This repository includes all malware indicators that were found during the course of Citizen Lab investigations. Each directory corresponds to a single Citizen Lab report as seen below.
| Directory | Report | Published |
|---|---|---|
| 202006_DarkBasin | Dark Basin: Uncovering a Massive Hack-For-Hire Operation | June 9, 2020 |
| 201909_MissingLink | MISSING LINK: Tibetan Groups Targeted with Mobile Exploits | Sept 24, 2019 |
| 201905_EndlessMayfly | Burned After Reading: Endless Mayfly’s Ephemeral Disinformation Campaign | May 14, 2019 |
| 201810_TheKingdomCameToCanada | The Kingdom Came to Canada: How Saudi-Linked Digital Espionage Reached Canadian Soil | Oct 1, 2018 |
| 201808_FamiliarFeeling | Familiar Feeling: A Malware Campaign Targeting the Tibetan Diaspora Resurfaces | Aug 8, 2018 |
| 201803_BadTraffic | Bad Traffic: Sandvine’s PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads? | Mar 8, 2018 |
| 201801_SpyingOnABudget | Spying on a Budget: Inside a Phishing Operation with Targets in the Tibetan Community | Jan 30, 2018 |
| 201712_Cyberbit | Champing at the Cyberbit: Ethiopian Dissidents Targeted with New Commercial Spyware | Dec 6, 2017 |
| 201707_InsiderInfo | Insider Information: An intrusion campaign targeting Chinese language news sites | Jul 5, 2017 |
| 201706_RecklessRedux | Reckless Redux: Senior Mexican Legislators and Politicians Targeted with NSO Spyware | Jun 29, 2017 |
| 201706_RecklessExploit | Reckless Exploit: Mexican Journalists, Lawyers, and a Child Targeted with NSO Spyware | Jun 19, 2017 |
| 201705_TaintedLeaks | Tainted Leaks: Disinformation and Phishing With a Russian Nexus | May 25, 2017 |
| 201702_NilePhish | Nile Phish: Large-Scale Phishing Campaign Targeting Egyptian Civil Society | Feb 2, 2017 |
| 201611_KeyBoy | It’s Parliamentary: KeyBoy and the targeting of the Tibetan Community | Nov 11, 2016 |
| 201608_NSO_Group | The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender | Aug 24, 2016 |
| 201608_Group5 | Group5: Syria and the Iranian Connection | Aug 2, 2016 |
| 201605_Stealth_Falcon | Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents | May 29, 2016 |
| 201604_UP007_SLServer | Between Hong Kong and Burma: Tracking UP007 and SLServer Espionage Campaigns | Apr 18, 2016 |
| 201603_Shifting_Tactics | Shifting Tactics: Tracking changes in years-long espionage campaign against Tibetans | Mar 10, 2016 |
| 201512_PackRAT | Packrat: Seven Years of a South American Threat Actor | Dec 8, 2015 |
| 201510_NGO_Burma | Targeted Malware Attacks against NGO Linked to Attacks on Burmese Government Websites | Oct 16, 2015 |
| 201411_Communities@Risk | Communities @ Risk: Targeted Digital Threats Against Civil Society | Nov 11, 2014 |
YARA signatures can be found here

The indicators are provided in the following formats:

- CSV - plain-text comma-separated values with the following columns:
  - uuid - a unique identifier for the indicator
  - event_id - the number of the event (report) the indicator belongs to
  - category - broad category of the indicator (e.g. network activity, payload)
  - type - type of indicator (e.g. ip-dst, domain, url)
  - value - the indicator itself (the IP address, domain, URL, hash, ...)
  - comment - free-text comment or annotation
  - to_ids - whether the indicator is suitable for inclusion in an IDS ruleset or not; entries not flagged for IDS use are typically shared or legitimate infrastructure that would generate false positives if alerted on
  - date - the date when the indicator was added
- MISP JSON - structured format used by the Malware Information Sharing Platform (MISP)
- OpenIOC - format for OpenIOC, an open framework for sharing threat intelligence
- STIX XML - format defined by the STIX (Structured Threat Information eXpression) project
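As an added illustration of how a consumer would work with the CSV export (this is not code from the repository or from Citizen Lab), the script below parses rows in the column layout listed above, honours the `to_ids` flag, and turns the network indicators that are flagged for IDS use into Suricata rules. The sample rows are constructed placeholders (an RFC 2606 reserved domain, an RFC 5737 documentation address, and the MD5 of the empty string), not indicators from any report; the column order `uuid,event_id,category,type,value,comment,to_ids,date` and the `1`/`0` encoding of `to_ids` are assumed to follow MISP's CSV export, and the `dns.query` sticky buffer assumes Suricata 5 or later.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the assumed MISP CSV export layout. Values are
# placeholders only (reserved/documentation names, MD5 of ""), not real IOCs.
SAMPLE_CSV = """uuid,event_id,category,type,value,comment,to_ids,date
11111111-1111-4111-8111-111111111111,1,Network activity,domain,c2.example.invalid,constructed C2 domain,1,2016-08-24
22222222-2222-4222-8222-222222222222,1,Network activity,ip-dst,192.0.2.10,constructed C2 address,1,2016-08-24
33333333-3333-4333-8333-333333333333,1,Payload delivery,md5,d41d8cd98f00b204e9800998ecf8427e,constructed sample hash,1,2016-08-24
44444444-4444-4444-8444-444444444444,1,Network activity,domain,mail.example.invalid,shared mail provider abused by the actor; not for IDS,0,2016-08-24
"""


def load_indicators(csv_text):
    """Parse the CSV export into a list of dicts, normalising to_ids to a bool."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # MISP writes 1/0; accept the common textual spellings as well.
        row["to_ids"] = row["to_ids"].strip().lower() in ("1", "true", "yes")
        rows.append(row)
    return rows


def ids_ready(rows):
    """Group the values of indicators flagged to_ids by indicator type.

    Rows with to_ids unset are dropped here: they are annotated context
    (shared or legitimate infrastructure), not something to alert on."""
    grouped = defaultdict(list)
    for row in rows:
        if row["to_ids"]:
            grouped[row["type"]].append(row["value"])
    return dict(grouped)


def suricata_rules(rows, sid_base=9000000):
    """Emit Suricata rules for to_ids domains (DNS lookups) and destination IPs.

    Host-based types such as md5 carry no network signature and are skipped.
    The sid range is an assumption; pick one that does not collide locally."""
    rules = []
    sid = sid_base
    for row in rows:
        if not row["to_ids"]:
            continue
        # Quotes and semicolons terminate rule options; strip them from msg.
        msg = f'{row["comment"]} ({row["uuid"]})'.replace('"', "'").replace(";", ",")
        if row["type"] == "domain":
            rules.append(
                f'alert dns any any -> any any (msg:"{msg}"; dns.query; '
                f'content:"{row["value"]}"; nocase; sid:{sid}; rev:1;)'
            )
        elif row["type"] == "ip-dst":
            rules.append(
                f'alert ip any any -> {row["value"]} any (msg:"{msg}"; sid:{sid}; rev:1;)'
            )
        else:
            continue
        sid += 1
    return rules


if __name__ == "__main__":
    parsed = load_indicators(SAMPLE_CSV)
    for kind, values in ids_ready(parsed).items():
        print(kind, values)
    print("\n".join(suricata_rules(parsed)))
```

Hash-type indicators (md5, sha1, sha256) are better fed to an endpoint or mail-gateway blocklist than to a network IDS, which is why the rule generator skips them; a real deployment would also want to set `$HOME_NET` in place of `any` and bump `rev` when a rule is regenerated from a newer export.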
All data is provided under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license (CC BY-NC-SA 4.0); the full license text and a summary are available from Creative Commons.