundle. Sample 2 (loader.exe) was 6.9 — high, indicating the embedded payload is compressed or encrypted more aggressively. Combined with the file size difference (47 MB vs 22 MB), this was the first signal that what was inside each bundle was meaningfully different.

mstrings gave us 22–23 ATT&CK-mapped detections across both samples — largely the same set: IsDebuggerPresent, QueryPerformanceCounter, SetDllDirectoryW, GetTempPathW, ExpandEnvironmentStringsW, OpenProcessToken. Standard infostealer staging behavior. Tcl_CreateThread showed up in both, which is a PyInstaller artifact from bundling Python with Tkinter. The VT python family tag made more sense in context.

Phase 3: PyInstaller Extraction

Both samples were extracted with pyinstxtractor-ng. This is where the two samples started to diverge clearly.

Sample 1 entry point: sdas.pyc — Python 3.13, 112 files in the CArchive, 752 modules in the PYZ archive.

Sample 2 entry point: cleaner.pyc — Python 3.11, 113 files, 760 modules.

The name cleaner.pyc inside a file called loader.exe is a tell. That’s not a stealer payload name. That’s something that runs after.

The bundled library sets were nearly identical between both — requests, requests_toolbelt, Cryptodome, cryptography, psutil, PIL, sqlite3, win32 — same stealer framework. But Sample 2 had a unique addition: a l.js reference (mapped to T1059 — Command and Scripting Interpreter). A JavaScript component not present in the December build. The OpenSSL versions also differed: Sample 1 bundled libcrypto-3.dll (OpenSSL 3.x), Sample 2 had libcrypto-1_1.dll (OpenSSL 1.1). Different build environments, roughly one month apart.

At this point the working theory was solid: Sample 1 is a standalone stealer. Sample 2 is a later-generation dropper/installer with an updated payload and additional capability.

Phase 4: Bytecode Decompilation

decompile3 couldn’t handle Python 3.11 or 3.13 bytecode. That’s a known limitation. pycdc (Decompyle++) handles both.

sdas.pyc decompiled cleanly — the import stack made the capability set immediately obvious:

 from win32crypt import CryptUnprotectData  from Cryptodome.Cipher import AES  from PIL import Image, ImageGrab  from requests_toolbelt.multipart.encoder import MultipartEncoder  import sqlite3  

CryptUnprotectData for browser master key decryption. AES for the decryption itself. ImageGrab for screenshots. MultipartEncoder for structured exfiltration. Classic infostealer, nothing surprising.

cleaner.pyc was a different story. The decompiler output opened with this:

 __________ = eval(getattr(__import__(bytes([98,97,115,101,54,52]).decode()), ...  

Heavy obfuscation — byte arrays used to reconstruct eval, getattr, and __import__ at runtime so none of those strings appear in plain text. The approach is designed to evade static string detection. Decode the byte arrays and you get:

 bytes([98,97,115,101,54,52])        → "base64"  bytes([90,88,90,104,98,65,61,61])   → b64decode("ZXZhbA==") → "eval"  bytes([90,50,86,48,...])            → "getattr"  bytes([88,49,57,112,...])           → "__import__"  

Standard Python malware obfuscation. But buried further down in the decompile output was a large binary blob — a bytes literal starting with \xfd7zXZ. That’s the LZMA magic header.

Phase 5: LZMA Stage 2 Extraction

The blob was located at offset 0x17d4 in the pyc file. Extract and decompress it:

 import lzma  blob = open('cleaner.pyc', 'rb').read()  idx = blob.find(b'\xfd7zXZ')  decompressed = lzma.decompress(blob[idx:])  # → 102,923 bytes  

One important detail: the decompression is wrapped in a try/except LZMAError block with os._exit(0) on failure. If the decompression fails — as it would in some emulated sandbox environments — the process exits silently with no error. That’s the anti-sandbox mechanism.

The decompressed payload was another obfuscated Python source using a custom alphabet substitution encoding. The final execution chain was compile() + exec(). Decoding the full stage 2 revealed everything:

The injection URL:

 https://raw.githubusercontent.com/Smug246/luna-injection/main/obfuscated-injection.js  

This is the live Discord injection payload. The stage 2 pulls this JavaScript file from GitHub and injects it into the Discord desktop client’s core module, persisting across restarts.

The capability set from stage 2:

• Anti-analysis checks on startup: process blacklist (~30 entries including wireshark, processhacker, vboxservice, ollydbg, x96dbg, pestudio), MAC address blacklist (80+ VM prefixes), HWID blacklist, IP blacklist, username/PC name blacklists
• Discord token theft from all three release channels (stable, canary, PTB)
• Browser credential theft across 20+ Chromium and non-Chromium browsers
• Roblox session cookie harvesting (.ROBLOSECURITY= targeting with API validation)
• Desktop screenshot capture
• Self-destruct: ping localhost -n 3 > NUL && del /F "{path}"

The ping delay is a simple trick — the 3-second wait lets the process fully exit before the delete fires, so the file removes itself cleanly after execution.

What MalChela + MCP Added to This Workflow

The honest answer is: speed and synthesis.

tiquery hitting five TI sources in one call versus five separate browser tabs or CLI invocations is a meaningful time saving, but that’s the surface benefit. The deeper value showed up in the mstrings step — getting ATT&CK-mapped output with technique IDs alongside the raw strings meant the behavioral picture came together faster than manually correlating imports against the ATT&CK matrix.

The MCP integration meant each of those steps — TI query, PE analysis, string extraction — could happen within the same conversation context. Claude could see the fileanalyzer output and the mstrings output together and note that the entropy difference between the two samples was significant, that the identical imphash meant shared loader infrastructure, that the staging imports in mstrings were consistent with the exfil approach suggested by the TI tags. That cross-tool synthesis is where the integration earns its keep.

The parts that still required manual work: pyinstxtractor-ng, pycdc, the LZMA extraction, and decoding the stage 2. Those are terminal steps on the Mac.

IOCs at a Glance

Samples:

Injection URL:

 https://raw.githubusercontent.com/Smug246/luna-injection/main/obfuscated-injection.js  

Self-destruct pattern:

 ping localhost -n 3 > NUL && del /F "{executable}"  

Imphash (shared loader stub):

 f3c0dbc597607baa2ea891bc3a114b19  

A full IOC list including ~60 C2 IPs, MAC address blacklists, and HWID blacklists is in the analysis report linked below.

Downloads

• 📄 [Full Analysis Report] — Complete investigation narrative, sample properties, capability breakdown, IOC documentation, campaign timeline, and recommendations. (LunaStealer_Analysis_Report.pdf)
• 🛡️ [YARA Rules — PE] — Four rules targeting the PE samples: exact hash match, shared PyInstaller stub (imphash-based), infostealer payload strings, generic PyInstaller infostealer. (lunastealer_pe.yar)

If you’re running MalChela in your environment and want to reproduce the TI query steps, the MalChela MCP plugin source is on GitHub at github.com/dwmetz/MalChela. Questions or additions to the IOC list — find me on the usual channels.

https://www.europesays.com/dk/72649/ In 2026, a container ship on the Oslo-Hamburg route will abandon diesel and use fertilizer as fuel: the Yara Eyde ushers in the era of green ammonia in maritime transport. #AmôniaVerde #descarbonização #Equinor #Navios #noruega #Norway #Oslo #Yara

https://www.europesays.com/no/220748/ Yara leverer sterkere tall – E24 #Business #Economy #Næringsliv #NO #Norge #Norway #Yara

MalChela 3.2: More Cowbell? More Intel!

One of the things I value most about the open-source community is that the best improvements to a tool often don’t come from inside it — they come from outside conversations.  A short while back, the author of mlget, xorhex,  reached out and suggested I add more malware retrieval sources to FOSSOR, one of my earlier tools for pulling down samples from threat intel repositories.  It was a generous nudge, and it landed at exactly the right moment.

FOSSOR started as a simple script.  It did one job — grab malware samples from a handful of sources — and it did it well enough.  When I wrote it, I already knew it was a candidate for eventual MalChela integration, but “eventually” had stayed firmly in the future tense.  The message from xorhex gave me the push to actually sit down and do it properly.

The result is tiquery — and it’s become a new centerpiece to MalChela 3.2.

The Pattern I Keep Repeating (Deliberately)

If you’ve followed this blog or the MalChela project for a while, you might notice a recurring arc in how my tools tend to develop.  It goes something like this:

• Step one:  write a focused script that solves a specific problem.
• Step two:  that script evolves into a standalone tool as the scope grows.
• Step three:  the tool finds its permanent home inside MalChela, where it benefits from the broader ecosystem — case management, the GUI, the MCP server integration, the portable workspace.
• Step four:  When there’s overlap between tools, follow the KISS principle.

FOSSOR was in step one.  The conversation with xorhex accelerated the jump to step three.  What emerged was something more ambitious than just a source expansion — it’s a unified threat intelligence query engine, built from the ground up.

If you’re new to MalChela, it’s a Rust-based malware analysis toolkit built for DFIR practitioners — static analysis, string extraction, YARA rule generation, threat intel lookups, network analysis, and now a unified case management layer tying it all together.  Free, open-source, and built to run anywhere.

Introducing tiquery

tiquery is now the single threat intel tool in MalChela, replacing the retired malhash.  The core idea is straightforward: submit a hash, query multiple sources in parallel, get a clean color-coded summary back.  No waiting for one source to finish before the next one starts.  No manually juggling browser tabs or API wrappers.

Out of the box, tiquery works with eight confirmed sources:

• VirusTotal
• MalwareBazaar
• AlienVault OTX
• MetaDefender Cloud
• Hybrid Analysis
• FileScan.IO
• Malshare
• ObjectiveSee (no API key required — queries a locally-cached macOS malware catalogue)

Sources are tiered — free sources and registration-required sources are distinguished in the interface.  If you haven’t configured an API key for a given source, tiquery skips it gracefully rather than throwing an error. This means you can run it easily with whatever keys you have available.

The ObjectiveSee integration deserves a special mention.  It queries the objective-see.org/malware.html catalogue for macOS-specific threats using a locally-cached copy that refreshes every 24 hours, with a stale-cache fallback for offline use.  For anyone doing Mac forensics, this is a meaningful addition — a free, no-key-required check specifically against known macOS malware families.

Tiquery, like FOSSOR, supports batch lookups as well — point it to a .csv or .txt file of hashes and they’ll all be checked in parallel. You can also download samples directly, with MalwareBazaar supported in this release and additional sources on the way – (your vote matters).

What It Looks Like in Practice

The screenshots below show tiquery running in both the CLI and GUI.  In both cases, for any of the matching sources you get a basic classification (malware family, tags, detections,) and direct links to threat intelligence documents about the samples. It’s the perfect jumping off point when you want to leverage community research.

The CLI output is clean and tabular — source abbreviation, status (color-coded FOUND/NOT FOUND), family and tag information, detection count, and a direct reference URL.  Everything you need to make a quick triage decision, no scrolling through API response JSON required. You can run tiquery CLI as a stand-alone, or from within the MalChela CLI menu.

In the GUI, the experience is layered a bit more richly.  You can toggle individual sources on or off, switch between single-hash and bulk lookup modes, download the sample directly from MalwareBazaar, and export results to CSV — all from one interface.  The macOS ObjectiveSee source displays its cache age inline so you always know how fresh the data is.

Both outputs feed into MalChela’s case management system.  Check “Save to Case” in the GUI, and tiquery creates a valid case.json automatically — no separate case creation step needed.

Extended Case Management Across the Toolkit

Speaking of case management — 3.2 extends “Save to Case” support across the full GUI.  File Analyzer, File Miner, and mStrings, all now include the checkbox.  This closes out the last gaps in the case workflow.  Whatever tool you’re using for a given task, if you want to preserve the output in a named case, it’s one click. You no longer have to start with the New Case workflow, however it is recommended if that’s the direction you’re going from the start.

The Strings to YARA tool also gains a companion “Save to YARA Library” checkbox.  Check it, and the generated rule gets copied directly into the project’s yara_rules/ directory alongside being saved to the case. This will automatically make the rule available when you run fileanalyzer on subsequent files.  It’s a small workflow improvement, but one that eliminates a manual copy step I was taking every time anyway. I also added a quick formatter so the special character most often in need of escaping “\” gets handled automatically when the rule is generated.

A Note on malhash

malhash is retired in 3.2.  If you’ve been using it in scripts or workflows, tiquery is its direct replacement — it does everything malhash did and then some.  This is a breaking change in the sense that the binary is gone, but functionally tiquery is a superset, not a lateral move.

malhash served its purpose well.  RIP. tiquery is where that purpose lives now.

Get It

MalChela 3.2 is available now on GitHub.  The full release notes are in the repo. 

Thanks to xorhex for the nudge.  Sometimes the best features start with someone saying “have you thought about…”

----------------

🛠️ Tool: YARA-X (Rust-based pattern matcher)
===================

Opening: YARA-X is a ground-up reimplementation of YARA written in Rust. Its stated goals are improved performance, stronger memory safety, and a more user-friendly rule execution model for malware researchers. VirusTotal reports long-running production use, scanning billions of files with tens of thousands of rules.

Key Features:
• Rule model: Supports YARA-like rules composed of named strings (binary and textual), metadata, and boolean conditions.
• String types: Includes support for raw byte patterns, case-insensitive strings, regular expressions, and wildcards.
• Performance and safety: Implemented in Rust to reduce memory-unsafety risks and to enable optimizations for faster scanning at scale.

Technical implementation:
• Language and packaging: Implemented in Rust and published on crates.io (crate name: yara-x).
• Execution model: Rules evaluate a set of pattern matches plus a boolean expression; the engine optimizes string matching and condition evaluation for throughput.
• Production maturity: VirusTotal indicates YARA-X is battle-tested in production, used to process very large corpora and to reconcile discrepancies and bugs.

Use cases:
• Large-scale static scanning pipelines for malware classification and triage.
• Rule development for incident response, threat hunting, and detection engineering.
• Embedding into analysis platforms that require safe, high-performance pattern matching.

Limitations and considerations:
• Rule-level differences exist relative to legacy YARA; rule authors must consult compatibility notes when migrating.
• Although YARA remains maintained (bug fixes/minor features), new modules and feature development are focused on YARA-X, which may affect long-term ecosystem transitions.

Conclusion: YARA-X represents a deliberate modernization of a core malware analysis capability: the project emphasizes Rust-driven safety and performance while preserving YARA-like authoring semantics. For teams developing or running large-scale detection pipelines, YARA-X offers a production-hardened alternative to YARA.

🔹 yara_x #yara #tool

🔗 Source: https://github.com/VirusTotal/yara-x?tab=readme-ov-file

RE: https://infosec.exchange/@binaryninja/116403309269355624

For the few people using #BinYars, it has been updated to support #BinaryNinja 5.3 and now targets YARA-X 1.15.0

Update via Binja's plugin manager to get the latest.

https://github.com/xorhex/BinYars-SideWidget

#YARA #YARAX

RE: https://infosec.exchange/@binaryninja/116403309269355624

For the few people using #BinYars, it has been updated to support #BinaryNinja 5.3 and now targets YARA-X 1.15.0

Update via Binja's plugin manager to get the latest.

https://github.com/xorhex/BinYars-SideWidget

#YARA #YARAX

RE: https://infosec.exchange/@binaryninja/116403309269355624

For the few people using #BinYars, it has been updated to support #BinaryNinja 5.3 and now targets YARA-X 1.15.0

Update via Binja's plugin manager to get the latest.

https://github.com/xorhex/BinYars-SideWidget

#YARA #YARAX

RE: https://infosec.exchange/@binaryninja/116403309269355624

For the few people using #BinYars, it has been updated to support #BinaryNinja 5.3 and now targets YARA-X 1.15.0

Update via Binja's plugin manager to get the latest.

https://github.com/xorhex/BinYars-SideWidget

#YARA #YARAX

RE: https://infosec.exchange/@binaryninja/116403309269355624

For the few people using #BinYars, it has been updated to support #BinaryNinja 5.3 and now targets YARA-X 1.15.0

Update via Binja's plugin manager to get the latest.

https://github.com/xorhex/BinYars-SideWidget

#YARA #YARAX

----------------

🛠️ Tool
===================

Opening: Heimdall is an open‑source DFIR investigation cockpit designed for CSIRT, SOC and DFIR teams that centralizes ingestion, parsing, correlation and visualization of forensic artifacts in a real‑time interface.

Key Features:
• Ingestion & Storage: chunked uploads (up to 256 GB) with automatic resume, integrated object storage (MinIO) patterns and mandatory ClamAV scanning for each file.
• Parsing & Indexing: asynchronous worker queue using BullMQ to parse artifacts with tools such as Hayabusa, Zimmerman Tools and tshark, and index results into a per‑case Elasticsearch Super Timeline.
• Threat Hunting & Correlation: built‑in YARA engine for per‑file/per‑case scans, Sigma hunts on the Super Timeline, GitHub rules import, and TAXII 2.1 / STIX 2.1 threat intel ingestion with automatic correlation.
• Detection & Enrichment: automatic detections including timestomping heuristics, double‑extension checks, C2 beaconing scoring, persistence enumerations, and IOC enrichment via VirusTotal and AbuseIPDB.
• Automation & Reporting: parallel SOAR engine with DFIR playbooks (ransomware, RDP, phishing), Legal Hold manifests signed with HMAC‑SHA256, and enriched PDF export including kill‑chain mapping and triage outputs.
• Local AI Assistance: global AI chat and Case Copilot via Ollama with SSE streaming and support for models such as qwen3 and mistral for contextual analyst assistance.

Technical Implementation: Heimdall combines a web UI with a worker queue architecture. Ingested artifacts are chunked and stored to object storage; workers perform parsing using existing forensic tools and write structured events to Elasticsearch. The Super Timeline aggregates multi‑source artifacts for temporal correlation and Sigma/YARA rules run against parsed events and files.

Use Cases: centralized case management for DFIR teams, automated triage and scoring of incoming evidence, timeline reconstruction across disk/EVTX/PCAP/RAM, and coordinated hunting using threat intel feeds.

Limitations & Considerations: resource demands for Elasticsearch and parsing workers can be significant for large volumes; Volatility 3 / VolWeb integration is marked as "soon"; reliance on third‑party engines implies varying parsing coverage per artifact type.

Overall: Heimdall positions itself as a comprehensive, extensible DFIR cockpit that stitches existing forensic engines into a unified investigation workflow. #tool #DFIR #elasticsearch #YARA #SOAR

🔗 Source: https://raiseix.github.io/Heimdall-DFIR/

Охота на Emmenhtal: как мы восстановили полную kill chain банковского трояна с переформатированного диска

Разбираем реальный IR-кейс: ClickFix → Emmenhtal Loader → банковский троян с Telegram C2. Форензик переформатированного диска на 930 ГБ, VDM-дисамбигуация ложноположительных и восстановление артефактов из hibernation-файла.

https://habr.com/ru/articles/1021698/

#DFIR #форензика #malware_analysis #банковский_троян #Emmenhtal #ClickFix #threat_hunting #YARA #fileless_malware #incident_response

Охота на Emmenhtal: как мы восстановили полную kill chain банковского трояна с переформатированного диска

Разбираем реальный IR-кейс: ClickFix → Emmenhtal Loader → банковский троян с Telegram C2. Форензик переформатированного диска на 930 ГБ, VDM-дисамбигуация ложноположительных и восстановление артефактов из hibernation-файла.

https://habr.com/ru/articles/1021698/

#DFIR #форензика #malware_analysis #банковский_троян #Emmenhtal #ClickFix #threat_hunting #YARA #fileless_malware #incident_response

Охота на Emmenhtal: как мы восстановили полную kill chain банковского трояна с переформатированного диска

Разбираем реальный IR-кейс: ClickFix → Emmenhtal Loader → банковский троян с Telegram C2. Форензик переформатированного диска на 930 ГБ, VDM-дисамбигуация ложноположительных и восстановление артефактов из hibernation-файла.

https://habr.com/ru/articles/1021698/

#DFIR #форензика #malware_analysis #банковский_троян #Emmenhtal #ClickFix #threat_hunting #YARA #fileless_malware #incident_response

Охота на Emmenhtal: как мы восстановили полную kill chain банковского трояна с переформатированного диска

Разбираем реальный IR-кейс: ClickFix → Emmenhtal Loader → банковский троян с Telegram C2. Форензик переформатированного диска на 930 ГБ, VDM-дисамбигуация ложноположительных и восстановление артефактов из hibernation-файла.

https://habr.com/ru/articles/1021698/

#DFIR #форензика #malware_analysis #банковский_троян #Emmenhtal #ClickFix #threat_hunting #YARA #fileless_malware #incident_response

ClearWater — обзор нового шифровальщика

Приветствую, сегодня я расскажу про новый шифровальщик, который мне удалось обнаружить на просторах Интернета. Первые упоминания ClearWater появились ещё в январе 2026 года. Исследуя всемирную паутину, я ещё не находил ни одной нормальной статьи по этому вредоносу, поэтому решил сам написать такую. Данный шифровальщик не отличается какой-то технической сложностью или необычными приемами поэтому его обзор несёт больше информативный характер и предназначен для Malware и TI-аналитиков.

https://habr.com/ru/articles/1018822/

#ClearWater #шифровальщик #вредонос #вредоносное_по #реверсинжиниринг #реверс #анализ_вредоносов #yara #mitre

ClearWater — обзор нового шифровальщика

Приветствую, сегодня я расскажу про новый шифровальщик, который мне удалось обнаружить на просторах Интернета. Первые упоминания ClearWater появились ещё в январе 2026 года. Исследуя всемирную паутину, я ещё не находил ни одной нормальной статьи по этому вредоносу, поэтому решил сам написать такую. Данный шифровальщик не отличается какой-то технической сложностью или необычными приемами поэтому его обзор несёт больше информативный характер и предназначен для Malware и TI-аналитиков.

https://habr.com/ru/articles/1018822/

#ClearWater #шифровальщик #вредонос #вредоносное_по #реверсинжиниринг #реверс #анализ_вредоносов #yara #mitre

ClearWater — обзор нового шифровальщика

Приветствую, сегодня я расскажу про новый шифровальщик, который мне удалось обнаружить на просторах Интернета. Первые упоминания ClearWater появились ещё в январе 2026 года. Исследуя всемирную паутину, я ещё не находил ни одной нормальной статьи по этому вредоносу, поэтому решил сам написать такую. Данный шифровальщик не отличается какой-то технической сложностью или необычными приемами поэтому его обзор несёт больше информативный характер и предназначен для Malware и TI-аналитиков.

https://habr.com/ru/articles/1018822/

#ClearWater #шифровальщик #вредонос #вредоносное_по #реверсинжиниринг #реверс #анализ_вредоносов #yara #mitre

ClearWater — обзор нового шифровальщика

Приветствую, сегодня я расскажу про новый шифровальщик, который мне удалось обнаружить на просторах Интернета. Первые упоминания ClearWater появились ещё в январе 2026 года. Исследуя всемирную паутину, я ещё не находил ни одной нормальной статьи по этому вредоносу, поэтому решил сам написать такую. Данный шифровальщик не отличается какой-то технической сложностью или необычными приемами поэтому его обзор несёт больше информативный характер и предназначен для Malware и TI-аналитиков.

https://habr.com/ru/articles/1018822/

#ClearWater #шифровальщик #вредонос #вредоносное_по #реверсинжиниринг #реверс #анализ_вредоносов #yara #mitre

https://www.europesays.com/no/198454/ Fikk lønnspakke på nær 18 mill. ifjor – E24 #aker #AkerBp #AndersOpedal #Årsrapport #Business #Economy #energi #equinor #KarlJohnnyHersvik #KjerstinBraathen #Lønn #Næringsliv #NO #nordea #Norge #Norway #OddArildGrefstad #Ørsted #ØyvindEriksen #Storebrand #Yara

https://www.europesays.com/no/189229/ Felleskjøpet Agri, Aksjer | Felleskjøpet stanset annonsering i Nationen etter avsløringer om konserndirektør #Aksjer #art #BreakingNews #BreakingNews #FeaturedNews #FeaturedNews #FelleskjøpetAgri #Headlines #LandbrukOgMat #LatestNews #LatestNews #News #NO #Norge #NorskPresseforbund #Norway #Nyheter #Overskrifter #story #TopStories #TopStories #Verden #World #WorldNews #WorldNews #Yara

https://www.europesays.com/no/187097/ Felleskjøpet Agri, Yara | Landbruksdirektør fritatt etter avsløring om Yara-aksjer #Aksjer #art #Business #Economy #FelleskjøpetAgri #LandbrukOgMat #Næringsliv #NO #Norge #Norway #story #Yara

https://www.europesays.com/no/186564/ Felleskjøpet Agri, Yara | Felleskjøpet-topp har sittet på verdifulle Yara-aksjer #Aksjer #art #Business #Economy #FelleskjøpetAgri #gjødsel #LandbrukOgMat #Næringsliv #NO #Norge #Norway #story #Yara

----------------

🛠️ Tool: AI-Powered Ransomware Intelligence Agent
===================

This repository provides n8n automation workflows that continuously monitor ransomware leak sites (ransomware.live) and run LLM-driven analysis to produce structured intelligence outputs. The design supports both cloud LLM usage (Anthropic Claude Sonnet) and fully local processing via Ollama with compatible models such as llama3.1, enabling flexibility in privacy and cost control.

Core pipeline components include feed ingestion from ransomware.live, AI summarization and extraction of entities, IOC enrichment (optional integrations with VirusTotal and AbuseIPDB), YARA rule generation, MITRE ATT&CK mapping, KPI aggregation, and formatted outputs (HTML dashboard, Slack alert, Google Doc, email, JIRA). Visual outputs use Chart.js for KPI and trend charts and a lifecycle/mindmap visualization for observed TTPs and attack phases.

Technical capabilities emphasized by the project are structured IOC extraction, historical trending, composite risk scoring, per-actor profiles, and automated YARA rule suggestion. The workflows are provided at two capability levels: 101 (monitor + AI analysis + HTML/Slack) and 200 (adds IOC enrichment, YARA, historical trends, email, JIRA). Both levels have Claude and Ollama variants; Ollama variants are intended for fully local execution to avoid external API calls.

Limitations and requirements explicitly noted include dependency on external APIs for enrichment (VirusTotal, AbuseIPDB) and the need for webhook/credentials for delivery channels (Slack, email, Google Docs, JIRA). The ransomware.live API is identified as free and unauthenticated. A mock API server is included for safe demos and webinars to simulate leak feeds without contacting live services.

This project documents concrete outputs (KPI cards, MITRE ATT&CK table, five Chart.js charts, attack lifecycle visualization, group profile cards) and integration points rather than deployment steps. Users evaluating the workflows should focus on the provided capability mapping, data outputs, and required integrations when assessing fit.

🔹 n8n #ransomware_live #Ollama #Claude_Sonnet #YARA

🔗 Source: https://github.com/depalmar/AI-Powered-Ransomware-Intelligence-Agent

https://www.europesays.com/no/180671/ Yara, Gjødsel | USA åpner etterforskning mot Yara – mistenkes for ulovlig prissetting #art #BreakingNews #BreakingNews #FeaturedNews #FeaturedNews #gjødsel #Headlines #LatestNews #LatestNews #Næringsliv #News #NO #Norge #Norway #Nyheter #Overskrifter #story #TopStories #TopStories #Verden #World #WorldNews #WorldNews #Yara

https://www.europesays.com/no/179751/ Frykter prissjokk på gjødsel: – Dobbeltsmell – E24 #BreakingNews #BreakingNews #FeaturedNews #FeaturedNews #Headlines #Hovedoppslag #LatestNews #LatestNews #MainNews #MainNews #News #NO #Norge #Norway #Nyheter #Overskrifter #TopStories #TopStories #Yara

Een samenvoeging van verschillende video’s die ik heb geüpload op mijn Youtube Kanaal Peter Stuif #Gezelligheid #Slechtziend #Yara Stuif

Yara-X 1.13 released!

Run (to get the latest): cargo install-update -i yara-x-cli

https://github.com/VirusTotal/yara-x/releases/tag/v1.13.0

#YARAX #YARA

Yara-X 1.13 released!

Run (to get the latest): cargo install-update -i yara-x-cli

https://github.com/VirusTotal/yara-x/releases/tag/v1.13.0

#YARAX #YARA

Yara-X 1.13 released!

Run (to get the latest): cargo install-update -i yara-x-cli

https://github.com/VirusTotal/yara-x/releases/tag/v1.13.0

#YARAX #YARA

Yara-X 1.13 released!

Run (to get the latest): cargo install-update -i yara-x-cli

https://github.com/VirusTotal/yara-x/releases/tag/v1.13.0

#YARAX #YARA

Yara-X 1.13 released!

Run (to get the latest): cargo install-update -i yara-x-cli

https://github.com/VirusTotal/yara-x/releases/tag/v1.13.0

#YARAX #YARA

Yara-X has a language server for VS-Code

https://marketplace.visualstudio.com/items?itemName=VirusTotal.yara-x-ls

#YARAX #YARA

Yara-X has a language server for VS-Code

https://marketplace.visualstudio.com/items?itemName=VirusTotal.yara-x-ls

#YARAX #YARA

Yara-X has a language server for VS-Code

https://marketplace.visualstudio.com/items?itemName=VirusTotal.yara-x-ls

#YARAX #YARA

Yara-X has a language server for VS-Code

https://marketplace.visualstudio.com/items?itemName=VirusTotal.yara-x-ls

#YARAX #YARA

Yara-X has a language server for VS-Code

https://marketplace.visualstudio.com/items?itemName=VirusTotal.yara-x-ls

#YARAX #YARA

Released v1.3.3. of #Yaralyzer, my surprisingly popular tool for visualizing YARA rule matches with colors (a lot of colors).

1. --export-png images lets you export images of the analysis

2. almost all command line options (including multi argument ones like --yara-rules-dir) can be permanently set via environment variables or .yaralyzer file

3. couple of small bug fixes and debugging related command line options

You can try it on the web here: https://yaratoolkit.securitybreak.io/
(I didn't build this website, Thomas Roccia from Microsoft just integrated Yaralyzer into his existing site)

- Github: https://github.com/michelcrypt4d4mus/yaralyzer
- Pypi: https://pypi.org/project/yaralyzer/
- on macOS you can also get it with #Homebrew by installing Pdfalyzer: brew install pdfalyzer

#ascii #asciiArt #blueteam #cybersecurity #detectionEngineering #DFIR #forensics #FOSS #GPL #hacking #infosec #KaliLinux #maldoc #malware #malwareAnalysis #malwareDetection #openSource #pypi #python #redteam #reverseEngineering #reversing #Threatassessment #threathunting #YARA #YARArule #YARArules

Released v1.3.3. of #Yaralyzer, my surprisingly popular tool for visualizing YARA rule matches with colors (a lot of colors).

1. --export-png images lets you export images of the analysis

2. almost all command line options (including multi argument ones like --yara-rules-dir) can be permanently set via environment variables or .yaralyzer file

3. couple of small bug fixes and debugging related command line options

You can try it on the web here: https://yaratoolkit.securitybreak.io/
(I didn't build this website, Thomas Roccia from Microsoft just integrated Yaralyzer into his existing site)

- Github: https://github.com/michelcrypt4d4mus/yaralyzer
- Pypi: https://pypi.org/project/yaralyzer/
- on macOS you can also get it with #Homebrew by installing Pdfalyzer: brew install pdfalyzer

#ascii #asciiArt #blueteam #cybersecurity #detectionEngineering #DFIR #forensics #FOSS #GPL #hacking #infosec #KaliLinux #maldoc #malware #malwareAnalysis #malwareDetection #openSource #pypi #python #redteam #reverseEngineering #reversing #Threatassessment #threathunting #YARA #YARArule #YARArules

Released v1.3.3. of #Yaralyzer, my surprisingly popular tool for visualizing YARA rule matches with colors (a lot of colors).

1. --export-png images lets you export images of the analysis

2. almost all command line options (including multi argument ones like --yara-rules-dir) can be permanently set via environment variables or .yaralyzer file

3. couple of small bug fixes and debugging related command line options

You can try it on the web here: https://yaratoolkit.securitybreak.io/
(I didn't build this website, Thomas Roccia from Microsoft just integrated Yaralyzer into his existing site)

- Github: https://github.com/michelcrypt4d4mus/yaralyzer
- Pypi: https://pypi.org/project/yaralyzer/
- on macOS you can also get it with #Homebrew by installing Pdfalyzer: brew install pdfalyzer

#ascii #asciiArt #blueteam #cybersecurity #detectionEngineering #DFIR #forensics #FOSS #GPL #hacking #infosec #KaliLinux #maldoc #malware #malwareAnalysis #malwareDetection #openSource #pypi #python #redteam #reverseEngineering #reversing #Threatassessment #threathunting #YARA #YARArule #YARArules

Released v1.3.3. of #Yaralyzer, my surprisingly popular tool for visualizing YARA rule matches with colors (a lot of colors).

1. --export-png images lets you export images of the analysis

2. almost all command line options (including multi argument ones like --yara-rules-dir) can be permanently set via environment variables or .yaralyzer file

3. couple of small bug fixes and debugging related command line options

You can try it on the web here: https://yaratoolkit.securitybreak.io/
(I didn't build this website, Thomas Roccia from Microsoft just integrated Yaralyzer into his existing site)

- Github: https://github.com/michelcrypt4d4mus/yaralyzer
- Pypi: https://pypi.org/project/yaralyzer/
- on macOS you can also get it with #Homebrew by installing Pdfalyzer: brew install pdfalyzer

#ascii #asciiArt #blueteam #cybersecurity #detectionEngineering #DFIR #forensics #FOSS #GPL #hacking #infosec #KaliLinux #maldoc #malware #malwareAnalysis #malwareDetection #openSource #pypi #python #redteam #reverseEngineering #reversing #Threatassessment #threathunting #YARA #YARArule #YARArules

Released v1.3.3. of #Yaralyzer, my surprisingly popular tool for visualizing YARA rule matches with colors (a lot of colors).

1. --export-png images lets you export images of the analysis

2. almost all command line options (including multi argument ones like --yara-rules-dir) can be permanently set via environment variables or .yaralyzer file

3. couple of small bug fixes and debugging related command line options

You can try it on the web here: https://yaratoolkit.securitybreak.io/
(I didn't build this website, Thomas Roccia from Microsoft just integrated Yaralyzer into his existing site)

- Github: https://github.com/michelcrypt4d4mus/yaralyzer
- Pypi: https://pypi.org/project/yaralyzer/
- on macOS you can also get it with #Homebrew by installing Pdfalyzer: brew install pdfalyzer

#ascii #asciiArt #blueteam #cybersecurity #detectionEngineering #DFIR #forensics #FOSS #GPL #hacking #infosec #KaliLinux #maldoc #malware #malwareAnalysis #malwareDetection #openSource #pypi #python #redteam #reverseEngineering #reversing #Threatassessment #threathunting #YARA #YARArule #YARArules

----------------

🛠️ Tool
===================

Opening: Blue Team Assistant is a local-first security analysis toolkit targeted at Tier 2/3 SOC analysts, incident responders, and threat hunters. The project aggregates threat intelligence, professional malware analysis capabilities, and optional local LLM support via Ollama to enable AI-assisted investigations without cloud dependency.

Key features:
• Multi-source threat intelligence: Integrates 20+ feeds including VirusTotal, Shodan, AbuseIPDB, and AlienVault OTX for enrichment and context.
• Malware and file analysis: PE/ELF/Mach‑O parsing, entropy analysis, string extraction and YARA scanning to identify suspicious characteristics.
• Email forensics: Header parsing, attachment extraction, phishing detection and URL chain analysis for email-based investigations.
• Detection rule generation: Automated output generation for YARA, Sigma, KQL, and Snort/Suricata formats to support detection and hunting pipelines.
• Reporting and scoring: Interactive HTML reports with MITRE ATT&CK mapping and a production-grade composite scoring model with confidence levels.
• Local LLM integration: Ollama support for offline AI analysis; cloud LLM providers are optional but not required.

Technical implementation:
• Architecture model: CLI component (soc_agent), MCP server mode, and a Python API layer that orchestrates an extensible tools layer for lookups and offline analyzers.
• Operational model: Asynchronous multi-source queries enable faster parallel enrichment; rule generation pipelines translate analysis outputs to multiple detection formats.

Use cases:
• Triage and enrichment of suspicious artifacts during IR workflows.
• Threat hunting using aggregated TI and generated Sigma/KQL rules.
• Malware analysts producing YARA rules and contextualized reports mapped to MITRE ATT&CK.

Limitations and considerations:
• Ollama or similar local LLM infrastructure is required to use the AI-assisted features; offline operation depends on the local model’s capability and resources.
• No cloud requirement is enforced, but some optional modules reference external feeds that may require API keys or access privileges.

References:
• Project indicates MIT license and current version 1.0.0.

🔹 tool #yara #sigma #ollama #mitre

🔗 Source: https://github.com/ugurrates/Blue-Team-Assistant

🛠️ Tool
===================

Opening:
Loki-RS is a Rust-based rewrite of the original Loki scanner that consolidates YARA rule matching and IOC detection into a single high-performance, multi-threaded binary. The project is published as Beta and emphasizes speed, concurrency, and multiple output formats for forensic ingestion.

Key Features:
• YARA scanning of files and process memory with the Core YARA Forge rule set as the default detection surface.
• IOC matching covering cryptographic hashes (MD5, SHA1, SHA256), filename patterns and C2 indicators drawn from the signature-base collection.
• Concurrency model permitting configurable thread counts for parallel scanning and CPU-bound tuning.
• Archive handling with ZIP inspection to reach nested artifacts.
• Operational tooling including an interactive TUI for real-time stats and controls, HTML report generation, and JSONL output for SIEM/log pipeline ingestion.
• Remote logging via syslog over UDP/TCP, with both SYSLOG and JSON formats supported.

Technical Implementation:
• The codebase leverages Rust for memory safety and performance; multi-threaded scanning suggests internal worker queues and file/process enumeration that avoid scanning virtual filesystems by default (/proc, /sys).
• Signature management integrates signature-base for IOCs and YARA Forge for rule sets; the Core rule set is chosen for accuracy and low false positives, while Extended/Full sets are available for swap-in.
• Output pathways include structured JSONL for ingestion pipelines and HTML for human-readable reporting; remote sinks support syslog framing in both traditional SYSLOG and JSON payload modes.

Use Cases:
• Forensic triage on endpoints and mounts where quick identification of known artifacts (hashes, filenames, C2 indicators) is needed.
• Bulk filesystem scans across images or mounted volumes with multi-threaded throughput requirements.
• Integration with logging/monitoring stacks via JSONL or syslog exports.

Limitations & Considerations:
• Project is Beta: features and signatures remain under active development.
• Signature freshness depends on external sources; operational users should plan for regular signature updates.
• Default smart filtering skips virtual filesystems and mounted drives; scanning network/cloud mounts requires explicit configuration.

References:
• Detection content: signature-base (IOCs) and YARA Forge (YARA rules).

🔹 tool #rust #yara #ioctools #forensics

🔗 Source: https://github.com/Neo23x0/Loki-RS

🛠️ Tool
===================

Opening:
Loki-RS is a Rust-based rewrite of the original Loki scanner that consolidates YARA rule matching and IOC detection into a single high-performance, multi-threaded binary. The project is published as Beta and emphasizes speed, concurrency, and multiple output formats for forensic ingestion.

Key Features:
• YARA scanning of files and process memory with the Core YARA Forge rule set as the default detection surface.
• IOC matching covering cryptographic hashes (MD5, SHA1, SHA256), filename patterns and C2 indicators drawn from the signature-base collection.
• Concurrency model permitting configurable thread counts for parallel scanning and CPU-bound tuning.
• Archive handling with ZIP inspection to reach nested artifacts.
• Operational tooling including an interactive TUI for real-time stats and controls, HTML report generation, and JSONL output for SIEM/log pipeline ingestion.
• Remote logging via syslog over UDP/TCP, with both SYSLOG and JSON formats supported.

Technical Implementation:
• The codebase leverages Rust for memory safety and performance; multi-threaded scanning suggests internal worker queues and file/process enumeration that avoid scanning virtual filesystems by default (/proc, /sys).
• Signature management integrates signature-base for IOCs and YARA Forge for rule sets; the Core rule set is chosen for accuracy and low false positives, while Extended/Full sets are available for swap-in.
• Output pathways include structured JSONL for ingestion pipelines and HTML for human-readable reporting; remote sinks support syslog framing in both traditional SYSLOG and JSON payload modes.

Use Cases:
• Forensic triage on endpoints and mounts where quick identification of known artifacts (hashes, filenames, C2 indicators) is needed.
• Bulk filesystem scans across images or mounted volumes with multi-threaded throughput requirements.
• Integration with logging/monitoring stacks via JSONL or syslog exports.

Limitations & Considerations:
• Project is Beta: features and signatures remain under active development.
• Signature freshness depends on external sources; operational users should plan for regular signature updates.
• Default smart filtering skips virtual filesystems and mounted drives; scanning network/cloud mounts requires explicit configuration.

References:
• Detection content: signature-base (IOCs) and YARA Forge (YARA rules).

🔹 tool #rust #yara #ioctools #forensics

🔗 Source: https://github.com/Neo23x0/Loki-RS