216.73.217.98

Indicator (IOC)

yara Revoked AlienVault · Published 20/12/2025 19:43 · Modified 21/12/2025 03:58

Essential information

Value / Name
M_APT_Backdoor_TAMECAT_2
Confidence
100/100
Revoked
Yes
Valid from
03/05/2024 12:24
Valid until
06/08/2025 12:24
Pattern type
yara
Published
20/12/2025 19:43
Modified
21/12/2025 03:58
Author / Source
AlienVault

Description

M_APT_Backdoor_TAMECAT_2

Pattern

rule M_APT_Backdoor_TAMECAT_2 {
	meta:
		author = "Mandiant"
		md5 = "9c5337e0b1aef2657948fd5e82bdb4c3"
		date_created = "2024-03-05"
	    date_modified = "2024-03-05"
	    rev = "1"
	strings:
		$ = "$a.CreateDecryptor($a.Key,$a.iv)"
		$ = "$CommandParts = \"\""
		$ = "$macP = $env:APPDATA+\"\\"
		$ = "$macP = \"$env:LOCALAPPDATA\\"
		$ = "$mac += Get-Content -Path $macP"
		$ = "$CommandParts =$SessionResponse.Split(\""
		$ = "[string]$CommandPart = \"\";"
		$ = "Foreach ($CommandPart in $CommandParts)"
		$ = "$CommandPart.Split(\"~\");"
		$ = "elseif($StartStop -eq \"stop\")"
		$ = "if($StartStop -eq \"start\")"
		$ = "&(gcm *ke-e*) $Command;"
	condition:
		3 of them and filesize<2MB
}

Labels / Tags

Labels: apt cve-2021-44228 cyber espionage iran nicecurl tamecat

Marking (TLP)

TLP:CLEAR