malware-indicators
This repository includes all malware indicators that were found during the course of Citizen Lab investigations. Each directory corresponds to a single Citizen Lab report as seen below.
Reports
Directory
Link
Published
202006_DarkBasin
Dark Basin: Uncovering a Massive Hack-For-Hire Operation
June 9, 2020
201909_MissingLink
MISSING LINK: Tibetan Groups Targeted with Mobile Exploits
Sept 24, 2019
201905_EndlessMayfly
Burned After Reading: Endless Mayfly’s Ephemeral Disinformation Campaign
May 14, 2019
201810_TheKingdomCameToCanada
The Kingdom Came to Canada: How Saudi-Linked Digital Espionage Reached Canadian Soil
Oct 1, 2018
201808_FamiliarFeeling
Familiar Feeling: A Malware Campaign Targeting the Tibetan Diaspora Resurfaces
Aug 8, 2018
201803_BadTraffic
Bad Traffic: Sandvine’s PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads?
Mar 8, 2018
201801_SpyingOnABudget
Spying on a Budget: Inside a Phishing Operation with Targets in the Tibetan Community
Jan 30, 2018
201712_Cyberbit
Champing at the Cyberbit: Ethiopian Dissidents Targeted with New Commercial Spyware
Dec 6, 2017
201707_InsiderInfo
Insider Information: An intrusion campaign targeting Chinese language news sites
Jul 5, 2017
201706_RecklessRedux
Reckless Redux: Senior Mexican Legislators and Politicians Targeted with NSO Spyware
Jun 29, 2017
201706_RecklessExploit
Reckless Exploit: Mexican Journalists, Lawyers, and a Child Targeted with NSO Spyware
Jun 19, 2017
201705_TaintedLeaks
Tainted Leaks: Disinformation and Phishing With a Russian Nexus
May 25, 2017
201702_NilePhish
Nile Phish: Large-Scale Phishing Campaign Targeting Egyptian Civil Society
Feb 2, 2017
201611_KeyBoy
It’s Parliamentary: KeyBoy and the targeting of the Tibetan Community
Nov 11, 2016
201608_NSO_Group
"The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender"
Aug 24, 2016
201608_Group5
"Group5: Syria and the Iranian Connection"
Aug 2, 2016
201605_Stealth_Falcon
"Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents"
May 29, 2016
201604_UP007_SLServer
Between Hong Kong and Burma: Tracking UP007 and SLServer Espionage Campaigns
Apr 18, 2016
201603_Shifting_Tactics
Shifting Tactics: Tracking changes in years-long espionage campaign against Tibetans
Mar 10, 2016
201512_PackRAT
"Packrat: Seven Years of a South American Threat Actor"
Dec 8, 2015
201510_NGO_Burma
Targeted Malware Attacks against NGO Linked to Attacks on Burmese Government Websites
Oct 16, 2015
201411_Communities@Risk
Communities @ Risk: Targeted Digital Threats Against Civil Society .
Nov 11, 2014
Yara signatures can be found here
Formats
The indicators are provided in the following formats.
CSV - plain text comma seperated value with the following columns:
uuid - A unique identifier for the indicator.
event_id - a number that corresponds to the event.
category - type of broad category for indicator (ex: network activity, payload)
type - type of indicator (ex: ip-dst, domain, url)
comment - text comment or annotation
to_ids - whether this indicator is applicable to be included in an IDS or not
date - the data when the indicator was added.
MISP JSON - Structured format used by the Malware Information Sharing Platform
OpenIOC - Format for OpenIOC an open framework for sharing threat intelligence.
STIX XML - Format used by the STIX project
License
All data is provided under Creative Commons
Attribution-NonCommercial-ShareAlike 4.0 International and available in full
here and summarized
here