├── .gitignore ├── IOCs ├── .gitkeep ├── Atlantida.txt ├── BlackBasta_SocialEngineering_IOCs.txt ├── BlackHunt.txt ├── Kimsuky_IOCs.txt ├── Kimsuky_Phishing_Payload_Tactics_IOCs.txt ├── LodaRat │ ├── Full Capablity List.txt │ ├── IOC's.txt │ └── lodarat_string_decryptor.py ├── blacksuit_socialengineering │ ├── 2025-06-10_iocs.txt │ ├── bbchat1.txt │ └── bbchat_call_script.txt └── nsis-abuse-srdi-winos4 │ ├── api_res.py │ └── iocs.txt ├── LICENSE.md ├── Malware Config Extractors ├── IDAT_Loader_extractor.py ├── clean_extract.py └── goofyloader.py ├── README.md ├── Sigma ├── CVE-2023-22527.yml ├── .gitkeep ├── CVE-2024-0204.yml ├── CVE-2024-3400.yml ├── log_uri_CVE_2024_27198.yml ├── oWNCLoud_CVE_2023_49103.yml └── path_traversal_attacks_CVE_2024_27199.yml ├── Vql ├── CVE-2024-3400.yaml ├── CVE-2024-37085.yaml ├── Cleo_CVE_2024_50623.yaml ├── ClickFix.yaml ├── Sharepoint_CVE_2024_38094.yaml ├── TomcatCVE.yaml ├── VelociraptorInception.yaml ├── XZ.yaml └── release │ ├── Rapid7LabsVQL.zip │ └── build_zip.sh ├── Yara ├── .gitkeep ├── 100DaysOfYara_2024 │ ├── Hunt_RussianStringsinPE.yar │ ├── MAL_AgentTesla_Jan24.yar │ ├── MAL_NanoCore_Jan24.yar │ ├── MAL_QuasarRAT_Jan24.yar │ ├── MAL_Ransom_BlackHunt.yar │ ├── MAL_Socks5Systemz_Jan24.yar │ ├── MAL_Stealer_Atlantida.yar │ └── hktl_bruteratel_c4.yar ├── blacklava.yar ├── goofyloader.yar └── mal_rat_VenomRAT.yar └── cortex.yaml /.gitignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/.gitignore -------------------------------------------------------------------------------- /IOCs/.gitkeep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /IOCs/Atlantida.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/IOCs/Atlantida.txt -------------------------------------------------------------------------------- /IOCs/BlackBasta_SocialEngineering_IOCs.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/IOCs/BlackBasta_SocialEngineering_IOCs.txt -------------------------------------------------------------------------------- /IOCs/BlackHunt.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/IOCs/BlackHunt.txt -------------------------------------------------------------------------------- /IOCs/Kimsuky_IOCs.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/IOCs/Kimsuky_IOCs.txt -------------------------------------------------------------------------------- /IOCs/Kimsuky_Phishing_Payload_Tactics_IOCs.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/IOCs/Kimsuky_Phishing_Payload_Tactics_IOCs.txt -------------------------------------------------------------------------------- /IOCs/LodaRat/Full Capablity List.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/IOCs/LodaRat/Full Capablity List.txt -------------------------------------------------------------------------------- /IOCs/LodaRat/IOC's.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/IOCs/LodaRat/IOC's.txt -------------------------------------------------------------------------------- /IOCs/LodaRat/lodarat_string_decryptor.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/IOCs/LodaRat/lodarat_string_decryptor.py -------------------------------------------------------------------------------- /IOCs/blacksuit_socialengineering/2025-06-10_iocs.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/IOCs/blacksuit_socialengineering/2025-06-10_iocs.txt -------------------------------------------------------------------------------- /IOCs/blacksuit_socialengineering/bbchat1.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/IOCs/blacksuit_socialengineering/bbchat1.txt -------------------------------------------------------------------------------- /IOCs/blacksuit_socialengineering/bbchat_call_script.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/IOCs/blacksuit_socialengineering/bbchat_call_script.txt -------------------------------------------------------------------------------- /IOCs/nsis-abuse-srdi-winos4/api_res.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/IOCs/nsis-abuse-srdi-winos4/api_res.py -------------------------------------------------------------------------------- /IOCs/nsis-abuse-srdi-winos4/iocs.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/IOCs/nsis-abuse-srdi-winos4/iocs.txt -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/LICENSE.md -------------------------------------------------------------------------------- /Malware Config Extractors/IDAT_Loader_extractor.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/Malware Config Extractors/IDAT_Loader_extractor.py -------------------------------------------------------------------------------- /Malware Config Extractors/clean_extract.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/Malware Config Extractors/clean_extract.py -------------------------------------------------------------------------------- /Malware Config Extractors/goofyloader.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/Malware Config Extractors/goofyloader.py -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/README.md -------------------------------------------------------------------------------- /Sigma/ CVE-2023-22527.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/Sigma/ CVE-2023-22527.yml -------------------------------------------------------------------------------- /Sigma/.gitkeep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Sigma/CVE-2024-0204.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/Sigma/CVE-2024-0204.yml -------------------------------------------------------------------------------- /Sigma/CVE-2024-3400.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/Sigma/CVE-2024-3400.yml -------------------------------------------------------------------------------- /Sigma/log_uri_CVE_2024_27198.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/Sigma/log_uri_CVE_2024_27198.yml -------------------------------------------------------------------------------- /Sigma/oWNCLoud_CVE_2023_49103.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/Sigma/oWNCLoud_CVE_2023_49103.yml -------------------------------------------------------------------------------- /Sigma/path_traversal_attacks_CVE_2024_27199.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/Sigma/path_traversal_attacks_CVE_2024_27199.yml -------------------------------------------------------------------------------- /Vql/CVE-2024-3400.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/Vql/CVE-2024-3400.yaml -------------------------------------------------------------------------------- /Vql/CVE-2024-37085.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/Vql/CVE-2024-37085.yaml -------------------------------------------------------------------------------- /Vql/Cleo_CVE_2024_50623.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/Vql/Cleo_CVE_2024_50623.yaml -------------------------------------------------------------------------------- /Vql/ClickFix.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/Vql/ClickFix.yaml -------------------------------------------------------------------------------- /Vql/Sharepoint_CVE_2024_38094.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/Vql/Sharepoint_CVE_2024_38094.yaml -------------------------------------------------------------------------------- /Vql/TomcatCVE.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/Vql/TomcatCVE.yaml -------------------------------------------------------------------------------- /Vql/VelociraptorInception.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/Vql/VelociraptorInception.yaml -------------------------------------------------------------------------------- /Vql/XZ.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/Vql/XZ.yaml -------------------------------------------------------------------------------- /Vql/release/Rapid7LabsVQL.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/Vql/release/Rapid7LabsVQL.zip -------------------------------------------------------------------------------- /Vql/release/build_zip.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/Vql/release/build_zip.sh -------------------------------------------------------------------------------- /Yara/.gitkeep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Yara/100DaysOfYara_2024/Hunt_RussianStringsinPE.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/Yara/100DaysOfYara_2024/Hunt_RussianStringsinPE.yar -------------------------------------------------------------------------------- /Yara/100DaysOfYara_2024/MAL_AgentTesla_Jan24.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/Yara/100DaysOfYara_2024/MAL_AgentTesla_Jan24.yar -------------------------------------------------------------------------------- /Yara/100DaysOfYara_2024/MAL_NanoCore_Jan24.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/Yara/100DaysOfYara_2024/MAL_NanoCore_Jan24.yar -------------------------------------------------------------------------------- /Yara/100DaysOfYara_2024/MAL_QuasarRAT_Jan24.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/Yara/100DaysOfYara_2024/MAL_QuasarRAT_Jan24.yar -------------------------------------------------------------------------------- /Yara/100DaysOfYara_2024/MAL_Ransom_BlackHunt.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/Yara/100DaysOfYara_2024/MAL_Ransom_BlackHunt.yar -------------------------------------------------------------------------------- /Yara/100DaysOfYara_2024/MAL_Socks5Systemz_Jan24.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/Yara/100DaysOfYara_2024/MAL_Socks5Systemz_Jan24.yar -------------------------------------------------------------------------------- /Yara/100DaysOfYara_2024/MAL_Stealer_Atlantida.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/Yara/100DaysOfYara_2024/MAL_Stealer_Atlantida.yar -------------------------------------------------------------------------------- /Yara/100DaysOfYara_2024/hktl_bruteratel_c4.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/Yara/100DaysOfYara_2024/hktl_bruteratel_c4.yar -------------------------------------------------------------------------------- /Yara/blacklava.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/Yara/blacklava.yar -------------------------------------------------------------------------------- /Yara/goofyloader.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/Yara/goofyloader.yar -------------------------------------------------------------------------------- /Yara/mal_rat_VenomRAT.yar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/Yara/mal_rat_VenomRAT.yar -------------------------------------------------------------------------------- /cortex.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rapid7/Rapid7-Labs/HEAD/cortex.yaml --------------------------------------------------------------------------------