Indicator (IOC)
Essential information
- Value / Name
af43ba807e14047fdcd92519016c0e53e0f124fd- Confidence
- 100/100
- Revoked
- Yes
- Valid from
- 15/01/2024 11:55
- Valid until
- 19/04/2025 12:55
- Pattern type
- yara
- Published
- 20/12/2025 19:41
- Modified
- 21/12/2025 02:17
- Author / Source
- AlienVault
Description
This rule detects unique strings in ZIPLINE, a passive ELF backdoor that waits for incoming TCP connections to receive commands from the threat actor.
Pattern
rule M_Hunting_Backdoor_ZIPLINE_1 {
meta:
author = "Mandiant"
description = "This rule detects unique strings in ZIPLINE, a passive ELF backdoor that waits for incoming TCP connections to receive commands from the threat actor."
strings:
$s1 = "SSH-2.0-OpenSSH_0.3xx" ascii
$s2 = "$(exec $installer $@)" ascii
$t1 = "./installer/do-install" ascii
$t2 = "./installer/bom_files/" ascii
$t3 = "/tmp/data/root/etc/ld.so.preload" ascii
$t4 = "/tmp/data/root/home/etc/manifest/exclusion_list" ascii
condition:
uint32(0) == 0x464c457f and
filesize < 5MB and
((1 of ($s*)) or
(3 of ($t*)))
}
Labels / Tags
Marking (TLP)
TLP:CLEAR
Related entities
No linked attack reports or intrusion sets yet.