{"id":13643046,"url":"https://github.com/citizenlab/malware-indicators","last_synced_at":"2026-01-22T07:37:11.265Z","repository":{"id":23110011,"uuid":"26464355","full_name":"citizenlab/malware-indicators","owner":"citizenlab","description":"Citizen Lab Malware Reports","archived":false,"fork":false,"pushed_at":"2020-10-04T15:16:09.000Z","size":5971,"stargazers_count":266,"open_issues_count":2,"forks_count":69,"subscribers_count":55,"default_branch":"master","last_synced_at":"2024-11-24T20:51:36.041Z","etag":null,"topics":["ioc","malware-research","technical-indicators"],"latest_commit_sha":null,"homepage":"https://citizenlab.org/tag/malware/","language":"YARA","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/citizenlab.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2014-11-11T01:35:49.000Z","updated_at":"2024-11-12T03:12:22.000Z","dependencies_parsed_at":"2022-08-21T20:10:51.355Z","dependency_job_id":null,"html_url":"https://github.com/citizenlab/malware-indicators","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/citizenlab%2Fmalware-indicators","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/citizenlab%2Fmalware-indicators/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/citizenlab%2Fmalware-indicators/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/citizenlab%2Fmalware-indicators/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/citizenlab","download_url":"https://codeload.github.com
/citizenlab/malware-indicators/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249965547,"owners_count":21352925,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ioc","malware-research","technical-indicators"],"created_at":"2024-08-02T01:01:40.292Z","updated_at":"2026-01-22T07:37:11.260Z","avatar_url":"https://github.com/citizenlab.png","language":"YARA","funding_links":[],"categories":["IOCs","YARA"],"sub_categories":["Indicators"],"readme":"malware-indicators\n==================\n\nThis repository includes all malware indicators that were found during the course of [Citizen Lab](https://citizenlab.org) investigations.  
Each directory corresponds to a single Citizen Lab report as seen below.\n\n# Reports\n\n| Directory                                                                                                         | Link                                                                                                                                                                                                | Published    |\n|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|\n| [202006_DarkBasin](https://github.com/citizenlab/malware-indicators/tree/master/202006_DarkBasin) | [Dark Basin: Uncovering a Massive Hack-For-Hire Operation](https://citizenlab.ca/2020/06/dark-basin-uncovering-a-massive-hack-for-hire-operation/) | June 9, 2020 |\n| [201909_MissingLink](https://github.com/citizenlab/malware-indicators/tree/master/201909_MissingLink) | [MISSING LINK: Tibetan Groups Targeted with Mobile Exploits](https://citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits) | Sept 24, 2019 |\n| [201905_EndlessMayfly](https://github.com/citizenlab/malware-indicators/tree/master/201905_EndlessMayfly) | [Burned After Reading: Endless Mayfly’s Ephemeral Disinformation Campaign](https://citizenlab.ca/2019/05/burned-after-reading-endless-mayflys-ephemeral-disinformation-campaign) | May 14, 2019 |\n| [201810_TheKingdomCameToCanada](https://github.com/citizenlab/malware-indicators/tree/master/201810_TheKingdomCameToCanada) | [The Kingdom Came to Canada: How Saudi-Linked Digital Espionage Reached Canadian Soil](https://citizenlab.ca/2018/10/the-kingdom-came-to-canada-how-saudi-linked-digital-espionage-reached-canadian-soil/) | Oct 1, 2018 |\n| 
[201808_FamiliarFeeling](https://github.com/citizenlab/malware-indicators/tree/master/201808_FamiliarFeeling) | [Familiar Feeling: A Malware Campaign  Targeting the Tibetan Diaspora Resurfaces](https://citizenlab.ca/2018/08/familiar-feeling-a-malware-campaign-targeting-the-tibetan-diaspora-resurfaces) | Aug 8, 2018 |\n| [201803_BadTraffic](https://github.com/citizenlab/malware-indicators/tree/master/201803_BadTraffic) | [Bad Traffic: Sandvine’s PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads?](https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria) | Mar 8, 2018 |\n| [201801_SpyingOnABudget](https://github.com/citizenlab/malware-indicators/tree/master/201801_SpyingOnABudget) | [Spying on a Budget: Inside a Phishing Operation with Targets in the Tibetan Community](https://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-with-targets-in-the-tibetan-community) | Jan 30, 2018 |\n| [201712_Cyberbit](https://github.com/citizenlab/malware-indicators/tree/master/201712_Cyberbit)             | [Champing at the Cyberbit: Ethiopian Dissidents Targeted with New Commercial Spyware](https://citizenlab.ca/2017/12/champing-cyberbit-ethiopian-dissidents-targeted-commercial-spyware/) | Dec 6, 2017  |\n| [201707_InsiderInfo](https://github.com/citizenlab/malware-indicators/tree/master/201707_InsiderInfo)             | [Insider Information: An intrusion campaign targeting Chinese language news sites](https://citizenlab.org/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites/) | Jul 5, 2017  |\n| [201706_RecklessRedux](https://github.com/citizenlab/malware-indicators/tree/master/201706_RecklessRedux)         | [Reckless Redux: Senior Mexican Legislators and Politicians Targeted with NSO Spyware](https://citizenlab.org/2017/06/more-mexican-nso-targets/)                                                    | Jun 29, 
2017 |\n| [201706_RecklessExploit](https://github.com/citizenlab/malware-indicators/tree/master/201706_RecklessExploit)     | [Reckless Exploit: Mexican Journalists, Lawyers, and a Child Targeted with NSO Spyware](https://citizenlab.org/2017/06/reckless-exploit-mexico-nso/)                                                | Jun 19, 2017 |\n| [201705_TaintedLeaks](https://github.com/citizenlab/malware-indicators/tree/master/201705_TaintedLeaks)           | [Tainted Leaks: Disinformation and Phishing With a Russian Nexus](https://citizenlab.org/2017/05/tainted-leaks-disinformation-phish/)                                                               | May 25, 2017 |\n| [201702_NilePhish](https://github.com/citizenlab/malware-indicators/tree/master/201702_NilePhish)                 | [Nile Phish: Large-Scale Phishing Campaign Targeting Egyptian Civil Society](https://citizenlab.org/2017/02/nilephish-report/)                                                                      | Feb 2, 2017  |\n| [201611_KeyBoy](https://github.com/citizenlab/malware-indicators/tree/master/201611_KeyBoy)                       | [It’s Parliamentary: KeyBoy and the targeting of the Tibetan Community](https://citizenlab.org/2016/11/parliament-keyboy/)                                                                          | Nov 11, 2016 |\n| [201608_NSO_Group](https://github.com/citizenlab/malware-indicators/tree/master/201608_NSO_Group)                 | [\"The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender\"](https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/)     | Aug 24, 2016 |\n| [201608_Group5](https://github.com/citizenlab/malware-indicators/tree/master/201608_Group5)                       | [\"Group5: Syria and the Iranian Connection\"](https://citizenlab.org/2016/08/group5-syria/)                                                                                                          | Aug 2, 2016 
 |\n| [201605_Stealth_Falcon](https://github.com/citizenlab/malware-indicators/tree/master/201605_Stealth_Falcon)       | [\"Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents\"](https://citizenlab.org/2016/05/stealth-falcon/)                                                                  | May 29, 2016 |\n| [201604_UP007_SLServer](https://github.com/citizenlab/malware-indicators/tree/master/201604_UP007_SLServer)       | [Between Hong Kong and Burma: Tracking UP007 and SLServer Espionage Campaigns](https://citizenlab.org/2016/04/between-hong-kong-and-burma/)                                                         | Apr 18, 2016 |\n| [201603_Shifting_Tactics](https://github.com/citizenlab/malware-indicators/tree/master/201603_Shifting_Tactics)   | [Shifting Tactics: Tracking changes in years-long espionage campaign against Tibetans](https://citizenlab.org/2016/03/shifting-tactics/)                                                            | Mar 10, 2016 |\n| [201512_PackRAT](https://github.com/citizenlab/malware-indicators/tree/master/201512_PackRAT)                     | [\"Packrat: Seven Years of a South American Threat Actor\"](https://citizenlab.org/2015/12/packrat-report/)                                                                                           | Dec 8, 2015  |\n| [201510_NGO_Burma](https://github.com/citizenlab/malware-indicators/tree/master/201510_NGO_Burma)                 | [Targeted Malware Attacks against NGO Linked to Attacks on Burmese Government Websites](https://citizenlab.org/2015/10/targeted-attacks-ngo-burma/)                                                 | Oct 16, 2015 |\n| [201411_Communities@Risk](https://github.com/citizenlab/malware-indicators/tree/master/201411_Communities%40Risk) | [Communities @ Risk: Targeted Digital Threats Against Civil Society](https://targetedthreats.net).                                                                                                  
| Nov 11, 2014 |\n\nYARA signatures can be [found here](https://github.com/citizenlab/malware-signatures)\n\n# Formats\n\nThe indicators are provided in the following formats.\n\n* CSV - plain text comma-separated values with the following columns:\n\t* uuid - a unique identifier for the indicator.\n\t* event_id - a number that corresponds to the event.\n\t* category - broad category of the indicator (ex: network activity, payload)\n\t* type - type of indicator (ex: ip-dst, domain, url)\n\t* comment - text comment or annotation\n\t* to_ids - whether this indicator is suitable for inclusion in an IDS or not\n\t* date - the date when the indicator was added.\n* MISP JSON - Structured format used by the [Malware Information Sharing Platform](https://github.com/MISP/MISP)\n* OpenIOC - Format for [OpenIOC](http://www.openioc.org/), an open framework for sharing threat intelligence.\n* STIX XML - Format used by the [STIX project](https://stixproject.github.io/)\n\n# License\n\nAll data is provided under Creative Commons\nAttribution-NonCommercial-ShareAlike 4.0 International and available in full\n[here](https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode) and summarized\n[here](https://creativecommons.org/licenses/by-nc-sa/4.0/)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcitizenlab%2Fmalware-indicators","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcitizenlab%2Fmalware-indicators","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcitizenlab%2Fmalware-indicators/lists"}