Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.



Citizen Lab Malware Reports
https://github.com/citizenlab/malware-indicators

ioc malware-research technical-indicators


README

        

malware-indicators
==================

This repository includes all malware indicators that were found during the course of [Citizen Lab](https://citizenlab.org) investigations. Each directory corresponds to a single Citizen Lab report as seen below.

# Reports

| Directory | Link | Published |
|-----------|------|-----------|
| [202006_DarkBasin](https://github.com/citizenlab/malware-indicators/tree/master/202006_DarkBasin) | [Dark Basin: Uncovering a Massive Hack-For-Hire Operation](https://citizenlab.ca/2020/06/dark-basin-uncovering-a-massive-hack-for-hire-operation/) | June 9, 2020 |
| [201909_MissingLink](https://github.com/citizenlab/malware-indicators/tree/master/201909_MissingLink) | [MISSING LINK: Tibetan Groups Targeted with Mobile Exploits](https://citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits) | Sept 24, 2019 |
| [201905_EndlessMayfly](https://github.com/citizenlab/malware-indicators/tree/master/201905_EndlessMayfly) | [Burned After Reading: Endless Mayfly’s Ephemeral Disinformation Campaign](https://citizenlab.ca/2019/05/burned-after-reading-endless-mayflys-ephemeral-disinformation-campaign) | May 14, 2019 |
| [201810_TheKingdomCameToCanada](https://github.com/citizenlab/malware-indicators/tree/master/201810_TheKingdomCameToCanada) | [The Kingdom Came to Canada: How Saudi-Linked Digital Espionage Reached Canadian Soil](https://citizenlab.ca/2018/10/the-kingdom-came-to-canada-how-saudi-linked-digital-espionage-reached-canadian-soil/) | Oct 1, 2018 |
| [201808_FamiliarFeeling](https://github.com/citizenlab/malware-indicators/tree/master/201808_FamiliarFeeling) | [Familiar Feeling: A Malware Campaign Targeting the Tibetan Diaspora Resurfaces](https://citizenlab.ca/2018/08/familiar-feeling-a-malware-campaign-targeting-the-tibetan-diaspora-resurfaces) | Aug 8, 2018 |
| [201803_BadTraffic](https://github.com/citizenlab/malware-indicators/tree/master/201803_BadTraffic) | [Bad Traffic: Sandvine’s PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads?](https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria) | Mar 8, 2018 |
| [201801_SpyingOnABudget](https://github.com/citizenlab/malware-indicators/tree/master/201801_SpyingOnABudget) | [Spying on a Budget: Inside a Phishing Operation with Targets in the Tibetan Community](https://citizenlab.ca/2018/01/spying-on-a-budget-inside-a-phishing-operation-with-targets-in-the-tibetan-community) | Jan 30, 2018 |
| [201712_Cyberbit](https://github.com/citizenlab/malware-indicators/tree/master/201712_Cyberbit) | [Champing at the Cyberbit: Ethiopian Dissidents Targeted with New Commercial Spyware](https://citizenlab.ca/2017/12/champing-cyberbit-ethiopian-dissidents-targeted-commercial-spyware/) | Dec 6, 2017 |
| [201707_InsiderInfo](https://github.com/citizenlab/malware-indicators/tree/master/201707_InsiderInfo) | [Insider Information: An intrusion campaign targeting Chinese language news sites](https://citizenlab.org/2017/07/insider-information-an-intrusion-campaign-targeting-chinese-language-news-sites/) | Jul 5, 2017 |
| [201706_RecklessRedux](https://github.com/citizenlab/malware-indicators/tree/master/201706_RecklessRedux) | [Reckless Redux: Senior Mexican Legislators and Politicians Targeted with NSO Spyware](https://citizenlab.org/2017/06/more-mexican-nso-targets/) | Jun 29, 2017 |
| [201706_RecklessExploit](https://github.com/citizenlab/malware-indicators/tree/master/201706_RecklessExploit) | [Reckless Exploit: Mexican Journalists, Lawyers, and a Child Targeted with NSO Spyware](https://citizenlab.org/2017/06/reckless-exploit-mexico-nso/) | Jun 19, 2017 |
| [201705_TaintedLeaks](https://github.com/citizenlab/malware-indicators/tree/master/201705_TaintedLeaks) | [Tainted Leaks: Disinformation and Phishing With a Russian Nexus](https://citizenlab.org/2017/05/tainted-leaks-disinformation-phish/) | May 25, 2017 |
| [201702_NilePhish](https://github.com/citizenlab/malware-indicators/tree/master/201702_NilePhish) | [Nile Phish: Large-Scale Phishing Campaign Targeting Egyptian Civil Society](https://citizenlab.org/2017/02/nilephish-report/) | Feb 2, 2017 |
| [201611_KeyBoy](https://github.com/citizenlab/malware-indicators/tree/master/201611_KeyBoy) | [It’s Parliamentary: KeyBoy and the targeting of the Tibetan Community](https://citizenlab.org/2016/11/parliament-keyboy/) | Nov 11, 2016 |
| [201608_NSO_Group](https://github.com/citizenlab/malware-indicators/tree/master/201608_NSO_Group) | [The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender](https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/) | Aug 24, 2016 |
| [201608_Group5](https://github.com/citizenlab/malware-indicators/tree/master/201608_Group5) | [Group5: Syria and the Iranian Connection](https://citizenlab.org/2016/08/group5-syria/) | Aug 2, 2016 |
| [201605_Stealth_Falcon](https://github.com/citizenlab/malware-indicators/tree/master/201605_Stealth_Falcon) | [Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents](https://citizenlab.org/2016/05/stealth-falcon/) | May 29, 2016 |
| [201604_UP007_SLServer](https://github.com/citizenlab/malware-indicators/tree/master/201604_UP007_SLServer) | [Between Hong Kong and Burma: Tracking UP007 and SLServer Espionage Campaigns](https://citizenlab.org/2016/04/between-hong-kong-and-burma/) | Apr 18, 2016 |
| [201603_Shifting_Tactics](https://github.com/citizenlab/malware-indicators/tree/master/201603_Shifting_Tactics) | [Shifting Tactics: Tracking changes in years-long espionage campaign against Tibetans](https://citizenlab.org/2016/03/shifting-tactics/) | Mar 10, 2016 |
| [201512_PackRAT](https://github.com/citizenlab/malware-indicators/tree/master/201512_PackRAT) | [Packrat: Seven Years of a South American Threat Actor](https://citizenlab.org/2015/12/packrat-report/) | Dec 8, 2015 |
| [201510_NGO_Burma](https://github.com/citizenlab/malware-indicators/tree/master/201510_NGO_Burma) | [Targeted Malware Attacks against NGO Linked to Attacks on Burmese Government Websites](https://citizenlab.org/2015/10/targeted-attacks-ngo-burma/) | Oct 16, 2015 |
| [201411_Communities@Risk](https://github.com/citizenlab/malware-indicators/tree/master/201411_Communities%40Risk) | [Communities @ Risk: Targeted Digital Threats Against Civil Society](https://targetedthreats.net) | Nov 11, 2014 |

YARA signatures for these reports are kept in the separate [malware-signatures](https://github.com/citizenlab/malware-signatures) repository.

# Formats

The indicators are provided in the following formats.

* CSV - plain-text comma-separated values with the following columns:
  * uuid - a unique identifier for the indicator.
  * event_id - a number that corresponds to the event (report) the indicator belongs to.
  * category - the broad category of the indicator (ex: network activity, payload).
  * type - the type of indicator (ex: ip-dst, domain, url).
  * comment - a free-text comment or annotation.
  * to_ids - whether this indicator is suitable for inclusion in an IDS or not.
  * date - the date when the indicator was added.
* MISP JSON - structured format used by the [Malware Information Sharing Platform](https://github.com/MISP/MISP).
* OpenIOC - format for [OpenIOC](http://www.openioc.org/), an open framework for sharing threat intelligence.
* STIX XML - format used by the [STIX project](https://stixproject.github.io/).
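As an added example of consuming the CSV format described above (this is not code from the malware-indicators repository), the script below parses indicator rows, keeps only those flagged `to_ids`, indexes them by MISP `type`, and matches them against a few log lines. It assumes the CSV also carries a `value` column holding the indicator itself, as MISP's CSV export does; the README's column list omits it. The indicator rows and log lines are constructed for the example and use reserved documentation values (`example.invalid`, `203.0.113.0/24`), not real indicators from any report.

```python
"""Load MISP-style indicator CSV rows and scan log lines for to_ids hits.

Added example, not part of the citizenlab/malware-indicators repository.
Assumption: a `value` column holds the indicator (MISP CSV export layout).
"""
import csv
import io
import re
from collections import defaultdict

# Constructed sample rows; the md5 is the hash of the empty string and is
# marked to_ids=0 to show that context-only rows are excluded from matching.
SAMPLE_CSV = """uuid,event_id,category,type,value,comment,to_ids,date
11111111-1111-4111-8111-111111111111,1,Network activity,domain,c2.example.invalid,constructed C2 domain,1,2020-01-01
22222222-2222-4222-8222-222222222222,1,Network activity,ip-dst,203.0.113.7,constructed C2 address,1,2020-01-01
33333333-3333-4333-8333-333333333333,1,Network activity,url,http://c2.example.invalid/gate.php,constructed check-in URL,1,2020-01-01
44444444-4444-4444-8444-844444444444,1,Payload delivery,md5,d41d8cd98f00b204e9800998ecf8427e,empty-file hash; context only,0,2020-01-01
"""

# Constructed log lines in a generic key=value style.
SAMPLE_LOGS = [
    "2020-01-01T10:00:00Z dns query src=10.0.0.5 qname=c2.example.invalid. qtype=A",
    "2020-01-01T10:00:01Z proxy src=10.0.0.5 dst=203.0.113.7 url=http://c2.example.invalid/gate.php",
    "2020-01-01T10:00:02Z dns query src=10.0.0.6 qname=updates.example.org qtype=A",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,63}\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def load_indicators(csv_text):
    """Parse CSV rows into dicts; normalise to_ids to a bool."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["to_ids"] = row["to_ids"].strip().lower() in ("1", "true", "yes")
        row["value"] = row["value"].strip()
        rows.append(row)
    return rows


def build_lookup(indicators, ids_only=True):
    """Index indicator values by MISP type; by default keep only to_ids rows."""
    lookup = defaultdict(set)
    for row in indicators:
        if ids_only and not row["to_ids"]:
            continue
        value = row["value"]
        if row["type"] in ("domain", "hostname"):
            # Case-insensitive, and tolerate a trailing dot from DNS logs.
            value = value.lower().rstrip(".")
        lookup[row["type"]].add(value)
    return lookup


def match_log_line(line, lookup):
    """Return sorted (type, value) pairs from `lookup` found in `line`."""
    hits = set()
    for ip in IPV4_RE.findall(line):
        for ip_type in ("ip-dst", "ip-src"):
            if ip in lookup.get(ip_type, ()):
                hits.add((ip_type, ip))
    for host in HOST_RE.findall(line):
        host = host.lower().rstrip(".")
        for host_type in ("domain", "hostname"):
            if host in lookup.get(host_type, ()):
                hits.add((host_type, host))
    for url in URL_RE.findall(line):
        if url in lookup.get("url", ()):
            hits.add(("url", url))
    return sorted(hits)


def scan_logs(lines, lookup):
    """Return [(line, hits)] for every line with at least one indicator hit."""
    results = []
    for line in lines:
        hits = match_log_line(line, lookup)
        if hits:
            results.append((line, hits))
    return results


if __name__ == "__main__":
    table = build_lookup(load_indicators(SAMPLE_CSV))
    for matched_line, matched in scan_logs(SAMPLE_LOGS, table):
        print(matched_line)
        for ind_type, value in matched:
            print(f"    {ind_type}: {value}")
```

The `to_ids` flag matters: rows with it unset are context for analysts (here, a hash that would fire on every empty file) and should not be pushed into a detection feed, which is why `build_lookup` drops them unless `ids_only=False` is passed explicitly.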

# License

All data is provided under the Creative Commons
Attribution-NonCommercial-ShareAlike 4.0 International license, available in full
[here](https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode) and summarized
[here](https://creativecommons.org/licenses/by-nc-sa/4.0/).