6 changes: 5 additions & 1 deletion iocs/c2-iocs.txt
Expand Up @@ -1908,4 +1908,8 @@ repocket.com
181.214.147.164;65
192.119.99.42;65

# Last Line
# DAEMON Tools Lite supplychain comrpomise https://securelist.com/tr/daemon-tools-backdoor/119654/
env-check.daemontools.cc
38.180.107.76

# Last Line
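Review bot: The two new indicators `env-check.daemontools.cc` and `38.180.107.76` carry no `;score` suffix, while the neighbouring entries in this hunk (`181.214.147.164;65`, `192.119.99.42;65`) do; if the loader assigns a default score when the field is absent that is fine, otherwise append an explicit score, e.g. `38.180.107.76;85`, to match the 85 used for the same campaign in filename-iocs.txt. The new section comment also misspells the campaign keyword; it should read `# DAEMON Tools Lite supplychain compromise https://securelist.com/tr/daemon-tools-backdoor/119654/`. The same typo appears in the filename-iocs.txt hunk of this commit.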
12 changes: 11 additions & 1 deletion iocs/filename-iocs.txt
Expand Up @@ -4557,7 +4557,17 @@ C:\\perflogs\\RunSchedulerTaskOnce\.ps1;85
\\AppData\\Roaming\\ProShow\\load$;75
\\AppData\\Roaming\\ProShow\\ProShow\.exe;75
\\AppData\\Roaming\\Adobe\\Scripts\\alien\.ini;75
\\AppData\\Roaming\\Adobe\\Scripts\\script.exe;75
\\AppData\\Roaming\\Adobe\\Scripts\\script\.exe;75
\\libtcc\.dll;60

# DAEMON Tools Lite supplychain comrpomise https://securelist.com/tr/daemon-tools-backdoor/119654/
C:\\Temp\\crypto\.dll;85
C:\\Windows\\Temp\\envchk\.exe;85
\\AppData\\Roaming\\Microsoft\\mcrypto\.dat;85
C:\\Windows\\Temp\\cdg\.exe;85
C:\\Windows\\Temp\\cdg\.tmp;85
C:\\Windows\\Temp\\imp\.tmp;85
C:\\Windows\\Temp\\piyu\.exe;85
C:\\ProgramData\\Microsoft\\mcrypto\.chiper;85

# End
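Review bot: `C:\\Temp\\crypto\.dll;85` and `\\AppData\\Roaming\\Microsoft\\mcrypto\.dat;85` are short, generic-looking paths scored the same 85 as the more specific `C:\\Windows\\Temp\\envchk\.exe;85`; if these names are only taken from the referenced report rather than observed to be unique to the campaign, consider a lower score or a trailing comment noting the provenance so an analyst can judge a hit. The hunk also corrects the unescaped dot in `\\AppData\\Roaming\\Adobe\\Scripts\\script\.exe;75`, which is good, but `mcrypto\.chiper` on the last new entry reads like a misspelling of "cipher"; it is worth confirming against the reference that this is the literal on-disk name before it ships.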
21 changes: 21 additions & 0 deletions iocs/hash-iocs.txt
Expand Up @@ -3355,3 +3355,24 @@ aa9f5ed1eede9aac6d07b0ba13b73185838b159006fa83ed45657d7f333a0efe;ScreenConnect E
cf265a3a3dd068d0aa0c70248cd6325d;perfctl IOCs https://www.aquasec.com/blog/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers/
da006a0b9b51d56fa3f9690cf204b99f;perfctl IOCs https://www.aquasec.com/blog/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers/
ba120e9c7f8896d9148ad37f02b0e3cb;perfctl IOCs https://www.aquasec.com/blog/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers/

9ccd769624de98eeeb12714ff1707ec4f5bf196d;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
50d47adb6dd45215c7cb4c68bae28b129ca09645;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
0c1d3da9c7a651ba40b40e12d48ebd32b3f31820;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
28b72576d67ae21d9587d782942628ea46dcc870;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
46b90bf370e60d61075d3472828fdc0b85ab0492;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
6325179f442e5b1a716580cd70dea644ac9ecd18;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
bd8fbb5e6842df8683163adbd6a36136164eac58;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
15ed5c3384e12fe4314ad6edbd1dcccf5ac1ee29;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
524d2d92909eef80c406e87a0fc37d7bb4dadc14;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
427f1728682ebc7ffe3300fef67d0e3cb6b62948;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
8e7eb0f5ac60dd3b4a9474d2544348c3bda48045;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
00e2df8f42d14072e4385e500d4669ec783aa517;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
aea55e42c4436236278e5692d3dcbcbe5fe6ce0b;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
0456e2f5f56ec8ed16078941248e7cbba9f1c8eb;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
9a09ad7b7e9ff7a465aa1150541e231189911afb;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
8d435918d304fc38d54b104a13f2e33e8e598c82;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
64462f751788f529c1eb09023b26a47792ecdc54;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
2d4eb55b01f59c62c6de9aacba9b47267d398fe4;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
9dbfc23ebf36b3c0b56d2f93116abb32656c42e4;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
295ce86226b933e7262c2ce4b36bdd6c389aaaef;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
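Review bot: The SHA-256 values cited in the new YARA file's `hash` meta fields (`a916e561…`, `12edcaaf…`, `0066ed9b…`, `d2a5c9cb…`, `5d581534…`, `395ec7ac…`) are not among the 20 SHA-1 entries added here, although this file already holds SHA-256 and MD5 entries (see the `aa9f5ed1…` line in the hunk context); adding them keeps hash-based and YARA-based detection for the same campaign in agreement. The new block is also introduced only by a blank line, with no header naming the campaign the way the other two IOC files in this commit do; if the file format permits comment lines, a one-line `# DAEMON Tools Lite supplychain compromise https://securelist.com/tr/daemon-tools-backdoor/119654/` above the block would help readers.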
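--- a/yara/threat_compromised_daemon_tools_lite_may26.yar
+++ b/yara/threat_compromised_daemon_tools_lite_may26.yar
@@ -0,0 +1,88 @@
+rule MAL_Information_Collector_May26 {
+meta:
+description = "Detects reconaissance payload used in the DAEMON Tools supplychain compromise. The tools collects detailed information about the infected system like hardware, installed software, running processes etc. all data is exfilled to an attacker controlled server."
+author = "MalGamy, Jonathan Peters (cod3nym)"
+date = "2026-05-05"
+reference = "https://securelist.com/tr/daemon-tools-backdoor/119654/"
+hash = "a916e56121212613d17932e124b68752c9312e73bde8f2351054bd64394257df"
+score = 80
+strings:
+$x1 = ": InfoCollector.exe <" wide
+
+$s1 = "CollectInstalledSoftwareSemicolon" ascii
+$s2 = "GetRc4KeyFromUrl" ascii
+$s3 = "InfoGatherer" ascii
+
+$op1 = { 09 7E ?? ?? ?? 04 28 ?? ?? ?? 0A 28 ?? ?? ?? 0A 13 ?? 11 ?? 16 36 3A 11 ?? 1E 35 ?? 1E 8D ?? ?? ?? 01 13 ?? 09 7E ?? ?? ?? 04 28 ?? ?? ?? 0A 11 ?? 16 11 ?? 28 ?? ?? ?? 0A }
+$op2 = { 02 73 ?? ?? ?? 0A 6F ?? ?? ?? 0A 0A 06 2D ?? 72 ?? ?? ?? 70 0B DE ?? 06 6F ?? ?? ?? 0A 0A 06 72 ?? ?? ?? 70 7E ?? ?? ?? 0A 6F ?? ?? ?? 0A 0A 06 6F ?? ?? ?? 0A 2D ?? 72 ?? ?? ?? 70 0B DE ?? 06 0B DE }
+condition:
+uint16(0) == 0x5a4d
+and filesize < 50KB
+and (
+$x1
+or all of ($op*)
+or all of ($s*)
+)
+}
+
+rule MAL_DAEMON_Tools_Lite_Compromised_May26 {
+meta:
+description = "Detects compromised DAEMON Tools Lite versions deployed in a supplychain compromise campaign affected versions include: 12.5.0.2421 up to 12.5.0.2434 The infected binaries drop Quic RAT and various custom data exfiltration payloads."
+author = "Jonathan Peters (cod3nym)"
+date = "2026-05-05"
+reference = "https://securelist.com/tr/daemon-tools-backdoor/119654/"
+hash = "12edcaafab7703d0819b1395f45c35e3083dd83fb8b128292cb11033453fb6e8"
+hash = "0066ed9b9de2b8e251f7bcf73edcb549218179398cf90124a221958fedce6212"
+hash = "d2a5c9cbb73849cc0667987c33a9bf3822718e1528faef005f1628de3348ffb0"
+score = 80
+strings:
+$sa1 = { 31 03 35 55 e4 c4 32 2d a9 e0 b3 81 6d 14 38 4e } // certificate serial number
+$sa2 = "AVB Disc Soft, SIA" ascii
+$sa3 = "DAEMON Tools Lite" ascii wide
+
+$re = /12\.5\.0\.24(21|22|23|24|25|26|27|28|29|30|31|33|34)/ ascii wide
+condition:
+uint16(0) == 0x5a4d
+and all of ($sa*)
+and $re
+}
+
+rule MAL_Backdoor_May26 {
+meta:
+description = "Detects a backdoor smuggled into signed DAEMON Tools binaries via supply-chain compromise, receives encrypted commands over HTTPS to execute arbitrary shell commands and drop files on victim hosts."
+author = "MalGamy"
+date = "2026-05-05"
+reference = "https://securelist.com/tr/daemon-tools-backdoor/119654/"
+hash = "5d581534b48d09855ac045aaf9b196ca26396a6c08616213f9f9afc656849c2f"
+score = 80
+strings:
+$op1 = { 48 8D 8D ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? F3 0F 7F 7D ?? C7 45 ?? ?? ?? ?? ?? F3 0F 7F 75 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 66 C7 45 ?? ?? ?? C6 45 ?? ?? FF 15 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 48 8D 95 }
+$op2 = { 4D 8D 40 ?? 99 41 FF C1 41 F7 FB 48 63 C2 0F B6 8C 05 ?? ?? ?? ?? 41 30 48 ?? 49 83 EA }
+condition:
+all of them
+}
+
+rule MAL_Minimalistic_Backdoor_May26 {
+meta:
+description = "Detects minimalistic backdoor deployment where a shellcode loader downloads an encrypted payload and executes it in memory after RC4 decryption using a command-line provided key"
+author = "MalGamy"
+date = "2026-05-05"
+reference = "https://securelist.com/tr/daemon-tools-backdoor/119654/"
+hash = "395ec7acd475a8acd358adc75c4615cf41737aed8a96c4f2dd792c8a6af4140c"
+score = 80
+strings:
+$x1 = "Note: if multiple processes load the DLL," wide
+$x2 = "Inject (shellcode file is RC4 ciphertext; key is a UTF-8 string" wide
+
+$s1 = "Error: VirtualAllocEx failed, Win" wide
+$s2 = "Try running as administrator; " wide
+$s3 = ", shellcode size: " wide
+$s4 = "input file path cannot be empty." wide
+condition:
+uint16(0) == 0x5a4d
+and filesize < 50KB
+and (
+1 of ($x*)
+or all of ($s*)
+)
+}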
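Review bot: The version regex in MAL_DAEMON_Tools_Lite_Compromised_May26, `$re = /12\.5\.0\.24(21|22|23|24|25|26|27|28|29|30|31|33|34)/ ascii wide`, skips build 2432 while the rule's description states the affected range as 12.5.0.2421 up to 12.5.0.2434; if 2432 is deliberately excluded, say so next to the string, e.g. `// 12.5.0.2432 intentionally not listed: <reason from reference>`, otherwise the alternation should include `32`. MAL_Backdoor_May26 uses a bare `all of them` condition with no `uint16(0) == 0x5a4d` or filesize guard, unlike the three sibling rules; if the referenced sample is a PE, the same guard would cut scan cost and reduce chance hits on unrelated files. The first rule's description also has typos worth fixing before release: `reconaissance` → `reconnaissance` and `The tools collects` → `The tool collects`.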