Indicator (IOC)

yara Revoked AlienVault · Published 21/12/2025 04:18 · Modified 21/12/2025 04:18

Essential information

Value / Name: susp_any_gost_arguments
Confidence: 100/100
Revoked: Yes
Valid from: 15/04/2024 09:24
Valid until: 19/07/2025 09:24
Pattern type: yara
Published: 21/12/2025 04:18
Modified: 21/12/2025 04:18
Author / Source: AlienVault

Description

susp_any_gost_arguments: Looks for common arguments passed to the hacktool GOST that are sometimes used by attackers in scripts (for example cronjobs etc).

Pattern

rule susp_any_gost_arguments
{
    meta:
        author = "[email protected]"
        date = "2024-04-10"
        description = "Looks for common arguments passed to the hacktool GOST that are sometimes used by attackers in scripts (for example cronjobs etc)."
        os = "all"
        os_arch = "all"
        report = "TIB-20240412"
        scan_context = "file"
        last_modified = "2024-04-12T13:06Z"
        license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"
        rule_id = 10425
        version = 2

    strings:
        $s1 = "-L=socks5://" ascii
        $s2 = "-L rtcp://" ascii

    condition:
        filesize < 10KB and
        any of them
}

Labels / Tags

Labels: credential theft, cve-2024-3400, firewall, gost, lateral movement, rce, upstyle, zero-day

Marking (TLP)

TLP:CLEAR