IOK Rules: malware

Rhadamanthys C2 Panel 26461dbb

Detects the `Rhadamanthys` stealer C2 panel page. For some reason this stealer decides to explicitly state that the page is for the Rhadamanthys stealer panel

Amadey C2 Panel afb0c86a

Detects the `Amadey` botnet C2 panel page. Uses the fact that the assets are delimited using a backslash instead of the normal forward slash.

ImBetter C2 Panel 1f52021a

Detects the `ImBetter` stealer C2 panel page. Using the SVG data we can confidentially detect the SVG element that is used for the login page logo.

MysticStealer C2 Panel 88b6ef2f

Detects the `Mystic` stealer C2 panel page. As the page likes to broadcast the fact that it is a Mystic Stealer C2 page in the title.

Gomorrah C2 Panel 9bead31e

Detects the `Gomorrah` stealer C2 panel page. For some reason this stealer decides to explicitly state that the page is for the Gomorrah stealer panel

BbyStealer Dropper Website aeed70a

Detects a BbyStealer dropper website. BbyStealer is a JavaScript-based information stealer created by a threat actor called 'brunxkd'. It usually comes packed as an executable (standalone or in an archive) on fake video game websites (which this rule should detect), these URLs are spread by users of this stealer (or compromised accounts) via Discord messages asking victims to 'test' their game for them, as they masquerade as a 'game developer'.

Lokibot C2 Panel b5463607

Detects the `Lokibot` stealer C2 panel page. Uses a combination of various unique characteristics of the page design to detect it.

BbyStealer Family Dropper Website 7019ae4

Detects a BbyStealer family dropper website. BbyStealer is a JavaScript-based information stealer created by a threat actor called 'brunxkd'. It usually comes packed as an executable (standalone or in an archive) on fake video game websites (which this rule should detect), these URLs are spread by users of this stealer (or compromised accounts) via Discord messages asking victims to 'test' their game for them, as they masquerade as a 'game developer'. There are several other info-stealers that use the same C2 domain as BbyStealer currently they are: - Doenerium (JavaScript) - TargetPlay (Python)