IOK Rules: malware

Detects a BbyStealer dropper website. BbyStealer is a JavaScript-based information stealer created by a threat actor called 'brunxkd'. It usually comes packed as an executable (standalone or in an archive) on fake video game websites (which this rule should detect), these URLs are spread by users of this stealer (or compromised accounts) via Discord messages asking victims to 'test' their game for them, as they masquerade as a 'game developer'.

Detects the `Amadey` botnet C2 panel page. Uses the fact that the assets are delimited using a backslash instead of the normal forward slash.

Detects the `Lokibot` stealer C2 panel page. Uses a combination of various unique characteristics of the page design to detect it.

Detects the `Gomorrah` stealer C2 panel page. For some reason this stealer decides to explicitly state that the page is for the Gomorrah stealer panel

Detects the `Rhadamanthys` stealer C2 panel page. For some reason this stealer decides to explicitly state that the page is for the Rhadamanthys stealer panel

Detects a BbyStealer family dropper website. BbyStealer is a JavaScript-based information stealer created by a threat actor called 'brunxkd'. It usually comes packed as an executable (standalone or in an archive) on fake video game websites (which this rule should detect), these URLs are spread by users of this stealer (or compromised accounts) via Discord messages asking victims to 'test' their game for them, as they masquerade as a 'game developer'. There are several other info-stealers that use the same C2 domain as BbyStealer currently they are: - Doenerium (JavaScript) - TargetPlay (Python)

Detects the `ImBetter` stealer C2 panel page. Using the SVG data we can confidentially detect the SVG element that is used for the login page logo.

Detects the `Mystic` stealer C2 panel page. As the page likes to broadcast the fact that it is a Mystic Stealer C2 page in the title.