216.73.216.233

Indicator (IOC)

yara AlienVault · Published 27/04/2026 16:41 · Modified 27/04/2026 16:41

Essential information

Value / Name
G_Backdoor_SNOWBASIN_1
Confidence
100/100
Revoked
No
Valid from
24/04/2026 10:50
Valid until
08/02/2027 21:00
Pattern type
yara
Published
27/04/2026 16:41
Modified
27/04/2026 16:41
Author / Source
AlienVault

Description

G_Backdoor_SNOWBASIN_1

Pattern

rule G_Backdoor_SNOWBASIN_1 {
  meta:
    author = "Google Threat Intelligence Group (GTIG)"
    platform = "Windows"

  strings:
    $path1 = "self.path == '/probe':"
    $path2 = "self.path == '/stream':"
    $path3 = "self.path == '/buffer':"
    $path4 = "self.path == '/flush':"
    $path5 = "self.path == '/commit':"
    $path6 = "self.path == '/capture':"
    $path7 = "self.path == '/gc':"

    $func1 = "self.handle_stream("
    $func2 = "self.handle_buffer("
    $func3 = "self.handle_flush("
    $func4 = "self.handle_commit("

    $s1 = "self.wfile.write(info_msg"
    $s2 = "selected_port), WebServerHandler) as httpd:"
    $s3 = "ThreadedTCPServer(socketserver.ThreadingMixIn"
    $s4 = "httpd.serve_forever()"
  condition:
    filesize<1MB and (
      (all of ($s*) and 6 of ($path*, $func*)) or
      (8 of ($path*, $func*)) or
      10 of them
    )
}

Labels / Tags

Labels: brickstorm browser extension cloud infrastructure abuse microsoft teams phishing snowbasin snowbelt snowglaze social engineering

Marking (TLP)

TLP:CLEAR