Indicator (IOC)

yara · Revoked · AlienVault · Published 21/12/2025 04:18 · Modified 21/12/2025 04:18

Essential information

Value / Name
apt_malware_py_upstyle
Confidence
100/100
Revoked
Yes
Valid from
15/04/2024 09:24
Valid until
19/07/2025 09:24
Pattern type
yara
Published
21/12/2025 04:18
Modified
21/12/2025 04:18
Author / Source
AlienVault

Description

apt_malware_py_upstyle: Detect the UPSTYLE webshell.

Pattern

rule apt_malware_py_upstyle : UTA0218
{
    meta:
        author = "[email protected]"
        date = "2024-04-11"
        description = "Detect the UPSTYLE webshell."
        hash1 = "3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac"
        hash2 = "0d59d7bddac6c22230187ef6cf7fa22bca93759edc6f9127c41dc28a2cea19d8"
        hash3 = "4dd4bd027f060f325bf6a90d01bfcf4e7751a3775ad0246beacc6eb2bad5ec6f"
        os = "linux"
        os_arch = "all"
        report = "TIB-20240412"
        scan_context = "file,memory"
        last_modified = "2024-04-12T13:05Z"
        license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"
        rule_id = 10429
        version = 2

    strings:
        $stage1_str1 = "/opt/pancfg/mgmt/licenses/PA_VM"
        $stage1_str2 = "exec(base64."

        $stage2_str1 = "signal.signal(signal.SIGTERM,stop)"
        $stage2_str2 = "exec(base64."

        $stage3_str1 = "write(\"/*\"+output+\"*/\")"
        $stage3_str2 = "SHELL_PATTERN"

    condition:
        all of ($stage1*) or
        all of ($stage2*) or
        all of ($stage3*)
}

Labels / Tags

Labels: credential theft, cve-2024-3400, firewall, gost, lateral movement, rce, upstyle, zero-day

Marking (TLP)

TLP:CLEAR