
Indicator (IOC)

yara Revoked AlienVault · Published 20/12/2025 19:35 · Modified 20/12/2025 21:56

Essential information

Value / Name: 08bc22f3d5e4470a748b1fb9e792392214adedfc
Confidence: 100/100
Revoked: Yes
Valid from: 16/08/2022 11:21
Valid until: 19/11/2023 10:21
Pattern type: yara
Published: 20/12/2025 19:35
Modified: 20/12/2025 21:56
Author / Source: AlienVault

Description

Detects LuckyMouse RShell Mach-O implant

Pattern

rule apt_LuckyMouse_RShell_strings {
    meta:
        id = "89f18013-ea3e-440f-821e-cef102a43b7b"
        version = "1.0"
        malware = "RShell"
        intrusion_set = "LuckyMouse"
        description = "Detects LuckyMouse RShell Mach-O implant"
        source = "SEKOIA"
        creation_date = "2022-08-05"
        classification = "TLP:GREEN"
    strings:
        // NUL-separated command-name table: "dir\0path\0down\0read\0upload\0write\0del"
        $ = { 64 69 72 00 70 61 74 68
              00 64 6F 77 6E 00 72 65
              61 64 00 75 70 6C 6F 61
              64 00 77 72 69 74 65 00
              64 65 6C }
        // NUL-separated field-name table: "login\0hostname\0lan\0username\0version"
        $ = { 6C 6F 67 69 6E 00 68 6F
              73 74 6E 61 6D 65 00 6C
              61 6E 00 75 73 65 72 6E
              61 6D 65 00 76 65 72 73
              69 6F 6E }
    condition:
        // 64-bit Mach-O magic (0xFEEDFACF) as stored on disk, read big-endian: CF FA ED FE
        uint32be(0) == 0xCFFAEDFE and
        filesize < 300KB and
        all of them
}

Labels / Tags

Labels: electron app hyperbro luckymouse macos rshell

Marking (TLP)

TLP:CLEAR

Related entities

No linked attack reports or intrusion sets yet.