Skip to content

Add NightshadeC2, MonsterV2 Yara Rules #2690

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 8 commits into from
Oct 6, 2025
+45 −3
Merged

Add NightshadeC2, MonsterV2 Yara Rules #2690

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
fbaeb75
Add yara rule for NightshadeC2
YungBinary Sep 4, 2025
575f99d
Update
YungBinary Sep 4, 2025
073fad7
Address comments
YungBinary Sep 6, 2025
5b10d96
Add MonsterV2 rule
YungBinary Sep 6, 2025
d9c70ee
-L checks if the symlink exists.
YungBinary Sep 10, 2025
fd29de3
Make the directory first
YungBinary Sep 10, 2025
33c4f63
Fix patterns
YungBinary Sep 12, 2025
ca91b39
Description
YungBinary Sep 12, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 21 additions & 0 deletions data/yara/CAPE/MonsterV2.yar
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
rule MonsterV2
{
meta:
author = "doomedraven,YungBinary"
description = "MonsterV2 Payload"
cape_type = "MonsterV2 Payload"
packed = "fe69e8db634319815270aa0e55fe4b9c62ce8e62484609c3a42904fbe5bb2ab3"
strings:
$decrypt_config = {
41 B8 0E 04 00 00
48 8D 15 ?? ?? ?? 00
48 8B C?
E8 ?? ?? ?? ?? [3-17]
4C 8B C?
48 8D 54 24 28
48 8B CE
E8 ?? ?? ?? ??
}
condition:
uint16(0) == 0x5A4D and $decrypt_config
}
20 changes: 20 additions & 0 deletions data/yara/CAPE/NightshadeC2.yar
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
rule NightshadeC2
{
meta:
author = "YungBinary"
description = "NightshadeC2 AKA CastleRAT - https://x.com/YungBinary/status/1963751038340534482"
hash = "963c012d56c62093d105ab5044517fdcce4ab826f7782b3e377932da1df6896d"
cape_type = "NightshadeC2 Payload"
strings:
$s1 = "keylog.txt" fullword wide
$s2 = "\"%ws\" --mute-audio --do-not-de-elevate" fullword wide
$s3 = "\"%ws\" -no-deelevate" fullword wide
$s4 = "MachineGuid" fullword wide
$s5 = "www.ip-api.com" fullword wide
$s6 = "rundll32 \"C:\\Windows\\System32\\shell32.dll\" #61" fullword wide
$s7 = "IsabellaWine" fullword wide
$s8 = "Shell_TrayWnd" fullword wide

condition:
uint16(0) == 0x5A4D and 3 of them
}
7 changes: 4 additions & 3 deletions installer/kvm-qemu.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -918,13 +918,13 @@ function install_qemu() {
make -j"$(nproc)" install
fi
# hack for libvirt/virt-manager
if [ ! -f /usr/bin/qemu-system-x86_64-spice ]; then
if [ ! -L /usr/bin/qemu-system-x86_64-spice ]; then
ln -s /usr/bin/qemu-system-x86_64 /usr/bin/qemu-system-x86_64-spice
fi
if [ ! -f /usr/bin/kvm-spice ]; then
if [ ! -L /usr/bin/kvm-spice ]; then
ln -s /usr/bin/qemu-system-x86_64 /usr/bin/kvm-spice
fi
if [ ! -f /usr/bin/kvm ]; then
if [ ! -L /usr/bin/kvm ]; then
ln -s /usr/bin/qemu-system-x86_64 /usr/bin/kvm
fi
if [ $? -eq 0 ]; then
Expand Down Expand Up @@ -976,6 +976,7 @@ function install_seabios() {
# Windows 10(latest rev.) is uninstallable without ACPI_DSDT
# sed -i 's/CONFIG_ACPI_DSDT=y/CONFIG_ACPI_DSDT=n/g' .config
if PIP_BREAK_SYSTEM_PACKAGES=1 make -j "$(nproc)"; then
mkdir -p /usr/share/qemu
echo '[+] Replacing old bios.bin to new out/bios.bin'
bios=0
SHA256_BIOS=$(shasum -a 256 out/bios.bin|awk '{print $1}')
Expand Down
Loading