72 matches found

Packet Storm News
added 2026/05/26 12:00 a.m., 9 views

Anonymous YARA Rules Are Not Anonymous

YARA rules are widely shared across threat intelligence communities to enable collective defence against malware. This practice implicitly assumes that removing metadata (e.g., author fields) sufficiently protects the identity of contributing organisations. To assess the validity of this assumption...

AI score: 5.8
Exploits: 0
Packet Storm News
added 2026/05/20 12:00 a.m., 4 views

A Large Language Model Approach to Generating Bypass Rules for Malware Evasion in Analysis Sandbox

Sandbox evasion remains a critical challenge for automated malware analysis, as modern malware employs environment checks to detect analysis platforms and suppress malicious behavior. Existing approaches rely on manually crafted bypass rules that require deep reverse engineering of each evasion...

AI score: 6
Exploits: 0
Packet Storm News
added 2026/04/29 12:00 a.m., 8 views

Static Attribution of Android Residential Proxy Malware Using Graph Kernels

Android residential proxy applications represent a growing class of potentially unwanted programs (PUPs) that covertly route third-party traffic through end-user devices, enabling ad fraud, credential abuse, and evasion of geolocation controls by sophisticated threat actors. Attributing an unknown...

AI score: 5.8
Exploits: 0
Packet Storm News
added 2026/04/22 12:00 a.m., 4 views

TLSCheck 2.0: An Enhanced Memory Forensics Approach to Efficiently Detect TLS Callbacks

Memory analysis is a crucial technique in digital forensics that enables investigators to examine the runtime state of a system through physical memory dumps. While significant advances have been made in memory forensics, the detection and analysis of Thread Local Storage (TLS) callbacks remain...

AI score: 5.9
Exploits: 0
GithubExploit
added 2026/03/16 5:11 p.m., 141 views

Exploit for Race Condition in Canonical Ubuntu_Linux

Dillu-Analyzer 🛡️ Dillu Analyzer — A web-based universal malwa...

CVSS: 9.3, AI score: 5.8, EPSS: 0.94354
Exploits: 129
OSSF Malicious Packages
added 2026/03/12 6:09 p.m., 6 views

Malicious code in spectral-corsair-my-backdoor (npm)

Malicious package detected. Suspicious preinstall script exfiltrates data to a remote server. Multiple YARA rules and LLM analysis confirm. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0826a28f7948e68cdddd6260a01c3653a7f04deb2c9368054243ed47713ee353 The packa...

AI score: 5.8
Exploits: 0, References: 3
OSV
added 2026/03/12 6:09 p.m., 2 views

MAL-2026-1374 Malicious code in spectral-corsair-my-backdoor (npm)

Malicious package detected. Suspicious preinstall script exfiltrates data to a remote server. Multiple YARA rules and LLM analysis confirm. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0826a28f7948e68cdddd6260a01c3653a7f04deb2c9368054243ed47713ee353 The packa...

AI score: 5.8
Exploits: 0, References: 3
EUVD
added 2026/02/28 2:50 a.m., 4 views

EUVD-2026-9078

malcontent: Nested archive extraction failure can drop content from scan inputs...

CVSS: 6.9, AI score: 5.9, EPSS: 0.00036
Exploits: 0, References: 4
CVE
added 2026/02/27 9:28 p.m., 9 views

CVE-2026-28407

CVE-2026-28407 affects malcontent (software for supply-chain analysis). Prior to version 1.21.0, it could drop or discard nested archives that failed to extract, potentially omitting content from scans. The root cause is the removal of nested archives during processing. Version 1.21.0 fixes the i...

CVSS: 6.9, AI score: 5.9, EPSS: 0.00036
Exploits: 0, References: 3, Affected Software: 1
OSV
added 2026/02/27 9:28 p.m., 4 views

CVE-2026-28407 malcontent's nested archive extraction failure can drop content from scan inputs

malcontent is software for discovering supply-chain compromises through context, differential analysis, and YARA. Prior to version 1.21.0, malcontent would remove nested archives which failed to extract, which could potentially leave malicious content. A better approach is to preserve these archiv...

CVSS: 6.9, AI score: 5.9, EPSS: 0.00036
Exploits: 0, References: 5
Positive Technologies
added 2026/02/27 12:00 a.m., 4 views

PT-2026-22408

Name of the Vulnerable Software and Affected Versions: malcontent versions prior to 1.21.0. Description: malcontent is software designed for identifying supply-chain compromises using context, differential analysis, and YARA. Before version 1.21.0, the software removed nested archives that failed to...

CVSS: 9.9, AI score: 5.9, EPSS: 0.07313
Exploits: 68, References: 141
CISA
added 2025/12/19 12:00 p.m., 8 views

CISA and Partners Release Update to Malware Analysis Report: BRICKSTORM Backdoor

Today, the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency, and Canadian Centre for Cyber Security released an update to the Malware Analysis Report: BRICKSTORM Backdoor with indicators of compromise (IOCs) and detection signatures for additional BRICKSTORM samples...

AI score: 6.9
Exploits: 0, References: 2
OSV
added 2025/11/22 12:19 p.m., 2 views

MAL-2025-190621 Malicious code in @eagleview/ev-mapviewer-interactions (npm)

Package is malware. It exfiltrates sensitive info, executes arbitrary code during install, and matches multiple YARA rules. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e2d7da79dc7cea55b1c51c17952322ec30f3d03000a7b075252e9f74084a7a06 The package...

AI score: 7.4
Exploits: 0, References: 1
OSSF Malicious Packages
added 2025/11/22 12:19 p.m., 4 views

Malicious code in @eagleview/ev-mapviewer-interactions (npm)

Package is malware. It exfiltrates sensitive info, executes arbitrary code during install, and matches multiple YARA rules. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e2d7da79dc7cea55b1c51c17952322ec30f3d03000a7b075252e9f74084a7a06 The package...

AI score: 7.5
Exploits: 0, References: 1
CISA
added 2025/09/18 12:00 p.m., 6 views

CISA Releases Malware Analysis Report on Malicious Listener Targeting Ivanti Endpoint Manager Mobile Systems

Today, CISA released a Malware Analysis Report detailing the functionality of two sets of malware obtained from an organization compromised by cyber threat actors exploiting CVE-2025-4427 and CVE-2025-4428 in Ivanti Endpoint Manager Mobile (Ivanti EPMM). The Malware...

CVSS: 8.8, AI score: 8.6, EPSS: 0.40984
Exploits: 10, References: 3
Gitee
added 2025/09/13 4:36 a.m., 98 views

security-analytics

This repository is a community-driven set of security analytics for auditing cloud usage and detecting threats to data & workloads in Google Cloud. It provides a list of sample security analytics for auditing cloud usage and detecting threats, which may assist detection engineers, threat hunters,...

AI score: 7.3
Exploits: 0
Gitee
added 2025/09/13 4:36 a.m., 75 views

threat-detection-as-code

This repository is a community-driven set of security analytics for auditing cloud usage and detecting threats to data & workloads in Google Cloud. It provides a list of sample security analytics for auditing cloud usage and for detecting threats to your data & workloads in Google Cloud. The...

AI score: 7.4
Exploits: 0
Packet Storm News
added 2025/04/23 12:00 a.m., 3 views

Automatically Generating Rules of Malicious Software Packages Via Large Language Model

Today's security tools predominantly rely on predefined rules crafted by experts, making them poorly adapted to the emergence of software supply chain attacks. To tackle this limitation, we propose a novel tool, RuleLLM, which leverages large language models (LLMs) to automate rule generation for O...

AI score: 7
Exploits: 0
GithubExploit
added 2025/01/27 2:03 p.m., 75 views

synacktiv-rules

synacktiv-rules Public repository of Sigma and YARA/YARA-X ru...

AI score: 6.8
Exploits: 0
Wiz blog
added 2024/07/31 2:13 p.m., 15 views

Introducing pattern-based agentless malware detection using YARA rules

Wiz is expanding our existing detection capabilities to include pattern-based malware detection using YARA rules written by the Wiz Research team...

AI score: 7.2
Exploits: 0