Indicator (IOC)

yara Revoked AlienVault · Published 20/12/2025 19:32 · Modified 20/12/2025 21:15

Essential information

Value / Name
1013a68fbb3b4f05cf2b1e642071f1c3f8e9af88
Confidence
100/100
Revoked
Yes
Valid from
02/06/2022 10:15
Valid until
05/09/2023 10:15
Pattern type
yara
Published
20/12/2025 19:32
Modified
20/12/2025 21:15
Author / Source
AlienVault

Description

No description.

Pattern

rule lyceum_dotnet_dns_backdoor
{
    meta:
        author = "CPR"
        hash1 = "8199f14502e80581000bd5b3bda250ee"
        hash2 = "d79687676d2d152aec4143c852bdbc4a"
        hash3 = "bcb465cc2257e5777bab431690ca5039"
        hash4 = "2bc2abefc1a721908bc805894b62227d"
        hash5 = "37a1514a7a5f9b2c6786096129a30721"
    strings:
        $log1 = "MSG SIZE rcvd" wide
        $log2 = "Empty output" wide
        $log3 = "Big Output. lines: " wide
        $com1 = "Enddd" wide
        $com2 = "uploaddd" wide
        $com3 = "downloaddd" wide
        $dga = "trailers.apple.com" wide
        $replace1 = "BackSlashh" wide
        $replace2 = "QuotationMarkk" wide
        $re_pattern = "60\\s+IN\\s+TXT" wide
        $func1 = "comRun"
        $func2 = "PlaceDot"
        $func3 = "sendAns"
        $heijden1 = "Heijden.DNS"
        $heijden2 = "DnsHeijden"
    condition:
        uint16(0) == 0x5a4d and (all of ($log*) or all of ($com*) or all of ($replace*) or all of ($func*) or (any of ($heijden*) and $re_pattern and $dga))
}

Labels / Tags

Labels: apt cve201711882 el machete geopolitical conflict lyceum sidewinder spear-phishing ukraine

Marking (TLP)

TLP:CLEAR