citizenlab/malware-indicators
malware-indicators

This repository includes all malware indicators that were found during the course of Citizen Lab investigations. Each directory corresponds to a single Citizen Lab report as seen below.

Reports

| Directory | Link | Published |
|---|---|---|
| 202006_DarkBasin | Dark Basin: Uncovering a Massive Hack-For-Hire Operation | June 9, 2020 |
| 201909_MissingLink | MISSING LINK: Tibetan Groups Targeted with Mobile Exploits | Sept 24, 2019 |
| 201905_EndlessMayfly | Burned After Reading: Endless Mayfly’s Ephemeral Disinformation Campaign | May 14, 2019 |
| 201810_TheKingdomCameToCanada | The Kingdom Came to Canada: How Saudi-Linked Digital Espionage Reached Canadian Soil | Oct 1, 2018 |
| 201808_FamiliarFeeling | Familiar Feeling: A Malware Campaign Targeting the Tibetan Diaspora Resurfaces | Aug 8, 2018 |
| 201803_BadTraffic | Bad Traffic: Sandvine’s PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads? | Mar 8, 2018 |
| 201801_SpyingOnABudget | Spying on a Budget: Inside a Phishing Operation with Targets in the Tibetan Community | Jan 30, 2018 |
| 201712_Cyberbit | Champing at the Cyberbit: Ethiopian Dissidents Targeted with New Commercial Spyware | Dec 6, 2017 |
| 201707_InsiderInfo | Insider Information: An intrusion campaign targeting Chinese language news sites | Jul 5, 2017 |
| 201706_RecklessRedux | Reckless Redux: Senior Mexican Legislators and Politicians Targeted with NSO Spyware | Jun 29, 2017 |
| 201706_RecklessExploit | Reckless Exploit: Mexican Journalists, Lawyers, and a Child Targeted with NSO Spyware | Jun 19, 2017 |
| 201705_TaintedLeaks | Tainted Leaks: Disinformation and Phishing With a Russian Nexus | May 25, 2017 |
| 201702_NilePhish | Nile Phish: Large-Scale Phishing Campaign Targeting Egyptian Civil Society | Feb 2, 2017 |
| 201611_KeyBoy | It’s Parliamentary: KeyBoy and the targeting of the Tibetan Community | Nov 11, 2016 |
| 201608_NSO_Group | The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender | Aug 24, 2016 |
| 201608_Group5 | Group5: Syria and the Iranian Connection | Aug 2, 2016 |
| 201605_Stealth_Falcon | Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents | May 29, 2016 |
| 201604_UP007_SLServer | Between Hong Kong and Burma: Tracking UP007 and SLServer Espionage Campaigns | Apr 18, 2016 |
| 201603_Shifting_Tactics | Shifting Tactics: Tracking changes in years-long espionage campaign against Tibetans | Mar 10, 2016 |
| 201512_PackRAT | Packrat: Seven Years of a South American Threat Actor | Dec 8, 2015 |
| 201510_NGO_Burma | Targeted Malware Attacks against NGO Linked to Attacks on Burmese Government Websites | Oct 16, 2015 |
| 201411_Communities@Risk | Communities @ Risk: Targeted Digital Threats Against Civil Society | Nov 11, 2014 |

Yara signatures can be found here

Formats

The indicators are provided in the following formats.

  • CSV - plain text comma-separated values with the following columns:
    • uuid - a unique identifier for the indicator.
    • event_id - a number that identifies the event the indicator belongs to.
    • category - the broad category of the indicator (e.g. network activity, payload).
    • type - the type of indicator (e.g. ip-dst, domain, url).
    • comment - a text comment or annotation.
    • to_ids - whether the indicator is suitable for inclusion in an IDS.
    • date - the date when the indicator was added.
  • MISP JSON - structured format used by the Malware Information Sharing Platform.
  • OpenIOC - OpenIOC, an open framework for sharing threat intelligence.
  • STIX XML - format used by the STIX project.
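As an added example of consuming the CSV format described above (this is not code from the repository), the following Python loads rows by column name, normalizes the to_ids flag, keeps only the IDS-suitable entries grouped by indicator type, and checks a log line against them. It assumes one extra column, value, holding the indicator itself; the README's column list does not name it, so that is an assumption. All sample rows are constructed placeholders (an RFC 5737 address, a reserved .invalid domain, a zeroed hash), not indicators from any report.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Column names from the README's CSV description, plus "value", which this
# example assumes carries the indicator itself (an assumption; the README's
# list does not name that column).
EXPECTED_COLUMNS = {
    "uuid", "event_id", "category", "type", "value", "comment", "to_ids", "date",
}

# Constructed sample rows. The values are documentation placeholders
# (RFC 5737 address, reserved .invalid domain, zeroed hash), not real IoCs.
SAMPLE_CSV = """uuid,event_id,category,type,value,comment,to_ids,date
11111111-1111-4111-8111-111111111111,1,Network activity,domain,c2.example.invalid,placeholder C2 domain,1,2016-11-10
22222222-2222-4222-8222-222222222222,1,Network activity,ip-dst,192.0.2.10,placeholder address,1,2016-11-10
33333333-3333-4333-8333-333333333333,1,Payload delivery,md5,00000000000000000000000000000000,placeholder hash,0,2016-11-10
44444444-4444-4444-8444-444444444444,2,Network activity,url,http://c2.example.invalid/beacon,placeholder URL,True,2017-05-25
"""


def parse_to_ids(raw):
    """Interpret the to_ids flag; exports may write it as 0/1 or True/False."""
    return raw.strip().lower() in {"1", "true", "yes"}


def load_indicators(csv_text):
    """Parse CSV text into a list of dicts, validating the header and dates."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = EXPECTED_COLUMNS - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"missing columns: {sorted(missing)}")
    rows = []
    for row in reader:
        row["to_ids"] = parse_to_ids(row["to_ids"])
        row["date"] = date.fromisoformat(row["date"])  # rejects malformed dates
        rows.append(row)
    return rows


def ids_indicators_by_type(rows):
    """Keep only rows flagged to_ids and group their values by indicator type."""
    grouped = defaultdict(list)
    for row in rows:
        if row["to_ids"]:
            grouped[row["type"]].append(row["value"])
    return dict(grouped)


def match_log_line(grouped, line):
    """Return (type, value) pairs from the IDS-suitable set found in a log line."""
    hits = []
    for ioc_type, values in grouped.items():
        for value in values:
            if value in line:
                hits.append((ioc_type, value))
    return hits


if __name__ == "__main__":
    rows = load_indicators(SAMPLE_CSV)
    grouped = ids_indicators_by_type(rows)
    print(grouped)
    # Constructed proxy log line for demonstration.
    print(match_log_line(grouped, "GET http://c2.example.invalid/beacon from 10.0.0.5"))
```

Rows with to_ids unset (the md5 row above) are parsed but excluded from matching, which mirrors the README's intent for that flag: such entries are context for analysts rather than detection rules. Substring matching is deliberately simple; a production loader would anchor domain and IP matches on field boundaries to avoid false positives on longer names.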

License

All data is provided under Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International and available in full here and summarized here