  • Stars: 265
  • Rank: 154,577 (Top 4 %)
  • Language: YARA
  • Created: about 10 years ago
  • Updated: about 4 years ago


Repository Details

Citizen Lab Malware Reports

malware-indicators

This repository includes all malware indicators that were found during the course of Citizen Lab investigations. Each directory corresponds to a single Citizen Lab report as seen below.

Reports

Directory | Report | Published
--- | --- | ---
202006_DarkBasin | Dark Basin: Uncovering a Massive Hack-For-Hire Operation | June 9, 2020
201909_MissingLink | MISSING LINK: Tibetan Groups Targeted with Mobile Exploits | Sept 24, 2019
201905_EndlessMayfly | Burned After Reading: Endless Mayfly's Ephemeral Disinformation Campaign | May 14, 2019
201810_TheKingdomCameToCanada | The Kingdom Came to Canada: How Saudi-Linked Digital Espionage Reached Canadian Soil | Oct 1, 2018
201808_FamiliarFeeling | Familiar Feeling: A Malware Campaign Targeting the Tibetan Diaspora Resurfaces | Aug 8, 2018
201803_BadTraffic | Bad Traffic: Sandvine's PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads? | Mar 8, 2018
201801_SpyingOnABudget | Spying on a Budget: Inside a Phishing Operation with Targets in the Tibetan Community | Jan 30, 2018
201712_Cyberbit | Champing at the Cyberbit: Ethiopian Dissidents Targeted with New Commercial Spyware | Dec 6, 2017
201707_InsiderInfo | Insider Information: An intrusion campaign targeting Chinese language news sites | Jul 5, 2017
201706_RecklessRedux | Reckless Redux: Senior Mexican Legislators and Politicians Targeted with NSO Spyware | Jun 29, 2017
201706_RecklessExploit | Reckless Exploit: Mexican Journalists, Lawyers, and a Child Targeted with NSO Spyware | Jun 19, 2017
201705_TaintedLeaks | Tainted Leaks: Disinformation and Phishing With a Russian Nexus | May 25, 2017
201702_NilePhish | Nile Phish: Large-Scale Phishing Campaign Targeting Egyptian Civil Society | Feb 2, 2017
201611_KeyBoy | It's Parliamentary: KeyBoy and the targeting of the Tibetan Community | Nov 11, 2016
201608_NSO_Group | The Million Dollar Dissident: NSO Group's iPhone Zero-Days used against a UAE Human Rights Defender | Aug 24, 2016
201608_Group5 | Group5: Syria and the Iranian Connection | Aug 2, 2016
201605_Stealth_Falcon | Keep Calm and (Don't) Enable Macros: A New Threat Actor Targets UAE Dissidents | May 29, 2016
201604_UP007_SLServer | Between Hong Kong and Burma: Tracking UP007 and SLServer Espionage Campaigns | Apr 18, 2016
201603_Shifting_Tactics | Shifting Tactics: Tracking changes in years-long espionage campaign against Tibetans | Mar 10, 2016
201512_PackRAT | Packrat: Seven Years of a South American Threat Actor | Dec 8, 2015
201510_NGO_Burma | Targeted Malware Attacks against NGO Linked to Attacks on Burmese Government Websites | Oct 16, 2015
201411_Communities@Risk | Communities @ Risk: Targeted Digital Threats Against Civil Society | Nov 11, 2014

YARA signatures are not kept in this repository; they live in the separate Citizen Lab malware-signatures repository (listed under More Repositories below).

Formats

The indicators are provided in the following formats.

  • CSV - plain-text comma-separated values with the following columns:
    • uuid - a unique identifier for the indicator.
    • event_id - a number identifying the event (report) the indicator belongs to.
    • category - the broad category of the indicator (e.g. network activity, payload).
    • type - the indicator type (e.g. ip-dst, domain, url).
    • comment - free-text comment or annotation.
    • to_ids - whether the indicator is suitable for loading into an IDS.
    • date - the date on which the indicator was added.
  • MISP JSON - structured format used by the Malware Information Sharing Platform (MISP).
  • OpenIOC - an open framework for sharing threat intelligence.
  • STIX XML - format used by the STIX project.
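As an added example (not code from the malware-indicators repository), the snippet below parses a CSV file in the layout described above, keeps only rows flagged to_ids, deduplicates indicator values that recur across events, and renders the domain and ip-dst entries as Suricata rules. It assumes the file also carries a value column holding the indicator itself, which the column list above does not mention; the sample rows, UUIDs and indicator values are constructed placeholders from reserved documentation ranges, not indicators from any report.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the CSV layout described above. The "value" column
# (the indicator itself) is an assumption: the column list on the page omits it.
# All values are placeholders (RFC 2606 / RFC 5737 reserved names and addresses).
SAMPLE_CSV = """uuid,event_id,category,type,value,comment,to_ids,date
11111111-1111-4111-8111-111111111111,42,Network activity,domain,example.invalid,C2 domain (placeholder),1,2016-08-24
22222222-2222-4222-8222-222222222222,42,Network activity,ip-dst,192.0.2.10,C2 address (placeholder),1,2016-08-24
33333333-3333-4333-8333-333333333333,42,Payload delivery,md5,00000000000000000000000000000000,dropper hash (placeholder),1,2016-08-24
44444444-4444-4444-8444-444444444444,42,Network activity,url,http://example.invalid/login,lure page (placeholder),0,2016-08-25
55555555-5555-4555-8555-555555555555,43,Network activity,domain,example.invalid,seen again in a later event,1,2017-02-02
"""

REQUIRED_COLUMNS = {"uuid", "event_id", "category", "type", "value", "comment", "to_ids", "date"}


def parse_indicators(csv_text):
    """Parse the CSV text into a list of dicts, normalising to_ids to a bool and event_id to int."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = REQUIRED_COLUMNS - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"missing columns: {sorted(missing)}")
    rows = []
    for row in reader:
        row["to_ids"] = row["to_ids"].strip().lower() in {"1", "true", "yes"}
        row["event_id"] = int(row["event_id"])
        rows.append(row)
    return rows


def ids_blocklist(rows):
    """Group to_ids indicators by type; a set drops values that recur across events."""
    grouped = defaultdict(set)
    for row in rows:
        if row["to_ids"]:
            grouped[row["type"]].add(row["value"])
    return {t: sorted(v) for t, v in grouped.items()}


def to_suricata_rules(blocklist, sid_start=9000000):
    """Render domain and ip-dst entries as Suricata rules; other types (hashes, urls)
    need different tooling and are intentionally left out here."""
    rules = []
    sid = sid_start
    for name in blocklist.get("domain", []):
        rules.append(
            f'alert dns any any -> any any (msg:"Citizen Lab indicator domain {name}"; '
            f'dns.query; content:"{name}"; nocase; sid:{sid}; rev:1;)'
        )
        sid += 1
    for addr in blocklist.get("ip-dst", []):
        rules.append(
            f'alert ip any any -> {addr} any (msg:"Citizen Lab indicator ip-dst {addr}"; '
            f'sid:{sid}; rev:1;)'
        )
        sid += 1
    return rules


if __name__ == "__main__":
    rows = parse_indicators(SAMPLE_CSV)
    blocklist = ids_blocklist(rows)
    for indicator_type, values in blocklist.items():
        print(f"{indicator_type}: {len(values)} indicator(s)")
    for rule in to_suricata_rules(blocklist):
        print(rule)
```

The url row is excluded because its to_ids flag is 0, and the domain that appears in two events is emitted once; the sid range is an arbitrary local choice and should be adjusted to whatever range your ruleset reserves for custom rules.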

License

All data is provided under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license (CC BY-NC-SA 4.0); the full license text and a human-readable summary are available from Creative Commons.

More Repositories

  • chat-censorship (Lua, 642 stars) - Data related to the investigation of realtime censorship
  • test-lists (Python, 450 stars) - URL testing lists intended for discovering website censorship
  • malware-signatures (Vim Script, 133 stars) - Yara rules for malware families seen as part of targeted threats project
  • web-censorship (HTML, 40 stars) - Collection of data about URL filtering in various countries
  • wechat-security-report (TypeScript, 37 stars)
  • spyware-scan (Ruby, 36 stars)
  • ami (PHP, 29 stars) - AMI is a web application that helps people to create legal requests for copies of their personal information from data operators.
  • blockpages (HTML, 26 stars) - Collection of censorship blockpages as collected by various sources
  • badtraffic (Python, 23 stars) - Supporting data for BAD TRAFFIC Citizen Lab report.
  • vuln-disclosures (22 stars) - This repository contains information related to vulnerability disclosures done by the Citizen Lab.
  • tiktok-report-data (JavaScript, 22 stars)
  • wechat-report-data (JavaScript, 21 stars)
  • bluecoat-investigations (18 stars) - Investigation data from two reports around the Blue Coat networking kit.
  • ami-frontend (CSS, 12 stars) - Access My Info Frontend
  • censored-keyword-isolation (Python, 10 stars) - Algorithms for determining keyword combinations used to filter text
  • filtering-annotations (HTML, 9 stars) - A collection of text patterns related to filtering infrastructure
  • planetnetsweeper (6 stars) - Supporting data for Citizen Lab Planet Netsweeper Report
  • endless_mayfly (6 stars) - Dataset for the report "Burned After Reading: Endless Mayfly's Ephemeral Disinformation Campaign"
  • reports (4 stars) - A mirror of various Citizen Lab research reports in PDF
  • alg-policing-foi-records (3 stars) - A collection of records and letters from freedom of information requests submitted to various federal and provincial departments, and municipal police services in Canada.
  • ami-community (JavaScript, 1 star)
  • not-ok-on-vk-data (1 star) - Data release associated with the "Not OK On VK" report.
  • ami-docker (PHP, 1 star) - Dockerfiles for AMI
  • lgbtiq-report-data (1 star)