diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..6475b15
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,17 @@
+# Detection Rule License (DRL) 1.1
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this rule set and associated documentation files (the "Rules"), to deal in the Rules without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Rules, and to permit persons to whom the Rules are furnished to do so, subject to the following conditions:
+
+If you share the Rules (including in modified form), you must retain the following if it is supplied within the Rules:
+
+1. identification of the authors(s) ("author" field) of the Rule and any others designated to receive attribution, in any reasonable manner requested by the Rule author (including by pseudonym if designated).
+
+2. a URI or hyperlink to the Rule set or explicit Rule to the extent reasonably practicable
+
+3. indicate the Rules are licensed under this Detection Rule License, and include the text of, or the URI or hyperlink to, this Detection Rule License to the extent reasonably practicable
+
+If you use the Rules (including in modified form) on data, messages based on matches with the Rules must retain the following if it is supplied within the Rules:
+
+1. identification of the authors(s) ("author" field) of the Rule and any others designated to receive attribution, in any reasonable manner requested by the Rule author (including by pseudonym if designated).
+
+THE RULES ARE PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE RULES OR THE USE OR OTHER DEALINGS IN THE RULES.
\ No newline at end of file
diff --git a/yara_rules/apt37_rokrat_macho.yar b/yara_rules/apt37_rokrat_macho.yar
new file mode 100644
index 0000000..71f591e
--- /dev/null
+++ b/yara_rules/apt37_rokrat_macho.yar
@@ -0,0 +1,22 @@
+rule apt37_rokrat_macho {
+    meta:
+        id = "c54fb9ae-85fa-4c36-bab9-6c6d989262ba"
+        version = "1.0"
+        description = "Detects Public key of Macho samples of RokRAT"
+        author = "Sekoia.io"
+        creation_date = "2022-09-29"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = { 4D 49 49 42 49 6A 41 4E 42 67 6B 71 68 6B 69 47 39 77 30 42 41 51 45 46 41 41 4F 43 41 51 38 41 4D 49 49 42 43 67 4B 43 41 51 45 41 73 47 52 59 53 45 56 76 77 6D 66 42 46 4E 42 6A 4F 7A 2B 51}
+        $s2 = {70 61 78 35 72 7A 57 66 2F 4C 54 2F 79 46 55 51 41 31 7A 72 41 31 6E 6A 6A 79 49 48 72 7A 70 68 67 63 39 74 67 47 48 73 2F 37 74 73 57 70 38 65 35 64 4C 6B 41 59 73 56 47 68 57 41 50 73 6A 79}
+        $s3 = {31 67 78 30 64 72 62 64 4D 6A 6C 54 62 42 59 54 79 45 67 35 50 67 79 2F 35 4D 73 45 4E 44 64 6E 73 43 52 57 72 32 33 5A 61 4F 45 4C 76 48 48 56 56 38 43 4D 43 38 46 75 34 57 62 61 7A 38 30 4C}
+        $s4 = {47 68 67 38 69 73 56 50 45 48 43 38 48 2F 79 47 74 6A 48 50 59 46 56 65 36 6C 77 56 72 2F 4D 58 6F 4B 63 70 78 31 33 53 31 4B 38 6E 6D 44 51 4E 41 68 4D 70 54 31 61 4C 61 47 2F 36 51 69 6A 68}
+        $s5 = {57 34 50 2F 52 46 51 71 2B 46 64 69 61 33 66 46 65 68 50 67 35 44 74 59 44 39 30 72 53 33 73 64 46 4B 6D 6A 39 4E 36 4D 4F 30 2F 57 41 56 64 5A 7A 47 75 45 58 44 35 33 4C 48 7A 39 65 5A 77 52}
+        $s6 = {39 59 38 37 38 36 6E 56 44 72 6C 6D 61 35 59 43 4B 70 71 55 5A 35 63 34 36 77 57 33 67 59 57 69 33 73 59 2B 56 53 33 62 32 46 64 41 4B 43 4A 68 54 66 43 79 38 32 41 55 47 71 50 53 56 66 4C 61}
+        $s7 = {6D 51 49 44 41 51 41 42}
+        
+    condition:
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_37_chinotto.yar b/yara_rules/apt_37_chinotto.yar
new file mode 100644
index 0000000..33ff211
--- /dev/null
+++ b/yara_rules/apt_37_chinotto.yar
@@ -0,0 +1,51 @@
+rule apt_37_chinotto {
+    meta:
+        id = "eff8fd11-dc7a-4011-b083-181d0cca8790"
+        version = "1.0"
+        description = "Detects obfuscation and string of APT37 stealer"
+        author = "Sekoia.io"
+        creation_date = "2023-02-27"
+        classification = "TLP:CLEAR"
+        hash1 = "feab7940559392bbf38f29267509340569160e0a3b257fd86e5c65ae087ea014"
+        hash2 = "c9d2c8b6011a53e68e4a6c6e51142cef3348951d0b379e49b1a65a1891538df5"
+        hash3 = "2f5be3773e7e3a2f6806cdef154adfabc454c0e57a49e437c5889ce09b739302"
+        hash4 = "5bf170c95ca0e2079653d694f783b5bcd38f274ea875f67f0b60db4ac552a66c"
+        hash5 = "6fad04c836bc923f12ebaec8d8fb0c7091b044bf6f5c97e36d7bf46b8494f978"
+        hash6 = "64fe964f342acca6d85d247c4f67503e4222a58dfc5c644dedc2006a4b356d39"
+        hash7 = "6e216b265ea391f71f2a609df995f36b9ba8b17c8859f6d8e4ce4a076d351efd"
+        hash8 = "70dcc03cde3dd5c5ec6a6a240190cfb51667aaba9c867e20281e8dfc43afa891"
+        hash9 = "5053390bde150b771f8efe344b692c6c5718ba9203a4b23f5323af1ee9060ff2"
+        hash10 = "089e4dfd8b25afe596eff05baae86156a4e3243c84faa15416cff31a5120e107"
+        hash11 = "37e096338a78cb06d6236cb5a04cf125f191871ded3c9421f08a37890a095eb8"
+        hash12 = "b90a2b0249407b271a5d849fe82cbf4e9a31c2c6259caf515c9be3897e327414"
+        hash13 = "8f4751ed22619b04009c4b85ec45c8140b570835ca4c638c9e6019e7b7eb66c7"
+        
+    strings:
+        $chunk_1 = {
+        C7 85 ?? ?? ?? ?? ?? ?? ?? 00
+        C7 85 ?? ?? ?? ?? ?? ?? ?? 00
+        33 C0
+        EB 03
+        8D 49 00
+        8B 8C 85 ?? ?? ?? ??
+        3B 8C 85 ?? ?? ?? ??
+        }
+        
+        $chunk_2 = {
+        C7 84 24 ?? ?? ?? ?? ?? ?? 0? 00
+        C7 84 24 ?? ?? ?? ?? ?? ?? 0? 00
+        33 C0
+        EB 0D
+        8D A4 24 00 00 00 00
+        8D 9B 00 00 00 00
+        8B 8C 84 ?? ?? ?? ??
+        3B 8C 84 ?? ?? ?? ??
+        }
+        
+        $movs_zip_dir_start = { C7 45 ?? 5A 69 70 20 C7 45 ?? 44 69 72 20 C7 45 ?? 53 74 61 72  C7 45 ?? 74 20 2D 20}
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        filesize < 1MB and ($chunk_1 or $chunk_2) and $movs_zip_dir_start
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_3cx_payload_stealer.yar b/yara_rules/apt_3cx_payload_stealer.yar
new file mode 100644
index 0000000..f76fa94
--- /dev/null
+++ b/yara_rules/apt_3cx_payload_stealer.yar
@@ -0,0 +1,21 @@
+rule apt_3cx_payload_stealer {
+    meta:
+        id = "1ca0605d-101f-4d1d-a476-9dfd93e74b4c"
+        version = "1.0"
+        description = "Detects stealer used in 3CX campaign"
+        author = "Sekoia.io"
+        creation_date = "2023-03-31"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "******************************** %s ******************************" wide
+        $s2 = "\\3CXDesktopApp\\config.json" wide
+        $s3 = "{\"HostName\": \"%s\", \"DomainName\": \"%s\", \"OsVersion\":" wide
+        $s4 = "%s.old" wide
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        filesize < 8MB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_agent_racoon_strings.yar b/yara_rules/apt_agent_racoon_strings.yar
new file mode 100644
index 0000000..157c479
--- /dev/null
+++ b/yara_rules/apt_agent_racoon_strings.yar
@@ -0,0 +1,25 @@
+rule apt_agent_racoon_strings {
+    meta:
+        id = "ec89f1db-0ba8-48c8-8c1a-c38c410f3e39"
+        version = "1.0"
+        description = "Detects Agent Racoon used by CL-STA-0002"
+        author = "Sekoia.io"
+        creation_date = "2023-12-05"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "Command failed:" wide
+        $ = "Not uploaded:" wide
+        $ = "Not downloaded:" wide
+        $ = "xn--cc" wide
+        $ = "xn--ac" wide
+        $ = "xn--bc" wide
+        $ = "cmd.exe" wide
+        $ = ".xn--" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 1MB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_andariel_dorarat_strings.yar b/yara_rules/apt_andariel_dorarat_strings.yar
new file mode 100644
index 0000000..18c1156
--- /dev/null
+++ b/yara_rules/apt_andariel_dorarat_strings.yar
@@ -0,0 +1,20 @@
+rule apt_andariel_dorarat_strings {
+    meta:
+        id = "30388291-a287-489f-a060-c90a16cda217"
+        version = "1.0"
+        description = "Detects Dora RAT based on strings"
+        author = "Sekoia.io"
+        creation_date = "2024-06-17"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $x1 = "/encryption.go" ascii fullword
+        $x2 = "/handshake.go" ascii fullword
+        $x3 = "/trans_module.go" ascii fullword
+        $enc_rsc = { 14 02 72 14 D3 4C 4A 49 55 36 14 DF 8D 6F 2D CF }
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        (all of ($x*) or $enc_rsc)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_andariel_keylogger_strings.yar b/yara_rules/apt_andariel_keylogger_strings.yar
new file mode 100644
index 0000000..52c58ea
--- /dev/null
+++ b/yara_rules/apt_andariel_keylogger_strings.yar
@@ -0,0 +1,20 @@
+rule apt_andariel_keylogger_strings {
+    meta:
+        id = "59e94bee-9bd4-4f72-9358-858956bb4787"
+        version = "1.0"
+        description = "Detects one of the Andariel keylogger"
+        author = "Sekoia.io"
+        creation_date = "2024-06-17"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "Username:%s [%d/%02d/%02d %02d:%02d]" ascii fullword
+        $ = "-------[%d/%02d/%02d %02d:%02d]"
+        $ = "{Insert}"
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 300KB and
+        2 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_andariel_nestdoor_variants_strings.yar b/yara_rules/apt_andariel_nestdoor_variants_strings.yar
new file mode 100644
index 0000000..b2ee30a
--- /dev/null
+++ b/yara_rules/apt_andariel_nestdoor_variants_strings.yar
@@ -0,0 +1,22 @@
+rule apt_andariel_nestdoor_variants_strings {
+    meta:
+        id = "dcfc48ad-f17b-4224-912b-b01740080fea"
+        version = "1.0"
+        description = "Detects Nestdoor based on (weak) strings"
+        author = "Sekoia.io"
+        creation_date = "2024-06-17"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $v_11 = "Error occurs while reading" wide
+        $v_12 = "{DECIMAL}" wide
+        $v_13 = "lnk_" wide
+        $v_21 = "Cannot connect with your ip and your operating system." wide
+        $v_22 = "del /q /f %1" ascii
+        $v_23 = "/f /tn %2" ascii
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        (all of ($v_1*) or all of ($v_2*))
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_andariel_siennablue.yar b/yara_rules/apt_andariel_siennablue.yar
new file mode 100644
index 0000000..fd516ed
--- /dev/null
+++ b/yara_rules/apt_andariel_siennablue.yar
@@ -0,0 +1,21 @@
+rule apt_andariel_siennablue {
+    meta:
+        id = "ab3f8b49-0851-47a8-ac77-98d4e26f448e"
+        version = "1.0"
+        description = "Detects SiennaBlue based routine names"
+        author = "Sekoia.io"
+        creation_date = "2023-11-16"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "main_cryptAVPass"
+        $ = "main_DecryptString"
+        $ = "main_DisableNetworkDevice"
+        $ = "main_DeleteSchTask"
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        filesize > 4MB and filesize < 15MB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_apt10_hui_loader.yar b/yara_rules/apt_apt10_hui_loader.yar
new file mode 100644
index 0000000..6dce310
--- /dev/null
+++ b/yara_rules/apt_apt10_hui_loader.yar
@@ -0,0 +1,18 @@
+rule apt_apt10_hui_loader {
+    meta:
+        id = "97d17052-80d0-4f8e-8b3a-2e0d622522a9"
+        version = "1.0"
+        description = "Specific string for HUI Loader"
+        author = "Sekoia.io"
+        creation_date = "2022-07-04"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "HUIHWASDIHWEIUDHDSFSFEFWEFEWFDSGEFERWGWEEFWFWEWD" wide fullword
+        
+    condition:
+        (uint16be(0) == 0x4d5a) 
+        and filesize > 30KB and filesize < 100KB
+        and 1 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_apt28_document_phishing_webpage.yar b/yara_rules/apt_apt28_document_phishing_webpage.yar
new file mode 100644
index 0000000..38bb88f
--- /dev/null
+++ b/yara_rules/apt_apt28_document_phishing_webpage.yar
@@ -0,0 +1,23 @@
+rule apt_apt28_document_phishing_webpage {
+    meta:
+        id = "585a8e23-c302-41d3-938f-eda60c82ef28"
+        version = "1.0"
+        description = "Detects APT28 document phishing webpage"
+        author = "Sekoia.io"
+        creation_date = "2024-04-08"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "webhook.site"
+        $ = "document.createElement('img')"
+        $ = "brightness(15%) blur(7.0px)"
+        $ = "This document is not available from mobile devices."
+        $ = "Capture2.PNG"
+        $ = ">CLICK TO VIEW DOCUMENT<"
+        $ = "window.location.href = 's"
+        $ = ".oast."
+        
+    condition:
+        4 of them and filesize < 20KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_apt28_htmlsmuggling.yar b/yara_rules/apt_apt28_htmlsmuggling.yar
new file mode 100644
index 0000000..409ce05
--- /dev/null
+++ b/yara_rules/apt_apt28_htmlsmuggling.yar
@@ -0,0 +1,18 @@
+rule apt_apt28_htmlsmuggling {
+    meta:
+        id = "2e20c992-d971-4c0f-99b3-a7d528c7055a"
+        version = "1.0"
+        reference = "https://www.zscaler.com/blogs/security-research/steal-it-campaign"
+        description = "Detects some kind of HTMLSmuggling used by APT28"
+        author = "Sekoia.io"
+        creation_date = "2023-09-11"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "click();" ascii
+        $s2 = "window.location.replace("
+        
+    condition:
+        $s1 in (@s2..@s2-100)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_apt28_htmlsmuggling_disclosing_ip.yar b/yara_rules/apt_apt28_htmlsmuggling_disclosing_ip.yar
new file mode 100644
index 0000000..3cebc88
--- /dev/null
+++ b/yara_rules/apt_apt28_htmlsmuggling_disclosing_ip.yar
@@ -0,0 +1,19 @@
+rule apt_apt28_htmlsmuggling_disclosing_ip {
+    meta:
+        id = "57adc227-2b72-457e-a786-97ca1a7300d8"
+        version = "1.0"
+        reference = "https://www.zscaler.com/blogs/security-research/steal-it-campaign"
+        description = "Detects some kind of HTMLSmuggling used by APT28"
+        author = "Sekoia.io"
+        creation_date = "2023-09-11"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "ipapi.co/json"
+        $s2 = "a.download("
+        $s3 = "a.click("
+        
+    condition:
+        $s1 and $s2 and $s3 and filesize < 5000
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_apt28_powershell_ntlm_stealer.yar b/yara_rules/apt_apt28_powershell_ntlm_stealer.yar
new file mode 100644
index 0000000..d03fa36
--- /dev/null
+++ b/yara_rules/apt_apt28_powershell_ntlm_stealer.yar
@@ -0,0 +1,20 @@
+rule apt_apt28_powershell_ntlm_stealer {
+    meta:
+        id = "3fb5c472-6b1c-490e-b38f-4d4f1c472f43"
+        version = "1.0"
+        description = "Detects the NTLM Stealer used by APT28 against UA energy sector"
+        author = "Sekoia.io"
+        creation_date = "2023-09-07"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "'NTLM ' = [Convert]::ToBase64String"
+        $ = ".Prefixes.Add('http://localhost:8080/')"
+        $ = ".AddHeader('WWW-Authenticate', 'NTLM')"
+        $ = "GetValues('Authorization');"
+        $ = "[0] -split '\\s+';"
+        
+    condition:
+        3 of them and filesize < 4000
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_apt28_susp_graphite_downloader.yar b/yara_rules/apt_apt28_susp_graphite_downloader.yar
new file mode 100644
index 0000000..5952013
--- /dev/null
+++ b/yara_rules/apt_apt28_susp_graphite_downloader.yar
@@ -0,0 +1,27 @@
+import "pe"
+        
+rule apt_apt28_susp_graphite_downloader {
+    meta:
+        id = "9c9da5fe-ffd6-4c45-8ce1-9a6cf4fa2fda"
+        version = "1.0"
+        description = "Matches the routine which decrypts the RSA key blob in the Graphite downloader"
+        author = "Sekoia.io"
+        creation_date = "2022-01-26"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $gen =  { 33 D2
+        8B C1
+        6A ??
+        5E
+        F7 F6
+        8A 82 ?? ?? ?? ??
+        30 81 ?? ?? ?? ??
+        41
+        81 F9 94 04 00 00
+        72 E2 }
+        
+    condition:
+        uint16be(0) == 0x4d5a and $gen and pe.number_of_exports == 1
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_apt28_ukrnet_phishing_page.yar b/yara_rules/apt_apt28_ukrnet_phishing_page.yar
new file mode 100644
index 0000000..84dc547
--- /dev/null
+++ b/yara_rules/apt_apt28_ukrnet_phishing_page.yar
@@ -0,0 +1,25 @@
+rule apt_apt28_ukrnet_phishing_page {
+    meta:
+        id = "053158d8-aac0-486f-8432-834a06f41ed2"
+        version = "1.0"
+        description = "Detects APT28 Phishing page"
+        author = "Sekoia.io"
+        creation_date = "2024-09-02"
+        classification = "TLP:CLEAR"
+        hash = "20dc3a5beb8e3a7801e010b4113efef1"
+        hash = "5f1462144d7704101cd71c679ea0322b"
+        
+    strings:
+        $ = "baseurl+\"/captcha\""
+        $ = "(\"sessionID\", sessionID"
+        $ = ".responseJSON['origin"
+        $ = "var baseurl="
+        $ = "(req.responseText.includes("
+        $ = "else if (req.responseText=='FAIL')"
+        $ = "|| document.getElementById('confpwd"
+        $ = "/master/dist/text-security-disc.woff"
+        
+    condition:
+        4 of them and filesize < 500KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_apt28_wayzgoose_exploit_string.yar b/yara_rules/apt_apt28_wayzgoose_exploit_string.yar
new file mode 100644
index 0000000..65d9598
--- /dev/null
+++ b/yara_rules/apt_apt28_wayzgoose_exploit_string.yar
@@ -0,0 +1,21 @@
+rule apt_apt28_wayzgoose_exploit_string {
+    meta:
+        id = "23d9e09e-202c-47f5-abf7-6b5085e44400"
+        version = "1.0"
+        description = "Detects APT28's Wayzgoose exploit strings"
+        author = "Sekoia.io"
+        creation_date = "2024-04-29"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "wayzgoose.dll"
+        $ = "wayzgoose_get_version"
+        $ = "NtSetInformationFile"
+        $ = "ZwDuplicateObject"
+        $ = "ZwClose"
+        
+    condition:
+        uint16be(0) == 0x4d5a and 4 of them
+        and filesize < 500KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_apt29_malicious_rdp_file.yar b/yara_rules/apt_apt29_malicious_rdp_file.yar
new file mode 100644
index 0000000..f8723b3
--- /dev/null
+++ b/yara_rules/apt_apt29_malicious_rdp_file.yar
@@ -0,0 +1,27 @@
+rule apt_apt29_malicious_rdp_file {
+    meta:
+        id = "a7b092b5-53a1-4638-a6c1-733d3f063139"
+        version = "1.0"
+        description = "Detects malicious RDP files"
+        author = "Sekoia.io"
+        creation_date = "2024-10-25"
+        classification = "TLP:CLEAR"
+        hash = "db326d934e386059cc56c4e61695128e"
+        hash = "b38e7e8bba44bc5619b2689024ad9fca"
+        hash = "f58cf55b944f5942f1d120d95140b800"
+        hash = "40f957b756096fa6b80f95334ba92034"
+        
+    strings:
+        $ = "RedirectPrinters" wide
+        $ = "RedirectCOMPorts" wide
+        $ = "RedirectSmartCards" wide
+        $ = "RedirectPOSDevices" wide
+        $ = "RedirectClipboard" wide
+        $ = "DrivesToRedirect" wide
+        $ = "full address:s:" wide
+        
+    condition:
+        uint16be(0) == 0xFFFE and
+        all of them and filesize < 20KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_apt29_quarterrig.yar b/yara_rules/apt_apt29_quarterrig.yar
new file mode 100644
index 0000000..4636e50
--- /dev/null
+++ b/yara_rules/apt_apt29_quarterrig.yar
@@ -0,0 +1,19 @@
+rule apt_apt29_quarterrig {
+    meta:
+        id = "e370ed7e-5e12-4add-95f3-3773ea8e2d03"
+        version = "1.0"
+        description = "Detects QUARTERRIG"
+        author = "Sekoia.io"
+        creation_date = "2023-04-19"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str_dll_name = "hijacker.dll"
+        $str_import_name = "VCRUNTIME140.dll"
+        $op_resolve_and_call_openthread = { 48 [6] 48 [6] 8B D8 E8 [4] [3] 33 D2 B9 FF FF 1F 00 FF D0 }
+        $op_resolve_and_call_suspendthread = { E8 [4] 48 8B CB FF D0 83 F8 FF }
+        
+    condition:
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_apt29_wineloader_malicious_hta.yar b/yara_rules/apt_apt29_wineloader_malicious_hta.yar
new file mode 100644
index 0000000..233861e
--- /dev/null
+++ b/yara_rules/apt_apt29_wineloader_malicious_hta.yar
@@ -0,0 +1,19 @@
+rule apt_apt29_wineloader_malicious_hta {
+    meta:
+        id = "5a17d854-0564-4830-a0e5-7867b99716c2"
+        version = "1.0"
+        description = "Detects malicious HTA used by APT29 to drop Wineloader"
+        author = "Sekoia.io"
+        creation_date = "2024-03-25"
+        classification = "TLP:CLEAR"
+        hash = "efafcd00b9157b4146506bd381326f39"
+        
+    strings:
+        $ = "<HTA:APPLICATION ID="
+        $ = "var _0x"
+        $ = "Date['\\x6e\\x6f\\x77']"
+        
+    condition:
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_apt29_wineloader_malicious_pdf.yar b/yara_rules/apt_apt29_wineloader_malicious_pdf.yar
new file mode 100644
index 0000000..a4401d5
--- /dev/null
+++ b/yara_rules/apt_apt29_wineloader_malicious_pdf.yar
@@ -0,0 +1,22 @@
+rule apt_apt29_wineloader_malicious_pdf {
+    meta:
+        id = "b1db731e-471e-493a-b76c-38d2808ccac9"
+        version = "1.0"
+        description = "Detects malicious PDF used by APT29 to drop Wineloader"
+        author = "Sekoia.io"
+        creation_date = "2024-03-25"
+        classification = "TLP:CLEAR"
+        hash = "9712217ff3597468b48cdf45da588005de3a725ba554789bb7e5ae1b0f7c02a7"
+        hash = "3739b2eae11c8367b576869b68d502b97676fb68d18cc0045f661fbe354afcb9"
+        
+    strings:
+        $s1 = "<</Type/Annot/Subtype/Link/Border[0 0 0]/Rect["
+        $s2 = "/A<</Type/Action/S/URI/URI("
+        $s3 = { 2f [2-10] 2e 70 68 70 29 3e 3e }
+        $s4 = "JamrulNormal"
+        
+    condition:
+        uint32be(0) == 0x25504446 and
+        $s2 in (@s1..@s3) and $s4
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_apt31_pakdoor.yar b/yara_rules/apt_apt31_pakdoor.yar
new file mode 100644
index 0000000..25d8df6
--- /dev/null
+++ b/yara_rules/apt_apt31_pakdoor.yar
@@ -0,0 +1,26 @@
+rule apt_apt31_pakdoor {
+    meta:
+        id = "463b8d0d-30f4-45ed-8f19-4b32436fbbf0"
+        description = "Detects APT31 ORB implant - 2019/2021"
+        version = "1.0"
+        creation_date = "2021-10-11"
+        classification = "TLP:CLEAR"
+        author = "Sekoia.io"
+        version = "1.0"
+        hash = "1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2"
+        
+    strings:
+        // Common strings between samples
+        $s1 = "mv -f %s %s ;chmod 777 %s"
+        $s2 = "GET /plain HTTP/1.1"
+        $s3 = "exc_cmd time out"
+        $s4 = "exc_cmd pipe err"
+        $s5 = { 2e 2f [1-10] 20 20 64 65 6c }
+        
+    condition:
+        int32be(0) == 0x7f454c46 and 
+        filesize < 800KB and 
+        filesize > 400KB and 
+        4 of ($s*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_apt31_rekoobe.yar b/yara_rules/apt_apt31_rekoobe.yar
new file mode 100644
index 0000000..1088161
--- /dev/null
+++ b/yara_rules/apt_apt31_rekoobe.yar
@@ -0,0 +1,16 @@
+import "elf"
+        
+rule apt_apt31_rekoobe {
+    meta:
+        id = "b1461a72-76ce-4cc5-ac84-3cc87454d288"
+        version = "1.0"
+        description = "Find Rekoobe sample via Trend Elf Hash (telfhash)"
+        author = "Sekoia.io"
+        creation_date = "2023-07-10"
+        classification = "TLP:CLEAR"
+        
+    condition:
+        uint32be(0) == 0x7f454c46 and
+        filesize < 100KB and elf.telfhash() == "t18fc080c7c6b56a34a7f32538ac7c407982035e1581561b207f50c955d93b408404c5ef"
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_apt33_falsefont.yar b/yara_rules/apt_apt33_falsefont.yar
new file mode 100644
index 0000000..1572b58
--- /dev/null
+++ b/yara_rules/apt_apt33_falsefont.yar
@@ -0,0 +1,39 @@
+rule apt_apt33_falsefont {
+    meta:
+        id = "d77c1f5b-9898-456f-954a-ac1f0907a2ba"
+        version = "1.0"
+        description = "FalseFont backdoor"
+        author = "Sekoia.io"
+        creation_date = "2024-03-25"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s0 = "Agent.Core.WPF"
+        $s1 = "data2.txt" wide fullword
+        $s2 = "data.txt" wide fullword
+        $s3 = "Loginvault.db" wide fullword
+        $command1 = "ExecUseShell" ascii
+        $command2 = "ExecAndKeepAlive" ascii
+        $command3 = "CMD" ascii
+        $command4 = "PowerShell" ascii
+        $command5 = "KillByName" ascii
+        $command6 = "KillById" ascii
+        $command7 = "Download" ascii
+        $command8 = "Upload" ascii
+        $command9 = "Delete" ascii
+        $command10 = "GetDirectories" ascii
+        $command11 = "ChangeTime" ascii
+        $command12 = "SendAllDirectory" ascii
+        $command13 = "UpadateApplication" ascii
+        $command14 = "Restart" ascii
+        $command15 = "GetProcess" ascii
+        $command16 = "SendAllDirectoryWithStartPath" ascii
+        $command17 = "GetDir" ascii
+        $command18 = "GetHard" ascii
+        $command19 = "GetScreen" ascii
+        $command20 = "StopSendScreen" ascii
+        
+    condition:
+        uint16be(0) == 0x4d5a and 15 of ($command*) and 3 of ($s*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_apt33_tickler.yar b/yara_rules/apt_apt33_tickler.yar
new file mode 100644
index 0000000..c35f73b
--- /dev/null
+++ b/yara_rules/apt_apt33_tickler.yar
@@ -0,0 +1,20 @@
+import "hash"
+import "pe"
+        
+rule apt_apt33_tickler {
+    meta:
+        id = "e9ecf678-350c-47d2-ab4c-522974c70a45"
+        version = "1.0"
+        description = "Detects APT33 Tickler malware"
+        author = "Sekoia.io"
+        creation_date = "2024-08-29"
+        classification = "TLP:CLEAR"
+        hash = "8bd712b0a49f4fecd39d30ebd121832c"
+        hash = "3f29429fce0168748d7cc75e1478aedc"
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        (hash.md5(pe.rich_signature.clear_data) == "2fe65623e6b22577516a4cd051ec3baa"
+        or pe.imphash() == "a5accd1a0d3eaf2c131bc662dd7ff8ea")
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_apt35_iisraid_strings.yar b/yara_rules/apt_apt35_iisraid_strings.yar
new file mode 100644
index 0000000..8305337
--- /dev/null
+++ b/yara_rules/apt_apt35_iisraid_strings.yar
@@ -0,0 +1,20 @@
+rule apt_apt35_iisraid_strings {
+    meta:
+        id = "ee42f406-0c7e-4385-9098-409611dbe0a5"
+        version = "1.0"
+        description = "Detects APT35s ISSRaid implant"
+        author = "Sekoia.io"
+        creation_date = "2023-05-11"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "CHttpModule::"
+        $ = "X-Forward-Verify"
+        $ = "X-Beserver-Verify"
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 500KB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_apt37_chinotto_powershell_variant.yar b/yara_rules/apt_apt37_chinotto_powershell_variant.yar
new file mode 100644
index 0000000..bff6e39
--- /dev/null
+++ b/yara_rules/apt_apt37_chinotto_powershell_variant.yar
@@ -0,0 +1,21 @@
+rule apt_apt37_chinotto_powershell_variant {
+    meta:
+        id = "fa42b225-58fe-4e00-b84b-df37491d8fdd"
+        version = "1.0"
+        description = "Detects APT37 Chinotto Powershell Variant"
+        author = "Sekoia.io"
+        creation_date = "2023-03-06"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "$env:COMPUTERNAME + '-' + $env:USERNAME;" ascii wide
+        $ = "while($true -eq $true)" ascii wide
+        $ = "Start-Sleep -Seconds" ascii wide
+        $ = " -ne 'null' -and $" ascii wide
+        $ = "= 'R=' + [System.Convert]::" ascii wide
+        $ = "[string]$([char]0x0D) + [string]$([char]0x0A);" ascii wide
+        
+    condition:
+        4 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_apt37_malicious_hta_file.yar b/yara_rules/apt_apt37_malicious_hta_file.yar
new file mode 100644
index 0000000..920bd21
--- /dev/null
+++ b/yara_rules/apt_apt37_malicious_hta_file.yar
@@ -0,0 +1,21 @@
+rule apt_apt37_malicious_hta_file {
+    meta:
+        id = "22a98c27-8ff4-4760-b505-f8eacf4dabda"
+        version = "1.0"
+        description = "Detects malicious APT37 files"
+        author = "Sekoia.io"
+        creation_date = "2023-03-06"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "<HTML>" nocase
+        $s2 = " UwB0AGEAcgB0AC0AUwBs" ascii
+        $s3 = "= new ActiveXObject(" ascii
+        $s4 = "\", \"\", \"open\", 0);" ascii
+        $s5 = ".moveTo(" ascii
+        $s6 = "self.close();"
+        
+    condition:
+        $s1 at 0 and all of them and filesize < 1MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_apt41_javascript_dropper.yar b/yara_rules/apt_apt41_javascript_dropper.yar
new file mode 100644
index 0000000..255572a
--- /dev/null
+++ b/yara_rules/apt_apt41_javascript_dropper.yar
@@ -0,0 +1,22 @@
+rule apt_apt41_javascript_dropper {
+    meta:
+        id = "fde70806-af50-4706-9daf-d39ad0564fc7"
+        version = "1.0"
+        description = "Detects Earth Lusca JS dropper"
+        author = "Sekoia.io"
+        creation_date = "2024-02-26"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "eval(function(p, a, c, k, e, r) {"
+        $s2 = "|4d53"
+        $s3 = "ActiveXObject"
+        $x1 = " -F:* %1%"
+        $x2 = "&I /r c:\\"
+        $x3 = "ActiveXObject"
+        
+    condition:
+        filesize < 2MB and
+        (all of ($s*) or all of ($x*))
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_apt41_keyplug_dropper.yar b/yara_rules/apt_apt41_keyplug_dropper.yar
new file mode 100644
index 0000000..b3a31da
--- /dev/null
+++ b/yara_rules/apt_apt41_keyplug_dropper.yar
@@ -0,0 +1,21 @@
+rule apt_apt41_keyplug_dropper {
+    meta:
+        id = "b6740371-c4c3-437e-8235-0bd4f7b9c3f5"
+        version = "1.0"
+        description = "Detects a dropper used by keyplug"
+        author = "Sekoia.io"
+        creation_date = "2024-06-12"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "C:\\ProgramData\\pfm.ico" wide
+        $ = "C:\\\\ProgramData\\\\pfm.ico" wide
+        $ = "67f8de349abc5ghi" wide
+        $ = "3abc64597f8diegh" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 2MB and
+        any of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_apt41_powershell_collection_script.yar b/yara_rules/apt_apt41_powershell_collection_script.yar
new file mode 100644
index 0000000..774f783
--- /dev/null
+++ b/yara_rules/apt_apt41_powershell_collection_script.yar
@@ -0,0 +1,20 @@
+rule apt_apt41_powershell_collection_script {
+    meta:
+        id = "55b6cc3e-24b2-4faa-a7fb-b4203a8e6d83"
+        version = "1.0"
+        description = "Detects PowerShell collection script"
+        author = "Sekoia.io"
+        creation_date = "2023-11-15"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "$yestoday.ToString(" ascii wide nocase
+        $ = "$m.LastAccessTime -" ascii wide nocase
+        $ = "$fmat=" ascii wide nocase
+        $ = "$computername" ascii wide nocase
+        $ = "Rar.exe" ascii wide nocase
+        
+    condition:
+        filesize < 10KB and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_apt41_powershell_exfiltration_script.yar b/yara_rules/apt_apt41_powershell_exfiltration_script.yar
new file mode 100644
index 0000000..00f1adc
--- /dev/null
+++ b/yara_rules/apt_apt41_powershell_exfiltration_script.yar
@@ -0,0 +1,19 @@
+rule apt_apt41_powershell_exfiltration_script {
+    meta:
+        id = "9a15f845-c0af-4f1c-a033-b4f40232dc0d"
+        version = "1.0"
+        description = "Detects PowerShell exfiltration script"
+        author = "Sekoia.io"
+        creation_date = "2023-11-15"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "$UPLOAD_PASSPORT" ascii wide nocase
+        $ = "$fileName=$singleFile.Name" ascii wide nocase
+        $ = "Upload-Passport" ascii wide nocase
+        $ = "$singleFile in $files" ascii wide nocase
+        
+    condition:
+        filesize < 10KB and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_apt_k_47_orpcbackdoor.yar b/yara_rules/apt_apt_k_47_orpcbackdoor.yar
new file mode 100644
index 0000000..46acd46
--- /dev/null
+++ b/yara_rules/apt_apt_k_47_orpcbackdoor.yar
@@ -0,0 +1,21 @@
+rule apt_apt_k_47_orpcbackdoor {
+    meta:
+        id = "9768371d-763f-45df-b727-ccda97501aaa"
+        version = "1.0"
+        description = "Detects ORPCBackdoor used by APT-K-47"
+        author = "Sekoia.io"
+        creation_date = "2024-02-14"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "RegisteredOrganization:\t\t\t" ascii wide
+        $s2 = "To Be Filled By O.E.M" ascii wide
+        $s3 = ">> "
+        $s4 = "HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\%u" wide
+        $s5 = "Error! GetSystemDirectory failed."
+        $s6 = "Domain:\t\t\t\t"
+        
+    condition:
+        all of them and filesize < 300KB and uint16be(0) == 0x4d5a
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_apt_k_47_walkershell.yar b/yara_rules/apt_apt_k_47_walkershell.yar
new file mode 100644
index 0000000..464128e
--- /dev/null
+++ b/yara_rules/apt_apt_k_47_walkershell.yar
@@ -0,0 +1,21 @@
+rule apt_apt_k_47_walkershell {
+    meta:
+        id = "201f8415-32d4-4af1-ba80-734554ced728"
+        version = "1.0"
+        description = "Detects WalkerShell used by APT-K-47"
+        author = "Sekoia.io"
+        creation_date = "2024-02-14"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "\\n kuskure" ascii wide
+        $s2 = "col.log.txt" ascii wide
+        $s3 = "polor" ascii wide
+        $s4 = "emit" ascii wide
+        $s5 = "delta" ascii wide
+        $s6 = "under process" ascii wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and filesize < 4MB and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_aptc36_vbs_maldoc.yar b/yara_rules/apt_aptc36_vbs_maldoc.yar
new file mode 100644
index 0000000..531c278
--- /dev/null
+++ b/yara_rules/apt_aptc36_vbs_maldoc.yar
@@ -0,0 +1,24 @@
+rule apt_aptc36_vbs_maldoc {
+    meta:
+        id = "f0ca061f-e94b-4f70-bbd1-8a15193652d3"
+        version = "1.0"
+        description = "Find VBS file used by the threat actor APT-C-36"
+        author = "Sekoia.io"
+        creation_date = "2022-02-16"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $dim = "dim " wide ascii
+        $hea = "::::::::::::::::::::::::::::::::::::::::::::::::" wide ascii
+        $str0 = "update" wide ascii nocase
+        $str1 = "On Error Resume Next" wide ascii
+        $str2 = "CreateObject" wide ascii
+        $str3 = "WScript" wide ascii
+        
+    condition:
+        #dim > 5 and
+        #hea > 10 and
+        2 of ($str*) and
+        filesize > 10KB and filesize < 1MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_aptc60_downloader_strings.yar b/yara_rules/apt_aptc60_downloader_strings.yar
new file mode 100644
index 0000000..aac34ef
--- /dev/null
+++ b/yara_rules/apt_aptc60_downloader_strings.yar
@@ -0,0 +1,21 @@
+rule apt_aptc60_downloader_strings {
+    meta:
+        id = "02fd6d5b-7211-46cc-bcff-ab5d78e459c0"
+        version = "1.0"
+        description = "Detects a simple downloader abusing wlrmdr.exe and used by APT-C-60"
+        author = "Sekoia.io"
+        creation_date = "2024-09-05"
+        classification = "TLP:CLEAR"
+        hash = "b14ef85a60ac71c669cc960bdf580144"
+        
+    strings:
+        $ = "mydllmain" fullword
+        $ = "-s 3600 -f 0 -t _ -m _ -a 11 -u" wide
+        $ = "WlrMakeService" wide
+        $ = "Trigger1" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and all of them
+        and filesize < 500KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_aptk47_asyncshell.yar b/yara_rules/apt_aptk47_asyncshell.yar
new file mode 100644
index 0000000..d182e8d
--- /dev/null
+++ b/yara_rules/apt_aptk47_asyncshell.yar
@@ -0,0 +1,25 @@
+rule apt_aptk47_asyncshell {
+    meta:
+        id = "2d009cf4-e30e-406d-8860-03b37a396ffa"
+        version = "1.0"
+        description = "Detects APT-K-47's Asyncshell"
+        author = "Sekoia.io"
+        creation_date = "2024-11-22"
+        classification = "TLP:CLEAR"
+        hash = "ce6a589d5e3604112e5595a1f8d53e1e"
+        hash = "751f427da8e11d8ab394574260735220"
+        
+    strings:
+        $ = "Error executing command:" wide
+        $ = "Error occurred:" wide
+        $ = "Attempting to reconnect in {0} seconds..." wide
+        $ = "Exiting the application." wide
+        $ = "Server disconnected." wide
+        $ = "_CorExeMain"
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 1MB and 
+        4 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_aptk47_maliciouslnk.yar b/yara_rules/apt_aptk47_maliciouslnk.yar
new file mode 100644
index 0000000..c80af01
--- /dev/null
+++ b/yara_rules/apt_aptk47_maliciouslnk.yar
@@ -0,0 +1,19 @@
+rule apt_aptk47_maliciouslnk {
+    meta:
+        id = "2ccc8777-26fe-4018-9646-4ea91394fe78"
+        version = "1.0"
+        description = "Detects APT-K-47 malicious LNK"
+        author = "Sekoia.io"
+        creation_date = "2024-11-22"
+        classification = "TLP:CLEAR"
+        hash = "6a405d4e88b4acb9706e19a83aad9cf6"
+        
+    strings:
+        $ = "[/c for /f" wide
+        $ = "2^>nul') do copy" wide
+        $ = "%F in ('where /r %Temp%" wide
+        
+    condition:
+        uint32be(0) == 0x4c000000 and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_aridviper_rustsysjoker.yar b/yara_rules/apt_aridviper_rustsysjoker.yar
new file mode 100644
index 0000000..5372ec5
--- /dev/null
+++ b/yara_rules/apt_aridviper_rustsysjoker.yar
@@ -0,0 +1,19 @@
+rule apt_aridviper_rustsysjoker {
+    meta:
+        id = "14ff3f76-0371-4b45-9864-bf69c74e60aa"
+        version = "1.0"
+        description = "Detects Rust Sysjoker variant via PDB path or key and Rust string"
+        author = "Sekoia.io"
+        creation_date = "2023-11-27"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        
+        $Rust = "called `Option::unwrap()` on a `None` value"
+        $Key = "QQL8VJUJMABL8H5YNRC9QNEOHA"
+        $PDB = "C:\\Code\\Rust\\RustDown-Belal\\target\\release\\deps\\RustDown.pdb"
+        
+    condition:
+        uint16be(0) == 0x4d5a and filesize < 1MB and ($PDB or ($Rust and $Key))
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_backdoordiplomaty_custommerlinagent_strings.yar b/yara_rules/apt_backdoordiplomaty_custommerlinagent_strings.yar
new file mode 100644
index 0000000..b893912
--- /dev/null
+++ b/yara_rules/apt_backdoordiplomaty_custommerlinagent_strings.yar
@@ -0,0 +1,21 @@
+rule apt_backdoordiplomaty_custommerlinagent_strings {
+    meta:
+        id = "965693ba-93b8-4c52-9292-957884411968"
+        version = "1.0"
+        description = "Detects custom variant of Merlin agent used by BackdoorDiplomaty"
+        author = "Sekoia.io"
+        creation_date = "2024-06-06"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "agent.GetSpecificID"
+        $ = "agent.ExecuteCommand"
+        $ = "agent.getClient"
+        $ = "agent.SignalListen"
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 10MB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_backdoordiplomaty_phantomnet.yar b/yara_rules/apt_backdoordiplomaty_phantomnet.yar
new file mode 100644
index 0000000..77aa001
--- /dev/null
+++ b/yara_rules/apt_backdoordiplomaty_phantomnet.yar
@@ -0,0 +1,20 @@
+rule apt_backdoordiplomaty_phantomnet {
+    meta:
+        id = "bbcc0664-ef2b-47db-a546-b5e0aa2a1e9a"
+        version = "1.0"
+        description = "Detects PhantomNet based on strings"
+        author = "Sekoia.io"
+        creation_date = "2024-06-06"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "memory load plugin failed!" wide
+        $ = "Event eee!!!" ascii
+        $ = "LoadWin32_x64.pdb" ascii
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 2MB and
+        2 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_badmagic_commonmagic_generic_1.yar b/yara_rules/apt_badmagic_commonmagic_generic_1.yar
new file mode 100644
index 0000000..d1b57f6
--- /dev/null
+++ b/yara_rules/apt_badmagic_commonmagic_generic_1.yar
@@ -0,0 +1,21 @@
+rule apt_badmagic_commonmagic_generic_1 {
+    meta:
+        id = "0b328771-f674-4606-bb30-d20d07c67832"
+        version = "1.0"
+        description = "Detects CommonMagic related implants"
+        author = "Sekoia.io"
+        creation_date = "2023-05-15"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "\\CommonCommand\\Clean\\"
+        $ = "\\CommonCommand\\Overall\\"
+        $ = "\\CommonCommand\\Other\\"
+        $ = "\\CommonCommand\\Other\\*"
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 1MB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_badmagic_commonmagic_generic_2.yar b/yara_rules/apt_badmagic_commonmagic_generic_2.yar
new file mode 100644
index 0000000..e6ab00d
--- /dev/null
+++ b/yara_rules/apt_badmagic_commonmagic_generic_2.yar
@@ -0,0 +1,21 @@
+rule apt_badmagic_commonmagic_generic_2 {
+    meta:
+        id = "c6a16ecc-e00a-4756-b603-f6c85e4f4220"
+        version = "1.0"
+        description = "Detects CommonMagic related implants"
+        author = "Sekoia.io"
+        creation_date = "2023-05-15"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "\\CommonCommand\\" ascii wide
+        $ = "\\\\.\\pipe\\PipeMd" ascii wide fullword
+        $ = "\\\\.\\pipe\\PipeDtMd" ascii wide fullword
+        $ = "\\\\.\\pipe\\PipeCrDtMd" ascii wide fullword
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 1MB and
+        2 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_badmagic_commonmagic_main.yar b/yara_rules/apt_badmagic_commonmagic_main.yar
new file mode 100644
index 0000000..a1d2377
--- /dev/null
+++ b/yara_rules/apt_badmagic_commonmagic_main.yar
@@ -0,0 +1,20 @@
+rule apt_badmagic_commonmagic_main {
+    meta:
+        id = "99983df5-89d6-4fac-81e6-16e5ab20bde3"
+        version = "1.0"
+        description = "Detects CommonMagic related implants"
+        author = "Sekoia.io"
+        creation_date = "2023-05-15"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "graph.microsoft.com" ascii wide
+        $ = "children?select=name,size" ascii wide fullword
+        $ = "\\\\.\\pipe\\PipeCrDtMd" ascii wide fullword
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 1MB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_badmagic_commonmagic_screenshot_module.yar b/yara_rules/apt_badmagic_commonmagic_screenshot_module.yar
new file mode 100644
index 0000000..e1ed06a
--- /dev/null
+++ b/yara_rules/apt_badmagic_commonmagic_screenshot_module.yar
@@ -0,0 +1,20 @@
+rule apt_badmagic_commonmagic_screenshot_module {
+    meta:
+        id = "d1ef0bd1-37dc-405f-b82b-288b1798455c"
+        version = "1.0"
+        description = "Detects CommonMagic related implants"
+        author = "Sekoia.io"
+        creation_date = "2023-05-15"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "%s_%02d.%02d.%04d_%02d.%02d.%02d.%03d.%s" wide
+        $ = "Screenshot" wide
+        $ = "\\\\.\\pipe\\PipeDtMd" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 1MB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_badmagic_commonmagic_usbstealer.yar b/yara_rules/apt_badmagic_commonmagic_usbstealer.yar
new file mode 100644
index 0000000..5791a0a
--- /dev/null
+++ b/yara_rules/apt_badmagic_commonmagic_usbstealer.yar
@@ -0,0 +1,21 @@
+rule apt_badmagic_commonmagic_usbstealer {
+    meta:
+        id = "37d5becc-f1c3-4400-bc10-cd6036d4dbb1"
+        version = "1.0"
+        description = "Detects CommonMagic related implants"
+        author = "Sekoia.io"
+        creation_date = "2023-05-15"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "\\\\.\\pipe\\PipeDtMd" ascii wide fullword
+        $ = "State USB" ascii wide
+        $ = "DefaultNameDevice" ascii wide
+        $ = "SerialNumber" ascii wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 1MB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_badmagic_generic_pshscript.yar b/yara_rules/apt_badmagic_generic_pshscript.yar
new file mode 100644
index 0000000..73537cb
--- /dev/null
+++ b/yara_rules/apt_badmagic_generic_pshscript.yar
@@ -0,0 +1,17 @@
+rule apt_badmagic_generic_pshscript {
+    meta:
+        id = "82cda554-3c2b-4c04-b9f9-b5ba50c53271"
+        version = "1.0"
+        description = "Detects BadMagic generic powershell script (Possible FPs)"
+        author = "Sekoia.io"
+        creation_date = "2023-05-15"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "$ExecutablePath"
+        $ = "Start-Sleep -Second 2"
+        
+    condition:
+        all of them and filesize < 1KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_badmagic_installpzz_pshscript.yar b/yara_rules/apt_badmagic_installpzz_pshscript.yar
new file mode 100644
index 0000000..e5485ce
--- /dev/null
+++ b/yara_rules/apt_badmagic_installpzz_pshscript.yar
@@ -0,0 +1,19 @@
+rule apt_badmagic_installpzz_pshscript {
+    meta:
+        id = "d01bc217-9e14-498b-a92a-17f6aedec269"
+        version = "1.0"
+        description = "Detects BadMagic InstallPZZ powershell script"
+        author = "Sekoia.io"
+        creation_date = "2023-05-15"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "start-job -ScriptBlock $script;"
+        $ = "Start-Sleep -Second 1;"
+        $ = "Write-Output \"$url$j"
+        $ = "Start-Sleep -Second 2;"
+        
+    condition:
+        all of them and filesize < 1KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_badmagic_ld_dll_loader_pshscript.yar b/yara_rules/apt_badmagic_ld_dll_loader_pshscript.yar
new file mode 100644
index 0000000..bdd798c
--- /dev/null
+++ b/yara_rules/apt_badmagic_ld_dll_loader_pshscript.yar
@@ -0,0 +1,19 @@
+rule apt_badmagic_ld_dll_loader_pshscript {
+    meta:
+        id = "d4a23afc-693f-4fab-b2c4-15eecba047f7"
+        version = "1.0"
+        description = "Detects BadMagic DLL Loader powershell script"
+        author = "Sekoia.io"
+        creation_date = "2023-05-15"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "$ModulePath = \"$folder_path\\$name"
+        $ = "$ModuleExport ="
+        $ = "start-job -ScriptBlock $ScriptBlock"
+        $ = "Invoke-WebRequest -Uri"
+        
+    condition:
+        all of them and filesize < 1KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_badmagic_listfiles_pshscript.yar b/yara_rules/apt_badmagic_listfiles_pshscript.yar
new file mode 100644
index 0000000..ac61297
--- /dev/null
+++ b/yara_rules/apt_badmagic_listfiles_pshscript.yar
@@ -0,0 +1,17 @@
+rule apt_badmagic_listfiles_pshscript {
+    meta:
+        id = "55f1c409-234e-4feb-91a3-9bf5c41ec2b8"
+        version = "1.0"
+        description = "Detects BadMagic ListFiles powershell script"
+        author = "Sekoia.io"
+        creation_date = "2023-05-15"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "$env:USERPROFILE"
+        $ = "-Include *.jpg, *.odt, *.doc, *.docx"
+        
+    condition:
+        all of them and filesize < 1KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_badmagic_malicious_lnk.yar b/yara_rules/apt_badmagic_malicious_lnk.yar
new file mode 100644
index 0000000..c49ee0d
--- /dev/null
+++ b/yara_rules/apt_badmagic_malicious_lnk.yar
@@ -0,0 +1,20 @@
+rule apt_badmagic_malicious_lnk {
+    meta:
+        id = "731bd51d-c4e4-4efb-9fa8-f981a8555ed3"
+        version = "1.0"
+        description = "Detect LNK used by BadMagic to execute MSI payloads."
+        author = "Sekoia.io"
+        creation_date = "2023-05-15"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "/i http" wide
+        $ = ".msi /quiet" wide
+        $ = "%WINDIR%\\System32\\msiexec.exe"
+        
+    condition:
+        uint32be(0) == 0x4c000000 and
+        filesize < 1KB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_badmagic_modules.yar b/yara_rules/apt_badmagic_modules.yar
new file mode 100644
index 0000000..eab30a6
--- /dev/null
+++ b/yara_rules/apt_badmagic_modules.yar
@@ -0,0 +1,21 @@
+import "pe"
+        
+rule apt_badmagic_modules {
+    meta:
+        id = "e4f1f706-4a46-4a09-b598-e4e8d80f2c4b"
+        version = "1.0"
+        description = "Detect the modules used by the CloudWizard framework"
+        author = "Sekoia.io"
+        creation_date = "2023-05-25"
+        classification = "TLP:CLEAR"
+        hash = "no hash has been found on 2023-05-25 to test the rule"
+        
+    condition:
+        pe.DLL and
+        pe.exports("Start") and
+        pe.exports("Stop") and
+        pe.exports("Whoami") and
+        pe.exports("GetResult") and
+        pe.exports("GetSettings")
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_badmagic_reco_pshscript.yar b/yara_rules/apt_badmagic_reco_pshscript.yar
new file mode 100644
index 0000000..5c03fa8
--- /dev/null
+++ b/yara_rules/apt_badmagic_reco_pshscript.yar
@@ -0,0 +1,19 @@
+rule apt_badmagic_reco_pshscript {
+    meta:
+        id = "7a1b2d31-03b7-4a43-8f4e-ed38ba8e118e"
+        version = "1.0"
+        description = "Detects BadMagic Reco powershell script"
+        author = "Sekoia.io"
+        creation_date = "2023-05-15"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "$headers = @{};"
+        $ = "==ARP Cache=="
+        $ = "ipconfig.me"
+        $ = "-ComputerName $env:computername;"
+        
+    condition:
+        all of them and filesize < 1KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_badmagic_startngrok_pshscript.yar b/yara_rules/apt_badmagic_startngrok_pshscript.yar
new file mode 100644
index 0000000..dcd36ea
--- /dev/null
+++ b/yara_rules/apt_badmagic_startngrok_pshscript.yar
@@ -0,0 +1,20 @@
+rule apt_badmagic_startngrok_pshscript {
+    meta:
+        id = "94d64482-3033-4531-8530-58546364ac06"
+        version = "1.0"
+        description = "Detects BadMagic StartNgrok powershell script"
+        author = "Sekoia.io"
+        creation_date = "2023-05-15"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "$ExecutablePath http \"\"file:///$Disk"
+        $ = "write \"$ExecutablePath not found"
+        $ = "$ng_proxy_string ="
+        $ = "$ng_auth_token ="
+        $ = "$env:ALLUSERSPROFILE\\$NGrokFolderName"
+        
+    condition:
+        all of them and filesize < 1KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_badmagic_startrevsocks_pshscript.yar b/yara_rules/apt_badmagic_startrevsocks_pshscript.yar
new file mode 100644
index 0000000..206472a
--- /dev/null
+++ b/yara_rules/apt_badmagic_startrevsocks_pshscript.yar
@@ -0,0 +1,18 @@
+rule apt_badmagic_startrevsocks_pshscript {
+    meta:
+        id = "a6c96aee-9e78-47d2-afe3-f3c5246a9370"
+        version = "1.0"
+        description = "Detects BadMagic DLL Loader powershell script"
+        author = "Sekoia.io"
+        creation_date = "2023-05-15"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "$ExecutablePath"
+        $ = "Start-Sleep -Second 2"
+        $ = "recn -15 -rect 15"
+        
+    condition:
+        all of them and filesize < 1KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_blackwood_nspx30_plugin.yar b/yara_rules/apt_blackwood_nspx30_plugin.yar
new file mode 100644
index 0000000..7cbd429
--- /dev/null
+++ b/yara_rules/apt_blackwood_nspx30_plugin.yar
@@ -0,0 +1,18 @@
+rule apt_blackwood_nspx30_plugin {
+    meta:
+        id = "ef8e0d51-c78c-426b-8008-910e27546f23"
+        version = "1.0"
+        description = "Detects plugins of NSPX30 backdoor based on RTTI and rundll32 string"
+        author = "Sekoia.io"
+        creation_date = "2024-01-29"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = {2E 3F 41 56 43 43 61 62 69 6E 65 74 40 40}
+        $s2 = {2E 3F 41 56 43 45 6E 63 6F 64 65 72 40 40}
+        $s3 = "rundll32.exe \"%hs\",#1" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and filesize < 1MB and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_boldmove_strings.yar b/yara_rules/apt_boldmove_strings.yar
new file mode 100644
index 0000000..a22d1ff
--- /dev/null
+++ b/yara_rules/apt_boldmove_strings.yar
@@ -0,0 +1,21 @@
+rule apt_boldmove_strings {
+    meta:
+        id = "0458e282-f92f-4600-964a-de6b66b4a82d"
+        version = "1.0"
+        description = "Detects BOLDMOVE via strings"
+        author = "Sekoia.io"
+        creation_date = "2023-01-16"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "cwd=%s" ascii wide
+        $s2 = "executable=%s" ascii wide
+        $s3 = "curl/6.12.34" ascii wide
+        $s4 = "www.example.com" ascii wide
+        $s5 = "GET /ws HTTP/1.1" ascii wide
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        filesize < 4MB and 4 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_buhtrap_maldocx.yar b/yara_rules/apt_buhtrap_maldocx.yar
new file mode 100644
index 0000000..c879321
--- /dev/null
+++ b/yara_rules/apt_buhtrap_maldocx.yar
@@ -0,0 +1,26 @@
+rule apt_buhtrap_maldocx {
+    meta:
+        id = "4aaba2f1-fafd-4e3f-8b18-7beda11464d1"
+        version = "1.0"
+        description = "Detect the malicious DOCX used by Buhtrap"
+        author = "Sekoia.io"
+        creation_date = "2022-02-25"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "<xm:macrosheet xmlns=" ascii fullword
+        $ = "CALL(\"kernel32\",\"VirtualFree"
+        $ = "CALL(\"kernel32\",\"CreateFileA"
+        $ = "CALL(\"kernel32\",\"WriteFile"
+        $ = "CALL(\"kernel32\",\"VirtualAlloc"
+        $ = "CALL(\"kernel32\",\"WinExec"
+        $ = "CALL(\"kernel32\",\"lstrcatA"
+        $ = "CALL(\"kernel32\",\"CreateFileA"
+        $ = "CALL(\"kernel32\",\"VirtualFree"
+        $ = "CALL(\"kernel32\",\"ExpandEnvironmentStringsA"
+        $ = "CALL(\"kernel32\",\"CloseHandle"
+        
+    condition:
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_cerana_keeper_dropboxflop.yar b/yara_rules/apt_cerana_keeper_dropboxflop.yar
new file mode 100644
index 0000000..84c68af
--- /dev/null
+++ b/yara_rules/apt_cerana_keeper_dropboxflop.yar
@@ -0,0 +1,18 @@
+rule apt_cerana_keeper_dropboxflop {
+    meta:
+        id = "e077901f-3847-45f3-82cb-d52724cd3fb5"
+        version = "1.0"
+        description = "Detects DropboxFlop malware"
+        author = "Sekoia.io"
+        creation_date = "2024-10-04"
+        classification = "TLP:CLEAR"
+        hash = "2b65b74e52fbf25cb400dbdfcd1a06a7"
+        
+    strings:
+        $ = "<assemblyIdentity type=\"win32\" name=\"dropboxflop\""
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_cerana_keeper_yk0130.yar b/yara_rules/apt_cerana_keeper_yk0130.yar
new file mode 100644
index 0000000..283c067
--- /dev/null
+++ b/yara_rules/apt_cerana_keeper_yk0130.yar
@@ -0,0 +1,18 @@
+rule apt_cerana_keeper_yk0130 {
+    meta:
+        id = "3da898a9-68e7-472f-8478-a0243840ec0a"
+        version = "1.0"
+        description = "Detects YK0130 reverse shell"
+        author = "Sekoia.io"
+        creation_date = "2024-10-04"
+        classification = "TLP:CLEAR"
+        hash = "2554e4864294dc96a5b4548dd42c7189"
+        
+    strings:
+        $pdb = "C:\\Users\\admin\\source\\repos\\YK0130" ascii fullword
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        all of them and filesize < 300KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_cloudatlas_init_module_virtualalloc.yar b/yara_rules/apt_cloudatlas_init_module_virtualalloc.yar
new file mode 100644
index 0000000..19722ec
--- /dev/null
+++ b/yara_rules/apt_cloudatlas_init_module_virtualalloc.yar
@@ -0,0 +1,26 @@
+rule apt_cloudatlas_init_module_virtualalloc {
+    meta:
+        id = "299ed681-9d1f-4b47-8389-ff5a608f49d4"
+        version = "1.0"
+        description = "Find init module of CloudAtlas with params passed to VirtualAlloc"
+        author = "Sekoia.io"
+        creation_date = "2023-09-19"
+        classification = "TLP:CLEAR"
+        hash1 = "02a1a9582f5ccf421b08c41c35049416b9cdefc9228daf6b38d95e9b0930cc5a"
+        hash2 = "c7f19c7c295c86867ea7fa4597ba0cebe12f751753866e7298fd5d84676facc3"
+        
+    strings:
+        $chunk_1 = {
+        6A 40
+        68 00 30 10 00
+        8B 8D ?? ?? ?? ??
+        8B 51 50
+        52
+        6A 00
+        FF 15 ?? ?? ?? ??
+        }
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and $chunk_1 and filesize < 3MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_cloudatlas_powershower_clean.yar b/yara_rules/apt_cloudatlas_powershower_clean.yar
new file mode 100644
index 0000000..8f74f0c
--- /dev/null
+++ b/yara_rules/apt_cloudatlas_powershower_clean.yar
@@ -0,0 +1,20 @@
+rule apt_cloudatlas_powershower_clean {
+    meta:
+        id = "4a7c37df-3f53-4190-a86f-94bba3df628e"
+        version = "1.0"
+        description = "Detects clean version of PowerShower"
+        author = "Sekoia.io"
+        creation_date = "2022-12-05"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "[io.file]::WriteAllBytes($zipfile" ascii wide
+        $ = "System.IO.File]::Exists($p_t" ascii wide
+        $ = "HttpRequestP" ascii wide
+        $ = "$http_request.getOption(2)" ascii wide
+        $ = "HttpRequestP($url)" ascii wide
+        
+    condition:
+    uint8(0) == 0x24 and filesize < 4000 and 4 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_cloudatlas_powershower_module.yar b/yara_rules/apt_cloudatlas_powershower_module.yar
new file mode 100644
index 0000000..fe5cf62
--- /dev/null
+++ b/yara_rules/apt_cloudatlas_powershower_module.yar
@@ -0,0 +1,19 @@
+rule apt_cloudatlas_powershower_module {
+    meta:
+        id = "dd688058-3d5d-46a7-8380-fe961c3327cd"
+        version = "1.0"
+        description = "Detects CloudAtlas PowerShower module"
+        author = "Sekoia.io"
+        creation_date = "2022-11-30"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "$env:temp" ascii wide
+        $ = "foreach($item in $zip.items" ascii wide
+        $ = "echo $result" ascii wide
+        $ = "pass.txt" ascii wide
+        
+    condition:
+    all of them and filesize < 10000
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_cloudatlas_powershower_obfuscated.yar b/yara_rules/apt_cloudatlas_powershower_obfuscated.yar
new file mode 100644
index 0000000..55c62e2
--- /dev/null
+++ b/yara_rules/apt_cloudatlas_powershower_obfuscated.yar
@@ -0,0 +1,19 @@
+rule apt_cloudatlas_powershower_obfuscated {
+    meta:
+        id = "f76ab9d8-7753-4a17-aedd-fc9c3b8cd322"
+        version = "1.0"
+        description = "Detects obfuscated version of PowerShower"
+        author = "Sekoia.io"
+        creation_date = "2022-11-29"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "{0}{1}{2}{3}{4}{5}{6}{7}{8}" ascii wide
+        $s2 = "{000}{001}{002}{003}{004}{005}{006}{007}{008}" ascii wide
+        $s3 = "::Unicode.GetString([System.Convert]::FromBase64String(" ascii wide
+        
+    condition:
+        ($s1 in (0..100) or $s2 in (0..100))
+        and $s3 in (filesize-200..filesize)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_cloudatlas_powershower_variant.yar b/yara_rules/apt_cloudatlas_powershower_variant.yar
new file mode 100644
index 0000000..081cfa0
--- /dev/null
+++ b/yara_rules/apt_cloudatlas_powershower_variant.yar
@@ -0,0 +1,18 @@
+rule apt_cloudatlas_powershower_variant {
+    meta:
+        id = "416d0cb0-bc59-47ae-8a98-d7b39f8108ab"
+        version = "1.0"
+        description = "Detects PowerShower"
+        author = "Sekoia.io"
+        creation_date = "2023-12-20"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "[System.Text.Encoding]::" ascii wide
+        $s2 = "{8}{9}{10}{11}{12}{13}{14}{15}{16}{17}{18}{19}{20}"  ascii wide
+        
+    condition:
+        filesize < 10KB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_cloudatlas_powertunnel.yar b/yara_rules/apt_cloudatlas_powertunnel.yar
new file mode 100644
index 0000000..c4525af
--- /dev/null
+++ b/yara_rules/apt_cloudatlas_powertunnel.yar
@@ -0,0 +1,22 @@
+rule apt_cloudatlas_powertunnel {
+    meta:
+        id = "04981493-de8b-4662-ae81-8866c182f8b2"
+        version = "1.0"
+        description = "Detects PowerTunnel DLL of CloudAtlas"
+        author = "Sekoia.io"
+        creation_date = "2022-11-29"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "BeginGetHostEntry"
+        $ = "get_AddressList"
+        $ = "time_stop_delay_seconds"
+        $ = "<connect><result>{0}</result></connect>"
+        $ = "_CorDllMain"
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 1MB  and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_cloudatlas_powertunnel_loader.yar b/yara_rules/apt_cloudatlas_powertunnel_loader.yar
new file mode 100644
index 0000000..e7861e1
--- /dev/null
+++ b/yara_rules/apt_cloudatlas_powertunnel_loader.yar
@@ -0,0 +1,19 @@
+rule apt_cloudatlas_powertunnel_loader {
+    meta:
+        id = "f2333b8a-99e9-4f28-b0d8-4f7dc4c648c5"
+        version = "1.0"
+        description = "Detects the Powershell loader of the PowerTunnel dll"
+        author = "Sekoia.io"
+        creation_date = "2022-11-29"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "New-Object System.IO.Compression.GzipStream(" ascii fullword
+        $ = "[System.Reflection.Assembly]::Load("
+        $ = ".ReadBytes("
+        $ = ".Service]::StartMain"
+        
+    condition:
+        uint8be(0) == 0x24 and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_cloudatlas_rtf_shellcode_cve_2018_0798.yar b/yara_rules/apt_cloudatlas_rtf_shellcode_cve_2018_0798.yar
new file mode 100644
index 0000000..6014256
--- /dev/null
+++ b/yara_rules/apt_cloudatlas_rtf_shellcode_cve_2018_0798.yar
@@ -0,0 +1,17 @@
+rule apt_cloudatlas_rtf_shellcode_cve_2018_0798 {
+    meta:
+        id = "6c602c66-df40-4436-800f-e548dacc1e81"
+        version = "1.0"
+        description = "CloudAtlas Shellcode for CVE_2018_0798 "
+        author = "Sekoia.io"
+        creation_date = "2022-12-01"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "6060606061616161616161616161616161616161FB0B00004bE8FFFFFFFFC35F83C71B33C966B908010f0d00ddd8d97424f4668137" ascii nocase
+        
+    condition:
+        filesize < 8MB  and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_cloudatlas_stagescalldllmainafterexec.yar b/yara_rules/apt_cloudatlas_stagescalldllmainafterexec.yar
new file mode 100644
index 0000000..ad16bc8
--- /dev/null
+++ b/yara_rules/apt_cloudatlas_stagescalldllmainafterexec.yar
@@ -0,0 +1,47 @@
+rule apt_cloudatlas_stagescalldllmainafterexec {
+    meta:
+        id = "a24b7887-87f6-44e3-80c5-cd117e694595"
+        version = "1.0"
+        description = "Detects call to dllmain after execution of exported function"
+        author = "Sekoia.io"
+        creation_date = "2023-10-31"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $chunk_1 = {
+        55
+        8B EC
+        83 EC 10
+        C7 45 ?? 00 00 00 00
+        83 7D ?? 00
+        74 ??
+        8B 45 ??
+        89 45 ??
+        8B 4D ??
+        8B 51 ??
+        03 55 ??
+        89 55 ??
+        8B 45 ??
+        8B 48 ??
+        03 4D ??
+        89 4D ??
+        6A 00
+        6A 00
+        FF 75 ??
+        FF 55 ??
+        68 00 80 00 00
+        6A 00
+        8B 55 ??
+        52
+        FF 15 ?? ?? ?? ??
+        C7 45 ?? 01 00 00 00
+        8B 45 ??
+        8B E5
+        5D
+        C2 04 00
+        }
+        
+    condition:
+        any of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_cloudmensis_downloader_strings.yar b/yara_rules/apt_cloudmensis_downloader_strings.yar
new file mode 100644
index 0000000..603223a
--- /dev/null
+++ b/yara_rules/apt_cloudmensis_downloader_strings.yar
@@ -0,0 +1,21 @@
+rule apt_cloudmensis_downloader_strings {
+    meta:
+        id = "450cfa42-7b56-4d93-afe2-9cf5c1049217"
+        version = "1.0"
+        description = "Detects CloudMensis downloader"
+        author = "Sekoia.io"
+        creation_date = "2022-07-26"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "https://api.pcloud.com/getfilelink?path=%@&forcedownload=1"
+        $ = "python -c 'import os; print(os.confstr(65538))'"
+        $ = "getCmdResult:"
+        $ = "[pCloud DownloadFile:]"
+        
+    condition:
+        uint32be(0) == 0xcafebabe and
+        filesize < 1MB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_cloudmensis_spyagent_strings.yar b/yara_rules/apt_cloudmensis_spyagent_strings.yar
new file mode 100644
index 0000000..9684f1c
--- /dev/null
+++ b/yara_rules/apt_cloudmensis_spyagent_strings.yar
@@ -0,0 +1,22 @@
+rule apt_cloudmensis_spyagent_strings {
+    meta:
+        id = "c2df8373-6698-4b23-9d77-8e7968bd69f0"
+        version = "1.0"
+        description = "Detects CloudMensis SpyAgent"
+        author = "Sekoia.io"
+        creation_date = "2022-07-26"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "[control_thread loop_DirStructure:]"
+        $ = "[screen_keylog getScreenShotData]"
+        $ = "[screen_keylog loop_usb]"
+        $ = "[Management UploadFilebyPath:destination:]"
+        $ = "[control_thread loop_pwd:]"
+        
+    condition:
+        uint32be(0) == 0xcafebabe and 
+        filesize < 2MB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_coathanger_beacon.yar b/yara_rules/apt_coathanger_beacon.yar
new file mode 100644
index 0000000..a72a92f
--- /dev/null
+++ b/yara_rules/apt_coathanger_beacon.yar
@@ -0,0 +1,22 @@
+rule apt_coathanger_beacon {
+    meta:
+        id = "cc201479-016a-46d2-a9e2-41b4914ce618"
+        version = "1.0"
+        description = "Detects COATHANGER beacon"
+        author = "Sekoia.io"
+        creation_date = "2024-02-07"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = {
+        48 B8 47 45 54 20 2F 20 48 54
+        48 89 45 B0 48 B8 54 50 2F 32 0A 48 6F 73
+        48 89 45 B8 48 B8 74 3A 20 77 77 77 2E 67
+        48 89 45 C0 48 B8 6F 6F 67 6C 65 2E 63 6F
+        }
+        
+    condition:
+        uint32(0) == 0x464c457f and filesize < 5MB and
+        any of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_coathanger_files.yar b/yara_rules/apt_coathanger_files.yar
new file mode 100644
index 0000000..3825394
--- /dev/null
+++ b/yara_rules/apt_coathanger_files.yar
@@ -0,0 +1,25 @@
+rule apt_coathanger_files {
+    meta:
+        id = "615f5ac1-14bc-4f5b-a02e-7b13cd179917"
+        version = "1.0"
+        description = "Detects COATHANGER files"
+        author = "Sekoia.io"
+        creation_date = "2024-02-07"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "/data2/"
+        $ = "/httpsd"
+        $ = "/preload.so"
+        $ = "/authd"
+        $ = "/tmp/packfile"
+        $ = "/smartctl"
+        $ = "/etc/ld.so.preload"
+        $ = "/newcli"
+        $ = "/bin/busybox"
+        
+    condition:
+        (uint32(0) == 0x464c457f or uint32(4) == 0x464c457f)
+        and filesize < 5MB and 4 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_cottonsandstorm_win_implant.yar b/yara_rules/apt_cottonsandstorm_win_implant.yar
new file mode 100644
index 0000000..6120f89
--- /dev/null
+++ b/yara_rules/apt_cottonsandstorm_win_implant.yar
@@ -0,0 +1,25 @@
+rule apt_cottonsandstorm_win_implant {
+    meta:
+        id = "04a5255c-f9bb-4612-b0e2-ed0326867055"
+        version = "1.0"
+        description = "Detects a simple win implant used by Cotton Sandstorm"
+        author = "Sekoia.io"
+        creation_date = "2024-11-05"
+        classification = "TLP:CLEAR"
+        hash = "f797d71ed07d6e05556300e4ce0f2927"
+        
+    strings:
+        $ = "DIR =>" wide
+        $ = "type=machines&md5=" wide
+        $ = "File =>" wide
+        $ = "&ip=" wide fullword
+        $ = "&un=" wide fullword
+        $ = "&cp=" wide fullword
+        $ = "myFile\";filename=" ascii
+        $ = "ifB75BcjsRBhy2et" ascii
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        4 of them and filesize < 500KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_dark_pink_pdb_path.yar b/yara_rules/apt_dark_pink_pdb_path.yar
new file mode 100644
index 0000000..806a4dd
--- /dev/null
+++ b/yara_rules/apt_dark_pink_pdb_path.yar
@@ -0,0 +1,18 @@
+rule apt_dark_pink_pdb_path {
+    meta:
+        id = "695586dc-66de-4f9d-814a-2d81261a7357"
+        version = "1.0"
+        description = "Detects PDB path of some Dark Pink sample"
+        author = "Sekoia.io"
+        creation_date = "2023-01-16"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "C:\\Users\\hoang\\source\\repos\\Cucky\\Cucky\\obj\\Release\\net46\\Cucky.pdb" wide ascii
+        $s2 = "C:\\Users\\build\\source\\repos\\CtealWebCredential\\Release\\CtealWebCredential.pdb" wide ascii
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        filesize < 5MB and any of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_darkpink_kamikakabot_strings.yar b/yara_rules/apt_darkpink_kamikakabot_strings.yar
new file mode 100644
index 0000000..e28b029
--- /dev/null
+++ b/yara_rules/apt_darkpink_kamikakabot_strings.yar
@@ -0,0 +1,31 @@
+rule apt_darkpink_kamikakabot_strings {
+    meta:
+        id = "0f5a7d72-81c8-4fdd-aefd-136bc6d48aa5"
+        version = "1.0"
+        description = "Detects KamiKakaBot strings (.NET sample of Dark Pink)"
+        author = "Sekoia.io"
+        creation_date = "2023-02-22"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "Execute"
+        $ = "f4869"
+        $ = "getIndentifyName"
+        $ = "getMessageAsync"
+        $ = "requestMessageID"
+        $ = "run_command"
+        $ = "sendFile"
+        $ = "sendMessage"
+        $ = "send_brw_data"
+        $ = "updateMessageID"
+        $ = "update_new_token"
+        $ = "update_new_xml"
+        $ = {53 00 74 00 61 00 72 00 74 00 65 00 64 00 20 00 75 00 70 00 20 00 72 00 75 00 6e}
+        $ = {20 00 72 00 65 00 63 00 6f 00 6e 00 6e 00 65 00 63 00 74 00 65 00 64 00 21}
+        $ = {6e 00 65 00 77 00 20 00 63 00 6f 00 6e 00 6e 00 65 00 63 00 74 00 65 00 64 00 21}
+        $ = {74 00 6f 00 6b 00 65 00 6e 00 20 00 75 00 70 00 64 00 61 00 74 00 65 00 20 00 73 00 75 00 63 00 63 00 65 00 73 00 73 00 21 00 21 00 21}
+        
+    condition:
+       6 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_darkpink_loader_decryptionroutine.yar b/yara_rules/apt_darkpink_loader_decryptionroutine.yar
new file mode 100644
index 0000000..5b39695
--- /dev/null
+++ b/yara_rules/apt_darkpink_loader_decryptionroutine.yar
@@ -0,0 +1,50 @@
+import "hash"
+import "pe"
+        
+rule apt_darkpink_loader_decryptionroutine {
+    meta:
+        id = "fefc7b2f-eecc-49dc-84bc-24c45e9ea8f0"
+        version = "1.0"
+        description = "Detects decryption routine of dark pink loader"
+        author = "Sekoia.io"
+        creation_date = "2023-01-17"
+        classification = "TLP:CLEAR"
+        hashs = "3f38860d0f6f0ff1b65219379f8793383cba85b11de1c853192fb2d2ba99e481"
+        hashs = "b3f1d6366ebc184f634a240c838b39d729c28b8718b0b9ca6be988a7e446ec42"
+        
+    strings:
+        $chunk_1 = {
+        8A 08
+        40
+        84 C9
+        75 ??
+        6A 00
+        2B C2
+        50
+        53
+        56
+        E8 ?? ?? ?? ??
+        8A 88 ?? ?? ?? ??
+        30 0C 3E
+        83 C6 01
+        83 D3 00
+        78 ??
+        7F ??
+        81 FE ?? ?? ?? ??
+        72 ??
+        55
+        }
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        filesize < 3MB and (
+            all of them 
+            or
+            hash.md5(pe.rich_signature.clear_data) == "950c0710dc4cbf6e2cd6b857d25da523"
+            or
+            for any i in (0..pe.number_of_sections-1) : (
+                hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "547e43dd8560fa8b0ca0be9f633bf62d"
+            )
+        )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_darkpink_sample.yar b/yara_rules/apt_darkpink_sample.yar
new file mode 100644
index 0000000..1dd3c7d
--- /dev/null
+++ b/yara_rules/apt_darkpink_sample.yar
@@ -0,0 +1,20 @@
+rule apt_darkpink_sample {
+    meta:
+        id = "91b4c64a-7622-4f03-bd3f-9fe56f01dfbe"
+        version = "1.0"
+        description = "Detects two parts of cmd.exe /c "
+        author = "Sekoia.io"
+        creation_date = "2023-06-05"
+        classification = "TLP:CLEAR"
+        hash = "8dc3f6179120f03fd6cb2299dbc94425451d84d6852b801a313a39e9df5d9b1a"
+        
+    strings:
+        $cmd_xor_part_1 = {DF 00 A1 00 E4 00 F0 00 4B 00 3A 00 D1 00 C4 00}
+        $cmd_xor_part_2 = {bc 00 cc 00 80 00 d0 00 64 00 59 00 F1 00 E6 00 FD 00 83 00 C6}
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        filesize <1MB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_emberbear_credpump_strings.yar b/yara_rules/apt_emberbear_credpump_strings.yar
new file mode 100644
index 0000000..3902609
--- /dev/null
+++ b/yara_rules/apt_emberbear_credpump_strings.yar
@@ -0,0 +1,21 @@
+rule apt_emberbear_credpump_strings {
+    meta:
+        id = "c9898e34-4ab8-49d6-9c8a-3fce592449e2"
+        version = "1.0"
+        description = "Detects CredPump backdoor"
+        author = "Sekoia.io"
+        creation_date = "2023-02-28"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "User=%s Pass=%s Host=%s"
+        $ = "/etc/rc0.d/.rc0.d"
+        $ = "pam_get_authtok"
+        $ = "Password:"
+        
+    condition:
+        uint32be(0) == 0x7f454c46 and
+        filesize < 200KB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_emissarypanda_sysupdate_removing_tool.yar b/yara_rules/apt_emissarypanda_sysupdate_removing_tool.yar
new file mode 100644
index 0000000..2cb6961
--- /dev/null
+++ b/yara_rules/apt_emissarypanda_sysupdate_removing_tool.yar
@@ -0,0 +1,19 @@
+rule apt_emissarypanda_sysupdate_removing_tool {
+    meta:
+        id = "711d059c-6229-49ef-aa20-a04d505838dc"
+        version = "1.0"
+        description = "Detects the SysUpdate removing tool"
+        author = "Sekoia.io"
+        creation_date = "2022-08-03"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "KsWAYYYXXsFUCK" wide
+        $ = "remove Services:%s %d" wide
+        $ = "remove dir:%s %d" wide
+        $ = "remove reg %d" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and filesize < 11MB and 2 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_emissarypanda_web_auto_attack_tool.yar b/yara_rules/apt_emissarypanda_web_auto_attack_tool.yar
new file mode 100644
index 0000000..d756207
--- /dev/null
+++ b/yara_rules/apt_emissarypanda_web_auto_attack_tool.yar
@@ -0,0 +1,22 @@
+rule apt_emissarypanda_web_auto_attack_tool {
+    meta:
+        id = "c93eb792-a443-4c9a-8fcb-6015cc69f9b3"
+        version = "1.0"
+        description = "Detect LuckyMouse's Web auto attack tool"
+        author = "Sekoia.io"
+        creation_date = "2022-08-03"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "[192.168.1.1/24|192.168.1.1|192.168.1|@host.txt]" ascii
+        $ = "80,s443,8080,s8443,8000-8010" ascii
+        $ = "exploit When find module vul" ascii
+        $ = "<title>\\s*(.*?)\\s*</title>" ascii
+        $ = "<meta.+?charset=[^\\w]?([-\\w]+)" ascii
+        $ = "%s is not existed" ascii
+        $ = "%-15s %4d Open" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and 4 of them and filesize < 500KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_evasive_panda_downloader_certificate_exe.yar b/yara_rules/apt_evasive_panda_downloader_certificate_exe.yar
new file mode 100644
index 0000000..94134e1
--- /dev/null
+++ b/yara_rules/apt_evasive_panda_downloader_certificate_exe.yar
@@ -0,0 +1,16 @@
+rule apt_evasive_panda_downloader_certificate_exe {
+    meta:
+        id = "1b40fca9-04b1-46b3-b48c-5a148a1b36b9"
+        version = "1.0"
+        description = "Detects downloader used by Evasive Panda (certificate.exe)"
+        author = "Sekoia.io"
+        creation_date = "2024-03-15"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = {C6 45 D4 44 C6 45 D5 74 C6 45 D6 7C C6 45 D7 74 C6 45 D8 79}
+        
+    condition:
+        uint16be(0) == 0x4d5a and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_evasive_panda_rphost_dll.yar b/yara_rules/apt_evasive_panda_rphost_dll.yar
new file mode 100644
index 0000000..4180744
--- /dev/null
+++ b/yara_rules/apt_evasive_panda_rphost_dll.yar
@@ -0,0 +1,21 @@
+rule apt_evasive_panda_rphost_dll {
+    meta:
+        id = "8d70639d-b736-4823-86ad-37f0e383b5f7"
+        version = "1.0"
+        description = "Detects DLL used by Evasive Panda"
+        author = "Sekoia.io"
+        creation_date = "2024-03-15"
+        classification = "TLP:CLEAR"
+        hash = "fa44028115912c95b5efb43218f3c7237d5c349f"
+        
+    strings:
+        $s1 = "htks.ini" ascii fullword
+        $s2 = "MyDemo" wide fullword
+        
+    condition:
+        uint16be(0) == 0x4d5a and 
+        all of them 
+        
+        and filesize < 1MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_flightnight_malicious_lnk.yar b/yara_rules/apt_flightnight_malicious_lnk.yar
new file mode 100644
index 0000000..756e955
--- /dev/null
+++ b/yara_rules/apt_flightnight_malicious_lnk.yar
@@ -0,0 +1,22 @@
+rule apt_flightnight_malicious_lnk {
+    meta:
+        id = "06f33ece-ac9f-4dd3-98fb-cd69305ee995"
+        version = "1.0"
+        description = "Detects malicious LNK used by FlightNight"
+        author = "Sekoia.io"
+        creation_date = "2024-04-02"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s0 = "/c start /B " wide
+        $s1 = ".exe &" wide
+        $s2 = ".pdf" wide
+        $s3 = "%CD%" wide
+        
+    condition:
+        uint32be(0) == 0x4c000000 and
+        $s1 in (@s0..@s2) and
+        $s1 in (@s0..@s0+100) and
+        $s3
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_gamaredon_ddrdoh_powershell_backdoor.yar b/yara_rules/apt_gamaredon_ddrdoh_powershell_backdoor.yar
new file mode 100644
index 0000000..a794659
--- /dev/null
+++ b/yara_rules/apt_gamaredon_ddrdoh_powershell_backdoor.yar
@@ -0,0 +1,20 @@
+rule apt_gamaredon_ddrdoh_powershell_backdoor {
+    meta:
+        id = "3413dedd-e3ec-4231-8af7-c7f709ab82d7"
+        version = "1.0"
+        description = "Detects GAMAREDON's DDRDOH PowerShell Backdoor"
+        author = "Sekoia.io"
+        creation_date = "2023-01-23"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "hidden iex $env:" ascii wide
+        $ = ".substring(0,4) -eq \"http" ascii wide
+        $ = ".split('!')[1];" ascii wide
+        $ = " -bxor $key[$i % $key.Length]" ascii wide
+        $s = "Filter $fil | Select-Object VolumeSerialNumber" ascii wide
+        
+    condition:
+        uint8(0) == 0x24 and 4 of them and filesize < 10KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_gamaredon_ddrdoh_vbs_downloader.yar b/yara_rules/apt_gamaredon_ddrdoh_vbs_downloader.yar
new file mode 100644
index 0000000..ef1514a
--- /dev/null
+++ b/yara_rules/apt_gamaredon_ddrdoh_vbs_downloader.yar
@@ -0,0 +1,27 @@
+rule apt_gamaredon_ddrdoh_vbs_downloader {
+    meta:
+        id = "c934b95d-d81d-4f58-a752-1bb31ba8593d"
+        version = "1.0"
+        description = "Detects the core of the VBS Gamaredon's Telegram Downloader"
+        author = "Sekoia.io"
+        creation_date = "2023-01-25"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $a1 = "==([0-9\\@]+)==" ascii
+        $a2 = "data\"\":\"\"(.*?)" ascii
+        $a3 = ", vbcr ,\"\")" ascii
+        $a4 = ", vblf ,\"\")" ascii
+        $a5 = ", \"&&\" ,\"\")" ascii
+        $a6 = "ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4" ascii
+        $b1 = "==([0-9\\@]+)==" base64
+        $b2 = "data\"\":\"\"(.*?)" base64
+        $b3 = ", vbcr ,\"\")" base64
+        $b4 = ", vblf ,\"\")" base64
+        $b5 = ", \"&&\" ,\"\")" base64
+        $b6 = "ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4" base64
+        
+    condition:
+        (4 of ($a*) or 4 of ($b*)) and filesize < 50KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_gamaredon_ddrdoh_vbs_downloader_vbs.yar b/yara_rules/apt_gamaredon_ddrdoh_vbs_downloader_vbs.yar
new file mode 100644
index 0000000..5a2924c
--- /dev/null
+++ b/yara_rules/apt_gamaredon_ddrdoh_vbs_downloader_vbs.yar
@@ -0,0 +1,21 @@
+rule apt_gamaredon_ddrdoh_vbs_downloader_vbs {
+    meta:
+        id = "cc29d5d9-58bd-4f68-8673-daa41abfc7be"
+        version = "1.0"
+        description = "Detects malicious VBScript executed by LNK/mshta"
+        author = "Sekoia.io"
+        creation_date = "2023-01-24"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "b24gZXJyb3IgcmVzd" ascii
+        $ = "BinaryStream.readtext" ascii nocase
+        $ = "createobject(\"msxml2.domdocument.3.0\").createelement(" ascii nocase
+        $ = "Dim cSecond, cMinute, CHour, cDay, cMonth, cYear" ascii nocase
+        $ = "tDate & \"T\" & tTime"
+        $ = "AutoOpen" ascii nocase
+        
+    condition:
+        5 of them and filesize < 50KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_gamaredon_doc_external_template.yar b/yara_rules/apt_gamaredon_doc_external_template.yar
new file mode 100644
index 0000000..0a3b0ae
--- /dev/null
+++ b/yara_rules/apt_gamaredon_doc_external_template.yar
@@ -0,0 +1,18 @@
+rule apt_gamaredon_doc_external_template {
+    meta:
+        id = "5f6bbf92-2fdf-428d-af49-2d3e754c29d7"
+        version = "1.0"
+        description = "Detects malicious templates used by Gamaredon"
+        author = "Sekoia.io"
+        creation_date = "2023-01-23"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "USERPROFILE" ascii
+        $ = "msxml2" ascii
+        $ = "T24gRXJyb3IgUmVzdW1lIE5leHQ" ascii
+        
+    condition:
+        uint32be(0) == 0xd0cf11e0 and filesize < 100KB and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_gamaredon_flash_infostealer.yar b/yara_rules/apt_gamaredon_flash_infostealer.yar
new file mode 100644
index 0000000..605d843
--- /dev/null
+++ b/yara_rules/apt_gamaredon_flash_infostealer.yar
@@ -0,0 +1,22 @@
+rule apt_gamaredon_flash_infostealer {
+    meta:
+        id = "f060fe4b-74fd-4ef3-ac86-916e2113ff24"
+        version = "1.0"
+        description = "Detects the Gamaredon's Flash InfoStealer"
+        author = "Sekoia.io"
+        creation_date = "2023-01-24"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $a1 = "Content-Type: multipart/form-data; boundary=----%s" ascii
+        $a2 = "Content-Disposition: form-data; name=\"p\"" ascii
+        $a3 = "Content-Type: application/octet-stream"
+        $w1 = "%s||%s||%s||%s" wide
+        $w2 = "Pragma: no-cache" wide
+        $w3 = { 64 00 6F 00 63 00 00 00 00 00 2E 00 64 00 6F 00 63 00 78 00 }
+        
+    condition:
+        uint16be(0) == 0x4d5a and filesize < 500KB and
+        2 of ($a*) and 2 of ($w*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_gamaredon_gamaredon_lnk_usb_spreader.yar b/yara_rules/apt_gamaredon_gamaredon_lnk_usb_spreader.yar
new file mode 100644
index 0000000..d838ac0
--- /dev/null
+++ b/yara_rules/apt_gamaredon_gamaredon_lnk_usb_spreader.yar
@@ -0,0 +1,24 @@
+rule apt_gamaredon_gamaredon_lnk_usb_spreader {
+    meta:
+        id = "a0972e30-bfc5-48ff-b04b-382db8c08a54"
+        version = "1.0"
+        description = "Detects Gamaredon LNK USB Spreader"
+        author = "Sekoia.io"
+        hash = "2aee8bb2a953124803bc42e5c42935c92f87030b65448624f51183bf00dd1581"
+        creation_date = "2023-06-19"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = ".CREatesHoRTCUt(" nocase ascii wide
+        $ = "cOPY-Item $enV:UsErprOfilE" nocase ascii wide
+        $ = "-dEsTInaTioN $Env:" nocase ascii wide
+        $ = " = GET-ChilDITem $drivE.nAMe" nocase ascii wide
+        $ = "STArt-SLEeP" nocase ascii wide
+        $ = "-eq [SYsTEM.Io.fILeaTTrIbuTES]::DIRecToRy" nocase ascii wide
+        $ = "drIvETYPe='2'" nocase ascii wide
+        $ = ".iConloCaTiON = " nocase ascii wide
+        
+    condition:
+        7 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_gamaredon_gamaredon_lnk_usb_spreader_encoded.yar b/yara_rules/apt_gamaredon_gamaredon_lnk_usb_spreader_encoded.yar
new file mode 100644
index 0000000..d13384b
--- /dev/null
+++ b/yara_rules/apt_gamaredon_gamaredon_lnk_usb_spreader_encoded.yar
@@ -0,0 +1,20 @@
+rule apt_gamaredon_gamaredon_lnk_usb_spreader_encoded {
+    meta:
+        id = "e42bb654-d1aa-4219-b3da-dd4053d59a83"
+        version = "1.0"
+        description = "Detects encoded version of Gamaredon LNK USB Spreader"
+        author = "Sekoia.io"
+        hash = "28358a4a6acdcdfc6d41ea642220ef98c63b9c3ef2268449bb02d2e2e71e7c01"
+        creation_date = "2023-06-19"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(" ascii
+        $s2 = " 1000000){" base64
+        $s3 = "+\"\\$" base64
+        $s4 = ",3\";" base64
+        
+    condition:
+        $s1 at 0 and 3 of them and filesize < 4000
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_gamaredon_gammaload_malicioushta.yar b/yara_rules/apt_gamaredon_gammaload_malicioushta.yar
new file mode 100644
index 0000000..e72a33f
--- /dev/null
+++ b/yara_rules/apt_gamaredon_gammaload_malicioushta.yar
@@ -0,0 +1,22 @@
+rule apt_gamaredon_gammaload_malicioushta {
+    meta:
+        id = "e5e502db-7f37-40f2-9ba3-81e158e767db"
+        version = "1.0"
+        description = "Detects Gamaredon's GammaLoad HTA"
+        author = "Sekoia.io"
+        creation_date = "2022-08-01"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "platform = window.navigator?.userAgentData?.platform" ascii fullword
+        $s2 = "'Win32', 'Win64', 'Windows', 'WinCE'" ascii
+        $s3 = "dcreate.download ="
+        $s4 = "dcreate.href = 'data:application/x-rar-compressed;base64"
+        $s5 = "= \"UmFyI"
+        
+    condition:
+        uint32be(0) == 0x3c68746d and
+        filesize < 400KB and filesize > 50KB and
+        4 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_gamaredon_gammaload_maliciouslnk.yar b/yara_rules/apt_gamaredon_gammaload_maliciouslnk.yar
new file mode 100644
index 0000000..26eb660
--- /dev/null
+++ b/yara_rules/apt_gamaredon_gammaload_maliciouslnk.yar
@@ -0,0 +1,19 @@
+rule apt_gamaredon_gammaload_maliciouslnk {
+    meta:
+        id = "2612e6c6-0bda-4bfa-a840-aa0a0b4c945b"
+        version = "1.0"
+        description = "Detects Gamaredon's GammaLoad LNK"
+        author = "Sekoia.io"
+        creation_date = "2022-08-01"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $mshta = "System32\\mshta.exe"
+        $trait = { 0D 0A ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 0D 0A }
+        
+    condition:
+        uint32be(0) == 0x4c000000 and
+        #trait > 100 and $mshta and
+        filesize > 100KB and filesize < 300KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_gamaredon_getlogicaldrive_hunting.yar b/yara_rules/apt_gamaredon_getlogicaldrive_hunting.yar
new file mode 100644
index 0000000..632a1d2
--- /dev/null
+++ b/yara_rules/apt_gamaredon_getlogicaldrive_hunting.yar
@@ -0,0 +1,21 @@
+rule apt_gamaredon_getlogicaldrive_hunting {
+    meta:
+        id = "18958ee8-7eb8-43b5-8ad2-be93bb39aa80"
+        version = "1.0"
+        description = "Detects gamaredon powershell stuff"
+        author = "Sekoia.io"
+        creation_date = "2023-02-08"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "VolumeSerialNumber" ascii wide nocase
+        $ = "Get-WmiObject" ascii wide nocase
+        $ = "]::ToUInt32(" ascii wide nocase
+        $ = "DeviceID" ascii wide nocase
+        $ = "UploadValues" ascii wide nocase
+        $ = "UploadString" ascii wide nocase
+        
+    condition:
+        5 of them and filesize < 500KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_gamaredon_htmlsmuggling_2024.yar b/yara_rules/apt_gamaredon_htmlsmuggling_2024.yar
new file mode 100644
index 0000000..4a32446
--- /dev/null
+++ b/yara_rules/apt_gamaredon_htmlsmuggling_2024.yar
@@ -0,0 +1,24 @@
+rule apt_gamaredon_htmlsmuggling_2024 {
+    meta:
+        id = "8fa1f80b-2261-4d63-92d8-7c360be73fe2"
+        version = "1.0"
+        description = "Detects HTML Smuggling webpages of Gamaredon used in 2024"
+        author = "Sekoia.io"
+        creation_date = "2024-09-09"
+        classification = "TLP:CLEAR"
+        hash = "ab2807824e68d5efb4c896e1af82e693"
+        hash = "926b7e65d0d61cd6ba9e085193ae8b1d"
+        
+    strings:
+        $ = "').innerHTML;window['" ascii fullword
+        $ = "='at'+'ob';"
+        $ = "]('*','');"
+        $ = "display:none"
+        $ = "0px;\" onerror=\""
+        $ = "'ev'+'"
+        $ = "<!DOCTYPE html PUBLIC"
+        
+    condition:
+        5 of them and filesize < 1MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_gamaredon_htmlsmuggling_attachment.yar b/yara_rules/apt_gamaredon_htmlsmuggling_attachment.yar
new file mode 100644
index 0000000..b54aaa9
--- /dev/null
+++ b/yara_rules/apt_gamaredon_htmlsmuggling_attachment.yar
@@ -0,0 +1,20 @@
+rule apt_gamaredon_htmlsmuggling_attachment {
+    meta:
+        id = "a39b6e67-9327-4c5b-902a-b9853cfefc8e"
+        version = "1.0"
+        description = "Detects Gamaredon HTMLSmuggling attachment"
+        author = "Sekoia.io"
+        creation_date = "2023-01-20"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "['at'+'ob'](" ascii
+        $ = "['ev'+'al'](" ascii
+        $ = "document.querySelectorAll('[" ascii
+        $ = "[0].innerHTML.split(' ').join('')))" ascii
+        
+    condition:
+        filesize < 1MB and
+        2 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_gamaredon_htmlsmuggling_attachment_stage2.yar b/yara_rules/apt_gamaredon_htmlsmuggling_attachment_stage2.yar
new file mode 100644
index 0000000..dfd0305
--- /dev/null
+++ b/yara_rules/apt_gamaredon_htmlsmuggling_attachment_stage2.yar
@@ -0,0 +1,20 @@
+rule apt_gamaredon_htmlsmuggling_attachment_stage2 {
+    meta:
+        id = "e82335ea-48d5-409c-a270-cfd5a2197c44"
+        version = "1.0"
+        description = "Detects Gamaredon HTMLSmuggling attachment"
+        author = "Sekoia.io"
+        creation_date = "2023-01-20"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = ") == -1) die();" ascii
+        $ = "'data:application/x-rar-compressed;base64, ' +" ascii
+        $ = ".appendChild(img);" ascii
+        $ = "['Win32', 'Win64', 'Windows', 'WinCE'].indexOf(" ascii
+        $ = " = navigator[\"platform\"];" ascii
+        
+    condition:
+        4 of them and filesize < 1MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_gamaredon_lnk.yar b/yara_rules/apt_gamaredon_lnk.yar
new file mode 100644
index 0000000..4f8ba42
--- /dev/null
+++ b/yara_rules/apt_gamaredon_lnk.yar
@@ -0,0 +1,17 @@
+rule apt_gamaredon_lnk {
+    meta:
+        id = "bfa69d84-433c-4f37-93b7-5b1b11677fbb"
+        version = "1.0"
+        description = "Detects lnk file used by Gamaredon"
+        author = "Sekoia.io"
+        creation_date = "2024-02-08"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "-windowstyle hidden $(gc " wide
+        $s2 = "|out-string)|powershell -noprofile -" wide
+        
+    condition:
+        uint32be(0) == 0x4c000000 and any of them  and filesize < 100KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_gamaredon_lnk_spreader.yar b/yara_rules/apt_gamaredon_lnk_spreader.yar
new file mode 100644
index 0000000..51aec40
--- /dev/null
+++ b/yara_rules/apt_gamaredon_lnk_spreader.yar
@@ -0,0 +1,20 @@
+rule apt_gamaredon_lnk_spreader {
+    meta:
+        id = "2866ca1d-c094-49ba-b1de-ff9a60680e28"
+        version = "1.0"
+        description = "Detects LNK generated by Gamaredon LNK spreader"
+        author = "Sekoia.io"
+        hash = "7d6264ce74e298c6d58803f9ebdb4a40b4ce909d02fd62f54a1f8d682d73519a"
+        creation_date = "2023-06-19"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "windoWSTYLE hiDdEn -NOlOgo iEX" wide nocase
+        $ = "(IeX (geT-coNtEnT" wide nocase
+        
+    condition:
+        uint32be(0) == 0x4C000000 
+        and filesize < 3KB
+        and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_gamaredon_lnks_farl139_hostname.yar b/yara_rules/apt_gamaredon_lnks_farl139_hostname.yar
new file mode 100644
index 0000000..289db5d
--- /dev/null
+++ b/yara_rules/apt_gamaredon_lnks_farl139_hostname.yar
@@ -0,0 +1,18 @@
+rule apt_gamaredon_lnks_farl139_hostname {
+    meta:
+        id = "f8bb2e6b-e544-46b0-b61b-048fe84e1100"
+        version = "1.0"
+        description = "Detects some hostname used in Gamaredon LNKs"
+        author = "Sekoia.io"
+        creation_date = "2023-01-20"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "desktop-farl139"
+        
+    condition:
+        uint32be(0) == 0x4c000000
+        and all of them 
+        and filesize < 10KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_gamaredon_powerrevshell.yar b/yara_rules/apt_gamaredon_powerrevshell.yar
new file mode 100644
index 0000000..cdc5333
--- /dev/null
+++ b/yara_rules/apt_gamaredon_powerrevshell.yar
@@ -0,0 +1,20 @@
+rule apt_gamaredon_powerrevshell {
+    meta:
+        id = "b5161c23-c607-4096-9f4a-1be516a0a614"
+        version = "1.0"
+        description = "Detects Powershell reverse shell"
+        author = "Sekoia.io"
+        creation_date = "2023-02-08"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "iex $enc.GetString("
+        $ = "$stream.Write"
+        $ = ".).FullName"
+        $ = "Sockets.TcpClient"
+        $ = "\">\";"
+        
+    condition:
+        all of them and filesize < 3000
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_gamaredon_stealer_obfuscation_1.yar b/yara_rules/apt_gamaredon_stealer_obfuscation_1.yar
new file mode 100644
index 0000000..3d583ca
--- /dev/null
+++ b/yara_rules/apt_gamaredon_stealer_obfuscation_1.yar
@@ -0,0 +1,19 @@
+rule apt_gamaredon_stealer_obfuscation_1 {
+    meta:
+        id = "a6197d16-8ed1-410b-8814-d7eff9a8096c"
+        version = "1.0"
+        description = "Matches the Gamaredon Stealer obfuscation"
+        author = "Sekoia.io"
+        creation_date = "2022-02-04"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = { 76 61 72 20 [5-30] 3d 20 6e 65 77 20 6f 62 6a 65 63 74 5b 5d 20 7b 20 [2-10] 2c 20 [2-10] 2c 20 [2-10] 2c 20 [2-10] 2c 20 [2-10] 2c 20 [2-10] 20 7d 3b }
+        $s2 = { 66 6f 72 28 69 6e 74 20 [5-30] 20 3d 20 30 3b 20 [5-30] 20 3c 20 31 30 3b 20 [5-30] 2b 2b 29 }
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize > 100MB and
+        (#s1 > 100 or #s2 > 100)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_gamaredon_stealer_obfuscation_2.yar b/yara_rules/apt_gamaredon_stealer_obfuscation_2.yar
new file mode 100644
index 0000000..1130a92
--- /dev/null
+++ b/yara_rules/apt_gamaredon_stealer_obfuscation_2.yar
@@ -0,0 +1,18 @@
+rule apt_gamaredon_stealer_obfuscation_2 {
+    meta:
+        id = "fd278a90-537b-4c67-9421-01c9f2416b60"
+        version = "1.0"
+        description = "Matches the Gamaredon Stealer obfuscation"
+        author = "Sekoia.io"
+        creation_date = "2022-02-04"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = { 3d 20 6e 65 77 20 73 74 72 69 6e 67 5b 5d 20 7b 20 [50-200] 20 7d 3b }
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize > 100MB   and
+        #s1 > 40
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_gamaredon_subtle_paws.yar b/yara_rules/apt_gamaredon_subtle_paws.yar
new file mode 100644
index 0000000..1bc16f0
--- /dev/null
+++ b/yara_rules/apt_gamaredon_subtle_paws.yar
@@ -0,0 +1,19 @@
+rule apt_gamaredon_subtle_paws {
+    meta:
+        id = "1950f886-97d2-4aa1-8f13-2947eba706e4"
+        version = "1.0"
+        description = "SUBTLE-PAWS powershell backdoor used by Gamaredon"
+        author = "Sekoia.io"
+        creation_date = "2024-02-09"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "$splitter" ascii wide
+        $s2 = "[System.Convert]::FromBase64String" ascii wide
+        $s3 = "$_;$var2 =\"var1\";$var3" ascii wide
+        $s4 = "foreach-object{$_|powershell -noprofile -}" ascii wide
+        
+    condition:
+        $s1 and $s2 and ($s3 or $s4) and filesize < 100KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_gamaredon_vbs_downloader.yar b/yara_rules/apt_gamaredon_vbs_downloader.yar
new file mode 100644
index 0000000..d2658a3
--- /dev/null
+++ b/yara_rules/apt_gamaredon_vbs_downloader.yar
@@ -0,0 +1,24 @@
+rule apt_gamaredon_vbs_downloader {
+    meta:
+        id = "13b63570-2f18-4b35-8087-9ab15c58a0d1"
+        version = "1.0"
+        description = "Detects small VBS loader"
+        author = "Sekoia.io"
+        creation_date = "2023-02-08"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "on error resume next" nocase ascii wide
+        $s2 = "String('http" nocase ascii wide
+        $s3 = "send()" nocase ascii wide
+        $s4 = ")|Invoke-Expression" nocase ascii wide
+        $s5 = "'); Invoke-Expression $" nocase ascii wide
+        $s6 = "');Invoke-Expression $" nocase ascii wide
+        
+    condition:
+        $s1 and 
+        ($s2 or $s3) and 
+        ($s4 or $s5 or $s6) and 
+        filesize < 1KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_gelsemium_firewood_backdoor.yar b/yara_rules/apt_gelsemium_firewood_backdoor.yar
new file mode 100644
index 0000000..09b967a
--- /dev/null
+++ b/yara_rules/apt_gelsemium_firewood_backdoor.yar
@@ -0,0 +1,22 @@
+rule apt_gelsemium_firewood_backdoor {
+    meta:
+        id = "93670c07-9edd-4ea2-b8ed-6fee625491f4"
+        version = "1.0"
+        description = "Detects Gelsemium's FireWood backdoor"
+        author = "Sekoia.io"
+        creation_date = "2024-11-22"
+        classification = "TLP:CLEAR"
+        hash = "2251bc7910fe46fd0baf8bc05599bdcf"
+        
+    strings:
+        $ = "root dir:%s"
+        $ = "df -h|grep 'dev' |grep -v none|awk '/dev/{print $6}'"
+        $ = "rm -rf ../lib/%s"
+        $ = "Total Disk space:%luG, Free Disk spae:%luG"
+        
+    condition:
+        uint32be(0) == 0x7f454c46 and 
+        filesize < 1MB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_gelsemium_wolfsbane_backdoor.yar b/yara_rules/apt_gelsemium_wolfsbane_backdoor.yar
new file mode 100644
index 0000000..44b6515
--- /dev/null
+++ b/yara_rules/apt_gelsemium_wolfsbane_backdoor.yar
@@ -0,0 +1,25 @@
+rule apt_gelsemium_wolfsbane_backdoor {
+    meta:
+        id = "db2ad5a4-b592-4646-a385-c668bb2ea090"
+        version = "1.0"
+        description = "Detects Gelsemium's WolfsBane backdoor"
+        author = "Sekoia.io"
+        creation_date = "2024-11-22"
+        classification = "TLP:CLEAR"
+        hash = "1418fe9a743226b9661a2b6decb19db0"
+        
+    strings:
+        $ = "udp_session"
+        $ = "session_interface"
+        $ = "plugin_persist"
+        $ = "Udp.cpp"
+        $ = "ikcp.c"
+        $ = "' %s 2>/dev/null"
+        
+    condition:
+        uint32be(0) == 0x7f454c46 and
+        filesize > 3MB and
+        filesize < 4MB and
+        4 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_gelsemium_wolfsbane_launcher.yar b/yara_rules/apt_gelsemium_wolfsbane_launcher.yar
new file mode 100644
index 0000000..8930faf
--- /dev/null
+++ b/yara_rules/apt_gelsemium_wolfsbane_launcher.yar
@@ -0,0 +1,22 @@
+rule apt_gelsemium_wolfsbane_launcher {
+    meta:
+        id = "26fbf4df-aa08-47b6-a73c-e8f80a408454"
+        version = "1.0"
+        description = "Detects Gelsemium's WolfsBane launcher"
+        author = "Sekoia.io"
+        creation_date = "2024-11-22"
+        classification = "TLP:CLEAR"
+        hash = "87e437cf74ce4b1330b8af9ff71edae2"
+        
+    strings:
+        $ = "rm -f /dev/shm/sem*%s"
+        $ = "/etc/ld.so.preload"
+        $ = "kill -9 %d 2>/dev/null"
+        $ = "/,1d' %s 2>/dev/null"
+        
+    condition:
+        uint32be(0) == 0x7F454C46 and 
+        filesize < 500KB and 
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_gelsemium_wolfsbane_rootkit.yar b/yara_rules/apt_gelsemium_wolfsbane_rootkit.yar
new file mode 100644
index 0000000..816a3cb
--- /dev/null
+++ b/yara_rules/apt_gelsemium_wolfsbane_rootkit.yar
@@ -0,0 +1,25 @@
+rule apt_gelsemium_wolfsbane_rootkit {
+    meta:
+        id = "e93f4515-62f5-4057-a464-aae11cbe0639"
+        version = "1.0"
+        description = "Detects Gelsemium's WolfsBane rootkit"
+        author = "Sekoia.io"
+        creation_date = "2024-11-22"
+        classification = "TLP:CLEAR"
+        hash = "ba08e63ad65a9bdcdb1655f25d32c808"
+        
+    strings:
+        $ = "__non_hooked_symbols"
+        $ = "__hidden_literals"
+        $ = "extract_type_2_socket_inode2"
+        $ = "/proc/%s/fd"
+        $ = "pluginkey" wide
+        $ = "mainpath" wide
+        $ = "hiderpath" wide
+        
+    condition:
+        uint32be(0) == 0x7f454c46 and 
+        filesize < 1MB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_globalshadow.yar b/yara_rules/apt_globalshadow.yar
new file mode 100644
index 0000000..ac51fd6
--- /dev/null
+++ b/yara_rules/apt_globalshadow.yar
@@ -0,0 +1,29 @@
+rule apt_globalshadow {
+    meta:
+        id = "2fef6192-25a6-4d6a-8e19-53ad51617d90"
+        version = "1.0"
+        description = "Detects the GLOBALSHADOW malware"
+        author = "Sekoia.io"
+        creation_date = "2024-09-04"
+        classification = "TLP:CLEAR"
+        hash = "68c16b6f178c88c12c9555169887c321"
+        
+    strings:
+        $command1 = "time to rest"  wide
+        $command2 = "pw" wide
+        $command3 = "pr" wide
+        $command4 = "dnld" wide
+        $step1 = "step1-" wide
+        $step2 = "step2-" wide
+        $step3 = "step3-" wide
+        $step4 = "step4-" wide
+        $step5 = "step5-" wide
+        $step6 = "step6-" wide
+        $delim = "]#@#[" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and 
+        2 of ($command*) and 3 of ($step*) and $delim and
+        true
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_gobrat_2.yar b/yara_rules/apt_gobrat_2.yar
new file mode 100644
index 0000000..a1c294f
--- /dev/null
+++ b/yara_rules/apt_gobrat_2.yar
@@ -0,0 +1,17 @@
+rule apt_gobrat_2 {
+    meta:
+        id = "6b7e38f5-00bc-49c8-b34d-3e878bf426d8"
+        version = "1.0"
+        description = "Detects GobRat related files"
+        author = "Sekoia.io"
+        creation_date = "2024-09-10"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "thisisweird" ascii
+        $ = "ZzZzZzZzZzZz"
+        
+    condition:
+        all of them and uint32be(0) == 0x7f454c46
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_granitetyphoon_pingpulllinux_strings.yar b/yara_rules/apt_granitetyphoon_pingpulllinux_strings.yar
new file mode 100644
index 0000000..6ee6b6b
--- /dev/null
+++ b/yara_rules/apt_granitetyphoon_pingpulllinux_strings.yar
@@ -0,0 +1,26 @@
+rule apt_granitetyphoon_pingpulllinux_strings {
+    meta:
+        id = "ee213206-d9ad-47fa-bea1-61a9d2cfba58"
+        version = "1.0"
+        description = "Detects PingPull Linux variant"
+        author = "Sekoia.io"
+        creation_date = "2023-05-25"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "chkconfig --add %s"
+        $ = "chkconfig %s on"
+        $ = "update-rc.d %s enable"
+        $ = "service %s start"
+        $ = "respawn limit 10 10"
+        $ = "POST /%s HTTP/1.1"
+        $ = "PROJECT_%s_%s_%08X"
+        $ = "Description=The HTTP(S) Client"
+        $ = "exec %s -f"
+        
+    condition:
+        uint32be(0) == 0x7f454c46 and
+        filesize < 11MB and
+        7 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_granitetyphoon_sword2023_strings.yar b/yara_rules/apt_granitetyphoon_sword2023_strings.yar
new file mode 100644
index 0000000..ee613d4
--- /dev/null
+++ b/yara_rules/apt_granitetyphoon_sword2023_strings.yar
@@ -0,0 +1,22 @@
+rule apt_granitetyphoon_sword2023_strings {
+    meta:
+        id = "417b355f-9eb8-40ae-bc3b-f7f23b5ca63e"
+        version = "1.0"
+        description = "Detects Sword2023 malware based on strings"
+        author = "Sekoia.io"
+        creation_date = "2023-05-25"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "TERM=linux"
+        $ = ";echo"
+        $ = "sh:time out"
+        $ = "sh:read stdout error"
+        $ = "/proc/sys/kernel/random/uuid"
+        
+    condition:
+        (uint32be(0) == 0x7f454c46) and
+        filesize < 100KB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_icepeony_icecache.yar b/yara_rules/apt_icepeony_icecache.yar
new file mode 100644
index 0000000..65b3f3f
--- /dev/null
+++ b/yara_rules/apt_icepeony_icecache.yar
@@ -0,0 +1,47 @@
+rule apt_icepeony_icecache {
+    meta:
+        id = "3135c70e-c925-4d26-beed-09424fc0c153"
+        version = "1.0"
+        description = "Detects IceCache backdoor"
+        author = "Sekoia.io"
+        creation_date = "2024-10-21"
+        classification = "TLP:CLEAR"
+        hash = "38708c33dafb5625ddde1030a7efa7db"
+        hash = "1e102c8909b2bf71c626b81f7526ee01"
+        hash = "34bc3c586a48f836b00aff59fe891b30"
+        hash = "cd906f4cef84dddeb644b06777474b2e"
+        hash = "add23fedfbf238f51173796f3feb12af"
+        hash = "25b8daaa5e9c5f8820261d7ebf79f3cd"
+        hash = "7fd45cc1de1230c916d5f547a9fc725c"
+        hash = "e6e4060e838d7af5f13ad64258d5db0c"
+        hash = "87dfc911885420380bea0cf74c8160d3"
+        hash = "bd15103b300cad635191972330913d17"
+        hash = "a8119b7803a6e0b8aed6bc74d9062b7f"
+        hash = "e1bc3efc33b57c9e1e6d37e5011228f2"
+        hash = "e1233a5f613aafec2c28133e810f536d"
+        hash = "fe88a5b91841b25b4bafa08d42faab22"
+        
+    strings:
+        $ = "Source Response Empty!"
+        $ = "Source Response Len:"
+        $ = "GetFromSource:"
+        $ = "Failed add header!"
+        $ = "Failed receive response:"
+        $ = "Error: Status Code :"
+        $ = "WinHttpAddRequestHeaders"
+        $ = "X-FORWARDED-HOST:"
+        $ = "PROXY_DEL_CONTENT"
+        $ = "PROXY_CLEAR_CONTENT"
+        $ = "PROXY_SET_JS"
+        $ = "PROXY_GET_JS"
+        $ = "PROXY_ALLOW_PC"
+        $ = "Parse IP failed :"
+        $ = "Clear Proxy Contents Success!"
+        $ = "FILE_UPLOAD"
+        $ = "FILE_DOWNLOAD"
+        
+    condition:
+        uint16be(0) == 0x4d5a and filesize < 1MB and
+        6 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_icepeony_iceevent.yar b/yara_rules/apt_icepeony_iceevent.yar
new file mode 100644
index 0000000..995cded
--- /dev/null
+++ b/yara_rules/apt_icepeony_iceevent.yar
@@ -0,0 +1,25 @@
+rule apt_icepeony_iceevent {
+    meta:
+        id = "7d1f8b90-fde4-4d5c-a8a3-375db8aa88a1"
+        version = "1.0"
+        description = "Detects IceEvent Backdoor"
+        author = "Sekoia.io"
+        creation_date = "2024-10-21"
+        classification = "TLP:CLEAR"
+        hash = "07c291c9cea4430676c303128bbbb8e3"
+        hash = "489b573b37ab8bc74cca3704e723b895"
+        hash = "265f6cf778d26e62903fb295f89507e3"
+        hash = "f5eb28dd29c91cc84818b74d7f138ff6"
+        
+    strings:
+        $ = "Created a process" ascii fullword
+        $ = "CreateProcess failed: %d"
+        $ = "bind error:"
+        $ = "Error creating pip: %d"
+        $ = "listen error:"
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        4 of them and filesize < 500KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_implant_xdealer_linux_variant_strings.yar b/yara_rules/apt_implant_xdealer_linux_variant_strings.yar
new file mode 100644
index 0000000..ada9c8b
--- /dev/null
+++ b/yara_rules/apt_implant_xdealer_linux_variant_strings.yar
@@ -0,0 +1,22 @@
+rule apt_implant_xdealer_linux_variant_strings {
+    meta:
+        id = "42690513-753f-4296-b641-4d3b59a5e5e1"
+        version = "1.0"
+        description = "Detects XDealer linux variant"
+        author = "Sekoia.io"
+        creation_date = "2024-03-22"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "ls -l /proc/%s/exe"
+        $ = "Linux_%s_%s_%u"
+        $ = "chkconfig --add"
+        $ = "cmd over return [%s]"
+        $ = "touch   -d"
+        $ = "%s can't be opened/n"
+        $ = "/proc/%s/status"
+        
+    condition:
+        uint32be(0) == 0x7f454c46 and 3 of them and filesize < 1MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_implant_xdealer_stealer_strings.yar b/yara_rules/apt_implant_xdealer_stealer_strings.yar
new file mode 100644
index 0000000..bfd4fa9
--- /dev/null
+++ b/yara_rules/apt_implant_xdealer_stealer_strings.yar
@@ -0,0 +1,21 @@
+rule apt_implant_xdealer_stealer_strings {
+    meta:
+        id = "6314cf6c-2c3b-4e9a-87a1-b56ee148474c"
+        version = "1.0"
+        description = "Detects stealer module of XDealer"
+        author = "Sekoia.io"
+        creation_date = "2024-03-22"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "%sbmp.tmp"
+        $ = "%sjgp.tmp"
+        $ = "%sma_%s_%05u_%u."
+        $ = "%s%s_%05u_%u."
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 500KB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_implant_xdealer_strings.yar b/yara_rules/apt_implant_xdealer_strings.yar
new file mode 100644
index 0000000..d9fabf0
--- /dev/null
+++ b/yara_rules/apt_implant_xdealer_strings.yar
@@ -0,0 +1,21 @@
+rule apt_implant_xdealer_strings {
+    meta:
+        id = "06ef72ca-b4e3-493b-8e01-d34b98259c6d"
+        version = "1.0"
+        description = "Detects XDealer based on strings"
+        author = "Sekoia.io"
+        creation_date = "2024-03-22"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "unknow_PC"
+        $ = "rdp-tcp#"
+        $ = "Din_%s_%s_%u_"
+        $ = "nslookup %s %s"
+        $ = "XFByb2dyYW1EYXRhXA=="
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        3 of them and filesize < 1MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_implant_xdealer_vbs_launcher_strings.yar b/yara_rules/apt_implant_xdealer_vbs_launcher_strings.yar
new file mode 100644
index 0000000..aaa7663
--- /dev/null
+++ b/yara_rules/apt_implant_xdealer_vbs_launcher_strings.yar
@@ -0,0 +1,18 @@
+rule apt_implant_xdealer_vbs_launcher_strings {
+    meta:
+        id = "ebfc8a33-70dc-44d5-bc4a-07afc56f8254"
+        version = "1.0"
+        description = "Detects XDealer VBS Launcher"
+        author = "Sekoia.io"
+        creation_date = "2024-03-22"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "Dim objws"
+        $s2 = "Set objws="
+        $s3 = "objws.Run \"\"\"C:\\ProgramData\\"
+        
+    condition:
+       $s1 at 0 and all of them and filesize < 200
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_ir_sugarush_implant.yar b/yara_rules/apt_ir_sugarush_implant.yar
new file mode 100644
index 0000000..aeea587
--- /dev/null
+++ b/yara_rules/apt_ir_sugarush_implant.yar
@@ -0,0 +1,22 @@
+rule apt_ir_sugarush_implant {
+    meta:
+        id = "bcf057cc-272c-4cb6-bb76-928788675282"
+        version = "1.0"
+        description = "Detects the SUGARUSH implant"
+        author = "Sekoia.io"
+        creation_date = "2022-08-23"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "You are offline at " wide
+        $ = "\\Logs\\ServiceLog_" wide
+        $ = "Service is recall at" wide
+        $ = "add_OutputDataReceived" ascii
+        $ = "get_CurrentDomain" ascii
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 100KB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_ivanti_krustyloader.yar b/yara_rules/apt_ivanti_krustyloader.yar
new file mode 100644
index 0000000..d03e5b3
--- /dev/null
+++ b/yara_rules/apt_ivanti_krustyloader.yar
@@ -0,0 +1,29 @@
+rule apt_ivanti_krustyloader {
+    meta:
+        id = "617fdd5f-7555-49e8-b0ec-2199f017dc40"
+        version = "1.0"
+        description = "Detects KrustyLoader used in the Ivanti campaign"
+        author = "Sekoia.io"
+        creation_date = "2024-01-29"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "/proc/self/exe" ascii fullword
+        $s2 = "||||||||||||||"
+        $s3 = "/tmp/"
+        $xor = {40 80 f5}
+        $chunk_1 = {
+        66 0F EF D0
+        66 0F 6F C3
+        66 0F 73 F8 0C
+        66 0F EF C1
+        66 0F EF C2
+        66 0F EF C3
+        } // used for crypto but not specific to Krustyloader
+        
+    condition:
+        uint32be(0) == 0x7f454c46 and filesize < 2MB and all of them
+        and #xor > 2 and #chunk_1 > 6
+        and @s3 < @s2 and @s2 < @s3+300 //$s2 is less than 300 bytes after $s3
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_kimsuky_fpspy.yar b/yara_rules/apt_kimsuky_fpspy.yar
new file mode 100644
index 0000000..ed7ef11
--- /dev/null
+++ b/yara_rules/apt_kimsuky_fpspy.yar
@@ -0,0 +1,23 @@
+rule apt_kimsuky_fpspy {
+    meta:
+        id = "75d41851-a7a6-4068-8ea5-6a3e6e62a965"
+        version = "1.0"
+        description = "Detects FPSpy, a backdoor used by Kimsuky"
+        author = "Sekoia.io"
+        creation_date = "2024-09-27"
+        classification = "TLP:CLEAR"
+        hash = "6d6c1b175e435f5564341cc1f2c33ddf"
+        hash = "54c58b72f98cb63c44e7694add551e9d"
+        
+    strings:
+        $ = "Chrome/31.0." wide
+        $ = "%srundll32.exe %s, %s %%1" wide
+        $ = "MazeFunc" wide
+        $ = "sys.dll" wide
+        $ = "KLog" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        4 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_kimsuky_klogexe.yar b/yara_rules/apt_kimsuky_klogexe.yar
new file mode 100644
index 0000000..fe7d750
--- /dev/null
+++ b/yara_rules/apt_kimsuky_klogexe.yar
@@ -0,0 +1,33 @@
+rule apt_kimsuky_klogexe {
+    meta:
+        id = "f6e3b1a5-43b6-4dac-83c2-a365c41de38d"
+        version = "1.0"
+        description = "Detects KLogExe, a keylogger used by Kimsuky"
+        author = "Sekoia.io"
+        creation_date = "2024-09-27"
+        classification = "TLP:CLEAR"
+        hash = "e1d683ee1746c08c5fff1c4c2b3b02f0"
+        hash = "90946c6358eacd119fe1eb36ec7a0a18"
+        hash = "9760f489a390665b5e7854429b550c83"
+        
+    strings:
+        //$ = "GetAsyncKeyState" ascii wide
+        //$ = "desktops.ini" ascii wide
+        $event = "Norton_BreakHelper" ascii wide
+        $log = "------ %d/%d/%d : %d/%d ------" ascii wide
+        
+        $keylog_1 = "[RM+]"
+        $keylog_2 = "[Tab+]"
+        $keylog_3 = "[Home+]"
+        $keylog_4 = "[End+]"
+        $keylog_5 = "[clip_s]: %s "
+        $keylog_6 = "%s[Too many clip_tail]"
+        $keylog_7 = "%s[F%d]"
+        
+        $user_agent = "Chrome/31.0." wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and filesize < 600KB and 
+        8 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_kimsuky_malicious_gotopwsh_lnk.yar b/yara_rules/apt_kimsuky_malicious_gotopwsh_lnk.yar
new file mode 100644
index 0000000..87444fe
--- /dev/null
+++ b/yara_rules/apt_kimsuky_malicious_gotopwsh_lnk.yar
@@ -0,0 +1,16 @@
+rule apt_kimsuky_malicious_gotopwsh_lnk {
+    meta:
+        id = "cfe9adf5-2c06-4d04-8006-c4eea0dab549"
+        version = "1.0"
+        description = "Detects malicious LNK used by Kimsuky"
+        author = "Sekoia.io"
+        creation_date = "2023-09-11"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = {67 00 6f 00 74 00 6f 00 26 00 70 00 5e 00 6f 00 77 00 5e 00 65 00 5e 00 72 00 73 00 5e 00 68 00 65 00 5e 00 6c 00 5e 00 6c}
+        
+    condition:
+        uint32be(0) == 0x4c000000 and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_kimsuky_malicious_vba.yar b/yara_rules/apt_kimsuky_malicious_vba.yar
new file mode 100644
index 0000000..185ea53
--- /dev/null
+++ b/yara_rules/apt_kimsuky_malicious_vba.yar
@@ -0,0 +1,19 @@
+rule apt_kimsuky_malicious_vba {
+    meta:
+        id = "2dbe2431-3592-4395-8164-49abae4a5a3d"
+        version = "1.0"
+        description = "Detects malicious VBA used by Kimsuky"
+        author = "Sekoia.io"
+        creation_date = "2022-08-30"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "Certutil -decode %TMP%"
+        $ = "%LOCALAPPDATA%\\Microsoft\\Office"
+        
+    condition:
+        uint32be(0) == 0xD0CF11E0 and 
+        filesize < 1MB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_kimsuky_powershell.yar b/yara_rules/apt_kimsuky_powershell.yar
new file mode 100644
index 0000000..8f2b470
--- /dev/null
+++ b/yara_rules/apt_kimsuky_powershell.yar
@@ -0,0 +1,22 @@
+rule apt_kimsuky_powershell {
+    meta:
+        id = "b7f812e0-d08b-40fe-908a-dc5765d6bc66"
+        version = "1.0"
+        description = "Powershell scripts used by Kimsuky. If size < 3KB ok. If between 3 and 15, a check is needed"
+        author = "Sekoia.io"
+        creation_date = "2024-09-23"
+        classification = "TLP:CLEAR"
+        hash = "6babb53d881448dc58dd7c32fcd4208a"
+        hash = "29ec7a4495ea512d44d33c9847893200"
+        hash = "fde68771cebd7ecd81721b0dff5b7869"
+        hash = "0c3fd7f45688d5ddb9f0107877ce2fbd"
+        hash = "1a1723be720c1d9cd57cf4a6a112df79"
+        
+    strings:
+        $ = ".ToCharArray();[array]::Reverse(" ascii
+        $ = ");$res = -join ($bytes -as [char[]]);Invoke-Expression $res;" ascii
+        
+    condition:
+        all of them and filesize < 15KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_kimsuky_powershell_dropper_strings.yar b/yara_rules/apt_kimsuky_powershell_dropper_strings.yar
new file mode 100644
index 0000000..f6d01e3
--- /dev/null
+++ b/yara_rules/apt_kimsuky_powershell_dropper_strings.yar
@@ -0,0 +1,22 @@
+rule apt_kimsuky_powershell_dropper_strings {
+    meta:
+        id = "8b346e05-215b-46c0-82bf-fce3a65440f3"
+        version = "1.0"
+        description = "Detects a PowerShell dropper used by Kimsuky"
+        author = "Sekoia.io"
+        creation_date = "2024-06-11"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "try { " ascii wide
+        $s2 = "); } catch(e){} } if ("
+        $s3 = "WScript.Sleep("
+        $s4 = " } catch(e) { }"
+        
+    condition:
+        filesize > 500KB and
+        $s1 at 0 and $s2 in (filesize-1000..filesize)
+                 and $s3 in (filesize-1000..filesize)
+                 and $s4 in (filesize-1000..filesize)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_kimsuky_sharpext_compromised_securepreferences.yar b/yara_rules/apt_kimsuky_sharpext_compromised_securepreferences.yar
new file mode 100644
index 0000000..0c4ef56
--- /dev/null
+++ b/yara_rules/apt_kimsuky_sharpext_compromised_securepreferences.yar
@@ -0,0 +1,18 @@
+rule apt_kimsuky_sharpext_compromised_securepreferences {
+    meta:
+        id = "aeda5d15-82e1-4ffc-8252-1eb4fc78d024"
+        version = "1.0"
+        description = "Detects compromised Chrome SecurePreferences file"
+        author = "Sekoia.io"
+        creation_date = "2022-07-29"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "\"devtools\", \"tabs\", \"webNavigation\", \"webRequest\", \"webRequestBlocking\""
+        $ = "AppData\\\\Roaming"
+        $ = "https://*/*"
+        
+    condition:
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_kimsuky_sharpext_devps1_strings.yar b/yara_rules/apt_kimsuky_sharpext_devps1_strings.yar
new file mode 100644
index 0000000..060b2b2
--- /dev/null
+++ b/yara_rules/apt_kimsuky_sharpext_devps1_strings.yar
@@ -0,0 +1,19 @@
+rule apt_kimsuky_sharpext_devps1_strings {
+    meta:
+        id = "f2ad32a4-bfca-40b2-964e-b8562538a6f2"
+        version = "1.0"
+        description = "Detects strings of Dev.ps1"
+        author = "Sekoia.io"
+        creation_date = "2022-07-29"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "keybd_Event(" ascii fullword
+        $s2 = "Sleep" ascii fullword
+        $s3 = "CreateDev" ascii fullword
+        
+    condition:
+        filesize < 10KB and 
+        #s1 == 6 and #s2 == 6 and $s3
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_kimsuky_sharpext_devtoolmodule_strings.yar b/yara_rules/apt_kimsuky_sharpext_devtoolmodule_strings.yar
new file mode 100644
index 0000000..093ebfa
--- /dev/null
+++ b/yara_rules/apt_kimsuky_sharpext_devtoolmodule_strings.yar
@@ -0,0 +1,18 @@
+rule apt_kimsuky_sharpext_devtoolmodule_strings {
+    meta:
+        id = "6f589a9c-344a-4ddc-929e-f123a2c3c187"
+        version = "1.0"
+        description = "Detects the DevTool module used by SharpExt"
+        author = "Sekoia.io"
+        creation_date = "2022-07-29"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "packetProc = function" ascii fullword
+        $ = "var url = request.request.url" ascii fullword
+        $ = "https://mail" ascii fullword
+        
+    condition:
+        all of them and filesize < 50KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_kimsuky_sharpext_jsexfil_strings.yar b/yara_rules/apt_kimsuky_sharpext_jsexfil_strings.yar
new file mode 100644
index 0000000..e63c3df
--- /dev/null
+++ b/yara_rules/apt_kimsuky_sharpext_jsexfil_strings.yar
@@ -0,0 +1,19 @@
+rule apt_kimsuky_sharpext_jsexfil_strings {
+    meta:
+        id = "c9ebd123-6450-4424-93d1-60322bd97bf6"
+        version = "1.0"
+        description = "Detects the exfiltration JS code of SharpExt"
+        author = "Sekoia.io"
+        creation_date = "2022-07-29"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "var req_url" ascii fullword
+        $ = "var newReqId" ascii fullword
+        $ = "chrome.tabs.query" ascii fullword
+        $ = "payload.message.flags = new Object();" ascii fullword
+        
+    condition:
+        all of them and filesize < 50KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_kimsuky_sharptongue_c2_source.yar b/yara_rules/apt_kimsuky_sharptongue_c2_source.yar
new file mode 100644
index 0000000..649a449
--- /dev/null
+++ b/yara_rules/apt_kimsuky_sharptongue_c2_source.yar
@@ -0,0 +1,19 @@
+rule apt_kimsuky_sharptongue_c2_source {
+    meta:
+        id = "a2ccf773-511c-4088-8bcf-b923291d024b"
+        version = "1.0"
+        description = "Detects the PHP code of the SharpTongue C2"
+        author = "Sekoia.io"
+        creation_date = "2022-07-29"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "<?php"
+        $ = "foreach($_GET as $variable => $value)"
+        $ = "$chk=$value"
+        $ = "base64_encode($ip)"
+        
+    condition:
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_kimsuky_sharptongue_strings.yar b/yara_rules/apt_kimsuky_sharptongue_strings.yar
new file mode 100644
index 0000000..56e48ab
--- /dev/null
+++ b/yara_rules/apt_kimsuky_sharptongue_strings.yar
@@ -0,0 +1,19 @@
+rule apt_kimsuky_sharptongue_strings {
+    meta:
+        id = "56027edb-4e6e-40ec-a1b9-36c52b0dd3ec"
+        version = "1.0"
+        description = "Detects SharpTongue variants."
+        author = "Sekoia.io"
+        creation_date = "2022-07-29"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "Post0.Open" ascii wide
+        $s2 = ".php?op=" ascii wide
+        $s3 = "s=s&Mid(c,ix*d+jx+1,1)" ascii wide
+        $s4 = "curl -o " ascii wide
+        
+    condition:
+        $s2 in (@s1..@s1+200) or $s2 in (@s4..@s4+200) or $s3 and filesize < 500KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_kimsuky_sharptongue_vbslauncher_strings.yar b/yara_rules/apt_kimsuky_sharptongue_vbslauncher_strings.yar
new file mode 100644
index 0000000..c0ce8e2
--- /dev/null
+++ b/yara_rules/apt_kimsuky_sharptongue_vbslauncher_strings.yar
@@ -0,0 +1,18 @@
+rule apt_kimsuky_sharptongue_vbslauncher_strings {
+    meta:
+        id = "82bd648c-2961-4945-950e-8fb1e4650338"
+        version = "1.0"
+        description = "Detects VBS Launchers used by SharpTongue"
+        author = "Sekoia.io"
+        creation_date = "2022-07-29"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "powershell" ascii wide
+        $ = "On Error Resume Next" ascii wide
+        $ = "oShell.run(tmp0,0" ascii wide
+        
+    condition:
+        all of them and filesize < 10KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_kimsuky_toddlershark_obfuscated.yar b/yara_rules/apt_kimsuky_toddlershark_obfuscated.yar
new file mode 100644
index 0000000..71b12b5
--- /dev/null
+++ b/yara_rules/apt_kimsuky_toddlershark_obfuscated.yar
@@ -0,0 +1,19 @@
+rule apt_kimsuky_toddlershark_obfuscated {
+    meta:
+        id = "9ab82466-4f38-4597-b75b-13252e180c70"
+        version = "1.0"
+        description = "Detects obfuscated version of Kimsuky TODDLERSHARK vbs malware"
+        author = "Sekoia.io"
+        creation_date = "2024-03-06"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = { 3a 20 [3-10] 20 3d 20 22 [3-30] 22 3a }
+        $s2 = { 45 78 65 63 75 74 65 28  [3-15] 28 22 }
+        $s3 = { 50 72 69 76 61 74 65 20 46 75 6e 63 74 69 6f 6e 20 [3-15] 28 42 79 56 61 6c 20 [3-15] 29 3a }
+        $s4 = "& Chr(\"&H\" & Mid("
+        
+    condition:
+        #s4 == 1 and #s3 == 1 and #s2 == 1 and #s1 > 20 and filesize < 1MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_kimsuky_toddlershark_strings.yar b/yara_rules/apt_kimsuky_toddlershark_strings.yar
new file mode 100644
index 0000000..00e9d68
--- /dev/null
+++ b/yara_rules/apt_kimsuky_toddlershark_strings.yar
@@ -0,0 +1,21 @@
+rule apt_kimsuky_toddlershark_strings {
+    meta:
+        id = "2db1a424-9e83-4168-8ebf-d3b415b6a576"
+        version = "1.0"
+        description = "Detects Kimsuky TODDLERSHARK vbs malware"
+        author = "Sekoia.io"
+        creation_date = "2024-03-06"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "On Error Resume Next"
+        $ = ".open \"POST\", \"http"
+        $ = ".setRequestHeader"
+        $ = ".send"
+        $ = "Execute("
+        $ = ".responseText)"
+        
+    condition:
+        all of them and filesize < 450
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_kimsuky_validator_strings.yar b/yara_rules/apt_kimsuky_validator_strings.yar
new file mode 100644
index 0000000..38f6653
--- /dev/null
+++ b/yara_rules/apt_kimsuky_validator_strings.yar
@@ -0,0 +1,18 @@
+rule apt_kimsuky_validator_strings {
+    meta:
+        id = "e055f2d4-8318-4342-812e-0f621d7886b4"
+        version = "1.0"
+        description = "Detects Kimsuky validator"
+        author = "Sekoia.io"
+        creation_date = "2024-06-11"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "%s%sc %s >%s 2>&1" wide
+        $ = "%s%sc %s 2>%s" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_kimsuky_vbs.yar b/yara_rules/apt_kimsuky_vbs.yar
new file mode 100644
index 0000000..3ecefef
--- /dev/null
+++ b/yara_rules/apt_kimsuky_vbs.yar
@@ -0,0 +1,24 @@
+rule apt_kimsuky_vbs {
+    meta:
+        id = "3f92dbda-2ddb-4fa3-a587-743f65ced9e4"
+        version = "1.0"
+        description = "VBS files used by Kimsuky"
+        author = "Sekoia.io"
+        creation_date = "2024-09-23"
+        classification = "TLP:CLEAR"
+        hash = "12386be22ca82fce98a83a5a19e632bc"
+        hash = "7b5783d42240651af78ebf7e01b31fe8"
+        hash = "ff7d68e5fb253664ce64c85457b28041"
+        hash = "622358469e5e24114dd0eb03da815576"
+        hash = "edbb2aa40408e2a7936067ace38b445b"
+        hash = "73ed9b012785dc3b3ee33aa52700cfe4"
+        
+    strings:
+        $ = ")):Next:Execute " ascii
+        $ = "=\"\":" ascii
+        $ = "\":for "
+        
+    condition:
+        all of them and filesize < 10KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_kimsuky_vbs_powershell_downloader.yar b/yara_rules/apt_kimsuky_vbs_powershell_downloader.yar
new file mode 100644
index 0000000..b4137f0
--- /dev/null
+++ b/yara_rules/apt_kimsuky_vbs_powershell_downloader.yar
@@ -0,0 +1,19 @@
+rule apt_kimsuky_vbs_powershell_downloader {
+    meta:
+        id = "4c9af11f-802b-4ffe-9783-90fc2ee53809"
+        version = "1.0"
+        description = "Detects VBS/Powershell Downloader used by Kimsuky"
+        author = "Sekoia.io"
+        creation_date = "2022-08-30"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "& WScript.ScriptFullName &" ascii fullword
+        $ = "/c schtasks /create /sc minute /mo 5 /tn"
+        $ = "pOwErsHeLl -ep bypass -encodedCommand"
+        
+    condition:
+        filesize < 200KB and
+        2 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_konni.yar b/yara_rules/apt_konni.yar
new file mode 100644
index 0000000..96f0079
--- /dev/null
+++ b/yara_rules/apt_konni.yar
@@ -0,0 +1,26 @@
+rule apt_konni {
+    meta:
+        id = "6a20c492-e932-41bd-ac4a-01d35bfb0c49"
+        version = "1.0"
+        description = "Rule based on structure offsets and file extension"
+        author = "Sekoia.io"
+        creation_date = "2022-09-12"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ext_1 = ".zip" wide ascii fullword
+        $ext_2 = ".cab" wide ascii fullword
+        $ext_3 = ".rar" wide ascii fullword
+        $ext_4 = ".ini" wide ascii fullword
+        $ext_5 = ".dat" wide ascii fullword
+        
+        
+        $offset_structure_1 = { 8d ?? 08 02 00 00 } //offset 0x208
+        $offset_structure_2 = { 8d ?? 10 04 00 00 } //offset 0x410
+        $offset_structure_3 = { 8d ?? 18 06 00 00 } //offset 0x618
+        $url = "%s/dn.php?name=%s&prefix=%s" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and filesize < 3MB and 3 of ($ext_*) and all of ($offset_structure_*) and $url
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_konni_check_bat.yar b/yara_rules/apt_konni_check_bat.yar
new file mode 100644
index 0000000..5aecdff
--- /dev/null
+++ b/yara_rules/apt_konni_check_bat.yar
@@ -0,0 +1,24 @@
+rule apt_konni_check_bat {
+    meta:
+        id = "f05e6ba2-c128-4c17-8f74-f7640103c859"
+        version = "1.0"
+        description = "Script used to performs check before executing Konni"
+        author = "Sekoia.io"
+        creation_date = "2023-11-27"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = ":64BIT"
+        $ = ":32BIT"
+        $ = ":INSTALL"
+        $ = ":EXIT"
+        $ = "netpp.dll"
+        $ = "wpns.dll"
+        $ = "netpp64.dll"
+        $ = "wpns64.dll"
+        $ = "rundll32"
+        
+    condition:
+        filesize < 1MB and 7 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_konni_dropper.yar b/yara_rules/apt_konni_dropper.yar
new file mode 100644
index 0000000..bd194dc
--- /dev/null
+++ b/yara_rules/apt_konni_dropper.yar
@@ -0,0 +1,20 @@
+rule apt_konni_dropper {
+    meta:
+        id = "0783a55e-1d1e-40ca-a661-2c5dec6d78d6"
+        version = "1.0"
+        description = "Detects Konni dropper used when distributed via malicious document"
+        author = "Sekoia.io"
+        creation_date = "2023-11-27"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "UnzipAFile"
+        $ = "check.bat"
+        $ = "FOF_SILENT"
+        $ = "fLieObj"
+        
+    condition:
+        
+        filesize < 1MB and 3 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_lazarus_backdoored_jslib.yar b/yara_rules/apt_lazarus_backdoored_jslib.yar
new file mode 100644
index 0000000..4888000
--- /dev/null
+++ b/yara_rules/apt_lazarus_backdoored_jslib.yar
@@ -0,0 +1,18 @@
+rule apt_lazarus_backdoored_jslib {
+    meta:
+        id = "73ffd449-93c8-494e-9c14-2e933b21a200"
+        version = "1.0"
+        description = "Detects InvisibleFerret based on common ressource."
+        author = "Sekoia.io"
+        creation_date = "2024-10-28"
+        classification = "TLP:CLEAR"
+        hash = "52e92be527690f4e63608cbc699e2f70"
+        
+    strings:
+        $obf = "(function(_0x" ascii
+        $exp = "module.exports =" ascii
+        
+    condition:
+        $exp in (filesize-500..filesize) and #obf == 1
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_lazarus_blindingcan_rtti.yar b/yara_rules/apt_lazarus_blindingcan_rtti.yar
new file mode 100644
index 0000000..f74cf33
--- /dev/null
+++ b/yara_rules/apt_lazarus_blindingcan_rtti.yar
@@ -0,0 +1,17 @@
+rule apt_lazarus_blindingcan_rtti {
+    meta:
+        id = "9a16c189-ffc1-4aa6-8582-298abaecd0ef"
+        version = "1.0"
+        description = "Detects BLINDINGCAN with RTTI"
+        author = "Sekoia.io"
+        creation_date = "2022-10-04"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = ".?AVCHTTP_Protocol@@" ascii wide fullword
+        $s2 = ".?AVCFileRW@@" ascii wide fullword
+        
+    condition:
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_lazarus_dangerouspassword_lnk.yar b/yara_rules/apt_lazarus_dangerouspassword_lnk.yar
new file mode 100644
index 0000000..6668451
--- /dev/null
+++ b/yara_rules/apt_lazarus_dangerouspassword_lnk.yar
@@ -0,0 +1,22 @@
+rule apt_lazarus_dangerouspassword_lnk {
+    meta:
+        id = "32533880-7f75-4682-a7ae-9868d0b5174b"
+        version = "1.0"
+        description = "Detects Lazarus DangerousPassword LNKs"
+        author = "Sekoia.io"
+        creation_date = "2022-07-26"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = {6D 00 73 00 68 00 2A}
+        $s2 = {25 00 70 00 75 00 62 00 6C 00 69 00 63 00 25}
+        $s3 = {44 00 4F 00 20 00 73 00 74 00 61 00 72 00 74}
+        $b1 = {2F 00 63 00 20 00 73 00 74 00 61 00 72 00 74 00 20 00 2F 00 62 00 20 00 6D 00 73 00 68 00 74 00 61}
+        $c1 = {68 00 74 00 74 00 70 00 73 00 3A 00 2F 00 2F 00 62 00 69 00 74 00 2E 00 6C 00 79 00 2F}
+        
+    condition:
+        uint32be(0)== 0x4C000000 and
+        filesize > 1KB and filesize < 40MB and
+        (all of ($s*) or $b1 or ($s1 and $c1))
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_lazarus_dll_c2_comms.yar b/yara_rules/apt_lazarus_dll_c2_comms.yar
new file mode 100644
index 0000000..485f02e
--- /dev/null
+++ b/yara_rules/apt_lazarus_dll_c2_comms.yar
@@ -0,0 +1,34 @@
+rule apt_lazarus_dll_c2_comms {
+    meta:
+        id = "9b379aa8-77ce-4c76-ab13-05e35ebfbdfe"
+        version = "1.0"
+        description = "Detects DLL communicating with the C2"
+        author = "Sekoia.io"
+        creation_date = "2023-04-04"
+        classification = "TLP:CLEAR"
+        hash1 = "fe948451df90df80c8028b969bf89ecbf501401e7879805667c134080976ce2e"
+        hash2 = "bb1066c1ca53139dc5a2c1743339f4e6360d6fe4f2f3261d24fc28a12f3e2ab9"
+        hash3 = "dca33d6dacac0859ec2f3104485720fe2451e21eb06e676f4860ecc73a41e6f9"
+        hash4 = "69dd140f45c3fa3aaa64c69f860cd3c74379dec37c46319d7805a29b637d4dbf"
+        
+    strings:
+        $x1 = "vG2eZ1KOeGd2n5fr" ascii fullword
+        $s1 = "Windows %d(%d)-%s" ascii fullword
+        $s2 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" wide fullword
+        
+        $op1 = {B8 C8 00 00 00 83 FB 01 44 0F 47 E8 41 8B C5 48 8B B4 24 E0 18 00 00 4C 8B A4 24 E8 18 00 00 48 8B 8D A0 17 00 00 48 33 CC}
+        $op2 = {33 D2 46 8D 04 B5 00 00 00 00 66 0F 1F 44 00 00 49 63 C0 41 FF C0 8B 4C 84 70 31 4C 94 40 48 FF C2}
+        $op3 = {89 5C 24 50 0F 57 C0 C7 44 24 4C 04 00 00 00 C7 44 24 48 40 00 00 00 0F 11 44 24 60 0F 11 44 24 70 0F 11 45 80 0F 11 45 90}
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and (
+        filesize < 500KB and(
+            1 of ($x*)
+            or 2 of them
+        )
+        or (
+            $x1 and 1 of ($s*)
+            or 3 of them
+        ))
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_lazarus_gopuram_backdoor.yar b/yara_rules/apt_lazarus_gopuram_backdoor.yar
new file mode 100644
index 0000000..d069a00
--- /dev/null
+++ b/yara_rules/apt_lazarus_gopuram_backdoor.yar
@@ -0,0 +1,25 @@
+import "pe"
+        
+rule apt_lazarus_gopuram_backdoor {
+    meta:
+        id = "947d4ee3-79fa-450b-8482-beafe607baae"
+        version = "1.0"
+        description = "Detects Gopuram Backdoor"
+        author = "Sekoia.io"
+        creation_date = "2023-04-04"
+        classification = "TLP:CLEAR"
+        hash1 = "97b95b4a5461f950e712b82783930cb2a152ec0288c00a977983ca7788342df7"
+        hash2 = "beb775af5196f30e0ee021790a4978ca7a7ac2a7cf970a5a620ffeb89cc60b2c"
+        
+    strings:
+        $x1 = "%s\\config\\TxR\\%s.TxR.0.regtrans-ms"
+        $xop = {D1 E8 33 C3 D1 EB A8 01 74 ?? 81 F3 25 A3 87 DE D1 E8 33 C3 D1 EB A8 01 74 ?? 81 F3 25 A3 87 DE D1 E8 33 C3 D1 EB A8 01 74 ?? 81 F3 25 A3 87 DE D1 E8 33 C3 D1 EB A8 01 74 ?? 81 F3 25 A3 87 DE}
+        $opa1 = {48 89 44 24 ?? 45 33 C9 45 33 C0 33 D2 89 5C 24 ?? 48 89 74 24 ?? 48 89 5C 24 ?? 89 7C 24 ?? FF 15 ?? ?? ?? ?? 85 C0 74 ?? 48 8B 4C 24 ?? 4C 8D 4C 24 ?? 44 8D 43 ??}
+        $opa2 = {48 89 B4 24 ?? ?? ?? ?? 44 8D 43 ?? 33 D2 48 89 BC 24 ?? ?? ?? ?? 4C 89 B4 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 4C 24 ?? E8 ?? ?? ?? ?? 48 8B 4C 24 ?? 45 33 C0 33 D2 8B F8 E8 ?? ?? ?? ?? 8D 4F ?? E8 ?? ?? ?? ?? 4C 8B 4C 24 ?? 44 8D 43 ?? 48 8B C8 8B D7 48 8B F0 44 8B F7 E8 ?? ?? ?? ?? 48 8B 4C 24 ?? E8 ?? ?? ??}
+        
+    condition:        (uint16(0) == 0x4d5a and filesize < 2MB
+        and pe.characteristics & pe.DLL and 1 of ($x*)
+   )
+   or all of ($opa*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_lazarus_lambload_timecheck.yar b/yara_rules/apt_lazarus_lambload_timecheck.yar
new file mode 100644
index 0000000..d558227
--- /dev/null
+++ b/yara_rules/apt_lazarus_lambload_timecheck.yar
@@ -0,0 +1,68 @@
+rule apt_lazarus_lambload_timecheck {
+    meta:
+        id = "8807c752-c34e-4c3b-9194-3a9bd2575a88"
+        version = "1.0"
+        description = "Detects timeCheck routine in LambLoad"
+        author = "Sekoia.io"
+        creation_date = "2023-11-27"
+        classification = "TLP:CLEAR"
+        reference = "https://www.microsoft.com/en-us/security/blog/2023/11/22/diamond-sleet-supply-chain-compromise-distributes-a-modified-cyberlink-installer/"
+        
+    strings:
+        /*
+        0x41322e 0F8567030000                  jne 41359bh
+        0x413234 8D8548FBFFFF                  lea eax, [ebp - 4b8h]
+        0x41323a 50                            push eax
+        0x41323b E8F2490700                    call 487c32h
+        0x413240 83C404                        add esp, 4
+        0x413243 83781802                      cmp dword ptr [eax + 18h], 2
+        0x413247 0F854E030000                  jne 41359bh
+        0x41324d 8B4808                        mov ecx, dword ptr [eax + 8]
+        0x413250 83F90B                        cmp ecx, 0bh
+        0x413253 0F8C42030000                  jl 41359bh
+        0x413259 83F90C                        cmp ecx, 0ch
+        0x41325c 0F8D39030000                  jge 41359bh
+        0x413262 8B4004                        mov eax, dword ptr [eax + 4]
+        0x413265 83F81E                        cmp eax, 1eh
+        0x413268 0F8C2D030000                  jl 41359bh
+        0x41326e 83F83C                        cmp eax, 3ch
+        0x413271 0F8D24030000                  jge 41359bh
+        0x413277 53                            push ebx
+        0x413278 57                            push edi
+        0x413279 6808020000                    push 208h
+        0x41327e 8D8580FDFFFF                  lea eax, [ebp - 280h]
+        0x413284 6A00                          push 0
+        0x413286 50                            push eax
+        0x413287 C78550FBFFFF04010000          mov dword ptr [ebp - 4b0h], 104h
+        */
+        $chunk_1 = {
+        0F 85 ?? ?? ?? ??
+        8D 85 ?? ?? ?? ??
+        50
+        E8 ?? ?? ?? ??
+        83 C4 ??
+        83 78 ?? ??
+        0F 85 ?? ?? ?? ??
+        8B 48 ??
+        83 F9 ??
+        0F 8C ?? ?? ?? ??
+        83 F9 ??
+        0F 8D ?? ?? ?? ??
+        8B 40 ??
+        83 F8 ??
+        0F 8C ?? ?? ?? ??
+        83 F8 ??
+        0F 8D ?? ?? ?? ??
+        53
+        57
+        68 ?? ?? ?? ??
+        8D 85 ?? ?? ?? ??
+        6A ??
+        50
+        C7 85 ?? ?? ?? ?? ?? ?? ?? ??
+        }
+        
+    condition:
+        uint16be(0) == 0x4d5a and any of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_lazarus_pondrat.yar b/yara_rules/apt_lazarus_pondrat.yar
new file mode 100644
index 0000000..a6bcb7d
--- /dev/null
+++ b/yara_rules/apt_lazarus_pondrat.yar
@@ -0,0 +1,25 @@
+rule apt_lazarus_pondrat {
+    meta:
+        id = "a957c158-a79a-4d7a-8473-b6960cf02d9b"
+        version = "1.0"
+        description = "Detects PondRAT via mangled command names"
+        author = "Sekoia.io"
+        creation_date = "2024-09-23"
+        classification = "TLP:CLEAR"
+        hash = "b62c912de846e743effdf7e5654a7605"
+        hash = "61d7b2c7814971e5323ec67b3a3d7f45"
+        hash = "ce35c935dcc9d55b2c79945bac77dc8e"
+        hash = "f50c83a4147b86cdb20cc1fbae458865"
+        hash = "05957d98a75c04597649295dc846682d"
+        hash = "33c9a47debdb07824c6c51e13740bdfe"
+        
+    strings:
+        $cmd_PondRAT1 = "_Z7MsgDownP11_TRANS_INFO" ascii
+        $cmd_PondRAT2 = "_Z5MsgUpP11_TRANS_INFO" ascii
+        $cmd_PondRAT3 = "_Z6MsgRunP11_TRANS_INFO" ascii
+        $cmd_PondRAT4 = "_Z6MsgCmdP11_TRANS_INFO" ascii
+        
+    condition:
+        3 of them and filesize < 4MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_lazarus_vhd_ransomware_downloader.yar b/yara_rules/apt_lazarus_vhd_ransomware_downloader.yar
new file mode 100644
index 0000000..4d7c32c
--- /dev/null
+++ b/yara_rules/apt_lazarus_vhd_ransomware_downloader.yar
@@ -0,0 +1,21 @@
+rule apt_lazarus_vhd_ransomware_downloader {
+    meta:
+        id = "edcc9df8-650c-437a-adb8-a671e8b75e64"
+        version = "1.0"
+        description = "Detects VHD ransomware downloader"
+        author = "Sekoia.io"
+        creation_date = "2022-11-28"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "rundll32.exe %s #1 %S" wide
+        $ = "cmd /c timeout /t 10 & Del /f /q \"%s\" & attrib -s -h \"%s\" & rundll32 \"%s\" #1" wide
+        $ = "cmd /c timeout /t 10 & rundll32 \"%s\" #1" wide
+        $ = "curl -A cur1-agent -L %s -s -d da"
+        $ = "curl -A cur1-agent -L %s -s -d dl"
+        
+    condition:
+        filesize < 2MB and
+        3 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_lazarus_vhd_ransomware_loader.yar b/yara_rules/apt_lazarus_vhd_ransomware_loader.yar
new file mode 100644
index 0000000..1cb5250
--- /dev/null
+++ b/yara_rules/apt_lazarus_vhd_ransomware_loader.yar
@@ -0,0 +1,31 @@
+rule apt_lazarus_vhd_ransomware_loader {
+    meta:
+        id = "377f3ec5-fa2a-431e-93d2-6a1eb9e01d28"
+        version = "1.0"
+        description = "Detects VHD ransomware x64 loader "
+        author = "Sekoia.io"
+        creation_date = "2022-11-28"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = { B8 64 [8] B8 75 [8] B8 6D [8] B8 70 [8] B8 2E [8] B8 62 [8] B8 69 [8] B8 6E }
+        $ = { 48 63 ?? ?? ??
+        48 8B ?? ?? ??
+        0F BE ?? ??
+        B9 ?? ?? ?? ??
+        48 6B ?? ??
+        48 8B ?? ?? ??
+        0F BE ?? ??
+        ?? ??
+        48 63 ?? ?? ??
+        48 8B ?? ?? ??
+        88 ?? ??
+        EB }
+        $ = { 25 00 73 00 5c [3-15] 25 00 64 00 25 00 64 00 2e 00 62 00 69 00 6e }
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 200KB and
+        2 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_luckymouse_compromised_electronapp.yar b/yara_rules/apt_luckymouse_compromised_electronapp.yar
new file mode 100644
index 0000000..ed98cc9
--- /dev/null
+++ b/yara_rules/apt_luckymouse_compromised_electronapp.yar
@@ -0,0 +1,16 @@
+rule apt_luckymouse_compromised_electronapp {
+    meta:
+        id = "7702217d-771f-47af-8eaa-d5acf1e14f4d"
+        version = "1.0"
+        description = "Detects compromised ElectronApp"
+        author = "Sekoia.io"
+        creation_date = "2022-08-05"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s = "module.exports=function(t){eval(function(p,a,c,k,e,r)"
+        
+    condition:
+        $s at 0 and filesize < 100KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_luckymouse_rshell_strings.yar b/yara_rules/apt_luckymouse_rshell_strings.yar
new file mode 100644
index 0000000..0c6abe8
--- /dev/null
+++ b/yara_rules/apt_luckymouse_rshell_strings.yar
@@ -0,0 +1,27 @@
+rule apt_luckymouse_rshell_strings {
+    meta:
+        id = "89f18013-ea3e-440f-821e-cef102a43b7b"
+        version = "1.0"
+        description = "Detects LuckyMouse RShell Mach-O implant"
+        author = "Sekoia.io"
+        creation_date = "2022-08-05"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = { 64 69 72 00 70 61 74 68
+        00 64 6F 77 6E 00 72 65
+        61 64 00 75 70 6C 6F 61
+        64 00 77 72 69 74 65 00
+        64 65 6C }
+        $ = { 6C 6F 67 69 6E 00 68 6F
+        73 74 6E 61 6D 65 00 6C
+        61 6E 00 75 73 65 72 6E
+        61 6D 65 00 76 65 72 73
+        69 6F 6E }
+        
+    condition:
+        (uint32be(0) == 0xCFFAEDFE or uint16be(0) == 0x4d5a) and 
+        filesize < 300KB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_luckymouse_rshell_strings_all_platform.yar b/yara_rules/apt_luckymouse_rshell_strings_all_platform.yar
new file mode 100644
index 0000000..006da6f
--- /dev/null
+++ b/yara_rules/apt_luckymouse_rshell_strings_all_platform.yar
@@ -0,0 +1,21 @@
+rule apt_luckymouse_rshell_strings_all_platform {
+    meta:
+        id = "e79a5ee1-96b3-4643-ab11-0b1095e96488"
+        version = "1.0"
+        description = "Detects LuckyMouse RShell Mach-O implant"
+        author = "Sekoia.io"
+        creation_date = "2022-08-05"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = { 6C 6F 67 69 6E 00 68 6F
+        73 74 6E 61 6D 65 00 6C
+        61 6E 00 75 73 65 72 6E
+        61 6D 65 00 76 65 72 73
+        69 6F 6E }
+        
+    condition:
+        filesize < 1MB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_luckymouse_sysupdate_removing_tool.yar b/yara_rules/apt_luckymouse_sysupdate_removing_tool.yar
new file mode 100644
index 0000000..7950fb4
--- /dev/null
+++ b/yara_rules/apt_luckymouse_sysupdate_removing_tool.yar
@@ -0,0 +1,19 @@
+rule apt_luckymouse_sysupdate_removing_tool {
+    meta:
+        id = "711d059c-6229-49ef-aa20-a04d505838dc"
+        version = "1.0"
+        description = "Detects the SysUpdate removing tool"
+        author = "Sekoia.io"
+        creation_date = "2022-08-03"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "KsWAYYYXXsFUCK" wide
+        $ = "remove Services:%s %d" wide
+        $ = "remove dir:%s %d" wide
+        $ = "remove reg %d" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and filesize < 11MB and 2 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_malware_pocoproxy.yar b/yara_rules/apt_malware_pocoproxy.yar
new file mode 100644
index 0000000..5ec9da2
--- /dev/null
+++ b/yara_rules/apt_malware_pocoproxy.yar
@@ -0,0 +1,26 @@
+rule apt_malware_pocoproxy {
+    meta:
+        id = "8b37e37f-339e-4f8b-b792-435096f56af0"
+        version = "1.0"
+        description = "Detects strings in PocoProxy"
+        author = "Sekoia.io"
+        creation_date = "2024-08-13"
+        classification = "TLP:CLEAR"
+        hash = "2b89f15012512002c656ff821bbbeca0"
+        hash = "8d850fed6bb1f3b60365ed656c6791c5"
+        
+    strings:
+        $ = "-listen" ascii fullword
+        $ = "-connect" ascii fullword
+        $ = "-proxy" ascii fullword
+        $ = "%d-%d-%d %d:%d:%d" ascii fullword
+        $ = "%S://%S:%u%S" wide
+        $ = "\\r\\n[%u(%u/%u/%u/%u)]==> %S  %S>> %S:%d connect ok." wide
+        $ = "\\r\\nnconnect to %S:%d faild." wide
+        $ = "\\r\\nI'm listen %S:%d,welcome..." wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        5 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_menupass_maliciouslibvlc_dll.yar b/yara_rules/apt_menupass_maliciouslibvlc_dll.yar
new file mode 100644
index 0000000..fa7cae3
--- /dev/null
+++ b/yara_rules/apt_menupass_maliciouslibvlc_dll.yar
@@ -0,0 +1,18 @@
+import "pe"
+        
+rule apt_menupass_maliciouslibvlc_dll {
+    meta:
+        id = "8b6b56f3-33b5-41cf-8bcb-e653c98718bd"
+        version = "1.0"
+        description = "Detects the malicious LibVLC variants used by MenuPass"
+        author = "Sekoia.io"
+        creation_date = "2022-04-06"
+        classification = "TLP:CLEAR"
+        
+    condition:
+        pe.DLL and
+        pe.number_of_exports < 15 and
+        for all i in (0..pe.number_of_exports - 1):
+        (pe.export_details[i].name contains "libvlc_")
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_micdown_encrypted_configuration.yar b/yara_rules/apt_micdown_encrypted_configuration.yar
new file mode 100644
index 0000000..522ebb6
--- /dev/null
+++ b/yara_rules/apt_micdown_encrypted_configuration.yar
@@ -0,0 +1,16 @@
+rule apt_micdown_encrypted_configuration {
+    meta:
+        id = "9567d68b-05d1-4d41-b87f-c8691ee689cd"
+        version = "1.0"
+        description = "Encrypted C2 configuration of micDown"
+        author = "Sekoia.io"
+        creation_date = "2023-08-24"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = {?? [20] 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 84 36}
+        
+    condition:
+        filesize == 66 and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_muddywater_manifestation_backdoor.yar b/yara_rules/apt_muddywater_manifestation_backdoor.yar
new file mode 100644
index 0000000..567e760
--- /dev/null
+++ b/yara_rules/apt_muddywater_manifestation_backdoor.yar
@@ -0,0 +1,21 @@
+rule apt_muddywater_manifestation_backdoor {
+    meta:
+        id = "998fb0ab-73ed-41e5-b87e-f987b8f05a8c"
+        version = "1.0"
+        description = "Detects Muddys manifestation JScript backdoor"
+        author = "Sekoia.io"
+        creation_date = "2022-01-13"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "/^\\s+|\\s+$/g" ascii
+        $l2 = "while (1) {"  ascii
+        $l3 = { 57 53 63 72 69 70 74 2e 73 6c 65 65 70 28 ?? ?? 20 2a 20 31 30 30 30 29 3b }
+        $s4 = ")+ key , false)" ascii
+        $s5 = ")+ data , false)" ascii
+        
+    condition:
+        filesize > 1000 and
+        ($l3 in (@l2..@l2+300)) and (any of ($s*))
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_muddywater_manifestation_backdoor_obfuscated.yar b/yara_rules/apt_muddywater_manifestation_backdoor_obfuscated.yar
new file mode 100644
index 0000000..458ab72
--- /dev/null
+++ b/yara_rules/apt_muddywater_manifestation_backdoor_obfuscated.yar
@@ -0,0 +1,18 @@
+rule apt_muddywater_manifestation_backdoor_obfuscated {
+    meta:
+        id = "58df72a1-822c-4b82-904d-1c0124dc7bc1"
+        version = "1.0"
+        description = "Detects obfuscated Muddys manifestation JScript backdoor"
+        author = "Sekoia.io"
+        creation_date = "2022-01-13"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $m = { 76 61 72 20 5f 30 78 [4-6] 3d 5b }
+        $w = {57 53 63 72 69 70 74 5b 5f 30 78 [4-6] 28 30 78 [2-3] 29 5d 28 30 78 [2-3] 2a 30 78 [2-3] 29 2c }
+        $t = "subkeys(key));}"
+        
+    condition:
+        $m at 0 and ($t at (filesize-16) or $w in (filesize-200..filesize))
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_muddywater_moriagent.yar b/yara_rules/apt_muddywater_moriagent.yar
new file mode 100644
index 0000000..f866c27
--- /dev/null
+++ b/yara_rules/apt_muddywater_moriagent.yar
@@ -0,0 +1,29 @@
+import "pe"
+        
+rule apt_muddywater_moriagent {
+    meta:
+        id = "e7a83663-6a30-416a-8f29-87a6b9445ea4"
+        version = "1.0"
+        description = "Detects Muddy's Mori Agent implant"
+        author = "Sekoia.io"
+        creation_date = "2022-01-14"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $mut = "0x50504060" ascii fullword
+        $cmd1 = "TType" ascii fullword
+        $cmd2 = "TPath" ascii fullword
+        $cmd3 = "TFileid" ascii fullword
+        $cmd4 = "TCommand" ascii fullword
+        $cmd5 = "TTimeout" ascii fullword
+        $cmd6 = "TFilter" ascii fullword
+        
+    condition:
+        
+        uint16be(0) == 0x4d5a and
+        ( ( pe.number_of_exports == 2 and
+        pe.exports("DllRegisterServer") and
+        pe.exports("DllUnregisterServer") ) and
+        ( 5 of them ) )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_muddywater_muddyc2go_dll_launcher_strings.yar b/yara_rules/apt_muddywater_muddyc2go_dll_launcher_strings.yar
new file mode 100644
index 0000000..2070c65
--- /dev/null
+++ b/yara_rules/apt_muddywater_muddyc2go_dll_launcher_strings.yar
@@ -0,0 +1,21 @@
+rule apt_muddywater_muddyc2go_dll_launcher_strings {
+    meta:
+        id = "59756195-d842-4038-8fbf-43d26f4353bc"
+        version = "1.0"
+        description = "Detects MuddyC2Go DLL launcher"
+        author = "Sekoia.io"
+        creation_date = "2024-03-07"
+        classification = "TLP:CLEAR"
+        hash = "1a0827082d4b517b643c86ee678eaa53f85f1b33ad409a23c50164c3909fdaca"
+        
+    strings:
+        $ = "-Method GET -ErrorAction Stop;Write-Output $response.Content;iex $response.Content;"
+        $ = "GetCurrentProcess"
+        $ = "TerminateProcess"
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 50KB and 
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_muddywater_powershell_reverse_secure_proxy.yar b/yara_rules/apt_muddywater_powershell_reverse_secure_proxy.yar
new file mode 100644
index 0000000..ae5a24c
--- /dev/null
+++ b/yara_rules/apt_muddywater_powershell_reverse_secure_proxy.yar
@@ -0,0 +1,18 @@
+rule apt_muddywater_powershell_reverse_secure_proxy {
+    meta:
+        id = "b255f327-cb56-41b7-82f7-83ee23f791a5"
+        version = "1.0"
+        description = "Detects PowerShell Reverse Secure Proxy"
+        author = "Sekoia.io"
+        creation_date = "2023-11-14"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "$CS.Read($buff,4,2) | Out-Null" ascii wide
+        $ = "$DP = $buff[2]*256 + $buff[3]" ascii wide
+        $ = "$PS3.BeginInvoke() | Out-Null" ascii wide
+        
+    condition:
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_muddywater_powgoop_decode_loop.yar b/yara_rules/apt_muddywater_powgoop_decode_loop.yar
new file mode 100644
index 0000000..6640637
--- /dev/null
+++ b/yara_rules/apt_muddywater_powgoop_decode_loop.yar
@@ -0,0 +1,20 @@
+rule apt_muddywater_powgoop_decode_loop {
+    meta:
+        id = "644ed1c4-e0e1-496e-9efc-7d9e15565f7b"
+        version = "1.0"
+        description = "Detects the loop used in PowGoop and its loader"
+        author = "Sekoia.io"
+        creation_date = "2022-01-13"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "System.Collections.Generic.List[System.Object]" ascii wide
+        $s2 = "$d.Add($in[$i]);" ascii wide
+        $s3 = "[System.Convert]::FromBase64String(" ascii wide
+        
+    condition:
+        filesize < 1MB and
+        $s2 in (@s1..@s1+400) and
+        $s3 in (@s1..@s1+400)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_muddywater_powgoop_decoded.yar b/yara_rules/apt_muddywater_powgoop_decoded.yar
new file mode 100644
index 0000000..8b7299b
--- /dev/null
+++ b/yara_rules/apt_muddywater_powgoop_decoded.yar
@@ -0,0 +1,27 @@
+rule apt_muddywater_powgoop_decoded {
+    meta:
+        id = "194cb9ef-da96-42b6-a3b5-b0aee7495f2c"
+        version = "1.0"
+        description = "Detects decoded PowGoop malware"
+        author = "Sekoia.io"
+        creation_date = "2022-01-13"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $h1 = "[System.Net.WebRequest]::Create(" ascii wide
+        $h2 = "Headers.Add('Authorization'" ascii wide
+        $h3 = "Headers.Add('Cookie',('value=' + $ec + ';')" ascii wide
+        $h4 = ".GetResponse()" ascii wide
+        $h5 = "GetResponseStream()" ascii wide
+        $c1 = "return (65..90) + (97..122) | Get-Random -Count" ascii wide
+        $c2 = "% {[char]$_}" ascii wide
+        
+    condition:
+        filesize > 1KB and
+        filesize < 1MB and
+        ( $h2 in (@h1..@h5) and
+        $h3 in (@h1..@h5) and
+        $h4 in (@h1..@h5) )
+        or ( $c2 in (@c1..@c1+50) ) and  true
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_muddywater_powgoop_loader.yar b/yara_rules/apt_muddywater_powgoop_loader.yar
new file mode 100644
index 0000000..8db2d0f
--- /dev/null
+++ b/yara_rules/apt_muddywater_powgoop_loader.yar
@@ -0,0 +1,20 @@
+rule apt_muddywater_powgoop_loader {
+    meta:
+        id = "716b45e1-9f17-4546-a003-a7c78340d623"
+        version = "1.0"
+        description = "Detects the loader of PowGoop malware"
+        author = "Sekoia.io"
+        creation_date = "2022-01-13"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "$d.Add($in[$i]);" ascii wide
+        $s2 = "[System.Text.Encoding]::UTF8.GetString($o);" ascii wide
+        $s3 = "$i+=(1+1)" ascii wide
+        $t = { 24 ?? 3d [1-15] 20 24 ?? 3b ?? ?? ?? 20 24 ?? 3b }
+        
+    condition:
+        filesize < 50KB and
+        (3 of ($s*) or $t in (filesize-50..filesize))
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_muddywater_rotrot_strings.yar b/yara_rules/apt_muddywater_rotrot_strings.yar
new file mode 100644
index 0000000..0bd07a1
--- /dev/null
+++ b/yara_rules/apt_muddywater_rotrot_strings.yar
@@ -0,0 +1,37 @@
+rule apt_muddywater_rotrot_strings {
+    meta:
+        id = "f7bc195a-0e60-4495-b78a-78f101543700"
+        version = "1.0"
+        description = "Detects RotRot backdoor based on strings"
+        author = "Sekoia.io"
+        creation_date = "2024-06-10"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "qsphsbnebub"
+        $s2 = "rtqitcofcvc"
+        $s3 = "surjudpgdwd"
+        $s4 = "tvskveqhexe"
+        $s5 = "uwtlwfrifyf"
+        $s6 = "vxumxgsjgzg"
+        
+        $t1 = "MpbeMjcsbs"
+        $t2 = "NqcfNkdtct"
+        $t3 = "OrdgOleudu"
+        $t4 = "PsehPmfvev"
+        $t5 = "QtfiQngwfw"
+        $t6 = "RugjRohxgx"
+        
+        $u1 = "UfsnjobufKpcPckfdu"
+        $u2 = "VgtokpcvgLqdQdlgev"
+        $u3 = "WhuplqdwhMreRemhfw"
+        $u4 = "XivqmrexiNsfSfnigx"
+        $u5 = "YjwrnsfyjOtgTgojhy"
+        $u6 = "ZkxsotgzkPuhUhpkiz"
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize > 100KB and filesize < 300KB and
+        any of ($s*) and any of ($t*) and any of ($u*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_mustang_panda_nupakage.yar b/yara_rules/apt_mustang_panda_nupakage.yar
new file mode 100644
index 0000000..bbbba52
--- /dev/null
+++ b/yara_rules/apt_mustang_panda_nupakage.yar
@@ -0,0 +1,17 @@
+rule apt_mustang_panda_nupakage {
+    meta:
+        id = "bd62c220-addc-48e9-bd01-2eff687ac3ce"
+        version = "1.0"
+        description = "Detects NUPAKAGE malware (only PDB, too much false positives)"
+        author = "Sekoia.io"
+        creation_date = "2023-03-24"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "D:\\Project\\NEW_PACKAGE_FILE\\Release\\NEW_PACKAGE_FILE.pdb" ascii wide
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        filesize < 1MB and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_mustang_panda_toneins.yar b/yara_rules/apt_mustang_panda_toneins.yar
new file mode 100644
index 0000000..bfcde33
--- /dev/null
+++ b/yara_rules/apt_mustang_panda_toneins.yar
@@ -0,0 +1,45 @@
+import "pe"
+import "hash"
+        
+rule apt_mustang_panda_toneins {
+    meta:
+        id = "f178217a-ff28-4dd7-9395-f19f3e2e934c"
+        version = "1.0"
+        description = "Detect the TONEINS implant used by Mustang Panda"
+        author = "Sekoia.io"
+        creation_date = "2022-11-28"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $rtti1 = ".?AVDNameNode@@"
+        $rtti2 = ".?AVcharNode@@"
+        $rtti3 = ".?AVpcharNode@@"
+        $rtti4 = ".?AVpDNameNode@@"
+        $rtti5 = ".?AVDNameStatusNode@@"
+        $rtti6 = ".?AVpairNode@@"
+        
+        $s1 = "DefWindowProcW1222_test" wide ascii
+        $s2 = "schtasks /create /sc minute /mo 2 /tn" wide ascii
+        $fnv_CreateFile = {CE C9 CA BD}
+        $fnv_GetFileSize = {18 81 ED 44}
+        $fnv_ReadFile = {43 C9 FC 54}
+        $fnv_CloseHandle = {65 00 BA FA}
+        $fnv_WriteFile = {4A C4 07 7F}
+        $fnv_CreateEventA = {E2 DD D2 F9}
+        $fnv_TerminateProcess = {59 EE 4E F8}
+        $fnv_GetCurrentProcess = {45 A8 D8 6D}
+        $fnv_CreateProcessA = { 09 0A 7C 4A}
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        4 of ($rtti*)
+        and
+        filesize < 8MB and 
+        (    
+            for any i in (0..pe.number_of_sections-1) : (
+            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "69f400d3ff4679294e63fb8a8ca97dbb") 
+            or
+            (all of ($s*) and 5 of ($fnv*))
+        )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_mustang_panda_toneshell.yar b/yara_rules/apt_mustang_panda_toneshell.yar
new file mode 100644
index 0000000..7a85ae1
--- /dev/null
+++ b/yara_rules/apt_mustang_panda_toneshell.yar
@@ -0,0 +1,161 @@
+import "pe"
+import "hash"
+        
+rule apt_mustang_panda_toneshell {
+    meta:
+        id = "bf7c68a9-dddc-494a-a603-c2311ed712a4"
+        version = "1.0"
+        description = "Detect the TONESHELL implant used by Mustang Panda from specific functions"
+        author = "Sekoia.io"
+        creation_date = "2022-11-28"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        /*    GetTEB
+        result = NtCurrentTeb();
+        dword_1007CA38 = (int)result;
+        return result;
+        */
+        $func1 = {
+        55
+        89 E5
+        64 A1 18 00 00 00
+        A3 ?? ?? ?? ??
+        5D
+        C3
+        }
+        
+        /*memcpy
+        v5 = a1;
+        while ( a3-- )
+        *a1++ = *a2++;
+        return v5;
+        */
+        $func2 =  {
+        55
+        89 E5
+        50
+        8B 45 ??
+        8B 45 ??
+        8B 45 ??
+        8B 45 ??
+        89 45 ??
+        8B 45 ??
+        89 C1
+        83 C1 FF
+        89 4D ??
+        83 F8 00
+        0F 84 ?? ?? ?? ??
+        8B 45 ??
+        8A 08
+        8B 45 ??
+        88 08
+        8B 45 ??
+        83 C0 01
+        89 45 ??
+        8B 45 ??
+        83 C0 01
+        89 45 ??
+        E9 ?? ?? ?? ??
+        8B 45 ??
+        83 C4 04
+        5D
+        C3
+        }
+        
+        /* Decryptionroutine
+        result = a1;
+        for ( i = 0; i < 32; ++i )
+        {
+        *(_BYTE *)(a1 + i) ^= 0x7Eu;
+        result = i + 1;
+        }
+        return result;
+        */
+        $decryption_routine1 = {
+        8B 45 ??
+        C7 45 ?? 00 00 00 00
+        83 7D ?? 20
+        0F 8D ?? ?? ?? ??
+        8B 45 ??
+        8B 4D ??
+        0F BE 04 08
+        83 F0 ??
+        88 C2
+        8B 45 ??
+        8B 4D ??
+        88 14 08
+        8B 45 ??
+        83 C0 01
+        89 45 ??
+        E9 ?? ?? ?? ??
+        83 C4 04
+        }
+        
+        /*
+        v6 = 0;
+        for ( i = 0; ; ++i )
+        {
+        result = v6;
+        if ( v6 >= a2 )
+        break;
+        *(_BYTE *)(a1 + v6) ^= *(_BYTE *)(a3 + i);
+        if ( i == a4 - 1 )
+        i = 0;
+        ++v6;
+        }
+        return result;
+        */
+        $decryption_routine2 = {
+        55
+        89 E5
+        83 EC 08
+        8B 45 ??
+        8B 45 ??
+        8B 45 ??
+        8B 45 ??
+        C7 45 ?? 00 00 00 00
+        C7 45 ?? 00 00 00 00
+        8B 45 ??
+        3B 45 ??
+        0F 8D ?? ?? ?? ??
+        8B 45 ??
+        8B 4D ??
+        0F BE 04 08
+        8B 4D ??
+        8B 55 ??
+        0F BE 0C 11
+        31 C8
+        88 C2
+        8B 45 ??
+        8B 4D ??
+        88 14 08
+        8B 45 ??
+        8B 4D ??
+        83 E9 01
+        39 C8
+        0F 85 ?? ?? ?? ??
+        C7 45 ?? 00 00 00 00
+        E9 ?? ?? ?? ??
+        8B 45 ??
+        83 C0 01
+        89 45 ??
+        8B 45 ??
+        83 C0 01
+        89 45 ??
+        E9 ?? ?? ?? ??
+        83 C4 08
+        5D
+        C3
+        }
+        
+    condition:
+        uint16be(0) == 0x4d5a and 
+        filesize < 8MB and
+        for all i in (0..pe.number_of_sections-1) : (
+            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) != "69f400d3ff4679294e63fb8a8ca97dbb"
+        ) and 
+        3 of them and
+        true
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_mustangpanda_coolclient.yar b/yara_rules/apt_mustangpanda_coolclient.yar
new file mode 100644
index 0000000..cfb560f
--- /dev/null
+++ b/yara_rules/apt_mustangpanda_coolclient.yar
@@ -0,0 +1,20 @@
+rule apt_mustangpanda_coolclient {
+    meta:
+        id = "2f8fdb66-03a2-400f-808b-56ae1b276d2f"
+        version = "1.0"
+        description = "Detect COOLCLIENT via obfuscation & specific string"
+        author = "Sekoia.io"
+        creation_date = "2023-03-27"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = {eb 14 ea 50 eb 0b ea 8b c4 a8 01 74 06 eb 0b}
+        $s2 = {66 0f d6 44 24 eb eb}
+        $s3 = "c:\\windows\\syste" fullword
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        filesize < 1MB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_mustangpanda_decrypt_payload.yar b/yara_rules/apt_mustangpanda_decrypt_payload.yar
new file mode 100644
index 0000000..06d80fc
--- /dev/null
+++ b/yara_rules/apt_mustangpanda_decrypt_payload.yar
@@ -0,0 +1,28 @@
+rule apt_mustangpanda_decrypt_payload {
+    meta:
+        id = "7b954007-0929-454d-8a10-05279a337f1b"
+        version = "1.0"
+        description = "Detects the decryption routine of DAT file"
+        author = "Sekoia.io"
+        creation_date = "2022-12-08"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $chunk_1 = {
+        85 ??
+        74 ??
+        8B ??
+        D1 EA
+        A1 ?? ?? ?? ??
+        03 C2
+        A3 ?? ?? ?? ??
+        30 04 29
+        41
+        3B ??
+        72 EC
+        }
+        
+    condition:
+        filesize < 8MB and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_mustangpanda_downloader.yar b/yara_rules/apt_mustangpanda_downloader.yar
new file mode 100644
index 0000000..9aad441
--- /dev/null
+++ b/yara_rules/apt_mustangpanda_downloader.yar
@@ -0,0 +1,20 @@
+rule apt_mustangpanda_downloader {
+    meta:
+        id = "54850ffd-f93b-4082-b3ca-8e1d60b35422"
+        version = "1.0"
+        description = "Detects the MustangPanda Downloader"
+        author = "Sekoia.io"
+        creation_date = "2022-03-02"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "Windows Api" wide nocase
+        $ = "200 OK" wide
+        $ = "200 ok" wide
+        $ = "mscoree.dll" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_mustangpanda_malicious_lnk_worm.yar b/yara_rules/apt_mustangpanda_malicious_lnk_worm.yar
new file mode 100644
index 0000000..d1d3875
--- /dev/null
+++ b/yara_rules/apt_mustangpanda_malicious_lnk_worm.yar
@@ -0,0 +1,17 @@
+rule apt_mustangpanda_malicious_lnk_worm {
+    meta:
+        id = "e7cc5ecc-2369-49ff-9e35-c9faeb69acda"
+        version = "1.0"
+        description = "Detects MustangPanda infected ThumbDrive"
+        author = "Sekoia.io"
+        creation_date = "2023-09-21"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "RECYCLER.BIN\\1\\CEFHelper.exe" wide
+        
+    condition:
+        uint32be(0) == 0x4C000000 and
+        1 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_mustangpanda_maliciousdll_loading_plugx_strings.yar b/yara_rules/apt_mustangpanda_maliciousdll_loading_plugx_strings.yar
new file mode 100644
index 0000000..bca666d
--- /dev/null
+++ b/yara_rules/apt_mustangpanda_maliciousdll_loading_plugx_strings.yar
@@ -0,0 +1,24 @@
+import "pe"
+        
+rule apt_mustangpanda_maliciousdll_loading_plugx_strings {
+    meta:
+        id = "2296ac6e-63f5-4cff-aeb7-2c5205e6f559"
+        version = "1.0"
+        description = "Detects MustangPanda malicious DLL"
+        author = "Sekoia.io"
+        creation_date = "2023-12-18"
+        classification = "TLP:CLEAR"
+        hash = "651c096cf7043a01d939dff9ba58e4d69f15b2244c71b43bedb4ada8c37e8859"
+        
+    strings:
+        $ = "VirtualAlloc"
+        $ = "VirtualFree"
+        $ = "VirtualProtect"
+        $ = "VirtualQuery"
+        $ = "GCC: (MinGW-W64"
+        
+    condition:
+        pe.exports("MsiProvideQualifiedComponentW") 
+        and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_mustangpanda_mqsttang_qmagent.yar b/yara_rules/apt_mustangpanda_mqsttang_qmagent.yar
new file mode 100644
index 0000000..68bb9a4
--- /dev/null
+++ b/yara_rules/apt_mustangpanda_mqsttang_qmagent.yar
@@ -0,0 +1,24 @@
+rule apt_mustangpanda_mqsttang_qmagent {
+    meta:
+        id = "bcf6f961-0d9b-4fbc-81d2-f5d00c68d4d5"
+        version = "1.0"
+        description = "Detects specifics string of MQsTTang, also known as QMAGENT"
+        author = "Sekoia.io"
+        creation_date = "2023-03-27"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "iot/server"
+        $s2 = "QMQTT::Message"
+        $s3 = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
+        $command1 = "c_topic"
+        $command2 = "Alive"
+        $command3 = "msg"
+        $command4 = "ret"
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        filesize < 8MB  and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_mustangpanda_payload.yar b/yara_rules/apt_mustangpanda_payload.yar
new file mode 100644
index 0000000..6368ca3
--- /dev/null
+++ b/yara_rules/apt_mustangpanda_payload.yar
@@ -0,0 +1,43 @@
+rule apt_mustangpanda_payload {
+    meta:
+        id = "ce7ddf20-e13f-4b5f-8fff-4b1387b29568"
+        version = "1.0"
+        description = "Decryption routine of mustang panda payload"
+        author = "Sekoia.io"
+        creation_date = "2022-12-08"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $chunk_1 = {
+        89 74 24 ??
+        B9 ?? ?? ?? ??
+        8B 44 24 ??
+        3D ?? ?? ?? ??
+        B8 ?? ?? ?? ??
+        0F 4C C1
+        E9 ?? ?? ?? ??
+        B8 ?? ?? ?? ??
+        31 DB
+        31 ED
+        31 FF
+        E9 ?? ?? ?? ??
+        8B 44 24 ??
+        B9 ?? ?? ?? ??
+        3B 44 24 ??
+        B8 ?? ?? ?? ??
+        0F 42 C1
+        E9 ?? ?? ?? ??
+        88 5C 24 ??
+        89 6C 24 ??
+        89 7C 24 ??
+        B9 ?? ?? ?? ??
+        8B 44 24 ??
+        3D ?? ?? ?? ??
+        B8 ?? ?? ?? ??
+        0F 4C C1
+        }
+        
+    condition:
+        filesize < 8MB and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_mustangpanda_tinynote.yar b/yara_rules/apt_mustangpanda_tinynote.yar
new file mode 100644
index 0000000..a373bec
--- /dev/null
+++ b/yara_rules/apt_mustangpanda_tinynote.yar
@@ -0,0 +1,22 @@
+rule apt_mustangpanda_tinynote {
+    meta:
+        id = "a2b9bea4-a211-456f-8a3f-0f31733e8b29"
+        version = "1.0"
+        description = "Detects strings in TinyNote backdoor"
+        author = "Sekoia.io"
+        creation_date = "2023-06-07"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "bypassSMADAV" ascii fullword
+        $s2 = "excuteCmdLine" ascii fullword
+        $s3 = "/Create1953125" ascii
+        $s4 = "MINUTEMonday" ascii
+        $s5 = "WndProc" ascii
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        filesize < 8MB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_mustangpanda_tonedrop.yar b/yara_rules/apt_mustangpanda_tonedrop.yar
new file mode 100644
index 0000000..c6d1264
--- /dev/null
+++ b/yara_rules/apt_mustangpanda_tonedrop.yar
@@ -0,0 +1,44 @@
+rule apt_mustangpanda_tonedrop {
+    meta:
+        id = "39df631c-5766-4804-838f-6c9b800c0cc9"
+        version = "1.0"
+        description = "TONEDROP strings"
+        author = "Sekoia.io"
+        creation_date = "2023-06-19"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $window1 = "PROCMON_WINDOW_CLASS"  ascii wide
+        $window2 = "OLLYDBG" ascii wide
+        $window3 = "WinDbgFrameClass"  ascii wide
+        $window4 = "OllyDbg - [CPU]"  ascii wide
+        $window5 = "Immunity Debugger - [CPU]"  ascii wide
+        
+        $errormsg1 = "Unable to open file %s for writing"  ascii wide
+        
+        $proc_01 = "cheatengine-x86_64.exe" ascii wide
+        $proc_02 = "ollydbg.exe" ascii wide
+        $proc_03 = "ida.exe" ascii wide
+        $proc_04 = "ida64.exe" ascii wide
+        $proc_05 = "radare2.exe" ascii wide
+        $proc_06 = "x64dbg.exe" ascii wide
+        $proc_07 = "procmon.exe" ascii wide
+        $proc_08 = "procmon64.exe" ascii wide
+        $proc_09 = "procexp.exe" ascii wide
+        $proc_10 = "processhacker.exe" ascii wide
+        $proc_11 = "pestudio.exe" ascii wide
+        $proc_12 = "systracerx32.exe" ascii wide
+        $proc_13 = "fiddler.exe" ascii wide
+        $proc_14 = "tcpview.exe" ascii wide
+        
+        $opcodes_check_PEsize = {C7 85 94 FD FF FF 2C 02}
+        $opcodes_ShellExecute_1 = {C7 45 BC 53 68 65 6C}
+        $opcodes_ShellExecute_2 = {C7 45 C0 6C 45 78 65}
+        $opcodes_ShellExecute_3 = {C7 45 C4 63 75 74 65}
+        $opcodes_ShellExecute_4 = {66 C7 45 C8 41 00}
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        filesize < 8MB and 3 of ($window*) and $errormsg1 and 10 of ($proc_*) and 3 of ($opcodes*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_mustangpanda_windows_remoteshell.yar b/yara_rules/apt_mustangpanda_windows_remoteshell.yar
new file mode 100644
index 0000000..8434f94
--- /dev/null
+++ b/yara_rules/apt_mustangpanda_windows_remoteshell.yar
@@ -0,0 +1,122 @@
+rule apt_mustangpanda_windows_remoteshell {
+    meta:
+        id = "cffdd11e-9700-462e-a965-f9f51db63f0b"
+        version = "1.0"
+        description = "Detects Remote Shell of Mustang Panda by detecting internal structure intialization"
+        author = "Sekoia.io"
+        creation_date = "2022-12-06"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        /*
+        *p_dword101a4 = 12;
+        this->encrypted[5] = 3;
+        *(_DWORD *)&this->encrypted[6] = this->dword10198;
+        *(_WORD *)&this->encrypted[10] = this->dword1019c;
+        */
+        
+        $chunk_1 = {
+        C7 45 ?? 0C 00 00 00
+        8D 4E ??
+        C6 01 03
+        8B 87 ?? ?? ?? ??
+        89 41 ??
+        66 8B 87 ?? ?? ?? ??
+        66 89 41 ??
+        }
+        /*
+        *p_dword101a4 = 12;
+        this->encrypted[5] = 2;
+        *(_DWORD *)&this->encrypted[6] = this->dword10198;
+        *(_WORD *)&this->encrypted[10] = this->dword1019c;
+        cme_crypt(&this->encrypted[5], *p_dword101a4 - 5);
+        */
+        
+        $chunk_2 = {
+        C7 45 ?? 0C 00 00 00
+        8D 4E ??
+        C6 01 02
+        8B 87 ?? ?? ?? ??
+        89 41 ??
+        66 8B 87 ?? ?? ?? ??
+        66 89 41 ??
+        8B 45 ??
+        83 E8 05
+        50
+        51
+        E8 ?? ?? ?? ??
+        }
+        /*
+        
+        this->dword101a0 = 1;
+        *p_dword101a4 = 12;
+        this->encrypted[5] = 4;
+        *(_DWORD *)&this->encrypted[6] = this->dword10198;
+        *(_WORD *)&this->encrypted[10] = this->dword1019c;
+        cme_crypt(&this->encrypted[5], *p_dword101a4 - 5);
+        */
+        $chunk_3 = {
+        C7 87 ?? ?? ?? ?? 01 00 00 00
+        8D 4E ??
+        C7 45 ?? 0C 00 00 00
+        C6 01 04
+        8B 87 ?? ?? ?? ??
+        89 41 ??
+        66 8B 87 ?? ?? ?? ??
+        66 89 41 ??
+        8B 45 ??
+        83 E8 05
+        50
+        51
+        E8 ?? ?? ?? ??
+        }
+        
+        /*
+        for ( i = 0; i < size; ++i )
+        encrypt[i] ^= v3[i % 0x70u];
+        for ( j = 0; ; ++j )
+        {
+        result = j;
+        if ( j >= size )
+        break;
+        encrypt[j] ^= v5[j % 0x64u];
+        }
+        
+        */
+        
+        $chunk_4 = {
+        83 65 ?? ??
+        EB ??
+        8B 45 ??
+        40
+        89 45 ??
+        8B 45 ??
+        3B 45 ??
+        7D ??
+        8B 45 ??
+        03 45 ??
+        0F B6 08
+        8B 45 ??
+        33 D2
+        6A ??
+        5E
+        F7 F6
+        0F B6 84 15 ?? ?? ?? ??
+        33 C8
+        8B 45 ??
+        03 45 ??
+        88 08
+        EB ??
+        83 65 ?? ??
+        EB ??
+        8B 45 ??
+        40
+        89 45 ??
+        8B 45 ??
+        }
+        
+    condition:
+        filesize < 8MB and
+        3 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_mustangpanda_windows_shellcode_decryptionalgorithm.yar b/yara_rules/apt_mustangpanda_windows_shellcode_decryptionalgorithm.yar
new file mode 100644
index 0000000..4c9f933
--- /dev/null
+++ b/yara_rules/apt_mustangpanda_windows_shellcode_decryptionalgorithm.yar
@@ -0,0 +1,29 @@
+rule apt_mustangpanda_windows_shellcode_decryptionalgorithm {
+    meta:
+        id = "c9873a5f-97a6-477f-a1a0-650441c73444"
+        version = "1.0"
+        description = "Decryption routine for Shellcode of MustangPanda"
+        author = "Sekoia.io"
+        creation_date = "2022-12-05"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $chunk_1 = {
+        7E ??
+        8B 55 ??
+        53
+        56
+        8B 75 ??
+        57
+        8B 7D ??
+        4F
+        8D A4 24 ?? ?? ?? ??
+        8A 1C 11
+        30 1C 30
+        }
+        
+    condition:
+        
+        filesize < 8MB and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_mustangpanda_xoreddll.yar b/yara_rules/apt_mustangpanda_xoreddll.yar
new file mode 100644
index 0000000..7ed11f7
--- /dev/null
+++ b/yara_rules/apt_mustangpanda_xoreddll.yar
@@ -0,0 +1,21 @@
+rule apt_mustangpanda_xoreddll {
+    meta:
+        id = "73d13624-01df-41ab-b449-86db43dc6c55"
+        version = "1.0"
+        description = "Detects xored DLL from MustangPanda embedding a document"
+        author = "Sekoia.io"
+        creation_date = "2022-07-19"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $clear = "This program cannot be run in DOS mode"
+        $stub = "This program cannot be run in DOS mode" xor
+        $res1 = "5w>w9wR'31Z" xor
+        $res2 = "r0y0~0KlBD" xor
+        $res3 = "d&o&h&öé7Æ" xor
+        $res4 = "9{2{5{+0" xor
+        
+    condition:
+        $stub and any of ($res*) and not $clear and filesize < 3MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_mustangpanda_zpakage.yar b/yara_rules/apt_mustangpanda_zpakage.yar
new file mode 100644
index 0000000..4f8f16c
--- /dev/null
+++ b/yara_rules/apt_mustangpanda_zpakage.yar
@@ -0,0 +1,32 @@
+rule apt_mustangpanda_zpakage {
+    meta:
+        id = "a4767d12-5058-4a26-be62-0cec685917bd"
+        version = "1.0"
+        description = "Detect obfuscation seen in ZPAKAGE"
+        author = "Sekoia.io"
+        creation_date = "2023-03-27"
+        classification = "TLP:CLEAR"
+        hash = "711c0e83f4e626a7b54e3948b281a71915a056c5341c8f509ecba535bc199bee"
+        
+    strings:
+        $chunk_1 = {
+        88 94 1D ?? ?? ?? ??
+        8A 84 1D ?? ?? ?? ??
+        83 ?? ??
+        88 84 1D ?? ?? ?? ??
+        8A 84 1D ?? ?? ?? ??
+        83 ?? ??
+        88 84 1D ?? ?? ?? ??
+        8A 84 1D ?? ?? ?? ??
+        83 ?? ??
+        88 84 1D ?? ?? ?? ??
+        0F BE 8C 1D ?? ?? ?? ??
+        0F BE 84 1D ?? ?? ?? ??
+        }
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        filesize < 1MB and filesize < 11MB and
+        #chunk_1 > 20
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_nobelium_acrobox_downloader_apr2022.yar b/yara_rules/apt_nobelium_acrobox_downloader_apr2022.yar
new file mode 100644
index 0000000..85a9324
--- /dev/null
+++ b/yara_rules/apt_nobelium_acrobox_downloader_apr2022.yar
@@ -0,0 +1,25 @@
+rule apt_nobelium_acrobox_downloader_apr2022 {
+    meta:
+        id = "77f7f01d-72a2-4b13-b23f-d938a415dd40"
+        version = "1.0"
+        description = "Detects AcroBox downloader"
+        author = "Sekoia.io"
+        creation_date = "2022-05-11"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = { 80 ?? 7B
+        0F 84 ?? ?? 00 00
+        80 ?? ?? 0F
+        0F 84 ?? ?? 00 00
+        80 ?? ?? 0F
+        0F 84 ?? ?? 00 00
+        80 ?? ?? 0F
+        0F 84 ?? ?? 00 00 }
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 200KB and
+        all of ($s*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_nobelium_nativezone_gen.yar b/yara_rules/apt_nobelium_nativezone_gen.yar
new file mode 100644
index 0000000..5cc42d0
--- /dev/null
+++ b/yara_rules/apt_nobelium_nativezone_gen.yar
@@ -0,0 +1,32 @@
+import "pe"
+        
+rule apt_nobelium_nativezone_gen {
+    meta:
+        id = "e16cac97-38dd-4145-95f5-cf641940a19b"
+        version = "1.0"
+        description = "Detects NativeZone used in 2022"
+        author = "Sekoia.io"
+        creation_date = "2022-02-25"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $rich = { 52 69 63 68 [4] 00 }
+        $obs = { C7 85 [8] C7 85 }
+        $nobs = { C7 85 [6] 00 00 C7 85 }
+        
+    condition:
+        pe.DLL and
+        filesize < 2500KB and
+        pe.number_of_exports > 20 and
+        pe.number_of_imports < 30 and
+        (
+        pe.imports("kernel32.dll", "VirtualAlloc") and
+        pe.imports("kernel32.dll", "VirtualProtect")
+        ) and for any i in (0..pe.number_of_sections - 1):
+        ( pe.sections[i].name == ".rdata" and
+        pe.sections[i].raw_data_size > 300000 )
+        and #obs > 300
+        and #nobs < 150
+        and not $rich
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_oilrig_clipog_strings.yar b/yara_rules/apt_oilrig_clipog_strings.yar
new file mode 100644
index 0000000..b05f2bf
--- /dev/null
+++ b/yara_rules/apt_oilrig_clipog_strings.yar
@@ -0,0 +1,21 @@
+rule apt_oilrig_clipog_strings {
+    meta:
+        id = "0ac40fd9-f67d-41fa-a774-77a3a1b7cac3"
+        version = "1.0"
+        description = "Detects OilRig's Clipog stealer"
+        author = "Sekoia.io"
+        creation_date = "2023-10-24"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "[ClipBoard=" wide
+        $ = "[NUMPAD .]" wide
+        $ = "[SPACE]" wide
+        $ = "GetClipboardData"
+        
+    condition:
+        uint16be(0) == 0x4d5a 
+        and filesize < 350KB 
+        and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_oilrig_maliciousdocument_may2022.yar b/yara_rules/apt_oilrig_maliciousdocument_may2022.yar
new file mode 100644
index 0000000..e5c0645
--- /dev/null
+++ b/yara_rules/apt_oilrig_maliciousdocument_may2022.yar
@@ -0,0 +1,23 @@
+rule apt_oilrig_maliciousdocument_may2022 {
+    meta:
+        id = "cb4ab310-e24c-4edc-8804-0c49c30124fb"
+        version = "1.0"
+        description = "Detects OilRig Malicious Document"
+        author = "Sekoia.io"
+        creation_date = "2022-05-13"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "<LogonType>InteractiveToken</LogonType>"
+        $s2 = "Select * From Win32_PingStatus Where Address"
+        $s3 = "She@et1"
+        $s4 = "_VBA_PROJECT" wide
+        $s5 = "This program cannot be run in DOS mode." base64
+        $s6 = ".Agent.pdb" base64
+        $s7 = "GetAgentID" base64
+        
+    condition:
+        uint32be(0) == 0xD0CF11E0 and
+        3 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_oilrig_odagent_strings.yar b/yara_rules/apt_oilrig_odagent_strings.yar
new file mode 100644
index 0000000..317b51c
--- /dev/null
+++ b/yara_rules/apt_oilrig_odagent_strings.yar
@@ -0,0 +1,22 @@
+rule apt_oilrig_odagent_strings {
+    meta:
+        id = "1c5c0eb5-7c6f-4a34-b2e2-4a7c6d7030d6"
+        version = "1.0"
+        description = "Detects ODAgent malware based on strings"
+        author = "Sekoia.io"
+        creation_date = "2023-12-20"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "application/x-www-form-urlencoded" ascii wide
+        $ = "dly>" ascii wide
+        $ = "DELETE" ascii wide
+        $ = "nok!" ascii wide
+        $ = ".c:/content" ascii wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 5MB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_oilrig_oilbooster_strings.yar b/yara_rules/apt_oilrig_oilbooster_strings.yar
new file mode 100644
index 0000000..4350ba9
--- /dev/null
+++ b/yara_rules/apt_oilrig_oilbooster_strings.yar
@@ -0,0 +1,21 @@
+rule apt_oilrig_oilbooster_strings {
+    meta:
+        id = "001d12bc-1e7e-4a6c-9172-66687d08d827"
+        version = "1.0"
+        description = "Detects OilBooster malware based on strings"
+        author = "Sekoia.io"
+        creation_date = "2023-12-20"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "/rt.ovf" wide ascii
+        $ = "User-Agent: " wide ascii
+        $ = "/me/drive/items" wide ascii
+        $ = "client_secret" wide ascii
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 5MB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_oilrig_powerexchange.yar b/yara_rules/apt_oilrig_powerexchange.yar
new file mode 100644
index 0000000..bc37a0f
--- /dev/null
+++ b/yara_rules/apt_oilrig_powerexchange.yar
@@ -0,0 +1,20 @@
+rule apt_oilrig_powerexchange {
+    meta:
+        id = "cb6b370f-7b05-480b-865e-ac81ded4a2a4"
+        version = "1.0"
+        description = "Detects OilRig's PowerExchange backdoor"
+        author = "Sekoia.io"
+        creation_date = "2023-10-24"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "($h.value).PadRight((($h.value).Length+($h.value).Length%4),'='" ascii wide
+        $ = "(($h.value).Length%4 -ne 0)" ascii wide
+        $ = "-match \"@@(.*)@@\"" ascii wide
+        $ = "[Environment]::NewLine+$_.Exception.Message | Out-File -FilePath" ascii wide
+        $ = "ContainsSubjectStrings.Add(\"@@\")" ascii wide
+        
+    condition:
+        2 of them and filesize < 50KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_oilrig_saitama_backdoor_may2022.yar b/yara_rules/apt_oilrig_saitama_backdoor_may2022.yar
new file mode 100644
index 0000000..1632601
--- /dev/null
+++ b/yara_rules/apt_oilrig_saitama_backdoor_may2022.yar
@@ -0,0 +1,21 @@
+rule apt_oilrig_saitama_backdoor_may2022 {
+    meta:
+        id = "4ea8c27f-c441-4616-a29b-2b5dfdd3bd20"
+        version = "1.0"
+        description = "Detects tje Saitama backdoor"
+        author = "Sekoia.io"
+        creation_date = "2022-05-13"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = { 7E [4] 7E [4] 59 0A 02 8E 69 06 28 [4] D1 0B 02 16 7E [4] 7E [4] 07 }
+        $ = "systeminfo | findstr" wide
+        $ = "powershell -exec bypass -enc" wide
+        $ = "SendAndReceive : {0}" wide
+        $ = "SleepSecond : Start" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        2 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_oilrig_saitama_backdoor_may2022_2.yar b/yara_rules/apt_oilrig_saitama_backdoor_may2022_2.yar
new file mode 100644
index 0000000..63df961
--- /dev/null
+++ b/yara_rules/apt_oilrig_saitama_backdoor_may2022_2.yar
@@ -0,0 +1,21 @@
+rule apt_oilrig_saitama_backdoor_may2022_2 {
+    meta:
+        id = "f885551a-d0f0-431d-aa4f-7caa93b1db6a"
+        version = "1.0"
+        description = "Detects Saitama backdoor variants"
+        author = "Sekoia.io"
+        creation_date = "2022-05-13"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "_CorExeMain"
+        $ = "GetAgentID"
+        $ = "ComputeStringHash"
+        $ = ".Agent.pdb"
+        $ = "TaskExecTimeout"
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        5 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_oilrig_sc5kv3_strings.yar b/yara_rules/apt_oilrig_sc5kv3_strings.yar
new file mode 100644
index 0000000..251fdfd
--- /dev/null
+++ b/yara_rules/apt_oilrig_sc5kv3_strings.yar
@@ -0,0 +1,19 @@
+rule apt_oilrig_sc5kv3_strings {
+    meta:
+        id = "885ea13b-47b0-4a6d-8136-9b31abc9064a"
+        version = "1.0"
+        description = "Detects SC5kv3 malware based on strings"
+        author = "Sekoia.io"
+        creation_date = "2023-12-20"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "no-reply this email!" ascii wide
+        $ = "The serial is " ascii wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 5MB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_oilrig_webshell.yar b/yara_rules/apt_oilrig_webshell.yar
new file mode 100644
index 0000000..868597f
--- /dev/null
+++ b/yara_rules/apt_oilrig_webshell.yar
@@ -0,0 +1,19 @@
+rule apt_oilrig_webshell {
+    meta:
+        id = "53955117-5176-4682-89ad-1503faba42aa"
+        version = "1.0"
+        description = "Detects a webshell used by OilRig"
+        author = "Sekoia.io"
+        creation_date = "2024-10-23"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "string d = com;"
+        $ = "string p = fu;"
+        $ = "#@rt12!@$$$nnMF##"
+        $ = "messi(d)))"
+        
+    condition:
+        2 of them and filesize < 80KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_polonium_deepcreep_strings.yar b/yara_rules/apt_polonium_deepcreep_strings.yar
new file mode 100644
index 0000000..ba2a890
--- /dev/null
+++ b/yara_rules/apt_polonium_deepcreep_strings.yar
@@ -0,0 +1,21 @@
+rule apt_polonium_deepcreep_strings {
+    meta:
+        id = "b04af229-2bea-4ee8-9e17-8e4befa06e3a"
+        version = "1.0"
+        description = "Tries to detect POLONIUM's DeepCreep implant"
+        author = "Sekoia.io"
+        creation_date = "2022-10-12"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = ";Invoke-Expression -Command '$shortcut =" ascii wide
+        $ = "CreateShortcut($c1" ascii wide
+        $ = "svchostdp.exe" ascii wide
+        $ = "HNlIC91IA==" ascii wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 3MB and
+        3 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_polonium_megacreep_strings.yar b/yara_rules/apt_polonium_megacreep_strings.yar
new file mode 100644
index 0000000..464fb32
--- /dev/null
+++ b/yara_rules/apt_polonium_megacreep_strings.yar
@@ -0,0 +1,29 @@
+rule apt_polonium_megacreep_strings {
+    meta:
+        id = "927c5fd6-0574-43bf-8db9-6ecc328estrin56c7"
+        version = "1.0"
+        description = "Tries to detect POLONIUM's MegaCreep implant"
+        author = "Sekoia.io"
+        creation_date = "2022-10-12"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "[#!#]" ascii wide
+        $ = "[$$%$$]" ascii wide
+        $ = ".e##x##e" ascii wide
+        $ = "WHLib.dll" ascii wide
+        $ = "TestService.txt" ascii wide
+        $ = "X = Stop" ascii wide
+        $ = "Sess.dll" ascii wide
+        $ = "filepathOnTarget" ascii wide
+        $ = "FileNameOnMega" ascii wide
+        $ = "Missing Parameter.. Format of command:" ascii wide
+        $ = "Your Old K##E##Y is Wronge" ascii wide
+        $ = "Your Upgrage Is Success" ascii wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 2MB and
+        3 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_polonium_powershell_creepydrive_strings.yar b/yara_rules/apt_polonium_powershell_creepydrive_strings.yar
new file mode 100644
index 0000000..2cfe2f6
--- /dev/null
+++ b/yara_rules/apt_polonium_powershell_creepydrive_strings.yar
@@ -0,0 +1,25 @@
+rule apt_polonium_powershell_creepydrive_strings {
+    meta:
+        id = "0ba196bd-9cd6-4553-b7bf-69989cdb8be4"
+        version = "1.0"
+        description = "Detects POLONIUM CreepyDrive Powershell implant"
+        author = "Sekoia.io"
+        creation_date = "2022-06-03"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "function Exec($comm)" base64 ascii  wide
+        $ = "$comm = $comm + \"| outstring" base64 ascii  wide
+        $ = "Invoke-Expression -Command:$comm" base64 ascii  wide
+        $ = "microsoft.com" base64 ascii  wide
+        $ = "$req = Invoke-WebRequest" base64 ascii  wide
+        $ = "$j += $data" base64 ascii  wide
+        $ = "$res = Exec($arr[$i])" base64 ascii  wide
+        $ = "$arr = @(iex \"$req\")" base64 ascii  wide
+        $ = "elseif ($req -cmatch" base64 ascii  wide
+        $ = "graph.microsoft.com" base64 ascii  wide
+        
+    condition:
+        3 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_polonium_technocreep_strings.yar b/yara_rules/apt_polonium_technocreep_strings.yar
new file mode 100644
index 0000000..014327a
--- /dev/null
+++ b/yara_rules/apt_polonium_technocreep_strings.yar
@@ -0,0 +1,28 @@
+rule apt_polonium_technocreep_strings {
+    meta:
+        id = "dad79df3-b081-458e-9c14-1d5e2b43ba91"
+        version = "1.1"
+        description = "Tries to detect TechnoCreep implant"
+        author = "Sekoia.io"
+        creation_date = "2022-10-12"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "file name : " ascii wide
+        $ = "copy to : " ascii wide
+        $ = "download" ascii wide
+        $ = "persistence" ascii wide
+        $ = "/cmdResult created!" ascii wide
+        $ = "/downloadsResulat created!" ascii wide
+        $ = "Downloading will take minets..." ascii wide
+        $ = "powershell -Command \"$c1 = " ascii wide
+        $ = "Missing Parameter.. Format of command:" ascii wide
+        $ = "File Fath On Target Device Not Exists>" ascii wide
+        $ = "/MissingDownloadParameter.txt" ascii wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 1MB and
+        4 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_qnapworm_loader_may2022.yar b/yara_rules/apt_qnapworm_loader_may2022.yar
new file mode 100644
index 0000000..8500a50
--- /dev/null
+++ b/yara_rules/apt_qnapworm_loader_may2022.yar
@@ -0,0 +1,29 @@
+rule apt_qnapworm_loader_may2022 {
+    meta:
+        id = "c6e87a55-73ea-4df4-ab61-b5d34968d741"
+        version = "1.0"
+        description = "Detects the QNAPWorm loader"
+        author = "Sekoia.io"
+        creation_date = "2022-05-23"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = {
+        66 C1 C0 05
+        0F B7 D8
+        81 C3 85 D0 FF FF
+        66 C1 C3 02
+        0F B7 C3
+        0F B6 9A ?? ?? ?? ??
+        33 D8
+        88 1C 11
+        42
+        0F B6 D2
+        81 FA ?? 00 00 00
+        }
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        all of ($s*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_queueseed.yar b/yara_rules/apt_queueseed.yar
new file mode 100644
index 0000000..fc54f71
--- /dev/null
+++ b/yara_rules/apt_queueseed.yar
@@ -0,0 +1,29 @@
+rule apt_queueseed {
+    meta:
+        id = "35f7ffd5-4f6f-4b31-8d60-c713a15d14e8"
+        version = "1.0"
+        description = "Detects strings of Queueseed/Kapeka malware"
+        author = "Sekoia.io"
+        creation_date = "2024-04-22"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        // Looking for strings with alignment
+        $ = {2D 00 6F 00 00 00} // '-o'
+        $ = {2D 00 62 00 63 00 00 00} //'-bc'
+        $ = {20 00 00 00 00 00 00 00} // ' '
+        $ = {20 00 2D 00 77 00 00 00} // ' -w'
+        $ = {35 00 3A 00 20 00 00 00} // '5: '
+        $ = {34 00 3A 00 20 00 00 00} // '4: '
+        $ = {33 00 3A 00 20 00 00 00} // '3: '
+        $ = {32 00 3A 00 20 00 00 00} // '2: '
+        $ = {31 00 3A 00 20 00 00 00} // '1: '
+        $ = {50 00 49 00 44 00 20 00 3A 00 20 00 00 00 00 00} // 'PID : '
+        
+        
+        $ = "ExitCode : " wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and all of them and filesize < 200KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_reaper_2fa_phishing_webpage.yar b/yara_rules/apt_reaper_2fa_phishing_webpage.yar
new file mode 100644
index 0000000..cc5ed12
--- /dev/null
+++ b/yara_rules/apt_reaper_2fa_phishing_webpage.yar
@@ -0,0 +1,24 @@
+rule apt_reaper_2fa_phishing_webpage {
+    meta:
+        id = "348ca2ad-c8f9-4aed-8a27-95caa3a34f4b"
+        version = "1.0"
+        description = "Detects Reaper 2FA phishing webpage"
+        author = "Sekoia.io"
+        creation_date = "2023-03-09"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "setTimeout(checkUpload,"
+        $ = "commChannel.addListener("
+        $ = "else if(commType =="
+        $ = "?dir=DOWN&method=READ&id="
+        $ = "Content : base64_encode(upload_data)"
+        $ = "$.post(upHttpRelayer"
+        $ = "var ablyUpData = {"
+        $ = "initComm();"
+        $ = "function Next(arg) {"
+        
+    condition:
+        3 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_reaper_malicious_lnk.yar b/yara_rules/apt_reaper_malicious_lnk.yar
new file mode 100644
index 0000000..366d5f9
--- /dev/null
+++ b/yara_rules/apt_reaper_malicious_lnk.yar
@@ -0,0 +1,16 @@
+rule apt_reaper_malicious_lnk {
+    meta:
+        id = "8f055d1b-5727-4d77-9671-cdbb1ea69d5f"
+        version = "1.0"
+        author = "Sekoia.io"
+        creation_date = "2023-09-12"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "*rshell.exe" wide
+        $ = "/od') do call" wide
+        
+    condition:
+        uint32be(0) == 0x4c000000 and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_redhotel_maliciouslnk_strings.yar b/yara_rules/apt_redhotel_maliciouslnk_strings.yar
new file mode 100644
index 0000000..1f1904f
--- /dev/null
+++ b/yara_rules/apt_redhotel_maliciouslnk_strings.yar
@@ -0,0 +1,26 @@
+rule apt_redhotel_maliciouslnk_strings {
+    meta:
+        id = "df2f0002-7921-4378-a936-ea0de5fbfa5a"
+        version = "1.0"
+        description = "Detects RedHotel's malicious LNKs"
+        author = "Sekoia.io"
+        creation_date = "2024-09-06"
+        classification = "TLP:CLEAR"
+        hash = "8e2c17040ec78cbcdc07bb2cf9dd7e01"
+        hash = "dc613a519e515ca817fdfb88f81fc9d7"
+        hash = "6f7d85c196c277a6a619f6d94b8f69b9"
+        hash = "b04d484d1e1d793b04af2a5fb88a8a57"
+        
+    strings:
+        $ = "desktop-" ascii
+        $ = ".\\1.docx" wide
+        $ = ".\\1.pdf" wide
+        $ = ".\\1.doc" wide
+        $ = ".\\1.ppt" wide
+        $ = ".\\1.pptx" wide
+        $ = "MACOS" wide
+        
+    condition:
+        uint32be(0) == 0x4c000000 and 3 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_rusticweb_stealer.yar b/yara_rules/apt_rusticweb_stealer.yar
new file mode 100644
index 0000000..6fd6df3
--- /dev/null
+++ b/yara_rules/apt_rusticweb_stealer.yar
@@ -0,0 +1,20 @@
+rule apt_rusticweb_stealer {
+    meta:
+        id = "813072e0-28de-4cb7-b2cc-71d77a1e8508"
+        version = "1.0"
+        description = "Detects stealer used by RusticWeb"
+        author = "Sekoia.io"
+        creation_date = "2024-01-09"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "-FTT=@"
+        $s2 = "https://oshi.at"
+        $s3 = "curl-T"
+        $s4 = "upload/upload.php"
+        $s5 = "cargo"
+        
+    condition:
+        uint16be(0) == 0x4d5a and filesize < 4MB and 3 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_sandworm_awfulshred_obfuscation_apr2022.yar b/yara_rules/apt_sandworm_awfulshred_obfuscation_apr2022.yar
new file mode 100644
index 0000000..7769143
--- /dev/null
+++ b/yara_rules/apt_sandworm_awfulshred_obfuscation_apr2022.yar
@@ -0,0 +1,17 @@
+rule apt_sandworm_awfulshred_obfuscation_apr2022 {
+    meta:
+        id = "52317e6b-7f2c-4c2a-bcfc-ebb4ab4c728e"
+        version = "1.0"
+        description = "Detects the AWFULSHRED wiper used by Sandworm"
+        author = "Sekoia.io"
+        creation_date = "2022-04-12"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $h = "#!/bin/bash"
+        $s = { 64 65 63 6c 61 72 65 20 2d 72 20 [8] 3d }
+        
+    condition:
+        $h at 0 and #s > 15
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_sandworm_caddywiper_stacked_strings.yar b/yara_rules/apt_sandworm_caddywiper_stacked_strings.yar
new file mode 100644
index 0000000..8f9824f
--- /dev/null
+++ b/yara_rules/apt_sandworm_caddywiper_stacked_strings.yar
@@ -0,0 +1,75 @@
+rule apt_sandworm_caddywiper_stacked_strings {
+    meta:
+        id = "7750c4b6-5781-4b1c-8200-cbce9f18aa56"
+        version = "2.0"
+        description = "Detects stacked strings used in the wiper."
+        author = "Sekoia.io"
+        creation_date = "2022-04-06"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ =  { C6 45 ?? 6E
+        C6 45 ?? 65
+        C6 45 ?? 74
+        C6 45 ?? 61
+        C6 45 ?? 70
+        C6 45 ?? 69
+        C6 45 ?? 33
+        C6 45 ?? 32
+        C6 45 ?? 2E
+        C6 45 ?? 64
+        C6 45 ?? 6C
+        C6 45 ?? 6C }
+        $ = {  C6 45 ?? 44
+        C6 45 ?? 65
+        C6 45 ?? 76
+        C6 45 ?? 69
+        C6 45 ?? 63
+        C6 45 ?? 65
+        C6 45 ?? 49
+        C6 45 ?? 6F
+        C6 45 ?? 43
+        C6 45 ?? 6F
+        C6 45 ?? 6E
+        C6 45 ?? 74
+        C6 45 ?? 72
+        C6 45 ?? 6F
+        C6 45 ?? 6C }
+        $ = { C6 45 ?? 5C
+        C6 45 ?? 00
+        C6 45 ?? 5C
+        C6 45 ?? 00
+        C6 45 ?? 2E
+        C6 45 ?? 00
+        C6 45 ?? 5C
+        C6 45 ?? 00
+        C6 45 ?? 50
+        C6 45 ?? 00
+        C6 45 ?? 48
+        C6 45 ?? 00
+        C6 45 ?? 59
+        C6 45 ?? 00
+        C6 45 ?? 53
+        C6 45 ?? 00
+        C6 45 ?? 49
+        C6 45 ?? 00
+        C6 45 ?? 43
+        C6 45 ?? 00
+        C6 45 ?? 41
+        C6 45 ?? 00
+        C6 45 ?? 4C
+        C6 45 ?? 00
+        C6 45 ?? 44
+        C6 45 ?? 00
+        C6 45 ?? 52
+        C6 45 ?? 00
+        C6 45 ?? 49
+        C6 45 ?? 00
+        C6 45 ?? 56
+        C6 45 ?? 00
+        C6 45 ?? 45 }
+        
+    condition:
+        uint16be(0) == 0x4d5a and 2 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_sandworm_notpetya_strings.yar b/yara_rules/apt_sandworm_notpetya_strings.yar
new file mode 100644
index 0000000..dc5f62c
--- /dev/null
+++ b/yara_rules/apt_sandworm_notpetya_strings.yar
@@ -0,0 +1,22 @@
+rule apt_sandworm_notpetya_strings {
+    meta:
+        id = "c6021638-1b59-4d20-a29d-95cabf256a28"
+        version = "1.0"
+        description = "Detects NotPetya worm"
+        author = "Sekoia.io"
+        creation_date = "2022-04-15"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "wevtutil cl Security &" wide
+        $ = "wevtutil cl System &" wide
+        $ = "u%s \\%s -accepteula -s" wide
+        $ = "\\\\%ws\\admin$\\%ws" wide
+        $ = "\\\\%s\\admin$" wide
+        $ = "C:\\Windows\\System32\\rundll32.exe \"C:\\Windows\\%s\",#1" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        3 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_sandworm_olympicdestroyer.yar b/yara_rules/apt_sandworm_olympicdestroyer.yar
new file mode 100644
index 0000000..a24d620
--- /dev/null
+++ b/yara_rules/apt_sandworm_olympicdestroyer.yar
@@ -0,0 +1,22 @@
+rule apt_sandworm_olympicdestroyer {
+    meta:
+        id = "6820eb32-fea2-4a00-a5a2-672ba09f8206"
+        version = "1.0"
+        description = "Detects OlympicDestroyer malware"
+        author = "Sekoia.io"
+        creation_date = "2022-04-15"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "cmd.exe /c (ping 0.0.0.0 > nul)" wide
+        $ = "if exist %programdata%\\evtchk.txt" wide
+        $ = "\\\\.\\pipe\\%ls" wide
+        $ = "%ProgramData%\\%COMPUTERNAME%.exe" wide
+        $ = "(exit 5) else ( type nul >" wide
+        $ = "Select * From Win32_ProcessStopTrace" nocase
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        3 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_sandworm_orcshred_apr2022.yar b/yara_rules/apt_sandworm_orcshred_apr2022.yar
new file mode 100644
index 0000000..1af6081
--- /dev/null
+++ b/yara_rules/apt_sandworm_orcshred_apr2022.yar
@@ -0,0 +1,19 @@
+rule apt_sandworm_orcshred_apr2022 {
+    meta:
+        id = "1a88800c-29e1-4e2c-8374-f5a93dd9fd91"
+        version = "1.0"
+        description = "Detects the ORCSHRED script"
+        author = "Sekoia.io"
+        creation_date = "2022-04-12"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "find /etc -name os-release >"
+        $ = "/bin/bash /var/"
+        $ = "crontab -l >"
+        $ = ".sh & disown"
+        
+    condition:
+        3 of them and filesize < 2KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_sandworm_powergap_apr2022.yar b/yara_rules/apt_sandworm_powergap_apr2022.yar
new file mode 100644
index 0000000..130b0b1
--- /dev/null
+++ b/yara_rules/apt_sandworm_powergap_apr2022.yar
@@ -0,0 +1,21 @@
+rule apt_sandworm_powergap_apr2022 {
+    meta:
+        id = "2a1c7f02-92b3-45b8-a710-253b1a28fe85"
+        version = "1.0"
+        description = "Detects the POWERGAP malware"
+        author = "Sekoia.io"
+        creation_date = "2022-04-12"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "Get-WmiObject Win32 ComputerSystem).Domain" nocase wide ascii
+        $ = "Write-Host \"Error1" nocase wide ascii
+        $ = "Write-Host \"Done\" -ForegroundColor Red" nocase wide ascii
+        $ = "sysvol\\$Domain\\Poicies\\$GpoGuid" nocase wide ascii
+        $ = "Function Start-work" nocase wide ascii
+        $ = "Domain: {0}\" -f $Domain)" nocase wide ascii
+        
+    condition:
+        filesize < 3KB and 5 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_scanbox_framework_not_obfuscated.yar b/yara_rules/apt_scanbox_framework_not_obfuscated.yar
new file mode 100644
index 0000000..77cd8d7
--- /dev/null
+++ b/yara_rules/apt_scanbox_framework_not_obfuscated.yar
@@ -0,0 +1,24 @@
+rule apt_scanbox_framework_not_obfuscated {
+    meta:
+        id = "4790f122-89de-4f7b-a25f-9ac7b1af8333"
+        version = "1.0"
+        description = "Detects the non obfuscated version of ScanBox"
+        author = "Sekoia.io"
+        creation_date = "2022-09-01"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "php?m=a&data="
+        $ = "php?m=p&data="
+        $ = ".fun.split_data = function"
+        $ = ".php?data="
+        $ = ".php?m=b"
+        $ = "basic.apipath"
+        $ = ".info.seed ="
+        $ = "loadjs ="
+        $ = "info.color = screen.colorDepth"
+        
+    condition:
+        5 of them and filesize < 500KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_scanbox_obfuscated_versions.yar b/yara_rules/apt_scanbox_obfuscated_versions.yar
new file mode 100644
index 0000000..97f5dcc
--- /dev/null
+++ b/yara_rules/apt_scanbox_obfuscated_versions.yar
@@ -0,0 +1,21 @@
+rule apt_scanbox_obfuscated_versions {
+    meta:
+        id = "2866cead-7f16-4895-80ef-aad6fb66e864"
+        version = "1.0"
+        description = "Detects obfuscated versions of the scanbox framework"
+        author = "Sekoia.io"
+        creation_date = "2022-09-01"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "$_$_$_$__$_____$__$_$_$_$__$"
+        $ = "NztCm_NcDkh"
+        $ = "____$_$__$__$_______w____$_$__$__$_____i____$_$__$__$_____"
+        $ = "391,379,398,381,386"
+        $ = "plguinurl"
+        $ = "plugin_timeout*1000"
+        
+    condition:
+        2 of them and filesize < 500KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_shadowpad_first_called_function.yar b/yara_rules/apt_shadowpad_first_called_function.yar
new file mode 100644
index 0000000..2b8161c
--- /dev/null
+++ b/yara_rules/apt_shadowpad_first_called_function.yar
@@ -0,0 +1,37 @@
+rule apt_shadowpad_first_called_function {
+    meta:
+        id = "3ce1ffd3-5c30-4b36-b7cc-c9fa873ebc25"
+        version = "1.0"
+        description = "Detects entrypoint of shadowpad"
+        author = "Sekoia.io"
+        creation_date = "2023-01-30"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $chunk_1 = {
+        48 83 EC 28
+        33 C9
+        FF 15 ?? ?? ?? ??
+        8B 80 ?? ?? ?? ??
+        3B 05 ?? ?? ?? ??
+        74 ??
+        E8 ?? ?? ?? ??
+        E8 ?? ?? ?? ??
+        EB ??
+        48 8B 0D ?? ?? ?? ??
+        E8 ?? ?? ?? ??
+        8B C8
+        FF 15 ?? ?? ?? ??
+        90
+        B9 28 04 00 00
+        FF 15 ?? ?? ?? ??
+        90
+        48 83 C4 28
+        C3
+        }
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_sidecopy_actionrat_packer_strings.yar b/yara_rules/apt_sidecopy_actionrat_packer_strings.yar
new file mode 100644
index 0000000..2b79515
--- /dev/null
+++ b/yara_rules/apt_sidecopy_actionrat_packer_strings.yar
@@ -0,0 +1,20 @@
+rule apt_sidecopy_actionrat_packer_strings {
+    meta:
+        id = "b9370bd5-12e1-448e-a5b1-2acc72adc4a7"
+        version = "1.0"
+        description = "Detects SideCopy's ActionRAT (packer?)"
+        author = "Sekoia.io"
+        creation_date = "2023-05-11"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "(HTTP/1\\.[01]) (\\d{3})(?: (.*?))?"
+        $ = "cpp-httplib/0.7"
+        $ = "\\HTTP Arsanel\\"
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 1MB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_sidecopy_cheex.yar b/yara_rules/apt_sidecopy_cheex.yar
new file mode 100644
index 0000000..ea168e6
--- /dev/null
+++ b/yara_rules/apt_sidecopy_cheex.yar
@@ -0,0 +1,17 @@
+rule apt_sidecopy_cheex {
+    meta:
+        id = "e9b57f15-e703-4367-b501-fa8a873e4455"
+        version = "1.0"
+        description = "Detects PDB path of Cheex"
+        author = "Sekoia.io"
+        creation_date = "2024-08-14"
+        classification = "TLP:CLEAR"
+        hash = "825c7a1603f800ff247c8f3e9a1420af"
+        
+    strings:
+        $ = "C:\\Users\\Dead Snake\\source\\repos\\cheex" ascii fullword
+        
+    condition:
+        uint16be(0) == 0x4d5a and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_sidecopy_malicious_macro.yar b/yara_rules/apt_sidecopy_malicious_macro.yar
new file mode 100644
index 0000000..3f07e9d
--- /dev/null
+++ b/yara_rules/apt_sidecopy_malicious_macro.yar
@@ -0,0 +1,22 @@
+rule apt_sidecopy_malicious_macro {
+    meta:
+        id = "4b90c33e-48d4-48b6-87a7-c35686e7e913"
+        version = "1.0"
+        description = "Detects malicious macro used by SideCopy"
+        author = "Sekoia.io"
+        creation_date = "2023-05-11"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "htmlFile$"
+        $ = "Gecko/20100101 Firefox/91.0"
+        $ = "Start Menu\\Programs\\Startup\\"
+        $ = "Document_Close"
+        $ = "ThisDocument" wide
+        $ = "ServerXMLHTTP.6.0"
+        
+    condition:
+        uint32be(0) == 0xD0CF11E0 and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_sidecopy_reverserat_strings.yar b/yara_rules/apt_sidecopy_reverserat_strings.yar
new file mode 100644
index 0000000..ccf87b5
--- /dev/null
+++ b/yara_rules/apt_sidecopy_reverserat_strings.yar
@@ -0,0 +1,24 @@
+rule apt_sidecopy_reverserat_strings {
+    meta:
+        id = "383397c9-fd4a-4255-a8f2-27683bdbb7f7"
+        version = "1.0"
+        description = "Detects SideCopy's ReverseRAT"
+        author = "Sekoia.io"
+        creation_date = "2023-05-11"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "downloadexe" wide
+        $ = "creatdir" wide
+        $ = "regnewkey" wide
+        $ = "reglist" wide
+        $ = "regdelkey" wide
+        $ = "clipboardset" wide
+        $ = "shellexec" wide
+        $ = "SELECT maxclockspeed,  datawidth, name, manufacturer FROM Win32_Processor" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_sofacy_graphitemalware_generic.yar b/yara_rules/apt_sofacy_graphitemalware_generic.yar
new file mode 100644
index 0000000..568a15f
--- /dev/null
+++ b/yara_rules/apt_sofacy_graphitemalware_generic.yar
@@ -0,0 +1,26 @@
+import "pe"
+        
+rule apt_sofacy_graphitemalware_generic {
+    meta:
+        id = "6b51cfa3-4a7d-4c2a-9fd9-f129b8a18466"
+        version = "1.0"
+        description = "Detects APT28 graphite malware based on strings"
+        author = "Sekoia.io"
+        creation_date = "2022-09-27"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "Microsoft Enhanced RSA and AES Cryptographic Provider" wide
+        $ = "Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)" wide
+        $ = "%s %04d sp%1d.%1d %s"
+        $ = "%s%c%s%c%s"
+        $ = "InternetReadFile"
+        $ = "ObtainUserAgentString"
+        $ = "CryptImportKey"
+        
+    condition:
+        uint16be(0) == 0x4d5a and 
+        filesize < 100KB   and
+        ( all of them or pe.imphash() == "c56c322548250651361aef7dacf93eaf" )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_spikedwine_malicious_hta.yar b/yara_rules/apt_spikedwine_malicious_hta.yar
new file mode 100644
index 0000000..96ceafb
--- /dev/null
+++ b/yara_rules/apt_spikedwine_malicious_hta.yar
@@ -0,0 +1,18 @@
+rule apt_spikedwine_malicious_hta {
+    meta:
+        id = "e4526142-d98a-bf35-9d2c-ca2e83638c4b"
+        version = "1.0"
+        description = "Detects malicious HTA used by SPIKEDWINE"
+        author = "Sekoia.io"
+        creation_date = "2024-02-29"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "<HTA:APPLICATION ID=" nocase
+        $ = "return _0x"
+        $ = "font-size: 18px;"
+        
+    condition:
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_spikedwine_wineloader.yar b/yara_rules/apt_spikedwine_wineloader.yar
new file mode 100644
index 0000000..66717e8
--- /dev/null
+++ b/yara_rules/apt_spikedwine_wineloader.yar
@@ -0,0 +1,27 @@
+import "pe"
+        
+rule apt_spikedwine_wineloader {
+    meta:
+        id = "7a599076-cd9d-42c4-a83a-9a991ede19fb"
+        version = "1.0"
+        description = "Detects vineloader"
+        author = "Sekoia.io"
+        creation_date = "2024-02-29"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $c = { E8 ?? ?? ?? ?? 48 8D 0D
+        ?? ?? ?? ?? 48 8D 05 ??
+        ?? ?? ?? 48 89 05 ?? ??
+        ?? ?? 48 C7 05 ?? ?? ??
+        ?? ?? ?? 00 00 48 C7 05
+        ?? ?? ?? ?? ?? ?? 00 00 }
+        
+    condition:
+        pe.is_dll() and
+        filesize < 100KB and
+        for any export in pe.export_details: (
+            $c in (export.offset..export.offset+100)
+        )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_spynote_android_dex_strings.yar b/yara_rules/apt_spynote_android_dex_strings.yar
new file mode 100644
index 0000000..4d8caf5
--- /dev/null
+++ b/yara_rules/apt_spynote_android_dex_strings.yar
@@ -0,0 +1,21 @@
+rule apt_spynote_android_dex_strings {
+    meta:
+        id = "87fb8b7a-bfac-4003-b618-50b4a7863928"
+        version = "1.0"
+        description = "Detects Android SpyNote DEX file"
+        author = "Sekoia.io"
+        creation_date = "2022-08-22"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "is not file found"
+        $ = "Can not access"
+        $ = "PANG !!"
+        $ = "On Start!!"
+        
+    condition:
+        uint32be(0) == 0x6465780A and
+        filesize < 1MB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_stripedfly.yar b/yara_rules/apt_stripedfly.yar
new file mode 100644
index 0000000..31d040f
--- /dev/null
+++ b/yara_rules/apt_stripedfly.yar
@@ -0,0 +1,18 @@
+rule apt_stripedfly {
+    meta:
+        id = "81968d34-3247-4965-ba44-55747370c90e"
+        version = "1.0"
+        description = "Detects string relative to Stripedfly malware"
+        author = "Sekoia.io"
+        creation_date = "2023-11-30"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "{\"id\":%d,\"jsonrpc\":\"2.0\",\"method\":\"%s\",\"params\":%s}"
+        $s2 = "{\"login\":\"%s\",\"pass\":\"%s\",\"agent\":\"\"}"
+        $s3 = "(tcp|ssl)://([A-Za-z0-9\\.\\-]+):([0-9]+)"
+        
+    condition:
+        filesize < 3MB and 2 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_sugardump_credentials_stealer_http.yar b/yara_rules/apt_sugardump_credentials_stealer_http.yar
new file mode 100644
index 0000000..d807d9a
--- /dev/null
+++ b/yara_rules/apt_sugardump_credentials_stealer_http.yar
@@ -0,0 +1,29 @@
+rule apt_sugardump_credentials_stealer_http {
+    meta:
+        id = "47d01ba8-9fdd-42d5-9f10-115f982dc133"
+        version = "1.0"
+        author = "Sekoia.io"
+        creation_date = "2022-08-23"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "\\Google\\Chrome\\User Data" wide
+        $ = "\\DebugLogWindowsDefender.txt" wide
+        $ = "Opera Software\\Opera Stable" wide
+        $ = "Microsoft\\Edge\\User Data" wide
+        $ = "\"encrypted_key\":\"(.*?)\\" wide
+        $ = "Url:" wide
+        $ = "Username:" wide
+        $ = "Password:" wide
+        $ = "Application:" wide
+        $ = "BCrypt.BCryptDecrypt" wide
+        $ = "C:\\Users\\User\\" wide
+        $ = "_CorExeMain"
+        $ = "http://" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 1MB and
+        10 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_sugardump_credentials_stealer_smtp.yar b/yara_rules/apt_sugardump_credentials_stealer_smtp.yar
new file mode 100644
index 0000000..b0e25cc
--- /dev/null
+++ b/yara_rules/apt_sugardump_credentials_stealer_smtp.yar
@@ -0,0 +1,21 @@
+rule apt_sugardump_credentials_stealer_smtp {
+    meta:
+        id = "bf028ebc-bfaa-45b3-9a3f-8949a5efbb73"
+        version = "1.0"
+        description = "Detects SUGARDUMP SMTP version"
+        author = "Sekoia.io"
+        creation_date = "2022-08-23"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "<<<<<<<< ------ Passwords Total: {0} --------- >>>>>>>>" wide
+        $ = "Url = {0} , Count = {1}" wide
+        $ = "smtp." wide
+        $ = "encrypted_key\":\"(.*?)\"" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 1MB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_sugargh0stcampaign_malicious_lnk.yar b/yara_rules/apt_sugargh0stcampaign_malicious_lnk.yar
new file mode 100644
index 0000000..572e080
--- /dev/null
+++ b/yara_rules/apt_sugargh0stcampaign_malicious_lnk.yar
@@ -0,0 +1,19 @@
+rule apt_sugargh0stcampaign_malicious_lnk {
+    meta:
+        id = "4297c150-d125-49b9-8850-fcedf5284ae9"
+        version = "1.0"
+        description = "Detects malicious LNK used in SugarGh0st campaign"
+        author = "Sekoia.io"
+        creation_date = "2023-12-01"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "dir /S/b *.lnk " wide
+        $ = "%temp%\\*.lnk" wide
+        
+    condition:
+        uint32be(0) == 0x4c000000 and
+        filesize < 1MB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_susp_apt28_uac0063_hatvibe.yar b/yara_rules/apt_susp_apt28_uac0063_hatvibe.yar
new file mode 100644
index 0000000..61266c4
--- /dev/null
+++ b/yara_rules/apt_susp_apt28_uac0063_hatvibe.yar
@@ -0,0 +1,21 @@
+rule apt_susp_apt28_uac0063_hatvibe {
+    meta:
+        id = "c4e04671-e75f-40a4-a489-79c2ce91cf7a"
+        version = "1.0"
+        description = "Detects some suspected UAC-0063/APT28 HTA loader"
+        author = "Sekoia.io"
+        creation_date = "2024-07-25"
+        classification = "TLP:CLEAR"
+        hash = "332d9db35daa83c5ad226b9bf50e992713bc6a69c9ecd52a1223b81e992bc725"
+        
+    strings:
+        $ = "& temp(Mid(" ascii fullword
+        $ = ".InnerHTML =" ascii fullword
+        $ = "peceert" ascii fullword
+        $ = "window.setTimeout" ascii fullword
+        $ = "cmdline = Split(" ascii fullword
+        
+    condition:
+        3 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_susp_apt28_uac0063_hta_loader.yar b/yara_rules/apt_susp_apt28_uac0063_hta_loader.yar
new file mode 100644
index 0000000..56d5ee0
--- /dev/null
+++ b/yara_rules/apt_susp_apt28_uac0063_hta_loader.yar
@@ -0,0 +1,19 @@
+rule apt_susp_apt28_uac0063_hta_loader {
+    meta:
+        id = "8e1889c1-c6ac-4048-9d3a-99ccbbd5435f"
+        version = "1.0"
+        description = "Detects some suspected APT28 HTA loader"
+        author = "Sekoia.io"
+        creation_date = "2024-07-25"
+        classification = "TLP:CLEAR"
+        hash = "332d9db35daa83c5ad226b9bf50e992713bc6a69c9ecd52a1223b81e992bc725"
+        
+    strings:
+        $ = "<HEAD><HTA:APPLICATION ID" ascii fullword
+        $ = "id=service>null</span" ascii fullword
+        $ = "script Language=\"VBScript.Encode" ascii fullword
+        
+    condition:
+        2 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_susp_apt28_uac0063_malicious_doc.yar b/yara_rules/apt_susp_apt28_uac0063_malicious_doc.yar
new file mode 100644
index 0000000..d9b00e3
--- /dev/null
+++ b/yara_rules/apt_susp_apt28_uac0063_malicious_doc.yar
@@ -0,0 +1,19 @@
+rule apt_susp_apt28_uac0063_malicious_doc {
+    meta:
+        id = "2b9d597a-a6cd-49df-8938-7103342a1d06"
+        version = "1.0"
+        description = "Detects some suspected APT28 document"
+        author = "Sekoia.io"
+        creation_date = "2024-07-25"
+        classification = "TLP:CLEAR"
+        hash = "93322be0785556e627d2b09832c18e39c115e6a6fbff64b1e590e1ddcf8f6a43"
+        
+    strings:
+        $ = "Sub pop() : : End Sub" ascii fullword
+        $ = "%localappdata%\\Temp" ascii fullword
+        $ = "rthedbv" ascii fullword
+        
+    condition:
+        2 of them and filesize < 1MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_susp_apt28_uac0063_malicious_doc_settings_xml.yar b/yara_rules/apt_susp_apt28_uac0063_malicious_doc_settings_xml.yar
new file mode 100644
index 0000000..60b1b51
--- /dev/null
+++ b/yara_rules/apt_susp_apt28_uac0063_malicious_doc_settings_xml.yar
@@ -0,0 +1,20 @@
+rule apt_susp_apt28_uac0063_malicious_doc_settings_xml {
+    meta:
+        id = "fd104985-6441-4fb6-8cc1-30afa4a7797b"
+        version = "1.0"
+        description = "Detects some suspected APT28 document settings.xml"
+        author = "Sekoia.io"
+        creation_date = "2024-07-25"
+        classification = "TLP:CLEAR"
+        hash = "0272acc6ed17c72320e4e7b0f5d449841d0ccab4ea89f48fd69d0a292cc5d39a"
+        
+    strings:
+        $ = "http://schemas.openxmlformats.org/" ascii fullword
+        $ = "Call svc.GetFolder(" ascii fullword
+        $ = "CreateTextFile(appdir" ascii fullword
+        $ = "Sub Document_Open() : On Error Resume Next" ascii fullword
+        
+    condition:
+        2 of them and filesize < 1MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_susp_apt28_uac0063_malicious_doc_vba.yar b/yara_rules/apt_susp_apt28_uac0063_malicious_doc_vba.yar
new file mode 100644
index 0000000..dc7afcd
--- /dev/null
+++ b/yara_rules/apt_susp_apt28_uac0063_malicious_doc_vba.yar
@@ -0,0 +1,18 @@
+rule apt_susp_apt28_uac0063_malicious_doc_vba {
+    meta:
+        id = "58040dbd-09ae-4f9e-940d-3a522e7ccfbb"
+        version = "1.0"
+        description = "Detects some suspected APT28 document vba"
+        author = "Sekoia.io"
+        creation_date = "2024-07-25"
+        classification = "TLP:CLEAR"
+        hash = "fceffb8ae94cef3af21b2943131e94db9e0e67073de48d9d32601a245448d067"
+        
+    strings:
+        $ = { 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 33 31 30 }
+        $ = "ThisDocument" wide
+        
+    condition:
+        uint32be(0) == 0xd0cf11e0 and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_susp_lazarus_dangerous_password.yar b/yara_rules/apt_susp_lazarus_dangerous_password.yar
new file mode 100644
index 0000000..514fee4
--- /dev/null
+++ b/yara_rules/apt_susp_lazarus_dangerous_password.yar
@@ -0,0 +1,16 @@
+rule apt_susp_lazarus_dangerous_password {
+    meta:
+        id = "726c8b92-7fbe-40f8-917a-cabd206028da"
+        version = "1.0"
+        author = "Sekoia.io"
+        creation_date = "2023-09-12"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = ".jpeg" wide
+        $ = "mshta"
+        
+    condition:
+        uint32be(0) == 0x4c000000 and all of them and filesize < 5KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_suspected_sandworm_sdelete_wiper.yar b/yara_rules/apt_suspected_sandworm_sdelete_wiper.yar
new file mode 100644
index 0000000..792881c
--- /dev/null
+++ b/yara_rules/apt_suspected_sandworm_sdelete_wiper.yar
@@ -0,0 +1,20 @@
+rule apt_suspected_sandworm_sdelete_wiper {
+    meta:
+        id = "c1419b11-33e5-4280-b92a-039719cb17d3"
+        version = "1.0"
+        description = "Detects Sdelete wiper"
+        author = "Sekoia.io"
+        creation_date = "2023-10-25"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = ".exe -accepteula -r -s -q" wide
+        $s2 = "sdelete [-p passes] [-r]" wide
+        $s3 = "!This program cannot be run in DOS mode."
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        $s1 and $s2 and #s3 == 2 and
+        filesize < 500KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_ta410_driver_keylogger.yar b/yara_rules/apt_ta410_driver_keylogger.yar
new file mode 100644
index 0000000..2a8c96a
--- /dev/null
+++ b/yara_rules/apt_ta410_driver_keylogger.yar
@@ -0,0 +1,24 @@
+rule apt_ta410_driver_keylogger {
+    meta:
+        id = "0cba1b3b-b93e-41e3-a7df-afd306e6b519"
+        version = "1.0"
+        description = "Keylogger TA410"
+        author = "Sekoia.io"
+        creation_date = "2022-10-11"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "namedpipe_keymousespy" ascii wide
+        $ = "[`LCTRL]" ascii wide
+        $ = "[`RCTRL]" ascii wide
+        $ = "[`BREAK]" ascii wide
+        $ = "[`NUMLOCK]" ascii wide
+        $ = "[`L]" ascii wide
+        $ = "[`R]" ascii wide
+        $ = "[`M]" ascii wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and filesize < 1MB and
+        3 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_ta410_flowcloud_loader.yar b/yara_rules/apt_ta410_flowcloud_loader.yar
new file mode 100644
index 0000000..ecb2e59
--- /dev/null
+++ b/yara_rules/apt_ta410_flowcloud_loader.yar
@@ -0,0 +1,24 @@
+rule apt_ta410_flowcloud_loader {
+    meta:
+        id = "0a11dfa0-5a59-477b-baf6-6a777d020860"
+        version = "1.0"
+        description = "Detects FlowCloud Loader"
+        author = "Sekoia.io"
+        creation_date = "2024-05-27"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $decryption_function = {8A C8 80 C1 26 32 D1 30 14 38}
+        $derivation_key = {6B 04 00 00 F7 ?? 81 c2 a8 01 00 00}
+        
+        $new_pattern_1 = {50 33 c0 58 74 01 e8}
+        $new_pattern_2 = {89 44 24 fc 58 8D 64
+        24 fc 81 fc 00 10 00
+        00 77 06 81 c4 ?? ??
+        ?? ?? 8B 44 24 FC}
+        $patch_bytes = {68 78 56 34 12 C3 90 90 90 90 90 00}
+        
+    condition:
+        uint16be(0) == 0x4d5a and filesize < 4MB and 2 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_ta410_flowcloud_rtti.yar b/yara_rules/apt_ta410_flowcloud_rtti.yar
new file mode 100644
index 0000000..3c86831
--- /dev/null
+++ b/yara_rules/apt_ta410_flowcloud_rtti.yar
@@ -0,0 +1,18 @@
+rule apt_ta410_flowcloud_rtti {
+    meta:
+        id = "c6a18c08-8b98-46d7-a6c3-dc171c7791ac"
+        version = "1.0"
+        description = "Detects FlowCloud via RTTI"
+        author = "Sekoia.io"
+        creation_date = "2022-10-11"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $RTTI_1 = ".?AVdllloader@@" ascii fullword
+        $RTTI_2 = ".?AVel_cryptowrapper@@" ascii fullword
+        $RTTI_3 = ".?AVAntiVirusCheck@@" ascii fullword
+        
+    condition:
+        uint16(0) == 0x5A4D and filesize < 10MB and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_ta428_tmanger_strings.yar b/yara_rules/apt_ta428_tmanger_strings.yar
new file mode 100644
index 0000000..dcd83a1
--- /dev/null
+++ b/yara_rules/apt_ta428_tmanger_strings.yar
@@ -0,0 +1,27 @@
+rule apt_ta428_tmanger_strings {
+    meta:
+        id = "f600404d-3f93-4e3f-bba7-9f519f67c6cb"
+        version = "1.0"
+        description = "Detects Tmanger malware"
+        author = "Sekoia.io"
+        creation_date = "2022-09-06"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "sock_hmutex" wide ascii
+        $ = "cmd_hmutex" wide ascii
+        $ = "%s_%d.bmp" wide ascii
+        $ = "WSAStartup Error!" wide ascii
+        $ = "4551-8f84-08e738aec" wide ascii
+        $ = "Init failed!" wide ascii
+        $ = "GetLanIP error!" wide ascii
+        $ = "chcp & exit" wide ascii
+        $ = "GetHostname error!" wide ascii
+        $ = "[Num Lock]" wide ascii
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 200KB and
+        4 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_tealkurma_snappytcp_reverse_shell_strings.yar b/yara_rules/apt_tealkurma_snappytcp_reverse_shell_strings.yar
new file mode 100644
index 0000000..59fe644
--- /dev/null
+++ b/yara_rules/apt_tealkurma_snappytcp_reverse_shell_strings.yar
@@ -0,0 +1,22 @@
+rule apt_tealkurma_snappytcp_reverse_shell_strings {
+    meta:
+        id = "e842825c-546c-475a-bc94-7e97aea4e9e0"
+        version = "1.0"
+        description = "Detects TealKurma SnappyTCP reverse shell"
+        author = "Sekoia.io"
+        creation_date = "2023-12-08"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "2>&1>/dev/null&" ascii
+        $ = ".php HTTP/1.1" ascii
+        $ = "GET /" ascii
+        $ = "Hostname: %s" ascii
+        $ = "bash -c \"./" ascii
+        
+    condition:
+        uint32be(0) == 0x7f454c46 and
+        filesize < 3MB and
+        3 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_tealkurma_snappytcp_strings.yar b/yara_rules/apt_tealkurma_snappytcp_strings.yar
new file mode 100644
index 0000000..e4898b0
--- /dev/null
+++ b/yara_rules/apt_tealkurma_snappytcp_strings.yar
@@ -0,0 +1,19 @@
+rule apt_tealkurma_snappytcp_strings {
+    meta:
+        id = "6bbee6d6-f490-4550-bd61-a643f93a8788"
+        version = "1.0"
+        description = "Detects TealKurma SnappyTCP shell script"
+        author = "Sekoia.io"
+        creation_date = "2023-12-08"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "#!/bin/bash" ascii
+        $s2 = "2>&1>/dev/null&" ascii
+        $s3 = "PATH=$PATH:$PWD;" ascii
+        
+    condition:
+        $s1 at 0 and $s2 at filesize-16 and $s3 
+        and filesize < 300
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_toddycat_toddybox_strings.yar b/yara_rules/apt_toddycat_toddybox_strings.yar
new file mode 100644
index 0000000..ec974ee
--- /dev/null
+++ b/yara_rules/apt_toddycat_toddybox_strings.yar
@@ -0,0 +1,25 @@
+rule apt_toddycat_toddybox_strings {
+    meta:
+        id = "fde3df24-ebd7-4327-998e-bddaa08835da"
+        version = "1.0"
+        description = "Detects ToddyCat's ToddyBox binary"
+        author = "Sekoia.io"
+        creation_date = "2023-11-20"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "Wait a while to upload the next file..."
+        $ = "[-] Error Msg: %s"
+        $ = "[-] Error Msg: Connect Errors or Proxy Errors"
+        $ = "[-] arg missing!"
+        $ = "[-] Get module dir failed!"
+        $ = "[-] Dir error!"
+        $ = "Auto Get Proxy %S"
+        $ = "Dropbox-API-Arg"
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 1MB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_toddycat_tomberbil_strings.yar b/yara_rules/apt_toddycat_tomberbil_strings.yar
new file mode 100644
index 0000000..988a853
--- /dev/null
+++ b/yara_rules/apt_toddycat_tomberbil_strings.yar
@@ -0,0 +1,23 @@
+rule apt_toddycat_tomberbil_strings {
+    meta:
+        id = "b16f4d35-ea59-4439-8ddb-2c0415b97b9b"
+        version = "1.0"
+        description = "Detects TomBerBil password stealer"
+        author = "Sekoia.io"
+        creation_date = "2024-04-23"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "[+] Begin" ascii wide
+        $ = "[+] Delete File" ascii wide
+        $ = "[+] Current user" ascii wide
+        $ = "[+] Impersonate user" ascii wide
+        $ = "[+] Local State File" ascii wide
+        $ = "[>] Profile" ascii wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 1MB and
+        4 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_toddycat_waexp_strings.yar b/yara_rules/apt_toddycat_waexp_strings.yar
new file mode 100644
index 0000000..17703ed
--- /dev/null
+++ b/yara_rules/apt_toddycat_waexp_strings.yar
@@ -0,0 +1,19 @@
+rule apt_toddycat_waexp_strings {
+    meta:
+        id = "1bbb3e81-14a9-4bda-b647-b6f5255e9a16"
+        version = "1.0"
+        description = "Detects WAExp based on strings"
+        author = "Sekoia.io"
+        creation_date = "2024-04-23"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "[>] Profile:" wide ascii
+        $ = "[+] All Done" wide ascii
+        $ = "[+] Files:" wide ascii
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        all of them and filesize < 1MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_toneshell_loader.yar b/yara_rules/apt_toneshell_loader.yar
new file mode 100644
index 0000000..4d50cb3
--- /dev/null
+++ b/yara_rules/apt_toneshell_loader.yar
@@ -0,0 +1,41 @@
+rule apt_toneshell_loader {
+    meta:
+        id = "b4bf284b-cab6-455e-a1c1-ad341d43bfdd"
+        version = "1.0"
+        description = "Detects loader of ToneShell (exception based)"
+        author = "Sekoia.io"
+        creation_date = "2024-10-02"
+        classification = "TLP:CLEAR"
+        hash = "41e0d172d900344a3692b88fff7527d9"
+        hash = "782cf7183735935f3f7aad041cec3184"
+        hash = "97c1f436028c58b51d4c92ee9c9ce424"
+        hash = "d6c771f2afd8ce35e8727f95f3a3c6c4"
+        hash = "b8520c5bad88ade394086cb7b1b7b631"
+        hash = "0b3e8571e70a32490da19f6b3283151c"
+        hash = "f6784c65ee115a9ae4c0fb03e0045285"
+        hash = "38888696e5223c77f5f8680922396123"
+        hash = "b52d0707e4e5d5c0d5fd5f5a177ba712"
+        hash = "fd54c6d17ff91640b377ff41353efdaa"
+        hash = "a6efe263acc794a212647a96e52ddf1f"
+        hash = "6e8c80c5f2f9a1da504618e984d2a56c"
+        hash = "0839666697ccc562a9c1fe77d6755931"
+        hash = "f367f2fe580e556176b60da202c742a5"
+        hash = "e8b2fcc14494ada2f28d1f6ecd2521a2"
+        hash = "c08589e10812cc7d636dcbe2a36d43b4"
+        hash = "fa848a05cfecc0c25cd21364c9516584"
+        hash = "be231f7879d8d2159b67b7f277527268"
+        hash = "2acd8b48202dcc30d88a871370c4f37a"
+        hash = "72963bfc2837695f038680471d4f061c"
+        
+    strings:
+        $exception = {00 00 00 00 2e 44 00 00}
+        $code = {02 00 00 00 66 89 96}
+        $kernel32 = "Kernel32.dll" wide
+        $outputdbgstr = "OutputDebugStringA"
+        $content = "ResetEvent"
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        all of them and filesize < 2MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_toneshell_shellcode.yar b/yara_rules/apt_toneshell_shellcode.yar
new file mode 100644
index 0000000..11aa693
--- /dev/null
+++ b/yara_rules/apt_toneshell_shellcode.yar
@@ -0,0 +1,35 @@
+rule apt_toneshell_shellcode {
+    meta:
+        id = "5ac8d2e9-dbeb-42f9-8343-1281510d4411"
+        version = "1.0"
+        description = "Detects first bytes of ToneShell used to call the shellcode or the code to check the MagicNumber (0x17 0x03 0x03)"
+        author = "Sekoia.io"
+        creation_date = "2024-10-02"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $code = {55 8b ec 83 ec 0c e8 85 00 00 00 6a 00 6a 00 6a 02 6a 00 6a 00 68 00 00 00 10}
+        $MagicNumberParser = {
+        B8 01 00 00 00
+        6B C8 00
+        8B 55 ??
+        0F BE 04 0A
+        83 F8 17
+        75 ??
+        B9 01 00 00 00
+        C1 E1 00
+        8B 55 ??
+        0F BE 04 0A
+        83 F8 03
+        75 ??
+        B9 01 00 00 00
+        D1 E1
+        8B 55 ??
+        0F BE 04 0A
+        83 F8 03
+        }
+        
+    condition:
+        any of them and filesize < 1MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_tortoiseshell_imaploader.yar b/yara_rules/apt_tortoiseshell_imaploader.yar
new file mode 100644
index 0000000..d0f7e4a
--- /dev/null
+++ b/yara_rules/apt_tortoiseshell_imaploader.yar
@@ -0,0 +1,20 @@
+rule apt_tortoiseshell_imaploader {
+    meta:
+        id = "e1706b59-5c94-4fbf-8560-0022ca631d1d"
+        version = "1.0"
+        description = "Detects IMAPLoader malware"
+        author = "Sekoia.io"
+        creation_date = "2023-11-13"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "yandex.com"
+        $s2 = "saveImapMessage.pdb"
+        $s3 = "downloader"
+        $s4 = "MailServer.Auth"
+        
+    condition:
+        filesize < 1MB and
+        3 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_tortoiseshell_wateringhole_script.yar b/yara_rules/apt_tortoiseshell_wateringhole_script.yar
new file mode 100644
index 0000000..58c301d
--- /dev/null
+++ b/yara_rules/apt_tortoiseshell_wateringhole_script.yar
@@ -0,0 +1,23 @@
+rule apt_tortoiseshell_wateringhole_script {
+    meta:
+        id = "58c5ae66-fe09-497c-80bf-20feee4d95e7"
+        version = "1.0"
+        description = "Detect's Tortoiseshell WH script"
+        author = "Sekoia.io"
+        creation_date = "2023-05-24"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "btoa(pluggin.toString())"
+        $ = "btoa(document.referrer)"
+        $ = "pluggin.push(navigator.plugins[i]"
+        $ = "navigator.language"
+        $ = "window.RTCPeerConnection"
+        $ = "sha256(canvas.toDataURL("
+        $ = "canvas.getContext('2d"
+        $ = "noop = function() {},"
+        
+    condition:
+        5 of them and filesize < 10000
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_turla_comlook.yar b/yara_rules/apt_turla_comlook.yar
new file mode 100644
index 0000000..441e8c9
--- /dev/null
+++ b/yara_rules/apt_turla_comlook.yar
@@ -0,0 +1,32 @@
+rule apt_turla_comlook {
+    meta:
+        id = "c3bf886b-f952-47f9-aff6-3cd74c27077d"
+        version = "1.0"
+        description = "Detects Class and Method names used inside ComLook"
+        author = "Sekoia.io"
+        creation_date = "2023-10-30"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ClassName1 = "AgentConfig"
+        $ClassName2 = "CommandPerforming"
+        
+        
+        $MethodName1 = "CmdCommand"
+        $MethodName2 = "GetConfigCommand"
+        $MethodName3 = "GetFileCommand"
+        $MethodName4 = "PutFileCommand"
+        $MethodName5 = "SetConfigCommand"
+        $MethodName6 = "AgentProtocol"
+        
+        $Log1 = "CONFIG_SERVERS_LIST_PARSING_ERROR" ascii wide
+        $Log2 = "GET_UIDS_TO_CHECK_PARSING_ERROR" ascii wide
+        $Log3 = "PAYLOAD_PARSING_FILEPATH_AND_FILE_ERROR" ascii wide
+        $Log4 = "COMMAND_EMPTY_ERROR" ascii wide
+        $Log5 = "IMAP_USERNAME_FORMAT_INCORRECT" ascii wide
+        $Log6 = "NO_MESSAGES_TO_RETRIEVE" ascii wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and filesize < 10MB and any of ($ClassName*) and any of ($MethodName*) and any of ($Log*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_turla_kazuar_variant_2023.yar b/yara_rules/apt_turla_kazuar_variant_2023.yar
new file mode 100644
index 0000000..d916be9
--- /dev/null
+++ b/yara_rules/apt_turla_kazuar_variant_2023.yar
@@ -0,0 +1,18 @@
+rule apt_turla_kazuar_variant_2023 {
+    meta:
+        id = "51e9de6a-5d8a-4627-8063-b70f78e78726"
+        version = "1.0"
+        description = "New variant of Kazuar observed in 2023"
+        author = "Sekoia.io"
+        creation_date = "2023-11-03"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "Started from file '" ascii wide
+        $s2 = "Zombifying user's" ascii wide
+        $s3 = "Result #{0:X16} already exists in {1}" ascii wide
+        
+    condition:
+        uint16(0) == 0x5a4d and 2 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_uac0099_lonepage.yar b/yara_rules/apt_uac0099_lonepage.yar
new file mode 100644
index 0000000..28c1178
--- /dev/null
+++ b/yara_rules/apt_uac0099_lonepage.yar
@@ -0,0 +1,31 @@
+rule apt_uac0099_lonepage {
+    meta:
+        id = "007f62f5-da5c-4df7-8b5c-5ed815ce6993"
+        version = "1.0"
+        description = "Detects LonePage vbs malware"
+        author = "Sekoia.io"
+        creation_date = "2024-01-08"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s0 = "dim r, c" ascii fullword
+        $s1 = "= createobject(\"WScript.Shell\")" ascii fullword
+        $s2 = "r.Run c, 0, false" ascii fullword
+        
+        $t1 = "GetHostAddresses" ascii fullword nocase
+        $t2 = "upgrade.txt" ascii fullword nocase
+        $t3 = "net.webclient" ascii fullword nocase
+        $t4 = "downloaddata" ascii fullword nocase
+        $t5 = "[System.Environment]::NewLine" ascii fullword nocase
+        $t6 = ".uploaddata('" ascii nocase
+        
+    condition:
+        true and filesize < 10KB
+        and 
+        (
+            ($s1 at 0x10 and $s0 at 0 and $s2 and 2 of ($t*)) 
+            or 
+            (all of ($t*) and any of ($s*))
+        )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_uac0154_malicious_html_smuggling.yar b/yara_rules/apt_uac0154_malicious_html_smuggling.yar
new file mode 100644
index 0000000..a877a36
--- /dev/null
+++ b/yara_rules/apt_uac0154_malicious_html_smuggling.yar
@@ -0,0 +1,18 @@
+rule apt_uac0154_malicious_html_smuggling {
+    meta:
+        id = "923d11e5-6332-456d-8aff-ae7fb76193a8"
+        version = "1.0"
+        description = "UAC-0154 Infection chain"
+        author = "Sekoia.io"
+        creation_date = "2023-10-02"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "Microsoft&reg; HTML Help Workshop 4.1"
+        $ = "var a=['"
+        $ = ")+b('0x"
+        
+    condition:
+        all of them and filesize < 100KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_uac0154_powershell_infection_chain_1.yar b/yara_rules/apt_uac0154_powershell_infection_chain_1.yar
new file mode 100644
index 0000000..d2e5f91
--- /dev/null
+++ b/yara_rules/apt_uac0154_powershell_infection_chain_1.yar
@@ -0,0 +1,19 @@
+rule apt_uac0154_powershell_infection_chain_1 {
+    meta:
+        id = "428eb021-b37f-4db5-8cab-ca2f6dd2e202"
+        version = "1.0"
+        description = "UAC-0154 Infection chain"
+        author = "Sekoia.io"
+        creation_date = "2023-10-02"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "command $es ="
+        $ = "function isV"
+        $ = "doIn;"
+        $ = "System.IO.Comp"
+        
+    condition:
+        all of them and filesize < 100KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_uac0154_powershell_infection_chain_2.yar b/yara_rules/apt_uac0154_powershell_infection_chain_2.yar
new file mode 100644
index 0000000..832a2cf
--- /dev/null
+++ b/yara_rules/apt_uac0154_powershell_infection_chain_2.yar
@@ -0,0 +1,20 @@
+rule apt_uac0154_powershell_infection_chain_2 {
+    meta:
+        id = "6fe37d52-9bd3-4aa8-83ba-15399bd1b66c"
+        version = "1.0"
+        description = "UAC-0154 Infection chain"
+        author = "Sekoia.io"
+        creation_date = "2023-10-02"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "files.catbox.moe"
+        $ = "$pse = $pse.Replace"
+        $ = "start -WindowStyle Hidden -FilePath $p"
+        $ = "-bxor $xorMask"
+        $ = "SysctlHost"
+        
+    condition:
+        4 of them and filesize < 100KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_unc3524_quietexit_strings.yar b/yara_rules/apt_unc3524_quietexit_strings.yar
new file mode 100644
index 0000000..8e763f5
--- /dev/null
+++ b/yara_rules/apt_unc3524_quietexit_strings.yar
@@ -0,0 +1,24 @@
+rule apt_unc3524_quietexit_strings {
+    meta:
+        id = "1bfa9baa-40a3-4ad7-83dc-f9340fbed180"
+        version = "1.0"
+        description = "Detect the QUIETEXIT malware used by UNC3524"
+        author = "Sekoia.io"
+        creation_date = "2022-05-04"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "Child connection from %s:%s" ascii
+        $ = "Failed to run %s" ascii
+        $ = "add %s %s %s" ascii
+        $ = "/usr/bin/xauth -q" ascii
+        $ = "/tmp/dropbear-%" ascii
+        $ = "cron" ascii
+        $ = { DD E5 D5 97 20 53 27 BF F0 A2 BA CD 96 35 9A AD 1C 75 EB 47 }
+        
+    condition:
+        uint32be(0) == 0x7f454c46 and
+        filesize > 1MB and
+        5 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_unc4990_emptyspace_pyc.yar b/yara_rules/apt_unc4990_emptyspace_pyc.yar
new file mode 100644
index 0000000..0ace5f7
--- /dev/null
+++ b/yara_rules/apt_unc4990_emptyspace_pyc.yar
@@ -0,0 +1,44 @@
+rule apt_unc4990_emptyspace_pyc {
+    meta:
+        id = "d970fd9c-1ce5-471c-96a1-146250f36b89"
+        version = "1.0"
+        description = "Detects Python Bytecode of EmptySpace"
+        author = "Sekoia.io"
+        creation_date = "2024-02-01"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "PYBOOTSTRAP"
+        $ = "http://google.com/generate_204"
+        $ = "from"
+        $ = "pathZ"
+        $ = "usernamez"
+        $ = "timeZ"
+        $ = "win32api"
+        $ = "base64Z"
+        $ = "json"
+        $ = "marshalZ"
+        $ = "BOOTSTRAP_VERSION"
+        $ = "getZ"
+        $ = "sleepZ    b64encode"
+        $ = "dumps"
+        $ = "executableZ"
+        $ = "GetUserNameExZ"
+        $ = "NameSamCompatible"
+        $ = "encode"
+        $ = "decodeZ"
+        $ = "request_dataZ"
+        $ = "server"
+        $ = "post"
+        $ = "raise_for_status"
+        $ = "exec"
+        $ = "loadsZ    b64decode"
+        $ = "text"
+        $ = "globals"
+        $ = "bootstrap.py"
+        $ = "<module>"
+        
+    condition:
+        uint32be(0) == 0x420d0d0a and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_unc4990_explorer_ps1.yar b/yara_rules/apt_unc4990_explorer_ps1.yar
new file mode 100644
index 0000000..63b0f20
--- /dev/null
+++ b/yara_rules/apt_unc4990_explorer_ps1.yar
@@ -0,0 +1,20 @@
+rule apt_unc4990_explorer_ps1 {
+    meta:
+        id = "2e1abbbf-f9b7-4147-b7da-3544cbc4a5f1"
+        version = "1.0"
+        description = "Detects powershell script (explorer.ps1)"
+        author = "Sekoia.io"
+        creation_date = "2024-02-01"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s0 = "$(get-location).Path"
+        $s1 = "+ \"\\Runtime Broker.exe"
+        $s2 = "Start-Process -FilePath"
+        $s3 = "-Wait;"
+        $s4 = "Start-Sleep -s"
+        
+    condition:
+        all of them and @s3-@s2 < 35
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_unc4990_explorer_ps1_reverse_b64.yar b/yara_rules/apt_unc4990_explorer_ps1_reverse_b64.yar
new file mode 100644
index 0000000..11d97a2
--- /dev/null
+++ b/yara_rules/apt_unc4990_explorer_ps1_reverse_b64.yar
@@ -0,0 +1,18 @@
+rule apt_unc4990_explorer_ps1_reverse_b64 {
+    meta:
+        id = "35c3ffb2-2ced-426c-ac3f-a8cd0c357672"
+        version = "1.0"
+        description = "Detects reverse base64 files (explorer.ps1)"
+        author = "Sekoia.io"
+        creation_date = "2024-02-01"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s0 = "Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(\""
+        $s1 = "Wa1VHJ\"[-1..-"
+        $s2 = "-join '')))"
+        
+    condition:
+        all of them and $s0 at 0 and @s2 - @s2 < 20
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_unk_batcopier_strings.yar b/yara_rules/apt_unk_batcopier_strings.yar
new file mode 100644
index 0000000..015cb4e
--- /dev/null
+++ b/yara_rules/apt_unk_batcopier_strings.yar
@@ -0,0 +1,19 @@
+rule apt_unk_batcopier_strings {
+    meta:
+        id = "eb76bbd0-a722-4fec-a4a7-c48c70a1880b"
+        version = "1.0"
+        description = "Detects BatCopier variant"
+        author = "Sekoia.io"
+        creation_date = "2024-09-06"
+        classification = "TLP:CLEAR"
+        reference = "https://www.seqrite.com/blog/operation-oxidovy-sophisticated-malware-campaign-targets-czech-officials-using-nato-themed-decoys/"
+        
+    strings:
+        $ = "@echo off"
+        $ = "echo F|xcopy"
+        $ = "attrib +r +s +h"
+        
+    condition:
+        all of them and filesize < 1KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_unk_dex_china_freedom_trap_spyware.yar b/yara_rules/apt_unk_dex_china_freedom_trap_spyware.yar
new file mode 100644
index 0000000..bd54466
--- /dev/null
+++ b/yara_rules/apt_unk_dex_china_freedom_trap_spyware.yar
@@ -0,0 +1,32 @@
+rule apt_unk_dex_china_freedom_trap_spyware {
+    meta:
+        id = "3d66b6b8-8397-441a-a337-4a282df39591"
+        version = "1.0"
+        description = "Detects China Freedom Trap spyware dex file"
+        author = "Sekoia.io"
+        creation_date = "2022-09-07"
+        classification = "TLP:CLEAR"
+        hash = "ceb70fce74898ea64ded6880a978441c"
+        
+    strings:
+        $ = "INSTALL" base64
+        $ = "FAILED" base64
+        $ = "TEST" base64
+        $ = "ONLY" base64
+        $ = "INSTALL" base64
+        $ = "INCONSISTENT" base64
+        $ = "CERTIFICATES" base64
+        $ = "Network country iso:" base64
+        $ = "Network operator name:" base64
+        $ = "SIM operator name:" base64
+        $ = "SIM country iso:" base64
+        $ = "SIM state:" base64
+        $ = "PIN REQUIRED" base64
+        $ = "PUK REQUIRED" base64
+        
+    condition:
+        uint32be(0) == 0x6465780A and
+        filesize < 100KB and
+        4 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_unk_hrserv_memory_commands_strings.yar b/yara_rules/apt_unk_hrserv_memory_commands_strings.yar
new file mode 100644
index 0000000..dc981d4
--- /dev/null
+++ b/yara_rules/apt_unk_hrserv_memory_commands_strings.yar
@@ -0,0 +1,20 @@
+rule apt_unk_hrserv_memory_commands_strings {
+    meta:
+        id = "1b5f442a-e758-4bd5-a612-8b504a542d29"
+        version = "1.0"
+        description = "Detects HrServ web shell memory commands"
+        author = "Sekoia.io"
+        creation_date = "2023-11-23"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "list all the process" ascii wide
+        $ = "equal with cmd /c tasklist" ascii wide
+        $ = "start target service by name" ascii wide
+        $ = "query local process information by wmi." ascii wide
+        $ = "upload local shellcode to" ascii wide
+        
+    condition:
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_unk_hrserv_webshell_strings.yar b/yara_rules/apt_unk_hrserv_webshell_strings.yar
new file mode 100644
index 0000000..093c0f0
--- /dev/null
+++ b/yara_rules/apt_unk_hrserv_webshell_strings.yar
@@ -0,0 +1,24 @@
+rule apt_unk_hrserv_webshell_strings {
+    meta:
+        id = "684fd41c-9ea6-4f4e-8db4-82325a2ff80b"
+        version = "1.0"
+        description = "Detects HrServ web shell based on strings"
+        author = "Sekoia.io"
+        creation_date = "2023-11-23"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "open file error!"
+        $ = "create file error!"
+        $ = "[!] CreatePipe failed."
+        $ = "[!] CreateProcess failed."
+        $ = "[!] CreateProcess success,no result return."
+        $ = "; cadataIV="
+        $ = "cadataKey="
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 300KB and
+        5 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_unk_malicious_lnk.yar b/yara_rules/apt_unk_malicious_lnk.yar
new file mode 100644
index 0000000..9a49b6a
--- /dev/null
+++ b/yara_rules/apt_unk_malicious_lnk.yar
@@ -0,0 +1,22 @@
+rule apt_unk_malicious_lnk {
+    meta:
+        id = "d2248803-7ddf-4cde-ab6a-78b20e760919"
+        version = "1.0"
+        description = "Detects a malicious LNK used by an APT"
+        author = "Sekoia.io"
+        creation_date = "2024-09-06"
+        classification = "TLP:CLEAR"
+        hash = "a8d7e56eb01a8cf576533db9af2e92ec"
+        reference = "https://www.seqrite.com/blog/operation-oxidovy-sophisticated-malware-campaign-targets-czech-officials-using-nato-themed-decoys/"
+        
+    strings:
+        $ = ".pdf.lnkPK"
+        $ = ".jfifPK"
+        $ = ".batPK"
+        $ = ".pdfPK"
+        
+    condition:
+        uint32be(0) == 0x504b0304 and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_unknown_sessionmanageriis_strings.yar b/yara_rules/apt_unknown_sessionmanageriis_strings.yar
new file mode 100644
index 0000000..fb698e8
--- /dev/null
+++ b/yara_rules/apt_unknown_sessionmanageriis_strings.yar
@@ -0,0 +1,24 @@
+rule apt_unknown_sessionmanageriis_strings {
+    meta:
+        id = "7d55dd82-509f-444d-a1ba-6417b51f392f"
+        version = "1.0"
+        description = "Detects the IIS SessionManager backdoor"
+        author = "Sekoia.io"
+        creation_date = "2022-07-04"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "Wokring OK"
+        $ = "Delete File Success :"
+        $ = "Delete File Error :"
+        $ = "SM_SESSION="
+        $ = "SM_SESSIONID"
+        $ = "attachment; filename ="
+        $ = "CHttpModule::"
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize > 100KB and filesize < 400KB and
+        4 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_uta0178_javascript_inclusion_strings.yar b/yara_rules/apt_uta0178_javascript_inclusion_strings.yar
new file mode 100644
index 0000000..ccfb950
--- /dev/null
+++ b/yara_rules/apt_uta0178_javascript_inclusion_strings.yar
@@ -0,0 +1,24 @@
+rule apt_uta0178_javascript_inclusion_strings {
+    meta:
+        id = "af816c35-1f00-47ea-86ee-c034607c625e"
+        version = "1.0"
+        description = "Detects UTA0178 malicious inclusion strings"
+        author = "Sekoia.io"
+        creation_date = "2024-01-12"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s0 = ".value"
+        $s1 = "btoa("
+        $s2 = "https://"
+        $s3 = "new XMLHttpRequest();"
+        $s4 = ".send(null);"
+        
+    condition:
+        @s0 < @s1 and 
+        @s1 < @s2 and 
+        @s2 < @s3 and 
+        @s3 < @s4 and
+        @s4-@s0 < 350
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_uta0218_upstyle_backdoor_strings.yar b/yara_rules/apt_uta0218_upstyle_backdoor_strings.yar
new file mode 100644
index 0000000..5ed392a
--- /dev/null
+++ b/yara_rules/apt_uta0218_upstyle_backdoor_strings.yar
@@ -0,0 +1,28 @@
+rule apt_uta0218_upstyle_backdoor_strings {
+    meta:
+        id = "098fbad7-efaf-4198-83de-208c2ae16f89"
+        version = "1.0"
+        description = "Detects UPSTYLE backdoor"
+        author = "Sekoia.io"
+        creation_date = "2024-04-16"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1_1 = "f.write(b'''import base64;exec(base64.b64decode(b" ascii
+        $s1_2 = "atime=os.path.getatime(" ascii
+        
+        $s2_1 = "exec(base64.b64decode(functioncode))"  ascii base64
+        $s2_2 = "os.path.exists(systempth):" ascii base64
+        $s2_3 = ".read().replace(b\"\\x00\",b\" \")" ascii base64
+        
+        $s3_1 = "if WRITE_FLAG:"  ascii base64
+        $s3_2 = "re.search(SHELL_PATTERN"  ascii base64
+        $s3_3 = "import threading,time,os,re,base64"  ascii base64
+        
+    condition:
+        filesize < 1500 and
+        (2 of ($s1_*) or 
+        2 of ($s2_*) or 
+        2 of ($s3_*) )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_win_disabledefender.yar b/yara_rules/apt_win_disabledefender.yar
new file mode 100644
index 0000000..539e1e3
--- /dev/null
+++ b/yara_rules/apt_win_disabledefender.yar
@@ -0,0 +1,21 @@
+import "pe"
+        
+rule apt_win_disabledefender {
+    meta:
+        id = "a7b124ab-4c9d-47c0-a59e-211cc713b9b3"
+        version = "1.0"
+        description = "detects strings and imphash"
+        author = "Sekoia.io"
+        creation_date = "2022-09-23"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "Restarting with privileges"
+        $ = "Windows defender is currently ACTIVE"
+        $ = "Windows defender is currently OFF"
+        $ = "Disabled windows defender"
+        $ = "Failed to disable defender..."
+        
+    condition:        4 of them or pe.imphash() == "74a6ef9e7b49c71341e439022f643c8e"
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_windows_wip19_screencap.yar b/yara_rules/apt_windows_wip19_screencap.yar
new file mode 100644
index 0000000..39c710b
--- /dev/null
+++ b/yara_rules/apt_windows_wip19_screencap.yar
@@ -0,0 +1,19 @@
+import "pe"
+import "hash"
+        
+rule apt_windows_wip19_screencap {
+    meta:
+        id = "ebf5d2c5-81c9-45c3-aa61-05870f800f6b"
+        version = "1.0"
+        description = "Detects ScreenCap resource"
+        author = "Sekoia.io"
+        creation_date = "2022-10-18"
+        classification = "TLP:CLEAR"
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+         for any i in (0..pe.number_of_resources-1) : (
+            hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "89f4d0e3f7f3318270aa9c8345c1402202b1a02ffefc03c7a86636e297aa0ffc"
+        ) and filesize < 2MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/apt_yemen_apk_guardzoo.yar b/yara_rules/apt_yemen_apk_guardzoo.yar
new file mode 100644
index 0000000..dfbc56e
--- /dev/null
+++ b/yara_rules/apt_yemen_apk_guardzoo.yar
@@ -0,0 +1,41 @@
+rule apt_yemen_apk_guardzoo {
+    meta:
+        id = "f4004e7c-2904-46ea-a3e6-2bdd3e704fea"
+        version = "1.0"
+        description = "Detects Dex files containing GuardZoo strings."
+        author = "Sekoia.io"
+        creation_date = "2024-08-09"
+        classification = "TLP:CLEAR"
+        hash = "3afad114c68489e2d294720339baf570"
+        hash = "c59d0f5c8d00485199f147b96c5abca0"
+        hash = "75c58948725133160085dc1cfdf602ec"
+        hash = "d76a39ee85263900f7e6eaacb804f5e2"
+        hash = "51356c95dfe1221c0f4ca2475bc787f8"
+        hash = "1d0dd8201c051d9c8d2c945c8b31a48c"
+        hash = "b7b6be5e8eec44dd13e1df1f3908fcf0"
+        hash = "229984f004578a8fa643afb881d81e8c"
+        hash = "f3f1ccb3912c49a0a6ea710a0bd856de"
+        hash = "a3f8365bfa5f8185e8c7eba8efc63165"
+        hash = "7392deaf81ddf50b8a6f2179538f7e81"
+        hash = "c40d56e1586f9fa382c688d624d25525"
+        hash = "629fb04b91c4db4ea282440e20317dab"
+        hash = "bcebc41628196f8bd119f72e1e8eb47c"
+        hash = "f1cfdc9e91c3a20563246cf366b94f10"
+        hash = "a75ffb11adbace40a7c59128adba43ad"
+        
+    strings:
+        $classes_1 = "GuardZoo.java"
+        $classes_2 = "com/animals"
+        $path_1 = "&Password="
+        $path_2 = "&Coordinates="
+        $path_3 = "&Data="
+        $path_4 = "&Device="
+        $path_5 = "&ISPICTURE="
+        $path_6 = "&Phone_Number="
+        $path_7 = "&Provider="
+        
+    condition:
+        uint32be(0) == 0x6465780a and filesize < 10MB and
+        ((any of ($classes_*)) and (3 of ($path_*)))
+}
+        
\ No newline at end of file
diff --git a/yara_rules/backdoor_blueshell.yar b/yara_rules/backdoor_blueshell.yar
new file mode 100644
index 0000000..9f20439
--- /dev/null
+++ b/yara_rules/backdoor_blueshell.yar
@@ -0,0 +1,24 @@
+rule backdoor_blueshell {
+    meta:
+        id = "8f1cd966-c4d8-44f9-8cd5-4f5277332546"
+        version = "1.0"
+        description = "Detects BlueShell backdoor"
+        author = "Sekoia.io"
+        creation_date = "2023-09-08"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "BlueShell" ascii
+        $s2 = "client.go" ascii
+        $s3 = "server ip" ascii
+        $s4 = "server port" ascii
+        $s5 = "reconnect wait time" ascii
+        $s6 = "shell" ascii
+        $s7 = "socks" ascii
+        $s8 = "socks5" ascii
+        $s9 = "GetInteractiveShell" ascii
+        
+    condition:
+        filesize < 11MB and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/backdoor_lin_bifrost.yar b/yara_rules/backdoor_lin_bifrost.yar
new file mode 100644
index 0000000..d57d817
--- /dev/null
+++ b/yara_rules/backdoor_lin_bifrost.yar
@@ -0,0 +1,21 @@
+rule backdoor_lin_bifrost {
+    meta:
+        id = "9726b5f5-8cc3-4fad-950b-f20cac04d496"
+        version = "1.0"
+        description = "Detect the Bifrost backdor based on strings"
+        author = "Sekoia.io"
+        creation_date = "2024-03-05"
+        classification = "TLP:CLEAR"
+        reference = "https://unit42.paloaltonetworks.com/new-linux-variant-bifrost-malware/"
+        hash1 = "8e85cb6f2215999dc6823ea3982ff4376c2cbea53286e95ed00250a4a2fe4729"
+        hash2 = "2aeb70f72e87a1957e3bc478e1982fe608429cad4580737abe58f6d78a626c05"
+        hash3 = "f2bef6bed27f4b527118dd62b4035003c14afaffa72729c8117f213623f644ec"
+        
+    strings:
+        $ = "%c2%s%c3%u%c4%u-%.2u-%.2u %.2u:%.2u"
+        $ = "%c1%s%c3D%c4%u-%.2u-%.2u %.2u:%.2u"
+        
+    condition:
+        uint32be(0) == 0x7f454c46 and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/backdoor_lin_bpfdoor.yar b/yara_rules/backdoor_lin_bpfdoor.yar
new file mode 100644
index 0000000..d9f41d1
--- /dev/null
+++ b/yara_rules/backdoor_lin_bpfdoor.yar
@@ -0,0 +1,23 @@
+rule backdoor_lin_bpfdoor {
+    meta:
+        id = "1776ff6f-6fbb-4a81-bcad-c43b5117c67c"
+        version = "1.0"
+        description = "Detect the BPFDoor backdoor used by the Chinese TA Red Menshen"
+        author = "Sekoia.io"
+        creation_date = "2022-05-05"
+        classification = "TLP:CLEAR"
+        reference = "https://github.com/Neo23x0/signature-base/blob/master/yara/mal_lnx_implant_may22.yar"
+        
+    strings:
+        $op1 = { e8 ?? ff ff ff 80 45 ee 01 0f b6 45 ee 3b 45 d4 7c 04 c6 45 ee 00 80 45 ff 01 80 7d ff 00 }
+        $op2 = { 55 48 89 e5 48 83 ec 30 89 7d ec 48 89 75 e0 89 55 dc 83 7d dc 00 75 0? }
+        $op3 = { e8 a? fe ff ff 0f b6 45 f6 48 03 45 e8 0f b6 10 0f b6 45 f7 48 03 45 e8 0f b6 00 8d 04 02 }
+        $op4 = { c6 80 01 01 00 00 00 48 8b 45 c8 0f b6 90 01 01 00 00 48 8b 45 c8 88 90 00 01 00 00 c6 45 ef 00 0f b6 45 ef 88 45 ee }
+        
+    condition:
+        uint32(0)==0x464c457f
+        and filesize > 10KB
+        and filesize < 50KB
+        and (all of ($op*))
+}
+        
\ No newline at end of file
diff --git a/yara_rules/backdoor_lin_sysupdate.yar b/yara_rules/backdoor_lin_sysupdate.yar
new file mode 100644
index 0000000..a320c03
--- /dev/null
+++ b/yara_rules/backdoor_lin_sysupdate.yar
@@ -0,0 +1,21 @@
+rule backdoor_lin_sysupdate {
+    meta:
+        id = "9cb806cf-4ca1-44d8-809a-58cc5f364fb8"
+        version = "1.0"
+        description = "Detect the SysUpdate malware"
+        author = "Sekoia.io"
+        creation_date = "2023-03-01"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "generate guid path=%s"
+        $ = "3rd/asio/include/asio/detail/posix_event.hpp"
+        $ = "expires_at"
+        $ = "%s -f %s"
+        $ = "expires_after"
+        $ = "-run"
+        
+    condition:
+        uint32(0)==0x464c457f and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/backdoor_mul_sparkrat.yar b/yara_rules/backdoor_mul_sparkrat.yar
new file mode 100644
index 0000000..d3efa9c
--- /dev/null
+++ b/yara_rules/backdoor_mul_sparkrat.yar
@@ -0,0 +1,60 @@
+rule backdoor_mul_sparkrat {
+    meta:
+        id = "cd818207-f8ec-41fa-abef-c29d481c7897"
+        version = "1.0"
+        description = "Detect SparkRAT using string found in the source code"
+        author = "Sekoia.io"
+        creation_date = "2023-01-30"
+        classification = "TLP:CLEAR"
+        reference = "https://github.com/XZB-1248/Spark"
+        
+    strings:
+        $ = "2006/01/02 15:04:05" wide ascii
+        $ = "can not find secret header" wide ascii
+        $ = "${i18n|COMMON.UNKNOWN_ERROR}" wide ascii
+        $ = "/api/client/update" wide ascii
+        $ = "application/octet-stream" wide ascii
+        $ = "${i18n|COMMON.OPERATION_NOT_SUPPORTED}" wide ascii
+        $ = "no IP address found" wide ascii
+        $ = "failed to read network io counters" wide ascii
+        $ = "failed to read cpu info" wide ascii
+        $ = "PING" wide ascii
+        $ = "OFFLINE" wide ascii
+        $ = "LOCK" wide ascii
+        $ = "LOGOFF" wide ascii
+        $ = "HIBERNATE" wide ascii
+        $ = "SUSPEND" wide ascii
+        $ = "RESTART" wide ascii
+        $ = "SHUTDOWN" wide ascii
+        $ = "SCREENSHOT" wide ascii
+        $ = "TERMINAL_INIT" wide ascii
+        $ = "TERMINAL_INPUT" wide ascii
+        $ = "TERMINAL_RESIZE" wide ascii
+        $ = "TERMINAL_PING" wide ascii
+        $ = "TERMINAL_KILL" wide ascii
+        $ = "FILES_LIST" wide ascii
+        $ = "FILES_FETCH" wide ascii
+        $ = "FILES_REMOVE" wide ascii
+        $ = "FILES_UPLOAD" wide ascii
+        $ = "FILE_UPLOAD_TEXT" wide ascii
+        $ = "PROCESSES_LIST" wide ascii
+        $ = "PROCESS_KILL" wide ascii
+        $ = "DESKTOP_INIT" wide ascii
+        $ = "DESKTOP_PING" wide ascii
+        $ = "DESKTOP_KILL" wide ascii
+        $ = "DESKTOP_SHOT" wide ascii
+        $ = "COMMAND_EXEC" wide ascii
+        $ = "DEVICE_UPDATE" wide ascii
+        $ = "${i18n|COMMON.INVALID_PARAMETER}" wide ascii
+        $ = "${i18n|EXPLORER.FILE_OR_DIR_NOT_EXIST}" wide ascii
+        $ = "SPARK COMMIT: " wide ascii
+        $ = "${i18n|COMMON.DISCONNECTED}" wide ascii
+        $ = "${i18n|DESKTOP.NO_DISPLAY_FOUND}" wide ascii
+        $ = "/api/bridge/push" wide ascii
+        $ = "${i18n|COMMON.OPERATION_NOT_SUPPORTED}" wide ascii
+        
+    condition:
+        17 of them
+        and filesize > 4MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/backdoor_mul_supershell_client.yar b/yara_rules/backdoor_mul_supershell_client.yar
new file mode 100644
index 0000000..b9e4eb3
--- /dev/null
+++ b/yara_rules/backdoor_mul_supershell_client.yar
@@ -0,0 +1,22 @@
+rule backdoor_mul_supershell_client {
+    meta:
+        id = "3498ca9e-a165-4dda-bc15-2e5d6d43d9c1"
+        version = "1.0"
+        description = "Detect the Supershell client (unpacked) by looking for github references"
+        author = "Sekoia.io"
+        creation_date = "2024-04-25"
+        classification = "TLP:CLEAR"
+        hash1 = "a42906f8b392089fa1fe3ea264f6cb549ce5437b5ea253d9e1b8dd94bf115dad"
+        hash2 = "d97b41e8cd6b63cd55c9a4f99ccadf5a9141088319bc9eb467d96e54080f3c85"
+        hash3 = "2b54d1c064892a22f48b5742ba6da55bf62b73e5b1e0649e8b7880b286498735"
+        hash4 = "0dedab2ef8d44f9beef782a29dd8f628dd0218b90f23f729b315660437019ccd"
+        hash5 = "2484de7944889d784b8229f4fd756d3930e55c91654921019db4437877e30ab7"
+        
+    strings:
+        $ = "github.com/NHAS/reverse_ssh/internal/client/"
+        $ = "golang.org"
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/backdoor_opensource_northstar_strings.yar b/yara_rules/backdoor_opensource_northstar_strings.yar
new file mode 100644
index 0000000..0b0a227
--- /dev/null
+++ b/yara_rules/backdoor_opensource_northstar_strings.yar
@@ -0,0 +1,22 @@
+rule backdoor_opensource_northstar_strings {
+    meta:
+        id = "6bf2f428-ec1a-4115-9c5e-258e9176969a"
+        version = "1.0"
+        description = "Detects the NorthStar Backdoor strings"
+        author = "Sekoia.io"
+        creation_date = "2022-08-23"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "_SAMDUMP.zip" wide
+        $ = "northstar" wide
+        $ = "smanage.php?sid=" wide
+        $ = "File Not Exists" wide
+        $ = "<enablecmd or enable cmd>" wide
+        $ = "getjuice.php" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        6 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/backdoor_oyster.yar b/yara_rules/backdoor_oyster.yar
new file mode 100644
index 0000000..0c109b4
--- /dev/null
+++ b/yara_rules/backdoor_oyster.yar
@@ -0,0 +1,17 @@
+rule backdoor_oyster {
+    meta:
+        id = "f95f98ea-1e52-45ae-8abf-a986f95d4ab2"
+        version = "1.0"
+        description = "Detects files related to the Oyster backdoor."
+        author = "Sekoia.io"
+        creation_date = "2024-08-29"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "CleanUp30.dll" ascii fullword
+        $s2 = "MSTeamsSetup_c_l_.exe" ascii fullword
+        
+    condition:
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/backdoor_powershellempire_batlauchers.yar b/yara_rules/backdoor_powershellempire_batlauchers.yar
new file mode 100644
index 0000000..cbeded1
--- /dev/null
+++ b/yara_rules/backdoor_powershellempire_batlauchers.yar
@@ -0,0 +1,18 @@
+rule backdoor_powershellempire_batlauchers {
+    meta:
+        id = "ad371665-ec59-45c8-9d99-2a675842c384"
+        version = "1.0"
+        description = "Detect BAT launchers for Empire"
+        author = "Sekoia.io"
+        creation_date = "2022-04-15"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "powershell -noP -sta -w 1 -enc  SQB" nocase wide ascii
+        $ = "powershell -ep bypass -noP -sta -w 1 -enc SQB" nocase wide ascii
+        $ = "-nol -nop -ep bypass \"[IO.File]::ReadAllText('%~f0')|iex" nocase wide ascii
+        
+    condition:
+        any of them and filesize < 1MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/backdoor_powershellempire_csharp.yar b/yara_rules/backdoor_powershellempire_csharp.yar
new file mode 100644
index 0000000..9006149
--- /dev/null
+++ b/yara_rules/backdoor_powershellempire_csharp.yar
@@ -0,0 +1,24 @@
+rule backdoor_powershellempire_csharp {
+    meta:
+        id = "952e8e9b-8e4d-4550-9cf4-7ffd2f9d0672"
+        version = "1.0"
+        description = "Detects CSharp version of Empire"
+        author = "Sekoia.io"
+        creation_date = "2022-04-15"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "[-] Catastrophic .Net Agent Failure, Attempting Agent Restart:" ascii wide
+        $ = "[!] Upload failed - No Delimiter"  ascii wide
+        $ = "SELECT * FROM Win32_IP4RouteTable" ascii wide
+        $ = "no shell command supplied" ascii wide
+        $ = "[-] CmdletInvocationException:" ascii wide
+        $ = "[*] File download of" ascii wide
+        $ = "Script successfully saved in memory" ascii wide
+        $ = "Invoke-Empire" ascii wide
+        $ = "website to reach:" ascii wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and 5 of them  and filesize < 1MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/backdoor_powershellempire_gen.yar b/yara_rules/backdoor_powershellempire_gen.yar
new file mode 100644
index 0000000..8d5d640
--- /dev/null
+++ b/yara_rules/backdoor_powershellempire_gen.yar
@@ -0,0 +1,17 @@
+rule backdoor_powershellempire_gen {
+    meta:
+        id = "36050a5b-bdca-45cd-8e26-7129fdcbf1e8"
+        version = "1.0"
+        description = "Detects EmpirePowershell"
+        author = "Sekoia.io"
+        creation_date = "2022-04-15"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "%{$J=($J+$S[$_]+$K[$_%$K.COUNt])%256;" nocase wide ascii
+        $ = "($IV+$K))|IEX" nocase wide ascii
+        
+    condition:
+        all of them and filesize < 1MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/backdoor_powershellempire_python.yar b/yara_rules/backdoor_powershellempire_python.yar
new file mode 100644
index 0000000..5eb1089
--- /dev/null
+++ b/yara_rules/backdoor_powershellempire_python.yar
@@ -0,0 +1,17 @@
+rule backdoor_powershellempire_python {
+    meta:
+        id = "c2913f60-46a2-42c1-8569-72568eaddaed"
+        version = "1.0"
+        description = "Detects Empire Python version"
+        author = "Sekoia.io"
+        creation_date = "2022-04-15"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "import sys,base64;exec"
+        $ = "aW1wb3J0IHN5cztpbXBvcnQgcmUsIHN1YnByb2"
+        
+    condition:
+        all of them and filesize < 1MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/backdoor_powershellempire_sharpire.yar b/yara_rules/backdoor_powershellempire_sharpire.yar
new file mode 100644
index 0000000..57253e3
--- /dev/null
+++ b/yara_rules/backdoor_powershellempire_sharpire.yar
@@ -0,0 +1,20 @@
+rule backdoor_powershellempire_sharpire {
+    meta:
+        id = "fed21fbd-52ed-4649-a1ff-56eae57fc9ef"
+        version = "1.0"
+        description = "Detect Sharpire version of Empire"
+        author = "Sekoia.io"
+        creation_date = "2022-04-15"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "GetAgentID" ascii wide
+        $ = "SetAgentID" ascii wide
+        $ = "StartAgentJob" ascii wide
+        $ = "get_JobThread" ascii wide
+        $ = "GetStagerURI" ascii wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and 4 of them  and filesize < 1MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/backdoor_sandman_strings.yar b/yara_rules/backdoor_sandman_strings.yar
new file mode 100644
index 0000000..2860578
--- /dev/null
+++ b/yara_rules/backdoor_sandman_strings.yar
@@ -0,0 +1,24 @@
+rule backdoor_sandman_strings {
+    meta:
+        id = "7bac7a1e-7d4a-4410-9ad4-1c85beb6faaf"
+        version = "1.0"
+        description = "Detect the Sandman backdoor based on strings"
+        author = "Sekoia.io"
+        creation_date = "2022-08-23"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "e9f7c24c-879d-49f2-b9bf-2477dc28e2ee"
+        $s2 = "System.Net.Sockets"
+        $s3 = "ntpServer"
+        $s4 = "payloadUrl"
+        $s5 = "keepRunning"
+        $s6 = "payloadSize"
+        $s7 = "defaultNtpMessageSize"
+        $s8 = "InjectShellcode"
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        7 of them or $s1
+}
+        
\ No newline at end of file
diff --git a/yara_rules/backdoor_win_andardoor.yar b/yara_rules/backdoor_win_andardoor.yar
new file mode 100644
index 0000000..54a3fb9
--- /dev/null
+++ b/yara_rules/backdoor_win_andardoor.yar
@@ -0,0 +1,35 @@
+import "pe"
+import "hash"
+        
+rule backdoor_win_andardoor {
+    meta:
+        id = "27f28f6e-b8fd-41dc-88a8-92f5a125a807"
+        version = "1.0"
+        description = "Detect the Andardoor backdoor used by Andariel"
+        author = "Sekoia.io"
+        creation_date = "2023-09-04"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = " : Deleted Dir" wide
+        $ = " : Not Exists" wide
+        $ = " : Deleted File" wide
+        $ = " : Closed." wide
+        $ = " : Opened." wide
+        $ = "GoodLuck!" wide
+        
+    condition:
+        // Strings
+        uint16(0)==0x5A4D and all of them
+        
+        // PE section
+        or for any i in (0..pe.number_of_sections-1) : (
+            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "9fea4972270c492ca304f3663913ae63"
+        )
+        
+        // PE resource
+        or for any i in (0..pe.number_of_resources-1) : (
+            hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "34fde27c3c864efa6225e72016992d341f29cbbea638432a1c63ce05ca568300"
+        )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/backdoor_win_blackrat.yar b/yara_rules/backdoor_win_blackrat.yar
new file mode 100644
index 0000000..3a0b7da
--- /dev/null
+++ b/yara_rules/backdoor_win_blackrat.yar
@@ -0,0 +1,34 @@
+import "pe"
+import "hash"
+        
+rule backdoor_win_blackrat {
+    meta:
+        id = "3a5a6290-6344-45ce-8929-ea5a4451840f"
+        version = "1.0"
+        description = "Detect Andariel's Black RAT malware"
+        author = "Sekoia.io"
+        creation_date = "2023-09-04"
+        classification = "TLP:CLEAR"
+        hash1 = "c2500a6e12f22b16e221ba01952b69c92278cd05632283d8b84c55c916efe27c"
+        
+    strings:
+        $s1 = "I:/01___Tools/02__RAT/Black/Client_Go/Client.go"
+        $s2 = "I:/01___Tools/02__RAT/Black/Client_Go/Define.go"
+        $s3 = "I:/01___Tools/02__RAT/Black/Client_Go/Screenshot.go"
+        
+        // It is possible that it exists a Rust version of this RAT
+        $x1 = "RAT/Black/Client"
+        
+    condition:
+        uint16be(0) == 0x4d5a and (all of ($s*) or #x1 >= 3)
+        
+        // All section of the sample are unique. I use them for research purpose
+        or for any i in (0..pe.number_of_sections-1) : (
+            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "74c4cdc9d33fc63aee7ae9659b6f8d24"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "298948afbe85985025e176605ee21176"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "e5ca54c5def3c7a950e6d4034dc86277"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "440ae899aea859458df5b6de7dbc5b34"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "98e46f76b965ffb58f6cd53ff8dc91c0"
+        )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/backdoor_win_feedload.yar b/yara_rules/backdoor_win_feedload.yar
new file mode 100644
index 0000000..6b9fec0
--- /dev/null
+++ b/yara_rules/backdoor_win_feedload.yar
@@ -0,0 +1,16 @@
+rule backdoor_win_feedload {
+    meta:
+        id = "29cc46c4-7ed7-4a34-9749-a8ba8d37eb4c"
+        version = "1.0"
+        author = "Sekoia.io"
+        creation_date = "2023-10-24"
+        classification = "TLP:CLEAR"
+        hash = "f251144f7ad0be0045034a1fc33fb896e8c32874e0b05869ff5783e14c062486"
+        
+    strings:
+        $s1 = "                                        C:\\LibreSS5\\crypto\\"
+        
+    condition:
+        uint16be(0)==0x4d5a and #s1 > 200
+}
+        
\ No newline at end of file
diff --git a/yara_rules/backdoor_win_foresttiger.yar b/yara_rules/backdoor_win_foresttiger.yar
new file mode 100644
index 0000000..6e6eb09
--- /dev/null
+++ b/yara_rules/backdoor_win_foresttiger.yar
@@ -0,0 +1,22 @@
+rule backdoor_win_foresttiger {
+    meta:
+        id = "d3128da2-a86d-4db8-9b75-2f3048831c7e"
+        version = "1.0"
+        description = "Detect Lazarus' malware ForestTiger"
+        author = "Sekoia.io"
+        creation_date = "2023-10-24"
+        classification = "TLP:CLEAR"
+        hash1 = "e06f29dccfe90ae80812c2357171b5c48fba189ae103d28e972067b107e58795"
+        hash2 = "0be1908566efb9d23a98797884f2827de040e4cedb642b60ed66e208715ed4aa"
+        reference = "https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/"
+        
+    strings:
+        $ = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.42"
+        $ = "biwbih="
+        $ = "rlzbiw="
+        $ = "whoami EnDePriv Erro" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/backdoor_win_headertip.yar b/yara_rules/backdoor_win_headertip.yar
new file mode 100644
index 0000000..b4a89bb
--- /dev/null
+++ b/yara_rules/backdoor_win_headertip.yar
@@ -0,0 +1,25 @@
+import "pe"
+import "hash"
+        
+rule backdoor_win_headertip {
+    meta:
+        id = "82899406-4ec3-41d2-bcc1-bdd1ee440e77"
+        version = "1.0"
+        description = "Detect HeaderTip backdoor used by the Chinese threat actor Scarab. This backdoor has its hardcoded C2 in strings"
+        author = "Sekoia.io"
+        creation_date = "2022-03-25"
+        classification = "TLP:CLEAR"
+        hash1 = "e1523185eac41a615b8d2af8b7fd5fe07b755442df2836041be544dff6881237"
+        hash2 = "da8a98d9b9a3c176ba44fb69ad0a820a971950e05f1eb0c4bbbf6c2fbb748bdc"
+        hash3 = "63a218d3fc7c2f7fcadc0f6f907f326cc86eb3f8cf122704597454c34c141cf1"
+        
+    strings:
+        $post = "POST" wide
+        $ua = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko" wide
+        
+    condition:
+        (uint16(0)==0x5A4D and $post at 7256 and $ua at 7304 and filesize < 10KB)
+        or pe.imphash() == "60d01115d6baa0f214990c6e19339133"
+        or hash.md5(pe.rich_signature.clear_data) == "48f9cf422144c033e2ca183f72587910"
+}
+        
\ No newline at end of file
diff --git a/yara_rules/backdoor_win_ketrum2.yar b/yara_rules/backdoor_win_ketrum2.yar
new file mode 100644
index 0000000..8c2359a
--- /dev/null
+++ b/yara_rules/backdoor_win_ketrum2.yar
@@ -0,0 +1,36 @@
+import "pe"
+import "hash"
+        
+rule backdoor_win_ketrum2 {
+    meta:
+        id = "afcc349a-d44b-4b66-b86f-c62e700fa899"
+        version = "1.0"
+        description = "Detect Ke3chang's Ketrum backdoor version 2"
+        author = "Sekoia.io"
+        creation_date = "2022-10-19"
+        classification = "TLP:CLEAR"
+        reference = "https://www.intezer.com/blog/research/the-evolution-of-apt15s-codebase-2020/"
+        hash1 = "271384a078f2a2f58e14d7703febae8a28c6e2d7ddb00a3c8d3eead4ea87a0c0"
+        hash2 = "aa467945dd7b9b095e592fc96384bb385f2c95d00d5424e42bb6ab09827cb0ce"
+        hash3 = "aacaf0d4729dd6fda2e452be763d209f92d107ecf24d8a341947c545de9b7311"
+        hash4 = "ac5cb6e17f094068686225075251153e3eb21dc2d1ae744a97ab113cab034a36"
+        
+    strings:
+        $ = "powershell.exe" wide
+        $ = "cmd.exe" wide
+        $ = "%s\\adult.sft" wide
+        $ = "%s\\Notice" wide
+        $ = "%s\\Message" wide
+        $ = "\\Microsoft\\Media Player" wide
+        $ = "Windows\\CurrentVersion\\Explorer\\Shell Folders" wide ascii
+        $ = "Windows\\CurrentVersion\\Internet Settings" wide ascii
+        
+    condition:
+        all of them
+        
+        // Very common resource but appears in all Ketrum samples
+        and for any i in (0..pe.number_of_resources-1) : (
+            hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "49a60be4b95b6d30da355a0c124af82b35000bce8f24f957d1c09ead47544a1e"
+        )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/backdoor_win_kimsuky.yar b/yara_rules/backdoor_win_kimsuky.yar
new file mode 100644
index 0000000..55d5a58
--- /dev/null
+++ b/yara_rules/backdoor_win_kimsuky.yar
@@ -0,0 +1,39 @@
+import "pe"
+import "hash"
+        
+rule backdoor_win_kimsuky {
+    meta:
+        id = "db927d1c-34cf-4501-a6ce-3e8ecdefc5a3"
+        version = "1.0"
+        description = "Detect the backdoors used by Kimsuky based on specific PE ressources"
+        author = "Sekoia.io"
+        creation_date = "2024-06-04"
+        classification = "TLP:CLEAR"
+        hash1 = "000e2926f6e094d01c64ff972e958cd38590299e9128a766868088aa273599c7"
+        hash2 = "cca1705d7a85fe45dce9faec5790d498427b3fa8e546d7d7b57f18a925fdfa5d"
+        
+    condition:
+        uint16be(0) == 0x4d5a
+        and for any i in (0..pe.number_of_resources-1) : (
+            hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "3d570af85db2bb18265d80e7209a5c90f7cc82e0c868c0088a925df6f34e9066"
+            or hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "3d570af85db2bb18265d80e7209a5c90f7cc82e0c868c0088a925df6f34e9066"
+            or hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "ac9ed305c6dac749163db359736e7d92fca9173ff5c9e1f021d500b306e3c5ec"
+            or hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "0ca965ccf7324b098da617909d38986c1e6aae3e12d9629975f1815ed4ed3907"
+            or hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "25d79e59a6b625e5c22ccb55cc49373d38cc6f20cb75504b0df1bc0804bb1247"
+            or hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "ce5619ffe04ec569bf2565e0964156378bda7c42eb646bedbac2191a5af7bebf"
+            or hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "ce10e65f7bf105fc06005340f0a8eaea9b351f3750d2818c1cf2ca25a7f495be"
+            or hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "5a9e2a392c530ab8b38ff917ae0f28496107f1bde94e89515931fd29a0bfb2e5"
+            or hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "19f4f3a05b809d8e33bb0004f62899ca5f9eac7e4cdba68dfd5c0a6f2d71bec3"
+            or hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "b9c208b9bada7bac4d5bfe53992f570e34e0b4d5cfa0862de9847ddf5630ab9a"
+            or hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "3d570af85db2bb18265d80e7209a5c90f7cc82e0c868c0088a925df6f34e9066"
+            or hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "ac9ed305c6dac749163db359736e7d92fca9173ff5c9e1f021d500b306e3c5ec"
+            or hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "0ca965ccf7324b098da617909d38986c1e6aae3e12d9629975f1815ed4ed3907"
+            or hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "25d79e59a6b625e5c22ccb55cc49373d38cc6f20cb75504b0df1bc0804bb1247"
+            or hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "ce5619ffe04ec569bf2565e0964156378bda7c42eb646bedbac2191a5af7bebf"
+            or hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "ce10e65f7bf105fc06005340f0a8eaea9b351f3750d2818c1cf2ca25a7f495be"
+            or hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "5a9e2a392c530ab8b38ff917ae0f28496107f1bde94e89515931fd29a0bfb2e5"
+            or hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "19f4f3a05b809d8e33bb0004f62899ca5f9eac7e4cdba68dfd5c0a6f2d71bec3"
+            or hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "b9c208b9bada7bac4d5bfe53992f570e34e0b4d5cfa0862de9847ddf5630ab9a"
+        )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/backdoor_win_mgbot_main.yar b/yara_rules/backdoor_win_mgbot_main.yar
new file mode 100644
index 0000000..e951c6a
--- /dev/null
+++ b/yara_rules/backdoor_win_mgbot_main.yar
@@ -0,0 +1,36 @@
+import "pe"
+import "hash"
+        
+rule backdoor_win_mgbot_main {
+    meta:
+        id = "528baa11-58d5-470a-bd6d-963d4ac75d97"
+        version = "1.0"
+        description = "Detect MgBot main.dll file"
+        author = "Sekoia.io"
+        creation_date = "2024-03-20"
+        classification = "TLP:CLEAR"
+        reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt-attacks-telecoms-africa-mgbot"
+        hash1 = "706c9030c2fa5eb758fa2113df3a7e79257808b3e79e46869d1bf279ed488c36"
+        hash2 = "017187a1b6d58c69d90d81055db031f1a7569a3b95743679b21e44ea82cfb6c7"
+        
+    condition:
+        // Imphash
+        pe.imphash() == "8e1ee04a99c77bd54c6dc55214ffa2e3"
+        
+        // Rich header hash
+        or hash.md5(pe.rich_signature.clear_data) == "67e8e8b75b981b5c8ff31149dc2c61b2"
+        
+        // Sections
+        or for any i in (0..pe.number_of_sections-1) : (
+            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "7c6adf9987e6dfbf19b5f156b0314798"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "46fa9f5a035c8ae8de1a0d14150bd5ef"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "f7895f9456f8d51125e6744960c38133"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "5d82bb8a7ef37c417615381b446f715c"
+        )
+        
+        // Resource
+        or for any i in (0..pe.number_of_resources-1) : (
+            hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "d7808c6662f098e685040f7c61bc033d9e73002f674de7cf2ffcd6230d60d429"
+        )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/backdoor_win_minibike.yar b/yara_rules/backdoor_win_minibike.yar
new file mode 100644
index 0000000..2f859e3
--- /dev/null
+++ b/yara_rules/backdoor_win_minibike.yar
@@ -0,0 +1,38 @@
+import "pe"
+import "hash"
+        
+rule backdoor_win_minibike {
+    meta:
+        id = "d758c41a-279c-4706-9cf3-87740e45f71d"
+        version = "1.0"
+        description = "Detect the MINIBIKE malware"
+        author = "Sekoia.io"
+        creation_date = "2024-04-08"
+        classification = "TLP:CLEAR"
+        hash1 = "985967e245d8fbc722e30371c9ed48c3269ceaa6b9b9b80caf2b95c920c856c2"
+        hash2 = "ab0b602665b609392eacdcbfc6c1981f216c19f21e2156a55cf9998eab02227b"
+        hash3 = "8e2429d70989bbdd2ea8842dce7c3d790ebe148490ee519b47767557f4a4a733"
+        hash4 = "be86b8559a84d97aa1cc9852e60a553f5164477bacfc69b7f3453ad37fb6fd2a"
+        hash5 = "78065411e7e8eb205ddae7215a229b7c93bdca5d628670f89caa982238ac7eb6"
+        hash6 = "73bf3a5877a7fe16544d15670e3ece034e4826323ba555b3527ad4d061f44ec4"
+        reference = "https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east"
+        
+    strings:
+        $ = "Mini-Junked.dll"
+        
+    condition:
+        // Strings
+        uint16(0)==0x5A4D and all of them
+
+        // Imphash
+        or pe.imphash() == "75a9ae7d4394abdc30e2a873908fa09d"
+
+        // Rich header
+        or hash.md5(pe.rich_signature.clear_data) == "06b2ec5892ac9ad566693b04cf427f3f"
+
+        // Section
+        or for any i in (0..pe.number_of_sections-1) : (
+            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "612006b6f68cd0b8b0d48252dbdef4be"
+        )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/backdoor_win_minibus.yar b/yara_rules/backdoor_win_minibus.yar
new file mode 100644
index 0000000..9bf1140
--- /dev/null
+++ b/yara_rules/backdoor_win_minibus.yar
@@ -0,0 +1,42 @@
+import "pe"
+import "hash"
+        
+rule backdoor_win_minibus {
+    meta:
+        id = "f88bcf15-9a9f-4d84-adc6-db1db55fe93c"
+        version = "1.0"
+        description = "Detect the MINIBUS backdoor used by UNC1549 since August 2023"
+        author = "Sekoia.io"
+        creation_date = "2024-02-29"
+        classification = "TLP:CLEAR"
+        reference = "https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east"
+        
+    strings:
+        $dll_150_1 = "TorvaldsPersist.dll"
+        $dll_150_2 = "FileCoAuth.exe"
+        
+        $dll_50_1 = "TorvaldInitial.dll"
+        $dll_50_2 = "\\essential.dat"
+        
+    condition:
+        // 150KB DLL
+        // 10e9d1eaf24ad3c63578d89f8b887adb47700aae02da1532c4842428725e77d6
+        // 720afa3e1216a9eb68b66858d50de0326f52afa279ef9ee0521aee98b312382f
+        (
+            uint16(0)==0x5A4D and all of ($dll_150_*) or
+            for any i in (0..pe.number_of_resources-1) : (
+                hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "2cf9797b1cfb5795d0fb892b7c371d506a5dd8b7c64fdc82975b3fde6d997df0"
+            )
+        )
+        
+        // 50-06KB DLL
+        // 26ca51cb067e1fdf1b8ad54ba49883bc5d1945952239aec0c4840754bff76621
+        // 90fa29cc98be1d715df26d22079bdb8ce1d1fd3ce6a4efb39a4c192134e01020
+        or (
+            uint16(0)==0x5A4D and all of ($dll_50_*) or
+            for any i in (0..pe.number_of_resources-1) : (
+                hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "de3fb5d4419eb6b943872dd6e3dd93d19584ef2b158aa3158b3b09f0a9b628ef"
+            )
+        )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/backdoor_win_nukesped_andariel.yar b/yara_rules/backdoor_win_nukesped_andariel.yar
new file mode 100644
index 0000000..e0ffbeb
--- /dev/null
+++ b/yara_rules/backdoor_win_nukesped_andariel.yar
@@ -0,0 +1,20 @@
+import "pe"
+import "hash"
+        
+rule backdoor_win_nukesped_andariel {
+    meta:
+        id = "a3601f0b-5782-4546-ac22-8a0514791f8f"
+        version = "1.0"
+        description = "Detect the NukeSped variant type 1 used by Andariel in October 2023"
+        author = "Sekoia.io"
+        creation_date = "2023-11-27"
+        classification = "TLP:CLEAR"
+        reference = "https://asec.ahnlab.com/en/59073/"
+        
+    condition:
+        for any i in (0..pe.number_of_resources-1) : (
+            hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "4ce43c7e358e3951f4c4ebd050d570786cbb473ee353974fc7414e3d753da9f6"
+            or hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "355485cbe2bec406d60a48d7d8d25c71d9ded3c508c87273d936a92b94720d9b"
+        )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/backdoor_win_rokrat.yar b/yara_rules/backdoor_win_rokrat.yar
new file mode 100644
index 0000000..d9ec58d
--- /dev/null
+++ b/yara_rules/backdoor_win_rokrat.yar
@@ -0,0 +1,32 @@
+rule backdoor_win_rokrat {
+    meta:
+        id = "97a3acc1-4120-4d67-a6ad-fa204f2fd7f5"
+        version = "1.0"
+        description = "Detect the RokRAT malware"
+        author = "Sekoia.io"
+        creation_date = "2023-07-11"
+        classification = "TLP:CLEAR"
+        hash1 = "84760cac26513915ebfb0a80ad3ddabe62f03ec4fda227d63e764f9c4a118c4e"
+        hash2 = "758348521331bb18241d1cfc90d7e687dbc5bad8d596a2b2d6a9deb6cfc8cb1d"
+        hash3 = "2a253c2aa1db3f809c86f410e4bd21f680b7235d951567f24d614d8e4d041576"
+        hash4 = "ebce34cdeb20bc8c75249ce87a3080054f48b03ef66572fbc9dc40e6c36310d6"
+        hash5 = "a1e4e95a20120f16adacb342672eec1e73bd7826b332096f046bb7e2b7cd80a1"
+        hash6 = "3be58a7a7a25dbceee9e7ef06ef20aa86aef083be19db9e5ffb181d3f9f6615a"
+        hash7 = "fa4df84071b9ae20b321e4d22162d8480f6992206bc046e403c2fbedd1655503"
+        hash8 = "aa76b4db29cf929b4b22457ccb8cd77308191f091cde2f69e578ade9708d7949"
+        
+    strings:
+        // String in all samples since 2019
+        $ = "--wwjaughalvncjwiajs--"
+        
+        // {"path":"%s","mode":{".tag":"overwrite"}}
+        $ = {7b 00 22 00 70 00 61 00 74 00 68 00 22 00 3a 00 22 00 25 00 73 00 22 00 2c 00 22 00 6d 00 6f 00 64 00 65 00 22 00 3a 00 7b 00 22 00 2e 00 74 00 61 00 67 00 22 00 3a 00 22 00 6f 00 76 00 65 00 72 00 77 00 72 00 69 00 74 00 65 00 22 00 7d 00 7d}
+        
+        // https://cloud-api.yandex.net/v1/disk/resources/upload?path=%s&overwrite=%s
+        $ = {68 00 74 00 74 00 70 00 73 00 3a 00 2f 00 2f 00 63 00 6c 00 6f 00 75 00 64 00 2d 00 61 00 70 00 69 00 2e 00 79 00 61 00 6e 00 64 00 65 00 78 00 2e 00 6e 00 65 00 74 00 2f 00 76 00 31 00 2f 00 64 00 69 00 73 00 6b 00 2f 00 72 00 65 00 73 00 6f 00 75 00 72 00 63 00 65 00 73 00 2f 00 75 00 70 00 6c 00 6f 00 61 00 64 00 3f 00 70 00 61 00 74 00 68 00 3d 00 25 00 73 00 26 00 6f 00 76 00 65 00 72 00 77 00 72 00 69 00 74 00 65 00 3d 00 25 00 73}
+        
+    condition:
+        uint16(0)==0x5A4D
+        and any of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/backdoor_win_rollsling.yar b/yara_rules/backdoor_win_rollsling.yar
new file mode 100644
index 0000000..b6e3ac6
--- /dev/null
+++ b/yara_rules/backdoor_win_rollsling.yar
@@ -0,0 +1,22 @@
+rule backdoor_win_rollsling {
+    meta:
+        id = "5ef23b9c-5bc5-4f02-b1b4-1af18a03241a"
+        version = "1.0"
+        description = "Detect Lazarus' RollSling malware (aka LazarLoader)"
+        author = "Sekoia.io"
+        creation_date = "2023-10-24"
+        classification = "TLP:CLEAR"
+        hash1 = "d9add2bfdfebfa235575687de356f0cefb3e4c55964c4cb8bfdcdc58294eeaca"
+        hash2 = "48538a935ddf2cbeb4918d0ccf9372ec8e0a57c5fd145a584a9b1bb4ebbcd5ce"
+        hash3 = "18825be6b269087d7699f3d0aa2e6db2ae72ded36c56aa8e7b8a606dde3741fa"
+        hash4 = "645205e38dfdd560f6242ba717af1bfdd8e85baf5e710d724b853fe9808c4551"
+        hash5 = "455bab490a300d9d63b8777c223287c0a6a647ca7b98b96fd3236f83b8adc77b"
+        reference = "https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/"
+        
+    strings:
+        $s1 = "LookupPrivilegeVCreateRemoteThreAdjustTokenPriviOpenProcessToken"
+        
+    condition:
+        uint16be(0) == 0x4d5a and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/backdoor_win_sidewinder_cobaltstrike_2022_09.yar b/yara_rules/backdoor_win_sidewinder_cobaltstrike_2022_09.yar
new file mode 100644
index 0000000..af40cbc
--- /dev/null
+++ b/yara_rules/backdoor_win_sidewinder_cobaltstrike_2022_09.yar
@@ -0,0 +1,30 @@
+import "pe"
+import "hash"
+        
+rule backdoor_win_sidewinder_cobaltstrike_2022_09 {
+    meta:
+        id = "b5e8f87a-4a2c-49bb-aa98-bf3fb5056b23"
+        version = "1.0"
+        description = "Detect the SideWinder malware"
+        author = "Sekoia.io"
+        creation_date = "2022-10-24"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        // eNEVER GONNA GIVE YOU UP!
+        $s1 = {65004e004500560045005200200047004f004e004e00410020004700490056004500200059004f0055002000550050002100}
+        
+    condition:
+        $s1
+
+        //Imphash
+        or pe.imphash() == "b1e345b2d78e4b82617d995d18100790"
+
+        //Sections
+        or for any i in (0..pe.number_of_sections-1) : (
+            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "ac989507d4af352fa354560efef99ba6"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "8090b29a44c750b7b21287f9639fe747"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "ea8693d6bacf3e7876f717a3d8abc433"
+        )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/backdoor_win_spacecolon.yar b/yara_rules/backdoor_win_spacecolon.yar
new file mode 100644
index 0000000..dfb4459
--- /dev/null
+++ b/yara_rules/backdoor_win_spacecolon.yar
@@ -0,0 +1,40 @@
+rule backdoor_win_spacecolon {
+    meta:
+        id = "ae09f0e2-e913-44d5-abe1-715170368cc8"
+        version = "1.0"
+        description = "Finds Spacecolon samples based on specific strings (ScHackTool component)"
+        author = "Sekoia.io"
+        reference = "https://www.welivesecurity.com/en/eset-research/scarabs-colon-izing-vulnerable-servers/"
+        creation_date = "2023-08-25"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "Before Work" ascii
+        $str02 = "DEFENDER OFF" ascii
+        $str03 = "Stop Service" ascii
+        $str04 = "Kill All (Default)" ascii
+        $str05 = "Keyboard EN" ascii
+        $str06 = "After Work" ascii
+        $str07 = "Del Shadow Log" ascii
+        $str08 = "Kill OSK" ascii
+        $str09 = "PWGEN" ascii
+        $str10 = "Character :" ascii
+        $str11 = "PW GEN" ascii
+        $str12 = "Cobian UI Pass" ascii
+        $str13 = "Credssp" ascii
+        $str14 = "Username :" ascii
+        $str15 = "Password :" ascii
+        $str16 = "TSpeedButton" ascii
+        $str17 = "Ab1q2w3e!" ascii
+        $str18 = "PC Details" ascii
+        $str19 = "Mimi Dump" ascii
+        $str20 = "MIMI Dump" ascii
+        $str21 = "powershell -ExecutionPolicy Bypass -File \"" wide
+        $str22 = "lastlog.txt" wide
+        $str23 = "$AdminGroupName = (Get-WmiObject -Class Win32_Group -Filter 'LocalAccount = True AND SID = \"S-1-5-32-544\"').Name" wide
+        $str24 = "net localgroup $AdminGroupName " wide
+        
+    condition:
+        uint16(0) == 0x5a4d and 17 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/backdoor_win_sponsor.yar b/yara_rules/backdoor_win_sponsor.yar
new file mode 100644
index 0000000..806d415
--- /dev/null
+++ b/yara_rules/backdoor_win_sponsor.yar
@@ -0,0 +1,25 @@
+rule backdoor_win_sponsor {
+    meta:
+        id = "d410cdb7-a2a8-481e-a90a-49ef15a7a0e3"
+        version = "1.0"
+        description = "Detect the Sponsor backdoor"
+        author = "Sekoia.io"
+        creation_date = "2024-03-29"
+        classification = "TLP:CLEAR"
+        reference = "https://www.welivesecurity.com/en/eset-research/sponsor-batch-filed-whiskers-ballistic-bobcats-scan-strike-backdoor/"
+        hash1 = "e5ee874bd59bb2a6dec700686544e7914312abff166a7390b34f7cb29993267a"
+        hash2 = "e2b74ed355d68bed2e7242baecccd7eb6eb480212d6cc54526bc4ff7e6f57629"
+        hash3 = "2a99cf7d73d453f3554e24bf3efa49d8109da9e8543db815a8f813559d083f8f"
+        hash4 = "c4dbda41c726af9ba3d9224f2e38fc433d2b60f4a23512437adeae8ef8986c57"
+        
+    strings:
+        $ = "Content-Type: application/x-www-form-urlencoded"
+        $ = "SYSTEM\\CurrentControlSet\\Control\\TimeZoneInformation"
+        $ = "\\Uninstall.bat"
+        $ = "\\config.txt"
+        $ = "\\node.txt"
+        
+    condition:
+        uint16be(0) == 0x4d5a and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/backdoor_win_volgmer.yar b/yara_rules/backdoor_win_volgmer.yar
new file mode 100644
index 0000000..2356a72
--- /dev/null
+++ b/yara_rules/backdoor_win_volgmer.yar
@@ -0,0 +1,33 @@
+rule backdoor_win_volgmer {
+    meta:
+        id = "9468a66d-787c-488f-937b-22617c7a2ded"
+        version = "1.0"
+        description = "Detect the NukeSped variant called Volgmer used by Andariel"
+        author = "Sekoia.io"
+        creation_date = "2023-09-04"
+        classification = "TLP:CLEAR"
+        hash1 = "3098e6e7ae23b3b8637677da7bfc0ba720e557e6df71fa54a8ef1579b6746061"
+        hash2 = "7339cfa5a67f5a4261c18839ef971d7f96eaf60a46190cab590b439c71c4742b"
+        hash3 = "8daa6b20caf4bf384cc7912a73f243ce6e2f07a5cb3b3e95303db931c3fe339f"
+        hash4 = "1b88b939e5ec186b2d19aec8f17792d493d74dd6ab3d5a6ddc42bfe78b01aff1"
+        
+    strings:
+        $ = "Fixed" wide
+        $ = "CDRom" wide
+        $ = "Removable" wide
+        $ = "%.2fGB" wide
+        $ = "\\*.*" wide
+        $ = "Folder" wide
+        $ = "%.1fKB" wide
+        $ = "%.1fMB" wide
+        $ = "%s\\*.*" wide
+        $ = "%s\\%s\\%s" wide
+        $ = "%s\\%s%s" wide
+        $ = "Remote PC" wide
+        $ = "%s|%s|%s|%s|%s|%s|" wide
+        $ = "%s\\cmd.exe" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/backdoor_win_warhawk.yar b/yara_rules/backdoor_win_warhawk.yar
new file mode 100644
index 0000000..3d74772
--- /dev/null
+++ b/yara_rules/backdoor_win_warhawk.yar
@@ -0,0 +1,57 @@
+rule backdoor_win_warhawk {
+    meta:
+        id = "d0ec19a7-cb08-4bca-b153-d7b0358186b4"
+        version = "1.0"
+        description = "Detect the WarHawk backdoor used by the SideWinder intrusion-set"
+        author = "Sekoia.io"
+        creation_date = "2022-10-24"
+        classification = "TLP:CLEAR"
+        reference = "https://www.zscaler.com/blogs/security-research/warhawk-new-backdoor-arsenal-sidewinder-apt-group-0"
+        hash_exe1 = "7d3574c62df44b74337fc74ec7877792b4ffa1486a49bb19668433c3ca8836b5"
+        hash_exe2 = "624c6b56ee3865f4a5792ad1946a8e86b876440a5af3bac22ac1dee92f1b7372"
+        hash_iso1 = "58b3686e4255d32dbcf7dee9dac1d5be6d4692d086cde167da1e1a5e0e1b315a"
+        hash_iso2 = "f97d5d3e1c2ceb3e9d23ae5b5d4e7c9857155df5acf7f67fee995cb041c797dc"
+        
+    strings:
+        // { \"name\": \"%s\", \"size\": \"\", \"mod\": \"%s\", \"type\": \"File folder\" },
+        $ = {7b205c226e616d655c223a205c2225735c222c205c2273697a655c223a205c225c222c205c226d6f645c223a205c2225735c222c205c22747970655c223a205c2246696c6520666f6c6465725c22207d2c}
+        
+        // { \"name\": \"%s\", \"mod\": \"%s\", \"type\": \"%s\", \"size\": \"%u\" },
+        //$ = {7b205c226e616d655c223a205c2225735c222c205c226d6f645c223a205c2225735c222c205c22747970655c223a205c2225735c222c205c2273697a655c223a205c2225755c22207d2c}
+        
+        // { "_hwid": "%s", "_computer": "%s", "_username": "%s", "_os": "%s" }
+        $ = {7b20225f68776964223a20222573222c20225f636f6d7075746572223a20222573222c20225f757365726e616d65223a20222573222c20225f6f73223a2022257322207d}
+        
+        // {\"name\": \"%s\", \"type\": \"%s\"},
+        $ = {7b5c226e616d655c223a205c2225735c222c205c22747970655c223a205c2225735c227d2c}
+        
+        // { "_hwid": "%s", "_filemgr_done": "true", "_response": "%s" }
+        $ = {7b20225f68776964223a20222573222c20225f66696c656d67725f646f6e65223a202274727565222c20225f726573706f6e7365223a2022257322207d}
+        
+        // { "_hwid": "%s", "_task": "true" }
+        $ = {7b20225f68776964223a20222573222c20225f7461736b223a20227472756522207d}
+        
+        // { "_hwid": "%s", "_task_done": "true", "_id": "%s" }
+        $ = {7b20225f68776964223a20222573222c20225f7461736b5f646f6e65223a202274727565222c20225f6964223a2022257322207d}
+        
+        // { "_hwid": "%s", "_cmd": "true" }
+        $ = {7b20225f68776964223a20222573222c20225f636d64223a20227472756522207d}
+        
+        // { "_hwid": "%s", "_cmd_done": "true", "_response": "%s" }
+        $ = {7b20225f68776964223a20222573222c20225f636d645f646f6e65223a202274727565222c20225f726573706f6e7365223a2022257322207d}
+        
+        // { "_hwid": "%s", "_filemgr": "true" }
+        $ = {7b20225f68776964223a20222573222c20225f66696c656d6772223a20227472756522207d}
+        
+        // { "_hwid": "%s" }
+        $ = {7b20225f68776964223a2022257322207d}
+        
+        // { "_hwid": "%s", "_ping": "true" }
+        $ = {7b20225f68776964223a20222573222c20225f70696e67223a20227472756522207d}
+        
+        $ = "cmd.exe"
+        
+    condition:
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/backdoor_win_winordll64.yar b/yara_rules/backdoor_win_winordll64.yar
new file mode 100644
index 0000000..619e0d9
--- /dev/null
+++ b/yara_rules/backdoor_win_winordll64.yar
@@ -0,0 +1,24 @@
+import "hash"
+import "pe"
+        
+rule backdoor_win_winordll64 {
+    meta:
+        id = "86a32538-bc69-47ea-9842-4af360588c27"
+        version = "1.0"
+        description = "Detect the WinorDLL64 backdoor"
+        author = "Sekoia.io"
+        creation_date = "2023-02-24"
+        classification = "TLP:CLEAR"
+        
+    condition:
+        hash.md5(pe.rich_signature.clear_data) == "d16713cbfe04151b3a9e832c8afd55df"
+        or for any i in (0..pe.number_of_sections-1) : (
+            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "3f638774c2565594029fb52ceb67db7a"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "f9416bfb43b2c70837927e43e7591a2a"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "6eede2cebaef39eec5bd1c24c809e3dc"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "1177658fb0469cd5982102c9f3cd2eea"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "658d877d1bf0d2928b2c3efec9ec06cf"
+        )
+        or pe.imphash() == "d6b6f8cdffb06f469e06c7af9639897c"
+}
+        
\ No newline at end of file
diff --git a/yara_rules/backdoor_xploitspy_strings.yar b/yara_rules/backdoor_xploitspy_strings.yar
new file mode 100644
index 0000000..3be36d9
--- /dev/null
+++ b/yara_rules/backdoor_xploitspy_strings.yar
@@ -0,0 +1,29 @@
+rule backdoor_xploitspy_strings {
+    meta:
+        id = "0aa86c2e-dba6-4ef4-a47e-f1b43e04f1f3"
+        version = "1.0"
+        description = "Detects XploitSPY DEX file"
+        author = "Sekoia.io"
+        creation_date = "2022-08-24"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = { 04 30 78 43 42 00 }
+        $ = { 04 30 78 43 4C 00 }
+        $ = { 04 30 78 43 4F 00 }
+        $ = { 04 30 78 46 49 00 }
+        $ = { 04 30 78 47 50 00 }
+        $ = { 04 30 78 49 4E 00 }
+        $ = { 04 30 78 4C 4F 00 }
+        $ = { 04 30 78 4D 49 00 }
+        $ = { 04 30 78 4E 4F 00 }
+        $ = { 04 30 78 50 4D 00 }
+        $ = { 04 30 78 53 4D 00 }
+        $ = { 04 30 78 57 49 00 }
+        
+    condition:
+        uint32be(0) == 0x6465780A and
+        filesize < 1MB and
+        10 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/backoor_win_gobear.yar b/yara_rules/backoor_win_gobear.yar
new file mode 100644
index 0000000..26bd95e
--- /dev/null
+++ b/yara_rules/backoor_win_gobear.yar
@@ -0,0 +1,19 @@
+import "pe"
+import "hash"
+        
+rule backoor_win_gobear {
+    meta:
+        id = "f922bf1b-652e-4a2f-91e9-76ecd2e3bf6a"
+        version = "1.0"
+        description = "Detect the GoBear backdoor used by Kimsuky"
+        author = "Sekoia.io"
+        creation_date = "2024-02-13"
+        classification = "TLP:CLEAR"
+        reference = "https://medium.com/s2wblog/kimsuky-disguised-as-a-korean-company-signed-with-a-valid-certificate-to-distribute-troll-stealer-cfa5d54314e2"
+        
+    condition:
+        for any i in (0..pe.number_of_resources-1) : (
+            hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "668031f53390dc749971888029911c12d4171534f77c17a962e698bf121d0e20"
+        )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/backoor_win_tinyturla_ng.yar b/yara_rules/backoor_win_tinyturla_ng.yar
new file mode 100644
index 0000000..97a6cab
--- /dev/null
+++ b/yara_rules/backoor_win_tinyturla_ng.yar
@@ -0,0 +1,29 @@
+import "pe"
+        
+rule backoor_win_tinyturla_ng {
+    meta:
+        id = "019043bb-0212-4b73-bc93-03e9a746d28d"
+        version = "1.0"
+        description = "Detect the TinyTurla-NG backdoor used by Turla"
+        author = "Sekoia.io"
+        creation_date = "2024-03-04"
+        classification = "TLP:CLEAR"
+        reference = "https://blog.talosintelligence.com/tinyturla-next-generation/"
+        hash1 = "267071df79927abd1e57f57106924dd8a68e1c4ed74e7b69403cdcdf6e6a453b"
+        hash2 = "d6ac21a409f35a80ba9ccfe58ae1ae32883e44ecc724e4ae8289e7465ab2cf40"
+        
+    strings:
+        $ = "delkill /F /IM explENT_USER\\Softwar"
+        $ = "Set-PSReadLineOption -HistorySaveStyle SaveNothing"
+        $ = "changeshell"
+        $ = "chcp 437 > $null"
+        $ = "powershell.exe -nologo"
+        
+    condition:
+        // Strings
+        uint16be(0) == 0x4d5a and all of them
+        
+        // Imphash
+        or pe.imphash() == "2240ae6f0dcbc0537836dfd9205a1f2b"
+}
+        
\ No newline at end of file
diff --git a/yara_rules/bot_lin_enemybot_april22.yar b/yara_rules/bot_lin_enemybot_april22.yar
new file mode 100644
index 0000000..b54b990
--- /dev/null
+++ b/yara_rules/bot_lin_enemybot_april22.yar
@@ -0,0 +1,27 @@
+rule bot_lin_enemybot_april22 {
+    meta:
+        id = "5778c653-39ce-4f5d-b10b-1503b74e5041"
+        version = "1.0"
+        description = "Detect enemybot based on command line observed in strings"
+        author = "Sekoia.io"
+        reference = "https://twitter.com/3xp0rtblog/status/137520616938452173://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet"
+        creation_date = "2022-04-14"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $cmd0 = "wget http://%s/update.sh" ascii
+        $cmd1 = "busybox wget http://%s/update.sh" ascii
+        $cmd2 = "curl http://%s/update.sh" ascii
+        $cmd3 = "chmod 777 update.sh" ascii
+        $cmd4 = "rm -rf update.sh" ascii
+        
+        $str0 = "ENEMEYBOT" ascii xor
+        $str1 = "KEKSEC" ascii xor
+        $str2 = "/tmp/.pwned" ascii xor
+        $str3 = "echo -e \"\x65\x6e\x65\x6d\x79"
+        
+    condition:
+        (uint32(0)==0x464c457f or uint32(0)==0xfeedfacf) //elf or mach-o
+        and (4 of ($cmd*) or 2 of ($str*))
+}
+        
\ No newline at end of file
diff --git a/yara_rules/bot_lin_kinsing_strings.yar b/yara_rules/bot_lin_kinsing_strings.yar
new file mode 100644
index 0000000..51c0344
--- /dev/null
+++ b/yara_rules/bot_lin_kinsing_strings.yar
@@ -0,0 +1,24 @@
+rule bot_lin_kinsing_strings {
+    meta:
+        id = "ce41b6d0-bc22-4a85-a3bb-ed3234871524"
+        version = "1.0"
+        description = "Catch Kinsing malware based on strings"
+        author = "Sekoia.io"
+        creation_date = "2023-11-24"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "MinerUrl" ascii
+        $s2 = "main.masscan" ascii
+        $s3 = "redisBrute" ascii
+        $s4 = "ActiveC2CUrl" ascii
+        $s5 = "main.getKi" ascii
+        $s6 = "main.getMu" ascii
+        $s7 = "tryToRunMiner" ascii
+        $s8 = "main.kiLoader" ascii
+        $s9 = "main.downloadAndExecute" ascii
+        
+    condition:
+        uint32(0)==0x464c457f and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/bot_lin_lucifer_strings.yar b/yara_rules/bot_lin_lucifer_strings.yar
new file mode 100644
index 0000000..9f5651d
--- /dev/null
+++ b/yara_rules/bot_lin_lucifer_strings.yar
@@ -0,0 +1,21 @@
+rule bot_lin_lucifer_strings {
+    meta:
+        id = "c341b6d0-bc22-4a85-aebb-ed323487f524"
+        version = "1.0"
+        description = "Catch Lucifer DDoS - lin version - malware based on strings"
+        author = "Sekoia.io"
+        creation_date = "2024-09-24"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "DealwithDDoS" ascii
+        $s2 = "DecryptData" ascii
+        $s3 = "They say I'm rude. I'm not rude at all, but I still want to say, fuck your mother" ascii
+        $s4 = "stratum+tcp://" ascii
+        $s5 = "gethostip" ascii
+        $s6 = "GetmyName" ascii
+        
+    condition:
+        uint32(0)==0x464c457f and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/bot_lin_xorddos_strings.yar b/yara_rules/bot_lin_xorddos_strings.yar
new file mode 100644
index 0000000..ec7cf1d
--- /dev/null
+++ b/yara_rules/bot_lin_xorddos_strings.yar
@@ -0,0 +1,18 @@
+rule bot_lin_xorddos_strings {
+    meta:
+        id = "2f5c70a3-fe3f-4091-905d-d779bd0cb2cd"
+        version = "1.0"
+        description = "Catch XORDDoS strings"
+        author = "Sekoia.io"
+        creation_date = "2023-11-02"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)" ascii fullword
+        $s2 = "sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab" ascii fullword
+        $s3 = "for i in `cat /proc/net/dev|grep :|awk -F: {'print $1'}`; do ifconfig $i up& done"
+        
+    condition:
+        uint32(0)==0x464c457f and filesize > 600KB and filesize < 700KB and 3 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/bot_lin_zerobot_dec22.yar b/yara_rules/bot_lin_zerobot_dec22.yar
new file mode 100644
index 0000000..c9abe69
--- /dev/null
+++ b/yara_rules/bot_lin_zerobot_dec22.yar
@@ -0,0 +1,31 @@
+rule bot_lin_zerobot_dec22 {
+    meta:
+        id = "ce028297-a526-4a6a-95db-8762fb5895f6"
+        version = "1.0"
+        description = "Detect the linux Zerobot implant using specific strings"
+        author = "Sekoia.io"
+        reference = "https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities"
+        creation_date = "2022-08-05"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "rm -rf "
+        $str02 = "wget http://"
+        $str03 = "curl -O http://"
+        $str04 = "tftp"
+        $str05 = "-c get"
+        $str06 = "ftpget -v -u anonymous -P"
+        $str07 = "chmod 777"
+        $str08 = "nohup"
+        $str09 = "/dev/null 2>&1 &"
+        $str10 = "zero."
+        $str11 = "ppc64le"
+        $str12 = "riscv64"
+        $str13 = "s390x"
+        $str14 = "rm -rf ~/.bash_history"
+        $str15 = "history -c"
+        
+    condition:
+        11 of ($str*) and filesize < 10KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/bot_win_yamabot.yar b/yara_rules/bot_win_yamabot.yar
new file mode 100644
index 0000000..2b52fa4
--- /dev/null
+++ b/yara_rules/bot_win_yamabot.yar
@@ -0,0 +1,21 @@
+rule bot_win_yamabot {
+    meta:
+        id = "9f5b85c4-59e3-448f-b054-5b4932ee89bb"
+        version = "1.0"
+        description = "Detect the Yamabot implant used by Lazarus"
+        author = "Sekoia.io"
+        creation_date = "2023-08-29"
+        classification = "TLP:CLEAR"
+        hash1 = "1e4de822695570421eb2f12fdfe1d32ab8639655e12180a7ab3cf429e7811b8f"
+        hash2 = "66415464a0795d0569efa5cb5664785f74ed0b92a593280d689f3a2ac68dca66"
+        hash3 = "74529dd15d1953a47f0d7ecc2916b2b92865274a106e453a24943ca9ee434643"
+        hash4 = "def2f01fbd4be85f48101e5ab7ddd82efb720e67daa6838f30fd8dcda1977563"
+        
+    strings:
+        $s1 = "_/D_/Bot/YamaBot/"
+        $s2 = "Go build ID: \"ujRRNborth3MgXzS7HTu/aYhLszO8_95srnr8Fk1n/Xr8P792kGZ_VUqOQVc97/kgx_H7YuMZBl2Ajyac2M\""
+        
+    condition:
+        uint16be(0) == 0x4d5a and 1 of them and filesize > 3MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/botnet_lin_tsunami.yar b/yara_rules/botnet_lin_tsunami.yar
new file mode 100644
index 0000000..d31f566
--- /dev/null
+++ b/yara_rules/botnet_lin_tsunami.yar
@@ -0,0 +1,22 @@
+rule botnet_lin_tsunami {
+    meta:
+        id = "65d2ff89-064f-489a-a215-33197926a62d"
+        version = "1.0"
+        description = "Catch tsunami botnet based on string"
+        author = "Sekoia.io"
+        creation_date = "2024-09-24"
+        classification = "TLP:CLEAR"
+        hash = "536a28db011459d841652e25a852ccf2"
+        
+    strings:
+        $n = "NOTICE %s" ascii
+        $t = "TSUNAMI" ascii nocase
+        $s1 = "NICK" ascii fullword
+        $s2 = "GETSPOOFS" ascii fullword
+        $s3 = "IRC" ascii fullword
+        $s4 = "PONG" ascii
+        
+    condition:
+        uint32(0)==0x464c457f and #n > 40 and #t > 3 and 3 of ($s*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/builder_win_royalroad_rtf.yar b/yara_rules/builder_win_royalroad_rtf.yar
new file mode 100644
index 0000000..07fae26
--- /dev/null
+++ b/yara_rules/builder_win_royalroad_rtf.yar
@@ -0,0 +1,16 @@
+rule builder_win_royalroad_rtf {
+    meta:
+        id = "065e798b-eadd-4aac-a444-de61b75f0273"
+        description = "Detects RoyalRoad weaponized RTF documents"
+        creation_date = "2022-06-23"
+        author = "Sekoia.io"
+        version = "1.0"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "{\\object\\objocx{\\objdata"
+        $ = "ods0000"
+        
+    condition:        uint32be(0) == 0x7B5C7274 and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/bumblebee_loader.yar b/yara_rules/bumblebee_loader.yar
new file mode 100644
index 0000000..55c5559
--- /dev/null
+++ b/yara_rules/bumblebee_loader.yar
@@ -0,0 +1,19 @@
+rule bumblebee_loader {
+    meta:
+        id = "8fd795c7-6896-498c-a892-de9da6427b60"
+        version = "1.0"
+        description = "Detect the BUMBLEBEE loader"
+        author = "Sekoia.io"
+        creation_date = "2022-05-23"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str0 = { 5a 00 3a 00 5c 00 68 00 6f 00 6f 00 6b 00 65 00 72 00 32 00 5c 00 43 00 6f 00 6d 00 6d 00 6f 00 6e 00 5c 00 6d 00 64 00 35 00 2e 00 63 00 70 00 70 00 }
+        $str1 = "/gate" ascii
+        $str2 = "3C29FEA2-6FE8-4BF9-B98A-0E3442115F67" wide
+        $str3 = "BLACK" ascii
+        
+    condition:
+        uint16be(0) == 0x4d5a and 3 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/bumblebee_vhd.yar b/yara_rules/bumblebee_vhd.yar
new file mode 100644
index 0000000..ff1eda2
--- /dev/null
+++ b/yara_rules/bumblebee_vhd.yar
@@ -0,0 +1,23 @@
+import "magic"
+        
+rule bumblebee_vhd {
+    meta:
+        id = "0a9d1ffa-a3ff-4b15-b660-b4c132d5a415"
+        version = "1.0"
+        description = "BumbleBee new infection vector via VHD file and powershell second stage"
+        author = "Sekoia.io"
+        creation_date = "2022-09-09"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" ascii
+        $s2 = "Invalid partition table" ascii
+        $s3 = "BOOTMGR" ascii
+        $s4 = "LNK" ascii
+        
+    condition:
+        magic.mime_type() == "application/x-virtualbox-vhd" and
+        filesize > 3MB and filesize < 10MB and
+        all of ($s*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/clipper_win_atlas_strings.yar b/yara_rules/clipper_win_atlas_strings.yar
new file mode 100644
index 0000000..8d25680
--- /dev/null
+++ b/yara_rules/clipper_win_atlas_strings.yar
@@ -0,0 +1,23 @@
+rule clipper_win_atlas_strings {
+    meta:
+        id = "f08c6af6-c325-4f7d-8686-575b25550d6a"
+        version = "1.0"
+        description = "Detects Atlas Clipper"
+        author = "Sekoia.io"
+        creation_date = "2023-07-10"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "C:/Users/box/Desktop/ATLAS/ATLAS/main.go" ascii
+        $s2 = "ATLAS Clipper" ascii
+        $s3 = "Victim: %s" ascii
+        $s4 = "Attacker: %s" ascii
+        $s5 = "Install Path: %s" ascii
+        $s6 = "HWID: %s" ascii
+        $s7 = "Install Date: %s" ascii
+        $s8 = "https://t.me/atlasclipper_channel" ascii
+        
+    condition:
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/clipper_win_cryptoclippy.yar b/yara_rules/clipper_win_cryptoclippy.yar
new file mode 100644
index 0000000..94f5123
--- /dev/null
+++ b/yara_rules/clipper_win_cryptoclippy.yar
@@ -0,0 +1,26 @@
+rule clipper_win_cryptoclippy {
+    meta:
+        id = "eaa98a8e-e29e-43a4-8b2d-2137d33d4116"
+        version = "1.0"
+        description = "Finds CryptoClippy samples"
+        author = "Sekoia.io"
+        reference = "https://unit42.paloaltonetworks.com/crypto-clipper-targets-portuguese-speakers/"
+        creation_date = "2023-04-11"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "C:\\mbedtls\\library\\" ascii
+        $str02 = "udp://8.8.8.8:53" ascii
+        $str03 = "Upgrade: websocket" ascii
+        $str04 = "%s\\%s.lnk" ascii
+        $str05 = "%s\\%s.ps1" ascii
+        $str06 = "%s\\%s.bat" ascii
+        $str07 = "set PSExecutionPolicyPreference=Unrestricted" ascii
+        $str08 = "schtasks /delete /tn \"%ls\" /f" ascii
+        $str09 = "SetClipboardData" ascii
+        $str10 = "SetWinEventHook" ascii
+        
+    condition:
+        uint16(0) == 0x5A4D and 8 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/clwiper_strings.yar b/yara_rules/clwiper_strings.yar
new file mode 100644
index 0000000..972241c
--- /dev/null
+++ b/yara_rules/clwiper_strings.yar
@@ -0,0 +1,21 @@
+rule clwiper_strings {
+    meta:
+        id = "91e531e2-8548-460f-88a8-cc09abb901e0"
+        version = "1.0"
+        author = "Sekoia.io"
+        creation_date = "2022-09-15"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $w1 = "missing args"
+        $w2 = "wp starts"
+        $w3 = "Total Bytez : %lld"
+        $w4 = "percent is %f spent time is %.2fs"
+        $d1 = "\\\\?\\RawDisk3"
+        $d2 = "B4B615C28CCD059CF8ED1ABF1C71FE03C0354522990AF63ADF3C911E2287A4B906D47D"
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        (3 of ($w*) or all of ($d*))
+}
+        
\ No newline at end of file
diff --git a/yara_rules/crime_sload_mainpowershellimplant.yar b/yara_rules/crime_sload_mainpowershellimplant.yar
new file mode 100644
index 0000000..15dfa98
--- /dev/null
+++ b/yara_rules/crime_sload_mainpowershellimplant.yar
@@ -0,0 +1,32 @@
+rule crime_sload_mainpowershellimplant {
+    meta:
+        id = "09d268e7-d688-4390-856e-9e9ed47aec04"
+        version = "1.0"
+        description = "Detects the main PowerShell implant"
+        author = "Sekoia.io"
+        creation_date = "2022-08-03"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $c1 = "priority FOREGROUND"
+        $c2 = "app|Services|RuntimeBroker|Search|host"
+        $c3 = "([wmiclass]\"win32_Process\").create("
+        $c4 = "Start-Sleep -seconds"
+        $c5 = "while($e -eq 1){ $dCnt++;"
+        
+        $d1 = "112,114,105,111,114,105,116,121,32,70,79,82,69,71,82,79,85,78,68"
+        $d2 = "97,112,112,124,83,101,114,118,105,99,101,115,124,82,117,110,116,105,109,101,66,114,111,107,101,114,124,83,101,97,114,99,104,124,104,111,115,116"
+        $d3 = "40,91,119,109,105,99,108,97,115,115,93,34,119,105,110,51,50,95,80,114,111,99,101,115,115,34,41,46,99,114,101,97,116,101,40"
+        $d4 = "83,116,97,114,116,45,83,108,101,101,112,32,45,115,101,99,111,110,100,115"
+        $d5 = "119,104,105,108,101,40,36,101,32,45,101,113,32,49,41,123,32,36,100,67,110,116,43,43,59"
+        
+        $b1 = "priority FOREGROUND" base64
+        $b2 = "app|Services|RuntimeBroker|Search|host" base64
+        $b3 = "([wmiclass]\"win32_Process\").create(" base64
+        $b4 = "Start-Sleep -seconds" base64
+        $b5 = "while($e -eq 1){ $dCnt++;" base64
+        
+    condition:
+        3 of ($c*) or 3 of ($d*) or 3 of ($b*) and filesize < 30KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/crime_sload_powershellarchiveexfiltrator_strings.yar b/yara_rules/crime_sload_powershellarchiveexfiltrator_strings.yar
new file mode 100644
index 0000000..70c0921
--- /dev/null
+++ b/yara_rules/crime_sload_powershellarchiveexfiltrator_strings.yar
@@ -0,0 +1,17 @@
+rule crime_sload_powershellarchiveexfiltrator_strings {
+    meta:
+        id = "3934696a-2116-49cb-9f75-3740767ad6f3"
+        version = "1.0"
+        author = "Sekoia.io"
+        creation_date = "2022-08-02"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "if ($wr1 -or $wr2){"
+        $ = "if ($zp1 -or $zp2){"
+        $ = "-join ((65..90) + (97..122) | Get-Random -Count 16 | % {[char]$_});"
+        
+    condition:
+        all of them and filesize < 1KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/crime_sload_scheduledtask_dropper_strings.yar b/yara_rules/crime_sload_scheduledtask_dropper_strings.yar
new file mode 100644
index 0000000..a4700ec
--- /dev/null
+++ b/yara_rules/crime_sload_scheduledtask_dropper_strings.yar
@@ -0,0 +1,17 @@
+rule crime_sload_scheduledtask_dropper_strings {
+    meta:
+        id = "01c51da8-71a5-449f-a609-933c37bc2e63"
+        version = "1.0"
+        author = "Sekoia.io"
+        creation_date = "2022-08-02"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "$hh='hi'+'dd'+'en';"
+        $ = { 7D 65 6C 73 65 7B 0A 24 72 73 3D 30 3B 0A 7D 0A }
+        $ = { 6B 69 6C 6C 20 2D 6E 61 6D 65 20 2A 77 65 72 73 68 65 6C 2A }
+        
+    condition:
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/crime_sload_vbs_downloader_strings_1.yar b/yara_rules/crime_sload_vbs_downloader_strings_1.yar
new file mode 100644
index 0000000..9fee230
--- /dev/null
+++ b/yara_rules/crime_sload_vbs_downloader_strings_1.yar
@@ -0,0 +1,18 @@
+rule crime_sload_vbs_downloader_strings_1 {
+    meta:
+        id = "77ff0d21-9249-43b2-9a6d-87988a2dec3b"
+        version = "1.0"
+        description = "Detects an sLoad downloader based on strings"
+        author = "Sekoia.io"
+        creation_date = "2022-08-02"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "On Error Resume Next"
+        $ = {0A [4] 3D 41 72 72 61 79}
+        $ = { 2E 50 61 74 74 65 72 6E 20 3D 20 22 28 [4-10] 7C [4-10] 7C [4-10] 7C [4-10] 7C [4-10] 7C [4-10] 7C [4-10] 7C }
+        
+    condition:
+      all of them and filesize < 20KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/crime_sload_vbs_downloader_strings_2.yar b/yara_rules/crime_sload_vbs_downloader_strings_2.yar
new file mode 100644
index 0000000..f5e4930
--- /dev/null
+++ b/yara_rules/crime_sload_vbs_downloader_strings_2.yar
@@ -0,0 +1,18 @@
+rule crime_sload_vbs_downloader_strings_2 {
+    meta:
+        id = "77ff0d21-9249-43b2-9a6d-87988a2dec3b"
+        version = "1.0"
+        description = "Detects an sLoad downloader based on strings"
+        author = "Sekoia.io"
+        creation_date = "2022-08-02"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "On Error Resume Next"
+        $ = {0A [4] 3D 41 72 72 61 79}
+        $ = { 2E 50 61 74 74 65 72 6E 20 3D 20 22 28 [4-10] 7C [4-10] 7C [4-10] 7C [4-10] 7C [4-10] 7C [4-10] 7C [4-10] 7C }
+        
+    condition:
+    all of them and filesize < 20KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/crime_sload_vbs_wsf_downloader.yar b/yara_rules/crime_sload_vbs_wsf_downloader.yar
new file mode 100644
index 0000000..b169c03
--- /dev/null
+++ b/yara_rules/crime_sload_vbs_wsf_downloader.yar
@@ -0,0 +1,19 @@
+rule crime_sload_vbs_wsf_downloader {
+    meta:
+        id = "55d87205-5f8f-479a-a616-bf3fce571f03"
+        version = "1.0"
+        description = "Detects sLoad Downloader"
+        author = "Sekoia.io"
+        creation_date = "2022-08-01"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = { 53 65 74 20 6c 69 6e 6b 20 3d 20 [5-10] 2e 43 72 65 61 74 65 53 68 6f 72 74 63 75 74 28 }
+        $ = { 2e 72 75 6e 20 22 63 3a 5c 55 73 65 72 73 5c 50 75 62 6c 69 63 5c 44 6f 63 75 6d 65 6e 74 73 5c [5-10] 2e 6c 6e 6b 20 2f 63 20 70 6f 77 65 72 73 68 65 6c 6c }
+        $ = { 3d 22 20 2f 63 20 70 6f 77 65 72 73 68 65 6c 6c 20 22 }
+        $ = { 20 2f 63 20 70 6f 77 65 72 73 68 65 6c 6c 20 22 20 26 20 }
+        
+    condition:
+        2 of them and filesize < 1KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/crime_sload_zip_archives.yar b/yara_rules/crime_sload_zip_archives.yar
new file mode 100644
index 0000000..ff1ae16
--- /dev/null
+++ b/yara_rules/crime_sload_zip_archives.yar
@@ -0,0 +1,20 @@
+rule crime_sload_zip_archives {
+    meta:
+        id = "5335ad65-bca5-4937-8634-46cbd7aa1b0e"
+        version = "1.0"
+        description = "Detects ZIP archives used by sLOad"
+        author = "Sekoia.io"
+        creation_date = "2022-08-01"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $pic = { 00 00 00 [6] 2E ( 70 6E 67 | 67 69 66 | 6a 70 67 | 6A 70 65 67 ) }
+        $pdf = { 00 00 00 [8] 2E 70 64 66 }
+        $vbs = { ( 4c 65 67 67 69 6d 69 | 66 69 73 63 ) 2e ( 77 73 66 | 76 62 73 ) }
+        
+    condition:
+        uint16be(0) == 0x504B
+        and filesize < 30KB
+        and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/crimeware_njrat_strings.yar b/yara_rules/crimeware_njrat_strings.yar
new file mode 100644
index 0000000..2485525
--- /dev/null
+++ b/yara_rules/crimeware_njrat_strings.yar
@@ -0,0 +1,25 @@
+rule crimeware_njrat_strings {
+    meta:
+        id = "215807ae-fbcb-478d-8941-e0787b883669"
+        version = "1.0"
+        description = "Detects njRAT based on some strings"
+        author = "Sekoia.io"
+        creation_date = "2022-08-22"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "set cdaudio door closed" wide
+        $ = "set cdaudio door open" wide
+        $ = "ping 0" wide
+        $ = "[endof]" wide
+        $ = "TiGeR-Firewall" wide
+        $ = "NetSnifferCs" wide
+        $ = "IPBlocker" wide
+        $ = "Sandboxie Control" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 1MB and
+        5 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/crybercrime_prophetspider_proxy.yar b/yara_rules/crybercrime_prophetspider_proxy.yar
new file mode 100644
index 0000000..bf4e5dc
--- /dev/null
+++ b/yara_rules/crybercrime_prophetspider_proxy.yar
@@ -0,0 +1,42 @@
+import "pe"
+        
+rule crybercrime_prophetspider_proxy {
+    meta:
+        id = "b7637fc3-bf81-40c4-869c-1c283574e0a7"
+        version = "1.0"
+        description = "Detects the Winntaa decryption loop or imphash"
+        author = "Sekoia.io"
+        creation_date = "2022-02-17"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = { 56
+        57
+        48 8D 95 F0 FE FF FF
+        31 C0
+        66 21 02
+        48 89 CE
+        AC
+        48 89 D7
+        4C 89 C2
+        88 D4
+        30 C2
+        0F B6 CA
+        48 89 95 E8 FE FF FF
+        AC
+        30 E0
+        AA
+        E2 FA
+        88 C8
+        AA
+        48 8D 85 F0 FE FF FF
+        48 8B 95 E8 FE FF FF
+        5F
+        5E
+        C3 }
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        (all of them or pe.imphash() == "55e0b8e5b4d787c680ada4e450789a4d")
+}
+        
\ No newline at end of file
diff --git a/yara_rules/crypter_vbs_to_exe.yar b/yara_rules/crypter_vbs_to_exe.yar
new file mode 100644
index 0000000..bf888d2
--- /dev/null
+++ b/yara_rules/crypter_vbs_to_exe.yar
@@ -0,0 +1,20 @@
+rule crypter_vbs_to_exe {
+    meta:
+        id = "33ed286f-3055-452e-952b-abaf11a543a1"
+        version = "1.0"
+        description = "first stage of Crypter-VBS-to-EXE dropped on infected hosted"
+        author = "Sekoia.io"
+        creation_date = "2023-01-03"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $theDot = ":::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::" ascii
+        $s1 = "cmd.exe /c curl" ascii
+        $s2 = "WScript.Sleep(3000)" ascii
+        $s3 = "runCmd = \"cmd.exe /c powershell.exe -exec Bypass -C \" + myVar +" ascii
+        $s4 = "WshShell.Run \"cmd /c \" & runCmd, 0, True" ascii
+        
+    condition:
+        #theDot > 200  and all of ($s*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/crypter_win_dotrunpex.yar b/yara_rules/crypter_win_dotrunpex.yar
new file mode 100644
index 0000000..302debf
--- /dev/null
+++ b/yara_rules/crypter_win_dotrunpex.yar
@@ -0,0 +1,16 @@
+rule crypter_win_dotrunpex {
+    meta:
+        id = "6fb4ffe0-3a5c-432c-8ae2-404bb5960c30"
+        version = "1.0"
+        description = "Detect the dotRunpeX crypter based on strings"
+        author = "Sekoia.io"
+        creation_date = "2023-06-08"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = {52 00 75 00 6e 00 70 00 65 00 58 00 2e 00 53 00 74 00 75 00 62 00 2e 00 46 00 72 00 61 00 6d 00 65 00 77 00 6f 00 72 00 6b 00 2e 00 65 00 78 00 65} //R.u.n.p.e.X...S.t.u.b...F.r.a.m.e.w.o.r.k...e.x.e
+        
+    condition:
+        uint16(0)==0x5A4D and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/darkriver_encodedurl.yar b/yara_rules/darkriver_encodedurl.yar
new file mode 100644
index 0000000..a367d58
--- /dev/null
+++ b/yara_rules/darkriver_encodedurl.yar
@@ -0,0 +1,22 @@
+rule darkriver_encodedurl {
+    meta:
+        id = "60f1676f-dade-4376-9980-f510dff52ae5"
+        version = "1.0"
+        description = "Detects encoding URL inside docx documents"
+        author = "Sekoia.io"
+        creation_date = "2023-10-10"
+        classification = "TLP:CLEAR"
+        hash1 = "5c9551388213f54c4b54cd42ccb034d8d9173a4bbfcf8b666e0db8df929762e7"
+        hash1 = "13de9f39b1ad232e704b5e0b5051800fcd844e9f661185ace8287a23e9b3868e"
+        hash1 = "3b05e89ff2338472cc493d59bae450338effd29f0ed7d46fb999709e63cf2472"
+        
+    strings:
+        $s1 = "&#109;&#104;&#116;&#109;&#108;&#58;&#104;&#116;&#116;&#112;"
+        $s2 = "&#38;&#95;&#116;&#115;&#61;"
+        $header = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>"
+        
+    condition:
+        filesize < 500KB and
+        any of ($s*) and $header at 0
+}
+        
\ No newline at end of file
diff --git a/yara_rules/dotnet_injector_new_payload.yar b/yara_rules/dotnet_injector_new_payload.yar
new file mode 100644
index 0000000..23c46bf
--- /dev/null
+++ b/yara_rules/dotnet_injector_new_payload.yar
@@ -0,0 +1,31 @@
+import "dotnet"
+        
+rule dotnet_injector_new_payload {
+    meta:
+        id = "b0a1d471-5381-4fa8-8563-7e72ecd15bed"
+        version = "1.0"
+        description = "New dotnet injector"
+        author = "Sekoia.io"
+        creation_date = "2022-12-21"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $f1 = "DownloadFile" ascii
+        $f2 = "StreamReader" ascii
+        $f3 = "ReadToEnd" ascii
+        $f4 = "Reverse" ascii
+        $f5 = "Load" ascii
+        $f6 = "StringToByteArray" ascii
+        $s1 = "Admin" wide
+        $s2 = "User" wide
+        $p1 = "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\" wide
+        $p2 = ".lnk" wide
+        
+    condition:
+        filesize < 300KB and
+        all of ($f*) and
+        all of ($s*) and
+        all of ($p*) and
+        dotnet.is_dotnet
+}
+        
\ No newline at end of file
diff --git a/yara_rules/downloader_kimsuky_lnk.yar b/yara_rules/downloader_kimsuky_lnk.yar
new file mode 100644
index 0000000..10c2375
--- /dev/null
+++ b/yara_rules/downloader_kimsuky_lnk.yar
@@ -0,0 +1,23 @@
+rule downloader_kimsuky_lnk {
+    meta:
+        id = "3831d115-7874-4bc9-aeb4-d2cb9bc2b5c9"
+        version = "1.0"
+        description = "Detect Kimsuky LNK"
+        author = "Sekoia.io"
+        creation_date = "2024-07-16"
+        classification = "TLP:CLEAR"
+        reference = "https://blogs.jpcert.or.jp/en/2024/07/attack-activities-by-kimsuky-targeting-japanese-organizations.html"
+        hash1 = "3065b8e4bb91b4229d1cea671e8959da8be2e7482067e1dd03519c882738045e"
+        hash2 = "d912f49d24792aa7197509f76e2097ac3858cde23199e1b40f2516948d39c589"
+        hash3 = "e936445935c4a636614f7113e4121695a5f3e4a6c137b7cdcceb6f629aa957c4"
+        hash4 = "fe156159a26f8b7c140db61dd8b136e1c8103a800748fe9b70a3a3fdf179d3c3"
+        
+    strings:
+        $ = "AType: Text Document" wide
+        $ = "Size: 5.23 KB" wide
+        $ = "Date modified: 01/02/2020 11:23" wide
+        
+    condition:
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/downloader_mac_rustbucket.yar b/yara_rules/downloader_mac_rustbucket.yar
new file mode 100644
index 0000000..9d174c8
--- /dev/null
+++ b/yara_rules/downloader_mac_rustbucket.yar
@@ -0,0 +1,32 @@
+rule downloader_mac_rustbucket {
+    meta:
+        id = "5a003b68-ad9a-47f9-b157-dd898181dac2"
+        version = "1.0"
+        description = "RustBucket fake PDF reader"
+        author = "Sekoia.io"
+        creation_date = "2023-04-24"
+        classification = "TLP:CLEAR"
+        reference = "https://www.jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/"
+        hash1 = "38106b043ede31a66596299f17254d3f23cbe1f983674bf9ead5006e0f0bf880"
+        hash2 = "bea33fb3205319868784c028418411ee796d6ee3dfe9309f143e7e8106116a49"
+        hash3 = "7981ebf35b5eff8be2f3849c8f3085b9cec10d9759ff4d3afd46990520de0407"
+        hash4 = "e74e8cdf887ae2de25590c55cb52dad66f0135ad4a1df224155f772554ea970c"
+        
+    strings:
+        $down_exec1 = "_down_update_run" nocase
+        $down_exec2 = "downAndExec" nocase
+        $encrypt1 = "_encrypt_pdf"
+        $encrypt2 = "_encrypt_data"
+        $error_msg1 = "_alertErr"
+        $error_msg2 = "_show_error_msg"
+        $view_pdf1 = "-[PEPWindow view_pdf:]"
+        $view_pdf2 = "-[PEPWindow viewPDF:]"
+        $macho_magic = {CF FA ED FE}
+        $java_magic = {CA FE BA BE}
+        
+    condition:
+        ($macho_magic at 0 or $java_magic at 0) 
+        and 5 of them
+        and filesize > 50KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/downloader_mac_rustbucket_swiftloader.yar b/yara_rules/downloader_mac_rustbucket_swiftloader.yar
new file mode 100644
index 0000000..79746ed
--- /dev/null
+++ b/yara_rules/downloader_mac_rustbucket_swiftloader.yar
@@ -0,0 +1,20 @@
+rule downloader_mac_rustbucket_swiftloader {
+    meta:
+        id = "bdbc95db-5d58-4c96-91f9-34b653e67f50"
+        version = "1.0"
+        description = "Detect the file com.EdoneViewer in the new version of RustBucker 2023-10"
+        author = "Sekoia.io"
+        creation_date = "2023-12-05"
+        classification = "TLP:CLEAR"
+        hash1 = "7c5bf60787bfd076c8806eaa4f1185f5b9fda69008376624ab3d17f207eb16a4"
+        hash2 = "bc90adde92bd47b4de7d384e5b20c1a1791d603629bd0fcba4b550fb35e93216"
+        hash3 = "c9a7b42c7b29ca948160f95f017e9e9ae781f3b981ecf6edbac943e52c63ffc8"
+        
+    strings:
+        $ = "/Users/ghost/Desktop/EdoneViewer/EdoneViewer/"
+        $ = "EdoneViewerApp.swift"
+        
+    condition:
+        1 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/downloader_mac_smooth_operator.yar b/yara_rules/downloader_mac_smooth_operator.yar
new file mode 100644
index 0000000..a3d1082
--- /dev/null
+++ b/yara_rules/downloader_mac_smooth_operator.yar
@@ -0,0 +1,17 @@
+rule downloader_mac_smooth_operator {
+    meta:
+        id = "c132b3f0-f536-4a66-bcf8-2a95c258c414"
+        version = "1.0"
+        description = "Detect the Smooth_Operator malware"
+        author = "Sekoia.io"
+        creation_date = "2023-07-04"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "%s/.main_storage"
+        $ = "%s/UpdateAgent"
+        
+    condition:
+        uint32be(0)==0xcafebabe and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/downloader_win_andarloader.yar b/yara_rules/downloader_win_andarloader.yar
new file mode 100644
index 0000000..e1e547a
--- /dev/null
+++ b/yara_rules/downloader_win_andarloader.yar
@@ -0,0 +1,21 @@
+import "pe"
+import "hash"
+        
+rule downloader_win_andarloader {
+    meta:
+        id = "96dd737e-601c-4370-9fa6-4bbafafae203"
+        version = "1.0"
+        description = "Detect the AndarLoader downloader used by Andariel"
+        author = "Sekoia.io"
+        creation_date = "2023-09-04"
+        classification = "TLP:CLEAR"
+        hash1 = "02135f60f3edff0b9baa4c20715ee6a80c94f282079bf879265f5e020d37cf88"
+        hash2 = "54ed7a7430974cc2ea694f49f3e637b835dcd24aa19d66af854ad47b87068c92"
+        
+    condition:
+        for any i in (0..pe.number_of_resources-1) : (
+            hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "b338ad077c7f5be85c33def7287198841d55af8cd1ad856fdcd16fdc78f18838"
+        )
+        and filesize < 100KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/downloader_win_apt33_tickler.yar b/yara_rules/downloader_win_apt33_tickler.yar
new file mode 100644
index 0000000..9632847
--- /dev/null
+++ b/yara_rules/downloader_win_apt33_tickler.yar
@@ -0,0 +1,30 @@
+import "pe"
+import "hash"
+        
+rule downloader_win_apt33_tickler {
+    meta:
+        id = "e1f704d6-d527-479a-8311-d286c06768ac"
+        version = "1.0"
+        description = "Detect the downloader used by APT33 to diwnload Tickler"
+        author = "Sekoia.io"
+        creation_date = "2024-08-29"
+        classification = "TLP:CLEAR"
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        pe.imphash() == "e43c58659b5b3082387307603478881a"
+        or hash.md5(pe.rich_signature.clear_data) == "d30bd7875b225709ecf95bf68dbd435f"
+        or for any i in (0..pe.number_of_sections-1) : (
+            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "d7d2079d0a656c06a03f2c277bb08bda"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "61a1425e6a0d28e29c6fd3d451ac3717"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "916bf96ed3274ce8322d9f370432844f"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "3fab9d4ae989d53cecb2f443b8ce88d0"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "e0967483e074da72ceff4dea3bc17530"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "b4a571736b6646765155ffbd57c27c83"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "35c88ba521887f8fe1b2501f8cd8bd98"
+        )
+        or for any i in (0..pe.number_of_resources-1) : (
+            hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "636dc666c7496cb3382b029fed53473f181cdc24405886c468e51a103d78b4d4"
+        )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/downloader_win_cobianrat.yar b/yara_rules/downloader_win_cobianrat.yar
new file mode 100644
index 0000000..573fbf3
--- /dev/null
+++ b/yara_rules/downloader_win_cobianrat.yar
@@ -0,0 +1,24 @@
+rule downloader_win_cobianrat {
+    meta:
+        id = "7a86c17f-bf4e-4465-9488-244b75fc36f1"
+        version = "1.0"
+        description = "Detect CobianRAT downloader"
+        author = "Sekoia.io"
+        creation_date = "2024-08-23"
+        classification = "TLP:CLEAR"
+        hash = "7a70779d9d7de5e370fac0fa2d4ccd13"
+        hash = "2ce40599a4990680db3af5defcd5381a"
+        hash = "56515c48f82475e7bb6a26b027a459d7"
+        hash = "3450bece12bd8103d5e718a2661d0404"
+        hash = "132858739129d2b863dc547facbed7e9"
+        hash = "693bd96d162c54d7e9605580eaf54a6e"
+        hash = "d03a4988e22e6c7b2a03efa2bdb1502d"
+        hash = "ab8c68b907ec2ce316bf18f00938710c"
+        
+    strings:
+        $ = {24 00 44 00 6F 00 77 00 6E 00 6C 00 6F 00 61 00 64 00 55 00 72 00 6C 00 20 00 3D 00 20 00 27}
+        
+    condition:
+        uint16be(0) == 0x4d5a and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/downloader_win_curl_agent.yar b/yara_rules/downloader_win_curl_agent.yar
new file mode 100644
index 0000000..4da3376
--- /dev/null
+++ b/yara_rules/downloader_win_curl_agent.yar
@@ -0,0 +1,20 @@
+rule downloader_win_curl_agent {
+    meta:
+        id = "ddeb2d8f-1b10-4a33-b768-d19412e8551a"
+        version = "1.0"
+        description = "Detect the downloader used by Bluenoroff to install it CurlAgent"
+        author = "Sekoia.io"
+        creation_date = "2023-05-02"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "%s\\marcoor.dll" wide
+        $ = "curl -A cur1-agent -L %s -s -d dl"
+        $ = "curl -A cur1-agent -L %s -s -d da"
+        $ = "cmd /c timeout /t 10 & rundll32 \"%s\" #1" wide
+        $ = "cmd /c timeout /t 10 & Del /f /q \"%s\" & attrib -s -h \"%s\" & rundll32 \"%s\" #1" wide
+        
+    condition:
+        3 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/downloader_win_donot.yar b/yara_rules/downloader_win_donot.yar
new file mode 100644
index 0000000..7944f07
--- /dev/null
+++ b/yara_rules/downloader_win_donot.yar
@@ -0,0 +1,20 @@
+rule downloader_win_donot {
+    meta:
+        id = "31b153cc-a4b9-40a0-8bcb-ce1370645b4b"
+        version = "1.0"
+        description = "Detect the DoNot's downloader malware. There are big binaries in downloader strings."
+        author = "Sekoia.io"
+        creation_date = "2023-03-20"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        // start of binary, translated: bin(bin("cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "%s""))
+        $ = "001100000011000100110001001100000011000000110000001100010011000100110000001100010011000100110000001100010011000100110000001100010011"
+        // other binary strings
+        $ = "01010011011011110110011001110100011101110110000101110010011001010101110001001101011010010110001101110010011011110111001101101111011001100111010001011100010101110110100101101110011001000110111101110111011100110101110001000011011101010111001001110010011001010110111001110100010101100110010101110010011100110110100101101111011011100101110001010101011011100110100101101110011100110111010001100001011011000110110000000000"
+        $ = "0101110001110011011110010111001101110100011001010110110100110011001100100101110001110010011101010110111001100100011011000110110000110011001100100010111001100101011110000110010100000000"
+        
+    condition:
+        1 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/downloader_win_fake_tor_browser.yar b/yara_rules/downloader_win_fake_tor_browser.yar
new file mode 100644
index 0000000..e808d51
--- /dev/null
+++ b/yara_rules/downloader_win_fake_tor_browser.yar
@@ -0,0 +1,19 @@
+import "pe"
+import "hash"
+        
+rule downloader_win_fake_tor_browser {
+    meta:
+        id = "6b070ba6-490b-43c2-9a01-65812d829eeb"
+        version = "1.0"
+        description = "Detect fake TOR browser used to spy Chinese TOR users"
+        author = "Sekoia.io"
+        creation_date = "2022-10-05"
+        classification = "TLP:CLEAR"
+        reference = "https://securelist.com/onionpoison-infected-tor-browser-installer-youtube/107627/"
+        
+    condition:
+        for any i in (0..pe.number_of_sections-1) : (
+            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "7172f95f934574be95c0250fb42b8f51"
+        )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/downloader_win_newsterminal.yar b/yara_rules/downloader_win_newsterminal.yar
new file mode 100644
index 0000000..c008bb2
--- /dev/null
+++ b/yara_rules/downloader_win_newsterminal.yar
@@ -0,0 +1,21 @@
+rule downloader_win_newsterminal {
+    meta:
+        id = "2f9aae45-e3bd-4d87-b336-5d141738952b"
+        version = "1.0"
+        description = "Detect the PowerShell based downloader used by APT42 called NEWSTERMINAL"
+        author = "Sekoia.io"
+        creation_date = "2024-08-26"
+        classification = "TLP:CLEAR"
+        hash = "2b756515400d7e3b6e21ee3a83f313c8"
+        
+    strings:
+        $ = "Start-Process -FilePath $takeownCommand -ArgumentList $takeownArgs -Wait -NoNewWindow"
+        $ = "function Download-And-Extract-Dll {"
+        // $icaclsArgs = $destinationFilePath, "/grant", "Administrators:F", "/c", "/q"
+        $ = {24 69 63 61 63 6C 73 41 72 67 73 20 3D 20 24 64 65 73 74 69 6E 61 74 69 6F 6E 46 69 6C 65 50 61 74 68 2C 20 22 2F 67 72 61 6E 74 22 2C 20 22 41 64 6D 69 6E 69 73 74 72 61 74 6F 72 73 3A 46 22 2C 20 22 2F 63 22 2C 20 22 2F 71 22}
+        $ = "$publicip=(iwr http://127.0.0.1:4040/api/tunnels"
+        
+    condition:
+        1 of them and filesize < 30KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/downloader_win_search.yar b/yara_rules/downloader_win_search.yar
new file mode 100644
index 0000000..9cd54a4
--- /dev/null
+++ b/yara_rules/downloader_win_search.yar
@@ -0,0 +1,19 @@
+rule downloader_win_search {
+    meta:
+        id = "8094ddda-6294-4dee-93cb-de79aaed1ec6"
+        version = "1.0"
+        description = "'Search.exe' script used by APT42"
+        author = "Sekoia.io"
+        creation_date = "2024-08-23"
+        classification = "TLP:CLEAR"
+        hash = "a29fa85ecfc0e5554c21f3b9db185de97b3504517403f4aa102adbd2c46dc1bf"
+        hash = "f83e2b3be2e6db20806a4b9b216edc7508fa81ce60bf59436d53d3ae435b6060"
+        
+    strings:
+        $ = "C:\\Users\\pc\\source\\repos\\Search\\Search\\obj\\Debug\\Search.pdb"
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/dropper_mac_lazarus_manuscrypt.yar b/yara_rules/dropper_mac_lazarus_manuscrypt.yar
new file mode 100644
index 0000000..a9c5cf0
--- /dev/null
+++ b/yara_rules/dropper_mac_lazarus_manuscrypt.yar
@@ -0,0 +1,22 @@
+rule dropper_mac_lazarus_manuscrypt {
+    meta:
+        id = "6138bd0c-1fcf-4586-b2b6-29955c7d6266"
+        version = "1.0"
+        description = "MacOS Manuscrypt dropped by TraderTraitor"
+        author = "Sekoia.io"
+        creation_date = "2022-04-19"
+        classification = "TLP:CLEAR"
+        hash = "dced1acbbe11db2b9e7ae44a617f3c12d6613a8188f6a1ece0451e4cd4205156"
+        hash = "9d9dda39af17a37d92b429b68f4a8fc0a76e93ff1bd03f06258c51b73eb40efa"
+        
+    strings:
+        $ = "networksetup -getwebproxy '%s'" ascii
+        $ = "Cookie: _ga=%s%02d%d%d%02d%s" ascii
+        $ = "networksetup -listallnetworkservices" ascii
+        $ = "gid=%s%02d%d%03d%s" ascii
+        
+    condition:
+        uint32(0) == 0xFEEDFACF
+        and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/dropper_win_konni_cab.yar b/yara_rules/dropper_win_konni_cab.yar
new file mode 100644
index 0000000..d569e1c
--- /dev/null
+++ b/yara_rules/dropper_win_konni_cab.yar
@@ -0,0 +1,19 @@
+rule dropper_win_konni_cab {
+    meta:
+        id = "87a209d5-667a-4a81-837a-660ab98c33c8"
+        version = "1.0"
+        description = "Detect the CAB files used to drop the KONNI malware"
+        author = "Sekoia.io"
+        creation_date = "2023-09-26"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $magic = "MSCF"
+        $file2 = "check.bat"
+        $file3 = "wpnprv64.dll"
+        $file4 = "wpnprv32.dll"
+        
+    condition:
+        $magic at 0 and all of ($file*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/dropper_win_ninerat.yar b/yara_rules/dropper_win_ninerat.yar
new file mode 100644
index 0000000..f7e2765
--- /dev/null
+++ b/yara_rules/dropper_win_ninerat.yar
@@ -0,0 +1,42 @@
+import "pe"
+import "hash"
+        
+rule dropper_win_ninerat {
+    meta:
+        id = "798e3bee-4cee-4647-abda-3c3dcc602f0a"
+        version = "1.0"
+        description = "NineRAT dropper"
+        author = "Sekoia.io"
+        creation_date = "2023-12-12"
+        classification = "TLP:CLEAR"
+        reference = "https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/"
+        hash1 = "534f5612954db99c86baa67ef51a3ad88bc21735bce7bb591afa8a4317c35433"
+        hash2 = "f91188d23b14526676706a5c9ead05c1a91ea0b9d6ac902623bc565e1c200a59"
+        
+    strings:
+        $ = "\\x64\\Release\\Dropper.pdb"
+        $ = "TelegramRat\\lastest\\Dropper"
+        
+    condition:
+        all of them
+
+        // Imphash
+        or pe.imphash() == "92b8e9dea06fd5719e29a510e95b92ac"
+        
+        // Rich Header
+        or hash.md5(pe.rich_signature.clear_data) == "ba1ea20fe779ef0b747e5073c0881a99"
+        
+        // Section
+        or for any i in (0..pe.number_of_sections-1) : (
+            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "c0471e0a78eef692b567cd89eeaddf08"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "965dc8b7c98325ca3d3371ced8424823"
+        )
+        
+        // Resources
+        or for any i in (0..pe.number_of_resources-1) : (
+            hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "bae1db350e313bf7bbd3b2178b20e6f6dd9b0331780099374edae5a99625bc5b"
+            or hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "1abb447513b4435837029933e722b6ed92222291571a8ce0a306c9f6a335aa19"
+            or hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "ffbcd5bbe6c02aa5c993886811d7597f020abd6665fc82af133c5756ab72fb0a"
+        )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/dropper_win_romcom_dropper.yar b/yara_rules/dropper_win_romcom_dropper.yar
new file mode 100644
index 0000000..7462514
--- /dev/null
+++ b/yara_rules/dropper_win_romcom_dropper.yar
@@ -0,0 +1,32 @@
+import "pe"
+import "hash"
+        
+rule dropper_win_romcom_dropper {
+    meta:
+        id = "ca1b7114-5a83-4620-a9e2-8228df2be7b1"
+        version = "1.0"
+        description = "Detect the dropper of RomCom malware"
+        author = "Sekoia.io"
+        creation_date = "2022-11-04"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "regInjecttNew.dll"
+        
+    condition:
+        //Strings
+        uint16(0)==0x5A4D and all of them
+
+        //Imphash
+        or pe.imphash()=="643c3d5c721741ad5b90c98c48007038"
+
+        //Sections
+        or for any i in (0..pe.number_of_sections-1) : (
+            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "1c397f4ddafdcfd12bbc41cae45cdf9f"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "b71dc0007c685c790fb2542ddcf284f4"
+        )
+
+        //Vhash
+        or vhash=="175076655d155515655038z55?z1"
+}
+        
\ No newline at end of file
diff --git a/yara_rules/dropper_win_selfau3.yar b/yara_rules/dropper_win_selfau3.yar
new file mode 100644
index 0000000..b7035ab
--- /dev/null
+++ b/yara_rules/dropper_win_selfau3.yar
@@ -0,0 +1,25 @@
+rule dropper_win_selfau3 {
+    meta:
+        id = "2d005a54-b013-40e9-b88a-30454e4b22af"
+        version = "1.0"
+        description = "Finds SelfAU3 Dropper samples based on specific strings"
+        author = "Sekoia.io"
+        creation_date = "2024-02-12"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $sfx = "!Require Windows" ascii
+        
+        $ins01 = ";!@Install@!UTF-8!" ascii
+        $set =  {53 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 3d 22 [1-15] 3d ?? 22} //SetEnvironment="??..?=?"
+        $run = "RunProgram=\"hidcon:c" ascii
+        $ins02 = ";!@InstallEnd@!" ascii
+        
+    condition:
+        $sfx at 77 and
+        $set in (@ins01..@ins01+500) and
+        #set > 5 and
+        $run in (@set..@set+1000) and
+        $ins02 in (@run..@run+500)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/emmenhtal_strings_hta_exe.yar b/yara_rules/emmenhtal_strings_hta_exe.yar
new file mode 100644
index 0000000..883680f
--- /dev/null
+++ b/yara_rules/emmenhtal_strings_hta_exe.yar
@@ -0,0 +1,22 @@
+rule emmenhtal_strings_hta_exe {
+    meta:
+        id = "64e08610-e8a4-4edd-8f6b-d4e8d2b47d87"
+        version = "1.0"
+        description = "Emmenhtal Loader string"
+        author = "Sekoia.io"
+        creation_date = "2024-09-06"
+        classification = "TLP:CLEAR"
+        hash = "e86a22f1c73b85678e64341427c7193ba65903f3c0f29af2e65d7c56d833d912"
+        
+    strings:
+        $char = / = String\.fromCharCode\([a-zA-Z]{2,4},[a-zA-Z]{2,4},/
+        $var = "var "
+        $eval = "eval("
+        $script1 = "<script>"
+        $script2 = "</script>MZ"
+        //$hta = "<HTA:APPLICATION CAPTION = \"no\" WINDOWSTATE = \"minimize\" SHOWINTASKBAR = \"no\" >"  NOT IN ALL SAMPLES
+        
+    condition:
+        uint16be(0) == 0x4d5a and all of them and $var in (@script1..@script1+2000) and $char in (@var..@var+100)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/evilnumpayload_fmtstr.yar b/yara_rules/evilnumpayload_fmtstr.yar
new file mode 100644
index 0000000..8f92f50
--- /dev/null
+++ b/yara_rules/evilnumpayload_fmtstr.yar
@@ -0,0 +1,29 @@
+rule evilnumpayload_fmtstr {
+    meta:
+        id = "980c58e4-e04d-4076-a92e-2c04ced19ece"
+        version = "1.1"
+        description = "Detect payload of EvilNum"
+        author = "Sekoia.io"
+        creation_date = "2022-07-25"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        
+        $fmtstr01 = "{\"v\":\"" ascii wide
+        $fmtstr02 = ",\"u\":\"" ascii wide
+        $fmtstr03 = ",\"a\":\"" ascii wide
+        $fmtstr04 = ",\"w\":\"" ascii wide
+        $fmtstr05 = ",\"d\":\"" ascii wide
+        $fmtstr06 = ",\"n\":\"" ascii wide
+        $fmtstr07 = ",\"r\":\"1\"" ascii wide
+        $fmtstr08 = ",\"r\":\"0\"" ascii wide
+        $fmtstr09 = ",\"xn\":\"" ascii wide
+        $fmtstr10 = ",\"s\":0}" ascii wide
+        $fmtstr11 = "{\"u\":\"" ascii wide
+        $fmtstr12 = "\",\"sc\":1" ascii wide
+        $fmtstr13 = ",\"dt\":\"" ascii wide
+        
+    condition:
+        8 of ($fmtstr*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/exploit_cve20191458_strings.yar b/yara_rules/exploit_cve20191458_strings.yar
new file mode 100644
index 0000000..ea42645
--- /dev/null
+++ b/yara_rules/exploit_cve20191458_strings.yar
@@ -0,0 +1,22 @@
+rule exploit_cve20191458_strings {
+    meta:
+        id = "0be4a550-0f0a-4596-ab32-aafaececf919"
+        version = "1.0"
+        description = "Detects compiled exploit for CVE-2019-1458 (Generic)"
+        author = "Sekoia.io"
+        creation_date = "2022-08-29"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "[-] Failed to create SploitWnd window"
+        $ = "[+] ProcessCreated with pid %d!"
+        $ = "[!] Exploit fail, test:0x%p,tagWND:0x%p, error:0x%lx"
+        $ = "[*] tagWND: 0x%p, tagCLS:0x%p, gap:0x%llx"
+        $ = "[*] Simulating alt key press"
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 200KB and
+        3 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/exploit_ez_pwnkit_strings.yar b/yara_rules/exploit_ez_pwnkit_strings.yar
new file mode 100644
index 0000000..cedb2d7
--- /dev/null
+++ b/yara_rules/exploit_ez_pwnkit_strings.yar
@@ -0,0 +1,19 @@
+rule exploit_ez_pwnkit_strings {
+    meta:
+        id = "24301f35-8174-4e0d-b14a-fc7e45a29b26"
+        version = "1.0"
+        description = "Detects ez-pwnkit exploit"
+        author = "Sekoia.io"
+        creation_date = "2024-01-22"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "go.buildid"
+        $s2 = "github.com/OXDBXKXO/ez-pwnkit"
+        
+    condition:
+        uint32be(0) == 0x7f454c46 and
+        filesize < 5MB and
+        $s1 and #s2 > 5
+}
+        
\ No newline at end of file
diff --git a/yara_rules/exploit_linux_eop_cve20177308_strings.yar b/yara_rules/exploit_linux_eop_cve20177308_strings.yar
new file mode 100644
index 0000000..afca844
--- /dev/null
+++ b/yara_rules/exploit_linux_eop_cve20177308_strings.yar
@@ -0,0 +1,19 @@
+rule exploit_linux_eop_cve20177308_strings {
+    meta:
+        id = "72d225dd-386c-47d5-afb3-c6712c0bdd9a"
+        version = "1.0"
+        description = "Detects CVE-2017-7308 exploit"
+        author = "Sekoia.io"
+        creation_date = "2023-12-08"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "[.] SMEP & SMAP bypass enabled, turning them off"
+        $ = "[.] done, SMEP & SMAP should be off now"
+        $ = "[.] executing get root payload %p"
+        $ = "[.] done, should be root now"
+        
+    condition:
+        uint32be(0) == 0x7f454c46 and filesize < 1MB and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/exploit_linux_eop_cve202121974_exploit_strings.yar b/yara_rules/exploit_linux_eop_cve202121974_exploit_strings.yar
new file mode 100644
index 0000000..d5f6a6a
--- /dev/null
+++ b/yara_rules/exploit_linux_eop_cve202121974_exploit_strings.yar
@@ -0,0 +1,19 @@
+rule exploit_linux_eop_cve202121974_exploit_strings {
+    meta:
+        id = "8e1fbbe5-7d51-48b4-80d5-90abff8cab9e"
+        version = "1.0"
+        description = "Detects CVE-2021-21974 Local Privesc exploit"
+        author = "Sekoia.io"
+        creation_date = "2023-12-08"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = ".name.replace('Thread','SLP Client'"
+        $ = "print('[' + name + '] recv: ', d)"
+        $ = "requests[28].put(connect())"
+        $ = "[+] stack enviorn address:"
+        
+    condition:
+        uint32be(0) == 0x7f454c46 and filesize < 1MB and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/exploit_linux_eop_dirtyc0w_strings.yar b/yara_rules/exploit_linux_eop_dirtyc0w_strings.yar
new file mode 100644
index 0000000..44eb8b2
--- /dev/null
+++ b/yara_rules/exploit_linux_eop_dirtyc0w_strings.yar
@@ -0,0 +1,18 @@
+rule exploit_linux_eop_dirtyc0w_strings {
+    meta:
+        id = "f0551e56-b08f-4f6f-81df-f30fbb8ee7b8"
+        version = "1.0"
+        description = "Detects DirtyCow exploit"
+        author = "Sekoia.io"
+        creation_date = "2023-12-08"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "DirtyCow root privilege escalation"
+        $ = "Backing up %s to /tmp/bak"
+        $ = "(o o)_____/"
+        
+    condition:
+        uint32be(0) == 0x7f454c46 and filesize < 1MB and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/exploit_linux_eop_dirtypipe_strings.yar b/yara_rules/exploit_linux_eop_dirtypipe_strings.yar
new file mode 100644
index 0000000..41a74d0
--- /dev/null
+++ b/yara_rules/exploit_linux_eop_dirtypipe_strings.yar
@@ -0,0 +1,19 @@
+rule exploit_linux_eop_dirtypipe_strings {
+    meta:
+        id = "712d8a01-576e-4f43-a930-63dcdc535d93"
+        version = "1.0"
+        description = "Detects DirtyPipe Local Privesc exploit"
+        author = "Sekoia.io"
+        creation_date = "2023-12-08"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "[+] hijacking suid binary.."
+        $ = "[+] dropping suid shell.."
+        $ = "[+] restoring suid binary.."
+        $ = "[+] popping root shell.."
+        
+    condition:
+        uint32be(0) == 0x7f454c46 and filesize < 1MB and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/exploit_linux_eop_polkit_pkexec_strings.yar b/yara_rules/exploit_linux_eop_polkit_pkexec_strings.yar
new file mode 100644
index 0000000..0fec24a
--- /dev/null
+++ b/yara_rules/exploit_linux_eop_polkit_pkexec_strings.yar
@@ -0,0 +1,18 @@
+rule exploit_linux_eop_polkit_pkexec_strings {
+    meta:
+        id = "de45c29e-432a-4e4f-b700-a016341d56d2"
+        version = "1.0"
+        description = "Detects Polkit Local Privesc exploit"
+        author = "Sekoia.io"
+        creation_date = "2023-12-08"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "[.] Spawning suid process (%s) ..."
+        $ = "[.] Tracing midpid ..."
+        $ = "PTRACE_TRACEME local root (CVE-2019-13272)"
+        
+    condition:
+        uint32be(0) == 0x7f454c46 and filesize < 1MB and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/exploit_linux_eop_pwnkit_strings.yar b/yara_rules/exploit_linux_eop_pwnkit_strings.yar
new file mode 100644
index 0000000..1b8eaca
--- /dev/null
+++ b/yara_rules/exploit_linux_eop_pwnkit_strings.yar
@@ -0,0 +1,22 @@
+rule exploit_linux_eop_pwnkit_strings {
+    meta:
+        id = "8637c602-62da-4983-bcb7-ba546fb2ed82"
+        version = "1.0"
+        description = "Detects Pwnkit Local Privesc exploit"
+        author = "Sekoia.io"
+        creation_date = "2023-12-08"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "CHARSET=PWNKIT"
+        $ = "i/do/not/exists"
+        $ = "pwnkit/pwnkit.c"
+        $ = "/usr/bin/pkexec"
+        $ = "SHELL=pwnkit"
+        $ = "pwnkit.so"
+        $ = "./pwnkit/"
+        
+    condition:
+        uint32be(0) == 0x7f454c46 and filesize < 1MB and 2 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/exploit_linux_eop_rationallove_strings.yar b/yara_rules/exploit_linux_eop_rationallove_strings.yar
new file mode 100644
index 0000000..dcba700
--- /dev/null
+++ b/yara_rules/exploit_linux_eop_rationallove_strings.yar
@@ -0,0 +1,18 @@
+rule exploit_linux_eop_rationallove_strings {
+    meta:
+        id = "e71e026e-ca2c-42b7-b552-b3fd013676db"
+        version = "1.0"
+        description = "Detects RationalLove Local Privesc exploit"
+        author = "Sekoia.io"
+        creation_date = "2023-12-08"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "../x/../../AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/"
+        $ = "Detected OS version: %s"
+        $ = "Content-Type: text/plain; charset=UTF-8"
+        
+    condition:
+        uint32be(0) == 0x7f454c46 and filesize < 1MB and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/exploit_linux_eop_ubuntu_overlayfs_local_privesc_strings.yar b/yara_rules/exploit_linux_eop_ubuntu_overlayfs_local_privesc_strings.yar
new file mode 100644
index 0000000..72d8835
--- /dev/null
+++ b/yara_rules/exploit_linux_eop_ubuntu_overlayfs_local_privesc_strings.yar
@@ -0,0 +1,21 @@
+rule exploit_linux_eop_ubuntu_overlayfs_local_privesc_strings {
+    meta:
+        id = "5e0e73f5-4cb3-4a79-adac-578b17ed7660"
+        version = "1.0"
+        description = "Detects Ubuntu OverlayFS Local Privesc exploit"
+        author = "Sekoia.io"
+        creation_date = "2023-12-08"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "./ovlcap"
+        $ = "rm -rf '%s/'"
+        $ = "./ovlcap/work"
+        $ = "./ovlcap/lower"
+        $ = "./ovlcap/upper"
+        $ = "./ovlcap/merge"
+        
+    condition:
+        uint32be(0) == 0x7f454c46 and filesize < 1MB and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/exploit_win_cloudatlas_cve_2018_0798.yar b/yara_rules/exploit_win_cloudatlas_cve_2018_0798.yar
new file mode 100644
index 0000000..295e0a7
--- /dev/null
+++ b/yara_rules/exploit_win_cloudatlas_cve_2018_0798.yar
@@ -0,0 +1,21 @@
+rule exploit_win_cloudatlas_cve_2018_0798 {
+    meta:
+        id = "fcff4bc7-fe88-4546-bb5b-f2a1c2f8b0a5"
+        version = "1.0"
+        description = "Detect RTF files used by CloudAtlas to exploit CVE-2018-0798"
+        author = "Sekoia.io"
+        creation_date = "2022-11-15"
+        classification = "TLP:CLEAR"
+        hash1 = "c2064c7f4826c46bc609c472597366fd"
+        hash2 = "e2281402c63d4b544b81678250d24e61"
+        hash3 = "a97fa135d7e42886bcfdacca0d96c047"
+        
+    strings:
+        $ = "6060606061616161616161616161616161616161" ascii nocase
+        $ = "FB0B00004bE8FFFFFFFFC35F83C71B33C966B908" ascii nocase
+        $ = "010f0d00ddd8d97424f4668137" ascii nocase
+        
+    condition:
+        uint32be(0) == 0x7b5c7274 and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/gen_empire_onedrive_stager.yar b/yara_rules/gen_empire_onedrive_stager.yar
new file mode 100644
index 0000000..ca03f9c
--- /dev/null
+++ b/yara_rules/gen_empire_onedrive_stager.yar
@@ -0,0 +1,17 @@
+rule gen_empire_onedrive_stager {
+    meta:
+        id = "2053416f-1f53-491e-9c70-787a04362d16"
+        version = "1.0"
+        description = "Detects the Empire OneDrive stager"
+        author = "Sekoia.io"
+        creation_date = "2022-01-26"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $sleep = "Start-Sleep -Seconds $(($PI -as [Int])*2)" wide ascii nocase
+        $down  = "wc.DownloadData" wide ascii nocase
+        
+    condition:
+        $down in (@sleep..@sleep+1000)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/generic_bat_script_mock_http_services.yar b/yara_rules/generic_bat_script_mock_http_services.yar
new file mode 100644
index 0000000..609cc73
--- /dev/null
+++ b/yara_rules/generic_bat_script_mock_http_services.yar
@@ -0,0 +1,24 @@
+rule generic_bat_script_mock_http_services {
+    meta:
+        id = "1cfbe5ba-6304-476d-8308-928100a85c16"
+        version = "1.0"
+        description = "Generic rule detecting BAT script using mock HTTP services (used by APT28)"
+        author = "Sekoia.io"
+        creation_date = "2023-09-07"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $bat1 = "@echo off"
+        $bat2 = "chcp 65001"
+        $ps1 = "WebClient"
+        $ps2 = "UploadString"
+        $dom1 = "mockbin.org"
+        $dom2 = "webhook.site"
+        $dom3 = "mocky.io"
+        $dom4 = "pipedream.com"
+        
+    condition:
+        (1 of ($bat*) or 1 of ($ps*) ) and 1 of ($dom*)
+        and filesize < 2000
+}
+        
\ No newline at end of file
diff --git a/yara_rules/generic_perl_reverse_shell.yar b/yara_rules/generic_perl_reverse_shell.yar
new file mode 100644
index 0000000..5c275c8
--- /dev/null
+++ b/yara_rules/generic_perl_reverse_shell.yar
@@ -0,0 +1,18 @@
+rule generic_perl_reverse_shell {
+    meta:
+        id = "4eb2ef0d-3ada-4566-bd82-8c75d6931acc"
+        version = "1.0"
+        description = "Detects simple reverse shell written in Perl"
+        author = "Sekoia.io"
+        creation_date = "2023-12-08"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "open(STDIN,\">&S\");"
+        $ = "open(STDERR,\">&S\");"
+        $ = "use Socket;$i="
+        
+    condition:
+        filesize < 300 and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/generic_php_webshell.yar b/yara_rules/generic_php_webshell.yar
new file mode 100644
index 0000000..68b0c5a
--- /dev/null
+++ b/yara_rules/generic_php_webshell.yar
@@ -0,0 +1,16 @@
+rule generic_php_webshell {
+    meta:
+        id = "415a96bd-11a4-40e7-8335-ac1f1a99d17c"
+        version = "1.0"
+        description = "Detects generic webshell"
+        author = "Sekoia.io"
+        creation_date = "2023-12-08"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "system($_POST['a']);"
+        
+    condition:
+        all of them and filesize < 500
+}
+        
\ No newline at end of file
diff --git a/yara_rules/generic_python_reverse_shell.yar b/yara_rules/generic_python_reverse_shell.yar
new file mode 100644
index 0000000..1f41a44
--- /dev/null
+++ b/yara_rules/generic_python_reverse_shell.yar
@@ -0,0 +1,19 @@
+rule generic_python_reverse_shell {
+    meta:
+        id = "ab25f8db-e39d-4aa4-b431-cf5cd2e038e5"
+        version = "1.0"
+        description = "Detects simple reverse shell written in Python"
+        author = "Sekoia.io"
+        creation_date = "2023-12-08"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "import pty"
+        $ = "lhost ="
+        $ = "os.dup2(s.fileno(),0)"
+        $ = "os.putenv(\"HISTFILE\",'/dev/null')"
+        
+    condition:
+        filesize < 1KB and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/generic_sharpshooter_payload_1.yar b/yara_rules/generic_sharpshooter_payload_1.yar
new file mode 100644
index 0000000..9d1d8ed
--- /dev/null
+++ b/yara_rules/generic_sharpshooter_payload_1.yar
@@ -0,0 +1,19 @@
+rule generic_sharpshooter_payload_1 {
+    meta:
+        id = "82fd284a-47c2-4d29-9c80-f3affaa61a13"
+        version = "1.0"
+        description = "Detects payload created by SharpShooter"
+        author = "Sekoia.io"
+        creation_date = "2023-02-03"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "rc4 = function(key, str)"
+        $ = "var e={},i,b=0,c,x,l=0,a,r="
+        $ = "var plain = rc4("
+        $ = "<script language="
+        
+    condition:
+        all of them and filesize < 2MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/generic_sharpshooter_payload_10.yar b/yara_rules/generic_sharpshooter_payload_10.yar
new file mode 100644
index 0000000..eb17a8c
--- /dev/null
+++ b/yara_rules/generic_sharpshooter_payload_10.yar
@@ -0,0 +1,18 @@
+rule generic_sharpshooter_payload_10 {
+    meta:
+        id = "477f8b92-e231-460c-8660-487d0a97f0e2"
+        version = "1.0"
+        description = "Detects payload created by SharpShooter"
+        author = "Sekoia.io"
+        creation_date = "2023-02-03"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "length = enc.GetByteCount_2(b);"
+        $ = "ms.Write(ba, 0, (length / 4) * 3);"
+        $ = "d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class);"
+        
+    condition:
+        all of them and filesize < 2MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/generic_sharpshooter_payload_11.yar b/yara_rules/generic_sharpshooter_payload_11.yar
new file mode 100644
index 0000000..2067b81
--- /dev/null
+++ b/yara_rules/generic_sharpshooter_payload_11.yar
@@ -0,0 +1,19 @@
+rule generic_sharpshooter_payload_11 {
+    meta:
+        id = "703d2eb2-c9fd-4891-ba95-f94a8313618e"
+        version = "1.0"
+        description = "Detects payload created by SharpShooter"
+        author = "Sekoia.io"
+        creation_date = "2023-02-03"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "decodeHex = EL.NodeTypedValue"
+        $ = "Private Function decodeHex(hex)"
+        $ = "serialized_obj = serialized_obj & "
+        $ = "d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class)"
+        
+    condition:
+        all of them and filesize < 2MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/generic_sharpshooter_payload_12.yar b/yara_rules/generic_sharpshooter_payload_12.yar
new file mode 100644
index 0000000..1b77b78
--- /dev/null
+++ b/yara_rules/generic_sharpshooter_payload_12.yar
@@ -0,0 +1,19 @@
+rule generic_sharpshooter_payload_12 {
+    meta:
+        id = "b69186cf-9825-4d90-be20-7caa9e7de61f"
+        version = "1.0"
+        description = "Detects payload created by SharpShooter"
+        author = "Sekoia.io"
+        creation_date = "2023-02-03"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "ms.Write(ba, 0, (length / 4) * 3);"
+        $ = "var serialized_obj = "
+        $ = "d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class);"
+        $ = "var sc ="
+        
+    condition:
+        all of them and filesize < 2MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/generic_sharpshooter_payload_13.yar b/yara_rules/generic_sharpshooter_payload_13.yar
new file mode 100644
index 0000000..14ef95e
--- /dev/null
+++ b/yara_rules/generic_sharpshooter_payload_13.yar
@@ -0,0 +1,19 @@
+rule generic_sharpshooter_payload_13 {
+    meta:
+        id = "2d61d7b8-5348-4cc8-9d41-61799b573e3b"
+        version = "1.0"
+        description = "Detects payload created by SharpShooter"
+        author = "Sekoia.io"
+        creation_date = "2023-02-03"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "Private Function decodeHex(hex)"
+        $ = "EL.Text = hex "
+        $ = "serialized_obj = serialized_obj & "
+        $ = "d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class)"
+        
+    condition:
+        all of them and filesize < 2MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/generic_sharpshooter_payload_2.yar b/yara_rules/generic_sharpshooter_payload_2.yar
new file mode 100644
index 0000000..0407a25
--- /dev/null
+++ b/yara_rules/generic_sharpshooter_payload_2.yar
@@ -0,0 +1,18 @@
+rule generic_sharpshooter_payload_2 {
+    meta:
+        id = "02bc795f-b8e0-44d4-b475-310359867577"
+        version = "1.0"
+        description = "Detects payload created by SharpShooter"
+        author = "Sekoia.io"
+        creation_date = "2023-02-03"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "var e={},i,b=0,c,x,l=0,a,r="
+        $ = "eval(plain);"
+        $ = "var plain = rc4("
+        
+    condition:
+        all of them and filesize < 2MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/generic_sharpshooter_payload_3.yar b/yara_rules/generic_sharpshooter_payload_3.yar
new file mode 100644
index 0000000..0476d68
--- /dev/null
+++ b/yara_rules/generic_sharpshooter_payload_3.yar
@@ -0,0 +1,19 @@
+rule generic_sharpshooter_payload_3 {
+    meta:
+        id = "57b3ca9a-59c5-4b28-8eb9-36ff5b3633c2"
+        version = "1.0"
+        description = "Detects payload created by SharpShooter"
+        author = "Sekoia.io"
+        creation_date = "2023-02-03"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "Function RC4(byteMessage, strKey)"
+        $ = "Sub Run()"
+        $ = "plain = RC4(decoded, "
+        $ = "Dim plain"
+        
+    condition:
+        all of them and filesize < 2MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/generic_sharpshooter_payload_4.yar b/yara_rules/generic_sharpshooter_payload_4.yar
new file mode 100644
index 0000000..8f79629
--- /dev/null
+++ b/yara_rules/generic_sharpshooter_payload_4.yar
@@ -0,0 +1,19 @@
+rule generic_sharpshooter_payload_4 {
+    meta:
+        id = "b8327436-3f3d-441c-86b7-35cd30144dc2"
+        version = "1.0"
+        description = "Detects payload created by SharpShooter"
+        author = "Sekoia.io"
+        creation_date = "2023-02-03"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "Function RC4(byteMessage, strKey)"
+        $ = "Set EL = DM.createElement("
+        $ = "decodeBase64 = EL.NodeTypedValue"
+        $ = "Execute plain"
+        
+    condition:
+        all of them and filesize < 2MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/generic_sharpshooter_payload_5.yar b/yara_rules/generic_sharpshooter_payload_5.yar
new file mode 100644
index 0000000..7d82e2d
--- /dev/null
+++ b/yara_rules/generic_sharpshooter_payload_5.yar
@@ -0,0 +1,20 @@
+rule generic_sharpshooter_payload_5 {
+    meta:
+        id = "cb4d266e-f2b7-4642-a223-57180e66a9a6"
+        version = "1.0"
+        description = "Detects payload created by SharpShooter"
+        author = "Sekoia.io"
+        creation_date = "2023-02-03"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "rc4 = function(key, str)"
+        $ = "<job id=\"JS Code\""
+        $ = "var e={},i,b=0,c,x,l=0,a,r="
+        $ = "var plain = rc4("
+        $ = "eval(plain);"
+        
+    condition:
+        all of them and filesize < 2MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/generic_sharpshooter_payload_6.yar b/yara_rules/generic_sharpshooter_payload_6.yar
new file mode 100644
index 0000000..6cd50f4
--- /dev/null
+++ b/yara_rules/generic_sharpshooter_payload_6.yar
@@ -0,0 +1,19 @@
+rule generic_sharpshooter_payload_6 {
+    meta:
+        id = "53506a3e-b0d8-4a1e-88d9-485e829f25cb"
+        version = "1.0"
+        description = "Detects payload created by SharpShooter"
+        author = "Sekoia.io"
+        creation_date = "2023-02-03"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "function ${rc4Function}(r,o){for("
+        $ = "function ${b64AndRC4Function}(r,o){var"
+        $ = "Real-Time Scanning: No threats detected"
+        $ = "Please wait while your file is being downloaded..."
+        
+    condition:
+        3 of them and filesize < 2MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/generic_sharpshooter_payload_7.yar b/yara_rules/generic_sharpshooter_payload_7.yar
new file mode 100644
index 0000000..dd0c3fa
--- /dev/null
+++ b/yara_rules/generic_sharpshooter_payload_7.yar
@@ -0,0 +1,19 @@
+rule generic_sharpshooter_payload_7 {
+    meta:
+        id = "de8069bb-59d7-4753-974a-f77c4b9e9bae"
+        version = "1.0"
+        description = "Detects payload created by SharpShooter"
+        author = "Sekoia.io"
+        creation_date = "2023-02-03"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "ms.Write(ba, 0, (length / 4) * 3)"
+        $ = "var serialized_obj = "
+        $ = "var n = fmt.SurrogateSelector;"
+        $ = "var o = d.DynamicInvoke(al.ToArray())"
+        
+    condition:
+        all of them and filesize < 2MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/generic_sharpshooter_payload_8.yar b/yara_rules/generic_sharpshooter_payload_8.yar
new file mode 100644
index 0000000..3ba355b
--- /dev/null
+++ b/yara_rules/generic_sharpshooter_payload_8.yar
@@ -0,0 +1,19 @@
+rule generic_sharpshooter_payload_8 {
+    meta:
+        id = "e28a1cd3-f7b6-4a55-8229-484e0bbeb7cb"
+        version = "1.0"
+        description = "Detects payload created by SharpShooter"
+        author = "Sekoia.io"
+        creation_date = "2023-02-03"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "Private Function decodeHex(hex)"
+        $ = "Dim serialized_obj"
+        $ = "decodeHex = EL.NodeTypedValue"
+        $ = "d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class)"
+        
+    condition:
+        all of them and filesize < 2MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/generic_sharpshooter_payload_9.yar b/yara_rules/generic_sharpshooter_payload_9.yar
new file mode 100644
index 0000000..ddae5f6
--- /dev/null
+++ b/yara_rules/generic_sharpshooter_payload_9.yar
@@ -0,0 +1,18 @@
+rule generic_sharpshooter_payload_9 {
+    meta:
+        id = "e4283d6e-d829-4f21-ba60-9e6232519e54"
+        version = "1.0"
+        description = "Detects payload created by SharpShooter"
+        author = "Sekoia.io"
+        creation_date = "2023-02-03"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "shell.Environment(\"Process\").Item(\"COMPLUS_Version\")"
+        $ = "(enc.GetBytes_4(b), 0, length), 0, ((length / 4) * 3)"
+        $ = "DebugPrint Err.Description"
+        
+    condition:
+        all of them and filesize < 2MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/generic_tor_hidden_service_leading_to_winports.yar b/yara_rules/generic_tor_hidden_service_leading_to_winports.yar
new file mode 100644
index 0000000..5b53388
--- /dev/null
+++ b/yara_rules/generic_tor_hidden_service_leading_to_winports.yar
@@ -0,0 +1,22 @@
+rule generic_tor_hidden_service_leading_to_winports {
+    meta:
+        id = "1e5c469b-f721-44af-87b3-1adf423719c1"
+        version = "1.0"
+        description = "Detects malicious TOR redirection affecting RDP, NetBios"
+        author = "Sekoia.io"
+        creation_date = "2023-09-07"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "HiddenServiceDir "
+        $s2 = "SocksPort "
+        $s3 = "HiddenServicePort "
+        $s4 = ":3389"
+        $s5 = ":445"
+        
+    condition:
+        $s1 and $s2 
+        and ($s4 in (@s3..@s3+100) or $s5 in (@s3..@s3+100))
+        and filesize < 2000
+}
+        
\ No newline at end of file
diff --git a/yara_rules/guerrilla_lemongroup.yar b/yara_rules/guerrilla_lemongroup.yar
new file mode 100644
index 0000000..c639f2c
--- /dev/null
+++ b/yara_rules/guerrilla_lemongroup.yar
@@ -0,0 +1,29 @@
+rule guerrilla_lemongroup {
+    meta:
+        id = "df635b5a-a19a-48ab-9a3a-9723e265c71d"
+        version = "1.0"
+        author = "Sekoia.io"
+        creation_date = "2023-05-23"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $dex = { 64 65 78 0A 30 33 ?? 00 }
+        $odex = { 64 65 79 0A 30 33 ?? 00 }
+        
+        $s2 = "data response code===" ascii
+        $s3 = "httpCon:" ascii
+        $s4 = "processName :" ascii
+        $s5 = "startListTasks......" ascii
+        $s6 = "url==" ascii
+        $s7 = "java core run ZYGOTE_PROCESS" ascii
+        
+        $api1 = "/api.php" ascii
+        $api2 = "/event.php" ascii
+        $api3 = "/apiRS.php" ascii
+        
+    condition:
+        ($dex at 0 or $odex at 0) and
+        filesize > 100KB and filesize < 5MB and
+        5 of ($s*) and 1 of ($api*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/guloader_lnk_file.yar b/yara_rules/guloader_lnk_file.yar
new file mode 100644
index 0000000..26ed300
--- /dev/null
+++ b/yara_rules/guloader_lnk_file.yar
@@ -0,0 +1,19 @@
+rule guloader_lnk_file {
+    meta:
+        id = "ecc07753-0910-445b-bf84-911b17195894"
+        version = "1.0"
+        description = "LNK file delivering Guloader"
+        author = "Sekoia.io"
+        creation_date = "2024-02-07"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "$PSHOME" wide
+        $s2= "&(${" wide
+        $s3 = "}::ToString(" wide
+        $s4 = "$([TYPE]${" wide
+        
+    condition:
+        uint32be(0) == 0x4c000000 and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/guloader_powershell_1.yar b/yara_rules/guloader_powershell_1.yar
new file mode 100644
index 0000000..62337e4
--- /dev/null
+++ b/yara_rules/guloader_powershell_1.yar
@@ -0,0 +1,19 @@
+rule guloader_powershell_1 {
+    meta:
+        id = "28c68991-db8b-4f00-b3a3-17286418a4ed"
+        version = "1.0"
+        description = "Powershell downloading decoy and delivering GuLoader"
+        author = "Sekoia.io"
+        creation_date = "2024-02-07"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "powershell -win hidden"
+        $s2 = "=iex($"
+        $s3 = ".Replace('"
+        $s4 = "$(Get-ChildItem -Include *.lnk -Name));"
+        
+    condition:
+        all of them and filesize < 10KB and #s3 > 3
+}
+        
\ No newline at end of file
diff --git a/yara_rules/guloader_unpacker.yar b/yara_rules/guloader_unpacker.yar
new file mode 100644
index 0000000..49fa73b
--- /dev/null
+++ b/yara_rules/guloader_unpacker.yar
@@ -0,0 +1,21 @@
+rule guloader_unpacker {
+    meta:
+        id = "dee4cad4-e3b4-4a12-860b-ff750b119fa8"
+        version = "1.0"
+        description = "GuLoader Unpacker"
+        author = "Sekoia.io"
+        creation_date = "2024-02-07"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $p1 = "([Parameter(Position = 0)] [Type[]] $" base64
+        $p2 = "+=2){" base64
+        $p3 = "}else {" base64
+        
+    condition:
+        $p1 in (filesize-30000..filesize) and
+        $p2 in (filesize-30000..filesize) and
+        $p3 in (filesize-30000..filesize) and
+        filesize > 300KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/guloader_unpacker_decoded.yar b/yara_rules/guloader_unpacker_decoded.yar
new file mode 100644
index 0000000..07d4944
--- /dev/null
+++ b/yara_rules/guloader_unpacker_decoded.yar
@@ -0,0 +1,19 @@
+rule guloader_unpacker_decoded {
+    meta:
+        id = "ca3f4fce-b3a1-4672-a2ca-29ea347eb23d"
+        version = "1.0"
+        description = "GuLoader Unpacker b64 decoded"
+        author = "Sekoia.io"
+        creation_date = "2024-02-07"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $jumps = {71 01 9b 71 01 9b}
+        $s1 = "([String]$"
+        $s2 = "For($"
+        $s3 = ",[Parameter(Position = 1)] [Type] $"
+        
+    condition:
+        filesize < 500KB and @jumps < 1000 and 2 of ($s*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/guloader_vbscript.yar b/yara_rules/guloader_vbscript.yar
new file mode 100644
index 0000000..118652d
--- /dev/null
+++ b/yara_rules/guloader_vbscript.yar
@@ -0,0 +1,18 @@
+rule guloader_vbscript {
+    meta:
+        id = "3472e403-b1e6-4fdf-9770-af42d505b556"
+        version = "1.0"
+        description = "visual basic script delivering GuLoader"
+        author = "Sekoia.io"
+        creation_date = "2024-02-07"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = " = CreateObject(\"WScript.Shell\")"
+        $s2 = " = Join("
+        $s3 = ",vbnullstring)"
+        
+    condition:
+        filesize < 20KB and all of them and #s1 > 1 and @s3-@s2 < 16
+}
+        
\ No newline at end of file
diff --git a/yara_rules/hacktool_credentialkatz.yar b/yara_rules/hacktool_credentialkatz.yar
new file mode 100644
index 0000000..ec37835
--- /dev/null
+++ b/yara_rules/hacktool_credentialkatz.yar
@@ -0,0 +1,35 @@
+rule hacktool_credentialkatz {
+    meta:
+        id = "4795d131-2625-40ca-bca6-02aac5030b55"
+        version = "1.0"
+        description = "Finds ChromeKatz (CredentialKatz version) standalone samples based on the strings"
+        author = "Sekoia.io"
+        reference = "https://github.com/Meckazin/ChromeKatz"
+        creation_date = "2024-10-30"
+        classification = "TLP:CLEAR"
+        hash = "2762e066128e186526c5ff272fc9184c0262d81d8c513e6515c25c189418931c"
+        
+    strings:
+        $str01 = "Don't use your cat's name as a password!" ascii
+        $str02 = "[-] Failed to parse command line argument /pid!" ascii
+        $str03 = "[*] Targeting process: %ls on PID: %lu" ascii
+        $str04 = "CredentialStore: NotSet" ascii
+        $str05 = "CredentialStore: AccountStore" ascii
+        $str06 = "CredentialStore: ProfileStore" ascii
+        $str07 = "[*] Number of available credentials: %zu" ascii
+        $str08 = "[+] Found browser process: %d" ascii
+        $str09 = "Failed to read credential struct" wide
+        $str10 = "Error reading right node" wide
+        $str11 = "Failed to read the root node from given address" wide
+        $str12 = "Error reading first node" wide
+        $str13 = "chrome.dll" wide
+        $str14 = "    Domain:" ascii
+        $str15 = "    Password:" ascii
+        $str16 = "Found %ls main process PID: %lu" ascii
+        $str17 = "---------------" ascii
+        $str18 = "CredentialKatz" ascii wide
+        
+    condition:
+        uint16(0)==0x5A4D and 5 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/hacktool_defendercontrol_strings.yar b/yara_rules/hacktool_defendercontrol_strings.yar
new file mode 100644
index 0000000..68617b1
--- /dev/null
+++ b/yara_rules/hacktool_defendercontrol_strings.yar
@@ -0,0 +1,20 @@
+rule hacktool_defendercontrol_strings {
+    meta:
+        id = "c6587a46-5f9b-4bf0-9231-9d2505293557"
+        version = "1.0"
+        description = "Detects DefenderControl based on strings"
+        author = "Sekoia.io"
+        creation_date = "2022-03-08"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "www.sordum.org All Rights Reserved." wide
+        $ = "dControl.exe" wide
+        $ = "By BlueLife" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 600KB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/hacktool_dnscat2_strings.yar b/yara_rules/hacktool_dnscat2_strings.yar
new file mode 100644
index 0000000..e305119
--- /dev/null
+++ b/yara_rules/hacktool_dnscat2_strings.yar
@@ -0,0 +1,23 @@
+rule hacktool_dnscat2_strings {
+    meta:
+        id = "9655cdd7-c7fe-4033-bdd9-bdfcfd2bf827"
+        version = "1.0"
+        description = "Detects DNSCat2 based on strings"
+        author = "Sekoia.io"
+        creation_date = "2022-02-25"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "Creating a exec('%s') session!"
+        $ = "RROR parsing --dns"
+        $ = "Got a ping request! Responding!"
+        $ = "[Tunnel %d] Received %zd bytes"
+        $ = "[Tunnel %d] connection to %s:%d"
+        $ = "You'll need to use --dns server=<server>"
+        $ = "Setting delay between packets to %dms"
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        3 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/hacktool_duplicatedump_strings.yar b/yara_rules/hacktool_duplicatedump_strings.yar
new file mode 100644
index 0000000..2e07f49
--- /dev/null
+++ b/yara_rules/hacktool_duplicatedump_strings.yar
@@ -0,0 +1,22 @@
+rule hacktool_duplicatedump_strings {
+    meta:
+        id = "081d0124-4afe-418b-9767-3d987c0107ca"
+        version = "1.0"
+        description = "Detects Duplicate Dump"
+        author = "Sekoia.io"
+        creation_date = "2023-11-22"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "7d872e921a4b4b1b8b295395099b0209" wide ascii
+        $ = "[+] Named pipe connected and replying with current PID" wide ascii
+        $ = "[X] Named pipe connection error:" wide ascii
+        $ = "[X] Error occur while compressing file:" wide ascii
+        $ = "[+] Dump file saved to" wide ascii
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 500KB and
+        4 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/hacktool_earthworm_strings.yar b/yara_rules/hacktool_earthworm_strings.yar
new file mode 100644
index 0000000..8f4809b
--- /dev/null
+++ b/yara_rules/hacktool_earthworm_strings.yar
@@ -0,0 +1,23 @@
+rule hacktool_earthworm_strings {
+    meta:
+        id = "6c9b0225-8c41-49f9-9745-245bc7ef942f"
+        version = "1.0"
+        description = "Detects Mac/Win/Linux EarthWorm based on strings"
+        author = "Sekoia.io"
+        creation_date = "2022-02-08"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "the read url is %s"
+        $ = "--> %3d <-- (close)used tunnel %d , unused tunnel %d"
+        $ = "ssocksd 0.0.0.0:%d <--[%4d usec]--> socks server"
+        $ = "could not create one way tunnel"
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 
+         or uint16be(0) == 0x4d5a
+         or uint32be(0) == 0xcffaedfe
+        ) and filesize < 100KB and
+        3 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/hacktool_fscan_strings.yar b/yara_rules/hacktool_fscan_strings.yar
new file mode 100644
index 0000000..17f307c
--- /dev/null
+++ b/yara_rules/hacktool_fscan_strings.yar
@@ -0,0 +1,24 @@
+rule hacktool_fscan_strings {
+    meta:
+        id = "6bef80c3-370c-4168-9d88-3fac88f986b1"
+        version = "1.0"
+        description = "Detects fscan based on strings"
+        author = "Sekoia.io"
+        creation_date = "2023-12-06"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "Plugins.RdpScan.func1"
+        $ = "Plugins.smb1AnonymousConnectIPC.func1"
+        $ = "WebScan/WebScan.go"
+        $ = "Plugins/CVE-2020-0796.go"
+        $ = "Plugins.SshConn.func4"
+        $ = "Plugins.PostgresScan"
+        $ = "Plugins.(*FCGIClient).Request.func1"
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        filesize < 30MB and
+        4 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/hacktool_gtunnel_strings.yar b/yara_rules/hacktool_gtunnel_strings.yar
new file mode 100644
index 0000000..c46db80
--- /dev/null
+++ b/yara_rules/hacktool_gtunnel_strings.yar
@@ -0,0 +1,28 @@
+rule hacktool_gtunnel_strings {
+    meta:
+        id = "f20a4400-8ae6-4954-b643-0a8847f037f0"
+        version = "1.0"
+        description = "Detects Go gTunnel based on strings"
+        author = "Sekoia.io"
+        creation_date = "2023-04-24"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $repo = "github.com/hotnops/gTunnel/" ascii fullword
+        $s1 = "common.(*Tunnel).GetControlStream"
+        $s2 = "common.(*Tunnel).handleIngressCtrlMessages"
+        $s3 = "client..inittask"
+        $s4 = "client.file_client_proto_rawDescGZIP."
+        $s5 = "common.(*SocksServer).Start."
+        $s6 = "client.(*TunnelControlMessage).GetConnectionId"
+        $s7 = "protobuf/reflect/protoreflect.ProtoMessage"
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or 
+         uint16be(0) == 0x4d5a or 
+         uint32be(0) == 0xfeedface or 
+         uint32be(0) == 0xfeedfacf or 
+         uint32be(0) == 0xcafebabe ) and
+         #repo > 200 or 5 of ($s*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/hacktool_impacket_compiled_binary.yar b/yara_rules/hacktool_impacket_compiled_binary.yar
new file mode 100644
index 0000000..b304729
--- /dev/null
+++ b/yara_rules/hacktool_impacket_compiled_binary.yar
@@ -0,0 +1,37 @@
+rule hacktool_impacket_compiled_binary {
+    meta:
+        id = "43936dcc-0d74-43dd-996a-c27a28cef283"
+        version = "1.0"
+        description = "Detects generic PE embbeding impacket"
+        author = "Sekoia.io"
+        creation_date = "2022-02-28"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $i1 = "impacket.crypto" fullword
+        $i2 = "impacket.dcerpc" fullword
+        $i3 = "impacket.ese" fullword
+        $i4 = "impacket.hresult_errors" fullword
+        $i5 = "impacket.krb5" fullword
+        $i6 = "impacket.nmb" fullword
+        $i7 = "impacket.nt_errors" fullword
+        $i8 = "impacket.ntlm" fullword
+        $i9 = "impacket.smb" fullword
+        $i10 = "impacket.smb3" fullword
+        $i11 = "impacket.smb3structs" fullword
+        $i12 = "impacket.smbconnection" fullword
+        $i13 = "impacket.spnego" fullword
+        $i14 = "impacket.structure" fullword
+        $i15 = "impacket.system_errors" fullword
+        $i16 = "impacket.tds" fullword
+        $i17 = "impacket.uuid" fullword
+        $i18 = "impacket.version" fullword
+        $i19 = "impacket.winregistry" fullword
+        $py = "PYZ-00.pyz"
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize > 1MB and
+        3 of ($i*) and $py
+}
+        
\ No newline at end of file
diff --git a/yara_rules/hacktool_iox_tunneling.yar b/yara_rules/hacktool_iox_tunneling.yar
new file mode 100644
index 0000000..b2f246a
--- /dev/null
+++ b/yara_rules/hacktool_iox_tunneling.yar
@@ -0,0 +1,23 @@
+rule hacktool_iox_tunneling {
+    meta:
+        id = "45b31d67-95e9-405d-88ea-3f2006ef160a"
+        version = "1.0"
+        description = "Detects IOX tunneling tool"
+        author = "Sekoia.io"
+        creation_date = "2022-10-13"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "iox/operate.Local2Remote"
+        $ = "iox/operate.Local2Local"
+        $ = "iox/operate.Remote2Remote"
+        $ = "iox/operate.ProxyLocal"
+        $ = "iox/operate.ProxyRemote"
+        $ = "iox/operate.ProxyRemoteL2L"
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        filesize < 5MB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/hacktool_ipmipwner_strings.yar b/yara_rules/hacktool_ipmipwner_strings.yar
new file mode 100644
index 0000000..0527019
--- /dev/null
+++ b/yara_rules/hacktool_ipmipwner_strings.yar
@@ -0,0 +1,17 @@
+rule hacktool_ipmipwner_strings {
+    meta:
+        id = "2ac736b5-33bb-477f-a98c-57cc2744d251"
+        version = "1.0"
+        description = "Detects ipmiPwner script"
+        author = "Sekoia.io"
+        creation_date = "2023-12-08"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "{status} Using the list of users that the {lgcyan}script"
+        $ = "--host 192.168.1.12 -p 624 -uW /opt/SecLists/Usernames/"
+        
+    condition:
+        all of them and filesize < 10KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/hacktool_lazagne_strings.yar b/yara_rules/hacktool_lazagne_strings.yar
new file mode 100644
index 0000000..b3c58b5
--- /dev/null
+++ b/yara_rules/hacktool_lazagne_strings.yar
@@ -0,0 +1,26 @@
+rule hacktool_lazagne_strings {
+    meta:
+        id = "5a5e7a07-1252-48cc-ada5-46e796c4e00e"
+        version = "1.0"
+        description = "Detects LaZagne hacktool based on strings"
+        author = "Sekoia.io"
+        creation_date = "2022-02-07"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        
+        $w1= "lazagne.softwares"
+        $w2= "pypykatz.lsadecryptor"
+        
+        $l0= "PyModule_GetDict"
+        $l1= "softwares.sysadmin.filezilla"
+        $l2= "softwares.walle"
+        $l3= "softwares.databases.sqldeveloper"
+        $l4= "softwares.wifi.wpa_supplicant"
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 and all of ($l*))
+        or (uint16be(0) == 0x4d5a and all of ($w*)) and
+        filesize < 40MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/hacktool_ligolo_relay_strings.yar b/yara_rules/hacktool_ligolo_relay_strings.yar
new file mode 100644
index 0000000..bd5125b
--- /dev/null
+++ b/yara_rules/hacktool_ligolo_relay_strings.yar
@@ -0,0 +1,21 @@
+rule hacktool_ligolo_relay_strings {
+    meta:
+        id = "1e32f2e5-b66b-4b55-9dd4-1402b2f627ed"
+        version = "1.0"
+        description = "Detects Ligolo Relay based on strings"
+        author = "Sekoia.io"
+        creation_date = "2022-02-08"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "ligolo/cmd/localrelay"
+        $ = "main.LigoloRelay.Start"
+        $ = "main.LigoloRelay.startRelayHandler"
+        $ = "main.LigoloRelay.startLocalHandler"
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        filesize > 2MB and filesize < 5MB and
+        3 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/hacktool_ligolo_strings.yar b/yara_rules/hacktool_ligolo_strings.yar
new file mode 100644
index 0000000..b2ab70c
--- /dev/null
+++ b/yara_rules/hacktool_ligolo_strings.yar
@@ -0,0 +1,22 @@
+rule hacktool_ligolo_strings {
+    meta:
+        id = "5013256b-eda3-417e-ac72-959055b01c7e"
+        version = "1.0"
+        description = "Detects ligolo based on strings"
+        author = "Sekoia.io"
+        creation_date = "2022-02-08"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "Restarting Ligolo..."
+        $ = "Ligolo starts a socks5 proxy server"
+        $ = "main.startSocksProxy"
+        $ = "main.handleRelay"
+        $ = "main.StartLigolo"
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        filesize > 2MB and filesize < 5MB and
+        3 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/hacktool_microsocks_strings.yar b/yara_rules/hacktool_microsocks_strings.yar
new file mode 100644
index 0000000..55ecf10
--- /dev/null
+++ b/yara_rules/hacktool_microsocks_strings.yar
@@ -0,0 +1,19 @@
+rule hacktool_microsocks_strings {
+    meta:
+        id = "20e82008-249b-47a3-885b-7c4b04b31a57"
+        version = "1.0"
+        description = "Detects Microsocks"
+        author = "Sekoia.io"
+        creation_date = "2023-12-08"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "microsocks -1 -i listenip -p port -u user -P password"
+        $ = "user/pass, it is added to a whitelist"
+        
+    condition:
+        uint32be(0) == 0x7f454c46 and
+        filesize < 1MB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/hacktool_mimikat_ssp_strings.yar b/yara_rules/hacktool_mimikat_ssp_strings.yar
new file mode 100644
index 0000000..5ecd893
--- /dev/null
+++ b/yara_rules/hacktool_mimikat_ssp_strings.yar
@@ -0,0 +1,21 @@
+rule hacktool_mimikat_ssp_strings {
+    meta:
+        id = "33b3620f-e02d-4d29-adcc-fea3b49ab780"
+        version = "1.0"
+        description = "Detects mimikat_ssp"
+        author = "Sekoia.io"
+        creation_date = "2023-11-22"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "[*] Building RPC packet" ascii
+        $ = "[*] Connecting to lsasspirpc RPC service" ascii
+        $ = "[*] Sending SspirConnectRpc call" ascii
+        $ = "[*] Sending SspirCallRpc call" ascii
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 500KB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/hacktool_mimikatz_obfuscated.yar b/yara_rules/hacktool_mimikatz_obfuscated.yar
new file mode 100644
index 0000000..0d472f2
--- /dev/null
+++ b/yara_rules/hacktool_mimikatz_obfuscated.yar
@@ -0,0 +1,26 @@
+rule hacktool_mimikatz_obfuscated {
+    meta:
+        id = "bac4bb61-d250-4fc3-95a5-edd4e3c7ff83"
+        version = "1.0"
+        description = "Detects Mimikatz on strings obfuscation"
+        author = "Sekoia.io"
+        creation_date = "2022-07-22"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $xor1 = "Benjamin Delpy" xor
+        $xor2 = "sekurlsa" xor wide
+        $xor3 = "minidumpfile.dmp" wide
+        $xor4 = "lsadump_dcsync"  xor wide
+        $xor5 = "kuhl_m_lsadump_getSamKey" xor wide
+        
+        $b1 = "Benjamin Delpy" base64
+        $b2 = "sekurlsa" base64 wide
+        $b3 = "minidumpfile.dmp" base64 wide
+        $b4 = "lsadump_dcsync" base64 wide
+        $b5 = "kuhl_m_lsadump_getSamKey" base64 wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and 3 of them and filesize < 5MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/hacktool_mimilite.yar b/yara_rules/hacktool_mimilite.yar
new file mode 100644
index 0000000..36cc7d8
--- /dev/null
+++ b/yara_rules/hacktool_mimilite.yar
@@ -0,0 +1,38 @@
+rule hacktool_mimilite {
+    meta:
+        id = "abb92a9d-0978-4ef2-b2cc-53ce6e83e3e4"
+        version = "1.0"
+        description = "Detects Mimilite"
+        author = "Sekoia.io"
+        creation_date = "2023-12-05"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $chunk = {
+        FF C7
+        48 63 D7
+        46 0F B6 04 22
+        41 03 F0
+        81 E6 ?? ?? ?? ??
+        7D ??
+        FF CE
+        81 CE ?? ?? ?? ??
+        FF C6
+        48 63 CE
+        42 0F B6 04 21
+        42 88 04 22
+        46 88 04 21 }
+        $imp1 = "CryptGetHashParam"
+        $imp2 = "CryptDestroyHash"
+        $imp3 = "CryptHashData"
+        $imp4 = "CryptReleaseContext"
+        $imp5 = "CryptCreateHash"
+        $imp6 = "CryptAcquireContextA"
+        $imp7 = "VirtualAlloc"
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 200KB and
+        all of ($imp*) and $chunk
+}
+        
\ No newline at end of file
diff --git a/yara_rules/hacktool_nbtscan_strings.yar b/yara_rules/hacktool_nbtscan_strings.yar
new file mode 100644
index 0000000..627c74c
--- /dev/null
+++ b/yara_rules/hacktool_nbtscan_strings.yar
@@ -0,0 +1,22 @@
+rule hacktool_nbtscan_strings {
+    meta:
+        id = "8883b56c-a085-459c-9ec6-a139ad5a2671"
+        version = "1.0"
+        description = "Detects NBTScan hacktool based on strings, ELF & PE variants"
+        author = "Sekoia.io"
+        creation_date = "2022-02-06"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "CHT:nfp:bt:vw:mVO:1P"
+        $ = "usage: %s [options] target [targets...]"
+        $ = "Targets are lists of IP addresses, DNS names, or address"
+        $ = "net bits [%d] must be 1..32"
+        $ = "subnet /%d is too large (%d max)"
+        $ = "[%s] is invalid IP address"
+        $ = "[%s] is an invalid target (bad IP/hostname)"
+        
+    condition:
+        uint16be(0) == 0x4d5a and 5 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/hacktool_ntdsdumpex_strings.yar b/yara_rules/hacktool_ntdsdumpex_strings.yar
new file mode 100644
index 0000000..070daaa
--- /dev/null
+++ b/yara_rules/hacktool_ntdsdumpex_strings.yar
@@ -0,0 +1,22 @@
+rule hacktool_ntdsdumpex_strings {
+    meta:
+        id = "9a0fe20a-49e9-4aaf-8f0e-d51800e0a6e0"
+        version = "1.0"
+        description = "Detects NTDSDumpEx based on strings"
+        author = "Sekoia.io"
+        creation_date = "2022-02-25"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "Example : ntdsdumpex.exe -r" ascii wide
+        $ = "[x]can not open output file %s for write." ascii wide
+        $ = "[+]dump completed in %.3f seconds." ascii wide
+        $ = "[+]total %d entries dumped,%d" ascii wide
+        $ = "[x]can not get PEK!" ascii wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 200KB and
+        3 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/hacktool_ntospy_strings.yar b/yara_rules/hacktool_ntospy_strings.yar
new file mode 100644
index 0000000..225b529
--- /dev/null
+++ b/yara_rules/hacktool_ntospy_strings.yar
@@ -0,0 +1,20 @@
+rule hacktool_ntospy_strings {
+    meta:
+        id = "c3281666-6a31-4718-a9c0-82944c6fdcb0"
+        version = "1.0"
+        description = "Detects Ntospy based on strings"
+        author = "Sekoia.io"
+        creation_date = "2023-12-05"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "NPGetCaps"
+        $ = "NPLogonNotify"
+        $ = {43 00 3A 00 5C 00 [10-150] 00 2E 00 6D 00 73 00 75}
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 300KB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/hacktool_pplblade_strings.yar b/yara_rules/hacktool_pplblade_strings.yar
new file mode 100644
index 0000000..06ffc62
--- /dev/null
+++ b/yara_rules/hacktool_pplblade_strings.yar
@@ -0,0 +1,20 @@
+rule hacktool_pplblade_strings {
+    meta:
+        id = "1a443621-fc95-4a70-873e-c1389943d4ab"
+        version = "1.0"
+        description = "Detects PPLBlade"
+        author = "Sekoia.io"
+        creation_date = "2023-11-23"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "shirou/gopsutil/internal/"
+        $ = ".miniDumpWriteDump"
+        $ = ".DRIVER_FULL_PATH"
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize > 4MB and filesize < 6MB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/hacktool_rubeus_strings.yar b/yara_rules/hacktool_rubeus_strings.yar
new file mode 100644
index 0000000..e8908f2
--- /dev/null
+++ b/yara_rules/hacktool_rubeus_strings.yar
@@ -0,0 +1,22 @@
+rule hacktool_rubeus_strings {
+    meta:
+        id = "048cab99-c288-44c2-9dc6-74eed02ef8f5"
+        version = "1.0"
+        description = "Detects Rubeus based on strings"
+        author = "Sekoia.io"
+        creation_date = "2022-02-15"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "includeComputerAccounts" ascii
+        $ = "passwordsOutfile" ascii
+        $ = "monitorIntervalSeconds" ascii
+        $ = "displayNewTickets" ascii
+        $ = "658c8b7f-3664-4a95-9572-a3e5871dfc06" ascii
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 1MB and
+        4 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/hacktool_sharpview_strings.yar b/yara_rules/hacktool_sharpview_strings.yar
new file mode 100644
index 0000000..e7adbfc
--- /dev/null
+++ b/yara_rules/hacktool_sharpview_strings.yar
@@ -0,0 +1,23 @@
+rule hacktool_sharpview_strings {
+    meta:
+        id = "585ead98-36d0-402c-b527-4dec308cb1c9"
+        version = "1.0"
+        description = "Detects SharpView based on strings."
+        author = "Sekoia.io"
+        creation_date = "2022-02-14"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "Args_Get_DomainGPOComputerLocalGroupMapping"
+        $ = "Args_Get_ForestGlobalCatalog"
+        $ = "Args_Find_DomainLocalGroupMember"
+        $ = "Args_Get_DomainFileServer"
+        $ = "Ex: SharpView.exe Method-Name" wide
+        $ = "[Get-PathAcl] error: {0}" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 800KB and
+        5 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/hacktool_socat_strings.yar b/yara_rules/hacktool_socat_strings.yar
new file mode 100644
index 0000000..80547ae
--- /dev/null
+++ b/yara_rules/hacktool_socat_strings.yar
@@ -0,0 +1,19 @@
+rule hacktool_socat_strings {
+    meta:
+        id = "7c7e4085-39b2-445e-a9ff-52f21936e714"
+        version = "1.0"
+        description = "Detects socat"
+        author = "Sekoia.io"
+        creation_date = "2023-12-08"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "[options] <bi-address> <bi-address>"
+        $ = "version %s on %s"
+        $ = "socat_signal():"
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        filesize < 5MB and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/hacktool_stowaway_strings.yar b/yara_rules/hacktool_stowaway_strings.yar
new file mode 100644
index 0000000..f4667df
--- /dev/null
+++ b/yara_rules/hacktool_stowaway_strings.yar
@@ -0,0 +1,25 @@
+rule hacktool_stowaway_strings {
+    meta:
+        id = "a952b45a-269b-4075-bf72-16d6d863e97c"
+        version = "1.0"
+        description = "Detects Stowaway based on strings"
+        author = "Sekoia.io"
+        creation_date = "2023-11-15"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "agent.CloseLowConn"
+        $ = "agent.CloseListener"
+        $ = "agent.SimpleNodeInit"
+        $ = "agent.HandleConnToLowerNode"
+        $ = "agent.HandleConnFromLowerNode"
+        $ = "common.NewPassToLowerNodeData"
+        $ = "agent.HandleSimpleNodeConn"
+        $ = "agent.HandleConnToUpperNode"
+        $ = "agent.HandleConnFromUpperNode"
+        $ = "agent.StartSocks"
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/hacktool_win_cookiekatz.yar b/yara_rules/hacktool_win_cookiekatz.yar
new file mode 100644
index 0000000..432b9f2
--- /dev/null
+++ b/yara_rules/hacktool_win_cookiekatz.yar
@@ -0,0 +1,37 @@
+rule hacktool_win_cookiekatz {
+    meta:
+        id = "a32769bb-4ec4-46c7-9402-21afdf8d4293"
+        version = "1.0"
+        description = "Finds ChromeKatz (CookieKatz version) standalone samples based on the strings"
+        author = "Sekoia.io"
+        reference = "https://github.com/Meckazin/ChromeKatz"
+        creation_date = "2024-10-30"
+        classification = "TLP:CLEAR"
+        hash = "fef9fc33a788489af44b2f732c450d4ef018fbaced7f5471230b282dfd6f1169"
+        
+    strings:
+        $str01 = "CookieKatz.exe" ascii
+        $str02 = "--utility-sub-type=network.mojom.NetworkService" wide
+        $str03 = "chrome.dll" wide
+        $str04 = "msedge.dll" wide
+        $str05 = "msedgewebview2.exe" wide
+        $str06 = "Failed to read cookie struct" wide
+        $str07 = "Failed to read the root node from given address" wide
+        $str08 = "Error reading left node" wide
+        $str09 = "By Meckazin" ascii
+        $str10 = "By default targets first available Chrome process" ascii
+        $str11 = "Kittens love cookies too!" ascii
+        $str12 = "Attempting to read the cookie value from address: 0x%p" ascii
+        $str13 = "szCookieMonster" ascii
+        $str14 = "[*] Targeting Chrome" ascii
+        $str15 = "[*] Targeting Edge" ascii
+        $str16 = "[*] This Cookie map was empty" ascii
+        $str17 = "[+] Found browser process: %d" ascii wide
+        $str18 = "[*] Targeting process PID: %d" wide
+        $str19 = "[*] Found CookieMonster on 0x%p" wide
+        $str20 = "[*] CookieMap should be found in address 0x%p" wide
+        
+    condition:
+        uint16(0)==0x5A4D and 8 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/hacktool_win_gmer.yar b/yara_rules/hacktool_win_gmer.yar
new file mode 100644
index 0000000..d25ba56
--- /dev/null
+++ b/yara_rules/hacktool_win_gmer.yar
@@ -0,0 +1,25 @@
+import "pe"
+        
+rule hacktool_win_gmer {
+    meta:
+        version = "1.0"
+        description = "Dtect the GMER hacktool based string and UPX usage"
+        author = "Sekoia.io"
+        creation_date = "2022-09-09"
+        id = "d2f1aba1-4222-45e5-95bd-4d7f08595cea"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $pac = "IDI_GMER" wide
+        
+        $str0 = "---- Processes - GMER %s ----" ascii
+        $str1 = "E:\\projects\\cpp\\gmer\\Release\\gmer.pdb" ascii
+        
+    condition:
+        uint16(0)==0x5A4D and
+        (($pac and for any i in (0..pe.number_of_sections-1) : (
+                pe.sections[i].name == "UPX0"
+        )) or
+        any of ($str*)) and filesize < 900KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/hacktool_win_powertool.yar b/yara_rules/hacktool_win_powertool.yar
new file mode 100644
index 0000000..350aa9b
--- /dev/null
+++ b/yara_rules/hacktool_win_powertool.yar
@@ -0,0 +1,22 @@
+rule hacktool_win_powertool {
+    meta:
+        version = "1.0"
+        description = "Detect PowerTool based on strings"
+        author = "Sekoia.io"
+        creation_date = "2022-09-09"
+        id = "ab8355b8-322d-41a4-82f0-43896c96b9bc"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str0 = "C:\\dev\\pt64_en\\Release\\PowerTool.pdb" ascii
+        $str1 = "Chage language nedd to restart PowerTool" ascii
+        $str2 = "(http://twitter.com/ithurricanept && https://www.linkedin.com/in/powertool)" wide
+        $str3 = "Infected=Before Fix, whether to back up the drive files will be fixed?" wide
+        $str4 = "Infected?-Are you sure to Fix the Infected Driver File?" wide
+        $str5 = "shellex\\ContextMenuHandlers\\PowerTool" wide
+        $str6 = "[PowerTool] name=%s, size=%d, %d" ascii
+        
+    condition:
+        uint16(0)==0x5A4D and any of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/hacktool_win_processhacker.yar b/yara_rules/hacktool_win_processhacker.yar
new file mode 100644
index 0000000..a987b49
--- /dev/null
+++ b/yara_rules/hacktool_win_processhacker.yar
@@ -0,0 +1,18 @@
+rule hacktool_win_processhacker {
+    meta:
+        version = "1.0"
+        description = "Detect ProcessHacker hacktool"
+        author = "Sekoia.io"
+        creation_date = "2022-09-09"
+        id = "1dffe8c9-2ab7-4265-965e-8673b80f17d5"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str0 = "Unable to uninstall KProcessHacker" wide
+        $str1 = "Process Hacker's settings file is corrupt. Do you want to reset it?" wide
+        $str2 = "Process Hacker uses the following components:" wide
+        
+    condition:
+        uint16(0)==0x5A4D and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/hacktool_win_uknowseckeylogger.yar b/yara_rules/hacktool_win_uknowseckeylogger.yar
new file mode 100644
index 0000000..1317348
--- /dev/null
+++ b/yara_rules/hacktool_win_uknowseckeylogger.yar
@@ -0,0 +1,21 @@
+rule hacktool_win_uknowseckeylogger {
+    meta:
+        version = "1.0"
+        description = "Detect the uknowsec keylogger based on strings"
+        author = "Sekoia.io"
+        creation_date = "2022-10-05"
+        id = "ab08136d-b1f3-4e64-b73c-e6344b610f91"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str0 = "github.com/atotto/clipboard" ascii
+        $str1 = "github.com/TheTitanrain/w32" ascii
+        $str2 = "github.com/aliyun/aliyun-oss-go-sdk" ascii
+        $str3 = "golang.org/x/sys" ascii
+        $str4 = "golang.org/x/time" ascii
+        $str5 = "WSARecvWSASend[Print][Right][Shift][Sleep][debug][error]" ascii
+        
+    condition:
+        uint16(0)==0x5A4D and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/hafnium_tarrask_malware.yar b/yara_rules/hafnium_tarrask_malware.yar
new file mode 100644
index 0000000..4db8c14
--- /dev/null
+++ b/yara_rules/hafnium_tarrask_malware.yar
@@ -0,0 +1,17 @@
+rule hafnium_tarrask_malware {
+    meta:
+        id = "6f1728d6-dc9b-4ea7-8656-2b069ee269a0"
+        version = "1.0"
+        description = "Hunting rule to look for Tarrask malware"
+        author = "Sekoia.io"
+        creation_date = "2022-04-14"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "delete sd success" wide ascii nocase
+        $s2 = "Task successfully registered." wide ascii nocase
+        
+    condition:
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/icebot_exported_function.yar b/yara_rules/icebot_exported_function.yar
new file mode 100644
index 0000000..2b0c5b8
--- /dev/null
+++ b/yara_rules/icebot_exported_function.yar
@@ -0,0 +1,25 @@
+import "pe"
+import "hash"
+        
+rule icebot_exported_function {
+    meta:
+        id = "1a1fb651-6ce3-4751-be23-c27a3d8dabde"
+        version = "1.0"
+        author = "Sekoia.io"
+        creation_date = "2022-01-17"
+        classification = "TLP:CLEAR"
+        description = "Detects the IceBot RAT used by FIN7 based on the exported function"
+        hash1 = "5ee5b869689686d9352c73173304627bb424b8d0a8510e6f16726ac84fdec79d"
+        hash2 = "0f76768f65775329d7a0ddb977ea822d992d086ce48a23679cef66e3b4d2f4ed"
+        hash3 = "f06c7f1b91fb2f64e1f38df6eaf2b52a74b16cc958d74c4401fdaf180deb595a"
+        hash4 = "cbed0cf3273ce544a7e4e316d5c8f5e9c9ac6deaefa485a6afad2654fe75ff1e"
+        
+    strings:
+        $a = {cc cc cc 48 89 4c 24 ?? 53 55 56 57 41 54 41 55 41 56 41 57 ?? ?? ?? ?? 33 f6 44 8b ee 48 89 74 24 ?? 8b ee 48 89 b4 24 ?? ?? ?? ?? 44 8b f6 48 89 74 24 ?? 44 8b e6 e8 bf ff ff ff 4c 8b f8 8d 5e ?? b8 ?? ?? ?? ?? 66 41 39 07 75 1b 49 63 57 ?? 48 8d 4a ?? 48 81 f9 ?? ?? ?? ?? 77 0a 42 81 3c 3a ?? ?? ?? ?? 74 05 4c 2b fb eb d5 65 48 8b 04 25 ?? ?? ?? ?? bf ?? ?? ?? ?? 4c 89 bc 24 ?? ?? ?? ?? 48 8b 48 ?? 4c 8b 59 ?? 4c 89 9c 24 ?? ?? ?? ?? 4d 85 db 0f 84 d5 01 00 00 41 b9 ff ff 00 00 49 8b 53 ?? 48 8b c6 45 0f b7 43 ?? 0f b6 0a c1 c8 ?? 80 f9 ?? 72 04 48 83 c0 ?? 48 03 c1 48 03 d3 66 45 03 c1 75 e5 3d ?? ?? ?? ?? 0f 85 d2 00 00 00 49 8b 53 ?? 41 bb ff ff 00 00 48 63 42 ?? 8b b4 10 ?? ?? ?? ?? 44 8b 54 16 ?? 8b 5c 16 ?? 4c 03 d2 48 03 da 45 33 c9 45 8d 79 ?? 45 8b 02 41 8b c9 4c 03 c2 41 8a 00 4d 03 c7 c1 c9 ?? 0f be c0 03 c8 41 8a 00 84 c0 75 ee 81 f9 ?? ?? ?? ?? 74 10 81 f9 ?? ?? ?? ?? 74 08 81 f9 ?? ?? ?? ?? 75 44 44 8b 4c 16 ?? 44 0f b7 03 4c 03 ca 81 f9 ?? ?? ?? ?? 75 09 47 8b 2c 81 4c 03 ea eb 20 81 f9 ?? ?? ?? ?? 75 09 43 8b 2c 81 48 03 ea eb 0f 81 f9 ?? ?? ?? ?? 75 07 47 8b 34 81 4c 03 f2 66 41 03 fb 45 33 c9 49 83 c2 ?? 48 83 c3 ?? 66 85 ff 0f 85 75 ff ff ff 4c 8b 9c 24 ?? ?? ?? ?? 33 f6 48 89 ac 24 ?? ?? ?? ?? 4c 89 6c 24 ?? e9 8d 00 00 00 3d ?? ?? ?? ?? 0f 85 90 00 00 00 4d 8b 43 ?? 41 bf ?? ?? ?? ?? 41 0f b7 ff bd ff ff 00 00 49 63 40 ?? 42 8b 9c 00 ?? ?? ?? ?? 46 8b 4c 03 ?? 46 8b 54 03 ?? 4d 03 c8 4d 03 d0 41 8b 11 8b ce 49 03 d0 8a 02 49 03 d7 c1 c9 ?? 0f be c0 03 c8 8a 02 84 c0 75 ef 81 f9 ?? ?? ?? ?? 75 16 42 8b 4c 03 ?? 41 0f b7 12 49 03 c8 44 8b 24 91 4d 03 e0 66 03 fd 49 83 c1 ?? 49 83 c2 ?? 66 85 ff 75 ba 48 8b ac 24 ?? ?? ?? ?? 4c 89 64 24 ?? 41 b9 ff ff 00 00 bf ?? ?? ?? ?? 49 8b df 4d 85 ed 74 0f 48 85 ed 74 0a 4d 85 f6 74 05 4d 85 e4 75 14 4d 8b 1b 4c 89 9c 24 ?? ?? ?? ?? 4d 85 db 0f 85 39 fe ff ff 4c 8b bc 24 ?? ?? ?? ?? 49 63 6f ?? 33 c9 49 03 ef 89 b4 24 ?? ?? ?? ?? 41 b8 00 ?? ?? ?? 48 89 6c 24 ?? 4c 8b e6 44 8d 49 ?? 8b 55 ?? 41 ff d6 44 0f b7 45 ?? 48 8b f8 44 0f b7 55 ?? 49 83 c0 ?? 4d 85 d2 74 4f 4c 03 c5 41 8b 00 4c 2b d3 45 8b 48 ?? 41 8b 48 ?? 48 03 cf 49 8d 14 07 41 03 c1 89 84 24 ?? ?? ?? ?? 48 8b c1 48 2b c2 4d 85 e4 49 0f 45 c4 4c 8b e0 4d 85 c9 74 0f 8a 02 48 03 d3 88 01 48 03 cb 4c 2b cb 75 f1 49 83 c0 ?? 4d 85 d2 75 b4 8b 85 ?? ?? ?? ?? 41 be ?? ?? ?? ?? 85 c0 0f 84 e8 00 00 00 48 8d 1c 07 8b 43 ?? 85 c0 0f 84 d9 00 00 00 48 8b ac 24 ?? ?? ?? ?? 8b c8 48 03 cf 41 ff d5 44 8b 7b ?? 33 c9 8b 33 4c 03 ff 48 03 f7 4c 8b e8 49 39 0f 74 7d 48 85 f6 74 31 48 39 0e 7d 2c 49 63 45 ?? 0f b7 16 42 8b 8c 28 ?? ?? ?? ?? 42 8b 44 29 ?? 42 8b 4c 29 ?? 48 2b d0 49 03 cd 8b 04 91 49 03 c5 49 89 07 33 c9 eb 2a 4d 8b 37 49 8b cd 49 83 c6 ?? 4c 03 f7 49 8b d6 ff d5 33 c9 49 89 07 41 38 0e 74 0e 8d 41 ?? 41 88 0e 4c 03 f0 41 38 0e 75 f5 49 83 c7 ?? 48 8d 46 ?? 48 85 f6 48 0f 44 c6 48 8b f0 49 39 0f 75 89 41 be ?? ?? ?? ?? 8b 43 ?? 48 03 c7 33 f6 eb 06 40 88 30 49 03 c6 40 38 30 75 f5 8b 43 ?? 48 83 c3 ?? 4c 8b 6c 24 ?? 85 c0 0f 85 3c ff ff ff 48 8b 6c 24 ?? 4c 8b bc 24 ?? ?? ?? ?? 4c 8b cf 4c 2b 4d ?? 39 b5 ?? ?? ?? ?? 0f 84 b5 00 00 00 8b 95 ?? ?? ?? ?? 48 03 d7 8b 42 ?? 85 c0 0f 84 a1 00 00 00 41 bf ?? ?? ?? ?? bb ff ?? ?? ?? 45 8d 6f ?? 44 8b 02 4c 8d 5a ?? 44 8b d0 4c 03 c7 49 83 ea ?? 49 d1 ea 74 62 41 be ?? ?? ?? ?? 41 0f b7 0b 4d 2b d6 0f b7 c1 66 c1 e8 ?? 66 83 f8 ?? 75 09 48 23 cb 4e 01 0c 01 eb 34 66 41 3b c5 75 09 48 23 cb 46 01 0c 01 eb 25 66 41 3b c6 75 11 48 23 cb 49 8b c1 48 c1 e8 ?? 66 42 01 04 01 eb 0e 66 41 3b c7 75 08 48 23 cb 66 46 01 0c 01 4d 03 df 4d 85 d2 75 a7 8b 42 ?? 48 03 d0 8b 42 ?? 85 c0 0f 85 7a ff ff ff 4c 8b bc 24 ?? ?? ?? ?? 44 8d 70 ?? 8b 5d ?? 45 33 c0 33 d2 48 83 c9 ff 48 03 df ff 54 24 ?? e8 21 fb ff ff 4d 85 e4 74 13 48 85 c0 74 0e 4a 8d 0c 20 4c 8b e6 e8 67 00 00 00 eb 3b 8b 94 24 ?? ?? ?? ?? c1 ea ?? 89 b4 24 ?? ?? ?? ?? eb 1d 48 63 84 24 ?? ?? ?? ?? 41 89 34 87 8b 84 24 ?? ?? ?? ?? 41 03 c6 89 84 24 ?? ?? ?? ?? 8b 84 24 ?? ?? ?? ?? 3b c2 72 d8 4c 8b 84 24 ?? ?? ?? ?? ba ?? ?? ?? ?? 48 8b cf ff d3 49 8d 04 3c ?? ?? ?? ?? 41 5f 41 5e 41 5d 41 5c 5f 5e 5d 5b c3}
+        
+    condition:
+        uint16(0)==0x5A4D and $a
+        or pe.imphash() == "37af5cd8fc35f39f0815827f7b80b304"
+        or hash.md5(pe.rich_signature.clear_data) == "b857cf76a54ce175c225eaaae66547a2"
+}
+        
\ No newline at end of file
diff --git a/yara_rules/icedid_chm_ttp.yar b/yara_rules/icedid_chm_ttp.yar
new file mode 100644
index 0000000..d6aad80
--- /dev/null
+++ b/yara_rules/icedid_chm_ttp.yar
@@ -0,0 +1,23 @@
+import "magic"
+        
+rule icedid_chm_ttp {
+    meta:
+        id = "cae771d4-a9cf-4325-81b3-c00090cbc05e"
+        version = "1.0"
+        description = "IcedID campaign delivering ISO file with CHM attack chain"
+        author = "Sekoia.io"
+        creation_date = "2022-09-28"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $hta1 = "<HTA:APPLICATION " ascii
+        $hta2 = "<script language=\"Javascript\">" ascii
+        $hta3 = "ActiveXObject" ascii
+        $hta4 = "cmd /c rundll32 \\" ascii
+        $chm1 = "CHM" ascii
+        $chm2 = ".htm" ascii
+        
+    condition:
+        3 of ($hta*) and all of ($chm*) and magic.mime_type() == "application/x-iso9660-image" and filesize > 500KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/implant_any_sliver.yar b/yara_rules/implant_any_sliver.yar
new file mode 100644
index 0000000..bc501cf
--- /dev/null
+++ b/yara_rules/implant_any_sliver.yar
@@ -0,0 +1,29 @@
+rule implant_any_sliver {
+    meta:
+        id = "4b16f28a-2048-4044-8620-8e7a1651f2b1"
+        author = "Sekoia.io"
+        creation_date = "2021-11-08"
+        description = "Rule which detects any Sliver implant PE/Dlls/ELFs/MAC-O."
+        version = "1.1"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = ").GetActiveC2" ascii
+        $s2 = ").GetVersion" ascii
+        $s3 = ").GetReconnectInterval" ascii
+        $s4 = ").GetProxyURL" ascii
+        $s5 = ").GetPollInterval" ascii
+        
+    condition:
+        ( uint16be(0) == 0x4d5a or
+        uint32be(0) == 0x7f454c46 or
+        uint32be(0) == 0xcffaedfe
+        ) and (
+            true and
+            filesize < 11MB and
+            filesize > 7MB
+        ) and (
+            all of ($s*)
+        )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/implant_any_sliver_not_stripped.yar b/yara_rules/implant_any_sliver_not_stripped.yar
new file mode 100644
index 0000000..c9e238a
--- /dev/null
+++ b/yara_rules/implant_any_sliver_not_stripped.yar
@@ -0,0 +1,25 @@
+rule implant_any_sliver_not_stripped {
+    meta:
+        id = "35543c7c-c39b-4f96-b37c-1d27736e40fc"
+        author = "Sekoia.io"
+        creation_date = "2021-11-08"
+        modification_date = "2021-12-22"
+        description = "Rule which detects non stripped Sliver PE/Dlls/ELFs/MAC-O."
+        version = "1.1"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $a1 = "github.com/bishopfox/sliver/implant/sliver/"
+        
+    condition:
+        (
+        uint16be(0) == 0x4d5a or
+        uint32be(0) == 0x7f454c46 or
+        uint32be(0) == 0xcffaedfe
+        )
+        
+        and filesize < 11MB
+        and filesize > 8MB
+        and #a1 > 200
+}
+        
\ No newline at end of file
diff --git a/yara_rules/implant_lin_geacon.yar b/yara_rules/implant_lin_geacon.yar
new file mode 100644
index 0000000..81941a3
--- /dev/null
+++ b/yara_rules/implant_lin_geacon.yar
@@ -0,0 +1,36 @@
+rule implant_lin_geacon {
+    meta:
+        id = "ad71522e-270b-47d0-9c01-081f05a2b72a"
+        version = "1.0"
+        description = "Finds Geacon samples based on specific strings"
+        author = "Sekoia.io"
+        creation_date = "2024-01-11"
+        classification = "TLP:CLEAR"
+        reference = "https://www.sentinelone.com/blog/geacon-brings-cobalt-strike-capabilities-to-macos-threat-actors/"
+        
+    strings:
+        $gea01 = "geacon/config.init" ascii
+        $gea02 = "geacon_pro-master/config/config.go" ascii
+        $gea03 = "geacon_plus-main/config/config.go" ascii
+        $gea04 = "command type %d is not support by geacon now" ascii
+        $gea05 = "main/sysinfo.GeaconID" ascii
+        
+        $str01 = "command.StealToken" ascii
+        $str02 = "command.MakeToken" ascii
+        $str03 = "command/misc.go" ascii
+        $str04 = "config/c2profile.go" ascii
+        $str05 = "crypt.AesCBCDecrypt" ascii
+        $str06 = "packet.File_Browse" ascii
+        $str07 = "packet.FirstBlood" ascii
+        $str08 = "packet.ParseCommandShell" ascii
+        $str09 = "packet.ParseCommandUpload" ascii
+        $str10 = "packet.PushResult" ascii
+        $str11 = "sysinfo.GetComputerName" ascii
+        $str12 = "sysinfo.IsOSX64" ascii
+        $str13 = "util..inittask" ascii
+        
+    condition:
+        uint32(0) == 0x464C457F and
+        ((1 of ($gea*) and 2 of ($str*)) or 8 of ($str*))
+}
+        
\ No newline at end of file
diff --git a/yara_rules/implant_lin_lightning.yar b/yara_rules/implant_lin_lightning.yar
new file mode 100644
index 0000000..d43c48a
--- /dev/null
+++ b/yara_rules/implant_lin_lightning.yar
@@ -0,0 +1,28 @@
+rule implant_lin_lightning {
+    meta:
+        id = "56f53e89-3b63-4ce7-a3c8-da0ba37246f1"
+        version = "1.0"
+        description = "Detect the Lightning framework (Core & Downloader plugin)"
+        author = "Sekoia.io"
+        creation_date = "2022-07-21"
+        classification = "TLP:CLEAR"
+        reference = "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"
+        
+    strings:
+        $ = "{\"ComputerName\":\"%s\",\"Guid\":\"%s\",\"RequestName\":\"%s\",\"Licence\":\"%s\"}"
+        $ = "kill -9 %s"
+        $ = "{%08X-%04X-%04X-%04X-%04X%04X%04X}"
+        $ = "sleep 60 && ./%s &"
+        $ = "cat /sys/class/net/%s/address"
+        $ = "/usr/bin/netstat"
+        $ = "/usr/bin/whoami"
+        $ = "/usr/bin/su"
+        $ = "dup2: %s"
+        $ = "Linux.Plugin.Kernel_%s"
+        $ = "Lightning"
+        
+    condition:
+        uint32(0)==0x464c457f
+        and 9 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/implant_mac_rustbucket.yar b/yara_rules/implant_mac_rustbucket.yar
new file mode 100644
index 0000000..a7184c3
--- /dev/null
+++ b/yara_rules/implant_mac_rustbucket.yar
@@ -0,0 +1,22 @@
+rule implant_mac_rustbucket {
+    meta:
+        id = "fcbb745d-7f56-4c51-9db5-427da22a0c68"
+        version = "1.0"
+        description = "Detect the RustBucket malware"
+        author = "Sekoia.io"
+        creation_date = "2023-04-24"
+        classification = "TLP:CLEAR"
+        hash = "9ca914b1cfa8c0ba021b9e00bda71f36cad132f27cf16bda6d937badee66c747"
+        reference = "https://www.jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/"
+        
+    strings:
+        $ = "/Users/hero/"
+        $ = "PATHIpv6Ipv4Bodyslotpath"
+        $macho_magic = {CF FA ED FE}
+        $java_magic = {CA FE BA BE}
+        
+    condition:
+        ($macho_magic at 0 or $java_magic at 0) 
+        and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/implant_mac_smoothoperator_update_agent.yar b/yara_rules/implant_mac_smoothoperator_update_agent.yar
new file mode 100644
index 0000000..1e4f9d2
--- /dev/null
+++ b/yara_rules/implant_mac_smoothoperator_update_agent.yar
@@ -0,0 +1,19 @@
+rule implant_mac_smoothoperator_update_agent {
+    meta:
+        id = "45a1d0d9-083b-4b4a-b53c-e5d86f804f01"
+        version = "1.0"
+        description = "UpdateAgent payload delivered by SmoothOperator during the 3CX supply chain attack"
+        author = "Sekoia.io"
+        creation_date = "2023-07-04"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "3CX Desktop App/.main_storage"
+        $ = "3CX Desktop App/config.json"
+        $ = "3cx_auth_token_content=%s"
+        $ = "3cx_auth_id=%s"
+        
+    condition:
+        uint32be(0)==0xcffaedfe and 2 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/implant_macos_geacon.yar b/yara_rules/implant_macos_geacon.yar
new file mode 100644
index 0000000..1e68d87
--- /dev/null
+++ b/yara_rules/implant_macos_geacon.yar
@@ -0,0 +1,36 @@
+rule implant_macos_geacon {
+    meta:
+        id = "a7784bfa-66a7-47df-b88b-d98217d8cca5"
+        version = "1.0"
+        description = "Finds Geacon samples based on specific strings"
+        author = "Sekoia.io"
+        reference = "https://www.sentinelone.com/blog/geacon-brings-cobalt-strike-capabilities-to-macos-threat-actors/"
+        creation_date = "2024-01-11"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $gea01 = "geacon/config.init" ascii
+        $gea02 = "geacon_pro-master/config/config.go" ascii
+        $gea03 = "geacon_plus-main/config/config.go" ascii
+        $gea04 = "command type %d is not support by geacon now" ascii
+        $gea05 = "main/sysinfo.GeaconID" ascii
+        
+        $str01 = "command.StealToken" ascii
+        $str02 = "command.MakeToken" ascii
+        $str03 = "command/misc.go" ascii
+        $str04 = "config/c2profile.go" ascii
+        $str05 = "crypt.AesCBCDecrypt" ascii
+        $str06 = "packet.File_Browse" ascii
+        $str07 = "packet.FirstBlood" ascii
+        $str08 = "packet.ParseCommandShell" ascii
+        $str09 = "packet.ParseCommandUpload" ascii
+        $str10 = "packet.PushResult" ascii
+        $str11 = "sysinfo.GetComputerName" ascii
+        $str12 = "sysinfo.IsOSX64" ascii
+        $str13 = "util..inittask" ascii
+        
+    condition:
+        uint32(0) == 0xFEEDFACF and
+        ((1 of ($gea*) and 2 of ($str*)) or 8 of ($str*))
+}
+        
\ No newline at end of file
diff --git a/yara_rules/implant_mul_alchimist.yar b/yara_rules/implant_mul_alchimist.yar
new file mode 100644
index 0000000..23f5946
--- /dev/null
+++ b/yara_rules/implant_mul_alchimist.yar
@@ -0,0 +1,22 @@
+rule implant_mul_alchimist {
+    meta:
+        version = "1.0"
+        description = "Detect the Alchimist implant based on strings"
+        author = "Sekoia.io"
+        creation_date = "2022-10-18"
+        id = "66330cc6-a7da-4717-9977-0cede48f46f5"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "POST /users/loginpage.html HTTP/1.1" ascii
+        $str02 = "pm3/apps/Insekt/main.go" ascii
+        $str03 = "generate new insekt err" ascii
+        $str04 = "[SHELLCODE][filesize]:[scan]" ascii
+        $str05 = "\\Device\\NamedPipe\\cygwinbad" ascii
+        $str06 = "pm3/utils.GetTmpDir" ascii
+        $str07 = "os/exec.Command" ascii
+        
+    condition:
+        (uint16(0)==0x5A4D or uint32(0)==0x464C457F) and 5 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/implant_win_apt29_2022_10.yar b/yara_rules/implant_win_apt29_2022_10.yar
new file mode 100644
index 0000000..d2684b1
--- /dev/null
+++ b/yara_rules/implant_win_apt29_2022_10.yar
@@ -0,0 +1,21 @@
+import "pe"
+import "hash"
+        
+rule implant_win_apt29_2022_10 {
+    meta:
+        id = "0f270e75-f687-4fdc-a980-fde81107a4d6"
+        version = "1.0"
+        description = "APT29 implants from October 2022"
+        author = "Sekoia.io"
+        creation_date = "2023-02-15"
+        classification = "TLP:CLEAR"
+        hash1 = "1cffaf3be725d1514c87c328ca578d5df1a86ea3b488e9586f9db89d992da5c4"
+        hash2 = "381a3c6c7e119f58dfde6f03a9890353a20badfa1bfa7c38ede62c6b0692103c"
+        
+    condition:
+        pe.imphash() == "39b818e7bac0a276f509f8c47e467666"
+        or for any i in (0..pe.number_of_sections-1) : (
+            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "6621113d9f212c71b8dd3ce85c62b251"
+        )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/implant_win_flagpro.yar b/yara_rules/implant_win_flagpro.yar
new file mode 100644
index 0000000..3099dc6
--- /dev/null
+++ b/yara_rules/implant_win_flagpro.yar
@@ -0,0 +1,27 @@
+rule implant_win_flagpro {
+    meta:
+        id = "08dd2de4-b359-424f-af04-7f294d519363"
+        version = "1.0"
+        description = "Detect the Flagpro malware used by Blacktech"
+        author = "Sekoia.io"
+        creation_date = "2022-04-22"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "<BODY ID=CV20_LoaderDlg BGCOLOR=LIGHTGREY style=\"font-family:MS Shell Dlg;font-size:8\">" ascii
+        $ = "<TABLE WIDTH=100% HEIGHT=100%>" ascii
+        $ = "<TR WIDTH=100% HEIGHT=45%>" ascii
+        $ = "<TD ALIGN=CENTER VALIGN=BOTTOM>" ascii
+        $ = "TODO: Place controls here." ascii
+        $ = "<TD ALIGN=RIGHT VALIGN=BOTTOM>" ascii
+        $ = "<BUTTON STYLE=\"WIDTH:100\" ID=\"ButtonHelp\">Help</BUTTON>&nbsp;&nbsp;<BUTTON STYLE=\"WIDTH:100\" ID=\"ButtonOK\">OK</BUTTON>&nbsp;<BUTTON STYLE=\"WIDTH:100\" ID=\"ButtonCancel\">Cancel</BUTTON>" ascii
+        
+        $about_loader = /About V[0-9]+\.[0-9]+_Loader.../ wide
+        $path = "f:\\dd\\vctools\\vc7libs\\ship\\atlmfc\\include\\" wide
+        $regitry = "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\" wide
+        
+    condition:
+        uint16(0)==0x5A4D
+        and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/implant_win_geacon.yar b/yara_rules/implant_win_geacon.yar
new file mode 100644
index 0000000..2602689
--- /dev/null
+++ b/yara_rules/implant_win_geacon.yar
@@ -0,0 +1,36 @@
+rule implant_win_geacon {
+    meta:
+        id = "064eabe0-aee5-4e5e-9f5e-69b32b1ba0da"
+        version = "1.0"
+        description = "Finds Geacon samples based on specific strings"
+        author = "Sekoia.io"
+        creation_date = "2024-01-11"
+        classification = "TLP:CLEAR"
+        reference = "https://www.sentinelone.com/blog/geacon-brings-cobalt-strike-capabilities-to-macos-threat-actors/"
+        
+    strings:
+        $gea01 = "geacon/config.init" ascii
+        $gea02 = "geacon_pro-master/config/config.go" ascii
+        $gea03 = "geacon_plus-main/config/config.go" ascii
+        $gea04 = "command type %d is not support by geacon now" ascii
+        $gea05 = "main/sysinfo.GeaconID" ascii
+        
+        $str01 = "command.StealToken" ascii
+        $str02 = "command.MakeToken" ascii
+        $str03 = "command/misc.go" ascii
+        $str04 = "config/c2profile.go" ascii
+        $str05 = "crypt.AesCBCDecrypt" ascii
+        $str06 = "packet.File_Browse" ascii
+        $str07 = "packet.FirstBlood" ascii
+        $str08 = "packet.ParseCommandShell" ascii
+        $str09 = "packet.ParseCommandUpload" ascii
+        $str10 = "packet.PushResult" ascii
+        $str11 = "sysinfo.GetComputerName" ascii
+        $str12 = "sysinfo.IsOSX64" ascii
+        $str13 = "util..inittask" ascii
+        
+    condition:
+        uint16(0) == 0x5A4D and
+        ((1 of ($gea*) and 2 of ($str*)) or 8 of ($str*))
+}
+        
\ No newline at end of file
diff --git a/yara_rules/implant_win_graphiron_downloader.yar b/yara_rules/implant_win_graphiron_downloader.yar
new file mode 100644
index 0000000..f9f248d
--- /dev/null
+++ b/yara_rules/implant_win_graphiron_downloader.yar
@@ -0,0 +1,23 @@
+import "pe"
+import "hash"
+        
+rule implant_win_graphiron_downloader {
+    meta:
+        id = "c50c4bd2-3828-43bf-b45c-8e911c298536"
+        version = "1.0"
+        description = "Detect the downloader of Graphiron"
+        author = "Sekoia.io"
+        creation_date = "2023-02-10"
+        classification = "TLP:CLEAR"
+        hash1 = "0d0a675516f1ff9247f74df31e90f06b0fea160953e5e3bada5d1c8304cfbe63"
+        hash2 = "878450da2e44f5c89ce1af91479b9a9491fe45211fee312354dfe69e967622db"
+        
+    condition:
+        for any i in (0..pe.number_of_sections-1) : (
+            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "1b614f8d813125f56d2e772ed0ca5dae"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "5c6496d33de5a35bd38ddb12d8b42e03"
+        )
+        and filesize > 3MB
+        and filesize < 6MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/implant_win_havoc_default_strings.yar b/yara_rules/implant_win_havoc_default_strings.yar
new file mode 100644
index 0000000..ea11f41
--- /dev/null
+++ b/yara_rules/implant_win_havoc_default_strings.yar
@@ -0,0 +1,24 @@
+rule implant_win_havoc_default_strings {
+    meta:
+        version = "1.0"
+        author = "Sekoia.io"
+        description = "Finds Havoc implants based on the embedded default strings"
+        creation_date = "2022-10-07"
+        id = "955c2211-4502-4258-ba4c-0d96a5624283"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "C:\\Windows\\System32\\notepad.exe" ascii
+        $str02 = "C:\\Windows\\SysWOW64\\notepad.exe" ascii
+        $str03 = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36" ascii
+        $str04 = "POST" wide
+        $str05 = "\\??\\C:\\Windows\\System32\\ntdll.dll" wide
+        $str06 = "X-Havoc: true" ascii
+        $str07 = "X-Havoc-Agent: Demon" ascii
+        $str08 = "/text.gif" ascii
+        $str09 = "SeImpersonatePrivilege" ascii
+        
+    condition:
+        uint16(0)==0x5A4D and 6 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/implant_win_incontroller.yar b/yara_rules/implant_win_incontroller.yar
new file mode 100644
index 0000000..3f9b4d6
--- /dev/null
+++ b/yara_rules/implant_win_incontroller.yar
@@ -0,0 +1,50 @@
+import "pe"
+import "hash"
+        
+rule implant_win_incontroller {
+    meta:
+        id = "c346c6ea-c5c0-4e9f-a632-1e8ed0286fbc"
+        version = "1.0"
+        description = "Detect the INCONTROLLER implant "
+        author = "Sekoia.io"
+        creation_date = "2022-04-14"
+        classification = "TLP:CLEAR"
+        hash = "69296ca3575d9bc04ce0250d734d1a83c1348f5b6da756944933af0578bd41d2"
+        reference = "https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool"
+        
+    strings:
+        $ = "AsRockDrv.sys" ascii
+        $ = "C:\\Users\\User1\\Desktop\\dev projects\\SignSploit1\\x64\\Release\\AsrDrv_exploit.pdb" ascii
+        $ = "found map in %.3f sec physical address : %016I64x" ascii
+        $ = "get physical regions error : %x!"
+        $ = "Device AsrDrv103 was opened successefuly!" ascii
+        $ = "Ioctl handler AsrDrv103 was found successefuly!" ascii
+        $ = "cant open the AsrDrv103!" ascii
+        $ = "can't read a unsigned driver ! " ascii
+        $ = "cant drop and load exploatable driver ! " ascii
+        $ = "please set unsigned driver as argument to program!" ascii
+        $ = "\\DosDevices\\AsrDrv103" wide
+        $t = "This program cannot be run in DOS mode."
+        
+    condition:
+        (uint16(0)==0x5A4D
+        and 4 of them
+        and filesize < 800KB
+        and #t == 2)
+        
+        // Imphash
+        or pe.imphash() == "f139e860bc959a7e65a008399425c090"
+        
+        // Section MD5
+        or for any i in (0..pe.number_of_sections-1) : (
+            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "a2fe4d32d74354c391a283178f0291e6"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "c33f9caa68fe46c6996a928ba5a38fd6"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "d9a1f1a4d48906da1d9f33eae0f0eaef"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "76426b0209a87fa32ca28e9f2361be67"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "9e63a5064b755925598b8d72ace52dc9"
+        )
+        
+        // Rich Header
+        or hash.md5(pe.rich_signature.clear_data) == "140d7fb360dbebb03edab903b5d08285"
+}
+        
\ No newline at end of file
diff --git a/yara_rules/implant_win_knotweed_jumplump.yar b/yara_rules/implant_win_knotweed_jumplump.yar
new file mode 100644
index 0000000..553ae11
--- /dev/null
+++ b/yara_rules/implant_win_knotweed_jumplump.yar
@@ -0,0 +1,76 @@
+import "pe"
+        
+rule implant_win_knotweed_jumplump {
+    meta:
+        id = "8f8cec7a-624b-4306-87f4-bde8ccc3a2d0"
+        version = "1.0"
+        author = "Sekoia.io"
+        creation_date = "2022-07-27"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "DllCanUnloadNow"
+        $s2 = "DllGetClassObject"
+        $s3 = "_initterm"
+        $s4 = "__C_specific_handler"
+        $s5 = "HeapFree"
+        $s6 = "EnterCriticalSection"
+        $s7 = "EventUnregister"
+        $s8 = "LeaveCriticalSection"
+        $s9 = "WaitForSingleObject"
+        $s10 = "GetCurrentThreadId"
+        $s11 = "GetLastError"
+        $s12 = "CloseHandle"
+        $s13 = "HeapAlloc"
+        $s14 = "EventRegister"
+        $s15 = "GetProcAddress"
+        $s16 = "DeleteCriticalSection"
+        $s17 = "GetCurrentProcessId"
+        $s18 = "GetProcessHeap"
+        $s19 = "DisableThreadLibraryCalls"
+        $s20 = "Sleep"
+        $s21 = "RtlCaptureContext"
+        $s22 = "RtlLookupFunctionEntry"
+        $s23 = "RtlVirtualUnwind"
+        $s24 = "UnhandledExceptionFilter"
+        $s25 = "SetUnhandledExceptionFilter"
+        $s26 = "GetCurrentProcess"
+        $s27 = "TerminateProcess"
+        $s28 = "QueryPerformanceCounter"
+        $s29 = "GetSystemTimeAsFileTime"
+        $s30 = "GetTickCount"
+        $s31 = "CoCreateInstance"
+        $s32 = "RegCloseKey"
+        $s33 = "GetModuleFileNameW"
+        $s34 = "RegCreateKeyExW"
+        $s35 = "RegSetValueExW"
+        $s36 = "LocalFree"
+        $s37 = "RegOpenKeyExW"
+        $s38 = "OLEAUT32.dll"
+        $s39 = "memcpy"
+        $s40 = "memcmp"
+        $s41 = "memset"
+        $s42 = "LoadLibraryW"
+        $s43 = "OpenProcessToken"
+        $s44 = "DllRegisterServer"
+        $s45 = "DllUnregisterServer"
+        $s46 = "040904B0" wide
+        
+        $api_hash1 = {5D 44 11 FF} //GetModuleFileNameW
+        $api_hash2 = {4C 77 D6 07} //LoadLibraryW
+        $api_hash3 = {38 68 0D 16} //CreateThread
+        $api_hash4 = {40 DE CE 72} //GetWindowsDirectoryW
+        $api_hash5 = {08 87 1D 60} //WaitForSingleObject
+        $api_hash6 = {26 C6 0B 1B} //OpenProcessToken
+        $api_hash7 = {0C DC 67 55} //GetTokenInformation
+        $api_hash8 = {AA C5 E2 5D} //GetLastError
+        $api_hash9 = {C6 96 87 52} //CloseHandle
+        $api_hash10 = {F8 8E C2 92} //IsWellKnownSid
+        
+    condition:
+        uint16(0)==0x5A4D
+        and pe.number_of_sections == 7
+        and all of ($s*)
+        and 1 of ($api_hash*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/implant_win_lyceum.yar b/yara_rules/implant_win_lyceum.yar
new file mode 100644
index 0000000..c56ca8c
--- /dev/null
+++ b/yara_rules/implant_win_lyceum.yar
@@ -0,0 +1,31 @@
+import "pe"
+import "hash"
+        
+rule implant_win_lyceum {
+    meta:
+        id = "e061562f-9c17-4ef4-b7f9-2c6708bb6570"
+        version = "1.0"
+        description = "Detect the DnsSystem malware used by Lyceum in March 2022"
+        author = "Sekoia.io"
+        creation_date = "2022-06-13"
+        classification = "TLP:CLEAR"
+        reference = "https://www.zscaler.com/blogs/security-research/lyceum-net-dns-backdoor"
+        
+    strings:
+        $ = "$02c7afab-7f96-4dfa-b452-832e3624e270" ascii
+        $ = "C:\\Users\\u1\\Downloads\\Compressed\\article_src\\DnsDig\\DnsDig\\obj\\Release\\DnsDig.pdb" ascii
+        
+    condition:
+        uint16(0)==0x5A4D and 1 of them
+        
+        // Section
+        or for any i in (0..pe.number_of_sections-1) : (
+            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "d0e0c140e4831f835bcdcc6b463f3acc"
+        )
+        
+        // Resource
+        or for any i in (0..pe.number_of_resources-1) : (
+            hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "22c92a1ba6ffd828637d7045261db7a45608ddd6d7c85836af011b3c679c725f"
+        )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/implant_win_magicrat.yar b/yara_rules/implant_win_magicrat.yar
new file mode 100644
index 0000000..c4b63e1
--- /dev/null
+++ b/yara_rules/implant_win_magicrat.yar
@@ -0,0 +1,25 @@
+import "pe"
+import "hash"
+        
+rule implant_win_magicrat {
+    meta:
+        id = "74973682-b214-48ee-98c3-f4b6bef76587"
+        version = "1.0"
+        description = "Detect Lazarus' MagicRAT"
+        author = "Sekoia.io"
+        creation_date = "2022-09-13"
+        classification = "TLP:CLEAR"
+        reference = "https://blog.talosintelligence.com/2022/09/lazarus-magicrat.html"
+        hash1 = "9dc04153455d054d7e04d46bcd8c13dd1ca16ab2995e518ba9bf33b43008d592"
+        hash2 = "c2904dc8bbb569536c742fca0c51a766e836d0da8fac1c1abd99744e9b50164f"
+        hash3 = "f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332"
+        
+    condition:
+        uint16(0)==0x5A4D
+        and filesize > 15MB
+        and for any i in (0..pe.number_of_sections-1) : (
+            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "39dfb9f035cba21ffd90973904f90469"
+            and pe.sections[i].name == ".qtmetad"
+        )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/implant_win_mysterysnail.yar b/yara_rules/implant_win_mysterysnail.yar
new file mode 100644
index 0000000..7da5e8b
--- /dev/null
+++ b/yara_rules/implant_win_mysterysnail.yar
@@ -0,0 +1,28 @@
+import "pe"
+import "hash"
+        
+rule implant_win_mysterysnail {
+    meta:
+        id = "dfd2eba8-eb9c-411a-b5e0-663593453e3d"
+        version = "1.0"
+        description = "Detect the MysterySnail using section hashes"
+        author = "Sekoia.io"
+        creation_date = "2021-10-13"
+        classification = "TLP:CLEAR"
+        
+    condition:
+        uint16(0)==0x5A4D and (
+            pe.imphash() == "de0c9e6aec27d278ccdb6718b3e96e32"
+            or for any i in (0..pe.number_of_sections-1) : (
+                hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "a41b6fb1cc34d6393e30c13a58f6ecd4"
+                or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "f263a2be76694feab7e2ce79ecf8b724"
+                or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "e9056ae96619d7aa18daa973da592afc"
+                or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "3e38e89e9e8329f5cff8a7022d88fff7"
+                or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "ce78f8599167c63e8f1c8d3e789c4a60"
+                or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "456d4f1096bf5c72cd6e1e3eb9980ec6"
+                or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "37e2bff637001fc64566fe651757f66e"
+            )
+            or hash.md5(pe.rich_signature.clear_data) == "e4116fffa240ba6d91b400541ce85182"
+        )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/implant_win_pingpull.yar b/yara_rules/implant_win_pingpull.yar
new file mode 100644
index 0000000..5ff192b
--- /dev/null
+++ b/yara_rules/implant_win_pingpull.yar
@@ -0,0 +1,17 @@
+rule implant_win_pingpull {
+    meta:
+        id = "521615d4-912b-4581-b5a9-a8b158ac9496"
+        version = "1.0"
+        description = "Detect the PingPull malware used by GALLUM in 2022"
+        author = "Sekoia.io"
+        creation_date = "2022-06-13"
+        classification = "TLP:CLEAR"
+        reference = "https://unit42.paloaltonetworks.com/pingpull-gallium/#Protections-and-Mitigations"
+        
+    strings:
+        $ = "PROJECT_%s_%s_%08X"
+        
+    condition:
+        uint16(0)==0x5A4D and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/implant_win_quantum_builder_lnk.yar b/yara_rules/implant_win_quantum_builder_lnk.yar
new file mode 100644
index 0000000..eb18bac
--- /dev/null
+++ b/yara_rules/implant_win_quantum_builder_lnk.yar
@@ -0,0 +1,45 @@
+rule implant_win_quantum_builder_lnk {
+    meta:
+        id = "65f8a426-8bf3-4f7f-b7d2-fd8da5b660f7"
+        version = "1.0"
+        description = "Detect .LNK files created using Quantum Builder"
+        author = "Sekoia.io"
+        creation_date = "2022-06-22"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $magic_lnk = { 4C 00 00 00 01 14 02 00 }
+        $powershell_ascii = "\\WindowsPowerShell\\v1.0\\powershell.exe"
+        $powershell_wide = "powershell.exe" wide
+        
+        $start = "<#" wide
+        $end = "#>" wide
+        $foreach = "=$Null;foreach(" wide
+        $return = "};return" wide
+        $char = "[char]" wide
+        
+        $aes = "New-Object 'System.Security.Cryptography.AesManaged'" wide nocase
+        $base64 = "[System.Convert]::FromBase64String" wide nocase
+        $decryptor = "CreateDecryptor();" wide nocase
+        
+    condition:
+        $magic_lnk at 0
+        and all of ($powershell*)
+        
+        and (
+            // Obfuscated
+            $start
+            and $end
+            and $foreach
+            and $return
+            and $char
+            
+            or
+            
+            // AES + Base64
+            $aes
+            and $base64
+            and $decryptor
+        )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/implant_win_quasarrat.yar b/yara_rules/implant_win_quasarrat.yar
new file mode 100644
index 0000000..ca30238
--- /dev/null
+++ b/yara_rules/implant_win_quasarrat.yar
@@ -0,0 +1,26 @@
+rule implant_win_quasarrat {
+    meta:
+        id = "492fdffc-8e5f-4225-a2eb-cd6d80e6bcb8"
+        version = "1.0"
+        description = "Detect QuasarRAT (reted from samples 2023-03)"
+        author = "Sekoia.io"
+        creation_date = "2023-03-17"
+        classification = "TLP:CLEAR"
+        reference = "https://blog.alyac.co.kr/5103"
+        
+    strings:
+        // chcp 65001
+        $ = {63 00 68 00 63 00 70 00 20 00 36 00 35 00 30 00 30 00 31 00}
+        // echo DONT CLOSE THIS WINDOW!
+        $ = {65 00 63 00 68 00 6f 00 20 00 44 00 4f 00 4e 00 54 00 20 00 43 00 4c 00 4f 00 53 00 45 00 20 00 54 00 48 00 49 00 53 00 20 00 57 00 49 00 4e 00 44 00 4f 00 57 00 21 00}
+        // ping -n 10 localhost > nul
+        $ = {70 00 69 00 6e 00 67 00 20 00 2d 00 6e 00 20 00 31 00 30 00 20 00 6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 20 00 3e 00 20 00 6e 00 75 00 6c 00}
+        // del /a /q /f "
+        $ = {64 00 65 00 6c 00 20 00 2f 00 61 00 20 00 2f 00 71 00 20 00 2f 00 66 00 20 00 22 00}
+        $ = "DoShellExecute"
+        $ = "DoDownloadFile"
+        
+    condition:
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/implant_win_sliver_dll.yar b/yara_rules/implant_win_sliver_dll.yar
new file mode 100644
index 0000000..747b0c8
--- /dev/null
+++ b/yara_rules/implant_win_sliver_dll.yar
@@ -0,0 +1,33 @@
+import "pe"
+        
+rule implant_win_sliver_dll {
+    meta:
+        id = "41d83011-a08b-4245-b633-79fe6afaa4d2"
+        author = "Sekoia.io"
+        creation_date = "2021-11-08"
+        modification_date = "2021-12-22"
+        description = "Detect the Sliver DLL based on export names (standalone and process/memory dumps)"
+        version = "1.1"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $a1 = "main.RunSliver"
+        $a2 = "main.DllInstall"
+        
+    condition:
+        (   filesize > 8MB and
+        filesize < 11MB and
+        uint16be(0) == 0x4d5a and
+        pe.characteristics & pe.DLL and
+        pe.exports("RunSliver") and
+        pe.exports("DllInstall") and
+        pe.exports("VoidFunc")
+        )
+        or
+        (
+            true and ( uint32be(0) == 0x4d444d50 or
+            uint32be(0) == 0x00000000
+        ) and $a2 in (@a1..@a1+100)
+        )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/in2al5d_p3in4er_loader.yar b/yara_rules/in2al5d_p3in4er_loader.yar
new file mode 100644
index 0000000..57c8bc4
--- /dev/null
+++ b/yara_rules/in2al5d_p3in4er_loader.yar
@@ -0,0 +1,18 @@
+import "pe"
+        
+rule in2al5d_p3in4er_loader {
+    meta:
+        id = "6dd3046d-55fb-4bcc-8735-dbc0add4d570"
+        version = "1.0"
+        description = "Invalid printer loader detection based on the XOR key"
+        author = "Sekoia.io"
+        creation_date = "2023-04-24"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $xor_key = "in2al5d p3in4er" ascii fullword
+        
+    condition:
+        all of them and (filesize > 4MB and filesize < 7MB) and pe.is_pe
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_mac_realst.yar b/yara_rules/infostealer_mac_realst.yar
new file mode 100644
index 0000000..e8f4663
--- /dev/null
+++ b/yara_rules/infostealer_mac_realst.yar
@@ -0,0 +1,33 @@
+rule infostealer_mac_realst {
+    meta:
+        id = "16a89317-c92d-4e13-94d3-a85a915f52e5"
+        version = "1.0"
+        description = "Finds Realst Stealer samples based on specific strings"
+        author = "Sekoia.io"
+        reference = "https://iamdeadlyz.gitbook.io/malware-research/july-2023/fake-blockchain-games-deliver-redline-stealer-and-realst-stealer-a-new-macos-infostealer-malware#realst-stealer-macos"
+        creation_date = "2023-09-11"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str00 = "realst@" ascii
+        $str01 = "IP:" ascii
+        $str02 = "OS:" ascii
+        $str03 = "PC PASSWORD:" ascii
+        $str04 = "Cookies:" ascii
+        $str05 = "Wallets:" ascii
+        $str06 = "Apps:" ascii
+        $str07 = "USERNAME: ]" ascii
+        $str08 = "FILENAME:" ascii
+        $str09 = "multipart/form-data; boundary=" ascii
+        $str10 = "src/browsers/firefox/modules/decryptors.rs" ascii
+        $str11 = "{\"event_id\":\"" ascii
+        $str12 = "..browsers..firefox..modules..data_stealers.." ascii
+        $str13 = "..browsers..chromium..modules..key_stealers.." ascii
+        $str14 = "..browsers..firefox..modules..decryptors.." ascii
+        $str15 = "url: , login: , password:" ascii
+        
+    condition:
+        (uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca) //macho
+        and 13 of ($str*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_44caliber.yar b/yara_rules/infostealer_win_44caliber.yar
new file mode 100644
index 0000000..6d4e7b9
--- /dev/null
+++ b/yara_rules/infostealer_win_44caliber.yar
@@ -0,0 +1,29 @@
+rule infostealer_win_44caliber {
+    meta:
+        id = "44e5bbc1-f442-47d3-8431-25182f38439d"
+        version = "1.0"
+        description = "Finds samples of the 44Caliber stealer"
+        author = "Sekoia.io"
+        reference = "https://github.com/razexgod/44CALIBER"
+        creation_date = "2022-03-08"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str0 = "44 CALIBER" fullword ascii
+        $str1 = "https://api.vimeworld.ru/user/name/" wide
+        $str2 = "https://freegeoip.app/xml/" wide
+        $str3 = "SOFTWARE\\Wow6432Node\\Valve\\Steam" wide
+        $str4 = "VPN\\NordVPN\\\\accounts.txt" wide
+        $str5 = "OpenVPN Connect\\profiles" wide
+        $str6 = "FuckTheSystem Copyright"  wide
+        $str7 = "lolz.guru"  wide
+        $str8 = "xss.is" wide
+        $str9 = "Test message recieved successfully! :raised_hands:" wide
+        $str10 = "Specify a single character: either D or F" wide
+        
+    condition:
+        uint16(0)==0x5A4D and
+        9 of ($str*) and
+        filesize > 100KB and filesize < 1MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_acridrain_mar23.yar b/yara_rules/infostealer_win_acridrain_mar23.yar
new file mode 100644
index 0000000..067c377
--- /dev/null
+++ b/yara_rules/infostealer_win_acridrain_mar23.yar
@@ -0,0 +1,41 @@
+rule infostealer_win_acridrain_mar23 {
+    meta:
+        id = "049b502a-0fb6-4fa9-a1ce-f01a40269bdb"
+        version = "1.0"
+        description = "Finds AcridRain samples"
+        author = "Sekoia.io"
+        creation_date = "2023-03-21"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "\",\"r\":" ascii
+        $str02 = "\",\"s\":\"" ascii
+        $str03 = "\",\"p\":\"" ascii
+        $str04 = "\",\"a\":\"" ascii
+        $str05 = ",\"c\":" ascii
+        $str06 = ",\"g\" :" ascii
+        $str07 = "v7166637466625297979 t2537736810932639330 ath5ee645e0 altpriv cvcv=2 cexpw=1 smf=0" ascii
+        $str08 = "Content-Type: multipart/form-data; boundary=----974767299852498929531610575" ascii
+        $str09 = "\\Roaming\\Bitwarden\\data\\bitwarden.sqlite3" ascii
+        
+        $ste01 = "\\Roaming\\Exodus\\exodus.wallet" ascii
+        $ste02 = "\\Roaming\\Electron Cash\\wallets" ascii
+        $ste03 = "\\Roaming\\com.liberty.jaxx\\IndexedDB\\file__0.indexeddb.leveldb" ascii
+        $ste04 = "\\Local Extension Settings\\" ascii
+        $ste05 = "cnmamaachppnkjgnildpdmkaakejnhae" ascii
+        $ste06 = "ffnbelfdoeiohenkjibnmadjiehjhajb" ascii
+        $ste07 = "\\formhistory.sqlite" ascii
+        $ste08 = "\\logins.json" ascii
+        $ste09 = "encrypted_key" ascii
+        $ste10 = "\\Login Data" ascii
+        
+        $enc01 = "bX5cVw8FKyAKZVxXXUAdSTUXCXdCV0FoOxoSF0ZEUEZS" ascii
+        $enc02 = "bX5cVw8FKywUaVVbRlkyPAQAFCB1U0dV" ascii
+        $enc03 = "bX5cVw8FKzQvUBFhRkYINSIWA3IRdlJADw==" ascii
+        $enc04 = "bX5cVw8FKzYWdUVcWl8iCBU5NXBERl1dBTUiFgNyEXZSQA8=" ascii
+        $enc05 = "bWBcVQMAGQI6UEJbGGgeGxgDD2xUQW9QCw8WEAp0" ascii
+        
+    condition:
+        uint16(0) == 0x5A4D and 5 of ($str*) and 7 of ($ste*) and 1 of ($enc*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_acrstealer_str.yar b/yara_rules/infostealer_win_acrstealer_str.yar
new file mode 100644
index 0000000..3f6df98
--- /dev/null
+++ b/yara_rules/infostealer_win_acrstealer_str.yar
@@ -0,0 +1,30 @@
+rule infostealer_win_acrstealer_str {
+    meta:
+        id = "63b4d6ff-0cab-44ec-9d53-bb2612371a48"
+        version = "1.0"
+        description = "Finds ACR Stealer standalone samples based on specific strings."
+        author = "Sekoia.io"
+        creation_date = "2024-04-22"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "ref.txt" ascii
+        $str02 = "Wininet.dll" ascii
+        $str03 = "Content-Type: application/octet-stream; boundary=----" ascii
+        $str04 = "POST" ascii
+        $str05 = "os_c" ascii fullword
+        $str06 = "en_k" ascii fullword
+        $str07 = "MyApp/1.0" ascii
+        $str08 = "/Up/b" ascii
+        $str09 = "Hello, World!" ascii
+        $str10 = "/ujs/" ascii
+        $str11 = "/Up/" ascii fullword
+        $str12 = "ostr" ascii fullword
+        $str13 = "brCH" ascii fullword
+        $str14 = "brGk" ascii fullword
+        $str15 = "https://steamcommunity.com/profiles/" ascii
+        
+    condition:
+        uint16(0)==0x5A4D and 10 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_agrat.yar b/yara_rules/infostealer_win_agrat.yar
new file mode 100644
index 0000000..b5fe247
--- /dev/null
+++ b/yara_rules/infostealer_win_agrat.yar
@@ -0,0 +1,28 @@
+rule infostealer_win_agrat {
+    meta:
+        id = "472effe8-5044-4ca1-88e0-3e19d445b9d1"
+        version = "1.0"
+        author = "Sekoia.io"
+        creation_date = "2022-06-01"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str00 = "Vault.txt" wide
+        $str01 = "Credman.txt" wide
+        $str02 = "[Networks] {0}" wide
+        $str03 = "[Screenshot] {0}" wide
+        $str04 = "[Twitch] {0}" wide
+        $str05 = "Servers.txt" wide
+        $str06 = "[WindscribeVPN] {0}" wide
+        $str07 = "[{0}] Thread finished!" wide
+        $str08 = "[ERROR] Unable to enumerate vaults. Error (0x" wide
+        $str09 = "snowflake-ssh" wide
+        $str10 = "//setting[@name='Password']/value" wide
+        $str11 = "MakeScreenshot" ascii
+        
+        $sys = "System.Collections.Generic.IEnumerator<Stealer." ascii
+        
+    condition:
+        uint16(0)==0x5A4D and all of them and #sys > 10
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_aurora.yar b/yara_rules/infostealer_win_aurora.yar
new file mode 100644
index 0000000..1520500
--- /dev/null
+++ b/yara_rules/infostealer_win_aurora.yar
@@ -0,0 +1,36 @@
+rule infostealer_win_aurora {
+    meta:
+        version = "1.0"
+        description = "Finds Aurora samples based on characteristic strings"
+        author = "Sekoia.io"
+        creation_date = "2022-11-15"
+        id = "22ae81b4-647f-4b46-9b2a-dd96e0615d65"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str00 = "I'm a teapot" ascii
+        $str01 = "wmic cpu get name" ascii
+        $str02 = "wmic path win32_VideoController get" ascii
+        $str03 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Time Zones" ascii
+        $str04 = "Exodus\\exodus.wallet" ascii
+        $str05 = "PaliWallet" ascii
+        $str06 = "cookies.sqlite" ascii
+        $str07 = "Startup\\Documents\\User Data" ascii
+        $str08 = "atomic\\Local Storage\\leveldb" ascii
+        $str09 = "com.liberty.jaxx\\IndexedDB" ascii
+        $str10 = "Guarda\\Local Storage\\leveldb" ascii
+        $str11 = "AppData\\Roaming\\Telegram Desktop\\tdata" ascii
+        $str12 = "Ethereum\\keystore" ascii
+        $str13 = "Coin98" ascii
+        $str14 = ".bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.xml.zip" ascii
+        $str15 = "type..eq.main.Grabber" ascii
+        $str16 = "type..eq.main.Loader_A" ascii
+        $str17 = "type..eq.net/http.socksUsernamePassword" ascii
+        $str18 = "powershell" ascii
+        $str19 = "start-process" ascii
+        $str20 = "http/httpproxy" ascii
+        
+    condition:
+        uint16(0)==0x5A4D and 15 of them and filesize > 4MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_aurora_str.yar b/yara_rules/infostealer_win_aurora_str.yar
new file mode 100644
index 0000000..c53bf00
--- /dev/null
+++ b/yara_rules/infostealer_win_aurora_str.yar
@@ -0,0 +1,35 @@
+import "pe"
+        
+rule infostealer_win_aurora_str {
+    meta:
+        version = "1.0"
+        description = "Finds Aurora botnet samples based on characteristic strings."
+        author = "Sekoia.io"
+        creation_date = "2022-07-21"
+        id = "1f4391b8-700f-4702-9ef6-68ce3d55a176"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "Logs.tar" ascii
+        $str02 = "*main.StealerData" ascii
+        $str03 = "AppData\\Roaming\\Armory" ascii
+        $str04 = "AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data" ascii
+        $str05 = "github.com/TheTitanrain/w32" ascii
+        $str06 = "github.com/mattn/go-sqlite3" ascii
+        $str07 = "ScreenShot" ascii
+        $str08 = "*sql.stmtConnGrabber" ascii
+        $str09 = "Default\\Network\\Cookies" ascii
+        $str10 = "BuildID" ascii
+        $str11 = "Clipper" ascii
+        $str12 = "GeoPos" ascii
+        $str13 = "AppData\\Roaming\\Exodus\\exodus.wallet" ascii
+        $str14 = "FileGrabber\\Documents" ascii
+        $str15 = "193.233.48." ascii
+        $str16 = "ShellExecute" ascii
+        $str17 = "crypto/aes.(*aesCipherGCM).Encrypt" ascii
+        $str18 = "File-Download" ascii
+        
+    condition:
+        uint16(0)==0x5A4D and (14 of them or pe.imphash() == "8ee5c1c09f740fbe63e8b35dac5d6f70" or pe.imphash() == "369b4f5b6c99674f15070689e1f675af")
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_banditstealer.yar b/yara_rules/infostealer_win_banditstealer.yar
new file mode 100644
index 0000000..8f3d5c2
--- /dev/null
+++ b/yara_rules/infostealer_win_banditstealer.yar
@@ -0,0 +1,36 @@
+rule infostealer_win_banditstealer {
+    meta:
+        id = "d1e45a5c-c06d-4161-8d30-fa94bcf0ea7a"
+        version = "1.0"
+        description = "Finds BanditStealer samples based on specific strings"
+        author = "Sekoia.io"
+        creation_date = "2023-07-03"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $spe01 = "Banditstealer" ascii
+        $spe02 = "BANDIT STEALER" ascii
+        $spe03 = "Location: Geolocation: " ascii
+        $spe04 = "awesomeProject2/core.GetWallets" ascii
+        $spe05 = "awesomeProject2/core.GetCreditCards" ascii
+        $spe06 = "awesomeProject2/core.GetCookies" ascii
+        $spe07 = "awesomeProject2/core.KillProcessByName" ascii
+        $spe08 = "main.sendZipToTelegram" ascii
+        
+        $str01 = "json:\"city\"" ascii
+        $str02 = "UAC disabled" ascii
+        $str03 = "\\OpenVPN Connect\\profiles\\" ascii
+        $str04 = "\\Documents\\Monero\\wallets\\" ascii
+        $str05 = "cookies.sqlite" ascii
+        $str06 = "creditcard.txt" ascii
+        $str07 = "vmware.exe" ascii
+        $str08 = "aeachknmefphepccionboohckonoeemg" ascii
+        $str09 = "\\Documents\\NetSarang\\Xftp\\Sessions\\" ascii
+        $str10 = "\\WhatsApp\\Local Storage\\leveldb\\" ascii
+        $str11 = "Visited Time: %s" ascii
+        $str12 = "\\Google\\Chrome\\User Data\\Telegram Desktop\\tdata\\" ascii
+        
+    condition:
+        uint16(0) == 0x5a4d and 2 of ($spe*) and 6 of ($str*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_bebra.yar b/yara_rules/infostealer_win_bebra.yar
new file mode 100644
index 0000000..0b7c550
--- /dev/null
+++ b/yara_rules/infostealer_win_bebra.yar
@@ -0,0 +1,27 @@
+rule infostealer_win_bebra {
+    meta:
+        id = "e84d04a7-1232-47e5-b797-ac8e56066796"
+        version = "1.0"
+        description = "Find samples of Bebra Stealer based on specific strings"
+        author = "Sekoia.io"
+        creation_date = "2023-02-06"
+        classification = "TLP:CLEAR"
+        hash = "7841746c54c53dbcafdf3f357c7a84b90fe3b089e07f30dea15ef6f7f15b0f00"
+        
+    strings:
+        $str01 = "https://studio.youtube.com/youtubei/v1/att/esr?alt=json&key=" ascii
+        $str02 = "https://www.youtube.com/getAccountSwitcher" ascii
+        $str03 = "\"challenge\":\"" ascii
+        $str04 = "\"botguardResponse\":\"" ascii
+        $str05 = "\"continueUrl\":\"https://studio.youtube.com/reauth\"," ascii
+        $str06 = "\"flow\":\"REAUTH_FLOW_YT_STUDIO_COLD_LOAD\"," ascii
+        $str07 = "\"xguardClientStatus\":0" ascii
+        $str08 = "SAPISIDHASH" ascii
+        $str09 = "system32\\cmd.exe /C choice /C Y /N /D Y /T 0 &Del" ascii
+        $str10 = "/new.php" ascii
+        $str11 = "github.com/mattn/go-sqlite3" ascii
+        
+    condition:
+        uint16(0)==0x5A4D and 9 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_blackcap.yar b/yara_rules/infostealer_win_blackcap.yar
new file mode 100644
index 0000000..38b4321
--- /dev/null
+++ b/yara_rules/infostealer_win_blackcap.yar
@@ -0,0 +1,20 @@
+rule infostealer_win_blackcap {
+    meta:
+        id = "1aa1fadb-3413-46e2-b733-1ad2134f7be2"
+        version = "1.0"
+        description = "Finds BlackCap Grabber samples (Python code obfuscated using Py-Fuscate)"
+        author = "Sekoia.io"
+        creation_date = "2023-03-06"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $imp01 = "import asyncio, json, ntpath, random, re, shutil, sqlite3, subprocess, threading, winreg, zipfile, httpx, psutil, win32gui, win32con, pyperclip, base64, requests, ctypes, time" ascii
+        $imp02 = "from ctypes import windll, wintypes, byref, cdll, Structure, POINTER, c_char, c_buffer;from Crypto.Cipher import AES;from PIL import ImageGrab;from win32crypt import CryptUnprotectData" ascii
+        
+        $pyf01 = "import marshal,lzma,gzip,bz2,binascii,zlib;exec(marshal.loads(binascii.a2b_base64(b'YwAAAAAA" ascii
+        
+    condition:
+        ($imp01 in (0..500) and $pyf01 in (@imp01+200..@imp01+1000) or $imp02 in (0..1000) and $pyf01 in (@imp02+100..@imp02+500)) and
+        filesize > 100KB and filesize < 500KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_blackguard_mar23.yar b/yara_rules/infostealer_win_blackguard_mar23.yar
new file mode 100644
index 0000000..e1f4772
--- /dev/null
+++ b/yara_rules/infostealer_win_blackguard_mar23.yar
@@ -0,0 +1,25 @@
+rule infostealer_win_blackguard_mar23 {
+    meta:
+        id = "65804d31-2a0c-4b22-a8d9-8cbe1497f155"
+        version = "1.0"
+        description = "Finds BlackGuard samples based on specific strings (March 2023, version 5)"
+        author = "Sekoia.io"
+        creation_date = "2023-03-27"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "==================  5.0 ==============" wide
+        $str02 = "/concerts/disk.php" wide
+        $str03 = "/concerts/memory.php" wide
+        $str04 = "/loader_v2.txt" wide
+        $str05 = "io.solarwallet.app\\Local Storage\\leveldb" wide
+        $str06 = "costura.dotnetzip.dll.compressed" ascii wide
+        $str07 = "set_Laskakakaska" ascii
+        $str08 = "get_Yliana" ascii
+        $str09 = "set_Illeona" ascii
+        $str10 = "set_Gyttettfd" ascii
+        
+    condition:
+        uint16(0) == 0x5A4D and 4 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_blustealer.yar b/yara_rules/infostealer_win_blustealer.yar
new file mode 100644
index 0000000..15f2b0b
--- /dev/null
+++ b/yara_rules/infostealer_win_blustealer.yar
@@ -0,0 +1,30 @@
+rule infostealer_win_blustealer {
+    meta:
+        version = "1.0"
+        description = "Detect the BluStealer infostealer based on characteristic strings"
+        author = "Sekoia.io"
+        creation_date = "2022-10-05"
+        id = "a56b3c12-9d83-4a0b-81e8-43332e64d599"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $cha01 = "@top\\LOGGERS\\DARKCLOUD" wide
+        $cha02 = "===============DARKCLOUD===============" wide
+        $cha03 = "#######################################DARKCLOUD#######################################" wide
+        $cha04 = "fireballsabadafirebricksfisherboat" ascii
+        $cha05 = "Moonchild Pro2ductions" wide
+        
+        $str01 = "\\Microsoft\\Windows\\Templates\\credentials.txt" wide
+        $str02 = "\\NETGATE Technologies\\BlackHawK\\Profiles" wide
+        $str03 = "SysWOW64\\winsqlite3.dll" wide
+        $str04 = "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*RD_" wide
+        $str05 = "Expiry Date;" wide
+        $str06 = "SELECT c0subject, c3author, c4recipients, c1body  FROM messagesText_content" wide
+        $str07 = "http://www.mediacollege.com/internet/utilities/show-ip.shtml" wide
+        $str08 = "\\163MailContacts.txt" wide
+        $key_0  = {ba ?? ?? 40 00 8d 4?}
+        
+    condition:
+        uint16(0)==0x5A4D and 2 of ($cha*) and 4 of ($str*) and $key_0
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_cinoshistealer.yar b/yara_rules/infostealer_win_cinoshistealer.yar
new file mode 100644
index 0000000..fe8367d
--- /dev/null
+++ b/yara_rules/infostealer_win_cinoshistealer.yar
@@ -0,0 +1,30 @@
+rule infostealer_win_cinoshistealer {
+    meta:
+        id = "2e9c066b-d5e3-4a25-8954-c10af285bcd3"
+        version = "1.0"
+        description = "Finds Cinoshi Stealer samples based on specific strings, or PE resources"
+        author = "Sekoia.io"
+        creation_date = "2023-06-23"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "Anaida.exe" ascii wide
+        $str02 = "Anaida.pdb" ascii
+        $str03 = "embedder_download_data" ascii
+        $str04 = "date_password_modified" ascii
+        $str05 = "card_number_encrypted" ascii
+        $str06 = "set_UseZip64WhenSaving" ascii
+        $str07 = "set_CommandText" ascii
+        $str08 = "Nss3CouldNotBeLoaded" ascii
+        $str09 = "formhistory.sqlite" wide
+        $str10 = "logins.json" wide
+        $str11 = "\\nss3.dll" wide
+        $str12 = "\\cookies.sqlite" wide
+        $str13 = "\\places.sqlite" wide
+        $str14 = "\\autofill-profiles.json" wide
+        
+    condition:
+        uint16(0) == 0x5a4d and 9 of them 
+        and filesize > 400KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_daolpu_str.yar b/yara_rules/infostealer_win_daolpu_str.yar
new file mode 100644
index 0000000..211264f
--- /dev/null
+++ b/yara_rules/infostealer_win_daolpu_str.yar
@@ -0,0 +1,27 @@
+rule infostealer_win_daolpu_str {
+    meta:
+        id = "dde1cf12-48d8-45b6-b453-b7196e6b1271"
+        version = "1.0"
+        description = "Finds Daolpu Stealer samples based on specific strings."
+        author = "Sekoia.io"
+        reference = "https://www.crowdstrike.com/blog/fake-recovery-manual-used-to-deliver-unidentified-stealer/"
+        creation_date = "2024-07-23"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "Content-Type: %s%s%s" ascii
+        $str02 = "Content-Disposition: %s%s%s%s%s%s%s" ascii
+        $str03 = "\\CocCoc\\Browser\\User Data\\Local State" ascii
+        $str04 = "\\Microsoft\\Edge\\User Data\\Default\\Login Data" ascii
+        $str05 = "\\Mozilla\\Firefox\\Profiles" ascii
+        $str06 = "No MAC Address Found" ascii
+        $str07 = "C:\\Windows\\Temp\\" ascii
+        $str08 = "C:\\Windows\\Temp\\result.txt" ascii
+        $str09 = "Privatekey@2211#$" ascii
+        $str10 = "CryptStringToBinaryA Failed to convert BASE64 private key." ascii
+        $str11 = "taskkill /F /IM chrome.exe" ascii
+        
+    condition:
+        uint16(0)==0x5A4D and 8 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_doenerium_str.yar b/yara_rules/infostealer_win_doenerium_str.yar
new file mode 100644
index 0000000..ea43c0a
--- /dev/null
+++ b/yara_rules/infostealer_win_doenerium_str.yar
@@ -0,0 +1,30 @@
+rule infostealer_win_doenerium_str {
+    meta:
+        id = "1645a86f-1063-4e98-a1fa-85fc8c4e9691"
+        version = "1.0"
+        description = "Detect the Doenerium infostealer based on specific strings"
+        author = "Sekoia.io"
+        creation_date = "2022-09-29"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "doenerium" ascii
+        $str02 = "<================[   User Info   ]>================>" ascii
+        $str03 = "<================[WiFi connections]>================>" ascii
+        $str04 = "<================[Executable Info]>================>" ascii
+        $str05 = "<================[ Network Data ]>================>" ascii
+        $str06 = "\\Network Data.txt" ascii
+        $str07 = "\\Update.exe\" --processStart" ascii
+        $str09 = "\\WiFi Connections.txt" ascii
+        $str10 = "\\User Info.txt" ascii
+        $str11 = "\\Executable Info.txt" ascii
+        $str12 = "\\Found Wallets.txt" ascii
+        $str13 = "SELECT origin_url, username_value, password_value FROM logins" ascii
+        $str14 = "https://cdn.discordapp.com/embed/avatars/0.png" ascii
+        $str15 = "detectClipboard" ascii
+        $str16 = ".gofile.io/uploadFile" ascii
+        
+    condition:
+        uint16(0)==0x5A4D and 6 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_ducklogs.yar b/yara_rules/infostealer_win_ducklogs.yar
new file mode 100644
index 0000000..181af88
--- /dev/null
+++ b/yara_rules/infostealer_win_ducklogs.yar
@@ -0,0 +1,31 @@
+rule infostealer_win_ducklogs {
+    meta:
+        version = "1.0"
+        description = "Detects DuckLogs based on specific strings"
+        author = "Sekoia.io"
+        creation_date = "2022-12-01"
+        id = "165c7d3d-de7e-4d71-b94a-8ab4a0e5ddd5"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $dck = "DuckLogs" ascii wide
+        
+        $str01 = "CheckRemoteDebuggerPresent" ascii
+        $str02 = "MozGlueNotFound" ascii
+        $str03 = "get_DecryptedPassword" ascii
+        $str04 = "get_Extension" ascii
+        $str05 = "set_UseShellExecute" ascii
+        $str06 = "FirefoxPasswords" ascii
+        $str07 = "GetAllGeckoCookies" ascii
+        $str08 = "GetAllBlinkDownloadsBy" ascii
+        $str09 = "Grabbers" ascii
+        $str10 = "Utility" ascii
+        $str11 = "Persistance" ascii
+        $str12 = "Clipboard" ascii
+        $str13 = "WaterfoxGrabber" ascii
+        $str14 = "AvastGrabber" ascii
+        
+    condition:
+        uint16(0) == 0x5A4D and ((#dck > 4 and 2 of ($str*)) or 12 of them)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_edgeguard.yar b/yara_rules/infostealer_win_edgeguard.yar
new file mode 100644
index 0000000..ff19355
--- /dev/null
+++ b/yara_rules/infostealer_win_edgeguard.yar
@@ -0,0 +1,33 @@
+rule infostealer_win_edgeguard {
+    meta:
+        id = "bbdb362f-d235-48f8-8fa5-d340d4e3e3f0"
+        version = "1.0"
+        description = "Finds EdgeGuard Stealer samples based on specific strings"
+        author = "Sekoia.io"
+        creation_date = "2023-08-22"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "main.downloadnecessary" ascii
+        $str02 = "main.extractchromepasswords" ascii
+        $str03 = "main.extracttasksch" ascii
+        $str04 = "main.BrowserDownloadsViewExtract" ascii
+        $str05 = "main.stealmetamask" ascii
+        $str06 = "main.stealexoduswallet" ascii
+        $str07 = "main.moveatomic" ascii
+        $str08 = "main.movefirefoxcookies" ascii
+        $str09 = "main.movepasswords" ascii
+        $str10 = "main.FinallyZIPIPFolder" ascii
+        $str11 = "edgeguard.business" ascii
+        $str12 = "/License.XenArmor" ascii
+        $str13 = "/TaskSchedulerView.exe" ascii
+        $str14 = "/BrowsingHistoryView.exe" ascii
+        $str15 = "/outlookfiles/starter.exe" ascii
+        $str16 = "/outlookfiles/External.zip" ascii
+        $str17 = "/outlookfiles/XenManager.dll" ascii
+        $str18 = "/outlookfiles/EmailPasswordRecoveryPro.exe" ascii
+        
+    condition:
+        uint16(0) == 0x5a4d and 10 of ($str*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_enigma_initial_loader.yar b/yara_rules/infostealer_win_enigma_initial_loader.yar
new file mode 100644
index 0000000..f1f3c6e
--- /dev/null
+++ b/yara_rules/infostealer_win_enigma_initial_loader.yar
@@ -0,0 +1,25 @@
+rule infostealer_win_enigma_initial_loader {
+    meta:
+        id = "664fe8de-b406-4d63-9a4b-1c350b444f00"
+        version = "1.0"
+        description = "Find initial loader of Enigma Stealer based on specific strings"
+        author = "Sekoia.io"
+        creation_date = "2023-01-30"
+        classification = "TLP:CLEAR"
+        hash = "03b9d7296b01e8f3fb3d12c4d80fe8a1bb0ab2fd76f33c5ce11b40729b75fb23"
+        
+    strings:
+        $str01 = "/getFile?file_id=" ascii
+        $str02 = "/file/bot" ascii
+        $str03 = "?file_id=" ascii
+        $str04 = "pInternetSetOptionA failed" wide
+        $str05 = "list_messages[file_path] failed" wide
+        $str06 = "iE&xit" wide
+        $str07 = "[GetTgFileById][GetTgRequest] reply is NULL" wide
+        $str08 = "Telegram request failed" wide
+        $str09 = "bot getted" wide
+        
+    condition:
+        uint16(0)==0x5A4D and 4 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_enigma_loader_module.yar b/yara_rules/infostealer_win_enigma_loader_module.yar
new file mode 100644
index 0000000..957172b
--- /dev/null
+++ b/yara_rules/infostealer_win_enigma_loader_module.yar
@@ -0,0 +1,26 @@
+rule infostealer_win_enigma_loader_module {
+    meta:
+        id = "664fe8de-b406-4d63-9a4b-1c350b444f01"
+        version = "1.0"
+        description = "Find loader module of Enigma Stealer based on specific strings"
+        author = "Sekoia.io"
+        creation_date = "2023-01-30"
+        classification = "TLP:CLEAR"
+        hash = "f1623c2f7c00affa3985cf7b9cdf25e39320700fa9d69f9f9426f03054b4b712"
+        
+    strings:
+        $str01 = "Enigma.Loader.Driver_x64.dll" ascii
+        $str02 = "C:\\projects\\driver\\Driver\\x64\\Release\\driver.pdb" ascii
+        $str03 = "/getFile?file_id=" ascii
+        $str04 = "/file/bot" ascii
+        $str05 = "Fatal error: failed to acquire SE_LOAD_DRIVER_PRIVILEGE. Make sure you are running as administrator." wide
+        $str06 = "[GetTgFileById][GetTgRequest] reply is NULL" wide
+        $str07 = "Telegram request failed" wide
+        $str08 = "Vul driver data destroyed before unlink" wide
+        $str09 = "GetExportAddress hash not found: %x" wide
+        $str10 = "\\REGISTRY\\MACHINE\\HARDWARE\\RESOURCEMAP\\PnP Manager\\PnpManager" wide
+        
+    condition:
+        uint16(0)==0x5A4D and 4 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_enigma_stealer_module.yar b/yara_rules/infostealer_win_enigma_stealer_module.yar
new file mode 100644
index 0000000..e433642
--- /dev/null
+++ b/yara_rules/infostealer_win_enigma_stealer_module.yar
@@ -0,0 +1,29 @@
+rule infostealer_win_enigma_stealer_module {
+    meta:
+        id = "664fe8de-b406-4d63-9a4b-1c350b444f02"
+        version = "1.0"
+        description = "Find stealer module of Enigma Stealer based on specific strings"
+        author = "Sekoia.io"
+        creation_date = "2023-01-30"
+        classification = "TLP:CLEAR"
+        hash = "4d2fb518c9e23c5c70e70095ba3b63580cafc4b03f7e6dce2931c54895f13b2c"
+        
+    strings:
+        $eni01 = "enigma.common" nocase ascii wide
+        $eni02 = "--ENIGMA STEALER--" wide
+        
+        $str01 = "SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')" wide
+        $str02 = "/C chcp 65001 && netsh wlan show profile | findstr All" wide
+        $str03 = "/C chcp 65001 && netsh wlan show networks mode=bssid" wide
+        $str04 = "[Open google maps]" wide
+        $str05 = "Stealerium.Target." ascii
+        $str06 = "--- ClipperBCH ---" wide
+        $str07 = "//setting[@name='Username']/value" wide
+        $str08 = "Stealer >> Failed recursive remove directory with passwords" wide
+        $str09 = "[a-zA-Z0-9]{24}\\.[a-zA-Z0-9]{6}\\.[a-zA-Z0-9_\\-]{27}|mfa\\.[a-zA-Z0-9_\\-]{84}" wide //Discord Token regex
+        $str10 = "^(5018|5020|5038|6304|6759|6761|6763)[0-9]{8,15}$" wide //Maestro Card regex
+        
+    condition:
+        uint16(0)==0x5A4D and 1 of ($eni*) and 4 of ($str*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_eternity.yar b/yara_rules/infostealer_win_eternity.yar
new file mode 100644
index 0000000..85a4d84
--- /dev/null
+++ b/yara_rules/infostealer_win_eternity.yar
@@ -0,0 +1,32 @@
+import "pe"
+        
+rule infostealer_win_eternity {
+    meta:
+        id = "0ed8d4bd-d57f-40a8-a709-d69531d59847"
+        version = "1.0"
+        description = "Detect the Eternity infostealer based on specific strings"
+        author = "Sekoia.io"
+        reference = "hxxp://xssforumv3isucukbxhdhwz67hoa5e2voakcfkuieq4ch257vsburuid.]onion/threads/62331/"
+        creation_date = "2022-03-23"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str0 = "Sending info to Eternity.." wide
+        $str1 = "Debug mode, dont share this stealer anywhere." wide
+        $str2 = "\\Growtopia.exe" wide
+        $str3 = "Software\\Growtopia" wide
+        $str4 = "Corrupting Growtopia.." wide
+        $str5 = "Disabling Task Manager.." wide
+        $str6 = "Deleting previous file from startup and copying new one." wide
+        $str7 = "Hiding file in Startup folder.." wide
+        $str8 = "Initializing File watcher.." wide
+        $str9 = "Decoder: Failed to delete temp login. No problem, continuing.." wide
+        $str10 = "dcd.exe" wide
+        
+    condition:
+        uint16(0)==0x5A4D and
+        (for any i in (0..pe.number_of_sections-1) : ( pe.sections[i].name == ".eter0" ) and
+        for any i in (0..pe.number_of_sections-1) : ( pe.sections[i].name == ".eter1" )) or 
+        4 of ($str*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_fwit_strings.yar b/yara_rules/infostealer_win_fwit_strings.yar
new file mode 100644
index 0000000..322a8a1
--- /dev/null
+++ b/yara_rules/infostealer_win_fwit_strings.yar
@@ -0,0 +1,19 @@
+rule infostealer_win_fwit_strings {
+    meta:
+        id = "332e89ad-d1fe-4da6-9354-0978ef173e78"
+        version = "1.0"
+        author = "Sekoia.io"
+        creation_date = "2023-06-22"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "C:\\ProgramData\\Temp" wide
+        $s2 = "{:08x}" wide
+        $s3 = "CURL_SSLVERSION" ascii // curl embedded
+        
+    condition:
+        (uint16be(0) == 0x4d5a) and
+        
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_ginzostealer_str.yar b/yara_rules/infostealer_win_ginzostealer_str.yar
new file mode 100644
index 0000000..f1dcf29
--- /dev/null
+++ b/yara_rules/infostealer_win_ginzostealer_str.yar
@@ -0,0 +1,21 @@
+rule infostealer_win_ginzostealer_str {
+    meta:
+        id = "ef87e94b-9c53-44b4-b8a1-87d371a6d2cb"
+        version = "1.0"
+        description = "Finds samples of the Ginzo Stealer"
+        author = "Sekoia.io"
+        reference = "https://blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html"
+        creation_date = "2022-04-21"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str0 = "Ginzo.pdb" ascii
+        $str1 = "Ginzo.exe" wide
+        $str2 = "SELECT creation_utc,top_frame_site_key,host_key,name,value,encrypted_value,path,expires_utc,is_secure,is_httponly,last_access_utc,has_expires,is_persistent,priority,samesite,source_scheme,source_port,is_same_party FROM cookies" wide
+        $str3 = "SELECT origin_url,action_url,username_element,username_value,password_element,password_value,submit_element,signon_realm,date_created,blacklisted_by_user,scheme,password_type,times_used,form_data,display_name,icon_url,federation_url,skip_zero_click,generation_upload_status,possible_username_pairs,id,date_last_used,moving_blocked_for,date_password_modified FROM logins" wide
+        $str4 = "SELECT id,originAttributes,name,value,host,path,expiry,lastAccessed,creationTime,isSecure,isHttpOnly,inBrowserElement,sameSite,rawSameSite,schemeMap FROM moz_cookies" wide
+        
+    condition:
+        uint16(0)==0x5A4D and 4 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_gomorrah.yar b/yara_rules/infostealer_win_gomorrah.yar
new file mode 100644
index 0000000..fd36f54
--- /dev/null
+++ b/yara_rules/infostealer_win_gomorrah.yar
@@ -0,0 +1,31 @@
+rule infostealer_win_gomorrah {
+    meta:
+        id = "df8f06ba-6c93-4ce3-9857-ced93753f917"
+        version = "1.0"
+        description = "Detect the Gomorrah infostealer based on specific strings"
+        author = "Sekoia.io"
+        creation_date = "2022-08-25"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $gom01 = "-------------Developed By th3darkly [ https://gomorrah.pw ]-------------" wide
+        $gom02 = "-------------Created By Lucifer [ https://t.me/th3darkly ]-------------" wide
+        $gom03 = "--- Dev By https://t.me/@th3darkly ---" wide
+        $gom04 = "\\Gomorrah\\Gomorrah\\obj\\Debug\\Gomorrah.pdb" wide
+        $gom05 = "Gomorrah.Resources.resources" wide
+        
+        $str01 = "logs.php?hwid=" wide
+        $str02 = "gate.php?hwid=" wide
+        $str03 = "task.php?hwid=" wide
+        $str04 = "ownloadAndRun" wide
+        $str05 = "oftware\\\\Microsoft\\\\Windows Messaging Subsystem\\\\Profiles\\\\9375CFF0413111d3B88A00104B2A6676" wide
+        $str06 = "FileZilla\\\\recentservers.xml" wide
+        $str07 = "http://ip-api.com/json/" wide
+        $str08 = "OutkookStealer" ascii
+        $str09 = "update_windows10.youknowcaliber" ascii
+        
+    condition:
+        uint16(0)==0x5A4D and
+        ((1 of ($gom*) and 1 of ($str*)) or (7 of ($str*)))
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_grmsk_strings.yar b/yara_rules/infostealer_win_grmsk_strings.yar
new file mode 100644
index 0000000..5a5b23e
--- /dev/null
+++ b/yara_rules/infostealer_win_grmsk_strings.yar
@@ -0,0 +1,28 @@
+rule infostealer_win_grmsk_strings {
+    meta:
+        version = "1.0"
+        description = "Finds GrMsk samples based on the specific strings"
+        author = "Sekoia.io"
+        creation_date = "2023-11-30"
+        id = "58f32339-5e0f-405c-9acc-14b93f6c208b"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "ref.txt" ascii fullword
+        $str02 = "--------" ascii fullword
+        $str03 = "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/5362 (KHTML, like Gecko) Chrome/40.0.834.0 Mobile Safari/5362" ascii fullword
+        $str04 = "POST" ascii fullword
+        $str05 = "\\SearchWallet\\" ascii
+        $str06 = "1234niwef" ascii
+        $str07 = "afbcbjpbpfadlkmhmclhkeeodmamcflc" ascii
+        $str08 = "lodccjjbdhfakaekdiahmedfbieldgik" ascii
+        $str09 = "wallets" ascii
+        $str10 = "config" ascii
+        $str11 = "\"recently_open\": [" ascii
+        $str12 = "\"gui_last_wallet\": " ascii
+        $str13 = "YUOhtyugjKgdfgjFGghj676jj" ascii
+        
+    condition:
+        uint16(0)==0x5A4D and 10 of ($str*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_irontiger_chrome_stealer.yar b/yara_rules/infostealer_win_irontiger_chrome_stealer.yar
new file mode 100644
index 0000000..66d5b91
--- /dev/null
+++ b/yara_rules/infostealer_win_irontiger_chrome_stealer.yar
@@ -0,0 +1,33 @@
+import "pe"
+        
+rule infostealer_win_irontiger_chrome_stealer {
+    meta:
+        id = "8c5c3ed0-e1ea-4079-b330-ace8724bff2a"
+        version = "1.0"
+        description = "Detect the chrome_stealer malware"
+        author = "Sekoia.io"
+        creation_date = "2023-03-01"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "passwords.txt"
+        $ = "CryptUnprotectData: 0x%08x"
+        $ = "cookies.txt"
+        $ = "decrypt to %s"
+        $ = ".\\chromedb_tmp" wide ascii
+        $ = "SELECT ORIGIN_URL,USERNAME_VALUE,PASSWORD_VALUE FROM LOGINS;"
+        $ = "decrypt successful!"
+        $ = "url: %s"
+        $ = "user: %s"
+        $ = "pass: %s"
+        $ = "aes key:"
+        $ = "\\Google\\Chrome\\User Data\\Default\\Login Data" wide
+        $ = "password file %s" wide
+        $ = "cookies file %s" wide
+        $ = "keyfile: %s" wide
+        
+    condition:
+        (uint16(0)==0x5A4D and all of them)
+        or pe.imphash() == "e862f5a6671f9dbd6f53d3d557e568f0"
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_leaf.yar b/yara_rules/infostealer_win_leaf.yar
new file mode 100644
index 0000000..06c9987
--- /dev/null
+++ b/yara_rules/infostealer_win_leaf.yar
@@ -0,0 +1,33 @@
+rule infostealer_win_leaf {
+    meta:
+        id = "17d8e384-1092-4f27-b4f7-c0c0f7efcaa3"
+        version = "1.0"
+        description = "Find samples of Leaf Stealer based on specific strings"
+        author = "Sekoia.io"
+        creation_date = "2023-02-07"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "Leaf $tealer" ascii
+        $str02 = "KiwiFolder" ascii
+        $str03 = "key_wordsFiles" ascii
+        $str04 = "**[Click to copy](https://superfurrycdn.nl/copy/" ascii
+        $str05 = "Early_Verified_Bot_Developer" ascii
+        $str06 = "getCookie.<locals>.<genexpr>" ascii
+        $str07 = "C:\\Program Files (x86)\\Steam\\config" ascii
+        $str08 = "[crunchyroll](https://crunchyroll.com)" ascii
+        $str09 = "-m pip install" ascii
+        $str10 = "taskkill /im " ascii
+        $str11 = "/loginusers.vdf" ascii
+        $str12 = "mot_de_passe" ascii
+        $str13 = "Interesting files found on user PC" ascii
+        $str14 = "NationsGlory/Local Storage/leveldb" ascii
+        $str15 = "wppassw.txt" ascii
+        $str16 = "wpcook.txt" ascii
+        $str17 = "ProcesName < 1 >" ascii
+        $str18 = "Metamask_" ascii
+        
+    condition:
+        uint16(0)==0x5A4D and 10 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_lighting.yar b/yara_rules/infostealer_win_lighting.yar
new file mode 100644
index 0000000..34d398b
--- /dev/null
+++ b/yara_rules/infostealer_win_lighting.yar
@@ -0,0 +1,41 @@
+rule infostealer_win_lighting {
+    meta:
+        id = "3c160c16-f417-4fa2-aa44-fb7b981fb2b3"
+        version = "1.0"
+        description = "Detect the Lighting infostealer based on specific strings"
+        author = "Sekoia.io"
+        reference = "https://blog.cyble.com/2022/04/05/inside-lightning-stealer/"
+        creation_date = "2022-04-07"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str0 = "\\logins.json" wide
+        $str1 = "key3.db" wide
+        $str2 = "\\key4.db" wide
+        $str3 = "cert9.db" wide
+        $str4 = "\\places.sqlite" wide
+        $str5 = "7D78CB380BF5EFB7B851409CA6A875F77DECF09D19B9149DA17A3EBF674BC0F9" ascii
+        $str6 = "potentiallyVulnerablePasswords" wide
+        
+        $dll0 = "\\mozglue.dll" wide
+        $dll1 = "\\nss3.dll" wide
+        $dll2 = "SbieDll.dll" wide
+        
+        $app00 = "\\discord\\Local Storage\\leveldb\\" wide
+        $app01 = "Software\\Valve\\Steam" wide
+        $app02 = "Telegram Desktop\\tdata" wide
+        $app03 = "\\Wallets\\Armory\\" wide
+        $app04 = "\\Wallets\\Atomic\\Local Storage\\leveldb\\" wide
+        $app05 = "\\Exodus\\exodus.wallet\\" wide
+        $app06 = "\\Wallets\\Zcash\\" wide
+        $app07 = "uCozMedia\\Uran" wide
+        $app08 = "Comodo\\IceDragon" wide
+        $app09 = "8pecxstudios\\Cyberfox" wide
+        $app10 = "NETGATE Technologies\\BlackHaw" wide
+        $app11 = "Moonchild Productions\\Pale Moon" wide
+        
+    condition:
+        uint16(0)==0x5A4D and
+        6 of ($str*) and all of ($dll*) and 10 of ($app*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_lumma_strings_aug23.yar b/yara_rules/infostealer_win_lumma_strings_aug23.yar
new file mode 100644
index 0000000..695fd5a
--- /dev/null
+++ b/yara_rules/infostealer_win_lumma_strings_aug23.yar
@@ -0,0 +1,24 @@
+rule infostealer_win_lumma_strings_aug23 {
+    meta:
+        version = "1.0"
+        description = "Finds Lumma samples based on the specific strings"
+        author = "Sekoia.io"
+        creation_date = "2023-09-14"
+        id = "728f7825-a463-4b19-b2d3-3460e4c06dc9"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "lid=%s&j=%s&ver" ascii
+        $str02 = "%s (%d.%d.%d)" ascii
+        $str03 = "- Screen Resoluton:" ascii
+        $str04 = "- Physical Installed Memory:" ascii
+        $str05 = "Content-Type: attachment/x-object" ascii
+        $str06 = "Content-Type: application/x-www-form-urlencoded" ascii
+        $str07 = "Content-Type: multipart/form-data; boundary=%s" wide
+        $str08 = "SysmonDrv" wide
+        $str09 = "TeslaBrowser/5.5" wide
+        
+    condition:
+        uint16(0)==0x5A4D and 6 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_lumma_strings_sept23.yar b/yara_rules/infostealer_win_lumma_strings_sept23.yar
new file mode 100644
index 0000000..fc37eb4
--- /dev/null
+++ b/yara_rules/infostealer_win_lumma_strings_sept23.yar
@@ -0,0 +1,24 @@
+rule infostealer_win_lumma_strings_sept23 {
+    meta:
+        version = "1.0"
+        description = "Finds Lumma samples based on the specific strings"
+        author = "Sekoia.io"
+        creation_date = "2023-09-14"
+        modification_date = "2023-10-31"
+        id = "45900760-c10d-40c0-a49a-c66358a8a66a"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str10 = "CryptStringToBinaryA" ascii
+        $str11 = "WinHttpQueryDataAvailable" ascii
+        $str12 = "GetComputerNameExA" ascii
+        $str13 = "GetCurrentHwProfileW" ascii
+        $str14 = "ntdll.dll" wide
+        //$str15 = "%appdata%\\Thunderbird\\Profiles" wide
+        $str16 = "minkernel\\crts\\ucrt\\inc\\corecrt_internal_strtox.h" wide
+        $str17 = "xxxxxxxxxxx" ascii
+        
+    condition:
+        uint16(0)==0x5A4D and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_mars_stealer.yar b/yara_rules/infostealer_win_mars_stealer.yar
new file mode 100644
index 0000000..82d287e
--- /dev/null
+++ b/yara_rules/infostealer_win_mars_stealer.yar
@@ -0,0 +1,45 @@
+import "pe"
+        
+rule infostealer_win_mars_stealer {
+    meta:
+        id = "3e2c7440b2fc9e4b039e6fa8152ac8fd"
+        version = "1.0"
+        description = "Detect Mars Stealer based on specific strings"
+        author = "Sekoia.io"
+        reference = "https://3xp0rt.com/posts/mars-stealer"
+        creation_date = "2022-02-03"
+        modification_date = "2022-02-14"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $dec = {a3 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8 ?? ?? 00 00 83 c4 ??} //decryption op code
+        
+        $api00 = "LoadLibrary" ascii
+        $api01 = "GetProcAddress" ascii
+        $api02 = "ExitProcess" ascii
+        $api03 = "advapi32.dll" ascii
+        $api04 = "crypt32.dll" ascii
+        $api05 = "GetTickCount" ascii
+        $api06 = "Sleep" ascii
+        $api07 = "GetUserDefaultLangID" ascii
+        $api08 = "CreateMutex" ascii
+        $api09 = "GetLastError" ascii
+        $api10 = "HeapAlloc" ascii
+        $api11 = "GetProcessHeap" ascii
+        $api12 = "GetComputerName" ascii
+        $api13 = "VirtualProtect" ascii
+        $api14 = "GetUserName" ascii
+        $api15 = "CryptStringToBinary" ascii
+        
+        $str0 = "JohnDoe" ascii
+        //$str1 = "/c timeout /t 5 & del /f /q \"%s\" & exit" ascii
+        //$str2 = "C:\\Windows\\System32\\cmd.exe" ascii
+        
+    condition:
+        uint16(0)==0x5A4D and
+        (#dec > 400 and
+        12 of ($api*) and $str0) or
+        for any i in ( 0..pe.number_of_sections-1 ) : (
+            pe.sections[i].name == "LLCPPC" and pe.sections[i].raw_data_size < 5000 )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_mars_stealer_variant_llcppc1.yar b/yara_rules/infostealer_win_mars_stealer_variant_llcppc1.yar
new file mode 100644
index 0000000..fbb323b
--- /dev/null
+++ b/yara_rules/infostealer_win_mars_stealer_variant_llcppc1.yar
@@ -0,0 +1,16 @@
+rule infostealer_win_mars_stealer_variant_llcppc1 {
+    meta:
+        id = "3e2c7440b2fc9e4b039e6fa8152ac8fe"
+        version = "1.0"
+        description = "Detect Mars Stealer variand llcppc1"
+        author = "Sekoia.io"
+        creation_date = "2022-03-10"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $a = {ff 15 ?? ?? ?? ?? 89 45 ?? 6a 14 68 ?? ?? ?? ?? ff 75 ?? e8 23 00 00 00 ff 75 ?? ff 75 ?? ff 75 ?? e8 5c 00 00 00}
+        
+    condition:
+        uint16(0)==0x5A4D and $a
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_mars_stealer_xor_routine.yar b/yara_rules/infostealer_win_mars_stealer_xor_routine.yar
new file mode 100644
index 0000000..05e70e0
--- /dev/null
+++ b/yara_rules/infostealer_win_mars_stealer_xor_routine.yar
@@ -0,0 +1,16 @@
+rule infostealer_win_mars_stealer_xor_routine {
+    meta:
+        id = "3e2c7440b2fc9e4b039e6fa8152ac8ff"
+        version = "1.0"
+        description = "Detect Mars Stealer based on a specific XOR routine"
+        author = "Sekoia.io"
+        creation_date = "2022-04-06"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $xor = {8b 4d ?? 03 4d ?? 0f be 19 8b 55 ?? 52 e8 ?? ?? ?? ?? 83 c4 ?? 8b c8 8b 45 ?? 33 d2 f7 f1 8b 45 ?? 0f be 0c 10 33 d9 8b 55 ?? 03 55 ?? 88 1a eb be}
+        
+    condition:
+        uint16(0)==0x5A4D and $xor
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_meduzastealer.yar b/yara_rules/infostealer_win_meduzastealer.yar
new file mode 100644
index 0000000..1386429
--- /dev/null
+++ b/yara_rules/infostealer_win_meduzastealer.yar
@@ -0,0 +1,27 @@
+rule infostealer_win_meduzastealer {
+    meta:
+        id = "1276f485-aa5d-491b-89d8-77f98dc496e1"
+        version = "1.0"
+        description = "Finds MeduzaStealer samples based on specific strings"
+        author = "Sekoia.io"
+        creation_date = "2023-06-20"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "emoji" ascii
+        $str02 = "%d-%m-%Y, %H:%M:%S" ascii
+        $str03 = "[UTC" ascii
+        $str04 = "user_name" ascii
+        $str05 = "computer_name" ascii
+        $str06 = "timezone" ascii
+        $str07 = "current_path()" ascii
+        $str08 = "[json.exception." ascii
+        $str09 = "GDI32.dll" ascii
+        $str10 = "GdipGetImageEncoders" ascii
+        $str11 = "GetGeoInfoA" ascii
+        
+    condition:
+        uint16(0) == 0x5a4d and 8 of them 
+        and filesize > 500KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_metastealer_strings.yar b/yara_rules/infostealer_win_metastealer_strings.yar
new file mode 100644
index 0000000..0315340
--- /dev/null
+++ b/yara_rules/infostealer_win_metastealer_strings.yar
@@ -0,0 +1,23 @@
+import "pe"
+        
+rule infostealer_win_metastealer_strings {
+    meta:
+        id = "1f4b6f0b-706e-48b0-889d-01c1b7f92776"
+        version = "1.0"
+        description = "Detects IOCs related to Metastealer"
+        author = "Sekoia.io"
+        creation_date = "2023-12-13"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "FileScannerRule"
+        $s2 = "MSObject"
+        $s3 = "MSValue"
+        $s4 = "GetBrowsers"
+        $s5 = "Biohazard"
+        
+    condition:
+    4 of ($s*) 
+    and pe.imports("mscoree.dll")
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_monster_stub.yar b/yara_rules/infostealer_win_monster_stub.yar
new file mode 100644
index 0000000..21d3fb9
--- /dev/null
+++ b/yara_rules/infostealer_win_monster_stub.yar
@@ -0,0 +1,32 @@
+rule infostealer_win_monster_stub {
+    meta:
+        id = "10d27d49-79ae-4edc-8c30-35506bdf2c42"
+        version = "1.0"
+        description = "Finds Monster Stealer stub (Python payload) based on specific strings."
+        author = "Sekoia.io"
+        creation_date = "2024-08-07"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "https://t.me/monster_free_cloud" ascii
+        $str02 = "MonsterUpdateService" ascii
+        $str03 = "Monster.exe" ascii
+        $str04 = "schtasks /create /f /sc daily /ri 30 /tn" ascii
+        $str05 = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\" ascii
+        $str06 = "banned_uuids" ascii
+        $str07 = "banned_computer_names" ascii
+        $str08 = "banned_process" ascii
+        $str09 = "register_X_browsers" ascii
+        $str10 = "register_payload" ascii
+        $str11 = "tiktok_sessions.txt" ascii
+        $str12 = "spotify_sessions.txt" ascii
+        $str13 = "network_info.txt" ascii
+        $str14 = "lolz.guru" ascii
+        $str15 = "echo ####System Info####" ascii
+        $str16 = "echo ####Firewallinfo####" ascii
+        $str17 = "/injection/main/injection.js" ascii
+        
+    condition:
+        uint16(0)==0x5A4D and 10 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_nekostealer.yar b/yara_rules/infostealer_win_nekostealer.yar
new file mode 100644
index 0000000..45f2cfd
--- /dev/null
+++ b/yara_rules/infostealer_win_nekostealer.yar
@@ -0,0 +1,21 @@
+rule infostealer_win_nekostealer {
+    meta:
+        id = "8b7d2708-9d33-4855-8e02-f6afedb7dda8"
+        version = "1.0"
+        description = "Detect the NekoStealer infostealer based on specific strings"
+        author = "Sekoia.io"
+        creation_date = "2023-01-24"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $nek = "NekoStealer.Stealing" ascii
+        
+        $str01 = "\\Local Storage\\leveldb" wide
+        $str02 = "======================= Discord Tokens =======================" wide
+        $str03 = "======================== IP Information ========================" wide
+        $str04 = "https://ipapi.co/" wide
+        
+    condition:
+        uint16(0) == 0x5A4D and (#nek > 10 or all of ($str*))
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_nemesis_in_memory.yar b/yara_rules/infostealer_win_nemesis_in_memory.yar
new file mode 100644
index 0000000..ff4efb9
--- /dev/null
+++ b/yara_rules/infostealer_win_nemesis_in_memory.yar
@@ -0,0 +1,28 @@
+rule infostealer_win_nemesis_in_memory {
+    meta:
+        id = "01d85bd5-ea93-44ff-b36a-9cd9eb54d634"
+        version = "1.0"
+        description = "Finds Nemesis Stealer samples based on specific strings, from samples without strings obsucation, or from memory"
+        author = "Sekoia.io"
+        creation_date = "2023-03-29"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "NemesisProject.Modules." ascii
+        $str02 = "~[NEMESIS INIZIALIZE]~" wide
+        $str03 = "Clip_BoardText.txt" wide
+        $str04 = "stealer_out.zip" wide
+        $str05 = "<span style=\"color:#FFFFFF\">Number of running processes:</span>" wide
+        $str06 = "<span style=\"color:#FFFFFF\">Installed FireWall: </span>" wide
+        $str07 = "~[Panel_Receiving_Data]~ Incorrect data when receiving data on the panel" wide
+        $str08 = "ProcessInfo_Log.txt" wide
+        $str09 = "Installed_Software_Log.txt" wide
+        $str10 = "Detect Data ClipBoard] - [ {DateTime.Now:MM.dd.yyyy - HH:mm:ss}]" wide
+        $str11 = "VPN/ProtonVPN_Log.txt" wide
+        $str12 = "VPN/Nord_Log.txt" wide
+        $str13 = "Steam/SteamID_Log.txt" wide
+        
+    condition:
+    uint16(0) == 0x5A4D and 6 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_nosu.yar b/yara_rules/infostealer_win_nosu.yar
new file mode 100644
index 0000000..2dd71e5
--- /dev/null
+++ b/yara_rules/infostealer_win_nosu.yar
@@ -0,0 +1,18 @@
+rule infostealer_win_nosu {
+    meta:
+        version = "1.0"
+        description = "Finds Nosu samples based on characteristic strings"
+        author = "Sekoia.io"
+        creation_date = "2022-12-15"
+        id = "9823af25-e30b-4514-a59c-02dd19fe368d"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str0 = "C:\\xampp\\htdocs\\nosu\\core\\release\\lilly.pdb" ascii
+        $str1 = "{\"gp\":\"%s\",\"app\":\"%S\"," ascii
+        $str2 = "stored in zip:\\%s" wide
+        
+    condition:
+        uint16(0)==0x5A4D and 1 of them and filesize<1MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_pennywise_mar23.yar b/yara_rules/infostealer_win_pennywise_mar23.yar
new file mode 100644
index 0000000..4a45d75
--- /dev/null
+++ b/yara_rules/infostealer_win_pennywise_mar23.yar
@@ -0,0 +1,27 @@
+rule infostealer_win_pennywise_mar23 {
+    meta:
+        id = "9852b7e7-dfff-44e6-9068-d287cc84b069"
+        version = "1.0"
+        description = "Finds PennyWise samples based on strings"
+        author = "Sekoia.io"
+        creation_date = "2023-03-22"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $chr01 = "MvgmsudRT3loHygSj1F9K" ascii
+        $chr02 = "WebInfidelity2023" ascii
+        $chr03 = "PennyWise" ascii
+        
+        $str01 = "get_Handle" ascii
+        $str02 = "get_Now" ascii
+        $str03 = "get_Ticks" ascii
+        $str04 = "set_Expect100Continue" ascii
+        $str05 = "get_Jpeg" ascii
+        $str06 = "set_UseShellExecute" ascii
+        $str07 = "get_ProcessName" ascii
+        $str08 = "get_UtcNow" ascii
+        
+    condition:
+        uint16(0) == 0x5A4D and 1 of ($chr*) and 5 of ($str*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_phoenix.yar b/yara_rules/infostealer_win_phoenix.yar
new file mode 100644
index 0000000..d39610e
--- /dev/null
+++ b/yara_rules/infostealer_win_phoenix.yar
@@ -0,0 +1,34 @@
+rule infostealer_win_phoenix {
+    meta:
+        id = "d63a8fcf-f897-4c36-a6ce-4bd4ae0154e5"
+        version = "1.0"
+        description = "Finds Phoenix Stealer samples based on specific strings"
+        author = "Sekoia.io"
+        creation_date = "2023-06-20"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "nkbihfbeogaeaoehlefnkodbefgpgknn" ascii
+        $str02 = "Discord\\Tokens.txt" ascii
+        $str03 = "SOFTWARE\\OpenVP" ascii
+        $str04 = "config_dir" ascii
+        $str05 = "| Last Login:" ascii
+        $str06 = "| Games:" ascii
+        $str07 = "| Host:" ascii
+        $str08 = "| Port:" ascii
+        $str09 = "| User:" ascii
+        $str10 = "| Pass:" ascii
+        $str11 = "Grabber.rar" ascii
+        $str12 = "\\GHISLER\\wcx_ftp.ini" ascii
+        $str13 = "Clipboard.txt" ascii
+        $str14 = "PROCESSOR_ARCHITECTURE" ascii
+        $str15 = "PROCESSOR_IDENTIFIER" ascii
+        $str16 = "Log.txt" ascii
+        $str17 = "xXxXxXxXxXx" ascii
+        $str18 = "hq101ejedmwcvvasd02kw" ascii
+        
+    condition:
+        uint16(0) == 0x5a4d and 15 of them 
+        and filesize > 500KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_phoenixwave.yar b/yara_rules/infostealer_win_phoenixwave.yar
new file mode 100644
index 0000000..fdc2b5b
--- /dev/null
+++ b/yara_rules/infostealer_win_phoenixwave.yar
@@ -0,0 +1,36 @@
+rule infostealer_win_phoenixwave {
+    meta:
+        id = "67c05ea8-2f1b-4c60-b108-e05d7d0c6508"
+        version = "1.0"
+        description = "Detect the PhoenixWave infostealer based on specific strings"
+        author = "Sekoia.io"
+        creation_date = "2022-04-07"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str0 = "##################################################\n                  Information\n##################################################\n" wide
+        $str1 = "Specify a single character: either D or F" wide
+        $str2 = "// This SFX source file was generated by DotNetZip " wide
+        $str3 = "aHR0cDovL2lwLWFwaS5jb20vanNvbg==" wide //ip-api.com/json
+        $str4 = "TG9jYWxBcHBEYXRh" wide //LocalAppData
+        $str5 = "UGhvZW5peFdhdmU=" wide //PhoenixWave
+        $str6 = "virustotal" wide
+        $str7 = "SELECT * FROM win32_operatingsystem" wide
+        $str8 = "SELECT * FROM Win32_VideoController" wide
+        
+        $app0 = "\\discordcanary\\Local Storage\\leveldb" wide
+        $app1 = "\\discordptb\\Local Storage\\leveldb" wide
+        $app2 = "\\discorddevelopment\\Local Storage\\leveldb" wide
+        $app3 = "\\D877F783D5D3EF8C\\" wide //Telegram
+        $app4 = "\\IndexedDB\\file__0.indexeddb.leveldb" wide
+        $app5 = "\\Steam\\Games.txt" wide
+        $app6 = "nkbihfbeogaeaoehlefnkodbefgpgknn" wide
+        $app7 = "fhbohimaelbohpjbbldcngcnapndodjp" wide
+        $app8 = "fnjhmkhhmkbjkkabndcnnogagogbneec" wide
+        $app9 = "\\Opera Software\\Opera GX Stable" wide
+        
+    condition:
+        uint16(0)==0x5A4D and
+        7 of ($str*) and 8 of ($app*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_raccoon_str_takemypainback.yar b/yara_rules/infostealer_win_raccoon_str_takemypainback.yar
new file mode 100644
index 0000000..810afde
--- /dev/null
+++ b/yara_rules/infostealer_win_raccoon_str_takemypainback.yar
@@ -0,0 +1,20 @@
+rule infostealer_win_raccoon_str_takemypainback {
+    meta:
+        version = "1.0"
+        description = "Detect Raccoon based on specific strings"
+        author = "Sekoia.io"
+        creation_date = "2022-10-03"
+        id = "2148636e-47c7-4bf2-8d1e-df68faf65111"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str0 = "\\ffcookies.txt" wide
+        $str1 = "TakeMyPainBack" wide
+        $str2 = "wallet.dat" wide
+        $str3 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall" wide
+        $str4 = "Network\\Cookies" wide
+        
+    condition:
+        uint16(0) == 0x5a4d and 4 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_redline_strings.yar b/yara_rules/infostealer_win_redline_strings.yar
new file mode 100644
index 0000000..ac8dd81
--- /dev/null
+++ b/yara_rules/infostealer_win_redline_strings.yar
@@ -0,0 +1,48 @@
+rule infostealer_win_redline_strings {
+    meta:
+        version = "1.0"
+        description = "Finds Redline samples based on characteristic strings"
+        author = "Sekoia.io"
+        creation_date = "2022-09-07"
+        id = "0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $gen01 = "ChromeGetRoamingName" ascii
+        $gen02 = "ChromeGetLocalName" ascii
+        $gen03 = "get_UserDomainName" ascii
+        $gen04 = "get_encrypted_key" ascii
+        $gen05 = "browserPaths" ascii
+        $gen06 = "GetBrowsers" ascii
+        $gen07 = "get_InstalledInputLanguages" ascii
+        $gen08 = "BCRYPT_INIT_AUTH_MODE_INFO_VERSION" ascii
+        
+        $spe0 = "Profile_encrypted_value" wide
+        $spe1 = "[AString-ZaString-z\\d]{2String4}\\.[String\\w-]{String6}\\.[\\wString-]{2String7}" wide
+        $spe2 = "AFileSystemntivFileSystemirusPrFileSystemoduFileSystemct|AntiFileSystemSpyWFileSystemareProFileSystemduct|FireFileSystemwallProdFileSystemuct" wide
+        $spe3 = "OpHandlerenVPHandlerN ConHandlernect%DSK_23%Opera GXcookies" wide
+        $spe4 = "//settinString.Removeg[@name=\\PasswString.Removeord\\]/valuString.RemoveeROOT\\SecurityCenter" wide
+        $spe5 = "ROOT\\SecurityCenter2Web DataSteamPath" wide
+        $spe6 = "windows-1251, CommandLine:" wide
+        $spe7 = "OFileInfopeFileInfora GFileInfoX StabFileInfole" wide
+        $spe8 = "ApGenericpDaGenericta\\RGenericoamiGenericng\\" wide
+        $spe9 = "*wallet*" wide
+        
+        $typ01 = "359A00EF6C789FD4C18644F56C5D3F97453FFF20" ascii
+        $typ02 = "F413CEA9BAA458730567FE47F57CC3C94DDF63C0" ascii
+        $typ03 = "A937C899247696B6565665BE3BD09607F49A2042" ascii
+        $typ04 = "D67333042BFFC20116BF01BC556566EC76C6F7E2" ascii
+        $typ05 = "4E3D7F188A5F5102BEC5B820632BBAEC26839E63" ascii
+        $typ06 = "FB10FF1AD09FE8F5CA3A85B06BC96596AF83B350" ascii
+        $typ07 = "77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60" ascii
+        $typ08 = "A8F9B62160DF085B926D5ED70E2B0F6C95A25280" ascii
+        $typ09 = "718D1294A5C2D3F3D70E09F2F473155C4F567201" ascii
+        $typ10 = "2FBDC611D3D91C142C969071EA8A7D3D10FF6301" ascii
+        $typ11 = "2A19BFD7333718195216588A698752C517111B02" ascii
+        $typ12 = "EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2" ascii
+        $typ13 = "04EC68A0FC7D9B6A255684F330C28A4DCAB91F13" ascii
+        
+    condition:
+        uint16(0)==0x5A4D and (7 of ($gen*) or 3 of ($spe*) or 2 of ($typ*))
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_solarmarker_dll.yar b/yara_rules/infostealer_win_solarmarker_dll.yar
new file mode 100644
index 0000000..87f0bb1
--- /dev/null
+++ b/yara_rules/infostealer_win_solarmarker_dll.yar
@@ -0,0 +1,29 @@
+rule infostealer_win_solarmarker_dll {
+    meta:
+        version = "1.0"
+        description = "Finds SolarMarker DLL based on characteristic strings"
+        author = "Sekoia.io"
+        creation_date = "2022-12-09"
+        id = "a2fe7f09-7134-4054-ba40-5ea66785a26c"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $zka = "zkabsr" wide
+        
+        $str0 = "set_PersistKeyInCsp" ascii
+        $str1 = "get_IV" ascii
+        $str2 = "get_MachineName" ascii
+        $str3 = "get_Current" ascii
+        $str4 = "ps_script" ascii
+        $str5 = "request_data" ascii
+        $str6 = "WindowsBuiltInRole" ascii
+        $str7 = "DllImportAttribute" ascii
+        $str8 = "get_BlockSize" ascii
+        $str9 = "GetRequestStream" ascii
+        
+    condition:
+        uint16(0)==0x5A4D and
+        (($zka and 3 of ($str*)) or (all of ($str*)))
+        and filesize < 1MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_solarmarker_powershell.yar b/yara_rules/infostealer_win_solarmarker_powershell.yar
new file mode 100644
index 0000000..380b6f1
--- /dev/null
+++ b/yara_rules/infostealer_win_solarmarker_powershell.yar
@@ -0,0 +1,26 @@
+rule infostealer_win_solarmarker_powershell {
+    meta:
+        version = "1.0"
+        description = "Finds SolarMarker PowerShell script based on characteristic strings"
+        author = "Sekoia.io"
+        creation_date = "2022-12-09"
+        id = "a2fe7f09-7134-4054-ba40-5ea66785a26d"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $fun = "function " ascii
+        
+        $ps0 = "return -join (0..(10..30|Get-Random)|%{[char]((65..90)+(97..122)|Get-Random)})" ascii
+        $ps1 = /new-item -path \$[a-zA-Z0-9_]* -itemtype registrykey -force;/
+        $ps2 = /set-item -path \$[a-zA-Z0-9_]* -value \$[a-zA-Z0-9_]*;/
+        
+        $str0 = "[IO.File]::WriteAllText($" ascii
+        $str1 = "CreateShortcut($env:appdata+" ascii
+        $str2 = "Registry::HKEY_CURRENT_USER\\Software\\Classes\\" ascii
+        $str3 = "New-Object System.Security.Cryptography.AesCryptoServiceProvider" ascii
+        $str4 = "[Convert]::FromBase64String([IO.File]::ReadAllText(" ascii
+        
+    condition:
+        $fun at 0 and 1 of ($ps*) and 2 of ($str*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_spacestealer.yar b/yara_rules/infostealer_win_spacestealer.yar
new file mode 100644
index 0000000..f8b5c67
--- /dev/null
+++ b/yara_rules/infostealer_win_spacestealer.yar
@@ -0,0 +1,32 @@
+rule infostealer_win_spacestealer {
+    meta:
+        version = "1.0"
+        description = "Detects SpaceStealer based on specific strings"
+        author = "Sekoia.io"
+        creation_date = "2022-11-29"
+        id = "aceae3b3-1f5a-48b4-84cb-d0ba68d26df5"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "spacestealerxD" ascii
+        $str02 = "\\spacex" ascii
+        $str03 = "@~$~@spacex-" ascii
+        $str04 = "StealerClient" ascii
+        $str05 = "kill-process-by-name" ascii
+        $str06 = "\\BetterDiscord\\data\\betterdiscord.asar" ascii
+        $str07 = "api/webhooks" ascii
+        $str08 = "discordPath" ascii
+        $str09 = "SELECT host_key, name, encrypted_value FROM cookies" ascii
+        $str10 = "SELECT origin_url, username_value, password_value FROM logins" ascii
+        $str11 = "SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards" ascii
+        $str12 = "Cookies don't found." ascii
+        $str13 = "/api/cookies?auth=" ascii
+        $str14 = "/api/passwords?auth=" ascii
+        $str15 = "/api/autofill?auth=" ascii
+        $str16 = "/api/creditcards?auth=" ascii
+        $str17 = "\\Yandex\\YandexBrowser\\User Data\\Guest Profile\\Network\\" ascii
+        
+    condition:
+        uint16(0) == 0x5A4D and filesize > 10MB and 13 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_stealc.yar b/yara_rules/infostealer_win_stealc.yar
new file mode 100644
index 0000000..e7d1c39
--- /dev/null
+++ b/yara_rules/infostealer_win_stealc.yar
@@ -0,0 +1,24 @@
+rule infostealer_win_stealc {
+    meta:
+        id = "aa78772e-9b31-40f3-84f4-b8302ea63a28"
+        version = "1.0"
+        description = "Find standalone Stealc sample based on decryption routine or characteristic strings"
+        author = "Sekoia.io"
+        creation_date = "2023-02-12"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $dec = { 55 8b ec 8b 4d ?? 83 ec 0c 56 57 e8 ?? ?? ?? ?? 6a 03 33 d2 8b f8 59 f7 f1 8b c7 85 d2 74 04 } //deobfuscation function
+        
+        $str01 = "------" ascii
+        $str02 = "Network Info:" ascii
+        $str03 = "- IP: IP?" ascii
+        $str04 = "- Country: ISO?" ascii
+        $str05 = "- Display Resolution:" ascii
+        $str06 = "User Agents:" ascii
+        $str07 = "%s\\%s\\%s" ascii
+        
+    condition:
+        uint16(0) == 0x5A4D and ($dec or 5 of ($str*))
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_stealc_str_oct24.yar b/yara_rules/infostealer_win_stealc_str_oct24.yar
new file mode 100644
index 0000000..8782ccd
--- /dev/null
+++ b/yara_rules/infostealer_win_stealc_str_oct24.yar
@@ -0,0 +1,28 @@
+rule infostealer_win_stealc_str_oct24 {
+    meta:
+        id = "7448fafe-206c-4f9c-b5a3-cbabec12a45b"
+        version = "1.0"
+        description = "Finds Stealc standalone samples (or dumps) based on the strings"
+        author = "Sekoia.io"
+        creation_date = "2024-10-20"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "-nop -c \"iex(New-Object Net.WebClient).DownloadString(" ascii //also include in Vidar samples
+        $str02 = "Azure\\.IdentityService" ascii //also include in Vidar samples
+        $str03 = "steam_tokens.txt" ascii
+        $str04 = "\"encrypted_key\":\"" ascii //also include in Vidar samples
+        $str05 = "prefs.js" ascii //also include in Vidar samples
+        $str06 = "browser: FileZilla" ascii
+        $str07 = "profile: null" ascii
+        $str08 = "url:" ascii
+        $str09 = "login:" ascii
+        $str10 = "password:" ascii //also include in Vidar samples
+        $str11 = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" ascii //also include in Vidar samples
+        $str12 = "ChromeFuckNewCookies" ascii //also include in Vidar samples
+        $str13 = "/c timeout /t 10 & del /f /q \"" ascii //also include in Vidar samples
+        
+    condition:
+        uint16(0)==0x5A4D and 9 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_stealerium.yar b/yara_rules/infostealer_win_stealerium.yar
new file mode 100644
index 0000000..5836f59
--- /dev/null
+++ b/yara_rules/infostealer_win_stealerium.yar
@@ -0,0 +1,37 @@
+rule infostealer_win_stealerium {
+    meta:
+        version = "1.0"
+        description = "Detects Stealerium based on specific strings"
+        author = "Sekoia.io"
+        creation_date = "2022-12-01"
+        id = "165c7d3d-de7e-4d71-b94a-8ab4a0e5ddd5"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $stl = "Stealerium" ascii wide
+        
+        $str01 = "Processe: " wide
+        $str02 = "Compname: " wide
+        $str03 = "Language: " wide
+        $str04 = "SandBoxie: " wide
+        $str05 = "== System Info ==" wide
+        $str06 = "== Hardware ==" wide
+        $str07 = "== Domains ==" wide
+        $str08 = "WEBCAMS COUNT: " wide
+        $str09 = "[Virtualization]" wide
+        $str10 = "[Open google maps](" wide
+        $str11 = "Remember password: " wide
+        $str12 = "Target.Browsers.Firefox" ascii
+        $str13 = "Modules.Keylogger" ascii
+        $str14 = "ClipperAddresses" ascii
+        $str15 = "ChromiumPswPaths" ascii
+        $str16 = "DetectedBankingServices" ascii
+        $str17 = "DetectCryptocurrencyServices" ascii
+        $str18 = "CheckRemoteDebuggerPresent" ascii
+        $str19 = "GetConnectedCamerasCount" ascii
+        $str20 = "costura.discord-webhook-client.dll.compressed" ascii wide
+        
+    condition:
+        uint16(0) == 0x5A4D and filesize>1MB and ((#stl > 5 and 2 of ($str*)) or 15 of ($str*))
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_stormkitty.yar b/yara_rules/infostealer_win_stormkitty.yar
new file mode 100644
index 0000000..3ee25ec
--- /dev/null
+++ b/yara_rules/infostealer_win_stormkitty.yar
@@ -0,0 +1,32 @@
+rule infostealer_win_stormkitty {
+    meta:
+        id = "5014d2e5-af5c-4800-ab1e-b57de37a2450"
+        version = "1.0"
+        description = "Finds StormKitty samples (or their variants) based on specific strings"
+        author = "Sekoia.io"
+        creation_date = "2023-03-29"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $sk01 = "LimerBoy/StormKitty" ascii wide
+        $sk02 = "StormKitty-Latest.log" wide
+        $sk03 = "StormKitty.exe" ascii
+        $sk04 = "Debug\\StormKitty.pdb" ascii
+        $sk05 = "StormKitty.Implant" ascii
+        
+        $str01 = "set_sUsername" ascii
+        $str02 = "set_sIsSecure" ascii
+        $str03 = "set_sExpMonth" ascii
+        $str04 = "WritePasswords" ascii
+        $str05 = "WriteCookies" ascii
+        $str06 = "sChromiumPswPaths" ascii
+        $str07 = "sGeckoBrowserPaths" ascii
+        $str08 = "Username: {1}" wide
+        $str09 = "Password: {2}" wide
+        $str10 = "encrypted_key\":\"(.*?)\"" wide
+        
+    condition:
+    uint16(0) == 0x5A4D and
+    ((1 of ($sk*) and 3 of ($str*)) or 7 of ($str*))
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_stormkitty_exfil_urls.yar b/yara_rules/infostealer_win_stormkitty_exfil_urls.yar
new file mode 100644
index 0000000..dab2e0d
--- /dev/null
+++ b/yara_rules/infostealer_win_stormkitty_exfil_urls.yar
@@ -0,0 +1,20 @@
+rule infostealer_win_stormkitty_exfil_urls {
+    meta:
+        id = "d3b6e778-85da-4ab6-bc98-921897677485"
+        version = "1.0"
+        description = "Detect the open-source StormKitty spyware by looking for the github path"
+        author = "Sekoia.io"
+        creation_date = "2022-04-20"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "https://github.com/LimerBoy/StormKitty" ascii
+        $telegram = "https://api.telegram.org" wide
+        $discord = "https://cdn.discordapp.com" wide
+        
+    condition:
+        uint16(0)==0x5A4D
+        and all of them
+        and (#telegram > 3 or #discord > 3)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_titan.yar b/yara_rules/infostealer_win_titan.yar
new file mode 100644
index 0000000..33ec62c
--- /dev/null
+++ b/yara_rules/infostealer_win_titan.yar
@@ -0,0 +1,26 @@
+rule infostealer_win_titan {
+    meta:
+        id = "0adbe616-0d91-4b05-b7a8-812cd79f9252"
+        version = "1.0"
+        description = "Finds samples of the Titan Stealer"
+        author = "Sekoia.io"
+        creation_date = "2023-01-12"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str0 = "/sendlog" ascii
+        $str1 = "/stealer/grabfiles.go" ascii
+        $str2 = "/stealer/installedsoft.go" ascii
+        $str3 = "/stealer/screenshot.go" ascii
+        $str4 = "/stealer/sendlog.go" ascii
+        $str5 = "/stealer/userinformation.go" ascii
+        $str6 = "C:/Program Files (x86)/Steam/config/" ascii
+        $str7 = "/com.liberty.jaxx/IndexedDB/file__0.indexeddb.leveldb/" ascii
+        $str8 = "MAC Adresses:" ascii
+        $str9 = "/Coowon/Coowon/" ascii
+        $str10 = "_/C_/Users/admin/Desktop/stealer_v7/stealer" ascii
+        
+    condition:
+        uint16(0)==0x5A4D and 5 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_vidar_str_jul22.yar b/yara_rules/infostealer_win_vidar_str_jul22.yar
new file mode 100644
index 0000000..5b6d5e3
--- /dev/null
+++ b/yara_rules/infostealer_win_vidar_str_jul22.yar
@@ -0,0 +1,30 @@
+rule infostealer_win_vidar_str_jul22 {
+    meta:
+        id = "1dc18694-aaac-41e6-979a-c06d5d62f5ea"
+        version = "1.0"
+        description = "Detect the Vidar infostealer based on specific strings"
+        author = "Sekoia.io"
+        creation_date = "2022-07-26"
+        modification_date = "2022-08-23"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "vcruntime140.dll" ascii
+        $str02 = "\\screenshot.jpg" ascii
+        $str03 = "HARDWARE\\DESCRIPTION\\System\\CentralProcessor" ascii
+        $str04 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall" ascii
+        $str05 = "%s\\%s\\%s\\chrome-extension_%s_0.indexeddb.leveldb" ascii
+        $str06 = "\\CC\\%s_%s.txt" ascii
+        $str07 = "\\Autofill\\%s_%s.txt" ascii
+        $str08 = "\\History\\%s_%s.txt" ascii
+        $str09 = "\\Downloads\\%s_%s.txt" ascii
+        $str10 = "Content-Disposition: form-data; name=" ascii
+        $str11 = "Exodus\\exodus.wallet" ascii
+        $str12 = "*%DRIVE_REMOVABLE%*" ascii
+        
+        $opc = {55 8b ec 51 56 8b 75 ?? 33 c0 c7 46 14 ?? ?? ?? ?? 89 46 ?? 68 ?? ?? ?? ?? 8b ce 89 45 ?? 88 06 e8 1f b6 ff ff 8b c6 5e c9 c2 ?? ??}
+        
+    condition:
+        uint16(0)==0x5A4D and (7 of them or $opc)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_vidar_strings_nov23.yar b/yara_rules/infostealer_win_vidar_strings_nov23.yar
new file mode 100644
index 0000000..aa7a9a6
--- /dev/null
+++ b/yara_rules/infostealer_win_vidar_strings_nov23.yar
@@ -0,0 +1,34 @@
+rule infostealer_win_vidar_strings_nov23 {
+    meta:
+        version = "1.0"
+        description = "Finds Vidar samples based on the specific strings"
+        author = "Sekoia.io"
+        reference = "https://twitter.com/crep1x/status/1722652451319202242"
+        creation_date = "2023-11-10"
+        id = "b2c17627-f9b8-4401-b657-1cce560edc76"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "MachineID:" ascii
+        $str02 = "Work Dir: In memory" ascii
+        $str03 = "[Hardware]" ascii
+        $str04 = "VideoCard:" ascii
+        $str05 = "[Processes]" ascii
+        $str06 = "[Software]" ascii
+        $str07 = "information.txt" ascii
+        $str08 = "%s\\*" ascii
+        $str09 = "Select * From AntiVirusProduct" ascii
+        $str10 = "SELECT target_path, tab_url from downloads" ascii
+        $str11 = "Software\\Martin Prikryl\\WinSCP 2\\Configuration" ascii
+        $str12 = "UseMasterPassword" ascii
+        $str13 = "Soft: WinSCP" ascii
+        $str14 = "<Pass encoding=\"base64\">" ascii
+        $str15 = "Soft: FileZilla" ascii
+        $str16 = "passwords.txt" ascii
+        $str17 = "build_id" ascii
+        $str18 = "file_data" ascii
+        
+    condition:
+        uint16(0)==0x5A4D and 10 of ($str*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_vulturi.yar b/yara_rules/infostealer_win_vulturi.yar
new file mode 100644
index 0000000..a56e16c
--- /dev/null
+++ b/yara_rules/infostealer_win_vulturi.yar
@@ -0,0 +1,36 @@
+rule infostealer_win_vulturi {
+    meta:
+        id = "5369cbfb-ff94-4484-b5a4-894feeed97e1"
+        version = "1.0"
+        description = "Detect the Vulturi infostealer based on specific strings"
+        author = "Sekoia.io"
+        reference = "https://lamp-ret.club/t/vulturi-cracked-by-tr0uble-and-eshelon_mayskih.193/"
+        creation_date = "2022-03-14"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $vul = "Vulturi_" ascii
+        
+        $str01 = "/C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A" wide
+        $str02 = "SELECT ExecutablePath, ProcessID FROM Win32_Process" wide
+        $str03 = "Apps\\Gaming\\Minecraft" wide
+        $str04 = "Apps\\Gaming\\Steam\\Apps" wide
+        $str05 = "Messengers\\Facebook\\Contacts.txt" wide
+        $str06 = "Messengers\\Discord\\Tokens.txt" wide
+        $str07 = "Apps\\VPN\\NordVPN\\accounts.txt" wide
+        $str08 = "Apps\\VPN\\DUC\\credentials.txt" wide
+        $str09 = "System\\Screenshots\\Webcam.png" wide
+        $str10 = "System\\Screenshots\\Desktop.png" wide
+        $str11 = "GTA San Andreas User Files\\SAMP\\USERDATA.DAT" wide
+        $str12 = "http://ip-api.com/line?fields=query" wide
+        $str13 = "Wireshark" wide
+        $str14 = "KeePass.config.xml" wide
+        $str15 = "Apps\\TheBat!" wide
+        $str16 = "Vulturi" wide
+        $str17 = "StealerStub" wide
+        
+    condition:
+        uint16(0)==0x5A4D and
+        (#vul > 50 or 12 of ($str*))
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_whitesnake_loader_feb23.yar b/yara_rules/infostealer_win_whitesnake_loader_feb23.yar
new file mode 100644
index 0000000..50e1a5b
--- /dev/null
+++ b/yara_rules/infostealer_win_whitesnake_loader_feb23.yar
@@ -0,0 +1,24 @@
+rule infostealer_win_whitesnake_loader_feb23 {
+    meta:
+        id = "f81a8a96-6fd2-4f5c-8a56-ff66ff1a80d3"
+        version = "1.0"
+        description = "Finds WhiteSnake samples (loader module, bat file)"
+        author = "Sekoia.io"
+        creation_date = "2023-03-01"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "echo         Please wait... a while Loading data ...." ascii
+        $str02 = "CERTUTIL -f -decode"  ascii
+        $str03 = "%Temp%\\build.exe" ascii
+        
+        $crt = "-----BEGIN CERTIFICATE-----" ascii
+        
+        $mz = "TVqQAAMAAAAEAAAA" ascii
+        
+    condition:
+        ($str01 in (0..200) or $str02 in (0..200) or $str03 in (0..200)) and
+        $mz in (@crt..@crt+50) and
+        filesize < 100KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_whitesnake_stealer_feb23.yar b/yara_rules/infostealer_win_whitesnake_stealer_feb23.yar
new file mode 100644
index 0000000..1994551
--- /dev/null
+++ b/yara_rules/infostealer_win_whitesnake_stealer_feb23.yar
@@ -0,0 +1,32 @@
+rule infostealer_win_whitesnake_stealer_feb23 {
+    meta:
+        id = "68ae7fbc-4486-4b60-af5e-f37ddc58f170"
+        version = "1.0"
+        description = "Finds WhiteSnake samples (stealer module)"
+        author = "Sekoia.io"
+        creation_date = "2023-03-01"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $fun01 = "Ibhiyptxjhiacrnxomvqjb" ascii
+        $fun02 = "Irwcvmgzsduiiizaabbczm" ascii
+        
+        $whi = "WhiteSnake.Properties.Resources" ascii
+        
+        $str01 = "get_UtcNow" ascii
+        $str02 = "get_IPAddress" ascii
+        $str03= "get_Ticks" ascii
+        $str04 = "set_commands" ascii
+        $str05 = "set_Information" ascii
+        $str06 = "set_filedata" ascii
+        $str07 = "get_Jpeg" ascii
+        $str08 = "set_Culture" ascii
+        $str09 = "MakeScreenshot" ascii
+        
+    condition:
+        uint16(0) == 0x5A4D and
+        ((all of ($fun*) or $whi) and 3 of ($str*) or
+        7 of ($str*)) and
+        filesize < 100KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_whitesnake_xor_rc4_july12.yar b/yara_rules/infostealer_win_whitesnake_xor_rc4_july12.yar
new file mode 100644
index 0000000..74757fa
--- /dev/null
+++ b/yara_rules/infostealer_win_whitesnake_xor_rc4_july12.yar
@@ -0,0 +1,21 @@
+rule infostealer_win_whitesnake_xor_rc4_july12 {
+    meta:
+        id = "f2ebfcbd-9667-459a-a543-ce0be62c0dc4"
+        version = "1.0"
+        description = "Detects WhiteSnake Stealer XOR and RC4 version"
+        author = "Sekoia.io"
+        creation_date = "2023-07-12"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $1 = {FE 0C 00 00 FE 09 00 00 FE 0C 02 00 6F ?? 00 00 0A FE 0C 03 00 61 D1 FE 0E 04 00 FE}
+        $2 = {61 6e 61 6c 2e 6a 70 67}
+        $3 = {73 68 69 74 2e 6a 70 67}
+        $4 = {FE 0C ?? 00 20 00 01 00 00 3F ?? FF FF FF 20 00 00 00 00 FE 0E ?? 00 38 ?? 00 00 00 FE 0C}
+        $5 = "qemu" wide
+        $6 = "vbox" wide
+        
+    condition:
+        ($1 and $2 and filesize < 600KB) or ($3 and $4 and $5 and $6 and filesize < 300KB)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_xehook_str.yar b/yara_rules/infostealer_win_xehook_str.yar
new file mode 100644
index 0000000..02a928b
--- /dev/null
+++ b/yara_rules/infostealer_win_xehook_str.yar
@@ -0,0 +1,33 @@
+rule infostealer_win_xehook_str {
+    meta:
+        id = "fa76988d-f0a2-4fc2-a122-c104fd585f34"
+        version = "1.0"
+        description = "Finds XehookStealer standalone samples based on specific strings."
+        author = "Sekoia.io"
+        creation_date = "2024-06-12"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "xehook" ascii
+        $str02 = "Classes.LogRecord" ascii
+        $str03 = "__  _____| |__   ___   ___ | | __" wide
+        $str04 = "\\ \\/ / _ \\ '_ \\ / _ \\ / _ \\| |/ /" wide
+        $str05 = " >  <  __/ | | | (_) | (_) |   <" wide
+        $str06 = "/_/\\_\\___|_| |_|\\___/ \\___/|_|\\_\\" wide
+        $str07 = "https://t.me/xehook" wide
+        $str08 = "About PC.txt" wide
+        $str09 = "Browser: {4} v{5} ({6})" wide
+        $str10 = "http://ip-api.com/json/?fields=11827" wide
+        $str11 = "{0}gate.php?id={1}&build={2}&passwords={3}&cookies={4}" wide
+        $str12 = "getjson.php?id=" wide
+        
+        $com01 = "CheckRemoteDebuggerPresent" ascii
+        $com02 = "get_CurrentThread" ascii
+        $com03 = "get_InstalledInputLanguages" ascii
+        $com04 = "get_Ticks" ascii
+        $com05 = "System.Security.Cryptography" ascii
+        
+    condition:
+        uint16(0)==0x5A4D and 2 of ($str*) and 4 of ($com*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_xenostealer_strings.yar b/yara_rules/infostealer_win_xenostealer_strings.yar
new file mode 100644
index 0000000..87c199a
--- /dev/null
+++ b/yara_rules/infostealer_win_xenostealer_strings.yar
@@ -0,0 +1,36 @@
+rule infostealer_win_xenostealer_strings {
+    meta:
+        id = "0a41788b-1fa7-44ff-af85-9c1ff1892aad"
+        version = "1.0"
+        description = "Finds XenoStealer standalone samples based on the strings"
+        author = "Sekoia.io"
+        reference = "https://github.com/moom825/XenoStealer/"
+        creation_date = "2024-10-30"
+        classification = "TLP:CLEAR"
+        hash = "b74733d68e95220ab0630a68ddf973b0c959fd421628e639c1b91e465ba9299b"
+        
+    strings:
+        $str01 = "XenoStealer" ascii wide
+        $str02 = "$d05de59c-9ee5-4e7e-abb5-8f2cc3f72cd1" ascii
+        $str03 = "SteamInfo" ascii
+        $str04 = "TelegramInfo" ascii
+        $str05 = "NgrokInfo" ascii
+        $str06 = "pAuthInfo" ascii
+        $str07 = "FoxMailInfo" ascii
+        $str08 = "_hasNitro" ascii
+        $str09 = "_games" ascii
+        $str10 = "_profiles" ascii
+        $str11 = "_cookies" ascii
+        $str12 = "_creditCards" ascii
+        $str13 = "_cryptoExtensions" ascii
+        $str14 = "_passwordManagerExtensions" ascii
+        $str15 = "ChromiumBrowsersLikelyLocations" ascii
+        $str16 = "EdgeCryptoExtensions" ascii
+        $str17 = "ChromePasswordManagerExtensions" ascii
+        $str18 = "GeckoBrowserOptions" ascii
+        $str19 = "get_programFiles" ascii
+        
+    condition:
+        uint16(0)==0x5A4D and 15 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/infostealer_win_xfiles.yar b/yara_rules/infostealer_win_xfiles.yar
new file mode 100644
index 0000000..31bec41
--- /dev/null
+++ b/yara_rules/infostealer_win_xfiles.yar
@@ -0,0 +1,51 @@
+rule infostealer_win_xfiles {
+    meta:
+        id = "3ad3ee19-6be8-484b-943c-05813cdcbd18"
+        version = "1.0"
+        description = "Detect the X-FILES infostealer based on specific strings"
+        author = "Sekoia.io"
+        reference = "https://twitter.com/3xp0rtblog/status/1375206169384521730"
+        creation_date = "2022-02-03"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $xfi0 = "Telegram bot - @XFILESShop_Bot" wide
+        $xfi1 = "Telegram support - @XFILES_Seller" wide
+        
+        $brw0 = "\\Google\\Chrome\\User Data\\Default\\Network\\Cookies" wide
+        $brw1 = "\\Chromium\\User Data\\Default\\Cookies" wide
+        $brw2 = "\\Slimjet\\User Data\\Default\\Cookies" wide
+        $brw3 = "\\Vivaldi\\User Data\\Default\\Cookies" wide
+        $brw4 = "\\Opera Software\\Opera GX Stable\\Cookies" wide
+        $brw5 = "\\Opera Software\\Opera Stable\\Cookies" wide
+        
+        $crp00 = "Tronlink" wide
+        $crp01 = "NiftyWallet" wide
+        $crp02 = "MetaMask" wide
+        $crp03 = "MathWallet" wide
+        $crp04 = "Coinbase" wide
+        $crp05 = "BinanceChain" wide
+        $crp06 = "GuardaWallet" wide
+        $crp07 = "EqualWallet" wide
+        $crp08 = "BitAppWallet" wide
+        $crp09 = "iWallet" wide
+        $crp10 = "Wombat" wide
+        $crp11 = "Zcash" wide
+        $crp12 = "Armory" wide
+        $crp13 = "Bytecoin" wide
+        $crp14 = "Jaxx" wide
+        $crp15 = "Exodus" wide
+        $crp16 = "Ethereum" wide
+        $crp17 = "AtomicWallet" wide
+        $crp18 = "Guarda" wide
+        $crp19 = "Coinomi" wide
+        $crp20 = "Litecoin" wide
+        $crp21 = "Dash" wide
+        $crp22 = "Bitcoin" wide
+        
+    condition:
+        uint16(0)==0x5A4D and 
+        any of ($xfi*) or 
+        5 of ($brw*) and 20 of ($crp*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/installer_win_minibus.yar b/yara_rules/installer_win_minibus.yar
new file mode 100644
index 0000000..83c487d
--- /dev/null
+++ b/yara_rules/installer_win_minibus.yar
@@ -0,0 +1,28 @@
+import "pe"
+import "hash"
+        
+rule installer_win_minibus {
+    meta:
+        id = "0f7f600d-d93b-4b5a-aa0e-7d91038409e6"
+        version = "1.0"
+        description = "Detect MINIBUS installer"
+        author = "Sekoia.io"
+        creation_date = "2024-04-08"
+        classification = "TLP:CLEAR"
+        hash1 = "26ca51cb067e1fdf1b8ad54ba49883bc5d1945952239aec0c4840754bff76621"
+        hash2 = "90fa29cc98be1d715df26d22079bdb8ce1d1fd3ce6a4efb39a4c192134e01020"
+        
+    strings:
+        $ = "\\essential.dat"
+        $ = "TorvaldInitial.dll"
+        
+    condition:
+        // Strings
+        uint16be(0) == 0x4d5a and 1 of them
+        
+        // Resources
+        or for any i in (0..pe.number_of_resources-1) : (
+            hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "de3fb5d4419eb6b943872dd6e3dd93d19584ef2b158aa3158b3b09f0a9b628ef"
+        )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/keylogger_win_donot.yar b/yara_rules/keylogger_win_donot.yar
new file mode 100644
index 0000000..82b98e5
--- /dev/null
+++ b/yara_rules/keylogger_win_donot.yar
@@ -0,0 +1,17 @@
+rule keylogger_win_donot {
+    meta:
+        id = "4f67dda7-da68-4496-a8b4-a8a769ddd763"
+        version = "1.0"
+        description = "Detect the DoNot's keylogger malware"
+        author = "Sekoia.io"
+        creation_date = "2023-03-20"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "iwrct2mTFAu0ew1nyqQgoaNtNo0+52R0XiTKbwy1W48Bn1b2YcNt0+tptyY6oGoAeLDGekM/yHcdikNGi8bLqkUQ8CIdkWeT3QiympOTfjs="
+        $ = "ZmVwZW9kbWZ2c24ucHMuZ3h4LngweXBvdWpkYm1qcXE7YnFmVXp1LmZvb3VEcA=="
+        
+    condition:
+       1 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/killfloor_avkiller_strings.yar b/yara_rules/killfloor_avkiller_strings.yar
new file mode 100644
index 0000000..38a8446
--- /dev/null
+++ b/yara_rules/killfloor_avkiller_strings.yar
@@ -0,0 +1,26 @@
+rule killfloor_avkiller_strings {
+    meta:
+        id = "ae6908c3-27d4-4d2c-af21-a9548dfcd487"
+        version = "1.0"
+        description = "Kill-Floor strings"
+        author = "Sekoia.io"
+        creation_date = "2024-10-29"
+        classification = "TLP:CLEAR"
+        hash = "9f16176ac20f7855fa960d321e156d69"
+        hash = "4b019e9ed2de734e242602abce06f7c1"
+        hash = "81ae32d9de8fd21acfc61d62f3292277"
+        hash = "7cb2c4560e02c25463ec70e222ad0018"
+        
+    strings:
+        $ = "sc create aswArPot.sys type=kernel binpath=%s" ascii
+        $ = "sc start aswArPot.sys" ascii
+        $ = "[*] Enumerating target processes" ascii
+        $ = "[*] Entering main loop... " ascii
+        $ = "aswArPot.pdb" ascii
+        $ = "SeConvertStringSecurityDescriptorToSecurityDescriptor" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and filesize < 1MB and filesize > 20KB and 
+        6 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/kimsuky_konni_dll.yar b/yara_rules/kimsuky_konni_dll.yar
new file mode 100644
index 0000000..13642de
--- /dev/null
+++ b/yara_rules/kimsuky_konni_dll.yar
@@ -0,0 +1,30 @@
+rule kimsuky_konni_dll {
+    meta:
+        id = "6a20c492-e932-41bd-ac4a-01d35bfb0c49"
+        version = "1.0"
+        description = "Rule based on structure offset and file extension"
+        author = "Sekoia.io"
+        creation_date = "2022-09-12"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ext_1 = ".zip" wide ascii fullword
+        $ext_2 = ".cab" wide ascii fullword
+        $ext_3 = ".rar" wide ascii fullword
+        $ext_4 = ".ini" wide ascii fullword
+        $ext_5 = ".dat" wide ascii fullword
+        
+        $offset_structure_1 = { 8d ?? 08 02 00 00 } //offset 0x208
+        $offset_structure_2 = { 8d ?? 10 04 00 00 } //offset 0x410
+        $offset_structure_3 = { 8d ?? 18 06 00 00 } //offset 0x618
+        $offset_structure_4 = { 8d ?? 20 08 00 00 } //offset 0x820
+        $offset_structure_5 = { 8d ?? 28 0a 00 00 } //offset 0xa28
+        $offset_structure_6 = { 89 ?? f8 11 00 00 } //offset 0x11f8
+        $offset_structure_7 = { 8d ?? fc 11 00 00 } //offset 0x11fc
+        $offset_structure_8 = { 89 ?? 0c 12 00 00 } //offset 0x120c
+        $offset_structure_9 = { 89 ?? 10 12 00 00 } //offset 0x1210
+        
+    condition:
+        uint16be(0) == 0x4d5a and filesize < 11MB and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/koi_koiloader.yar b/yara_rules/koi_koiloader.yar
new file mode 100644
index 0000000..28d90ca
--- /dev/null
+++ b/yara_rules/koi_koiloader.yar
@@ -0,0 +1,20 @@
+rule koi_koiloader {
+    meta:
+        id = "b8289d78-42de-4919-b2c5-3c926ddd8043"
+        version = "1.0"
+        description = "Detects Koi Loader"
+        author = "Sekoia.io"
+        creation_date = "2024-03-20"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s2 = "%d|%s|%.16s|" ascii wide
+        $s3 = "Release" ascii wide
+        $s4 = "%s|%d.%d (%d)|%S|%S|%S" ascii wide
+        $s5 = "InitiateSystemShutdownExW" ascii wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and filesize < 11MB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/koi_netstealer.yar b/yara_rules/koi_netstealer.yar
new file mode 100644
index 0000000..0649e89
--- /dev/null
+++ b/yara_rules/koi_netstealer.yar
@@ -0,0 +1,21 @@
+rule koi_netstealer {
+    meta:
+        id = "deb06e2a-848c-44b3-be95-017ebccf11f8"
+        version = "1.0"
+        description = "Detects NET ofbuscated Stealer used loaded by KoiLoader"
+        author = "Sekoia.io"
+        creation_date = "2024-03-20"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $name_1 = "pg20"
+        $name_2 = "pg40"
+        $s1 = "Curve25519"
+        $s2 = "ConsoleApp"
+        $s3 = "e0d2eec7-eb14-48ba-8709-dcc9de65947d"
+        
+    condition:
+        uint16be(0) == 0x4d5a and filesize < 150KB and 
+        any of ($name_*) and all of ($s*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/koi_powershell_loading_obfuscatednet.yar b/yara_rules/koi_powershell_loading_obfuscatednet.yar
new file mode 100644
index 0000000..d1776ac
--- /dev/null
+++ b/yara_rules/koi_powershell_loading_obfuscatednet.yar
@@ -0,0 +1,19 @@
+rule koi_powershell_loading_obfuscatednet {
+    meta:
+        id = "75a7460d-cc28-470e-9841-da8e46ee0101"
+        version = "1.0"
+        description = "Powershell script loading obfuscated .NET Koi module"
+        author = "Sekoia.io"
+        creation_date = "2024-03-20"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "# [Net.ServicePointManager]::SecurityProtocol +='tls12'"
+        $s2 = "$binary[$i] = $binary[$i] -bxor $k[$i % $k.Length]"
+        $s3 = "\").Split('|')"
+        $s4 = "$ep.Invoke($null, "
+        
+    condition:
+        $s3 and 3 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/koiloader_lnk.yar b/yara_rules/koiloader_lnk.yar
new file mode 100644
index 0000000..7301805
--- /dev/null
+++ b/yara_rules/koiloader_lnk.yar
@@ -0,0 +1,19 @@
+rule koiloader_lnk {
+    meta:
+        id = "e82975b9-94b7-4de8-8cd5-d594aa80cf02"
+        version = "1.0"
+        description = "LNK file leading to deploy KoiLoader"
+        author = "Sekoia.io"
+        creation_date = "2024-03-20"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "bat & schtasks /create" wide
+        $s2 = "/sc minute /mo 1" wide
+        $s3 = "c3RhcnQgL21pbiBwb3dlcnNoZWxsIC1jb21tYW5kICJJV1IgLVVzZUJhc2ljUGFyc2luZyAnaHR0cHM6" wide
+        $s4 = " & certutil -f -decode " wide
+        
+    condition:
+        uint32(0) == 0x0000004c and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/koiloader_powershell_reflective_loading.yar b/yara_rules/koiloader_powershell_reflective_loading.yar
new file mode 100644
index 0000000..9fce3a8
--- /dev/null
+++ b/yara_rules/koiloader_powershell_reflective_loading.yar
@@ -0,0 +1,20 @@
+rule koiloader_powershell_reflective_loading {
+    meta:
+        id = "9bbe4cea-3e64-4377-bf93-def9fb629734"
+        version = "1.0"
+        description = "Powershell script loading service.exe (related to Koi Loader)"
+        author = "Sekoia.io"
+        creation_date = "2024-03-20"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "[Byte[]]$image" ascii fullword
+        $s2 = "function GDT"
+        $s3 = "function GPA"
+        $s4 = "GDT @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr])"
+        $s5 = "$marshal::GetDelegateForFunctionPointer($CTAddr, $CTDeleg)"
+        
+    condition:
+        $s1 at 0 and 4 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/latrodectus_br4_js_dropper.yar b/yara_rules/latrodectus_br4_js_dropper.yar
new file mode 100644
index 0000000..24562a4
--- /dev/null
+++ b/yara_rules/latrodectus_br4_js_dropper.yar
@@ -0,0 +1,17 @@
+rule latrodectus_br4_js_dropper {
+    meta:
+        id = "042a598d-66fa-4994-a793-228355abd5dd"
+        version = "1.0"
+        description = "Detect the JS script used to drop Latrodectus"
+        author = "Sekoia.io"
+        creation_date = "2024-06-25"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = " installer.InstallProduct(msiPath);" ascii
+        $s2 = "new ActiveXObject(\"WindowsInstaller.Installer\");" ascii
+        
+    condition:
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/latrodectus_exports.yar b/yara_rules/latrodectus_exports.yar
new file mode 100644
index 0000000..6111aa8
--- /dev/null
+++ b/yara_rules/latrodectus_exports.yar
@@ -0,0 +1,16 @@
+import "pe"
+        
+rule latrodectus_exports {
+    meta:
+        version = "1.0"
+        description = "detection based on the exports"
+        creation_date = "2024-07-03"
+        classification = "TLP:CLEAR"
+        author = "Sekoia.io"
+        id = "29076cf5-f391-42f2-918f-e1c929bd368d"
+        
+    condition:
+        (pe.exports("stow") or pe.exports("homq") or pe.exports("scub")) and 
+        pe.number_of_exports >= 3 and uint16(0) == 0x5a4d
+}
+        
\ No newline at end of file
diff --git a/yara_rules/launcher_win_bluehaze.yar b/yara_rules/launcher_win_bluehaze.yar
new file mode 100644
index 0000000..7d56040
--- /dev/null
+++ b/yara_rules/launcher_win_bluehaze.yar
@@ -0,0 +1,36 @@
+import "pe"
+import "hash"
+        
+rule launcher_win_bluehaze {
+    meta:
+        id = "ccfe0593-0a9f-4369-952e-5cef2f459bb3"
+        version = "1.0"
+        description = "Detect the BLUEHAZE malware"
+        author = "Sekoia.io"
+        creation_date = "2022-12-01"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "Libraries\\CNNUDTV"
+        $ = "cmd.exe /C wuwebv.exe -t -e"
+        $ = "cmd.exe /C reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v ACNTV /t REG_SZ /d \"Rundll32.exe SHELL32.DLL,ShellExec_RunDLL"
+        
+    condition:
+        // Strings
+        uint16(0)==0x5A4D and 3 of them
+        
+        // Imphash
+        or pe.imphash() == "1b3d8fae6035e34f91baa59643746efe"
+
+        // Rich header
+        or hash.md5(pe.rich_signature.clear_data) == "44022b7cefeae4d55edcceb5b9bcd295"
+
+        // Sections
+        or for any i in (0..pe.number_of_sections-1) : (
+            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "1cdcb493593f8793b10e109f6b5b2993"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "276d668ed7d1b46e101425e02a16460f"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "f6a474220add335b5696256235ce8c9c"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "82bccb3330d50080f86ab1aa566cae8e"
+        )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/launcher_win_mistcloak.yar b/yara_rules/launcher_win_mistcloak.yar
new file mode 100644
index 0000000..4762ca7
--- /dev/null
+++ b/yara_rules/launcher_win_mistcloak.yar
@@ -0,0 +1,34 @@
+import "hash"
+import "pe"
+        
+rule launcher_win_mistcloak {
+    meta:
+        id = "3dbf5efa-d77c-436a-a080-9ac58a78425f"
+        version = "1.0"
+        description = "Detect the MISTCLOAK malware"
+        author = "Sekoia.io"
+        creation_date = "2022-12-01"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "\\usb.ini"
+        $ = "autorun.inf\\Protection for Autorun\\System Volume Information"
+        $ = "G:\\project\\APT\\U"
+        $ = "\\new\\u2ec\\Release\\u2ec.pdb"
+        $ = "CheckUsbService"
+        
+    condition:
+        // Strings
+        uint16(0)==0x5A4D and 3 of them
+
+        // Rich header
+        or hash.md5(pe.rich_signature.clear_data) == "0f5082fd7ddd1950fa332a8fa4df052f"
+
+        // Sections
+        or for any i in (0..pe.number_of_sections-1) : (
+            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "0ceac625db1e8405efe45d47486e9e2d"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "6968e6ac7b9c1dfbf40a0b3c4f6f4157"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "e6ed2da41f74e948cba7a002c41c6af5"
+        )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/launcher_win_romcom_launcher.yar b/yara_rules/launcher_win_romcom_launcher.yar
new file mode 100644
index 0000000..133ac2b
--- /dev/null
+++ b/yara_rules/launcher_win_romcom_launcher.yar
@@ -0,0 +1,17 @@
+rule launcher_win_romcom_launcher {
+    meta:
+        id = "e8fa8239-a763-4be2-8f34-8e112e65b35e"
+        version = "1.0"
+        description = "Detect the launcher of RomCom malware"
+        author = "Sekoia.io"
+        creation_date = "2022-11-04"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        // C:\Users\123\source\repos\ins_asi\Win32\Release\setup.pdb
+        $ = {43 3a 5c 55 73 65 72 73 5c 31 32 33 5c 73 6f 75 72 63 65 5c 72 65 70 6f 73 5c 69 6e 73 5f 61 73 69 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 73 65 74 75 70 2e 70 64 62}
+        
+    condition:
+        uint16(0)==0x5A4D and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/launcher_win_stealthmutant_bat_launcher.yar b/yara_rules/launcher_win_stealthmutant_bat_launcher.yar
new file mode 100644
index 0000000..7edae10
--- /dev/null
+++ b/yara_rules/launcher_win_stealthmutant_bat_launcher.yar
@@ -0,0 +1,27 @@
+rule launcher_win_stealthmutant_bat_launcher {
+    meta:
+        id = "7452291f-2244-469e-bb7c-5eff1ca17aa2"
+        version = "1.0"
+        description = "StealthMutant/StealthVector bat launcher"
+        author = "Sekoia.io"
+        creation_date = "2021-08-26"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "set \"WORK_DIR=" ascii
+        $s2 = "set \"DLL_NAME=" ascii
+        $s3 = "set \"SERVICE_NAME=" ascii
+        $s4 = "set \"DISPLAY_NAME=" ascii
+        $s5 = "set \"DESCRIPTION=" ascii
+        
+        $start = "@echo off" ascii
+        $end = "net start \"%SERVICE_NAME%\"" ascii
+        
+    condition:
+        uint16(0)!=0x5A4D  
+        and all of ($s*)
+        and filesize < 2KB
+        and $start at 0
+        and $end in (filesize-30..filesize)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/lnk_astaroth.yar b/yara_rules/lnk_astaroth.yar
new file mode 100644
index 0000000..d17ece2
--- /dev/null
+++ b/yara_rules/lnk_astaroth.yar
@@ -0,0 +1,34 @@
+rule lnk_astaroth {
+    meta:
+        id = "1f4ce619-6f94-400a-9b32-46f2018da25c"
+        version = "1.0"
+        description = "Astaroth LNK"
+        author = "Sekoia.io"
+        creation_date = "2024-09-18"
+        classification = "TLP:CLEAR"
+        hash = "5611ea372f63ccd3a2e860e763714bb9"
+        hash = "3e4c01180fd7e9bffbf5cc9fe9e9c8ae"
+        hash = "ce4a3cfc450a8bbf8399c71d67c09954"
+        
+    strings:
+        $all1 = "S-1-5-21-" wide
+        $all2 = "..\\..\\Windows\\System32\\cmd.exe" wide
+        
+        $ver2_1 = "&&<nul" wide
+        $ver2_2 = "|call !" wide
+        $ver2_3 = "\\shell32.dll" wide
+        $ver2_4 = ";eval(" wide
+        $ver2_5 = "\\u" wide
+        
+        $ver1_1 = "/c mshtA \"JaVAsCrIpT:" nocase wide
+        $ver1_2 = "}catch(" nocase wide
+        $ver1_3 = "){}" nocase wide
+        $ver1_4 = "close()" nocase wide
+        $ver1_5 = "\\x" wide
+        $ver1_6 = "\\1" wide
+        
+    condition:
+        uint32be(0) == 0x4c000000 and filesize<3KB and all of ($all*) and
+        ((all of ($ver2*) and #ver2_5 > 20) or (all of ($ver1*) and #ver1_5 > 20 and #ver1_6 > 7))
+}
+        
\ No newline at end of file
diff --git a/yara_rules/loader_amadey_clipper_plugin.yar b/yara_rules/loader_amadey_clipper_plugin.yar
new file mode 100644
index 0000000..49670a9
--- /dev/null
+++ b/yara_rules/loader_amadey_clipper_plugin.yar
@@ -0,0 +1,22 @@
+rule loader_amadey_clipper_plugin {
+    meta:
+        version = "1.0"
+        description = "Finds Amadey's clipper plugin based on characteristic strings"
+        author = "Sekoia.io"
+        creation_date = "2023-05-16"
+        id = "487b6657-8834-45ee-8fd4-03df9c0dd7be"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "CLIPPERDLL.dll" ascii
+        $str02 = "??4CClipperDLL@@QAEAAV0@$$QAV0@@Z" ascii
+        $str03 = "??4CClipperDLL@@QAEAAV0@ABV0@@Z" ascii
+        $str04 = "Main" ascii fullword
+        $str05 = "OpenClipboard" ascii
+        $str06 = "GetClipboardData" ascii
+        $str07 = "D:\\Mktmp\\Amadey\\ClipperDLL\\Release\\CLIPPERDLL.pdb" ascii
+        
+    condition:
+        uint16(0)==0x5A4D and 5 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/loader_amadey_standalone_may23.yar b/yara_rules/loader_amadey_standalone_may23.yar
new file mode 100644
index 0000000..2f45623
--- /dev/null
+++ b/yara_rules/loader_amadey_standalone_may23.yar
@@ -0,0 +1,18 @@
+rule loader_amadey_standalone_may23 {
+    meta:
+        version = "1.0"
+        description = "Finds standalone samples of Amadey based on characteristic strings"
+        author = "Sekoia.io"
+        creation_date = "2023-05-17"
+        id = "5013586c-5ac3-4c1a-a82e-edce4889eedc"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "\\Amadey\\Release\\Amadey.pdb" ascii
+        
+        $hex01 = { 6E 74 64 6C 6C 2E 64 6C  6C 00 00 00 72 75 6E 61 73 } //ntdll.dll   runas
+        
+    condition:
+        uint16(0)==0x5A4D and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/loader_amadey_stealer_plugin.yar b/yara_rules/loader_amadey_stealer_plugin.yar
new file mode 100644
index 0000000..ded8861
--- /dev/null
+++ b/yara_rules/loader_amadey_stealer_plugin.yar
@@ -0,0 +1,28 @@
+rule loader_amadey_stealer_plugin {
+    meta:
+        version = "1.0"
+        description = "Finds Amadey's stealer plugin based on characteristic strings"
+        author = "Sekoia.io"
+        creation_date = "2023-05-16"
+        id = "50154e39-98b3-40e5-8986-18bbb7b15647"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "STEALERDLL.dll" ascii
+        $str02 = "?wal=1" fullword ascii
+        $str03 = "Content-Disposition: form-data; name=\"data\"; filename=\"" ascii
+        $str04 = "tar.exe -cf \"" ascii
+        $str05 = "SELECT origin_url, username_value, password_value FROM logins" ascii
+        $str06 = "\\Google\\Chrome\\User Data\\Default\\Login Data" ascii
+        $str07 = "\\SputnikLab\\Sputnik\\User Data\\Default\\Login Data" ascii
+        $str08 = "\\Mozilla\\Firefox\\Profiles\\" ascii
+        $str09 = "\"hostname\":\"([^\"]+)\"" ascii
+        $str10 = "\"encryptedUsername\":\"([^\"]+)\"" ascii
+        $str11 = "\"encryptedPassword\":\"([^\"]+)\"" ascii
+        $str12 = "&cred=" fullword ascii
+        $str13 = "D:\\Mktmp\\Amadey\\StealerDLL\\x64\\Release\\STEALERDLL.pdb" ascii
+        
+    condition:
+        uint16(0)==0x5A4D and 7 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/loader_fakebat_initial_powershell_may24.yar b/yara_rules/loader_fakebat_initial_powershell_may24.yar
new file mode 100644
index 0000000..fc8b3bc
--- /dev/null
+++ b/yara_rules/loader_fakebat_initial_powershell_may24.yar
@@ -0,0 +1,22 @@
+rule loader_fakebat_initial_powershell_may24 {
+    meta:
+        id = "adf0e4fc-fa98-470b-9535-bd30d0bdb3aa"
+        version = "1.0"
+        description = "Finds FakeBat initial PowerShell script downloading and executing the next-stage payload."
+        author = "Sekoia.io"
+        creation_date = "2024-05-28"
+        modification_date = "2024-06-21"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "='http" wide
+        $str02 = "=(iwr -Uri $" wide
+        $str03 = " -UserAgent $" wide
+        $str04 = " -UseBasicParsing).Content; iex $" wide
+        
+    condition:
+        3 of ($str*) and
+        filesize < 1KB and
+        true
+}
+        
\ No newline at end of file
diff --git a/yara_rules/loader_fakebat_powershell_fingerprint_may24.yar b/yara_rules/loader_fakebat_powershell_fingerprint_may24.yar
new file mode 100644
index 0000000..95b614a
--- /dev/null
+++ b/yara_rules/loader_fakebat_powershell_fingerprint_may24.yar
@@ -0,0 +1,28 @@
+rule loader_fakebat_powershell_fingerprint_may24 {
+    meta:
+        id = "7efcf9cf-78fe-400e-abe3-6955c394e358"
+        version = "1.0"
+        description = "Finds FakeBat PowerShell script fingerprinting the infected host."
+        author = "Sekoia.io"
+        creation_date = "2024-06-21"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "Get-WmiObject Win32_ComputerSystem" ascii
+        $str02 = "-Class AntiVirusProduct" ascii
+        $str03 = "status = \"start\"" ascii
+        $str04 = " | ConvertTo-Json" ascii
+        $str05 = ".FromXmlString(" ascii
+        $str06 = " = Invoke-RestMethod -Uri " ascii
+        $str07 = ".Exception.Response.StatusCode -eq 'ServiceUnavailable'" ascii
+        $str08 = "Invoke-WebRequest -Uri $url -OutFile " ascii
+        $str09 = "--batch --yes --passphrase-fd" ascii
+        $str10 = "--decrypt --output" ascii
+        $str11 = "Invoke-Expression \"tar --extract --file=" ascii
+        
+    condition:
+        7 of them and
+        filesize < 10KB and
+        true
+}
+        
\ No newline at end of file
diff --git a/yara_rules/loader_latrodectus_dll.yar b/yara_rules/loader_latrodectus_dll.yar
new file mode 100644
index 0000000..d127451
--- /dev/null
+++ b/yara_rules/loader_latrodectus_dll.yar
@@ -0,0 +1,36 @@
+rule loader_latrodectus_dll {
+    meta:
+        version = "1.0"
+        description = "Finds Latrodectus samples based on the specific strings"
+        author = "Sekoia.io"
+        reference = "https://twitter.com/Myrtus0x0/status/1732997981866209550"
+        creation_date = "2023-12-08"
+        id = "c60676ad-31cb-4f4d-9073-757a0ad7d23d"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "c:\\temp\\debug.pdb" fullword ascii
+        $str02 = "Bottmp64.dll" fullword ascii
+        $str03 = "scab" fullword ascii
+        $str04 = "&wmic=" fullword ascii
+        $str05 = "&ipconfig=" fullword ascii
+        $str06 = "&systeminfo=" fullword ascii
+        $str07 = "&domain_trusts=" fullword ascii
+        $str08 = "&domain_trusts_all=" fullword ascii
+        $str09 = "&net_view_all_domain=" fullword ascii
+        $str10 = "&net_view_all=" fullword ascii
+        $str11 = "&net_group=" fullword ascii
+        $str12 = "&net_config_ws=" fullword ascii
+        $str13 = "&net_wmic_av=" fullword ascii
+        $str14 = "&whoami_group=" fullword ascii
+        $str15 = "\"subproc\": [" fullword ascii
+        $str16 = "&proclist=[" fullword ascii
+        $str17 = "&desklinks=[" fullword ascii
+        $str18 = "Update_%x" fullword wide
+        $str19 = "Custom_update" fullword wide
+        $str20 = "\\update_data.dat" fullword wide
+        
+    condition:
+        uint16(0)==0x5A4D and 10 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/loader_win_abcloader.yar b/yara_rules/loader_win_abcloader.yar
new file mode 100644
index 0000000..e78f38f
--- /dev/null
+++ b/yara_rules/loader_win_abcloader.yar
@@ -0,0 +1,29 @@
+import "pe"
+import "hash"
+        
+rule loader_win_abcloader {
+    meta:
+        id = "c286ce75-a041-478e-a567-4bf1d5e66c01"
+        version = "1.0"
+        description = "Detect ABCloader"
+        author = "Sekoia.io"
+        creation_date = "2024-08-19"
+        classification = "TLP:CLEAR"
+        reference = "https://nsfocusglobal.com/new-apt-group-actor240524-a-closer-look-at-its-cyber-tactics-against-azerbaijan-and-israel/"
+        hash = "0d1dca5eaad49c2dbd979e1bf0b5f8d0"
+        hash = "9a640889e82407b06c546fea15be668f"
+        
+    strings:
+        $ = "qSii.LI4"
+        $ = "Cabinet.dll"
+        
+    condition:
+        uint16be(0) == 0x4d5a and all of them
+        
+        // Imphash
+        or pe.imphash() == "45c6b272631aa9e0c4b2ba675699b803"
+        
+        // Rich PE header hash
+        or hash.md5(pe.rich_signature.clear_data) == "b33158757dc039859e272f4528e10e80"
+}
+        
\ No newline at end of file
diff --git a/yara_rules/loader_win_aresloader.yar b/yara_rules/loader_win_aresloader.yar
new file mode 100644
index 0000000..4ab744e
--- /dev/null
+++ b/yara_rules/loader_win_aresloader.yar
@@ -0,0 +1,29 @@
+rule loader_win_aresloader {
+    meta:
+        version = "1.0"
+        description = "Finds AresLoader samples based on characteristic strings"
+        author = "Sekoia.io"
+        reference = "https://blog.cyble.com/2023/04/28/citrix-users-at-risk-aresloader-spreading-through-disguised-gitlab-repo/"
+        creation_date = "2023-05-02"
+        id = "bf5070fc-c8ca-4458-8702-cd1830667b7a"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "{\\\"ip\\\": '%s', \\\"UID\\\": '%s', \\\"geo\\\": '%s', \\\"service\\\": '%s', \\\"owner_token\\\": '%s'}" ascii
+        $str02 = "AresLdr_v_3" ascii
+        $str03 = "https://ipinfo.io/ip" ascii
+        $str04 = "C:\\Users\\%s\\AppData\\Roaming\\%s\\%s" ascii
+        $str05 = "/manager/payload" ascii
+        $str06 = "/manager/loader" ascii
+        $str07 = "/manager/legit" ascii
+        $str08 = "/manager/hvnc" ascii
+        $str09 = "C%p %d V=%0X w=%ld %s" ascii
+        $str10 = "rundll32.exe %s,%s" ascii
+        $str11 = "%startinfo" ascii
+        $str12 = "%managedapp" ascii
+        $str13 = "%has_cctor" ascii
+        
+    condition:
+        uint16(0)==0x5A4D and 5 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/loader_win_batloader_scripts.yar b/yara_rules/loader_win_batloader_scripts.yar
new file mode 100644
index 0000000..112368e
--- /dev/null
+++ b/yara_rules/loader_win_batloader_scripts.yar
@@ -0,0 +1,31 @@
+rule loader_win_batloader_scripts {
+    meta:
+        version = "1.0"
+        description = "Finds BatLoader samples based on the specific download URL"
+        author = "Sekoia.io"
+        creation_date = "2022-11-30"
+        id = "31a04ad3-74f8-4aa5-b3fc-df792bdc71b5"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $url = /https?:\/\/[^\s]{15,35}\/index\/[^\s]{1,40}servername=msi/ ascii wide
+        
+        $str00 = "Invoke-WebRequest" ascii wide
+        $str01 = "PSScriptRoot" ascii wide
+        $str02 = "Add-MpPreference" ascii wide
+        $str03 = "Install-GnuPG" ascii wide
+        $str04 = "wmic computersystem get domain" ascii wide
+        $str05 = "ArpInfo" ascii wide
+        $str06 = "$script:List_ProccesCheck" ascii wide
+        $str07 = "Get-Process -Name" ascii wide
+        $str08 = "f001_SetProcessList" ascii wide
+        $str09 = "var WshShell" ascii wide
+        $str10 = "WScript.Sleep" ascii wide
+        $str11 = "WshShell.Run" ascii wide
+        $str12 = "powershell Invoke-WebRequest" ascii wide
+        $str13 = "-nop -w hidden " ascii wide
+        
+    condition:
+        $url and 2 of ($str*) and filesize < 50KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/loader_win_bumblebee.yar b/yara_rules/loader_win_bumblebee.yar
new file mode 100644
index 0000000..fd408ed
--- /dev/null
+++ b/yara_rules/loader_win_bumblebee.yar
@@ -0,0 +1,18 @@
+rule loader_win_bumblebee {
+    meta:
+        id = "ff36f512-c700-4f52-bc89-68ab9c69462c"
+        version = "1.0"
+        description = "Detect BUMBLEBEE based on specific strings"
+        author = "Sekoia.io"
+        creation_date = "2022-04-08"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str0 = "Z:\\hooker2\\Common\\md5.cpp" wide
+        $str1 = "3C29FEA2-6FE8-4BF9-B98A-0E3442115F67" wide
+        $str2 = "bumblebee" ascii
+        
+    condition:
+        uint16(0)==0x5A4D and 2 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/loader_win_dodgebox.yar b/yara_rules/loader_win_dodgebox.yar
new file mode 100644
index 0000000..62a0ff0
--- /dev/null
+++ b/yara_rules/loader_win_dodgebox.yar
@@ -0,0 +1,30 @@
+import "pe"
+import "hash"
+        
+rule loader_win_dodgebox {
+    meta:
+        id = "8d5f94f3-1add-4f34-ba9e-f8f576c4e5b8"
+        version = "1.0"
+        description = "Detect the DodgeBox malware using several criteria"
+        author = "Sekoia.io"
+        creation_date = "2024-07-15"
+        classification = "TLP:CLEAR"
+        reference = "https://www.zscaler.com/blogs/security-research/dodgebox-deep-dive-updated-arsenal-apt41-part-1"
+        hash1 = "c6a3a1ea84251aed908702a1f2a565496d583239c5f467f5dcd0cfc5bfb1a6db"
+        hash2 = "33fd050760e251ab932e5ca4311b494ef72cee157b20537ce773420845302e49"
+        
+    condition:
+        // Imphash
+        pe.imphash() == "aeea1135af87e6b6b23fa7da995967ea"
+        
+        // Rich PE header
+        or hash.md5(pe.rich_signature.clear_data) == "1c850cf955b35f60ee6c12d01161d95d"
+        
+        // Sections
+        or for any i in (0..pe.number_of_sections-1) : (
+            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "4a80edcce2a5ac85c3f849172ee89c0f"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "53781057440f51882c38d3a9ef611775"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "801b286d84a97fe919721843ab77210d"
+        )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/loader_win_doppeldridex.yar b/yara_rules/loader_win_doppeldridex.yar
new file mode 100644
index 0000000..88ced7d
--- /dev/null
+++ b/yara_rules/loader_win_doppeldridex.yar
@@ -0,0 +1,34 @@
+import "pe"
+        
+rule loader_win_doppeldridex {
+    meta:
+        id = "ee5111ae-ba0b-4cd3-abe6-c66324d16840"
+        version = "1.1"
+        description = "Detect the DoppelDridex banking trojan using its Rich header"
+        author = "Sekoia.io"
+        creation_date = "2021-09-28"
+        classification = "TLP:CLEAR"
+        
+    condition:
+        pe.rich_signature.toolid(122, 50727)
+        and pe.rich_signature.toolid(1, 0)
+        and pe.rich_signature.toolid(222, 40629)
+        and pe.rich_signature.toolid(131, 30729)
+        and pe.rich_signature.toolid(220, 31101)
+        and pe.rich_signature.toolid(202, 60315)
+        and pe.rich_signature.toolid(202, 50727)
+        and pe.rich_signature.toolid(261, 23506)
+        and pe.rich_signature.toolid(149, 21022)
+        and pe.rich_signature.toolid(261, 23918)
+        and pe.rich_signature.toolid(219, 21005)
+        and pe.rich_signature.toolid(171, 30319)
+        and pe.rich_signature.toolid(225, 21005)
+        and pe.rich_signature.toolid(221, 21005)
+        and pe.rich_signature.toolid(259, 24210)
+        and pe.rich_signature.toolid(258, 24213)
+        and pe.rich_signature.toolid(158, 40219)
+        and pe.rich_signature.toolid(145, 21022)
+        and pe.rich_signature.toolid(207, 60315)
+        and pe.rich_signature.toolid(256, 23026)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/loader_win_erbium.yar b/yara_rules/loader_win_erbium.yar
new file mode 100644
index 0000000..d8bd730
--- /dev/null
+++ b/yara_rules/loader_win_erbium.yar
@@ -0,0 +1,20 @@
+rule loader_win_erbium {
+    meta:
+        version = "1.0"
+        description = "Detect the Erbium loader based on specific user-agent and URI"
+        author = "Sekoia.io"
+        creation_date = "2022-09-30"
+        id = "d1e5be62-5677-4ef4-9f10-65baf36ab619"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.67 Safari/537.36" wide
+        $str02 = "cloud/getHost.php?method=getstub&bid=" wide
+        $str03 = "api.php?method=getstub&bid=" wide
+        
+        $api = "WinHttp" ascii
+        
+    condition:
+        uint16(0)==0x5A4D and 2 of ($str*) and #api > 6
+}
+        
\ No newline at end of file
diff --git a/yara_rules/loader_win_fudloader.yar b/yara_rules/loader_win_fudloader.yar
new file mode 100644
index 0000000..9f39211
--- /dev/null
+++ b/yara_rules/loader_win_fudloader.yar
@@ -0,0 +1,25 @@
+rule loader_win_fudloader {
+    meta:
+        id = "4c2ac614-89af-4449-9fd2-9f935e4c27b8"
+        version = "1.0"
+        description = "Finds FUD-Loader samples based on specific strings"
+        author = "Sekoia.io"
+        reference = "https://github.com/0day2/FUD-Loader/"
+        creation_date = "2023-09-25"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "set_WindowStyle" ascii
+        $str02 = "set_FileName" ascii
+        $str03 = "get_StartInfo" ascii
+        $str04 = "GetRandomFileName" ascii
+        $str05 = "DownloadFile" ascii
+        $str06 = "GetTempPath" ascii
+        $str07 = "ProcessStartInfo" ascii
+        $str08 = "System.Diagnostics" ascii
+        
+    condition:
+        uint16(0) == 0x5a4d and all of them and
+        filesize < 10KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/loader_win_gcleaner.yar b/yara_rules/loader_win_gcleaner.yar
new file mode 100644
index 0000000..4181652
--- /dev/null
+++ b/yara_rules/loader_win_gcleaner.yar
@@ -0,0 +1,23 @@
+rule loader_win_gcleaner {
+    meta:
+        version = "1.0"
+        description = "Detect the GCleaner loader using specific strings"
+        author = "Sekoia.io"
+        creation_date = "2022-10-11"
+        id = "0c085da3-ec77-4141-a927-bef1578a6dee"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "G-Cleaner can clean unneeded files, settings, and Registry entries" ascii
+        $str02 = "3.  Click \"Run G-Cleaner\"" ascii
+        $str03 = "Garbage_Cleaner" ascii
+        $str04 = "GCleaner.Properties" ascii
+        $str05 = "SOFTWARE\\GCleaner\\Install" wide
+        $str06 = "SOFTWARE\\GCleaner\\Trial" wide
+        $str07 = "SOFTWARE\\GCleaner\\License" wide
+        $str08 = "G-Cleaner activation" wide
+        
+    condition:
+        uint16(0)==0x5A4D and 6 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/loader_win_goshellcode.yar b/yara_rules/loader_win_goshellcode.yar
new file mode 100644
index 0000000..fe16207
--- /dev/null
+++ b/yara_rules/loader_win_goshellcode.yar
@@ -0,0 +1,24 @@
+rule loader_win_goshellcode {
+    meta:
+        version = "1.0"
+        description = "Finds GoShellcode samples based on the specific strings"
+        author = "Sekoia.io"
+        reference = "https://github.com/yoda66/GoShellcode/blob/main/gosc.go"
+        creation_date = "2023-11-15"
+        id = "61346225-325a-4067-a4d6-3b8c001dd380"
+        classification = "TLP:CLEAR"
+        hash1 = "94445af999055bf7d7cddc0d1d5183ab2776d85285f0522a28fac6c5a6101906"
+        hash2 = "fdea8b01b2597ceafe6f08b5fd12cc603b1e3ce2037731c0b6defde6935b1ce0"
+        
+    strings:
+        $str01 = "main.VirtualAlloc" ascii
+        $str02 = "main.RtlMoveMemory" ascii
+        $str03 = "syscall.Syscall" ascii
+        $str04 = "syscall.NewLazyDLL" ascii
+        $str05 = "runtime.getGetProcAddress" ascii
+        $str06 = "runtime.useAeshash" ascii
+        
+    condition:
+        uint16(0)==0x5A4D and all of ($str*) and filesize < 8MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/loader_win_jennlog.yar b/yara_rules/loader_win_jennlog.yar
new file mode 100644
index 0000000..7659f9f
--- /dev/null
+++ b/yara_rules/loader_win_jennlog.yar
@@ -0,0 +1,25 @@
+import "pe"
+import "hash"
+        
+rule loader_win_jennlog {
+    meta:
+        id = "a69088e5-207f-494f-876b-766b8050e8c2"
+        version = "1.0"
+        description = "Jennlog loader used to deliver the Apostle ransomware"
+        author = "Sekoia.io"
+        creation_date = "2021-10-04"
+        classification = "TLP:CLEAR"
+        reference = "https://www.sentinelone.com/labs/new-version-of-apostle-ransomware-reemerges-in-targeted-attack-on-higher-education/"
+        
+    condition:
+        pe.timestamp == 3140259112
+        or
+        for any i in (0..pe.number_of_sections-1) : (
+            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "4c4577276ff0323d9aedcc39ecf2c964"
+        )
+        or
+        for any i in (0..pe.number_of_resources-1) : (
+            hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "8476a7fca587f1e5d3ae076293b9fbcccbebc4bd4f7b783228ad5da39305a3d9"
+        )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/loader_win_jinxloader_strings.yar b/yara_rules/loader_win_jinxloader_strings.yar
new file mode 100644
index 0000000..5f235e4
--- /dev/null
+++ b/yara_rules/loader_win_jinxloader_strings.yar
@@ -0,0 +1,21 @@
+rule loader_win_jinxloader_strings {
+    meta:
+        version = "1.0"
+        description = "Finds JinxLoader samples based on the specific strings"
+        author = "Sekoia.io"
+        creation_date = "2023-12-04"
+        id = "fd2f7e8c-f4a8-4452-bbc6-e03790f8ed89"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "JinxV2" ascii
+        $str02 = "main.main.func1" ascii
+        $str03 = "go.shape.struct" ascii
+        
+        $str04 = ".glob..func" ascii
+        
+    condition:
+        uint16(0)==0x5A4D and all of them and #str04 > 100
+        and filesize > 8MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/loader_win_konni_bat.yar b/yara_rules/loader_win_konni_bat.yar
new file mode 100644
index 0000000..a660f59
--- /dev/null
+++ b/yara_rules/loader_win_konni_bat.yar
@@ -0,0 +1,23 @@
+rule loader_win_konni_bat {
+    meta:
+        id = "e8921336-6c91-4b46-bd3f-3cf4a9b31082"
+        version = "1.0"
+        description = "Detect the BAT files (named trap.bat or yup.bat) used by KONNI"
+        author = "Sekoia.io"
+        creation_date = "2023-09-26"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "del /f /q \"%~dp0\\*.zip\" > nul"
+        $ = "del /f /q \"%~dp0\\*.xml\" > nul"
+        $ = "del /f /q \"%~dp0\\wpnprv*.dll\" > nul"
+        $ = "del /f /q \"%~dp0\\*.bat\" > nul"
+        $ = "del /f /q \"%~dpnx0\" > nul"
+        $ = "echo %~dp0 | findstr /i \"system32\" > nul"
+        $ = "if %ERRORLEVEL% equ 0 (goto INSTALL) else (goto COPYFILE)"
+        $ = "if exist \"%ProgramFiles(x86)%\" ("
+        
+    condition:
+        3 of them and filesize < 3KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/loader_win_konni_wpnprv.yar b/yara_rules/loader_win_konni_wpnprv.yar
new file mode 100644
index 0000000..22dfe2a
--- /dev/null
+++ b/yara_rules/loader_win_konni_wpnprv.yar
@@ -0,0 +1,22 @@
+rule loader_win_konni_wpnprv {
+    meta:
+        id = "02162533-4ace-42bf-8df0-38b140487f01"
+        version = "1.0"
+        description = "Detect the wpnprv DLLs used for KONNI for UAC bypass"
+        author = "Sekoia.io"
+        creation_date = "2023-09-26"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "wpnprv.dll"
+        // Name of the malicious export
+        $ = "IIIIIIII" fullword
+        $ = "wusa.exe" wide
+        $ = "winver.exe" wide
+        $ = "MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" wide
+        $ = "taskmgr.exe" wide
+        
+    condition:
+        uint16(0)==0x5A4D and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/loader_win_ninerat.yar b/yara_rules/loader_win_ninerat.yar
new file mode 100644
index 0000000..1b378d7
--- /dev/null
+++ b/yara_rules/loader_win_ninerat.yar
@@ -0,0 +1,38 @@
+import "pe"
+import "hash"
+        
+rule loader_win_ninerat {
+    meta:
+        id = "b9aa3ddc-7892-402f-b045-182884ee9bad"
+        version = "1.0"
+        description = "Detect the NineRAT instrumentator"
+        author = "Sekoia.io"
+        creation_date = "2023-12-12"
+        classification = "TLP:CLEAR"
+        reference = "https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/"
+        hash1 = "ba8cd92cc059232203bcadee260ddbae273fc4c89b18424974955607476982c4"
+        hash2 = "5b02fc3cfb5d74c09cab724b5b54c53a7c07e5766bffe5b1adf782c9e86a8541"
+        
+    strings:
+        $ = "TelegramRat\\lastest\\Dropper"
+        $ = "\\Release\\ServiceMid.pdb"
+        
+    condition:
+        // Strings
+        all of them
+        
+        // Imphash
+        or pe.imphash() == "104a3dc970a385f64de39e0dad61a9a2"
+        
+        // Rich Header
+        or hash.md5(pe.rich_signature.clear_data) == "aab0aa6b89d883e42be8b65a4e41a139"
+        
+        // Sections
+        or for any i in (0..pe.number_of_sections-1) : (
+            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "827d5fd4b1a0426037529ee9bba48da0"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "82354f92508dcb33acda01c226de2975"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "ccd0f5d837a6cc05a861f040cbdfe080"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "8d2c169356afe8b53b0ecb83de3084b9"
+        )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/loader_win_operationmagalenha_vbs.yar b/yara_rules/loader_win_operationmagalenha_vbs.yar
new file mode 100644
index 0000000..a8d64bc
--- /dev/null
+++ b/yara_rules/loader_win_operationmagalenha_vbs.yar
@@ -0,0 +1,40 @@
+rule loader_win_operationmagalenha_vbs {
+    meta:
+        version = "1.0"
+        description = "Finds VBS file loading the PeepingTitle backdoor"
+        author = "Sekoia.io"
+        reference = "https://www.sentinelone.com/labs/operation-magalenha-long-running-campaign-pursues-portuguese-credentials-and-pii/"
+        creation_date = "2023-05-31"
+        id = "b1f705d1-de3e-4ce6-9bb7-0e39b6e79add"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "'Skip to content" ascii
+        $str02 = "'Search" ascii
+        $str03 = "'Sign in" ascii
+        $str04 = "'Sign up" ascii
+        $str05 = "'Code" ascii
+        $str06 = "'Terms" ascii
+        $str07 = "'Privacy" ascii
+        $str08 = "'Security" ascii
+        $str09 = "'Status" ascii
+        $str10 = "'Docs" ascii
+        $str11 = "'Contact GitHub" ascii
+        $str12 = "'Pricing" ascii
+        $str13 = "'API" ascii
+        $str14 = "'Training" ascii
+        $str15 = "'Blog" ascii
+        $str16 = "'About" ascii
+        
+        $vbs01 = "WScript.Sleep" ascii nocase
+        $vbs02 = "Set obj" ascii nocase
+        $vbs03 = "Dim obj" ascii nocase
+        $vbs04 = "https://tinyurl.com" ascii nocase
+        $vbs05 = "C:\\Users\\Public" ascii nocase
+        $vbs06 = "CreateObject(\"WScript.Shell\")" ascii nocase
+        $vbs07 = ".SaveToFile" ascii nocase
+        
+    condition:
+        10 of ($str*) and 5 of ($vbs*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/loader_win_piccassoloader.yar b/yara_rules/loader_win_piccassoloader.yar
new file mode 100644
index 0000000..23ce52a
--- /dev/null
+++ b/yara_rules/loader_win_piccassoloader.yar
@@ -0,0 +1,17 @@
+rule loader_win_piccassoloader {
+    meta:
+        id = "91d9c2de-451e-467e-8f5c-38bbcce92b72"
+        version = "1.0"
+        description = "Detect the variant of Picasso used by GhostWriter as CVE-2023-38831 exploitation payload"
+        author = "Sekoia.io"
+        creation_date = "2023-09-07"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = {2c 27 44 65 63 72 79 70 74 6f 72 27 2c 27 6e 6f 64 65 27 2c 27 55 73 65 72 2d}
+        $ = {5c 78 32 30 43 68 72 6f 6d 65 2f 31 30 27 2c 27 67 67 65 72 27 2c 27 73 65 64 43 69 70 68 65 72 27 2c 27 5f 61 70 70 65 6e 64 27 2c 27 5f 45 4e 43 5f 58 46 4f 52 4d 27 2c 27 57 53 63 72 69 70 74 2e 53 68 27}
+        
+    condition:
+        1 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/loader_win_purecrypter.yar b/yara_rules/loader_win_purecrypter.yar
new file mode 100644
index 0000000..3661b75
--- /dev/null
+++ b/yara_rules/loader_win_purecrypter.yar
@@ -0,0 +1,17 @@
+rule loader_win_purecrypter {
+    meta:
+        version = "1.0"
+        description = "Detect the PureCrypter loader"
+        author = "Sekoia.io"
+        creation_date = "2022-09-22"
+        id = "500b4d9e-55f8-41d1-ad4f-d587bbeb4507"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $hex01 = /http:\/\/[^\s]{5,90}_[A-Z][a-z]{7}\.(bmp|jpg|png)/ wide
+        $hex02 = "WrapNonExceptionThrows" ascii
+        
+    condition:
+        uint16(0)==0x5A4D and ($hex02 in (@hex01..@hex01 + 1000) or $hex01 in (@hex02..@hex02 + 1000))
+}
+        
\ No newline at end of file
diff --git a/yara_rules/loader_win_red0044_powershell_may24.yar b/yara_rules/loader_win_red0044_powershell_may24.yar
new file mode 100644
index 0000000..aafcd5a
--- /dev/null
+++ b/yara_rules/loader_win_red0044_powershell_may24.yar
@@ -0,0 +1,27 @@
+rule loader_win_red0044_powershell_may24 {
+    meta:
+        id = "ba3454b4-31cf-458d-8d78-c5cc5fa348ff"
+        version = "1.0"
+        description = "Finds PowerShell scripts used in a malvertising campaign to deliver NetSupport RAT"
+        author = "Sekoia.io"
+        reference = "https://twitter.com/crep1x/status/1786150734121120075"
+        creation_date = "2024-05-03"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "Start-Job -ScriptBlock" ascii
+        $str02 = "Get-WmiObject" ascii
+        $str03 = "-Class Win32_OperatingSystem" ascii
+        $str04 = "-Class AntiVirusProduct" ascii
+        $str05 = "$_.Exception.Message" ascii
+        $str06 = ".DownloadString" ascii
+        $str07 = "New-Object Net.WebClient" ascii
+        $str08 = "myUserAgentHere" ascii
+        $str09 = "GetFolderPath('Desktop'))\\document.pdf" ascii
+        $str10 = "Receive-Job -Job" ascii
+        $str11 = "Start-Process" ascii
+        
+    condition:
+        8 of them and filesize < 20KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/loader_win_revil_loader.yar b/yara_rules/loader_win_revil_loader.yar
new file mode 100644
index 0000000..226f7c6
--- /dev/null
+++ b/yara_rules/loader_win_revil_loader.yar
@@ -0,0 +1,35 @@
+import "pe"
+import "hash"
+        
+rule loader_win_revil_loader {
+    meta:
+        id = "3c293e87-e2d7-475a-9536-8b991961fa11"
+        version = "1.0"
+        description = "Detect the REvil loader using DDL side loading. The detected ressource is a legitimate executable used to load the malicious .dll containing the ransomware"
+        author = "Sekoia.io"
+        creation_date = "2021-07-19"
+        classification = "TLP:CLEAR"
+        reference = "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/revil-ransomware-uses-dll-sideloading"
+        hash1 = "1fe9b489c25bb23b04d9996e8107671edee69bd6f6def2fe7ece38a0fb35f98e"
+        hash2 = "50416e50797cf88a48d086e718c003e2d10c3847b1a251669d6f10f8d3546e03"
+        hash3 = "66490c59cb9630b53fa3fa7125b5c9511afde38edab4459065938c1974229ca8"
+        hash4 = "81d0c71f8b282076cd93fb6bb5bfd3932422d033109e2c92572fc49e4abc2471"
+        hash5 = "aae6e388e774180bc3eb96dad5d5bfefd63d0eb7124d68b6991701936801f1c7"
+        hash6 = "d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e"
+        hash7 = "dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f"
+        hash8 = "df2d6ef0450660aaae62c429610b964949812df2da1c57646fc29aa51c3f031e"
+        
+    strings:
+        $crypto = ".\\crypto\\" ascii
+        
+        $dropped_name1 = "MsMpEng.exe" wide
+        $dropped_name2 = "mpsvc.dll" ascii
+        
+    condition:
+        all of ($dropped_name*)
+        and #crypto > 100
+        and for any i in (0..pe.number_of_resources-1) : (
+            hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a"
+        )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/loader_win_squirrelwaffle.yar b/yara_rules/loader_win_squirrelwaffle.yar
new file mode 100644
index 0000000..27714df
--- /dev/null
+++ b/yara_rules/loader_win_squirrelwaffle.yar
@@ -0,0 +1,17 @@
+rule loader_win_squirrelwaffle {
+    meta:
+        id = "bea3125e-6e84-435f-855b-fd3239a0deac"
+        version = "1.0"
+        description = "Detect the Squirrelwaffle DLL"
+        author = "Sekoia.io"
+        creation_date = "2021-09-20"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "AEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" ascii
+        $s2 = "c:\\equal\\True\\bird_Select\\780\\true.pdb" ascii
+        
+    condition:
+        uint16(0)==0x5A4D and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/loader_win_squirrelwaffle_doc.yar b/yara_rules/loader_win_squirrelwaffle_doc.yar
new file mode 100644
index 0000000..0b8353d
--- /dev/null
+++ b/yara_rules/loader_win_squirrelwaffle_doc.yar
@@ -0,0 +1,19 @@
+rule loader_win_squirrelwaffle_doc {
+    meta:
+        id = "caadeac3-d4c7-4d84-b539-c03cc4c6c274"
+        version = "1.0"
+        description = "Detect the Squirrelwaffle malicious document (not xls)"
+        author = "Sekoia.io"
+        creation_date = "2021-09-20"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        // OK1 = "cmd /c rundll32.exe C:\ProgramData\www1.dll,ldr"
+        $s1 = {4f4b31203d2022636d64202f632072756e646c6c33322e65786520433a5c50726f6772616d446174615c777777312e646c6c2c6c647222}
+        // AERO BIZ COM COOP EDU GOV INFO INT MIL MUSEUM NAME NET ORG PRO
+        $s2 = {4145524f2042495a20434f4d20434f4f502045445520474f5620494e464f20494e54204d494c204d555345554d204e414d45204e4554204f52472050524f}
+        
+    condition:
+        any of them and filesize > 100KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/loader_win_stealthvector.yar b/yara_rules/loader_win_stealthvector.yar
new file mode 100644
index 0000000..8cfc9bb
--- /dev/null
+++ b/yara_rules/loader_win_stealthvector.yar
@@ -0,0 +1,33 @@
+import "pe"
+import "hash"
+        
+rule loader_win_stealthvector {
+    meta:
+        id = "ecf6421a-f492-43c4-9ed7-eb4724d24779"
+        version = "1.0"
+        description = "Detect the StealthVector malware, updated in July 2024"
+        author = "Sekoia.io"
+        creation_date = "2021-08-26"
+        modification_date = "2024-07-15"
+        classification = "TLP:CLEAR"
+        hash1 = "166b6dcdac31f4bf51e4b20a7c3f7d4f7017ca0c30fa123d5591e25c3fa66107"
+        hash2 = "ab56501167fe689fe55f6e6ddc3bb91952299bd5c3ef004b02bf1c3b4061c7cf"
+        hash3 = "0faddbe1713455e3fc9777ec45adf07b28e24f4c3ddca37586c2aa6b539898c0"
+        hash4 = "1c88150ec85a07c3db5f18c5eedcb0b653467b897af01d690ed996e5e07ba8e3"
+        hash5 = "ec10a9396dca694fe64366e0dab82d046cf92457f97efd50a68ceb85adef6b74"
+        
+    strings:
+        $s1 = "Global\\kREwdFrOlvASgP4zWZyV89m6T2K0bIno" ascii
+        $s2 = "Global\\v5EPQFOImpTLaGZes3Nl1JSKHku8AyCw" ascii
+        
+    condition:
+        uint16(0)==0x5A4D and 1 of them
+
+        // Imphash
+        or pe.imphash() == "0cd7b92b97ccc7e255df1f46b5299986"
+        or pe.imphash() == "be777e91e3c42ac62471cfb7239be471"
+        
+        // Rich PE Header
+        or hash.md5(pe.rich_signature.clear_data) == "fcc67611d136cce0e785029bbb879b45"
+}
+        
\ No newline at end of file
diff --git a/yara_rules/loader_win_svcready_imports.yar b/yara_rules/loader_win_svcready_imports.yar
new file mode 100644
index 0000000..3de8dab
--- /dev/null
+++ b/yara_rules/loader_win_svcready_imports.yar
@@ -0,0 +1,26 @@
+import "pe"
+        
+rule loader_win_svcready_imports {
+    meta:
+        id = "e89aa736-acee-4881-b367-a9abfe9784ec"
+        version = "1.0"
+        description = "Finds samples of the SVCReady loader"
+        author = "Sekoia.io"
+        reference = "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/"
+        creation_date = "2022-06-08"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str0 = "Svc:RunPEDllNative" ascii
+        $str1 = "RunPEDllNative::" ascii
+        
+    condition:
+        uint16(0)==0x5A4D and
+        filesize > 200KB and filesize < 2MB and
+        pe.imports("GDI32.dll", "Ellipse") and
+        pe.imports("GDI32.dll", "SelectObject") and
+        pe.imports("GDI32.dll", "GetStockObject") and
+        pe.imports("GDI32.dll") == 3 and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/luckymouse_sysupdate_loader.yar b/yara_rules/luckymouse_sysupdate_loader.yar
new file mode 100644
index 0000000..d00a98f
--- /dev/null
+++ b/yara_rules/luckymouse_sysupdate_loader.yar
@@ -0,0 +1,18 @@
+rule luckymouse_sysupdate_loader {
+    meta:
+        id = "6007e846-d467-4d07-b345-e25191b7c8bc"
+        version = "1.0"
+        description = "Detects decryption routine prologue of sysupdate loader"
+        author = "Sekoia.io"
+        creation_date = "2022-08-19"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = { DB D4 33 C9 66 B9 ?? ?? E8 FF FF FF FF }
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 1MB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/luckymouse_sysupdate_payload.yar b/yara_rules/luckymouse_sysupdate_payload.yar
new file mode 100644
index 0000000..1155355
--- /dev/null
+++ b/yara_rules/luckymouse_sysupdate_payload.yar
@@ -0,0 +1,17 @@
+rule luckymouse_sysupdate_payload {
+    meta:
+        id = "97df4700-de35-49a0-869e-ed89a6d9cbdd"
+        version = "1.0"
+        description = "Detects decryption routine prologue of sysupdate samples"
+        author = "Sekoia.io"
+        creation_date = "2022-08-19"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = { DB ?? ?? C9 66 B9 ?? ?? E8 FF FF FF FF }
+        
+    condition:
+        filesize < 1MB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/malicious_lnk_exploiting_webdav_share_generic.yar b/yara_rules/malicious_lnk_exploiting_webdav_share_generic.yar
new file mode 100644
index 0000000..b98627b
--- /dev/null
+++ b/yara_rules/malicious_lnk_exploiting_webdav_share_generic.yar
@@ -0,0 +1,21 @@
+rule malicious_lnk_exploiting_webdav_share_generic {
+    meta:
+        id = "b228643c-ab23-46e1-b170-3da6bcb2dd23"
+        version = "1.0"
+        description = "Detects some malicious LNK"
+        author = "Sekoia.io"
+        creation_date = "2024-11-22"
+        classification = "TLP:CLEAR"
+        hash = "cffb40e13e3aa6761330090b42314c36"
+        
+    strings:
+        $ = "powershell.exe" wide
+        $ = "-Name explorer; \\\\" wide
+        $ = "@80\\"
+        $ = "desktop-tcrdu4c"
+        
+    condition:
+        uint32be(0) == 0x4c000000 and
+        2 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/malware_httpshell_strings.yar b/yara_rules/malware_httpshell_strings.yar
new file mode 100644
index 0000000..1698922
--- /dev/null
+++ b/yara_rules/malware_httpshell_strings.yar
@@ -0,0 +1,21 @@
+rule malware_httpshell_strings {
+    meta:
+        id = "58f25666-5dc2-4f4f-9fac-fc05d1e66945"
+        version = "1.0"
+        description = "Detects HTTPShell based on URL patterns"
+        author = "Sekoia.io"
+        creation_date = "2024-01-08"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "/api/v1/Client/Info" wide ascii
+        $ = "/api/v1/Client/Download" wide ascii
+        $ = "/api/v1/Client/Upload" wide ascii
+        $ = "/api/v1/Client/Info" base64 base64wide
+        $ = "/api/v1/Client/Download" base64 base64wide
+        $ = "/api/v1/Client/Upload" base64 base64wide
+        
+    condition:
+        3 of them and filesize < 5MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/malware_remcom_strings.yar b/yara_rules/malware_remcom_strings.yar
new file mode 100644
index 0000000..e32bd38
--- /dev/null
+++ b/yara_rules/malware_remcom_strings.yar
@@ -0,0 +1,23 @@
+rule malware_remcom_strings {
+    meta:
+        id = "7a56d55a-2f35-41ef-b7af-259baf215a62"
+        version = "1.0"
+        description = "Detects RemCom based on strings"
+        author = "Sekoia.io"
+        creation_date = "2022-08-30"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "RemComSvc"
+        $ = "RemCom_stderr"
+        $ = "RemCom_stdin"
+        $ = "\\\\.\\pipe\\%s%s%d"
+        $ = "RemCom_stdout"
+        $ = "\\\\.\\pipe\\RemCom_communicaton"
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 1MB and
+        4 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/malware_sugargh0st_strings.yar b/yara_rules/malware_sugargh0st_strings.yar
new file mode 100644
index 0000000..f2f2051
--- /dev/null
+++ b/yara_rules/malware_sugargh0st_strings.yar
@@ -0,0 +1,21 @@
+rule malware_sugargh0st_strings {
+    meta:
+        id = "51930498-b04a-4f13-8d14-ee975a28126e"
+        version = "1.0"
+        description = "Detects SugarGh0st based on strings"
+        author = "Sekoia.io"
+        creation_date = "2023-12-01"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "%sd.%s /c \"%s\"" wide
+        $ = "[Num Lock]" wide
+        $ = "#32770" wide
+        $ = "]%s (%4d-%02d-%02d %02d:%02d:%02d)" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 100KB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/malware_swordldr.yar b/yara_rules/malware_swordldr.yar
new file mode 100644
index 0000000..00f503c
--- /dev/null
+++ b/yara_rules/malware_swordldr.yar
@@ -0,0 +1,30 @@
+rule malware_swordldr {
+    meta:
+        id = "4068c007-50f4-4913-a352-4a40dd4e452b"
+        version = "1.0"
+        description = "Detects Swordldr. Maybe chunk_1 is too restrictive"
+        author = "Sekoia.io"
+        creation_date = "2024-09-25"
+        classification = "TLP:CLEAR"
+        hash = "d0cc758082e303275cbb8cd6b2048eff"
+        hash = "7aa57da44718cd88f7d37b33a5d3ad74"
+        
+    strings:
+        $ = { CC CC CC CC B0 01 C3 CC CC CC CC }
+        $ = { CC CC CC CC B0 02 C3 CC CC CC CC }
+        $ = { CC CC CC CC B0 03 C3 CC CC CC CC }
+        $ = { CC CC CC CC B0 04 C3 CC CC CC CC }
+        $ = { CC CC CC CC B0 05 C3 CC CC CC CC }
+        $ = { CC CC CC CC B0 06 C3 CC CC CC CC }
+        $ = { CC CC CC CC B0 07 C3 CC CC CC CC }
+        $ = { CC CC CC CC B0 08 C3 CC CC CC CC }
+        $ = { CC CC CC CC B0 09 C3 CC CC CC CC }
+        $chunk_1 = {
+        48 63 44 24 40 44 8B 44 86 04 48 63 44 24 40 45 23 ?? 45 03 C0 8B 54 86 04 48 63 44 24 40 41 2B D0 41 03 ?? 89 54 86 04
+        }
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        4 of them and #chunk_1 > 5
+}
+        
\ No newline at end of file
diff --git a/yara_rules/malware_tinyshell_strings.yar b/yara_rules/malware_tinyshell_strings.yar
new file mode 100644
index 0000000..ca3e8f3
--- /dev/null
+++ b/yara_rules/malware_tinyshell_strings.yar
@@ -0,0 +1,25 @@
+rule malware_tinyshell_strings {
+    meta:
+        id = "51fe9986-cb33-4802-bb8d-fe3d4cdfdcc8"
+        version = "1.0"
+        description = "Detects TinyShell based on strings"
+        author = "Sekoia.io"
+        creation_date = "2024-09-04"
+        classification = "TLP:CLEAR"
+        hash = "fffc89ebbe6ea37072077996e27f86dd"
+        hash = "59a97d4fbd3a54e991dc7e1f0451acf5"
+        hash = "d7ee59eab7f703bfaf1002a39b05c7b9"
+        hash = "3f2dfe47d4563919d889132b2759fd9c"
+        
+    strings:
+        $ = "_tsh_get_file"
+        $ = "_tsh_put_file"
+        $ = "_tsh_runshell"
+        $ = "Authentication failed."
+        $ = "pel_send_msg"
+        $ = "exec bash --login"
+        
+    condition:
+        3 of them and filesize < 150KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/malware_valleyrat_1ststage_strings.yar b/yara_rules/malware_valleyrat_1ststage_strings.yar
new file mode 100644
index 0000000..ac30006
--- /dev/null
+++ b/yara_rules/malware_valleyrat_1ststage_strings.yar
@@ -0,0 +1,22 @@
+rule malware_valleyrat_1ststage_strings {
+    meta:
+        id = "6628ba47-37ad-4bdb-bbc0-7286d777000e"
+        version = "1.0"
+        description = "Detects ValleyRat 1stage"
+        author = "Sekoia.io"
+        creation_date = "2024-06-11"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "%016llX.DLL" wide
+        $ = "%s\\%s" wide
+        $ = "%016llX\\%s" wide
+        $ = "connection already in progress"
+        $ = "SleepConditionVariableSRW"
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 4MB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/malware_valleyrat_downloader_strings.yar b/yara_rules/malware_valleyrat_downloader_strings.yar
new file mode 100644
index 0000000..191dc08
--- /dev/null
+++ b/yara_rules/malware_valleyrat_downloader_strings.yar
@@ -0,0 +1,21 @@
+rule malware_valleyrat_downloader_strings {
+    meta:
+        id = "12985f34-f894-402b-80d1-5d6b2486d730"
+        version = "1.0"
+        description = "Detects ValleyRat downloader"
+        author = "Sekoia.io"
+        creation_date = "2024-06-11"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = { 43 00 3a 00 5c [0-30]
+        5c 00 4e 00 54 00 55
+        00 53 00 45 00 52 00
+        2e 00 44 00 58 }
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 2MB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/malware_valleyrat_strings_config.yar b/yara_rules/malware_valleyrat_strings_config.yar
new file mode 100644
index 0000000..b7641e0
--- /dev/null
+++ b/yara_rules/malware_valleyrat_strings_config.yar
@@ -0,0 +1,28 @@
+rule malware_valleyrat_strings_config {
+    meta:
+        id = "bb186ab7-60cd-487e-8b9c-c2ff8f121454"
+        version = "1.0"
+        description = "ValleyRAT strings based on HIVE KEYS and config. "
+        author = "Sekoia.io"
+        creation_date = "2024-08-19"
+        classification = "TLP:CLEAR"
+        hash = "b1887a48e59ac7b1b1742854d2a228af"
+        hash = "f6c69e83ce61aacacfbc410345008268"
+        hash = "63ad42e03aca6ce447fb447e21aeb385"
+        hash = "e1d41e5fdfebf8062911ef3c3853b807"
+        hash = "e6cafb4136a9438227086a5826eafe10"
+        hash = "54ba4bbeacd1521164a40e92262b15f6"
+        
+    strings:
+        $key1 = "IpDateInfo" ascii fullword
+        $key2 = "IpDate" ascii fullword
+        $key3 = "SelfPath" ascii fullword
+        $config1 = {7c 00 69 00 3a 00 } // |i:
+        $config2 = {7c 00 70 00 3a 00 } // |p:
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        1 of ($key*) and $config2 in (@config1..@config1+100) 
+        and filesize > 300KB and filesize < 100MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/malware_venom_admin_strings.yar b/yara_rules/malware_venom_admin_strings.yar
new file mode 100644
index 0000000..04e7b15
--- /dev/null
+++ b/yara_rules/malware_venom_admin_strings.yar
@@ -0,0 +1,23 @@
+rule malware_venom_admin_strings {
+    meta:
+        id = "4929340c-310b-4c59-a111-23409f973d22"
+        version = "1.0"
+        description = "Detects Venom admin strings"
+        author = "Sekoia.io"
+        creation_date = "2022-08-29"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "/admin/admin.go"
+        $ = "/cli/interactive.go"
+        $ = "/cli/cli.go"
+        $ = "/dispather/sender.go"
+        $ = "/dispather/proxy.go"
+        $ = "/dispather/handler.go"
+        $ = "/dispather/forward.go"
+        $ = "/utils/reuse_port.go"
+        
+    condition:
+        filesize < 11MB and 6 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/malware_venom_agent_strings.yar b/yara_rules/malware_venom_agent_strings.yar
new file mode 100644
index 0000000..d94b406
--- /dev/null
+++ b/yara_rules/malware_venom_agent_strings.yar
@@ -0,0 +1,32 @@
+rule malware_venom_agent_strings {
+    meta:
+        id = "87633510-8b39-4eb1-b95b-4ebff21f3bba"
+        version = "1.0"
+        description = "Detects Venom agent strings"
+        author = "Sekoia.io"
+        creation_date = "2022-08-29"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "dispather.handleDownloadCmd"
+        $ = "dispather.handleUploadCmd"
+        $ = "dispather.handleShellCmd"
+        $ = "dispather.handleSocks5Cmd"
+        $ = "dispather.handleLForwardCmd"
+        $ = "dispather.localLForwardServer"
+        $ = "dispather.handleRForwardCmd"
+        $ = "dispather.AgentHandShake"
+        $ = "dispather.AgentParseTarget"
+        $ = "dispather.PipeWhenClose"
+        $ = "dispather.handleSshConnectCmd"
+        $ = "node.(*NetworkTopology).InitNetworkMap"
+        $ = "node.CopyNet2Node"
+        $ = "node.(*Node).CommandHandler.func1"
+        $ = "node.(*Buffer).WriteLowLevelPacket"
+        $ = "protocol.(*Packet).ResolveDat"
+        $ = "netio.InitTCP.func2"
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and filesize < 10MB and 6 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/malware_win_lyceum_maldoc_macro_20220613.yar b/yara_rules/malware_win_lyceum_maldoc_macro_20220613.yar
new file mode 100644
index 0000000..37ace4c
--- /dev/null
+++ b/yara_rules/malware_win_lyceum_maldoc_macro_20220613.yar
@@ -0,0 +1,16 @@
+rule malware_win_lyceum_maldoc_macro_20220613 {
+    meta:
+        id = "3046bffd-261f-4d5b-9015-f2e5fc31c9c9"
+        version = "1.0"
+        description = "Detect the macro contained in Lyceum maldoc to deploy its malware"
+        author = "Sekoia.io"
+        creation_date = "2022-06-13"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "ActiveDocument.InlineShapes(i).PictureFormat.Brightness = 0.5" ascii
+        
+    condition:
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/malware_win_mex.yar b/yara_rules/malware_win_mex.yar
new file mode 100644
index 0000000..47fbf29
--- /dev/null
+++ b/yara_rules/malware_win_mex.yar
@@ -0,0 +1,58 @@
+rule malware_win_mex {
+    meta:
+        id = "57fe8525-4bab-4078-ac6f-635f0f7963ec"
+        version = "1.0"
+        description = "Detect the MEX malware"
+        author = "Sekoia.io"
+        creation_date = "2022-07-28"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "MEX: In-memory execution of offensive tradecraft (Version:" wide
+        $ = "Available Options:" wide
+        $ = "-meh <help>" wide
+        $ = "-mep <payload_name_to_use>" wide
+        $ = "-mec <payload_args>" wide
+        $ = "Execution examples:" wide
+        $ = "mex.exe -mep sharphound" wide
+        $ = "mex.exe -mep sharphound -mec -arg1" wide
+        $ = "mex.exe -mep get_version" wide
+        $ = "mex.exe -mep list_plugins" wide
+        $ = "Available plugins:" wide
+        $ = "Payload to execute:" wide
+        $ = "No payload arguments were provided" wide
+        $ = "Payload arguments:" wide
+        $ = "MEX - About to execute payload %s with command line arguments: %s" wide
+        $ = "MEX - About to execute payload %s with no command line arguments" wide
+        $ = "Execution of payload %s just finished. Quitting now." wide
+        $ = "There was a problem executing payload %s. Quitting now." wide
+        $ = "chisel" wide
+        $ = "enum_script" wide
+        $ = "eop_script" wide
+        $ = "mexecatz" wide
+        $ = "scshell" wide
+        $ = "shares_script" wide
+        $ = "internalmonologue" wide
+        $ = "inveigh" wide
+        $ = "pingcastle" wide
+        $ = "rubeus" wide
+        $ = "seatbelt" wide
+        $ = "sharpexec" wide
+        $ = "sharphound3" wide
+        $ = "spoolsample" wide
+        $ = "standin" wide
+        $ = "grouper2" wide
+        $ = "lockless" wide
+        $ = "sharpoxidresolver" wide
+        $ = "sharpprinter" wide
+        $ = "list_plugins" wide
+        $ = "get_version" wide
+        $ = "Current version is %s" wide
+        $ = "Supported plugins:" wide
+        
+    condition:
+        uint16(0)==0x5A4D
+        and filesize > 10MB
+        and 15 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/malware_win_passlib.yar b/yara_rules/malware_win_passlib.yar
new file mode 100644
index 0000000..179f93d
--- /dev/null
+++ b/yara_rules/malware_win_passlib.yar
@@ -0,0 +1,33 @@
+rule malware_win_passlib {
+    meta:
+        id = "609999e2-a644-4bf3-bce2-b0e1b0e7094b"
+        version = "1.0"
+        description = "Detect the Passlib malware"
+        author = "Sekoia.io"
+        creation_date = "2022-07-28"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "Passlib test utility - Version %s" wide
+        $ = "-l <full_path_to_dll_to_load_into_lsass> (arbitrary dll injection into LSASS)" wide
+        $ = "-u <dll_to_unload_from_lsass> (arbitrary dll uninjection from LSASS)" wide
+        $ = "DLL %s injection was successful requested!" wide
+        $ = "DLL %s uninjection was successful requested!" wide
+        $ = "Process %s was succesfully created with full privileges and system integrity!" wide
+        $ = "full_path_to_volatile_payload_dll" wide
+        $ = "%s: [%s]:[%s] (http_only:%d)" wide
+        $ = "LEX server has been deployed at lsass." wide
+        $ = "LEX client is using volatile payload at: %s" wide
+        $ = "LEX client is using permanent payload at: %s" wide
+        $ = "Passlib execution finished" wide
+        $ = "Running on Passlib version %ws" wide
+        $ = "There was a problem initializing passlib manager interface." wide
+        $ = "Passlib running without high integrity" wide
+        $ = "About to dump passwords through passlib manager interface" wide
+        
+    condition:
+        uint16(0)==0x5A4D
+        and filesize > 1500KB
+        and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/manjusaka_samples.yar b/yara_rules/manjusaka_samples.yar
new file mode 100644
index 0000000..165a321
--- /dev/null
+++ b/yara_rules/manjusaka_samples.yar
@@ -0,0 +1,42 @@
+rule manjusaka_samples {
+    meta:
+        id = "7aa8edb3-2e67-4632-af68-5b65c9aefe39"
+        version = "1.0"
+        author = "Sekoia.io"
+        description = "Detects Manjusaka via protobuf struture names (Windows / Linux / implants / C2)"
+        creation_date = "2022-08-04"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = ".protos.AgentStatusR" ascii wide
+        $ = ".protos.AgentsR" ascii wide
+        $ = ".protos.FileActionR" ascii wide
+        $ = ".protos.FileEntryR" ascii wide
+        $ = ".protos.HttpFileActionR" ascii wide
+        $ = ".protos.HttpFileEntryR" ascii wide
+        $ = ".protos.PassResultR" ascii wide
+        $ = ".protos.PortResultR" ascii wide
+        $ = ".protos.PortResultR" ascii wide
+        $ = ".protos.PortResultR" ascii wide
+        $ = ".protos.ConfigH" ascii wide
+        $ = ".protos.AgentUpdateH" ascii wide
+        $ = ".protos.PluginExecH" ascii wide
+        $ = ".protos.PluginLoadH" ascii wide
+        $ = ".protos.ReqCwdH" ascii wide
+        $ = ".protos.ReqCmdH" ascii wide
+        $ = ".protos.ReqListFileH" ascii wide
+        $ = ".protos.ReqCatFileH" ascii wide
+        $ = ".protos.ReqNetStatH" ascii wide
+        $ = ".protos.ReqTaskListH" ascii wide
+        $ = ".protos.ReqScreenH" ascii wide
+        $ = ".protos.FileEventH" ascii wide
+        $ = ".protos.HttpFileEventH" ascii wide
+        $ = ".protos.PassGetEventH" ascii wide
+        $ = ".protos.FileGetEventH" ascii wide
+        $ = ".protos.AgentEventR" ascii wide
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        15 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/merlin_crossplatform.yar b/yara_rules/merlin_crossplatform.yar
new file mode 100644
index 0000000..b56358b
--- /dev/null
+++ b/yara_rules/merlin_crossplatform.yar
@@ -0,0 +1,24 @@
+rule merlin_crossplatform {
+    meta:
+        id = "c9c57f5e-26c3-43be-b2cf-10f5129d3be6"
+        author = "Sekoia.io"
+        creation_date = "2022-01-03"
+        description = "Detects Merlin agent cross platform"
+        version = "1.0"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = ".CRT" ascii
+        $s2 = ".tls" ascii
+        $s3 = "github.com/Ne0nd0g/merlin" ascii
+        $s4 = "github.com/refraction-networking" ascii
+        $s5 = "SendMerlinMessage" ascii
+        $s6 = "ifconfigH9" ascii
+        
+    condition:
+        (uint16(0) == 0x5a4d or uint16(0) == 0x457f)
+        and all of them
+        and filesize > 5MB
+        and filesize < 15MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/merlin_linux_elf.yar b/yara_rules/merlin_linux_elf.yar
new file mode 100644
index 0000000..09e8b8f
--- /dev/null
+++ b/yara_rules/merlin_linux_elf.yar
@@ -0,0 +1,35 @@
+import "elf"
+import "hash"
+        
+rule merlin_linux_elf {
+    meta:
+        id = "d9c57f5e-26c3-43be-b2cf-10f5129d3be6"
+        author = "Sekoia.io"
+        creation_date = "2022-01-03"
+        description = "Detects Merling agent (ELF)"
+        version = "1.0"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "github.com/Ne0nd0g/merlin" ascii
+        $s2 = "github.com/refraction-networking" ascii
+        $s3 = "SendMerlinMessage" ascii
+        
+    condition:
+        uint32(0)==0x464c457f
+                and for any i in (0..elf.number_of_sections-1) : (
+                        hash.md5(elf.sections[i].offset, elf.sections[i].size) == "80199718ff1821a3fe914cd2279ab3a0"
+        )
+                and for any i in (0..elf.number_of_sections-1) : (
+                        hash.md5(elf.sections[i].offset, elf.sections[i].size) == "7dea362b3fac8e00956a4952a3d4f474"
+        )
+                and for any i in (0..elf.number_of_sections-1) : (
+                        hash.md5(elf.sections[i].offset, elf.sections[i].size) == "d41d8cd98f00b204e9800998ecf8427e"
+        )
+                and for any i in (0..elf.number_of_sections-1) : (
+                        hash.md5(elf.sections[i].offset, elf.sections[i].size) == "91476dafa5ef669483350538fa6ec4cb"
+                )
+        and all of them
+        and filesize < 15MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/merlin_win_dll.yar b/yara_rules/merlin_win_dll.yar
new file mode 100644
index 0000000..7d1c2d6
--- /dev/null
+++ b/yara_rules/merlin_win_dll.yar
@@ -0,0 +1,43 @@
+import "pe"
+import "hash"
+        
+rule merlin_win_dll {
+    meta:
+        id = "c9c57f5e-26c3-43be-b2cf-10f5129d3be5"
+        author = "Sekoia.io"
+        creation_date = "2022-01-03"
+        description = "Detects Merling agent (DLL)"
+        version = "1.0"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = ".CRT" ascii
+        $s2 = ".tls" ascii
+        $s3 = "github.com/Ne0nd0g/merlin" ascii
+        $s4 = "github.com/lucas-clemente" ascii
+        $s5 = "SendMerlinMessage" ascii
+        
+    condition:
+        uint16(0)==0x5A4D
+                and pe.imphash() == "da7f8acb6151c95be088a02465d68ef8"
+                and for any i in (0..pe.number_of_sections-1) : (
+                        hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "491d9a18aea3d0eb3653fdaf0b9b86bb"
+        )
+                and for any i in (0..pe.number_of_sections-1) : (
+                        hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "d41d8cd98f00b204e9800998ecf8427e"
+        )
+                and for any i in (0..pe.number_of_sections-1) : (
+                        hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "bf619eac0cdf3f68d496ea9344137e8b"
+        )
+                and for any i in (0..pe.number_of_sections-1) : (
+                        hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "ce7969c1e894363133e386361be064e5"
+        )
+                and for any i in (0..pe.number_of_sections-1) : (
+                        hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "c6179cdcd9ba0758a18a1280f98062eb"
+                )
+        and all of them
+        and $s1 at 712 
+        and $s2 at 752 
+        and filesize < 15MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/merlin_win_exe.yar b/yara_rules/merlin_win_exe.yar
new file mode 100644
index 0000000..a3dbf2c
--- /dev/null
+++ b/yara_rules/merlin_win_exe.yar
@@ -0,0 +1,28 @@
+import "pe"
+import "hash"
+        
+rule merlin_win_exe {
+    meta:
+        id = "c9c57f5e-26c3-43be-b2cf-10f5129d3be4"
+        author = "Sekoia.io"
+        creation_date = "2022-01-03"
+        description = "Detects Merling agent (PE)"
+        version = "1.0"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "B.symtab" ascii
+        $s2 = "github.com/Ne0nd0g/merlin" ascii
+        $s3 = "github.com/lucas-clemente" ascii
+        $s4 = "SendMerlinMessage" ascii
+        
+    condition:
+        uint16(0)==0x5A4D
+        and for any i in (0..pe.number_of_sections-1) : (
+                        hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "07b5472d347d42780469fb2654b7fc54"
+                )
+        and all of them
+        and $s1 at 591
+        and filesize < 15MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/miner_lin_xmrig_strings.yar b/yara_rules/miner_lin_xmrig_strings.yar
new file mode 100644
index 0000000..991bc48
--- /dev/null
+++ b/yara_rules/miner_lin_xmrig_strings.yar
@@ -0,0 +1,37 @@
+rule miner_lin_xmrig_strings {
+    meta:
+        id = "2f99020b-424c-4433-860c-5e9ab4e1f1de"
+        version = "1.0"
+        description = "Detects XMRig ELF"
+        author = "Sekoia.io"
+        creation_date = "2022-09-08"
+        modification_date = "2024-01-04"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "XMRig "
+        $ = "pool_wallet"
+        $ = "IP Address currently banned"
+        $ = "rigid"
+        $ = "diff_current"
+        $ = "shares_good"
+        $ = "shares_total"
+        $ = "avg_time"
+        $ = "avg_time_ms"
+        $ = "hashes_total"
+        $ = "pool address"
+        $ = "ping time"
+        $ = "connection time"
+        $ = "daemon+wss://"
+        $ = "daemon+https://"
+        $ = "daemon+http://"
+        $ = "socks5://"
+        $ = "stratum+ssl://"
+        $ = "stratum+tcp://"
+        
+    condition:
+        uint32be(0) == 0x7f454c46 and
+        filesize < 10MB and
+        7 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/miner_win_xmrig_strings.yar b/yara_rules/miner_win_xmrig_strings.yar
new file mode 100644
index 0000000..e2be74a
--- /dev/null
+++ b/yara_rules/miner_win_xmrig_strings.yar
@@ -0,0 +1,36 @@
+rule miner_win_xmrig_strings {
+    meta:
+        id = "35f203aa-20cd-4235-9ead-b34be14255d5"
+        version = "1.0"
+        description = "Detects XMRig EXE"
+        author = "Sekoia.io"
+        creation_date = "2024-01-04"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "XMRig "
+        $ = "pool_wallet"
+        $ = "IP Address currently banned"
+        $ = "rigid"
+        $ = "diff_current"
+        $ = "shares_good"
+        $ = "shares_total"
+        $ = "avg_time"
+        $ = "avg_time_ms"
+        $ = "hashes_total"
+        $ = "pool address"
+        $ = "ping time"
+        $ = "connection time"
+        $ = "daemon+wss://"
+        $ = "daemon+https://"
+        $ = "daemon+http://"
+        $ = "socks5://"
+        $ = "stratum+ssl://"
+        $ = "stratum+tcp://"
+        
+    condition:
+        uint32be(0) == 0x5A4D and
+        filesize < 15MB and
+        7 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/nomercy.yar b/yara_rules/nomercy.yar
new file mode 100644
index 0000000..f28f24b
--- /dev/null
+++ b/yara_rules/nomercy.yar
@@ -0,0 +1,62 @@
+rule nomercy {
+    meta:
+        id = "2591f74b-8ab8-45ef-ba64-62a93df305c1"
+        version = "1.0"
+        hash1 = "9ecc76d4cda47a93681ddbb67b642c2e1f303ab834160ab94b79b47381e23a65"
+        hash2 = "557acce8b787aba87c8eeb939438b52c5ca953f28ad680a7faeb2b3046d3fda0"
+        description = "Detect NoMercy sample version up to 1.1.0"
+        author = "Sekoia.io"
+        creation_date = "2022-07-11"
+        classification = "TLP:CLEAR"
+        reference = "https://blog.cyble.com/2022/07/07/nomercy-stealer-adding-new-features/"
+        
+    strings:
+        $debug1 = "Posted uid and version" wide ascii
+        $debug2 = "Posted cli info to server" wide ascii
+        $debug3 = "Posted other info to server" wide ascii
+        $debug4 = "Sending screenshot..." wide ascii
+        $debug5 = "Sent screenshot" wide ascii
+        $debug6 = "Listening to Microphone..." wide ascii
+        $debug7 = "Collecting other info..." wide ascii
+        $url1 = "/a?uid=" wide ascii
+        $url2 = "/c?uid=" wide ascii
+        $url3 = "/d?uid=" wide ascii
+        $url4 = "/e?uid=" wide ascii
+        $url5 = "/b?sysinfoother=" wide ascii
+        $url6 = "/b?sysinfocli=" wide ascii
+        $info1 = "PUBLIC IP:" wide ascii
+        $info2 = "HWID:" wide ascii
+        $info3 = "RAM:" wide ascii
+        $info4 = "GPU:" wide ascii
+        $info5 = "MEDIA ACCESS CONTROL ADDRESS:" wide ascii
+        $info6 = "PRIVATE IP:" wide ascii
+        $info7 = "OS VERSION:" wide ascii
+        $info8 = "ANTIVIRUS:" wide ascii
+        $info9 = "KEYBOARD LANGUAGE:" wide ascii
+        $info10 = "CLIPBOARD: {0}{1}{2}" wide ascii
+        $info11 = "RUNNING PROCESSES:" wide ascii
+        $info12 = "WINDOW TITLE:" wide ascii
+        $cmd1 = "/c whoami /all" wide ascii
+        $cmd2 = "/c whoami" wide ascii
+        $cmd3 = "/c arp -a" wide ascii
+        $cmd4 = "/c ipconfig /all" wide ascii
+        $cmd5 = "/c net view /all" wide ascii
+        $cmd6 = "/c net share" wide ascii
+        $cmd7 = "/c route print" wide ascii
+        $cmd8 = "/c netstat -nao" wide ascii
+        $cmd9 = "/c net localgroup" wide ascii
+        $cmd10 = "/c systeminfo" wide ascii
+        $inv1 = "http://api.ipify.org" wide ascii
+        $inv2 = "NoMercy" wide ascii
+        
+    condition:
+    uint16be(0) == 0x4d5a 
+    and 3 of ($debug*)
+    and 8 of ($info*) 
+    and 2 of ($url*)
+    and 6 of ($cmd*) 
+    and 1 of ($inv*) 
+    and filesize > 700KB 
+    and filesize < 3000KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/observerstealer.yar b/yara_rules/observerstealer.yar
new file mode 100644
index 0000000..d56d253
--- /dev/null
+++ b/yara_rules/observerstealer.yar
@@ -0,0 +1,23 @@
+rule observerstealer {
+    meta:
+        id = "52314870-c100-441d-9ccf-07588325a401"
+        version = "1.0"
+        description = "detection based on the strings"
+        author = "Sekoia.io"
+        creation_date = "2024-02-01"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "URLOpenBlockingStreamW" ascii
+        $s2 = "processGrabber" wide
+        $s3 = "grabbers" wide
+        $s4 = {2F 00 73}
+        $s5 = "UNKNOWN_HWID" ascii
+        $s6 = {48 00 57 00 49 00 44}
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        filesize < 400KB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/pe_princeransomware_strings.yar b/yara_rules/pe_princeransomware_strings.yar
new file mode 100644
index 0000000..83100f9
--- /dev/null
+++ b/yara_rules/pe_princeransomware_strings.yar
@@ -0,0 +1,19 @@
+rule pe_princeransomware_strings {
+    meta:
+        id = "9c5cad6e-2b11-469c-ace1-2dc51562b035"
+        version = "1.0"
+        description = "Prince Ransomware exe files"
+        author = "Sekoia.io"
+        creation_date = "2024-08-07"
+        classification = "TLP:CLEAR"
+        hash = "8bd8de169f45e32bab53f6e06088836d6f0526105f03efa1faf84f3b02c43011"
+        hash = "a83aad6861c8fdfe2392b8e286ab7051d223c6b0bbba5996165964f429657a37"
+        
+    strings:
+        $ = "https://i.imgur.com/RfsCOES.png" ascii
+        $ = {596f75722066696c65732068617665206265656e20656e63727970746564207573696e67205072696e63652052616e736f6d77617265} //Your files have been encrypted using Prince Ransomware
+        
+    condition:
+        all of them and uint16(0) == 0x5a4d and filesize > 1MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/pe_stealer_axilestealer_strings.yar b/yara_rules/pe_stealer_axilestealer_strings.yar
new file mode 100644
index 0000000..b865b9d
--- /dev/null
+++ b/yara_rules/pe_stealer_axilestealer_strings.yar
@@ -0,0 +1,29 @@
+rule pe_stealer_axilestealer_strings {
+    meta:
+        id = "412bfc3e-6bb7-4b0d-8bb3-96eae0cc9782"
+        version = "1.0"
+        description = "AxileStealer strings"
+        author = "Sekoia.io"
+        creation_date = "2023-12-13"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "http://ip-api.com/line/?fields=query,country,countryCode,city,regionName,zip,isp" wide
+        $s2 = "Axile.su" wide
+        $s3 = "Unknown Tokens.txt" wide
+        $a1 = "[ <b>General</b> ]" wide
+        $a2 = "[ <b>Browsers</b> ]" wide
+        $a3 = "[ <b>Wallets</b> ]" wide
+        $a4 = "[ <b>Messengers</b> ]" wide
+        $a5 = "[ <b>Applications</b> ]" wide
+        $a6 = "[ <b>Games</b> ]" wide
+        $a7 = "[ <b>Mails</b> ]" wide
+        $a8 = "[ <b>VPNs</b> ]" wide
+        $a9 = "[ <b>FTPs</b> ]" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize > 50KB and filesize < 200KB and
+        2 of ($s*) and 7 of ($a*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/pe_stealer_scarletstealer_strings.yar b/yara_rules/pe_stealer_scarletstealer_strings.yar
new file mode 100644
index 0000000..a5347cc
--- /dev/null
+++ b/yara_rules/pe_stealer_scarletstealer_strings.yar
@@ -0,0 +1,34 @@
+rule pe_stealer_scarletstealer_strings {
+    meta:
+        id = "ca930851-513f-44e5-abb4-ca0edfde3428"
+        version = "1.0"
+        description = "ScarletStealer strings"
+        author = "Sekoia.io"
+        creation_date = "2023-12-15"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "Scarlet Client" wide
+        $s2 = "] PC NAME:   (" wide
+        $s3 = "] IP:   (" wide
+        $s4 = " - Wallets -" wide
+        $s5 = "] Exodus:  (" wide
+        $s6 = "] Electrum:  (" wide
+        $s7 = "] Atomic:  (" wide
+        $s8 = "] Guarda:  (" wide
+        $s9 = "] Coinomi: (" wide
+        $s10 = "] Monero:  (" wide
+        $s11 = "] Ledger:  (" wide
+        $s12 = "] Bitbox:  (" wide
+        $s13 = "] Trezor:  (" wide
+        $s14 = ") Support: PointX@exploit.im - @isPointX" wide
+        $a2 = "/config/tk.txt" wide
+        $a3 = "/config/chatid.txt" wide
+        $a1 = "telebyt.com" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize > 50KB and filesize < 2MB and
+        13 of ($s*) and 2 of ($a*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/platypus_winlinmac_strings.yar b/yara_rules/platypus_winlinmac_strings.yar
new file mode 100644
index 0000000..187981e
--- /dev/null
+++ b/yara_rules/platypus_winlinmac_strings.yar
@@ -0,0 +1,23 @@
+rule platypus_winlinmac_strings {
+    meta:
+        id = "4519448d-b91b-4794-9521-359b8cf4af78"
+        version = "1.0"
+        description = "Catch Platypus based on strings"
+        author = "Sekoia.io"
+        creation_date = "2023-12-07"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $pl1 = "platypus.go" ascii
+        $pl2 = "Platypus/lib/context/server.go" ascii
+        $pl3 = "Platypus/lib/context/context.go" ascii
+        $pl4 = "Platypus/lib/context/client.go" ascii
+        $pl5 = "github.com/WangYihang/" ascii
+        $f1 = "reflection/reflection.go" ascii
+        $f2 = "socksUsernamePassword" ascii
+        $go = "/golang" ascii
+        
+    condition:
+        uint32(0)==0x464c457f and 4 of ($pl*) and 1 of ($f*) and #go > 30
+}
+        
\ No newline at end of file
diff --git a/yara_rules/plugx_final_payload.yar b/yara_rules/plugx_final_payload.yar
new file mode 100644
index 0000000..f2827dc
--- /dev/null
+++ b/yara_rules/plugx_final_payload.yar
@@ -0,0 +1,24 @@
+import "pe"
+        
+rule plugx_final_payload {
+    meta:
+        id = "a4047324-81a7-4c17-be84-c0fa479d2f89"
+        version = "1.0"
+        description = "Detects encrypted plugx config with a specific size"
+        author = "Sekoia.io"
+        creation_date = "2023-07-04"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = {30 31 32 33 34 35 36 37 38 39 41 42 43 44 45 46 88 13 00 00 60 ea 00 00 ?? ?? ?? ?? 00 00 00 00}
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        filesize < 8MB and 
+        for any i in (0..pe.number_of_sections-1) : 
+        (
+            pe.sections[i].name == ".data"
+            and $s1 in (pe.sections[i].raw_data_offset..pe.sections[i].raw_data_offset + pe.sections[i].raw_data_size)
+        )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/radx_stealer.yar b/yara_rules/radx_stealer.yar
new file mode 100644
index 0000000..6b412e9
--- /dev/null
+++ b/yara_rules/radx_stealer.yar
@@ -0,0 +1,21 @@
+rule radx_stealer {
+    meta:
+        id = "bf2aae08-169c-4bc9-a1ac-80f4b79ef6d7"
+        version = "1.0"
+        description = "detection of RADX stealer based on function named in the .NET payload"
+        author = "Sekoia.io"
+        creation_date = "2023-12-22"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "get_FileName" ascii fullword
+        $s2 = "set_FileName" ascii fullword
+        $f1 = "TripleDESCryptoServiceProvider" ascii fullword
+        $f2 = "SendBase64ToServer" ascii fullword
+        $f3 = "SendCommandOutputToServer" ascii fullword
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        filesize > 500KB and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/ransomware_lin_avoslocker_sections.yar b/yara_rules/ransomware_lin_avoslocker_sections.yar
new file mode 100644
index 0000000..701b842
--- /dev/null
+++ b/yara_rules/ransomware_lin_avoslocker_sections.yar
@@ -0,0 +1,26 @@
+import "elf"
+import "hash"
+        
+rule ransomware_lin_avoslocker_sections {
+    meta:
+        id = "3a7bf14d-24fb-47c9-b073-dd734f808983"
+        version = "1.0"
+        description = "Detect AvosLocker ransomware for Linux by using its section hashes"
+        author = "Sekoia.io"
+        creation_date = "2022-02-21"
+        classification = "TLP:CLEAR"
+        hash1 = "0cd7b6ea8857ce827180342a1c955e79c3336a6cf2000244e5cfd4279c5fc1b6"
+        hash2 = "7c935dcd672c4854495f41008120288e8e1c144089f1f06a23bd0a0f52a544b1"
+        hash3 = "10ab76cd6d6b50d26fde5fe54e8d80fceeb744de8dbafddff470939fac6a98c4"
+        
+    condition:
+        uint32(0)==0x464c457f and
+        for any i in (0..elf.number_of_sections-1) : (hash.md5(elf.sections[i].offset, elf.sections[i].size) == "91476dafa5ef669483350538fa6ec4cb")
+        and for any i in (0..elf.number_of_sections-1) : (hash.md5(elf.sections[i].offset, elf.sections[i].size) == "c2b21b2556c9d751e203965c825f8a81")
+        and for any i in (0..elf.number_of_sections-1) : (hash.md5(elf.sections[i].offset, elf.sections[i].size) == "f858d36231ba743ad8c898d86a67a864")
+        and for any i in (0..elf.number_of_sections-1) : (hash.md5(elf.sections[i].offset, elf.sections[i].size) == "7dea362b3fac8e00956a4952a3d4f474")
+        and for any i in (0..elf.number_of_sections-1) : (hash.md5(elf.sections[i].offset, elf.sections[i].size) == "489c87d7b1a694980587dfb413fb2afc")
+        and for any i in (0..elf.number_of_sections-1) : (hash.md5(elf.sections[i].offset, elf.sections[i].size) == "972e27e9f115278244f5e4ae89dd412a")
+        and for any i in (0..elf.number_of_sections-1) : (hash.md5(elf.sections[i].offset, elf.sections[i].size) == "d1f5b688a92b611e1363945fa552a9d7")
+}
+        
\ No newline at end of file
diff --git a/yara_rules/ransomware_lin_avoslocker_strings.yar b/yara_rules/ransomware_lin_avoslocker_strings.yar
new file mode 100644
index 0000000..46ee072
--- /dev/null
+++ b/yara_rules/ransomware_lin_avoslocker_strings.yar
@@ -0,0 +1,21 @@
+rule ransomware_lin_avoslocker_strings {
+    meta:
+        version = "1.0"
+        description = "Detect AvosLocker ransomware for Linux by using strings from its ransom note and the onion domains"
+        author = "Sekoia.io"
+        creation_date = "2022-02-21"
+        classification = "TLP:CLEAR"
+        hash1 = "0cd7b6ea8857ce827180342a1c955e79c3336a6cf2000244e5cfd4279c5fc1b6"
+        hash2 = "7c935dcd672c4854495f41008120288e8e1c144089f1f06a23bd0a0f52a544b1"
+        hash3 = "10ab76cd6d6b50d26fde5fe54e8d80fceeb744de8dbafddff470939fac6a98c4"
+        id = "6056e15c-d656-41cb-bea0-704776c52c92"
+        
+    strings:
+        $s1 = "The corporations whom don't pay or fail to respond in a swift manner can be found in our blog, accessible at" ascii
+        $s2 = "http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion" ascii
+        $s3 = "http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion" ascii
+        
+    condition:
+        uint32(0)==0x464c457f and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/ransomware_linux_icefire_2023.yar b/yara_rules/ransomware_linux_icefire_2023.yar
new file mode 100644
index 0000000..4c70bba
--- /dev/null
+++ b/yara_rules/ransomware_linux_icefire_2023.yar
@@ -0,0 +1,25 @@
+rule ransomware_linux_icefire_2023 {
+    meta:
+        id = "b04964f4-3fdc-4745-9f4a-95a5a79bc7e1"
+        version = "1.0"
+        description = "Rule to detect Linux IceFire ransomware samples."
+        author = "Sekoia.io"
+        creation_date = "2023-02-13"
+        classification = "TLP:CLEAR"
+        hash1 = "e9cc7fdfa3cf40ff9c3db0248a79f4817b170f2660aa2b2ed6c551eae1c38e0b"
+        
+    strings:
+        $string01 = "********************Your network has been infected!!!********************"
+        $string02 = "IMPORTANT : DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED!!!"
+        $string03 = "username:"
+        $string04 = "password:"
+        $string05 = ".cfg.o.sh.img.txt.xml.jar.pid.ini.pyc.a.so.run.env.cache.xmlb"
+        $string06 = "./boot./dev./etc./lib./proc./srv./sys./usr./var./run"
+        $string07 = "/iFire-readme.txt"
+        $string08 = ".iFire"
+        $string09 = "iFire.pid"
+        
+    condition:
+        uint32be(0) == 0x7F454C46  and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/ransomware_mallox.yar b/yara_rules/ransomware_mallox.yar
new file mode 100644
index 0000000..3bc30db
--- /dev/null
+++ b/yara_rules/ransomware_mallox.yar
@@ -0,0 +1,39 @@
+rule ransomware_mallox {
+    meta:
+        id = "7e2edc94-26e4-4024-8bc0-8e90d76f5a96"
+        version = "1.0"
+        description = "Rule to detect mallox ransomware samples."
+        author = "Sekoia.io"
+        creation_date = "2023-02-20"
+        modification_date = "2023-05-24"
+        classification = "TLP:CLEAR"
+        hash1 = "2a549489e2455a2d84295604e29c727dd20d65f5a874209840ce187c35d9a439"
+        hash2 = "3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673"
+        hash3 = "4075d6e02c022ee45e0cd1c826abf749200639ee8ebc42375dac2430abafb5d6"
+        hash4 = "4db69a0643f6ec795e5450a0563605e91293f233aa60715ae09ed8effa3b7267"
+        hash5 = "77fdce66e7f909300e4493cbe7055254f7992ba65f9b7445a6755d0dbd9f80a5"
+        hash6 = "8e974a3be94b7748f7971f278160a74d738d5cab2c3088b1492cfbbd05e83e22"
+        hash7 = "a5085e571857ec54cf9625050dfc29a195dad4d52bea9b69d3f22e33ed636525"
+        hash8 = "df64e87ecb30f4cadf54f2c1b3d3cba8cc2d315db0fd4af2d11add57baa56f6a"
+        hash9 = "e7e00e0f817fcb305f82aec2e60045fcdb1b334b2621c09133b6b81284002009"
+        
+    strings:
+        $s1 = "C:\\HOW TO RECOVER !!.TXT" wide ascii nocase
+        $s2 = "SYSTEM\\CurrentControlSet\\Services\\EventLog\\Application\\Raccine" wide ascii nocase
+        $s3 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\vssadmin.exe" wide ascii nocase
+        $s4 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\wmic.exe" wide ascii nocase
+        $s5 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\wbadmin.exe" wide ascii nocase
+        $s6 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\bcdedit.exe" wide ascii nocase
+        $s7 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\powershell.exe" wide ascii nocase
+        $s8 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\diskshadow.exe" wide ascii nocase
+        $s9 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\net.exe" wide ascii nocase
+        $s10 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskkill.exe" wide ascii nocase
+        $s11 = "bcdedit /set {current} recoveryenabled no" wide ascii nocase
+        $mallox_fargo = ".FARGO" wide ascii nocase
+        $mallox_mallox = ".mallox" wide ascii nocase
+        $mallox_exploit = "newexploit@tutanota.com"
+        
+    condition:
+        uint16be(0) == 0x4d5a and all of ($s*) and 1 of ($mallox_*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/ransomware_win_agenda.yar b/yara_rules/ransomware_win_agenda.yar
new file mode 100644
index 0000000..c9f05e3
--- /dev/null
+++ b/yara_rules/ransomware_win_agenda.yar
@@ -0,0 +1,27 @@
+rule ransomware_win_agenda {
+    meta:
+        version = "1.0"
+        description = "Finds Agenda ransomware (aka Qilin) samples based on characteristic strings"
+        author = "Sekoia.io"
+        creation_date = "2022-12-15"
+        id = "b0ea8e69-8f29-452f-95f7-67ee0e545b66"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str00 = "\"note\": \"-- Qilin" ascii
+        $str01 = "README-RECOVER-.txt" ascii
+        $str02 = "\"file_black_list\": [" ascii
+        $str03 = "\"file_pattern_black_list\": [" ascii
+        $str04 = "Encrypted files have new extension." ascii
+        $str05 = "We have downloaded compromising and sensitive data from you system/network" ascii
+        $str06 = "Employees personal dataCVsDLSSN." ascii
+        $str07 = "ueegj65kwr3v3sjhli73gjtmfnh2uqlte3vyg2kkyqq7cja2yx2ptaad.onion" ascii
+        $str08 = "cmdvssadmin.exe delete shadows /all /quiet" ascii
+        $str09 = "[WARNING] Removing shadows failed." ascii
+        $str10 = "[INFO] Shadow copies removed" ascii
+        $str11 = "[WARNING] net sahre enum failed with:" ascii
+        
+    condition:
+        uint16(0)==0x5A4D and 2 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/ransomware_win_avoslocker.yar b/yara_rules/ransomware_win_avoslocker.yar
new file mode 100644
index 0000000..0376dbc
--- /dev/null
+++ b/yara_rules/ransomware_win_avoslocker.yar
@@ -0,0 +1,25 @@
+rule ransomware_win_avoslocker {
+    meta:
+        id = "fc5c2483-48cb-4282-b6cb-ac728b948607"
+        version = "1.0"
+        description = "Detect AvosLocker ransomware (2021-07)"
+        author = "Sekoia.io"
+        creation_date = "2021-08-03"
+        classification = "TLP:CLEAR"
+        hash6 = "f810deb1ba171cea5b595c6d3f816127fb182833f7a08a98de93226d4f6a336f"
+        hash7 = "c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02"
+        hash8 = "84d94c032543e8797a514323b0b8fd8bd69b4183f17351628b13d1464093af2d"
+        
+    strings:
+        $s1 = "cryptopp850\\rijndael_simd.cpp" ascii
+        $s2 = "cryptopp850\\sha_simd.cpp" ascii
+        $s3 = "cryptopp850\\gf2n_simd.cpp" ascii
+        $s4 = "cryptopp850\\sse_simd.cpp" ascii
+        
+    condition:
+        all of them
+        and uint16(0)==0x5A4D
+        and filesize > 900KB
+        and filesize < 950KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/ransomware_win_blackcat.yar b/yara_rules/ransomware_win_blackcat.yar
new file mode 100644
index 0000000..5c53350
--- /dev/null
+++ b/yara_rules/ransomware_win_blackcat.yar
@@ -0,0 +1,32 @@
+rule ransomware_win_blackcat {
+    meta:
+        id = "873355f7-3942-4171-9df7-f524bb6b6903"
+        description = "Detect the BlackCat ransomware (Windows version)"
+        author = "Sekoia.io"
+        creation_date = "2022-01-19"
+        classification = "TLP:CLEAR"
+        version = "1.1"
+        
+    strings:
+        $s1 = "desktop_image::set_desktop_wallpaper=" ascii
+        $s2 = "C:\\Users\\Public\\All Usersdeploy_note_and_image_for_all_users=" ascii
+        $s3 = "propagate::none" ascii
+        $s4 = "propagate::failed=" ascii
+        $s5 = "propagate::ok=" ascii
+        $s6 = "query_status_process::ok=" ascii
+        $s7 = "enum_dependent_services::ok=" ascii
+        $s8 = "enum_dependent_services::error=" ascii
+        $s9 = "try_stop=" ascii
+        $s10 = "try_stop::ok=" ascii
+        $s11 = "try_stop::failed=" ascii
+        $s12 = "stop=" ascii
+        $s13 = "dependent_service_name=" ascii
+        $s14 = "kill_all=" ascii
+        $s15 = "detach=" ascii
+        
+    condition:
+        uint16(0)==0x5A4D
+        and filesize > 2MB and filesize < 4MB
+        and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/ransomware_win_blackmatter.yar b/yara_rules/ransomware_win_blackmatter.yar
new file mode 100644
index 0000000..e2e7257
--- /dev/null
+++ b/yara_rules/ransomware_win_blackmatter.yar
@@ -0,0 +1,18 @@
+import "pe"
+import "hash"
+        
+rule ransomware_win_blackmatter {
+    meta:
+        id = "9b2d8ac3-b4d1-40f5-ac57-411547dcb2cf"
+        version = "1.0"
+        description = "Detect Black matter ransomware (2021-07-23)"
+        author = "Sekoia.io"
+        creation_date = "2021-08-03"
+        classification = "TLP:CLEAR"
+        
+    condition:
+        for any i in (0..pe.number_of_sections-1) : (
+            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "5e89d335de2021a2c268acf00ec513e5"
+        )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/ransomware_win_chaos.yar b/yara_rules/ransomware_win_chaos.yar
new file mode 100644
index 0000000..c073a8d
--- /dev/null
+++ b/yara_rules/ransomware_win_chaos.yar
@@ -0,0 +1,47 @@
+rule ransomware_win_chaos {
+    meta:
+        id = "c1876a18-0618-44e2-8919-b4a041de97e7"
+        description = "Detects the Chaos Ransomware"
+        author = "Sekoia.io"
+        version = "1.0"
+        creation_date = "2022-01-18"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $rep00 = "\\Desktop" wide
+        $rep01 = "\\Links" wide
+        $rep02 = "\\Contacts" wide
+        $rep03 = "\\Documents" wide
+        $rep04 = "\\Downloads" wide
+        $rep05 = "\\Pictures" wide
+        $rep06 = "\\Music" wide
+        $rep07 = "\\OneDrive" wide
+        $rep08 = "\\Saved Games" wide
+        $rep09 = "\\Favorites" wide
+        $rep10 = "\\Searches" wide
+        $rep11 = "\\Videos" wide
+        $rep12 = "C:\\Users\\" wide
+        
+        $str0 = "svchost.exe" wide
+        $str1 = "\\privateKey.chaos" wide
+        $str2 = "Chaos Ransomware" wide
+        $str3 = "read_it.txt" wide
+        $str4 = "<EncryptedKey>" wide
+        $str5 = "passwordBytes" ascii
+        $str6 = "lookForDirectories" ascii
+        $str7 = "Rfc2898DeriveBytes" ascii
+        $str8 = "ICryptoTransform" ascii
+        $str9 = "FromBase64String" ascii
+        
+        $ext0 = ".torrent" wide
+        $ext1 = ".ibank" wide
+        $ext2 = ".wallet" wide
+        $ext3 = ".swift" wide
+        $ext4 = ".onetoc2" wide
+        
+    condition:
+        uint16(0) == 0x5a4d and
+    filesize > 50KB and filesize < 2MB and
+        6 of ($str*) and 10 of ($rep*) and 4 of ($ext*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/ransomware_win_dodo_2023.yar b/yara_rules/ransomware_win_dodo_2023.yar
new file mode 100644
index 0000000..fea42be
--- /dev/null
+++ b/yara_rules/ransomware_win_dodo_2023.yar
@@ -0,0 +1,23 @@
+rule ransomware_win_dodo_2023 {
+    meta:
+        id = "190977d4-5a7a-4e15-8f90-085f82ec56c8"
+        version = "1.0"
+        description = "Rule to detect Dodo ransomware samples."
+        author = "Sekoia.io"
+        creation_date = "2023-02-13"
+        classification = "TLP:CLEAR"
+        hash1 = "aee45cc2540d49a28e765c30f1c4d0b853c1a74ea2260bd7614ece8e54c3bcb3"
+        
+    strings:
+        $s1 = "DODOCRYPTER" ascii wide
+        $s2 = "dodov2" ascii wide
+        $s3 = "dodov2SPREAD.exe" ascii wide
+        $s4 = "dodov2_readit.txt" ascii wide
+        $s5 = "WELCOME, DODO has returned" ascii wide
+        $s6 = "Monero Address: 442n8nf9zojie1JdkZqxDQJFDumBEgZmVZozLdYd5jVPSMws2oUPvNLJKca6JKojyA7zDCZCnMyYnKbY1JLNsbzWK6HNNqW" ascii wide
+        $s7 = "The price for the software is $15. Payment can be made in Bitcoin or XMR." ascii wide
+        
+    condition:
+        uint16be(0) == 0x4d5a  and 4 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/ransomware_win_eking_rich_header.yar b/yara_rules/ransomware_win_eking_rich_header.yar
new file mode 100644
index 0000000..38b7bb4
--- /dev/null
+++ b/yara_rules/ransomware_win_eking_rich_header.yar
@@ -0,0 +1,16 @@
+import "hash"
+import "pe"
+        
+rule ransomware_win_eking_rich_header {
+    meta:
+        id = "9fe76f89-f27a-4a47-a61c-2d767a1a8acb"
+        version = "1.0"
+        description = "Detect Eking ransomware using its rich header"
+        author = "Sekoia.io"
+        creation_date = "2021-10-07"
+        classification = "TLP:CLEAR"
+        
+    condition:
+        hash.md5(pe.rich_signature.clear_data) == "256b60751602028612562b73ecdb163c"
+}
+        
\ No newline at end of file
diff --git a/yara_rules/ransomware_win_fonix.yar b/yara_rules/ransomware_win_fonix.yar
new file mode 100644
index 0000000..85ea38e
--- /dev/null
+++ b/yara_rules/ransomware_win_fonix.yar
@@ -0,0 +1,17 @@
+rule ransomware_win_fonix {
+    meta:
+        id = "b28467d5-69a0-4a8b-8938-8fdac2ae8d19"
+        version = "1.0"
+        description = "Detect the Fonix / XINOF ransomware by spotting its specific debug path"
+        author = "Sekoia.io"
+        creation_date = "2021-10-07"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "Ransomware\\Fonix" ascii
+        $s2 = "Release\\Fonix.pdb" ascii
+        
+    condition:
+        uint16(0)==0x5A4D and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/ransomware_win_honkai_jan2023.yar b/yara_rules/ransomware_win_honkai_jan2023.yar
new file mode 100644
index 0000000..95212f4
--- /dev/null
+++ b/yara_rules/ransomware_win_honkai_jan2023.yar
@@ -0,0 +1,24 @@
+rule ransomware_win_honkai_jan2023 {
+    meta:
+        id = "6ef91cb5-e122-4f91-bc15-3813b8f91cbf"
+        version = "1.0"
+        description = "Rule to detect Honkai ransomware samples."
+        author = "Sekoia.io"
+        creation_date = "2023-02-13"
+        classification = "TLP:CLEAR"
+        hash1 = "989cf96da60d9ebfb6f364717b4f0cae1667fdc7f9d89f77acc254ab47d439e6"
+        
+    strings:
+        $s1 = "DP_Main.exe" ascii wide
+        $s2 = "DP_MainForm" ascii wide
+        $s3 = "DP_Main" ascii wide
+        $s4 = "#DECRYPT MY FILES#.html" ascii wide
+        $s5 = "/api/Encrypted.php" ascii wide
+        $s6 = "http://upload.paradisenewgenshinimpact.top:2095" ascii wide
+        $s7 = "main@paradisenewgenshinimpact.top" ascii wide
+        $s8 = ".honkai" ascii wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and 6 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/ransomware_win_karma.yar b/yara_rules/ransomware_win_karma.yar
new file mode 100644
index 0000000..e1151c2
--- /dev/null
+++ b/yara_rules/ransomware_win_karma.yar
@@ -0,0 +1,22 @@
+rule ransomware_win_karma {
+    meta:
+        id = "efd87a17-7c99-404a-8ea6-2f5c2121f9f2"
+        version = "1.0"
+        description = "Detect the Karma ransomware payload"
+        author = "Sekoia.io"
+        creation_date = "2021-08-25"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $a1 = "KARMA" ascii
+        
+        $u1 = "KARMA" wide
+        $u2 = "-ENCRYPTED.txt" wide
+        $u3 = "Encrypting directory:" wide
+        $u4 = "Encrypting file:" wide
+        $u5 = "Trying to import ECC public key..." wide
+        
+    condition:
+        uint16(0)==0x5A4D and filesize < 150KB and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/ransomware_win_lorenz.yar b/yara_rules/ransomware_win_lorenz.yar
new file mode 100644
index 0000000..3ff3176
--- /dev/null
+++ b/yara_rules/ransomware_win_lorenz.yar
@@ -0,0 +1,28 @@
+rule ransomware_win_lorenz {
+    meta:
+        id = "6936cc61-efe5-4d13-b76f-e808ab331457"
+        version = "1.1"
+        description = "Detect the Lorenz ransomware"
+        author = "Sekoia.io"
+        creation_date = "2022-02-10"
+        classification = "TLP:CLEAR"
+        reference = "https://www.cybereason.com/blog/cybereason-vs.-lorenz-ransomware"
+        
+    strings:
+        $s1 = ".onion" ascii
+        $s2 = "---===Lorenz. Welcome. Again. ===--" ascii
+        $s3 = ".Lorenz.sz40" ascii
+        
+        $url1 = "egypghtljedbs3x3ui45tfhosakzb376epl7baq2ruzfyewcypswhgqd.onion" ascii
+        $url2 = "lorenzmlwpzgxq736jzseuterytjueszsvznuibanxomlpkyxk6ksoyd.onion" ascii
+        $url3 = "vsoonropylvbfqnq2urk7uhaxn7afiwgldnj3ntc743awigojm4p7lid.onion" ascii
+        $url4 = "kpb3ss3vwvfejd4g3gvpvqo6ad7nnmvcqoik4mxt2376yu2adlg5fwyd.onion" ascii
+        $url5 = "vldkrmiqriwlgm2wuxg42nvc6kqsdzsdhsybn27hyn34d66465fxz7id.onion" ascii
+        
+    condition:
+        uint16(0) == 0x5a4d
+        and filesize > 900KB
+        and filesize < 1200KB
+        and (all of ($s*) or 1 of ($url*))
+}
+        
\ No newline at end of file
diff --git a/yara_rules/ransomware_win_masons_jan2023.yar b/yara_rules/ransomware_win_masons_jan2023.yar
new file mode 100644
index 0000000..e1b3d14
--- /dev/null
+++ b/yara_rules/ransomware_win_masons_jan2023.yar
@@ -0,0 +1,19 @@
+rule ransomware_win_masons_jan2023 {
+    meta:
+        id = "cf2af08b-b4a8-4245-9308-242e15aeb346"
+        version = "1.0"
+        description = "Rule to detect Masons ransomware samples."
+        author = "Sekoia.io"
+        creation_date = "2023-02-13"
+        classification = "TLP:CLEAR"
+        hash1 = "7826978642c568f975e2b65d1575fdf92e634f7c80db2c86c9d7c8066e8955b8"
+        
+    strings:
+        $s1 = "Masons" wide
+        $s2 = "@mineralIaha/@root_king1" wide
+        $s3 = "Glory @six62ix" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/ransomware_win_raworld.yar b/yara_rules/ransomware_win_raworld.yar
new file mode 100644
index 0000000..40be9b0
--- /dev/null
+++ b/yara_rules/ransomware_win_raworld.yar
@@ -0,0 +1,24 @@
+rule ransomware_win_raworld {
+    meta:
+        id = "a9ed9c5a-7a0e-4c2e-90f4-d52f5589b2b8"
+        version = "1.0"
+        description = "Detects files related to stage 1 of a campaign from the ransomware group RA World."
+        author = "Sekoia.io"
+        creation_date = "2024-07-24"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "Loder.exe" ascii fullword
+        $s2 = "Stage2.exe" wide
+        $s3 = "SYSVOL" wide
+        $s4 = "Finish.exe" wide
+        $s5 = "Exclude.exe" wide
+        $s6 = "Stage3.exe" wide
+        $s7 = "Pay.txt" ascii fullword
+        $s8 = "RA World" ascii fullword
+        $s9 = "Stage1.exe" ascii fullword
+        
+    condition:
+        4 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/ransomware_win_redeemer.yar b/yara_rules/ransomware_win_redeemer.yar
new file mode 100644
index 0000000..620e6eb
--- /dev/null
+++ b/yara_rules/ransomware_win_redeemer.yar
@@ -0,0 +1,25 @@
+rule ransomware_win_redeemer {
+    meta:
+        version = "1.0"
+        description = "Finds Redeemer samples based on characteristic strings"
+        author = "Sekoia.io"
+        creation_date = "2022-12-09"
+        id = "ef94c1b0-d292-4fae-9801-4860e7347745"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str0 = "RedeemerMutex" ascii
+        $str1 = "SOFTWARE\\Redeemer" ascii
+        $str2 = "-----BEGIN REDEEMER PUBLIC KEY-----" ascii
+        $str3 = "dnNzYWRtaW4gZGVsZXRlIHNoYWRvd3MgL0FsbCAvUXVpZXQ=" ascii //vssadmin delete shadows /All /Quiet
+        $str4 = "d2V2dHV0aWwgY2xlYXItbG9nIEFwcGxpY2F0aW9u" ascii //wevtutil clear-log Application
+        $str5 = "d2JhZG1pbiBkZWxldGUgc3lzdGVtc3RhdGViYWNrdXAgLWRlbGV0ZW9sZGVzdCAtcXVpZXQ=" ascii //wbadmin delete systemstatebackup -deleteoldest -quiet
+        $str6 = "YXNzb2MgLnJlZGVlbT1yZWRlZW1lcg==" ascii //assoc .redeem=redeemer
+        $str7 = "UmVkZWVtZXIgUmFuc29td2FyZSAtIFlvdXIgRGF0YSBJcyBFbmNyeXB0ZWQ=" ascii //Redeemer Ransomware - Your Data Is Encrypted
+        $str8 = "redeemer\\DefaultIcon" wide
+        $str9 = "\\Redeemer.sys" wide
+        
+    condition:
+        uint16(0)==0x5A4D and 2 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/ransomware_win_scransom.yar b/yara_rules/ransomware_win_scransom.yar
new file mode 100644
index 0000000..b3f7f6a
--- /dev/null
+++ b/yara_rules/ransomware_win_scransom.yar
@@ -0,0 +1,32 @@
+rule ransomware_win_scransom {
+    meta:
+        id = "ea799295-1332-49c6-9816-035b91fc9b4f"
+        version = "1.0"
+        description = "Finds ScRansom samples based on specific strings"
+        author = "Sekoia.io"
+        creation_date = "2023-08-24"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "TIMATOMAFULL" wide
+        $str02 = ".Encrypted" wide
+        $str03 = ".Encrypting" wide
+        $str04 = "File Name :" wide
+        $str05 = "File size :" wide
+        $str06 = "TIMATOMA#" wide
+        $str07 = "Already Encrypted" wide
+        $str08 = "HOW TO RECOVERY FILES.TXT" wide
+        $str09 = "%d folder(s) searched and %d file(s) found - %.3f second(s)" wide
+        $str10 = "Search cancelled -" wide
+        $str11 = "note.txt" wide
+        $str12 = "Cannot sort the list while a search is in progress." wide
+        $str13 = "Cancelling search, please wait..." wide
+        $str14 = "Error showing process list" wide
+        $str15 = "[System Process]" wide
+        $str16 = "taskkill /f /im" wide
+        $str17 = "kill.bat" wide
+        
+    condition:
+        uint16(0) == 0x5a4d and 15 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/ransomware_win_shrinklocker.yar b/yara_rules/ransomware_win_shrinklocker.yar
new file mode 100644
index 0000000..3b8e29f
--- /dev/null
+++ b/yara_rules/ransomware_win_shrinklocker.yar
@@ -0,0 +1,26 @@
+rule ransomware_win_shrinklocker {
+    meta:
+        id = "93a6fbdd-ad62-456a-a1a5-b5ae3b242004"
+        version = "1.0"
+        description = "Detects files related to the ShrinkLocker ransomware"
+        author = "Sekoia.io"
+        creation_date = "2024-06-07"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $a = "shrinkdisk" ascii fullword
+        $b = "BitLocker" ascii fullword
+        $c = "diskpart" ascii fullword
+        $d = "disk.vbs" ascii fullword
+        $e = "strDriveLetter" ascii fullword
+        $f = "shrinkcomplate" ascii fullword
+        $g = "ADODB.Stream" ascii fullword
+        $h = "Win32_OperatingSystem" ascii fullword
+        $i = "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server" ascii fullword
+        $j = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" ascii fullword
+        $k = "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE" ascii fullword
+        
+    condition:
+        9 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/ransomware_win_voidcrypt.yar b/yara_rules/ransomware_win_voidcrypt.yar
new file mode 100644
index 0000000..dd9dd4d
--- /dev/null
+++ b/yara_rules/ransomware_win_voidcrypt.yar
@@ -0,0 +1,18 @@
+rule ransomware_win_voidcrypt {
+    meta:
+        id = "394033cc-20fe-4ced-8d77-5f1061bb8c96"
+        version = "1.0"
+        description = "Detect the Limbozar / VoidCrypt ransomware"
+        author = "Sekoia.io"
+        creation_date = "2021-10-07"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "C:\\ProgramData\\pkey.txt" ascii
+        $s2 = "C:\\ProgramData\\IDk.txt" ascii
+        $s3 = "fuckyoufuckyoufuckyoufuckyou" ascii
+        
+    condition:
+        uint16(0)==0x5A4D and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/ransomware_win_wing.yar b/yara_rules/ransomware_win_wing.yar
new file mode 100644
index 0000000..c60a0d4
--- /dev/null
+++ b/yara_rules/ransomware_win_wing.yar
@@ -0,0 +1,53 @@
+rule ransomware_win_wing {
+    meta:
+        id = "c2fe8321-8013-4aa4-91a6-c0face3e6b52"
+        version = "1.0"
+        description = "Finds Wing ransomware samples based on specific strings"
+        author = "Sekoia.io"
+        creation_date = "2024-01-30"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $fun01 = "LockBIT" ascii fullword
+        $fun02 = "BigEncrypt" ascii
+        $fun03 = "RunEncrypt" ascii
+        $fun04 = "AesEncrypt" ascii
+        $fun05 = "KeyGenerator" ascii
+        $fun06 = "GetUniqueKey" ascii
+        $fun07 = "SearchFolder" ascii
+        $fun08 = "ThreadFolders" ascii
+        $fun09 = "ContainsKeyword" ascii
+        $fun10 = "ReadMeMaker" ascii
+        $fun11 = "StopAndConfigureSqlServices" ascii
+        $fun12 = "WipeRecycleBin" ascii
+        $fun13 = "TelSender" ascii
+        
+        $str01 = "AnyDesk" wide
+        $str02 = "firebird" wide
+        $str03 = "Acronis" wide
+        $str04 = "config \"" wide
+        $str05 = " start= demand" wide
+        $str06 = "' stopped and configured to start automatically." wide
+        $str07 = "Error processing service '" wide
+        $str08 = "$RECYCLE.BIN" wide
+        $str09 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" wide
+        $str10 = "UniqueID:" wide
+        $str11 = "PersonalID:" wide
+        
+        $ran01 = "C:\\Readme.txt" wide
+        $ran02 = "C:\\LockBIT\\systemID" wide
+        $ran03 = "Your system has been encrypted by our team, and your files have been locked using our proprietary algorithm !" wide
+        $ran04 = "* Please read this message carefully and patiently *" wide
+        $ran05 = "* If you use any tools, programs, or methods to recover your files and they get damaged, we will not be responsible for any harm to your files !" wide
+        $ran06 = "* Note that your files have not been harmed in any way they have only been encrypted by our algorithm." wide
+        $ran07 = "Your files and your entire system will return to normal mode through the program we provide to you. No one but us will be able to decrypt your files !" wide
+        $ran08 = "* To gain trust in us, you can send us a maximum of 2 non-important files, and we will decrypt them for you free of charge." wide
+        $ran09 = "Please put your Unique ID as the title of the email or as the starting title of the conversation." wide
+        $ran10 = "* For faster decryption, first message us on Telegram. If there is no response within 24 hours, please email us *" wide
+        
+    condition:
+        uint16(0) == 0x5a4d and
+        ((5 of ($fun*) and 5 of ($str*) and 2 of ($ran*)) or
+        12 of ($fun*) or 10 of ($ran*) or 8 of ($ran*))
+}
+        
\ No newline at end of file
diff --git a/yara_rules/rat_darkvision_string.yar b/yara_rules/rat_darkvision_string.yar
new file mode 100644
index 0000000..b6dfa59
--- /dev/null
+++ b/yara_rules/rat_darkvision_string.yar
@@ -0,0 +1,29 @@
+rule rat_darkvision_string {
+    meta:
+        id = "ab698a79-42ee-452a-a3ba-1a9872d5e2bc"
+        version = "1.0"
+        description = "DarkVision RAT based on string"
+        author = "Sekoia.io"
+        creation_date = "2024-09-17"
+        classification = "TLP:CLEAR"
+        hash = "8ec5526cecc596e0711c82e39cd4f2ce"
+        hash = "2dd476464e46d91ffe68483cb478d9b4"
+        hash = "20de7547d79d3637430b6a0787e59df5"
+        hash = "60d1e02316e6f22e078f9aa710790912"
+        hash = "e136e51efc22b0e071c11e7d652ea3be"
+        hash = "f466be81310147fcdd9a7886735a3786"
+        hash = "5065134cf4ba765bd97bb2edb61c5869"
+        hash = "6ed21c4f507e8cc830141ff732bd5acc"
+        hash = "40b2641150f291ca07bd08ab629fe1ed"
+        hash = "3f20cd14137e0abfa84b39e29a277350"
+        hash = "7dc8427be8b4d26a49fd380ad40d3b96"
+        
+    strings:
+        $ = "DarkVision Installation" wide
+        $ = "You are about to install DarkVision Remote Access Tool." wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        2 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/rat_lin_gobrat_2023.yar b/yara_rules/rat_lin_gobrat_2023.yar
new file mode 100644
index 0000000..2b3285e
--- /dev/null
+++ b/yara_rules/rat_lin_gobrat_2023.yar
@@ -0,0 +1,21 @@
+rule rat_lin_gobrat_2023 {
+    meta:
+        id = "ca36a586-f87f-445f-95dc-52d447c1d2a2"
+        version = "1.0"
+        description = "This rule detect samples that are downloaded on the GobRAT C2 URL path /a, /b and /c."
+        author = "Sekoia.io"
+        creation_date = "2023-06-09"
+        classification = "TLP:CLEAR"
+        hash1 = "36cb17d9d118bd9692106c8aafab2462aacf1cdad3a6afb0e4f1de898a7db0e1"
+        hash2 = "28a714f7cec4445dbd507b85016c8e96ed5e378bcabe2e422c499975122b3f03"
+        hash3 = "1e80a084ab89da2375bc3cc2f5a37975edff709ef29a3fa2b4df4ccb6d5afe10"
+        
+    strings:
+        $s1 = "Z:/Go/awesomeProject3/main.go" wide ascii
+        
+    condition:
+        uint32(0)==0x464c457f
+        and filesize < 4000KB
+        and $s1
+}
+        
\ No newline at end of file
diff --git a/yara_rules/rat_win_arrow_str.yar b/yara_rules/rat_win_arrow_str.yar
new file mode 100644
index 0000000..79b1930
--- /dev/null
+++ b/yara_rules/rat_win_arrow_str.yar
@@ -0,0 +1,28 @@
+rule rat_win_arrow_str {
+    meta:
+        version = "1.0"
+        description = "Finds Arrow RAT samples based on the specific malware strings"
+        author = "Sekoia.io"
+        creation_date = "2022-08-19"
+        id = "69f6572c-91ed-4fb6-b886-5ad2dabef3d3"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $hvnc01 = "DESKTOP_JOURNALRECORD" ascii
+        $hvnc02 = "DESKTOP_ENUMERATE" ascii
+        $hvnc03 = "DESKTOP_SWITCHDESKTOP" ascii
+        $hvnc04 = "DESKTOP_CREATEWINDOW" ascii
+        $hvnc05 = "StartHVNC" ascii
+        
+        $str01 = "U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cV2lubG9nb25c" wide //Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
+        $str02 = "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -Command Add-MpPreference -ExclusionPath" wide
+        $str03 = "cvtres.exe" wide
+        $str04 = "qbkTHriRRbQjaArtJfF" wide
+        $str05 = "29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cV2lubG9nb24=" wide
+        $str06 = "Stub.exe" ascii wide
+        $str07 = "DePikoloData" ascii
+        
+    condition:
+        uint16be(0) == 0x4d5a and 4 of ($hvnc*) and 5 of ($str*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/rat_win_asbit.yar b/yara_rules/rat_win_asbit.yar
new file mode 100644
index 0000000..a0af7ea
--- /dev/null
+++ b/yara_rules/rat_win_asbit.yar
@@ -0,0 +1,19 @@
+rule rat_win_asbit {
+    meta:
+        version = "1.0"
+        description = "Finds Asbit samples based on characteristic strings"
+        author = "Sekoia.io"
+        reference = "https://blogs.juniper.net/en-us/threat-research/asbit-an-emerging-remote-desktop-trojan"
+        creation_date = "2022-09-19"
+        id = "b2d60eff-3dc8-4857-a0ea-d4fcd34c40bc"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "/build?project=libexpat&_={0}" wide
+        $str02 = "/resolve?name={0}&short=true&_={1}" wide
+        $str03 = "/c ping 127.0.0.1 & del {0} /q & del /a:H {0} /q" wide
+        
+    condition:
+        uint16(0)==0x5A4D and 1 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/rat_win_asyncrat.yar b/yara_rules/rat_win_asyncrat.yar
new file mode 100644
index 0000000..d208ab9
--- /dev/null
+++ b/yara_rules/rat_win_asyncrat.yar
@@ -0,0 +1,27 @@
+rule rat_win_asyncrat {
+    meta:
+        id = "d698e4a1-77ff-4cd7-acb3-27fb16168ceb"
+        version = "1.0"
+        description = "Detect AsyncRAT based on specific strings"
+        author = "Sekoia.io"
+        creation_date = "2023-01-25"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "get_ActivatePong" ascii
+        $str02 = "get_SslClient" ascii
+        $str03 = "get_TcpClient" ascii
+        $str04 = "get_SendSync" ascii
+        $str05 = "get_IsConnected" ascii
+        $str06 = "set_UseShellExecute" ascii
+        $str07 = "Pastebin" wide
+        $str08 = "Select * from AntivirusProduct" wide
+        $str09 = "Stub.exe" wide
+        $str10 = "timeout 3 > NUL" wide
+        $str11 = "/c schtasks /create /f /sc onlogon /rl highest /tn " wide
+        $str12 = "\\nuR\\noisreVtnerruC\\swodniW\\tfosorciM\\erawtfoS" wide
+        
+    condition:
+        uint16(0) == 0x5A4D and 9 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/rat_win_atharvan.yar b/yara_rules/rat_win_atharvan.yar
new file mode 100644
index 0000000..cf81bc6
--- /dev/null
+++ b/yara_rules/rat_win_atharvan.yar
@@ -0,0 +1,16 @@
+rule rat_win_atharvan {
+    meta:
+        id = "61347490-d281-4892-adba-89cf6187545f"
+        version = "1.0"
+        description = "Detect Atharvan RAT"
+        author = "Sekoia.io"
+        creation_date = "2023-02-23"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = {44 3a 5c 72 61 6e 67 5c 54 4f 4f 4c 5c 33 52 41 54}
+        
+    condition:
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/rat_win_babylon.yar b/yara_rules/rat_win_babylon.yar
new file mode 100644
index 0000000..75efcb9
--- /dev/null
+++ b/yara_rules/rat_win_babylon.yar
@@ -0,0 +1,28 @@
+rule rat_win_babylon {
+    meta:
+        id = "ba9ab80a-ad7e-4746-aff2-9328440cbb25"
+        version = "1.0"
+        description = "Finds Babylon RAT samples based on specific strings"
+        author = "Sekoia.io"
+        creation_date = "2023-08-22"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "ParadoxRAT_Client" ascii
+        $str02 = "*** in database %s ***" ascii
+        $str03 = "\\drivers\\etc\\HOSTS" ascii
+        $str04 = "Babylon RAT Client" wide
+        $str05 = "ClipBoard.txt" wide
+        $str06 = "a,ccs=UTF-16LE" wide
+        $str07 = "[%02d/%02d/%d %02d:%02d:%02d] [%s] (%s):" wide
+        $str08 = "Update Failed [OpenProcess]..." wide
+        $str09 = "DoS Already Active..." wide
+        $str10 = "File Download and Execution Failed..." wide
+        $str11 = "LgDError33x98dGetProcAddress" wide
+        $str12 = "FriendlyName" wide
+        $str13 = "@SPYNET" wide
+        
+    condition:
+        uint16(0) == 0x5a4d and 8 of ($str*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/rat_win_borat.yar b/yara_rules/rat_win_borat.yar
new file mode 100644
index 0000000..09daa39
--- /dev/null
+++ b/yara_rules/rat_win_borat.yar
@@ -0,0 +1,26 @@
+rule rat_win_borat {
+    meta:
+        id = "9f8badb3-ee8b-45d9-8515-c847351bb1f5"
+        version = "1.0"
+        description = "Detect the Borat RAT besed on specific strings"
+        author = "Sekoia.io"
+        creation_date = "2022-04-08"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str0 = "BoratRatMutex_Sa8XOfH1BudX" ascii
+        $str1 = "BoratRat.exe" ascii
+        $str2 = "BoratRat" ascii
+        $str3 = "CN=BoratRat" wide
+        $str4 = "Sending plugun to " wide
+        $str5 = "Save recorded file fail " wide
+        $str6 = "Sa8XOfH1BudX" wide
+        $str7 = "Alert when process activive." wide
+        $str8 = "disableDefedner" wide
+        $str9 = "bin\\Ransomware.dll" wide
+        $str10 = "disableDefedner" wide
+        
+    condition:
+        uint16(0)==0x5A4D and 7 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/rat_win_dcrat_qwqdanchun.yar b/yara_rules/rat_win_dcrat_qwqdanchun.yar
new file mode 100644
index 0000000..b12f858
--- /dev/null
+++ b/yara_rules/rat_win_dcrat_qwqdanchun.yar
@@ -0,0 +1,29 @@
+rule rat_win_dcrat_qwqdanchun {
+    meta:
+        id = "8206a410-48b3-425f-9dcb-7a528673a37a"
+        version = "1.0"
+        description = "Find DcRAT samples (qwqdanchun) based on specific strings"
+        author = "Sekoia.io"
+        reference = "https://github.com/qwqdanchun/DcRat"
+        creation_date = "2023-01-26"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "DcRatByqwqdanchun" wide
+        $str02 = "U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==" wide
+        $str03 = "Po_ng" wide
+        $str04 = "Pac_ket" wide
+        $str05 = "Perfor_mance" wide
+        $str06 = "Install_ed" wide
+        $str07 = "get_IsConnected" ascii
+        $str08 = "get_ActivatePo_ng" ascii
+        $str09 = "isVM_by_wim_temper" ascii
+        $str10 = "save_Plugin" wide
+        $str11 = "timeout 3 > NUL" wide
+        $str12 = "ProcessHacker.exe" wide
+        $str13 = "Select * from Win32_CacheMemory" wide
+        
+    condition:
+        uint16(0) == 0x5A4D and 8 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/rat_win_hiddenz.yar b/yara_rules/rat_win_hiddenz.yar
new file mode 100644
index 0000000..a8a6795
--- /dev/null
+++ b/yara_rules/rat_win_hiddenz.yar
@@ -0,0 +1,18 @@
+rule rat_win_hiddenz {
+    meta:
+        id = "4e582cda-4c50-4554-8e26-9d26206a02ee"
+        version = "1.0"
+        description = "Lazy rule to detect Hiddenz's HVNC sample based on te malware name contained in numerous samples"
+        author = "Sekoia.io"
+        creation_date = "2022-08-24"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $name0 = "Hiddenz's HVNC" wide ascii
+        $name1 = "Hiddenzs_HVNC_DLL" wide ascii
+        $name2 = "HiddenzHVNC" wide ascii
+        
+    condition:
+        uint16(0)==0x5A4D and 1 of ($name*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/rat_win_konni_rat.yar b/yara_rules/rat_win_konni_rat.yar
new file mode 100644
index 0000000..d34f6aa
--- /dev/null
+++ b/yara_rules/rat_win_konni_rat.yar
@@ -0,0 +1,26 @@
+rule rat_win_konni_rat {
+    meta:
+        id = "032f1c79-6f03-4588-a4af-38b1f3ca1cb8"
+        version = "1.0"
+        description = "Detect the KONNI RAT DLL files (x32 and x64)"
+        author = "Sekoia.io"
+        creation_date = "2023-09-26"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = ".cab" wide
+        $ = ".zip" wide
+        $ = ".rar" wide
+        $ = ".ini" wide
+        $ = ".dat" wide
+        $ = "%s(%d)" wide
+        $ = "%s %s \"%s\"" wide
+        $ = "\\Temp\\" wide
+        
+    condition:
+        uint16(0)==0x5A4D 
+        and all of them 
+        and filesize > 60KB 
+        and filesize < 120KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/rat_win_lilith.yar b/yara_rules/rat_win_lilith.yar
new file mode 100644
index 0000000..e8cf910
--- /dev/null
+++ b/yara_rules/rat_win_lilith.yar
@@ -0,0 +1,19 @@
+rule rat_win_lilith {
+    meta:
+        id = "944637e6-c4e4-423f-9f4c-a26b4fce3729"
+        version = "1.0"
+        description = "Detect the Lilith malware"
+        author = "Sekoia.io"
+        creation_date = "2023-02-23"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        // UmVnUXVlcnlWYWx1ZUV4QQ==
+        $ = {55 6d 56 6e 55 58 56 6c 63 6e 6c 57 59 57 78 31 5a 55 56 34 51 51 3d 3d}
+        // getaddrinfo: %s
+        $ = {67 65 74 61 64 64 72 69 6e 66 6f 3a 20 25 73}
+        
+    condition:
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/rat_win_millenium.yar b/yara_rules/rat_win_millenium.yar
new file mode 100644
index 0000000..9b45c38
--- /dev/null
+++ b/yara_rules/rat_win_millenium.yar
@@ -0,0 +1,31 @@
+rule rat_win_millenium {
+    meta:
+        version = "1.0"
+        description = "Finds MilleniumRAT samples based on the specific strings"
+        author = "Sekoia.io"
+        creation_date = "2023-11-16"
+        id = "91320924-5c74-457a-8601-29c4e4034761"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "Millenium RAT, version:" wide
+        $str02 = "Coded by @shinyenigma" wide
+        $str03 = "*gift*<NEW TOKEN>*<NEW CHAT ID>*<message> - gift this bot to another user, his telegram bot has to be started" wide
+        $str04 = "*historyForce - grab more browser history by killing browser processes, use carefully" wide
+        $str05 = "*download - victim`s PC downloads a file attached to this message, if it is a picture it should also be attached as a file" wide
+        $str06 = "No keylogs recorded!" wide
+        $str07 = "Successfully added RAT to startup" wide
+        $str08 = "You`ve gifted gifted a bot:" wide
+        $str09 = "Incorrect agrument, please enter 0/90/180/270" wide
+        $str10 = "SELECT action_url, username_value, password_value FROM logins" wide
+        $str11 = "Yandex\\YandexBrowser\\User Data\\Default" wide
+        
+        $str12 = "Millenium-rat-CSharp (main project)" ascii
+        $str13 = "get_BatteryLifePercent" ascii
+        $str14 = "get_ExpirationMonth" ascii
+        $str15 = "sqlite3_extension_init " ascii
+        
+    condition:
+        uint16(0)==0x5A4D and 10 of ($str*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/rat_win_nighthawk.yar b/yara_rules/rat_win_nighthawk.yar
new file mode 100644
index 0000000..e638c92
--- /dev/null
+++ b/yara_rules/rat_win_nighthawk.yar
@@ -0,0 +1,26 @@
+import "pe"
+        
+rule rat_win_nighthawk {
+    meta:
+        version = "1.0"
+        description = "Detects Nighthawk RAT"
+        hash1 = "0551ca07f05c2a8278229c1dc651a2b1273a39914857231b075733753cb2b988"
+        hash2 = "9a57919cc5c194e28acd62719487c563a8f0ef1205b65adbe535386e34e418b8"
+        hash3 = "38881b87826f184cc91559555a3456ecf00128e01986a9df36a72d60fb179ccf"
+        hash4 = "f3bba2bfd4ed48b5426e36eba3b7613973226983a784d24d7a20fcf9df0de74e"
+        hash5 = "b775a8f7629966592cc7727e2081924a7d7cf83edd7447aa60627a2b67d87c94"
+        author = "Sekoia.io"
+        creation_date = "2022-11-23"
+        id = "91bc3c5b-83fd-47f8-9652-df0f6a70b693"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $pattern1 = { 48 8d 0d ?? ?? ?? ?? 51 5a 48 81 c1 ?? ?? ?? ?? 48 81 c2 ?? ?? ?? ?? ff e2 }
+        $pattern2 = { 66 03 D2 66 33 D1 66 C1 E2 02 66 33 D1 66 23 D0 0F B7 C1 }
+        
+    condition:
+        uint16(0) == 0x5A4D and filesize < 2MB and
+        ((1 of them) or
+        (pe.section_index(".profile") and pe.section_index(".detourc")))
+}
+        
\ No newline at end of file
diff --git a/yara_rules/rat_win_ninerat.yar b/yara_rules/rat_win_ninerat.yar
new file mode 100644
index 0000000..a6cb496
--- /dev/null
+++ b/yara_rules/rat_win_ninerat.yar
@@ -0,0 +1,32 @@
+import "pe"
+import "hash"
+        
+rule rat_win_ninerat {
+    meta:
+        id = "a9f4f78b-5b86-4ac1-9b9b-ba2672b938bf"
+        version = "1.0"
+        description = "Detect the NineRAT payload"
+        author = "Sekoia.io"
+        creation_date = "2023-12-12"
+        classification = "TLP:CLEAR"
+        hash1 = "47e017b40d418374c0889e4d22aa48633b1d41b16b61b1f2897a39112a435d30"
+        hash2 = "82d4a0fef550af4f01a07041c16d851f262d859a3352475c62630e2c16a21def"
+        
+    strings:
+        $ = "https://api.telegram.org/bot"
+        $ = "/getMe"
+        $ = "/upgrade"
+        $ = "/getFile"
+        $ = "/sendMessage"
+        $ = ">> Request send time:"
+        
+    condition:
+        // Strings
+        all of them
+        
+        // Sections
+        or for any i in (0..pe.number_of_sections-1) : (
+            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "3ce78c89e2c0e795ad3382aa12e99683"
+        )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/rat_win_ratel_strings.yar b/yara_rules/rat_win_ratel_strings.yar
new file mode 100644
index 0000000..2b65def
--- /dev/null
+++ b/yara_rules/rat_win_ratel_strings.yar
@@ -0,0 +1,29 @@
+rule rat_win_ratel_strings {
+    meta:
+        id = "d0c8b89b-c811-47aa-9e03-717998c40d91"
+        version = "1.0"
+        description = "Detect RATel based on characteristic strings"
+        author = "Sekoia.io"
+        creation_date = "2023-04-24"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "[-] Error when changing folder." ascii
+        $s2 = "cmd.exe" wide
+        $s3 = "back slash find: " ascii
+        $s4 = "MOD_ALL:" wide
+        $s5 = "MOD_PERSISTENCE" wide
+        $s6 = "MOD_DESTRUCTION:" wide
+        $s7 = "MOD_RECONNECT" wide
+        $s8 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" wide
+        $s9 = "powershell.exe -command \"([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator')\"" wide
+        $s10 = "The command was executed successfully but no data was returned."
+        $s11 = "[-] TIMEOUT IN CREATEPROCESS, but all the processes in the name of: " ascii
+        $s12 = "we were well and truly killed." ascii
+        
+    condition:
+        (uint16be(0) == 0x4d5a) and
+        filesize > 500KB and filesize < 3MB and
+        8 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/rat_win_remcos.yar b/yara_rules/rat_win_remcos.yar
new file mode 100644
index 0000000..ddabc54
--- /dev/null
+++ b/yara_rules/rat_win_remcos.yar
@@ -0,0 +1,26 @@
+rule rat_win_remcos {
+    meta:
+        id = "011132f5-c5d9-4e97-bfed-0b94c9a30481"
+        version = "1.0"
+        description = "DEPRECATED : Find Remcos RAT samples based on specific strings"
+        author = "Sekoia.io"
+        creation_date = "2023-01-29"
+        modification_date = "2024-01-08"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "/k %windir%\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f" ascii
+        $str02 = "Disconnection occurred, retrying to connect..." ascii
+        $str03 = "[Following text has been pasted from clipboard:]" ascii
+        $str04 = "[Following text has been copied to clipboard:]" ascii
+        $str05 = "[Chrome StoredLogins found, cleared!]" ascii
+        $str06 = "PING 127.0.0.1 -n 2" ascii
+        $str07 = "Remcos_Mutex_Inj" ascii
+        $str08 = " * REMCOS v" ascii
+        $str09 = "Connected to C&C!" ascii
+        $str10 = "[Cleared all cookies & stored logins!]" ascii
+        
+    condition:
+        uint16(0) == 0x5A4D and 3 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/rat_win_reverserat.yar b/yara_rules/rat_win_reverserat.yar
new file mode 100644
index 0000000..c38bfad
--- /dev/null
+++ b/yara_rules/rat_win_reverserat.yar
@@ -0,0 +1,20 @@
+rule rat_win_reverserat {
+    meta:
+        id = "8fbd395f-f44e-46d5-a942-7c7e88f37127"
+        version = "1.0"
+        description = "Detect SideCopy's ReverseRAT v3 observed in January 2023"
+        author = "Sekoia.io"
+        creation_date = "2023-02-22"
+        classification = "TLP:CLEAR"
+        hash = "b277a824b2671f40298ce03586a2ccc0fca2a081a66230c57a3060c2028f13ee"
+        hash = "8b87459483248d7b95424cd52b7d4f3031e89c6644adc2e167556e071d9ec3aa"
+        
+    strings:
+        $ = "SELECT maxclockspeed,  datawidth, name, manufacturer FROM Win32_Processor" wide
+        $ = "select * from Win32_PhysicalMemory" wide
+        $ = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall" wide
+        
+    condition:
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/rat_win_romcom_payload.yar b/yara_rules/rat_win_romcom_payload.yar
new file mode 100644
index 0000000..ab9927f
--- /dev/null
+++ b/yara_rules/rat_win_romcom_payload.yar
@@ -0,0 +1,18 @@
+import "pe"
+import "hash"
+        
+rule rat_win_romcom_payload {
+    meta:
+        id = "c391f84c-f0cb-42d8-a8d8-d59725bf74c2"
+        version = "1.0"
+        description = "Detect the RomCom malware"
+        author = "Sekoia.io"
+        creation_date = "2022-11-04"
+        classification = "TLP:CLEAR"
+        
+    condition:
+        for any i in (0..pe.number_of_resources-1) : (
+            hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "160ed1cdf6e9321cef19cfed6a63b4b5557dd35e174b821bf8a81c4146fa6536"
+        )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/rat_win_tutclient.yar b/yara_rules/rat_win_tutclient.yar
new file mode 100644
index 0000000..9239709
--- /dev/null
+++ b/yara_rules/rat_win_tutclient.yar
@@ -0,0 +1,22 @@
+rule rat_win_tutclient {
+    meta:
+        id = "2bd2d61f-3654-4acd-9773-8d3617c67ee0"
+        version = "1.0"
+        description = "Detect the open-source RAT TutClient"
+        author = "Sekoia.io"
+        creation_date = "2024-02-09"
+        classification = "TLP:CLEAR"
+        reference = "https://github.com/AdvancedHacker101/C-Sharp-R.A.T-Client"
+        
+    strings:
+        $ = "Clipboard Data Not Retrived!" wide
+        $ = "Remote Cmd stream reading failed!" wide
+        $ = "PasswordFox" wide
+        $ = "[Right Click, Position: x = <rtd.xpos>; y = <rtd.ypos>]" wide
+        $ = "SendCommand"
+        $ = "HandleCommand"
+        
+    condition:
+        uint16be(0) == 0x4d5a and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/rat_win_xeno_rat.yar b/yara_rules/rat_win_xeno_rat.yar
new file mode 100644
index 0000000..9ce6ddc
--- /dev/null
+++ b/yara_rules/rat_win_xeno_rat.yar
@@ -0,0 +1,18 @@
+rule rat_win_xeno_rat {
+    meta:
+        id = "4be1ff07-8180-42a8-9f51-b5e17bf23442"
+        version = "1.0"
+        description = "Xeno RAT is an open-source RAT, used by Kimsuky in January 2024"
+        author = "Sekoia.io"
+        creation_date = "2024-02-09"
+        classification = "TLP:CLEAR"
+        reference = "https://github.com/moom825/xeno-rat/tree/main/xeno%20rat%20client"
+        
+    strings:
+        $ = "Xeno-manager" wide
+        $ = "moom825"
+        
+    condition:
+        uint16(0)==0x5A4D and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/rat_win_xworm_v2.yar b/yara_rules/rat_win_xworm_v2.yar
new file mode 100644
index 0000000..1196038
--- /dev/null
+++ b/yara_rules/rat_win_xworm_v2.yar
@@ -0,0 +1,39 @@
+rule rat_win_xworm_v2 {
+    meta:
+        version = "1.0"
+        description = "Finds XWorm v2 samples based on characteristic strings"
+        author = "Sekoia.io"
+        reference = "https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/"
+        creation_date = "2022-11-07"
+        id = "6cf06f52-0337-415d-8f29-f63d67e228f8"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "XWorm.exe" wide ascii
+        $str02 = "ngrok" wide ascii
+        $str03 = "Mutexx" ascii
+        $str04 = "FileManagerSplitFileManagerSplit" wide
+        $str05 = "InstallngC" wide
+        $str06 = "downloadedfile" wide
+        $str07 = "creatfile" wide
+        $str08 = "creatnewfolder" wide
+        $str09 = "showfolderfile" wide
+        $str10 = "hidefolderfile" wide
+        $str11 = "txtttt" wide
+        $str12 = "\\root\\SecurityCenter2" wide
+        $str13 = "[USB]" wide
+        $str14 = "[Drive]" wide
+        $str15 = "[Folder]" wide
+        $str16 = "HVNC" wide
+        $str17 = "http://exmple.com/Uploader.php" wide
+        $str18 = "XKlog.txt" wide
+        $str19 = "Select * from AntivirusProduct" wide
+        $str20 = "runnnnnn" wide
+        $str21 = "RunBotKiller" wide
+        $str22 = "bypss" wide
+        $str23 = "<Xwormmm>" wide
+        
+    condition:
+        uint16(0)==0x5A4D and 12 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/rat_win_xworm_v3.yar b/yara_rules/rat_win_xworm_v3.yar
new file mode 100644
index 0000000..dde879a
--- /dev/null
+++ b/yara_rules/rat_win_xworm_v3.yar
@@ -0,0 +1,31 @@
+rule rat_win_xworm_v3 {
+    meta:
+        version = "1.0"
+        description = "Finds XWorm (version XClient, v3) samples based on characteristic strings"
+        author = "Sekoia.io"
+        creation_date = "2023-03-03"
+        id = "5fb1cbd3-1e37-43b9-9606-86d896f2150b"
+        classification = "TLP:CLEAR"
+        hash = "0016647c3c7031e744c0af6f9eadb73ab5cab1ca4f8ce7633f4aa069b62755cd"
+        hash = "07e747a9313732d2dcf7609b6a09ac58d38f5643299440b827ec55f260e33c12"
+        hash = "de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147"
+        
+    strings:
+        $str01 = "$VB$Local_Port" ascii
+        $str02 = "$VB$Local_Host" ascii
+        $str03 = "get_Jpeg" ascii
+        $str04 = "get_ServicePack" ascii
+        $str05 = "Select * from AntivirusProduct" wide
+        $str06 = "PCRestart" wide
+        $str07 = "shutdown.exe /f /r /t 0" wide
+        $str08 = "StopReport" wide
+        $str09 = "StopDDos" wide
+        $str10 = "sendPlugin" wide
+        $str11 = "OfflineKeylogger Not Enabled" wide
+        $str12 = "-ExecutionPolicy Bypass -File \"" wide
+        $str13 = "Content-length: 5235" wide
+        
+    condition:
+        uint16(0)==0x5A4D and 8 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/recotool_adfind_strings.yar b/yara_rules/recotool_adfind_strings.yar
new file mode 100644
index 0000000..2748af1
--- /dev/null
+++ b/yara_rules/recotool_adfind_strings.yar
@@ -0,0 +1,21 @@
+rule recotool_adfind_strings {
+    meta:
+        id = "afca88ef-756a-4b2b-91d7-d18d730e7074"
+        version = "1.0"
+        description = "Detects Adfind utility based on strings"
+        author = "Sekoia.io"
+        creation_date = "2022-02-08"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "Find all person objects on cn=ab container of local ADAM instance"
+        $ = "IPv6 IP address w/ port is specified [address]:port"
+        $ = "Search Global Catalog (port 3268)."
+        $ = "~~~ADCSV~~~"
+        $ = "adfind -b dc="
+        
+    condition:
+        uint16be(0) == 0x4d5a and filesize < 5MB and
+        4 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/reverseshell_win_1st_troy.yar b/yara_rules/reverseshell_win_1st_troy.yar
new file mode 100644
index 0000000..6d08393
--- /dev/null
+++ b/yara_rules/reverseshell_win_1st_troy.yar
@@ -0,0 +1,33 @@
+import "pe"
+import "hash"
+        
+rule reverseshell_win_1st_troy {
+    meta:
+        id = "b40b742d-8b1e-4d99-8df5-6cb8c9a7d8bd"
+        version = "1.0"
+        description = "Detect the 1st Troy Reverse Shell agent used by Andariel"
+        author = "Sekoia.io"
+        creation_date = "2023-09-04"
+        classification = "TLP:CLEAR"
+        hash1 = "186a6663eb91999b3e2637898ab40034f5fcd451150c9199d9b49328e64f90b5"
+        hash2 = "5b015e69629de37507e96ce258c27479d157714121d7c622698c6d1d6b547425"
+        
+    strings:
+        $s1 = "1th Troy/02___Go/Reverse_Base64_Pipe"
+        
+    condition:
+        uint16be(0) == 0x4d5a and all of them 
+        
+        or for any i in (0..pe.number_of_sections-1) : (
+            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "657d7495796c36297ec1c13aaedf1dd3"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "debd992f27402355766cf3b5b47abe94"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "687d2535086bd055af5716760a2d87ce"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "78389349844e8d2d719603fc389779bf"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "44563b597e806af8a9ebe026c9ea6a53"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "5db8685a067d106fe66292b828a2161c"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "1268012f292e60785825726967a4e63e"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "c7b760c8b603f39a5ff9867accbad427"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "d28526f9543ecf429de4a863b8901575"
+        )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/rootkit_diamorphine_strings.yar b/yara_rules/rootkit_diamorphine_strings.yar
new file mode 100644
index 0000000..e42f908
--- /dev/null
+++ b/yara_rules/rootkit_diamorphine_strings.yar
@@ -0,0 +1,32 @@
+rule rootkit_diamorphine_strings {
+    meta:
+        id = "5a28be5c-9a57-4204-a7cc-42dfcaa2c2da"
+        version = "1.0"
+        description = "Detects Diamorphine linux rootkit based on strings"
+        author = "Sekoia.io"
+        creation_date = "2024-10-21"
+        classification = "TLP:CLEAR"
+        hash = "622675e83bab630adc0f1c6c46c4d6d1"
+        hash = "013b23213975d2646e2435f058afcacf"
+        hash = "f068e83721f10ad74bb6f386a4375a91"
+        hash = "ba9d6a6bbde602fd414cea09fcbd1aa0"
+        hash = "fdd86788e295010c4e61bf6b589f340e"
+        hash = "0d396c1763503b35a7f601831bd684de"
+        hash = "66b8955188a3bda7ecdcd51cfd360313"
+        hash = "1e4fd8c6bf0e381ac395d9bff1f98a31"
+        hash = "ce08ce2b8bc1718052f5d0316e3e71b7"
+        hash = "94982037875d4fdb17681866afc12ade"
+        hash = "4fa2fe9ccde3e6bd4956e2b93ca5fcb6"
+        hash = "644c4ce0bbe4f1f1e3aae537a111d5b8"
+        hash = "fb7d594621fbb4f9bdb0eb74f6090ecd"
+        hash = "9faf1493164e734f533f0ecfb1737a98"
+        hash = "33d48b6c66715ab67a059ab940d759ff"
+        
+    strings:
+        $ = "LKM rootkit" ascii fullword
+        $ = "m0nad"
+        
+    condition:
+        uint32be(0) == 0x7f454c46 and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/rootkit_lin_winnti.yar b/yara_rules/rootkit_lin_winnti.yar
new file mode 100644
index 0000000..e759635
--- /dev/null
+++ b/yara_rules/rootkit_lin_winnti.yar
@@ -0,0 +1,36 @@
+import "elf"
+import "hash"
+        
+rule rootkit_lin_winnti {
+    meta:
+        id = "c800038e-7f8a-4f24-bf0b-06aba6a828cb"
+        version = "1.0"
+        description = "Rootkit used by Winnti"
+        author = "Sekoia.io"
+        creation_date = "2024-05-22"
+        classification = "TLP:CLEAR"
+        reference = "https://x.com/naumovax/status/1792902386295394629"
+        hash1 = "161344ae61278e09eacb1c76508cda45555eee109e6d6a031716a096ab5c84f3"
+        hash2 = "bb56e088739b281c9f56b4fa3fa4d285e45b32c4f9f06b647d7e8cb916054e1a"
+        hash3 = "777c1fda4008f122ff3aef9e80b5b5720c9f2dbc3d7e708277e2ccad1afd8cc5"
+        hash4 = "9c770b12a2da76c41f921f49a22d7bc6b5a1166875b9dc732bc7c05b6ae39241"
+        
+    strings:
+        $ = "[CDATA[%s]]></name><type>%o</type><perm>%o</perm><user>%s:%s</user><size>%llu</size><time>%s</time></LIST>"
+        $ = "HideFile"
+        $ = "DownThread"
+        $ = "PortforwardThread"
+        $ = "HidePidPort"
+        $ = "DownFile"
+        $ = "ReadReConnConf"
+        $ = "DecRemotePort"
+        $ = "DecRemoteIP"
+        
+    condition:
+        uint32(0)==0x464c457f 
+        and 6 of them
+        and for any i in (0..elf.number_of_sections-1) : (
+            hash.md5(elf.sections[i].offset, elf.sections[i].size) == "7dea362b3fac8e00956a4952a3d4f474"
+        )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/rootkit_win_purplefox_360_tct.yar b/yara_rules/rootkit_win_purplefox_360_tct.yar
new file mode 100644
index 0000000..14a7efb
--- /dev/null
+++ b/yara_rules/rootkit_win_purplefox_360_tct.yar
@@ -0,0 +1,22 @@
+rule rootkit_win_purplefox_360_tct {
+    meta:
+        id = "e992d574-6a44-4bea-97e2-6d5579ce8d01"
+        version = "1.0"
+        description = "Detects Purple Fox payloads used during end-2021 and 2022 campaigns based on characteristics shared by TrendMicro details."
+        author = "Sekoia.io"
+        reference = "https://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html"
+        creation_date = "2022-03-28"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $rar = "Rar!"
+        $str0 = "svchost.txt"
+        $str1 = "rundll3222.exe"
+        $str2 = "ojbkcg.exe"
+        
+    condition:
+        $rar at 0 and
+        all of ($str*) and
+        filesize > 800KB and filesize < 2800KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/rootkit_win_purplefox_kernel_driver.yar b/yara_rules/rootkit_win_purplefox_kernel_driver.yar
new file mode 100644
index 0000000..f011738
--- /dev/null
+++ b/yara_rules/rootkit_win_purplefox_kernel_driver.yar
@@ -0,0 +1,36 @@
+import "pe"
+        
+rule rootkit_win_purplefox_kernel_driver {
+    meta:
+        id = "798dc20b-76cd-4e31-b9ee-f363fb39cd58"
+        version = "1.0"
+        description = "Detect the Purple Fox trojan"
+        author = "Sekoia.io"
+        creation_date = "2022-03-28"
+        classification = "TLP:CLEAR"
+        reference = "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal/IOCs-Purple-Fox.txt"
+        
+    strings:
+        $ = "\\DosDevices\\Global\\MyDriver" wide
+        $ = "IOCTL_IO_KILL_PROCESS" ascii
+        $ = "IOCTL_IO_DELET_FILE" ascii
+        $ = "IOCTL_IO_COPY_FILE" ascii
+        $ = "IOCTL_IO_KILL_MINIFITER" ascii
+        
+    condition:
+        //Native
+        uint16(0)==0x5A4D and all of them
+        
+        // Console
+        or (
+            pe.rich_signature.toolid(171, 30319)
+            and pe.rich_signature.toolid(158, 30319)
+            and pe.rich_signature.toolid(170, 30319)
+            and pe.rich_signature.toolid(147, 30729)
+            and pe.rich_signature.toolid(1, 0)
+        )
+        and for any i in (0..pe.number_of_signatures-1) : (
+            pe.signatures[i].thumbprint == "c7939f8303ca22effb28246e970b13bee6cb8043"
+        )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/rootkit_win_purplefox_svchost_txt.yar b/yara_rules/rootkit_win_purplefox_svchost_txt.yar
new file mode 100644
index 0000000..eb926d1
--- /dev/null
+++ b/yara_rules/rootkit_win_purplefox_svchost_txt.yar
@@ -0,0 +1,23 @@
+rule rootkit_win_purplefox_svchost_txt {
+    meta:
+        id = "e992d574-6a44-4bea-97e2-6d5579ce8d02"
+        version = "1.0"
+        description = "Detects Purple Fox payloads used during end-2021 and 2022 campaigns based on characteristics shared by TrendMicro details."
+        author = "Sekoia.io"
+        reference = "https://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html"
+        creation_date = "2022-03-28"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str0 = "C:\\ProgramData\\dll.dll,luohua" wide
+        $str1 = "C:\\ProgramData\\7z.exe" wide
+        $str2 = "F:\\hidden-master\\x64\\Debug\\QAssist.pdb" ascii
+        $str3 = "F:\\Root\\sources\\MedaiUpdateV8\\Release\\MedaiUpdateV8.pdb" ascii
+        $str4 = "cmd.exe /c RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255" ascii
+        $str5 = "del /s /f %appdata%\\Mozilla\\Firefox\\Profiles\\*.db" ascii
+        
+    condition:
+        4 of ($str*) and
+        filesize > 7000KB and filesize <9500KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/rule_lazarus_generic_downloader_7c3f94702fa7.yar b/yara_rules/rule_lazarus_generic_downloader_7c3f94702fa7.yar
new file mode 100644
index 0000000..9ce1c13
--- /dev/null
+++ b/yara_rules/rule_lazarus_generic_downloader_7c3f94702fa7.yar
@@ -0,0 +1,22 @@
+rule rule_lazarus_generic_downloader_7c3f94702fa7 {
+    meta:
+        id = "eb0f0a91-5e72-4358-91a3-7c3f94702fa7"
+        version = "1.0"
+        description = "Detects a Generic Downloader used by Lazarus"
+        author = "Sekoia.io"
+        creation_date = "2022-08-08"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "%s%s%s%s = %s%s%s%s"
+        $ = "sec-ch-ua-mobile: ?0"
+        $ = "%s>%s"
+        $ = "d$f92&^$#FESAfaSDage#FDa"
+        $ = "Sec-Fetch-User: ?1"
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 200KB and
+        3 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt37_rokrat_macho.yar b/yara_rules/sekoiaio_apt37_rokrat_macho.yar
deleted file mode 100644
index cc1dcf3..0000000
--- a/yara_rules/sekoiaio_apt37_rokrat_macho.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_apt37_rokrat_macho {
-    meta:
-        id = "c54fb9ae-85fa-4c36-bab9-6c6d989262ba"
-        version = "1.0"
-        description = "Detects Public key of Macho samples of RokRAT"
-        author = "Sekoia.io"
-        creation_date = "2022-09-29"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = { 4D 49 49 42 49 6A 41 4E 42 67 6B 71 68 6B 69 47 39 77 30 42 41 51 45 46 41 41 4F 43 41 51 38 41 4D 49 49 42 43 67 4B 43 41 51 45 41 73 47 52 59 53 45 56 76 77 6D 66 42 46 4E 42 6A 4F 7A 2B 51}
-        $s2 = {70 61 78 35 72 7A 57 66 2F 4C 54 2F 79 46 55 51 41 31 7A 72 41 31 6E 6A 6A 79 49 48 72 7A 70 68 67 63 39 74 67 47 48 73 2F 37 74 73 57 70 38 65 35 64 4C 6B 41 59 73 56 47 68 57 41 50 73 6A 79}
-        $s3 = {31 67 78 30 64 72 62 64 4D 6A 6C 54 62 42 59 54 79 45 67 35 50 67 79 2F 35 4D 73 45 4E 44 64 6E 73 43 52 57 72 32 33 5A 61 4F 45 4C 76 48 48 56 56 38 43 4D 43 38 46 75 34 57 62 61 7A 38 30 4C}
-        $s4 = {47 68 67 38 69 73 56 50 45 48 43 38 48 2F 79 47 74 6A 48 50 59 46 56 65 36 6C 77 56 72 2F 4D 58 6F 4B 63 70 78 31 33 53 31 4B 38 6E 6D 44 51 4E 41 68 4D 70 54 31 61 4C 61 47 2F 36 51 69 6A 68}
-        $s5 = {57 34 50 2F 52 46 51 71 2B 46 64 69 61 33 66 46 65 68 50 67 35 44 74 59 44 39 30 72 53 33 73 64 46 4B 6D 6A 39 4E 36 4D 4F 30 2F 57 41 56 64 5A 7A 47 75 45 58 44 35 33 4C 48 7A 39 65 5A 77 52}
-        $s6 = {39 59 38 37 38 36 6E 56 44 72 6C 6D 61 35 59 43 4B 70 71 55 5A 35 63 34 36 77 57 33 67 59 57 69 33 73 59 2B 56 53 33 62 32 46 64 41 4B 43 4A 68 54 66 43 79 38 32 41 55 47 71 50 53 56 66 4C 61}
-        $s7 = {6D 51 49 44 41 51 41 42}
-        
-    condition:
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_37_chinotto.yar b/yara_rules/sekoiaio_apt_37_chinotto.yar
deleted file mode 100644
index 1518a67..0000000
--- a/yara_rules/sekoiaio_apt_37_chinotto.yar
+++ /dev/null
@@ -1,51 +0,0 @@
-rule sekoiaio_apt_37_chinotto {
-    meta:
-        id = "eff8fd11-dc7a-4011-b083-181d0cca8790"
-        version = "1.0"
-        description = "Detects obfuscation and string of APT37 stealer"
-        author = "Sekoia.io"
-        creation_date = "2023-02-27"
-        classification = "TLP:CLEAR"
-        hash1 = "feab7940559392bbf38f29267509340569160e0a3b257fd86e5c65ae087ea014"
-        hash2 = "c9d2c8b6011a53e68e4a6c6e51142cef3348951d0b379e49b1a65a1891538df5"
-        hash3 = "2f5be3773e7e3a2f6806cdef154adfabc454c0e57a49e437c5889ce09b739302"
-        hash4 = "5bf170c95ca0e2079653d694f783b5bcd38f274ea875f67f0b60db4ac552a66c"
-        hash5 = "6fad04c836bc923f12ebaec8d8fb0c7091b044bf6f5c97e36d7bf46b8494f978"
-        hash6 = "64fe964f342acca6d85d247c4f67503e4222a58dfc5c644dedc2006a4b356d39"
-        hash7 = "6e216b265ea391f71f2a609df995f36b9ba8b17c8859f6d8e4ce4a076d351efd"
-        hash8 = "70dcc03cde3dd5c5ec6a6a240190cfb51667aaba9c867e20281e8dfc43afa891"
-        hash9 = "5053390bde150b771f8efe344b692c6c5718ba9203a4b23f5323af1ee9060ff2"
-        hash10 = "089e4dfd8b25afe596eff05baae86156a4e3243c84faa15416cff31a5120e107"
-        hash11 = "37e096338a78cb06d6236cb5a04cf125f191871ded3c9421f08a37890a095eb8"
-        hash12 = "b90a2b0249407b271a5d849fe82cbf4e9a31c2c6259caf515c9be3897e327414"
-        hash13 = "8f4751ed22619b04009c4b85ec45c8140b570835ca4c638c9e6019e7b7eb66c7"
-        
-    strings:
-        $chunk_1 = {
-        C7 85 ?? ?? ?? ?? ?? ?? ?? 00
-        C7 85 ?? ?? ?? ?? ?? ?? ?? 00
-        33 C0
-        EB 03
-        8D 49 00
-        8B 8C 85 ?? ?? ?? ??
-        3B 8C 85 ?? ?? ?? ??
-        }
-        
-        $chunk_2 = {
-        C7 84 24 ?? ?? ?? ?? ?? ?? 0? 00
-        C7 84 24 ?? ?? ?? ?? ?? ?? 0? 00
-        33 C0
-        EB 0D
-        8D A4 24 00 00 00 00
-        8D 9B 00 00 00 00
-        8B 8C 84 ?? ?? ?? ??
-        3B 8C 84 ?? ?? ?? ??
-        }
-        
-        $movs_zip_dir_start = { C7 45 ?? 5A 69 70 20 C7 45 ?? 44 69 72 20 C7 45 ?? 53 74 61 72  C7 45 ?? 74 20 2D 20}
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
-        filesize < 1MB and ($chunk_1 or $chunk_2) and $movs_zip_dir_start
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_3cx_payload_stealer.yar b/yara_rules/sekoiaio_apt_3cx_payload_stealer.yar
deleted file mode 100644
index 63c21bf..0000000
--- a/yara_rules/sekoiaio_apt_3cx_payload_stealer.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_apt_3cx_payload_stealer {
-    meta:
-        id = "1ca0605d-101f-4d1d-a476-9dfd93e74b4c"
-        version = "1.0"
-        description = "Detects stealer used in 3CX campaign"
-        author = "Sekoia.io"
-        creation_date = "2023-03-31"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "******************************** %s ******************************" wide
-        $s2 = "\\3CXDesktopApp\\config.json" wide
-        $s3 = "{\"HostName\": \"%s\", \"DomainName\": \"%s\", \"OsVersion\":" wide
-        $s4 = "%s.old" wide
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
-        filesize < 8MB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_agent_racoon_strings.yar b/yara_rules/sekoiaio_apt_agent_racoon_strings.yar
deleted file mode 100644
index 646c819..0000000
--- a/yara_rules/sekoiaio_apt_agent_racoon_strings.yar
+++ /dev/null
@@ -1,25 +0,0 @@
-rule sekoiaio_apt_agent_racoon_strings {
-    meta:
-        id = "ec89f1db-0ba8-48c8-8c1a-c38c410f3e39"
-        version = "1.0"
-        description = "Detects Agent Racoon used by CL-STA-0002"
-        author = "Sekoia.io"
-        creation_date = "2023-12-05"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "Command failed:" wide
-        $ = "Not uploaded:" wide
-        $ = "Not downloaded:" wide
-        $ = "xn--cc" wide
-        $ = "xn--ac" wide
-        $ = "xn--bc" wide
-        $ = "cmd.exe" wide
-        $ = ".xn--" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 1MB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_andariel_dorarat_strings.yar b/yara_rules/sekoiaio_apt_andariel_dorarat_strings.yar
deleted file mode 100644
index 397a49c..0000000
--- a/yara_rules/sekoiaio_apt_andariel_dorarat_strings.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_apt_andariel_dorarat_strings {
-    meta:
-        id = "30388291-a287-489f-a060-c90a16cda217"
-        version = "1.0"
-        description = "Detects Dora RAT based on strings"
-        author = "Sekoia.io"
-        creation_date = "2024-06-17"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $x1 = "/encryption.go" ascii fullword
-        $x2 = "/handshake.go" ascii fullword
-        $x3 = "/trans_module.go" ascii fullword
-        $enc_rsc = { 14 02 72 14 D3 4C 4A 49 55 36 14 DF 8D 6F 2D CF }
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        (all of ($x*) or $enc_rsc)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_andariel_keylogger_strings.yar b/yara_rules/sekoiaio_apt_andariel_keylogger_strings.yar
deleted file mode 100644
index 6e601ad..0000000
--- a/yara_rules/sekoiaio_apt_andariel_keylogger_strings.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_apt_andariel_keylogger_strings {
-    meta:
-        id = "59e94bee-9bd4-4f72-9358-858956bb4787"
-        version = "1.0"
-        description = "Detects one of the Andariel keylogger"
-        author = "Sekoia.io"
-        creation_date = "2024-06-17"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "Username:%s [%d/%02d/%02d %02d:%02d]" ascii fullword
-        $ = "-------[%d/%02d/%02d %02d:%02d]"
-        $ = "{Insert}"
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 300KB and
-        2 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_andariel_nestdoor_variants_strings.yar b/yara_rules/sekoiaio_apt_andariel_nestdoor_variants_strings.yar
deleted file mode 100644
index 2782186..0000000
--- a/yara_rules/sekoiaio_apt_andariel_nestdoor_variants_strings.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_apt_andariel_nestdoor_variants_strings {
-    meta:
-        id = "dcfc48ad-f17b-4224-912b-b01740080fea"
-        version = "1.0"
-        description = "Detects Nestdoor based on (weak) strings"
-        author = "Sekoia.io"
-        creation_date = "2024-06-17"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $v_11 = "Error occurs while reading" wide
-        $v_12 = "{DECIMAL}" wide
-        $v_13 = "lnk_" wide
-        $v_21 = "Cannot connect with your ip and your operating system." wide
-        $v_22 = "del /q /f %1" ascii
-        $v_23 = "/f /tn %2" ascii
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
-        (all of ($v_1*) or all of ($v_2*))
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_andariel_siennablue.yar b/yara_rules/sekoiaio_apt_andariel_siennablue.yar
deleted file mode 100644
index c749326..0000000
--- a/yara_rules/sekoiaio_apt_andariel_siennablue.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_apt_andariel_siennablue {
-    meta:
-        id = "ab3f8b49-0851-47a8-ac77-98d4e26f448e"
-        version = "1.0"
-        description = "Detects SiennaBlue based routine names"
-        author = "Sekoia.io"
-        creation_date = "2023-11-16"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "main_cryptAVPass"
-        $ = "main_DecryptString"
-        $ = "main_DisableNetworkDevice"
-        $ = "main_DeleteSchTask"
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
-        filesize > 4MB and filesize < 15MB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_apt10_hui_loader.yar b/yara_rules/sekoiaio_apt_apt10_hui_loader.yar
deleted file mode 100644
index 0d637e2..0000000
--- a/yara_rules/sekoiaio_apt_apt10_hui_loader.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_apt_apt10_hui_loader {
-    meta:
-        id = "97d17052-80d0-4f8e-8b3a-2e0d622522a9"
-        version = "1.0"
-        description = "Specific string for HUI Loader"
-        author = "Sekoia.io"
-        creation_date = "2022-07-04"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "HUIHWASDIHWEIUDHDSFSFEFWEFEWFDSGEFERWGWEEFWFWEWD" wide fullword
-        
-    condition:
-        (uint16be(0) == 0x4d5a) 
-        and filesize > 30KB and filesize < 100KB
-        and 1 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_apt28_document_phishing_webpage.yar b/yara_rules/sekoiaio_apt_apt28_document_phishing_webpage.yar
deleted file mode 100644
index 0cc2054..0000000
--- a/yara_rules/sekoiaio_apt_apt28_document_phishing_webpage.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-rule sekoiaio_apt_apt28_document_phishing_webpage {
-    meta:
-        id = "585a8e23-c302-41d3-938f-eda60c82ef28"
-        version = "1.0"
-        description = "Detects APT28 document phishing webpage"
-        author = "Sekoia.io"
-        creation_date = "2024-04-08"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "webhook.site"
-        $ = "document.createElement('img')"
-        $ = "brightness(15%) blur(7.0px)"
-        $ = "This document is not available from mobile devices."
-        $ = "Capture2.PNG"
-        $ = ">CLICK TO VIEW DOCUMENT<"
-        $ = "window.location.href = 's"
-        $ = ".oast."
-        
-    condition:
-        4 of them and filesize < 20KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_apt28_htmlsmuggling.yar b/yara_rules/sekoiaio_apt_apt28_htmlsmuggling.yar
deleted file mode 100644
index 0d37c03..0000000
--- a/yara_rules/sekoiaio_apt_apt28_htmlsmuggling.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_apt_apt28_htmlsmuggling {
-    meta:
-        id = "2e20c992-d971-4c0f-99b3-a7d528c7055a"
-        version = "1.0"
-        reference = "https://www.zscaler.com/blogs/security-research/steal-it-campaign"
-        description = "Detects some kind of HTMLSmuggling used by APT28"
-        author = "Sekoia.io"
-        creation_date = "2023-09-11"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "click();" ascii
-        $s2 = "window.location.replace("
-        
-    condition:
-        $s1 in (@s2..@s2-100)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_apt28_htmlsmuggling_disclosing_ip.yar b/yara_rules/sekoiaio_apt_apt28_htmlsmuggling_disclosing_ip.yar
deleted file mode 100644
index a345129..0000000
--- a/yara_rules/sekoiaio_apt_apt28_htmlsmuggling_disclosing_ip.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_apt_apt28_htmlsmuggling_disclosing_ip {
-    meta:
-        id = "57adc227-2b72-457e-a786-97ca1a7300d8"
-        version = "1.0"
-        reference = "https://www.zscaler.com/blogs/security-research/steal-it-campaign"
-        description = "Detects some kind of HTMLSmuggling used by APT28"
-        author = "Sekoia.io"
-        creation_date = "2023-09-11"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "ipapi.co/json"
-        $s2 = "a.download("
-        $s3 = "a.click("
-        
-    condition:
-        $s1 and $s2 and $s3 and filesize < 5000
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_apt28_powershell_ntlm_stealer.yar b/yara_rules/sekoiaio_apt_apt28_powershell_ntlm_stealer.yar
deleted file mode 100644
index 26385f3..0000000
--- a/yara_rules/sekoiaio_apt_apt28_powershell_ntlm_stealer.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_apt_apt28_powershell_ntlm_stealer {
-    meta:
-        id = "3fb5c472-6b1c-490e-b38f-4d4f1c472f43"
-        version = "1.0"
-        description = "Detects the NTLM Stealer used by APT28 against UA energy sector"
-        author = "Sekoia.io"
-        creation_date = "2023-09-07"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "'NTLM ' = [Convert]::ToBase64String"
-        $ = ".Prefixes.Add('http://localhost:8080/')"
-        $ = ".AddHeader('WWW-Authenticate', 'NTLM')"
-        $ = "GetValues('Authorization');"
-        $ = "[0] -split '\\s+';"
-        
-    condition:
-        3 of them and filesize < 4000
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_apt28_susp_graphite_downloader.yar b/yara_rules/sekoiaio_apt_apt28_susp_graphite_downloader.yar
deleted file mode 100644
index 63d6c33..0000000
--- a/yara_rules/sekoiaio_apt_apt28_susp_graphite_downloader.yar
+++ /dev/null
@@ -1,27 +0,0 @@
-import "pe"
-        
-rule sekoiaio_apt_apt28_susp_graphite_downloader {
-    meta:
-        id = "9c9da5fe-ffd6-4c45-8ce1-9a6cf4fa2fda"
-        version = "1.0"
-        description = "Matches the routine which decrypts the RSA key blob in the Graphite downloader"
-        author = "Sekoia.io"
-        creation_date = "2022-01-26"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $gen =  { 33 D2
-        8B C1
-        6A ??
-        5E
-        F7 F6
-        8A 82 ?? ?? ?? ??
-        30 81 ?? ?? ?? ??
-        41
-        81 F9 94 04 00 00
-        72 E2 }
-        
-    condition:
-        uint16be(0) == 0x4d5a and $gen and pe.number_of_exports == 1
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_apt28_ukrnet_phishing_page.yar b/yara_rules/sekoiaio_apt_apt28_ukrnet_phishing_page.yar
deleted file mode 100644
index 2b85d73..0000000
--- a/yara_rules/sekoiaio_apt_apt28_ukrnet_phishing_page.yar
+++ /dev/null
@@ -1,25 +0,0 @@
-rule sekoiaio_apt_apt28_ukrnet_phishing_page {
-    meta:
-        id = "053158d8-aac0-486f-8432-834a06f41ed2"
-        version = "1.0"
-        description = "Detects APT28 Phishing page"
-        author = "Sekoia.io"
-        creation_date = "2024-09-02"
-        classification = "TLP:CLEAR"
-        hash = "20dc3a5beb8e3a7801e010b4113efef1"
-        hash = "5f1462144d7704101cd71c679ea0322b"
-        
-    strings:
-        $ = "baseurl+\"/captcha\""
-        $ = "(\"sessionID\", sessionID"
-        $ = ".responseJSON['origin"
-        $ = "var baseurl="
-        $ = "(req.responseText.includes("
-        $ = "else if (req.responseText=='FAIL')"
-        $ = "|| document.getElementById('confpwd"
-        $ = "/master/dist/text-security-disc.woff"
-        
-    condition:
-        4 of them and filesize < 500KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_apt28_wayzgoose_exploit_string.yar b/yara_rules/sekoiaio_apt_apt28_wayzgoose_exploit_string.yar
deleted file mode 100644
index 4b61e64..0000000
--- a/yara_rules/sekoiaio_apt_apt28_wayzgoose_exploit_string.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_apt_apt28_wayzgoose_exploit_string {
-    meta:
-        id = "23d9e09e-202c-47f5-abf7-6b5085e44400"
-        version = "1.0"
-        description = "Detects APT28's Wayzgoose exploit strings"
-        author = "Sekoia.io"
-        creation_date = "2024-04-29"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "wayzgoose.dll"
-        $ = "wayzgoose_get_version"
-        $ = "NtSetInformationFile"
-        $ = "ZwDuplicateObject"
-        $ = "ZwClose"
-        
-    condition:
-        uint16be(0) == 0x4d5a and 4 of them
-        and filesize < 500KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_apt29_malicious_rdp_file.yar b/yara_rules/sekoiaio_apt_apt29_malicious_rdp_file.yar
deleted file mode 100644
index d5e0ee7..0000000
--- a/yara_rules/sekoiaio_apt_apt29_malicious_rdp_file.yar
+++ /dev/null
@@ -1,27 +0,0 @@
-rule sekoiaio_apt_apt29_malicious_rdp_file {
-    meta:
-        id = "a7b092b5-53a1-4638-a6c1-733d3f063139"
-        version = "1.0"
-        description = "Detects malicious RDP files"
-        author = "Sekoia.io"
-        creation_date = "2024-10-25"
-        classification = "TLP:CLEAR"
-        hash = "db326d934e386059cc56c4e61695128e"
-        hash = "b38e7e8bba44bc5619b2689024ad9fca"
-        hash = "f58cf55b944f5942f1d120d95140b800"
-        hash = "40f957b756096fa6b80f95334ba92034"
-        
-    strings:
-        $ = "RedirectPrinters" wide
-        $ = "RedirectCOMPorts" wide
-        $ = "RedirectSmartCards" wide
-        $ = "RedirectPOSDevices" wide
-        $ = "RedirectClipboard" wide
-        $ = "DrivesToRedirect" wide
-        $ = "full address:s:" wide
-        
-    condition:
-        uint16be(0) == 0xFFFE and
-        all of them and filesize < 20KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_apt29_quarterrig.yar b/yara_rules/sekoiaio_apt_apt29_quarterrig.yar
deleted file mode 100644
index 2e89a95..0000000
--- a/yara_rules/sekoiaio_apt_apt29_quarterrig.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_apt_apt29_quarterrig {
-    meta:
-        id = "e370ed7e-5e12-4add-95f3-3773ea8e2d03"
-        version = "1.0"
-        description = "Detects QUARTERRIG"
-        author = "Sekoia.io"
-        creation_date = "2023-04-19"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str_dll_name = "hijacker.dll"
-        $str_import_name = "VCRUNTIME140.dll"
-        $op_resolve_and_call_openthread = { 48 [6] 48 [6] 8B D8 E8 [4] [3] 33 D2 B9 FF FF 1F 00 FF D0 }
-        $op_resolve_and_call_suspendthread = { E8 [4] 48 8B CB FF D0 83 F8 FF }
-        
-    condition:
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_apt29_wineloader_malicious_hta.yar b/yara_rules/sekoiaio_apt_apt29_wineloader_malicious_hta.yar
deleted file mode 100644
index dd5afed..0000000
--- a/yara_rules/sekoiaio_apt_apt29_wineloader_malicious_hta.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_apt_apt29_wineloader_malicious_hta {
-    meta:
-        id = "5a17d854-0564-4830-a0e5-7867b99716c2"
-        version = "1.0"
-        description = "Detects malicious HTA used by APT29 to drop Wineloader"
-        author = "Sekoia.io"
-        creation_date = "2024-03-25"
-        classification = "TLP:CLEAR"
-        hash = "efafcd00b9157b4146506bd381326f39"
-        
-    strings:
-        $ = "<HTA:APPLICATION ID="
-        $ = "var _0x"
-        $ = "Date['\\x6e\\x6f\\x77']"
-        
-    condition:
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_apt29_wineloader_malicious_pdf.yar b/yara_rules/sekoiaio_apt_apt29_wineloader_malicious_pdf.yar
deleted file mode 100644
index f52454b..0000000
--- a/yara_rules/sekoiaio_apt_apt29_wineloader_malicious_pdf.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_apt_apt29_wineloader_malicious_pdf {
-    meta:
-        id = "b1db731e-471e-493a-b76c-38d2808ccac9"
-        version = "1.0"
-        description = "Detects malicious PDF used by APT29 to drop Wineloader"
-        author = "Sekoia.io"
-        creation_date = "2024-03-25"
-        classification = "TLP:CLEAR"
-        hash = "9712217ff3597468b48cdf45da588005de3a725ba554789bb7e5ae1b0f7c02a7"
-        hash = "3739b2eae11c8367b576869b68d502b97676fb68d18cc0045f661fbe354afcb9"
-        
-    strings:
-        $s1 = "<</Type/Annot/Subtype/Link/Border[0 0 0]/Rect["
-        $s2 = "/A<</Type/Action/S/URI/URI("
-        $s3 = { 2f [2-10] 2e 70 68 70 29 3e 3e }
-        $s4 = "JamrulNormal"
-        
-    condition:
-        uint32be(0) == 0x25504446 and
-        $s2 in (@s1..@s3) and $s4
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_apt31_pakdoor.yar b/yara_rules/sekoiaio_apt_apt31_pakdoor.yar
deleted file mode 100644
index 64e848f..0000000
--- a/yara_rules/sekoiaio_apt_apt31_pakdoor.yar
+++ /dev/null
@@ -1,26 +0,0 @@
-rule sekoiaio_apt_apt31_pakdoor {
-    meta:
-        id = "463b8d0d-30f4-45ed-8f19-4b32436fbbf0"
-        description = "Detects APT31 ORB implant - 2019/2021"
-        version = "1.0"
-        creation_date = "2021-10-11"
-        classification = "TLP:CLEAR"
-        author = "Sekoia.io"
-        version = "1.0"
-        hash = "1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2"
-        
-    strings:
-        // Common strings between samples
-        $s1 = "mv -f %s %s ;chmod 777 %s"
-        $s2 = "GET /plain HTTP/1.1"
-        $s3 = "exc_cmd time out"
-        $s4 = "exc_cmd pipe err"
-        $s5 = { 2e 2f [1-10] 20 20 64 65 6c }
-        
-    condition:
-        int32be(0) == 0x7f454c46 and 
-        filesize < 800KB and 
-        filesize > 400KB and 
-        4 of ($s*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_apt31_rekoobe.yar b/yara_rules/sekoiaio_apt_apt31_rekoobe.yar
deleted file mode 100644
index bfc2836..0000000
--- a/yara_rules/sekoiaio_apt_apt31_rekoobe.yar
+++ /dev/null
@@ -1,16 +0,0 @@
-import "elf"
-        
-rule sekoiaio_apt_apt31_rekoobe {
-    meta:
-        id = "b1461a72-76ce-4cc5-ac84-3cc87454d288"
-        version = "1.0"
-        description = "Find Rekoobe sample via Trend Elf Hash (telfhash)"
-        author = "Sekoia.io"
-        creation_date = "2023-07-10"
-        classification = "TLP:CLEAR"
-        
-    condition:
-        uint32be(0) == 0x7f454c46 and
-        filesize < 100KB and elf.telfhash() == "t18fc080c7c6b56a34a7f32538ac7c407982035e1581561b207f50c955d93b408404c5ef"
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_apt33_falsefont.yar b/yara_rules/sekoiaio_apt_apt33_falsefont.yar
deleted file mode 100644
index e0cb20e..0000000
--- a/yara_rules/sekoiaio_apt_apt33_falsefont.yar
+++ /dev/null
@@ -1,39 +0,0 @@
-rule sekoiaio_apt_apt33_falsefont {
-    meta:
-        id = "d77c1f5b-9898-456f-954a-ac1f0907a2ba"
-        version = "1.0"
-        description = "FalseFont backdoor"
-        author = "Sekoia.io"
-        creation_date = "2024-03-25"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s0 = "Agent.Core.WPF"
-        $s1 = "data2.txt" wide fullword
-        $s2 = "data.txt" wide fullword
-        $s3 = "Loginvault.db" wide fullword
-        $command1 = "ExecUseShell" ascii
-        $command2 = "ExecAndKeepAlive" ascii
-        $command3 = "CMD" ascii
-        $command4 = "PowerShell" ascii
-        $command5 = "KillByName" ascii
-        $command6 = "KillById" ascii
-        $command7 = "Download" ascii
-        $command8 = "Upload" ascii
-        $command9 = "Delete" ascii
-        $command10 = "GetDirectories" ascii
-        $command11 = "ChangeTime" ascii
-        $command12 = "SendAllDirectory" ascii
-        $command13 = "UpadateApplication" ascii
-        $command14 = "Restart" ascii
-        $command15 = "GetProcess" ascii
-        $command16 = "SendAllDirectoryWithStartPath" ascii
-        $command17 = "GetDir" ascii
-        $command18 = "GetHard" ascii
-        $command19 = "GetScreen" ascii
-        $command20 = "StopSendScreen" ascii
-        
-    condition:
-        uint16be(0) == 0x4d5a and 15 of ($command*) and 3 of ($s*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_apt33_tickler.yar b/yara_rules/sekoiaio_apt_apt33_tickler.yar
deleted file mode 100644
index 831757b..0000000
--- a/yara_rules/sekoiaio_apt_apt33_tickler.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-import "hash"
-import "pe"
-        
-rule sekoiaio_apt_apt33_tickler {
-    meta:
-        id = "e9ecf678-350c-47d2-ab4c-522974c70a45"
-        version = "1.0"
-        description = "Detects APT33 Tickler malware"
-        author = "Sekoia.io"
-        creation_date = "2024-08-29"
-        classification = "TLP:CLEAR"
-        hash = "8bd712b0a49f4fecd39d30ebd121832c"
-        hash = "3f29429fce0168748d7cc75e1478aedc"
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        (hash.md5(pe.rich_signature.clear_data) == "2fe65623e6b22577516a4cd051ec3baa"
-        or pe.imphash() == "a5accd1a0d3eaf2c131bc662dd7ff8ea")
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_apt35_iisraid_strings.yar b/yara_rules/sekoiaio_apt_apt35_iisraid_strings.yar
deleted file mode 100644
index a03a785..0000000
--- a/yara_rules/sekoiaio_apt_apt35_iisraid_strings.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_apt_apt35_iisraid_strings {
-    meta:
-        id = "ee42f406-0c7e-4385-9098-409611dbe0a5"
-        version = "1.0"
-        description = "Detects APT35s ISSRaid implant"
-        author = "Sekoia.io"
-        creation_date = "2023-05-11"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "CHttpModule::"
-        $ = "X-Forward-Verify"
-        $ = "X-Beserver-Verify"
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 500KB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_apt37_chinotto_powershell_variant.yar b/yara_rules/sekoiaio_apt_apt37_chinotto_powershell_variant.yar
deleted file mode 100644
index 26e3104..0000000
--- a/yara_rules/sekoiaio_apt_apt37_chinotto_powershell_variant.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_apt_apt37_chinotto_powershell_variant {
-    meta:
-        id = "fa42b225-58fe-4e00-b84b-df37491d8fdd"
-        version = "1.0"
-        description = "Detects APT37 Chinotto Powershell Variant"
-        author = "Sekoia.io"
-        creation_date = "2023-03-06"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "$env:COMPUTERNAME + '-' + $env:USERNAME;" ascii wide
-        $ = "while($true -eq $true)" ascii wide
-        $ = "Start-Sleep -Seconds" ascii wide
-        $ = " -ne 'null' -and $" ascii wide
-        $ = "= 'R=' + [System.Convert]::" ascii wide
-        $ = "[string]$([char]0x0D) + [string]$([char]0x0A);" ascii wide
-        
-    condition:
-        4 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_apt37_malicious_hta_file.yar b/yara_rules/sekoiaio_apt_apt37_malicious_hta_file.yar
deleted file mode 100644
index 6928960..0000000
--- a/yara_rules/sekoiaio_apt_apt37_malicious_hta_file.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_apt_apt37_malicious_hta_file {
-    meta:
-        id = "22a98c27-8ff4-4760-b505-f8eacf4dabda"
-        version = "1.0"
-        description = "Detects malicious APT37 files"
-        author = "Sekoia.io"
-        creation_date = "2023-03-06"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "<HTML>" nocase
-        $s2 = " UwB0AGEAcgB0AC0AUwBs" ascii
-        $s3 = "= new ActiveXObject(" ascii
-        $s4 = "\", \"\", \"open\", 0);" ascii
-        $s5 = ".moveTo(" ascii
-        $s6 = "self.close();"
-        
-    condition:
-        $s1 at 0 and all of them and filesize < 1MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_apt41_javascript_dropper.yar b/yara_rules/sekoiaio_apt_apt41_javascript_dropper.yar
deleted file mode 100644
index 352143f..0000000
--- a/yara_rules/sekoiaio_apt_apt41_javascript_dropper.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_apt_apt41_javascript_dropper {
-    meta:
-        id = "fde70806-af50-4706-9daf-d39ad0564fc7"
-        version = "1.0"
-        description = "Detects Earth Lusca JS dropper"
-        author = "Sekoia.io"
-        creation_date = "2024-02-26"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "eval(function(p, a, c, k, e, r) {"
-        $s2 = "|4d53"
-        $s3 = "ActiveXObject"
-        $x1 = " -F:* %1%"
-        $x2 = "&I /r c:\\"
-        $x3 = "ActiveXObject"
-        
-    condition:
-        filesize < 2MB and
-        (all of ($s*) or all of ($x*))
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_apt41_keyplug_dropper.yar b/yara_rules/sekoiaio_apt_apt41_keyplug_dropper.yar
deleted file mode 100644
index a6d94dd..0000000
--- a/yara_rules/sekoiaio_apt_apt41_keyplug_dropper.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_apt_apt41_keyplug_dropper {
-    meta:
-        id = "b6740371-c4c3-437e-8235-0bd4f7b9c3f5"
-        version = "1.0"
-        description = "Detects a dropper used by keyplug"
-        author = "Sekoia.io"
-        creation_date = "2024-06-12"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "C:\\ProgramData\\pfm.ico" wide
-        $ = "C:\\\\ProgramData\\\\pfm.ico" wide
-        $ = "67f8de349abc5ghi" wide
-        $ = "3abc64597f8diegh" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 2MB and
-        any of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_apt41_powershell_collection_script.yar b/yara_rules/sekoiaio_apt_apt41_powershell_collection_script.yar
deleted file mode 100644
index e4cb32b..0000000
--- a/yara_rules/sekoiaio_apt_apt41_powershell_collection_script.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_apt_apt41_powershell_collection_script {
-    meta:
-        id = "55b6cc3e-24b2-4faa-a7fb-b4203a8e6d83"
-        version = "1.0"
-        description = "Detects PowerShell collection script"
-        author = "Sekoia.io"
-        creation_date = "2023-11-15"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "$yestoday.ToString(" ascii wide nocase
-        $ = "$m.LastAccessTime -" ascii wide nocase
-        $ = "$fmat=" ascii wide nocase
-        $ = "$computername" ascii wide nocase
-        $ = "Rar.exe" ascii wide nocase
-        
-    condition:
-        filesize < 10KB and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_apt41_powershell_exfiltration_script.yar b/yara_rules/sekoiaio_apt_apt41_powershell_exfiltration_script.yar
deleted file mode 100644
index 92804d5..0000000
--- a/yara_rules/sekoiaio_apt_apt41_powershell_exfiltration_script.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_apt_apt41_powershell_exfiltration_script {
-    meta:
-        id = "9a15f845-c0af-4f1c-a033-b4f40232dc0d"
-        version = "1.0"
-        description = "Detects PowerShell exfiltration script"
-        author = "Sekoia.io"
-        creation_date = "2023-11-15"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "$UPLOAD_PASSPORT" ascii wide nocase
-        $ = "$fileName=$singleFile.Name" ascii wide nocase
-        $ = "Upload-Passport" ascii wide nocase
-        $ = "$singleFile in $files" ascii wide nocase
-        
-    condition:
-        filesize < 10KB and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_apt_k_47_orpcbackdoor.yar b/yara_rules/sekoiaio_apt_apt_k_47_orpcbackdoor.yar
deleted file mode 100644
index 9554afd..0000000
--- a/yara_rules/sekoiaio_apt_apt_k_47_orpcbackdoor.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_apt_apt_k_47_orpcbackdoor {
-    meta:
-        id = "9768371d-763f-45df-b727-ccda97501aaa"
-        version = "1.0"
-        description = "Detects ORPCBackdoor used by APT-K-47"
-        author = "Sekoia.io"
-        creation_date = "2024-02-14"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "RegisteredOrganization:\t\t\t" ascii wide
-        $s2 = "To Be Filled By O.E.M" ascii wide
-        $s3 = ">> "
-        $s4 = "HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\%u" wide
-        $s5 = "Error! GetSystemDirectory failed."
-        $s6 = "Domain:\t\t\t\t"
-        
-    condition:
-        all of them and filesize < 300KB and uint16be(0) == 0x4d5a
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_apt_k_47_walkershell.yar b/yara_rules/sekoiaio_apt_apt_k_47_walkershell.yar
deleted file mode 100644
index c875c2c..0000000
--- a/yara_rules/sekoiaio_apt_apt_k_47_walkershell.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_apt_apt_k_47_walkershell {
-    meta:
-        id = "201f8415-32d4-4af1-ba80-734554ced728"
-        version = "1.0"
-        description = "Detects WalkerShell used by APT-K-47"
-        author = "Sekoia.io"
-        creation_date = "2024-02-14"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "\\n kuskure" ascii wide
-        $s2 = "col.log.txt" ascii wide
-        $s3 = "polor" ascii wide
-        $s4 = "emit" ascii wide
-        $s5 = "delta" ascii wide
-        $s6 = "under process" ascii wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and filesize < 4MB and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_aptc36_vbs_maldoc.yar b/yara_rules/sekoiaio_apt_aptc36_vbs_maldoc.yar
deleted file mode 100644
index 73e466d..0000000
--- a/yara_rules/sekoiaio_apt_aptc36_vbs_maldoc.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule sekoiaio_apt_aptc36_vbs_maldoc {
-    meta:
-        id = "f0ca061f-e94b-4f70-bbd1-8a15193652d3"
-        version = "1.0"
-        description = "Find VBS file used by the threat actor APT-C-36"
-        author = "Sekoia.io"
-        creation_date = "2022-02-16"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $dim = "dim " wide ascii
-        $hea = "::::::::::::::::::::::::::::::::::::::::::::::::" wide ascii
-        $str0 = "update" wide ascii nocase
-        $str1 = "On Error Resume Next" wide ascii
-        $str2 = "CreateObject" wide ascii
-        $str3 = "WScript" wide ascii
-        
-    condition:
-        #dim > 5 and
-        #hea > 10 and
-        2 of ($str*) and
-        filesize > 10KB and filesize < 1MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_aptc60_downloader_strings.yar b/yara_rules/sekoiaio_apt_aptc60_downloader_strings.yar
deleted file mode 100644
index 3a869f0..0000000
--- a/yara_rules/sekoiaio_apt_aptc60_downloader_strings.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_apt_aptc60_downloader_strings {
-    meta:
-        id = "02fd6d5b-7211-46cc-bcff-ab5d78e459c0"
-        version = "1.0"
-        description = "Detects a simple downloader abusing wlrmdr.exe and used by APT-C-60"
-        author = "Sekoia.io"
-        creation_date = "2024-09-05"
-        classification = "TLP:CLEAR"
-        hash = "b14ef85a60ac71c669cc960bdf580144"
-        
-    strings:
-        $ = "mydllmain" fullword
-        $ = "-s 3600 -f 0 -t _ -m _ -a 11 -u" wide
-        $ = "WlrMakeService" wide
-        $ = "Trigger1" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and all of them
-        and filesize < 500KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_aptk47_asyncshell.yar b/yara_rules/sekoiaio_apt_aptk47_asyncshell.yar
deleted file mode 100644
index 6b4dcd6..0000000
--- a/yara_rules/sekoiaio_apt_aptk47_asyncshell.yar
+++ /dev/null
@@ -1,25 +0,0 @@
-rule sekoiaio_apt_aptk47_asyncshell {
-    meta:
-        id = "2d009cf4-e30e-406d-8860-03b37a396ffa"
-        version = "1.0"
-        description = "Detects APT-K-47's Asyncshell"
-        author = "Sekoia.io"
-        creation_date = "2024-11-22"
-        classification = "TLP:CLEAR"
-        hash = "ce6a589d5e3604112e5595a1f8d53e1e"
-        hash = "751f427da8e11d8ab394574260735220"
-        
-    strings:
-        $ = "Error executing command:" wide
-        $ = "Error occurred:" wide
-        $ = "Attempting to reconnect in {0} seconds..." wide
-        $ = "Exiting the application." wide
-        $ = "Server disconnected." wide
-        $ = "_CorExeMain"
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 1MB and 
-        4 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_aptk47_maliciouslnk.yar b/yara_rules/sekoiaio_apt_aptk47_maliciouslnk.yar
deleted file mode 100644
index e10ec0c..0000000
--- a/yara_rules/sekoiaio_apt_aptk47_maliciouslnk.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_apt_aptk47_maliciouslnk {
-    meta:
-        id = "2ccc8777-26fe-4018-9646-4ea91394fe78"
-        version = "1.0"
-        description = "Detects APT-K-47 malicious LNK"
-        author = "Sekoia.io"
-        creation_date = "2024-11-22"
-        classification = "TLP:CLEAR"
-        hash = "6a405d4e88b4acb9706e19a83aad9cf6"
-        
-    strings:
-        $ = "[/c for /f" wide
-        $ = "2^>nul') do copy" wide
-        $ = "%F in ('where /r %Temp%" wide
-        
-    condition:
-        uint32be(0) == 0x4c000000 and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_aridviper_rustsysjoker.yar b/yara_rules/sekoiaio_apt_aridviper_rustsysjoker.yar
deleted file mode 100644
index 7fd6e57..0000000
--- a/yara_rules/sekoiaio_apt_aridviper_rustsysjoker.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_apt_aridviper_rustsysjoker {
-    meta:
-        id = "14ff3f76-0371-4b45-9864-bf69c74e60aa"
-        version = "1.0"
-        description = "Detects Rust Sysjoker variant via PDB path or key and Rust string"
-        author = "Sekoia.io"
-        creation_date = "2023-11-27"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        
-        $Rust = "called `Option::unwrap()` on a `None` value"
-        $Key = "QQL8VJUJMABL8H5YNRC9QNEOHA"
-        $PDB = "C:\\Code\\Rust\\RustDown-Belal\\target\\release\\deps\\RustDown.pdb"
-        
-    condition:
-        uint16be(0) == 0x4d5a and filesize < 1MB and ($PDB or ($Rust and $Key))
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_backdoordiplomaty_custommerlinagent_strings.yar b/yara_rules/sekoiaio_apt_backdoordiplomaty_custommerlinagent_strings.yar
deleted file mode 100644
index a5507d7..0000000
--- a/yara_rules/sekoiaio_apt_backdoordiplomaty_custommerlinagent_strings.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_apt_backdoordiplomaty_custommerlinagent_strings {
-    meta:
-        id = "965693ba-93b8-4c52-9292-957884411968"
-        version = "1.0"
-        description = "Detects custom variant of Merlin agent used by BackdoorDiplomaty"
-        author = "Sekoia.io"
-        creation_date = "2024-06-06"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "agent.GetSpecificID"
-        $ = "agent.ExecuteCommand"
-        $ = "agent.getClient"
-        $ = "agent.SignalListen"
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 10MB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_backdoordiplomaty_phantomnet.yar b/yara_rules/sekoiaio_apt_backdoordiplomaty_phantomnet.yar
deleted file mode 100644
index 017df8f..0000000
--- a/yara_rules/sekoiaio_apt_backdoordiplomaty_phantomnet.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_apt_backdoordiplomaty_phantomnet {
-    meta:
-        id = "bbcc0664-ef2b-47db-a546-b5e0aa2a1e9a"
-        version = "1.0"
-        description = "Detects PhantomNet based on strings"
-        author = "Sekoia.io"
-        creation_date = "2024-06-06"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "memory load plugin failed!" wide
-        $ = "Event eee!!!" ascii
-        $ = "LoadWin32_x64.pdb" ascii
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 2MB and
-        2 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_badmagic_commonmagic_generic_1.yar b/yara_rules/sekoiaio_apt_badmagic_commonmagic_generic_1.yar
deleted file mode 100644
index fc8d4cb..0000000
--- a/yara_rules/sekoiaio_apt_badmagic_commonmagic_generic_1.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_apt_badmagic_commonmagic_generic_1 {
-    meta:
-        id = "0b328771-f674-4606-bb30-d20d07c67832"
-        version = "1.0"
-        description = "Detects CommonMagic related implants"
-        author = "Sekoia.io"
-        creation_date = "2023-05-15"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "\\CommonCommand\\Clean\\"
-        $ = "\\CommonCommand\\Overall\\"
-        $ = "\\CommonCommand\\Other\\"
-        $ = "\\CommonCommand\\Other\\*"
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 1MB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_badmagic_commonmagic_generic_2.yar b/yara_rules/sekoiaio_apt_badmagic_commonmagic_generic_2.yar
deleted file mode 100644
index 4265d04..0000000
--- a/yara_rules/sekoiaio_apt_badmagic_commonmagic_generic_2.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_apt_badmagic_commonmagic_generic_2 {
-    meta:
-        id = "c6a16ecc-e00a-4756-b603-f6c85e4f4220"
-        version = "1.0"
-        description = "Detects CommonMagic related implants"
-        author = "Sekoia.io"
-        creation_date = "2023-05-15"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "\\CommonCommand\\" ascii wide
-        $ = "\\\\.\\pipe\\PipeMd" ascii wide fullword
-        $ = "\\\\.\\pipe\\PipeDtMd" ascii wide fullword
-        $ = "\\\\.\\pipe\\PipeCrDtMd" ascii wide fullword
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 1MB and
-        2 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_badmagic_commonmagic_main.yar b/yara_rules/sekoiaio_apt_badmagic_commonmagic_main.yar
deleted file mode 100644
index c59e978..0000000
--- a/yara_rules/sekoiaio_apt_badmagic_commonmagic_main.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_apt_badmagic_commonmagic_main {
-    meta:
-        id = "99983df5-89d6-4fac-81e6-16e5ab20bde3"
-        version = "1.0"
-        description = "Detects CommonMagic related implants"
-        author = "Sekoia.io"
-        creation_date = "2023-05-15"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "graph.microsoft.com" ascii wide
-        $ = "children?select=name,size" ascii wide fullword
-        $ = "\\\\.\\pipe\\PipeCrDtMd" ascii wide fullword
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 1MB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_badmagic_commonmagic_screenshot_module.yar b/yara_rules/sekoiaio_apt_badmagic_commonmagic_screenshot_module.yar
deleted file mode 100644
index 962e9d2..0000000
--- a/yara_rules/sekoiaio_apt_badmagic_commonmagic_screenshot_module.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_apt_badmagic_commonmagic_screenshot_module {
-    meta:
-        id = "d1ef0bd1-37dc-405f-b82b-288b1798455c"
-        version = "1.0"
-        description = "Detects CommonMagic related implants"
-        author = "Sekoia.io"
-        creation_date = "2023-05-15"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "%s_%02d.%02d.%04d_%02d.%02d.%02d.%03d.%s" wide
-        $ = "Screenshot" wide
-        $ = "\\\\.\\pipe\\PipeDtMd" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 1MB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_badmagic_commonmagic_usbstealer.yar b/yara_rules/sekoiaio_apt_badmagic_commonmagic_usbstealer.yar
deleted file mode 100644
index 85dc507..0000000
--- a/yara_rules/sekoiaio_apt_badmagic_commonmagic_usbstealer.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_apt_badmagic_commonmagic_usbstealer {
-    meta:
-        id = "37d5becc-f1c3-4400-bc10-cd6036d4dbb1"
-        version = "1.0"
-        description = "Detects CommonMagic related implants"
-        author = "Sekoia.io"
-        creation_date = "2023-05-15"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "\\\\.\\pipe\\PipeDtMd" ascii wide fullword
-        $ = "State USB" ascii wide
-        $ = "DefaultNameDevice" ascii wide
-        $ = "SerialNumber" ascii wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 1MB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_badmagic_generic_pshscript.yar b/yara_rules/sekoiaio_apt_badmagic_generic_pshscript.yar
deleted file mode 100644
index a279a62..0000000
--- a/yara_rules/sekoiaio_apt_badmagic_generic_pshscript.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule sekoiaio_apt_badmagic_generic_pshscript {
-    meta:
-        id = "82cda554-3c2b-4c04-b9f9-b5ba50c53271"
-        version = "1.0"
-        description = "Detects BadMagic generic powershell script (Possible FPs)"
-        author = "Sekoia.io"
-        creation_date = "2023-05-15"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "$ExecutablePath"
-        $ = "Start-Sleep -Second 2"
-        
-    condition:
-        all of them and filesize < 1KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_badmagic_installpzz_pshscript.yar b/yara_rules/sekoiaio_apt_badmagic_installpzz_pshscript.yar
deleted file mode 100644
index a500a3d..0000000
--- a/yara_rules/sekoiaio_apt_badmagic_installpzz_pshscript.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_apt_badmagic_installpzz_pshscript {
-    meta:
-        id = "d01bc217-9e14-498b-a92a-17f6aedec269"
-        version = "1.0"
-        description = "Detects BadMagic InstallPZZ powershell script"
-        author = "Sekoia.io"
-        creation_date = "2023-05-15"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "start-job -ScriptBlock $script;"
-        $ = "Start-Sleep -Second 1;"
-        $ = "Write-Output \"$url$j"
-        $ = "Start-Sleep -Second 2;"
-        
-    condition:
-        all of them and filesize < 1KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_badmagic_ld_dll_loader_pshscript.yar b/yara_rules/sekoiaio_apt_badmagic_ld_dll_loader_pshscript.yar
deleted file mode 100644
index 5d27d4f..0000000
--- a/yara_rules/sekoiaio_apt_badmagic_ld_dll_loader_pshscript.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_apt_badmagic_ld_dll_loader_pshscript {
-    meta:
-        id = "d4a23afc-693f-4fab-b2c4-15eecba047f7"
-        version = "1.0"
-        description = "Detects BadMagic DLL Loader powershell script"
-        author = "Sekoia.io"
-        creation_date = "2023-05-15"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "$ModulePath = \"$folder_path\\$name"
-        $ = "$ModuleExport ="
-        $ = "start-job -ScriptBlock $ScriptBlock"
-        $ = "Invoke-WebRequest -Uri"
-        
-    condition:
-        all of them and filesize < 1KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_badmagic_listfiles_pshscript.yar b/yara_rules/sekoiaio_apt_badmagic_listfiles_pshscript.yar
deleted file mode 100644
index 0a3dc78..0000000
--- a/yara_rules/sekoiaio_apt_badmagic_listfiles_pshscript.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule sekoiaio_apt_badmagic_listfiles_pshscript {
-    meta:
-        id = "55f1c409-234e-4feb-91a3-9bf5c41ec2b8"
-        version = "1.0"
-        description = "Detects BadMagic ListFiles powershell script"
-        author = "Sekoia.io"
-        creation_date = "2023-05-15"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "$env:USERPROFILE"
-        $ = "-Include *.jpg, *.odt, *.doc, *.docx"
-        
-    condition:
-        all of them and filesize < 1KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_badmagic_malicious_lnk.yar b/yara_rules/sekoiaio_apt_badmagic_malicious_lnk.yar
deleted file mode 100644
index 7c37071..0000000
--- a/yara_rules/sekoiaio_apt_badmagic_malicious_lnk.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_apt_badmagic_malicious_lnk {
-    meta:
-        id = "731bd51d-c4e4-4efb-9fa8-f981a8555ed3"
-        version = "1.0"
-        description = "Detect LNK used by BadMagic to execute MSI payloads."
-        author = "Sekoia.io"
-        creation_date = "2023-05-15"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "/i http" wide
-        $ = ".msi /quiet" wide
-        $ = "%WINDIR%\\System32\\msiexec.exe"
-        
-    condition:
-        uint32be(0) == 0x4c000000 and
-        filesize < 1KB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_badmagic_modules.yar b/yara_rules/sekoiaio_apt_badmagic_modules.yar
deleted file mode 100644
index 9566976..0000000
--- a/yara_rules/sekoiaio_apt_badmagic_modules.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-import "pe"
-        
-rule sekoiaio_apt_badmagic_modules {
-    meta:
-        id = "e4f1f706-4a46-4a09-b598-e4e8d80f2c4b"
-        version = "1.0"
-        description = "Detect the modules used by the CloudWizard framework"
-        author = "Sekoia.io"
-        creation_date = "2023-05-25"
-        classification = "TLP:CLEAR"
-        hash = "no hash has been found on 2023-05-25 to test the rule"
-        
-    condition:
-        pe.DLL and
-        pe.exports("Start") and
-        pe.exports("Stop") and
-        pe.exports("Whoami") and
-        pe.exports("GetResult") and
-        pe.exports("GetSettings")
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_badmagic_reco_pshscript.yar b/yara_rules/sekoiaio_apt_badmagic_reco_pshscript.yar
deleted file mode 100644
index c1d58f0..0000000
--- a/yara_rules/sekoiaio_apt_badmagic_reco_pshscript.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_apt_badmagic_reco_pshscript {
-    meta:
-        id = "7a1b2d31-03b7-4a43-8f4e-ed38ba8e118e"
-        version = "1.0"
-        description = "Detects BadMagic Reco powershell script"
-        author = "Sekoia.io"
-        creation_date = "2023-05-15"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "$headers = @{};"
-        $ = "==ARP Cache=="
-        $ = "ipconfig.me"
-        $ = "-ComputerName $env:computername;"
-        
-    condition:
-        all of them and filesize < 1KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_badmagic_startngrok_pshscript.yar b/yara_rules/sekoiaio_apt_badmagic_startngrok_pshscript.yar
deleted file mode 100644
index 76c78e2..0000000
--- a/yara_rules/sekoiaio_apt_badmagic_startngrok_pshscript.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_apt_badmagic_startngrok_pshscript {
-    meta:
-        id = "94d64482-3033-4531-8530-58546364ac06"
-        version = "1.0"
-        description = "Detects BadMagic StartNgrok powershell script"
-        author = "Sekoia.io"
-        creation_date = "2023-05-15"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "$ExecutablePath http \"\"file:///$Disk"
-        $ = "write \"$ExecutablePath not found"
-        $ = "$ng_proxy_string ="
-        $ = "$ng_auth_token ="
-        $ = "$env:ALLUSERSPROFILE\\$NGrokFolderName"
-        
-    condition:
-        all of them and filesize < 1KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_badmagic_startrevsocks_pshscript.yar b/yara_rules/sekoiaio_apt_badmagic_startrevsocks_pshscript.yar
deleted file mode 100644
index feaf80a..0000000
--- a/yara_rules/sekoiaio_apt_badmagic_startrevsocks_pshscript.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_apt_badmagic_startrevsocks_pshscript {
-    meta:
-        id = "a6c96aee-9e78-47d2-afe3-f3c5246a9370"
-        version = "1.0"
-        description = "Detects BadMagic DLL Loader powershell script"
-        author = "Sekoia.io"
-        creation_date = "2023-05-15"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "$ExecutablePath"
-        $ = "Start-Sleep -Second 2"
-        $ = "recn -15 -rect 15"
-        
-    condition:
-        all of them and filesize < 1KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_blackwood_nspx30_plugin.yar b/yara_rules/sekoiaio_apt_blackwood_nspx30_plugin.yar
deleted file mode 100644
index 25c5209..0000000
--- a/yara_rules/sekoiaio_apt_blackwood_nspx30_plugin.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_apt_blackwood_nspx30_plugin {
-    meta:
-        id = "ef8e0d51-c78c-426b-8008-910e27546f23"
-        version = "1.0"
-        description = "Detects plugins of NSPX30 backdoor based on RTTI and rundll32 string"
-        author = "Sekoia.io"
-        creation_date = "2024-01-29"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = {2E 3F 41 56 43 43 61 62 69 6E 65 74 40 40}
-        $s2 = {2E 3F 41 56 43 45 6E 63 6F 64 65 72 40 40}
-        $s3 = "rundll32.exe \"%hs\",#1" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and filesize < 1MB and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_boldmove_strings.yar b/yara_rules/sekoiaio_apt_boldmove_strings.yar
deleted file mode 100644
index 2d2a553..0000000
--- a/yara_rules/sekoiaio_apt_boldmove_strings.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_apt_boldmove_strings {
-    meta:
-        id = "0458e282-f92f-4600-964a-de6b66b4a82d"
-        version = "1.0"
-        description = "Detects BOLDMOVE via strings"
-        author = "Sekoia.io"
-        creation_date = "2023-01-16"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "cwd=%s" ascii wide
-        $s2 = "executable=%s" ascii wide
-        $s3 = "curl/6.12.34" ascii wide
-        $s4 = "www.example.com" ascii wide
-        $s5 = "GET /ws HTTP/1.1" ascii wide
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
-        filesize < 4MB and 4 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_buhtrap_maldocx.yar b/yara_rules/sekoiaio_apt_buhtrap_maldocx.yar
deleted file mode 100644
index 837cd4b..0000000
--- a/yara_rules/sekoiaio_apt_buhtrap_maldocx.yar
+++ /dev/null
@@ -1,26 +0,0 @@
-rule sekoiaio_apt_buhtrap_maldocx {
-    meta:
-        id = "4aaba2f1-fafd-4e3f-8b18-7beda11464d1"
-        version = "1.0"
-        description = "Detect the malicious DOCX used by Buhtrap"
-        author = "Sekoia.io"
-        creation_date = "2022-02-25"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "<xm:macrosheet xmlns=" ascii fullword
-        $ = "CALL(\"kernel32\",\"VirtualFree"
-        $ = "CALL(\"kernel32\",\"CreateFileA"
-        $ = "CALL(\"kernel32\",\"WriteFile"
-        $ = "CALL(\"kernel32\",\"VirtualAlloc"
-        $ = "CALL(\"kernel32\",\"WinExec"
-        $ = "CALL(\"kernel32\",\"lstrcatA"
-        $ = "CALL(\"kernel32\",\"CreateFileA"
-        $ = "CALL(\"kernel32\",\"VirtualFree"
-        $ = "CALL(\"kernel32\",\"ExpandEnvironmentStringsA"
-        $ = "CALL(\"kernel32\",\"CloseHandle"
-        
-    condition:
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_cerana_keeper_dropboxflop.yar b/yara_rules/sekoiaio_apt_cerana_keeper_dropboxflop.yar
deleted file mode 100644
index 61474dc..0000000
--- a/yara_rules/sekoiaio_apt_cerana_keeper_dropboxflop.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_apt_cerana_keeper_dropboxflop {
-    meta:
-        id = "e077901f-3847-45f3-82cb-d52724cd3fb5"
-        version = "1.0"
-        description = "Detects DropboxFlop malware"
-        author = "Sekoia.io"
-        creation_date = "2024-10-04"
-        classification = "TLP:CLEAR"
-        hash = "2b65b74e52fbf25cb400dbdfcd1a06a7"
-        
-    strings:
-        $ = "<assemblyIdentity type=\"win32\" name=\"dropboxflop\""
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_cerana_keeper_yk0130.yar b/yara_rules/sekoiaio_apt_cerana_keeper_yk0130.yar
deleted file mode 100644
index 1abfd4f..0000000
--- a/yara_rules/sekoiaio_apt_cerana_keeper_yk0130.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_apt_cerana_keeper_yk0130 {
-    meta:
-        id = "3da898a9-68e7-472f-8478-a0243840ec0a"
-        version = "1.0"
-        description = "Detects YK0130 reverse shell"
-        author = "Sekoia.io"
-        creation_date = "2024-10-04"
-        classification = "TLP:CLEAR"
-        hash = "2554e4864294dc96a5b4548dd42c7189"
-        
-    strings:
-        $pdb = "C:\\Users\\admin\\source\\repos\\YK0130" ascii fullword
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        all of them and filesize < 300KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_cloudatlas_init_module_virtualalloc.yar b/yara_rules/sekoiaio_apt_cloudatlas_init_module_virtualalloc.yar
deleted file mode 100644
index ea22562..0000000
--- a/yara_rules/sekoiaio_apt_cloudatlas_init_module_virtualalloc.yar
+++ /dev/null
@@ -1,26 +0,0 @@
-rule sekoiaio_apt_cloudatlas_init_module_virtualalloc {
-    meta:
-        id = "299ed681-9d1f-4b47-8389-ff5a608f49d4"
-        version = "1.0"
-        description = "Find init module of CloudAtlas with params passed to VirtualAlloc"
-        author = "Sekoia.io"
-        creation_date = "2023-09-19"
-        classification = "TLP:CLEAR"
-        hash1 = "02a1a9582f5ccf421b08c41c35049416b9cdefc9228daf6b38d95e9b0930cc5a"
-        hash2 = "c7f19c7c295c86867ea7fa4597ba0cebe12f751753866e7298fd5d84676facc3"
-        
-    strings:
-        $chunk_1 = {
-        6A 40
-        68 00 30 10 00
-        8B 8D ?? ?? ?? ??
-        8B 51 50
-        52
-        6A 00
-        FF 15 ?? ?? ?? ??
-        }
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and $chunk_1 and filesize < 3MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_cloudatlas_powershower_clean.yar b/yara_rules/sekoiaio_apt_cloudatlas_powershower_clean.yar
deleted file mode 100644
index 25b4baa..0000000
--- a/yara_rules/sekoiaio_apt_cloudatlas_powershower_clean.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_apt_cloudatlas_powershower_clean {
-    meta:
-        id = "4a7c37df-3f53-4190-a86f-94bba3df628e"
-        version = "1.0"
-        description = "Detects clean version of PowerShower"
-        author = "Sekoia.io"
-        creation_date = "2022-12-05"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "[io.file]::WriteAllBytes($zipfile" ascii wide
-        $ = "System.IO.File]::Exists($p_t" ascii wide
-        $ = "HttpRequestP" ascii wide
-        $ = "$http_request.getOption(2)" ascii wide
-        $ = "HttpRequestP($url)" ascii wide
-        
-    condition:
-    uint8(0) == 0x24 and filesize < 4000 and 4 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_cloudatlas_powershower_module.yar b/yara_rules/sekoiaio_apt_cloudatlas_powershower_module.yar
deleted file mode 100644
index 1224f42..0000000
--- a/yara_rules/sekoiaio_apt_cloudatlas_powershower_module.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_apt_cloudatlas_powershower_module {
-    meta:
-        id = "dd688058-3d5d-46a7-8380-fe961c3327cd"
-        version = "1.0"
-        description = "Detects CloudAtlas PowerShower module"
-        author = "Sekoia.io"
-        creation_date = "2022-11-30"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "$env:temp" ascii wide
-        $ = "foreach($item in $zip.items" ascii wide
-        $ = "echo $result" ascii wide
-        $ = "pass.txt" ascii wide
-        
-    condition:
-    all of them and filesize < 10000
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_cloudatlas_powershower_obfuscated.yar b/yara_rules/sekoiaio_apt_cloudatlas_powershower_obfuscated.yar
deleted file mode 100644
index 7062f19..0000000
--- a/yara_rules/sekoiaio_apt_cloudatlas_powershower_obfuscated.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_apt_cloudatlas_powershower_obfuscated {
-    meta:
-        id = "f76ab9d8-7753-4a17-aedd-fc9c3b8cd322"
-        version = "1.0"
-        description = "Detects obfuscated version of PowerShower"
-        author = "Sekoia.io"
-        creation_date = "2022-11-29"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "{0}{1}{2}{3}{4}{5}{6}{7}{8}" ascii wide
-        $s2 = "{000}{001}{002}{003}{004}{005}{006}{007}{008}" ascii wide
-        $s3 = "::Unicode.GetString([System.Convert]::FromBase64String(" ascii wide
-        
-    condition:
-        ($s1 in (0..100) or $s2 in (0..100))
-        and $s3 in (filesize-200..filesize)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_cloudatlas_powershower_variant.yar b/yara_rules/sekoiaio_apt_cloudatlas_powershower_variant.yar
deleted file mode 100644
index 862616d..0000000
--- a/yara_rules/sekoiaio_apt_cloudatlas_powershower_variant.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_apt_cloudatlas_powershower_variant {
-    meta:
-        id = "416d0cb0-bc59-47ae-8a98-d7b39f8108ab"
-        version = "1.0"
-        description = "Detects PowerShower"
-        author = "Sekoia.io"
-        creation_date = "2023-12-20"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "[System.Text.Encoding]::" ascii wide
-        $s2 = "{8}{9}{10}{11}{12}{13}{14}{15}{16}{17}{18}{19}{20}"  ascii wide
-        
-    condition:
-        filesize < 10KB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_cloudatlas_powertunnel.yar b/yara_rules/sekoiaio_apt_cloudatlas_powertunnel.yar
deleted file mode 100644
index 2ce125c..0000000
--- a/yara_rules/sekoiaio_apt_cloudatlas_powertunnel.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_apt_cloudatlas_powertunnel {
-    meta:
-        id = "04981493-de8b-4662-ae81-8866c182f8b2"
-        version = "1.0"
-        description = "Detects PowerTunnel DLL of CloudAtlas"
-        author = "Sekoia.io"
-        creation_date = "2022-11-29"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "BeginGetHostEntry"
-        $ = "get_AddressList"
-        $ = "time_stop_delay_seconds"
-        $ = "<connect><result>{0}</result></connect>"
-        $ = "_CorDllMain"
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 1MB  and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_cloudatlas_powertunnel_loader.yar b/yara_rules/sekoiaio_apt_cloudatlas_powertunnel_loader.yar
deleted file mode 100644
index fdee375..0000000
--- a/yara_rules/sekoiaio_apt_cloudatlas_powertunnel_loader.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_apt_cloudatlas_powertunnel_loader {
-    meta:
-        id = "f2333b8a-99e9-4f28-b0d8-4f7dc4c648c5"
-        version = "1.0"
-        description = "Detects the Powershell loader of the PowerTunnel dll"
-        author = "Sekoia.io"
-        creation_date = "2022-11-29"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "New-Object System.IO.Compression.GzipStream(" ascii fullword
-        $ = "[System.Reflection.Assembly]::Load("
-        $ = ".ReadBytes("
-        $ = ".Service]::StartMain"
-        
-    condition:
-        uint8be(0) == 0x24 and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_cloudatlas_rtf_shellcode_cve_2018_0798.yar b/yara_rules/sekoiaio_apt_cloudatlas_rtf_shellcode_cve_2018_0798.yar
deleted file mode 100644
index 45bb79f..0000000
--- a/yara_rules/sekoiaio_apt_cloudatlas_rtf_shellcode_cve_2018_0798.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule sekoiaio_apt_cloudatlas_rtf_shellcode_cve_2018_0798 {
-    meta:
-        id = "6c602c66-df40-4436-800f-e548dacc1e81"
-        version = "1.0"
-        description = "CloudAtlas Shellcode for CVE_2018_0798 "
-        author = "Sekoia.io"
-        creation_date = "2022-12-01"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "6060606061616161616161616161616161616161FB0B00004bE8FFFFFFFFC35F83C71B33C966B908010f0d00ddd8d97424f4668137" ascii nocase
-        
-    condition:
-        filesize < 8MB  and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_cloudatlas_stagescalldllmainafterexec.yar b/yara_rules/sekoiaio_apt_cloudatlas_stagescalldllmainafterexec.yar
deleted file mode 100644
index 8f2eb32..0000000
--- a/yara_rules/sekoiaio_apt_cloudatlas_stagescalldllmainafterexec.yar
+++ /dev/null
@@ -1,47 +0,0 @@
-rule sekoiaio_apt_cloudatlas_stagescalldllmainafterexec {
-    meta:
-        id = "a24b7887-87f6-44e3-80c5-cd117e694595"
-        version = "1.0"
-        description = "Detects call to dllmain after execution of exported function"
-        author = "Sekoia.io"
-        creation_date = "2023-10-31"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $chunk_1 = {
-        55
-        8B EC
-        83 EC 10
-        C7 45 ?? 00 00 00 00
-        83 7D ?? 00
-        74 ??
-        8B 45 ??
-        89 45 ??
-        8B 4D ??
-        8B 51 ??
-        03 55 ??
-        89 55 ??
-        8B 45 ??
-        8B 48 ??
-        03 4D ??
-        89 4D ??
-        6A 00
-        6A 00
-        FF 75 ??
-        FF 55 ??
-        68 00 80 00 00
-        6A 00
-        8B 55 ??
-        52
-        FF 15 ?? ?? ?? ??
-        C7 45 ?? 01 00 00 00
-        8B 45 ??
-        8B E5
-        5D
-        C2 04 00
-        }
-        
-    condition:
-        any of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_cloudmensis_downloader_strings.yar b/yara_rules/sekoiaio_apt_cloudmensis_downloader_strings.yar
deleted file mode 100644
index 902d542..0000000
--- a/yara_rules/sekoiaio_apt_cloudmensis_downloader_strings.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_apt_cloudmensis_downloader_strings {
-    meta:
-        id = "450cfa42-7b56-4d93-afe2-9cf5c1049217"
-        version = "1.0"
-        description = "Detects CloudMensis downloader"
-        author = "Sekoia.io"
-        creation_date = "2022-07-26"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "https://api.pcloud.com/getfilelink?path=%@&forcedownload=1"
-        $ = "python -c 'import os; print(os.confstr(65538))'"
-        $ = "getCmdResult:"
-        $ = "[pCloud DownloadFile:]"
-        
-    condition:
-        uint32be(0) == 0xcafebabe and
-        filesize < 1MB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_cloudmensis_spyagent_strings.yar b/yara_rules/sekoiaio_apt_cloudmensis_spyagent_strings.yar
deleted file mode 100644
index c0b7f59..0000000
--- a/yara_rules/sekoiaio_apt_cloudmensis_spyagent_strings.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_apt_cloudmensis_spyagent_strings {
-    meta:
-        id = "c2df8373-6698-4b23-9d77-8e7968bd69f0"
-        version = "1.0"
-        description = "Detects CloudMensis SpyAgent"
-        author = "Sekoia.io"
-        creation_date = "2022-07-26"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "[control_thread loop_DirStructure:]"
-        $ = "[screen_keylog getScreenShotData]"
-        $ = "[screen_keylog loop_usb]"
-        $ = "[Management UploadFilebyPath:destination:]"
-        $ = "[control_thread loop_pwd:]"
-        
-    condition:
-        uint32be(0) == 0xcafebabe and 
-        filesize < 2MB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_coathanger_beacon.yar b/yara_rules/sekoiaio_apt_coathanger_beacon.yar
deleted file mode 100644
index affbc4e..0000000
--- a/yara_rules/sekoiaio_apt_coathanger_beacon.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_apt_coathanger_beacon {
-    meta:
-        id = "cc201479-016a-46d2-a9e2-41b4914ce618"
-        version = "1.0"
-        description = "Detects COATHANGER beacon"
-        author = "Sekoia.io"
-        creation_date = "2024-02-07"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = {
-        48 B8 47 45 54 20 2F 20 48 54
-        48 89 45 B0 48 B8 54 50 2F 32 0A 48 6F 73
-        48 89 45 B8 48 B8 74 3A 20 77 77 77 2E 67
-        48 89 45 C0 48 B8 6F 6F 67 6C 65 2E 63 6F
-        }
-        
-    condition:
-        uint32(0) == 0x464c457f and filesize < 5MB and
-        any of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_coathanger_files.yar b/yara_rules/sekoiaio_apt_coathanger_files.yar
deleted file mode 100644
index 012a8e9..0000000
--- a/yara_rules/sekoiaio_apt_coathanger_files.yar
+++ /dev/null
@@ -1,25 +0,0 @@
-rule sekoiaio_apt_coathanger_files {
-    meta:
-        id = "615f5ac1-14bc-4f5b-a02e-7b13cd179917"
-        version = "1.0"
-        description = "Detects COATHANGER files"
-        author = "Sekoia.io"
-        creation_date = "2024-02-07"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "/data2/"
-        $ = "/httpsd"
-        $ = "/preload.so"
-        $ = "/authd"
-        $ = "/tmp/packfile"
-        $ = "/smartctl"
-        $ = "/etc/ld.so.preload"
-        $ = "/newcli"
-        $ = "/bin/busybox"
-        
-    condition:
-        (uint32(0) == 0x464c457f or uint32(4) == 0x464c457f)
-        and filesize < 5MB and 4 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_cottonsandstorm_win_implant.yar b/yara_rules/sekoiaio_apt_cottonsandstorm_win_implant.yar
deleted file mode 100644
index c736781..0000000
--- a/yara_rules/sekoiaio_apt_cottonsandstorm_win_implant.yar
+++ /dev/null
@@ -1,25 +0,0 @@
-rule sekoiaio_apt_cottonsandstorm_win_implant {
-    meta:
-        id = "04a5255c-f9bb-4612-b0e2-ed0326867055"
-        version = "1.0"
-        description = "Detects a simple win implant used by Cotton Sandstorm"
-        author = "Sekoia.io"
-        creation_date = "2024-11-05"
-        classification = "TLP:CLEAR"
-        hash = "f797d71ed07d6e05556300e4ce0f2927"
-        
-    strings:
-        $ = "DIR =>" wide
-        $ = "type=machines&md5=" wide
-        $ = "File =>" wide
-        $ = "&ip=" wide fullword
-        $ = "&un=" wide fullword
-        $ = "&cp=" wide fullword
-        $ = "myFile\";filename=" ascii
-        $ = "ifB75BcjsRBhy2et" ascii
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        4 of them and filesize < 500KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_dark_pink_pdb_path.yar b/yara_rules/sekoiaio_apt_dark_pink_pdb_path.yar
deleted file mode 100644
index 8b80b57..0000000
--- a/yara_rules/sekoiaio_apt_dark_pink_pdb_path.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_apt_dark_pink_pdb_path {
-    meta:
-        id = "695586dc-66de-4f9d-814a-2d81261a7357"
-        version = "1.0"
-        description = "Detects PDB path of some Dark Pink sample"
-        author = "Sekoia.io"
-        creation_date = "2023-01-16"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "C:\\Users\\hoang\\source\\repos\\Cucky\\Cucky\\obj\\Release\\net46\\Cucky.pdb" wide ascii
-        $s2 = "C:\\Users\\build\\source\\repos\\CtealWebCredential\\Release\\CtealWebCredential.pdb" wide ascii
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
-        filesize < 5MB and any of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_darkpink_kamikakabot_strings.yar b/yara_rules/sekoiaio_apt_darkpink_kamikakabot_strings.yar
deleted file mode 100644
index 8cbe16f..0000000
--- a/yara_rules/sekoiaio_apt_darkpink_kamikakabot_strings.yar
+++ /dev/null
@@ -1,31 +0,0 @@
-rule sekoiaio_apt_darkpink_kamikakabot_strings {
-    meta:
-        id = "0f5a7d72-81c8-4fdd-aefd-136bc6d48aa5"
-        version = "1.0"
-        description = "Detects KamiKakaBot strings (.NET sample of Dark Pink)"
-        author = "Sekoia.io"
-        creation_date = "2023-02-22"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "Execute"
-        $ = "f4869"
-        $ = "getIndentifyName"
-        $ = "getMessageAsync"
-        $ = "requestMessageID"
-        $ = "run_command"
-        $ = "sendFile"
-        $ = "sendMessage"
-        $ = "send_brw_data"
-        $ = "updateMessageID"
-        $ = "update_new_token"
-        $ = "update_new_xml"
-        $ = {53 00 74 00 61 00 72 00 74 00 65 00 64 00 20 00 75 00 70 00 20 00 72 00 75 00 6e}
-        $ = {20 00 72 00 65 00 63 00 6f 00 6e 00 6e 00 65 00 63 00 74 00 65 00 64 00 21}
-        $ = {6e 00 65 00 77 00 20 00 63 00 6f 00 6e 00 6e 00 65 00 63 00 74 00 65 00 64 00 21}
-        $ = {74 00 6f 00 6b 00 65 00 6e 00 20 00 75 00 70 00 64 00 61 00 74 00 65 00 20 00 73 00 75 00 63 00 63 00 65 00 73 00 73 00 21 00 21 00 21}
-        
-    condition:
-       6 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_darkpink_loader_decryptionroutine.yar b/yara_rules/sekoiaio_apt_darkpink_loader_decryptionroutine.yar
deleted file mode 100644
index a212aba..0000000
--- a/yara_rules/sekoiaio_apt_darkpink_loader_decryptionroutine.yar
+++ /dev/null
@@ -1,50 +0,0 @@
-import "hash"
-import "pe"
-        
-rule sekoiaio_apt_darkpink_loader_decryptionroutine {
-    meta:
-        id = "fefc7b2f-eecc-49dc-84bc-24c45e9ea8f0"
-        version = "1.0"
-        description = "Detects decryption routine of dark pink loader"
-        author = "Sekoia.io"
-        creation_date = "2023-01-17"
-        classification = "TLP:CLEAR"
-        hashs = "3f38860d0f6f0ff1b65219379f8793383cba85b11de1c853192fb2d2ba99e481"
-        hashs = "b3f1d6366ebc184f634a240c838b39d729c28b8718b0b9ca6be988a7e446ec42"
-        
-    strings:
-        $chunk_1 = {
-        8A 08
-        40
-        84 C9
-        75 ??
-        6A 00
-        2B C2
-        50
-        53
-        56
-        E8 ?? ?? ?? ??
-        8A 88 ?? ?? ?? ??
-        30 0C 3E
-        83 C6 01
-        83 D3 00
-        78 ??
-        7F ??
-        81 FE ?? ?? ?? ??
-        72 ??
-        55
-        }
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
-        filesize < 3MB and (
-            all of them 
-            or
-            hash.md5(pe.rich_signature.clear_data) == "950c0710dc4cbf6e2cd6b857d25da523"
-            or
-            for any i in (0..pe.number_of_sections-1) : (
-                hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "547e43dd8560fa8b0ca0be9f633bf62d"
-            )
-        )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_darkpink_sample.yar b/yara_rules/sekoiaio_apt_darkpink_sample.yar
deleted file mode 100644
index 5724fdd..0000000
--- a/yara_rules/sekoiaio_apt_darkpink_sample.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_apt_darkpink_sample {
-    meta:
-        id = "91b4c64a-7622-4f03-bd3f-9fe56f01dfbe"
-        version = "1.0"
-        description = "Detects two parts of cmd.exe /c "
-        author = "Sekoia.io"
-        creation_date = "2023-06-05"
-        classification = "TLP:CLEAR"
-        hash = "8dc3f6179120f03fd6cb2299dbc94425451d84d6852b801a313a39e9df5d9b1a"
-        
-    strings:
-        $cmd_xor_part_1 = {DF 00 A1 00 E4 00 F0 00 4B 00 3A 00 D1 00 C4 00}
-        $cmd_xor_part_2 = {bc 00 cc 00 80 00 d0 00 64 00 59 00 F1 00 E6 00 FD 00 83 00 C6}
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
-        filesize <1MB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_emberbear_credpump_strings.yar b/yara_rules/sekoiaio_apt_emberbear_credpump_strings.yar
deleted file mode 100644
index fac0abe..0000000
--- a/yara_rules/sekoiaio_apt_emberbear_credpump_strings.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_apt_emberbear_credpump_strings {
-    meta:
-        id = "c9898e34-4ab8-49d6-9c8a-3fce592449e2"
-        version = "1.0"
-        description = "Detects CredPump backdoor"
-        author = "Sekoia.io"
-        creation_date = "2023-02-28"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "User=%s Pass=%s Host=%s"
-        $ = "/etc/rc0.d/.rc0.d"
-        $ = "pam_get_authtok"
-        $ = "Password:"
-        
-    condition:
-        uint32be(0) == 0x7f454c46 and
-        filesize < 200KB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_emissarypanda_sysupdate_removing_tool.yar b/yara_rules/sekoiaio_apt_emissarypanda_sysupdate_removing_tool.yar
deleted file mode 100644
index 17b3856..0000000
--- a/yara_rules/sekoiaio_apt_emissarypanda_sysupdate_removing_tool.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_apt_emissarypanda_sysupdate_removing_tool {
-    meta:
-        id = "711d059c-6229-49ef-aa20-a04d505838dc"
-        version = "1.0"
-        description = "Detects the SysUpdate removing tool"
-        author = "Sekoia.io"
-        creation_date = "2022-08-03"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "KsWAYYYXXsFUCK" wide
-        $ = "remove Services:%s %d" wide
-        $ = "remove dir:%s %d" wide
-        $ = "remove reg %d" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and filesize < 11MB and 2 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_emissarypanda_web_auto_attack_tool.yar b/yara_rules/sekoiaio_apt_emissarypanda_web_auto_attack_tool.yar
deleted file mode 100644
index a8c9b06..0000000
--- a/yara_rules/sekoiaio_apt_emissarypanda_web_auto_attack_tool.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_apt_emissarypanda_web_auto_attack_tool {
-    meta:
-        id = "c93eb792-a443-4c9a-8fcb-6015cc69f9b3"
-        version = "1.0"
-        description = "Detect LuckyMouse's Web auto attack tool"
-        author = "Sekoia.io"
-        creation_date = "2022-08-03"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "[192.168.1.1/24|192.168.1.1|192.168.1|@host.txt]" ascii
-        $ = "80,s443,8080,s8443,8000-8010" ascii
-        $ = "exploit When find module vul" ascii
-        $ = "<title>\\s*(.*?)\\s*</title>" ascii
-        $ = "<meta.+?charset=[^\\w]?([-\\w]+)" ascii
-        $ = "%s is not existed" ascii
-        $ = "%-15s %4d Open" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and 4 of them and filesize < 500KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_evasive_panda_downloader_certificate_exe.yar b/yara_rules/sekoiaio_apt_evasive_panda_downloader_certificate_exe.yar
deleted file mode 100644
index 5643e5c..0000000
--- a/yara_rules/sekoiaio_apt_evasive_panda_downloader_certificate_exe.yar
+++ /dev/null
@@ -1,16 +0,0 @@
-rule sekoiaio_apt_evasive_panda_downloader_certificate_exe {
-    meta:
-        id = "1b40fca9-04b1-46b3-b48c-5a148a1b36b9"
-        version = "1.0"
-        description = "Detects downloader used by Evasive Panda (certificate.exe)"
-        author = "Sekoia.io"
-        creation_date = "2024-03-15"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = {C6 45 D4 44 C6 45 D5 74 C6 45 D6 7C C6 45 D7 74 C6 45 D8 79}
-        
-    condition:
-        uint16be(0) == 0x4d5a and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_evasive_panda_rphost_dll.yar b/yara_rules/sekoiaio_apt_evasive_panda_rphost_dll.yar
deleted file mode 100644
index 6ec0ee3..0000000
--- a/yara_rules/sekoiaio_apt_evasive_panda_rphost_dll.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_apt_evasive_panda_rphost_dll {
-    meta:
-        id = "8d70639d-b736-4823-86ad-37f0e383b5f7"
-        version = "1.0"
-        description = "Detects DLL used by Evasive Panda"
-        author = "Sekoia.io"
-        creation_date = "2024-03-15"
-        classification = "TLP:CLEAR"
-        hash = "fa44028115912c95b5efb43218f3c7237d5c349f"
-        
-    strings:
-        $s1 = "htks.ini" ascii fullword
-        $s2 = "MyDemo" wide fullword
-        
-    condition:
-        uint16be(0) == 0x4d5a and 
-        all of them 
-        
-        and filesize < 1MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_flightnight_malicious_lnk.yar b/yara_rules/sekoiaio_apt_flightnight_malicious_lnk.yar
deleted file mode 100644
index c43e2cc..0000000
--- a/yara_rules/sekoiaio_apt_flightnight_malicious_lnk.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_apt_flightnight_malicious_lnk {
-    meta:
-        id = "06f33ece-ac9f-4dd3-98fb-cd69305ee995"
-        version = "1.0"
-        description = "Detects malicious LNK used by FlightNight"
-        author = "Sekoia.io"
-        creation_date = "2024-04-02"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s0 = "/c start /B " wide
-        $s1 = ".exe &" wide
-        $s2 = ".pdf" wide
-        $s3 = "%CD%" wide
-        
-    condition:
-        uint32be(0) == 0x4c000000 and
-        $s1 in (@s0..@s2) and
-        $s1 in (@s0..@s0+100) and
-        $s3
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_gamaredon_ddrdoh_powershell_backdoor.yar b/yara_rules/sekoiaio_apt_gamaredon_ddrdoh_powershell_backdoor.yar
deleted file mode 100644
index fefaaa1..0000000
--- a/yara_rules/sekoiaio_apt_gamaredon_ddrdoh_powershell_backdoor.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_apt_gamaredon_ddrdoh_powershell_backdoor {
-    meta:
-        id = "3413dedd-e3ec-4231-8af7-c7f709ab82d7"
-        version = "1.0"
-        description = "Detects GAMAREDON's DDRDOH PowerShell Backdoor"
-        author = "Sekoia.io"
-        creation_date = "2023-01-23"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "hidden iex $env:" ascii wide
-        $ = ".substring(0,4) -eq \"http" ascii wide
-        $ = ".split('!')[1];" ascii wide
-        $ = " -bxor $key[$i % $key.Length]" ascii wide
-        $s = "Filter $fil | Select-Object VolumeSerialNumber" ascii wide
-        
-    condition:
-        uint8(0) == 0x24 and 4 of them and filesize < 10KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_gamaredon_ddrdoh_vbs_downloader.yar b/yara_rules/sekoiaio_apt_gamaredon_ddrdoh_vbs_downloader.yar
deleted file mode 100644
index aed8ee9..0000000
--- a/yara_rules/sekoiaio_apt_gamaredon_ddrdoh_vbs_downloader.yar
+++ /dev/null
@@ -1,27 +0,0 @@
-rule sekoiaio_apt_gamaredon_ddrdoh_vbs_downloader {
-    meta:
-        id = "c934b95d-d81d-4f58-a752-1bb31ba8593d"
-        version = "1.0"
-        description = "Detects the core of the VBS Gamaredon's Telegram Downloader"
-        author = "Sekoia.io"
-        creation_date = "2023-01-25"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $a1 = "==([0-9\\@]+)==" ascii
-        $a2 = "data\"\":\"\"(.*?)" ascii
-        $a3 = ", vbcr ,\"\")" ascii
-        $a4 = ", vblf ,\"\")" ascii
-        $a5 = ", \"&&\" ,\"\")" ascii
-        $a6 = "ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4" ascii
-        $b1 = "==([0-9\\@]+)==" base64
-        $b2 = "data\"\":\"\"(.*?)" base64
-        $b3 = ", vbcr ,\"\")" base64
-        $b4 = ", vblf ,\"\")" base64
-        $b5 = ", \"&&\" ,\"\")" base64
-        $b6 = "ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4" base64
-        
-    condition:
-        (4 of ($a*) or 4 of ($b*)) and filesize < 50KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_gamaredon_ddrdoh_vbs_downloader_vbs.yar b/yara_rules/sekoiaio_apt_gamaredon_ddrdoh_vbs_downloader_vbs.yar
deleted file mode 100644
index 62e2cc3..0000000
--- a/yara_rules/sekoiaio_apt_gamaredon_ddrdoh_vbs_downloader_vbs.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_apt_gamaredon_ddrdoh_vbs_downloader_vbs {
-    meta:
-        id = "cc29d5d9-58bd-4f68-8673-daa41abfc7be"
-        version = "1.0"
-        description = "Detects malicious VBScript executed by LNK/mshta"
-        author = "Sekoia.io"
-        creation_date = "2023-01-24"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "b24gZXJyb3IgcmVzd" ascii
-        $ = "BinaryStream.readtext" ascii nocase
-        $ = "createobject(\"msxml2.domdocument.3.0\").createelement(" ascii nocase
-        $ = "Dim cSecond, cMinute, CHour, cDay, cMonth, cYear" ascii nocase
-        $ = "tDate & \"T\" & tTime"
-        $ = "AutoOpen" ascii nocase
-        
-    condition:
-        5 of them and filesize < 50KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_gamaredon_doc_external_template.yar b/yara_rules/sekoiaio_apt_gamaredon_doc_external_template.yar
deleted file mode 100644
index 0d27d72..0000000
--- a/yara_rules/sekoiaio_apt_gamaredon_doc_external_template.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_apt_gamaredon_doc_external_template {
-    meta:
-        id = "5f6bbf92-2fdf-428d-af49-2d3e754c29d7"
-        version = "1.0"
-        description = "Detects malicious templates used by Gamaredon"
-        author = "Sekoia.io"
-        creation_date = "2023-01-23"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "USERPROFILE" ascii
-        $ = "msxml2" ascii
-        $ = "T24gRXJyb3IgUmVzdW1lIE5leHQ" ascii
-        
-    condition:
-        uint32be(0) == 0xd0cf11e0 and filesize < 100KB and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_gamaredon_flash_infostealer.yar b/yara_rules/sekoiaio_apt_gamaredon_flash_infostealer.yar
deleted file mode 100644
index 543038b..0000000
--- a/yara_rules/sekoiaio_apt_gamaredon_flash_infostealer.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_apt_gamaredon_flash_infostealer {
-    meta:
-        id = "f060fe4b-74fd-4ef3-ac86-916e2113ff24"
-        version = "1.0"
-        description = "Detects the Gamaredon's Flash InfoStealer"
-        author = "Sekoia.io"
-        creation_date = "2023-01-24"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $a1 = "Content-Type: multipart/form-data; boundary=----%s" ascii
-        $a2 = "Content-Disposition: form-data; name=\"p\"" ascii
-        $a3 = "Content-Type: application/octet-stream"
-        $w1 = "%s||%s||%s||%s" wide
-        $w2 = "Pragma: no-cache" wide
-        $w3 = { 64 00 6F 00 63 00 00 00 00 00 2E 00 64 00 6F 00 63 00 78 00 }
-        
-    condition:
-        uint16be(0) == 0x4d5a and filesize < 500KB and
-        2 of ($a*) and 2 of ($w*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_gamaredon_gamaredon_lnk_usb_spreader.yar b/yara_rules/sekoiaio_apt_gamaredon_gamaredon_lnk_usb_spreader.yar
deleted file mode 100644
index 46f2b48..0000000
--- a/yara_rules/sekoiaio_apt_gamaredon_gamaredon_lnk_usb_spreader.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule sekoiaio_apt_gamaredon_gamaredon_lnk_usb_spreader {
-    meta:
-        id = "a0972e30-bfc5-48ff-b04b-382db8c08a54"
-        version = "1.0"
-        description = "Detects Gamaredon LNK USB Spreader"
-        author = "Sekoia.io"
-        hash = "2aee8bb2a953124803bc42e5c42935c92f87030b65448624f51183bf00dd1581"
-        creation_date = "2023-06-19"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = ".CREatesHoRTCUt(" nocase ascii wide
-        $ = "cOPY-Item $enV:UsErprOfilE" nocase ascii wide
-        $ = "-dEsTInaTioN $Env:" nocase ascii wide
-        $ = " = GET-ChilDITem $drivE.nAMe" nocase ascii wide
-        $ = "STArt-SLEeP" nocase ascii wide
-        $ = "-eq [SYsTEM.Io.fILeaTTrIbuTES]::DIRecToRy" nocase ascii wide
-        $ = "drIvETYPe='2'" nocase ascii wide
-        $ = ".iConloCaTiON = " nocase ascii wide
-        
-    condition:
-        7 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_gamaredon_gamaredon_lnk_usb_spreader_encoded.yar b/yara_rules/sekoiaio_apt_gamaredon_gamaredon_lnk_usb_spreader_encoded.yar
deleted file mode 100644
index 69b90f4..0000000
--- a/yara_rules/sekoiaio_apt_gamaredon_gamaredon_lnk_usb_spreader_encoded.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_apt_gamaredon_gamaredon_lnk_usb_spreader_encoded {
-    meta:
-        id = "e42bb654-d1aa-4219-b3da-dd4053d59a83"
-        version = "1.0"
-        description = "Detects encoded version of Gamaredon LNK USB Spreader"
-        author = "Sekoia.io"
-        hash = "28358a4a6acdcdfc6d41ea642220ef98c63b9c3ef2268449bb02d2e2e71e7c01"
-        creation_date = "2023-06-19"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(" ascii
-        $s2 = " 1000000){" base64
-        $s3 = "+\"\\$" base64
-        $s4 = ",3\";" base64
-        
-    condition:
-        $s1 at 0 and 3 of them and filesize < 4000
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_gamaredon_gammaload_malicioushta.yar b/yara_rules/sekoiaio_apt_gamaredon_gammaload_malicioushta.yar
deleted file mode 100644
index f1155a8..0000000
--- a/yara_rules/sekoiaio_apt_gamaredon_gammaload_malicioushta.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_apt_gamaredon_gammaload_malicioushta {
-    meta:
-        id = "e5e502db-7f37-40f2-9ba3-81e158e767db"
-        version = "1.0"
-        description = "Detects Gamaredon's GammaLoad HTA"
-        author = "Sekoia.io"
-        creation_date = "2022-08-01"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "platform = window.navigator?.userAgentData?.platform" ascii fullword
-        $s2 = "'Win32', 'Win64', 'Windows', 'WinCE'" ascii
-        $s3 = "dcreate.download ="
-        $s4 = "dcreate.href = 'data:application/x-rar-compressed;base64"
-        $s5 = "= \"UmFyI"
-        
-    condition:
-        uint32be(0) == 0x3c68746d and
-        filesize < 400KB and filesize > 50KB and
-        4 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_gamaredon_gammaload_maliciouslnk.yar b/yara_rules/sekoiaio_apt_gamaredon_gammaload_maliciouslnk.yar
deleted file mode 100644
index c60dc33..0000000
--- a/yara_rules/sekoiaio_apt_gamaredon_gammaload_maliciouslnk.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_apt_gamaredon_gammaload_maliciouslnk {
-    meta:
-        id = "2612e6c6-0bda-4bfa-a840-aa0a0b4c945b"
-        version = "1.0"
-        description = "Detects Gamaredon's GammaLoad LNK"
-        author = "Sekoia.io"
-        creation_date = "2022-08-01"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $mshta = "System32\\mshta.exe"
-        $trait = { 0D 0A ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 0D 0A }
-        
-    condition:
-        uint32be(0) == 0x4c000000 and
-        #trait > 100 and $mshta and
-        filesize > 100KB and filesize < 300KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_gamaredon_getlogicaldrive_hunting.yar b/yara_rules/sekoiaio_apt_gamaredon_getlogicaldrive_hunting.yar
deleted file mode 100644
index 93d6948..0000000
--- a/yara_rules/sekoiaio_apt_gamaredon_getlogicaldrive_hunting.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_apt_gamaredon_getlogicaldrive_hunting {
-    meta:
-        id = "18958ee8-7eb8-43b5-8ad2-be93bb39aa80"
-        version = "1.0"
-        description = "Detects gamaredon powershell stuff"
-        author = "Sekoia.io"
-        creation_date = "2023-02-08"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "VolumeSerialNumber" ascii wide nocase
-        $ = "Get-WmiObject" ascii wide nocase
-        $ = "]::ToUInt32(" ascii wide nocase
-        $ = "DeviceID" ascii wide nocase
-        $ = "UploadValues" ascii wide nocase
-        $ = "UploadString" ascii wide nocase
-        
-    condition:
-        5 of them and filesize < 500KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_gamaredon_htmlsmuggling_2024.yar b/yara_rules/sekoiaio_apt_gamaredon_htmlsmuggling_2024.yar
deleted file mode 100644
index bd6803a..0000000
--- a/yara_rules/sekoiaio_apt_gamaredon_htmlsmuggling_2024.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule sekoiaio_apt_gamaredon_htmlsmuggling_2024 {
-    meta:
-        id = "8fa1f80b-2261-4d63-92d8-7c360be73fe2"
-        version = "1.0"
-        description = "Detects HTML Smuggling webpages of Gamaredon used in 2024"
-        author = "Sekoia.io"
-        creation_date = "2024-09-09"
-        classification = "TLP:CLEAR"
-        hash = "ab2807824e68d5efb4c896e1af82e693"
-        hash = "926b7e65d0d61cd6ba9e085193ae8b1d"
-        
-    strings:
-        $ = "').innerHTML;window['" ascii fullword
-        $ = "='at'+'ob';"
-        $ = "]('*','');"
-        $ = "display:none"
-        $ = "0px;\" onerror=\""
-        $ = "'ev'+'"
-        $ = "<!DOCTYPE html PUBLIC"
-        
-    condition:
-        5 of them and filesize < 1MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_gamaredon_htmlsmuggling_attachment.yar b/yara_rules/sekoiaio_apt_gamaredon_htmlsmuggling_attachment.yar
deleted file mode 100644
index d34373c..0000000
--- a/yara_rules/sekoiaio_apt_gamaredon_htmlsmuggling_attachment.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_apt_gamaredon_htmlsmuggling_attachment {
-    meta:
-        id = "a39b6e67-9327-4c5b-902a-b9853cfefc8e"
-        version = "1.0"
-        description = "Detects Gamaredon HTMLSmuggling attachment"
-        author = "Sekoia.io"
-        creation_date = "2023-01-20"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "['at'+'ob'](" ascii
-        $ = "['ev'+'al'](" ascii
-        $ = "document.querySelectorAll('[" ascii
-        $ = "[0].innerHTML.split(' ').join('')))" ascii
-        
-    condition:
-        filesize < 1MB and
-        2 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_gamaredon_htmlsmuggling_attachment_stage2.yar b/yara_rules/sekoiaio_apt_gamaredon_htmlsmuggling_attachment_stage2.yar
deleted file mode 100644
index b8d0fd2..0000000
--- a/yara_rules/sekoiaio_apt_gamaredon_htmlsmuggling_attachment_stage2.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_apt_gamaredon_htmlsmuggling_attachment_stage2 {
-    meta:
-        id = "e82335ea-48d5-409c-a270-cfd5a2197c44"
-        version = "1.0"
-        description = "Detects Gamaredon HTMLSmuggling attachment"
-        author = "Sekoia.io"
-        creation_date = "2023-01-20"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = ") == -1) die();" ascii
-        $ = "'data:application/x-rar-compressed;base64, ' +" ascii
-        $ = ".appendChild(img);" ascii
-        $ = "['Win32', 'Win64', 'Windows', 'WinCE'].indexOf(" ascii
-        $ = " = navigator[\"platform\"];" ascii
-        
-    condition:
-        4 of them and filesize < 1MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_gamaredon_lnk.yar b/yara_rules/sekoiaio_apt_gamaredon_lnk.yar
deleted file mode 100644
index 349a4a1..0000000
--- a/yara_rules/sekoiaio_apt_gamaredon_lnk.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule sekoiaio_apt_gamaredon_lnk {
-    meta:
-        id = "bfa69d84-433c-4f37-93b7-5b1b11677fbb"
-        version = "1.0"
-        description = "Detects lnk file used by Gamaredon"
-        author = "Sekoia.io"
-        creation_date = "2024-02-08"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "-windowstyle hidden $(gc " wide
-        $s2 = "|out-string)|powershell -noprofile -" wide
-        
-    condition:
-        uint32be(0) == 0x4c000000 and any of them  and filesize < 100KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_gamaredon_lnk_spreader.yar b/yara_rules/sekoiaio_apt_gamaredon_lnk_spreader.yar
deleted file mode 100644
index 92f128f..0000000
--- a/yara_rules/sekoiaio_apt_gamaredon_lnk_spreader.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_apt_gamaredon_lnk_spreader {
-    meta:
-        id = "2866ca1d-c094-49ba-b1de-ff9a60680e28"
-        version = "1.0"
-        description = "Detects LNK generated by Gamaredon LNK spreader"
-        author = "Sekoia.io"
-        hash = "7d6264ce74e298c6d58803f9ebdb4a40b4ce909d02fd62f54a1f8d682d73519a"
-        creation_date = "2023-06-19"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "windoWSTYLE hiDdEn -NOlOgo iEX" wide nocase
-        $ = "(IeX (geT-coNtEnT" wide nocase
-        
-    condition:
-        uint32be(0) == 0x4C000000 
-        and filesize < 3KB
-        and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_gamaredon_lnks_farl139_hostname.yar b/yara_rules/sekoiaio_apt_gamaredon_lnks_farl139_hostname.yar
deleted file mode 100644
index 1fc2d82..0000000
--- a/yara_rules/sekoiaio_apt_gamaredon_lnks_farl139_hostname.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_apt_gamaredon_lnks_farl139_hostname {
-    meta:
-        id = "f8bb2e6b-e544-46b0-b61b-048fe84e1100"
-        version = "1.0"
-        description = "Detects some hostname used in Gamaredon LNKs"
-        author = "Sekoia.io"
-        creation_date = "2023-01-20"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "desktop-farl139"
-        
-    condition:
-        uint32be(0) == 0x4c000000
-        and all of them 
-        and filesize < 10KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_gamaredon_powerrevshell.yar b/yara_rules/sekoiaio_apt_gamaredon_powerrevshell.yar
deleted file mode 100644
index d8805e2..0000000
--- a/yara_rules/sekoiaio_apt_gamaredon_powerrevshell.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_apt_gamaredon_powerrevshell {
-    meta:
-        id = "b5161c23-c607-4096-9f4a-1be516a0a614"
-        version = "1.0"
-        description = "Detects Powershell reverse shell"
-        author = "Sekoia.io"
-        creation_date = "2023-02-08"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "iex $enc.GetString("
-        $ = "$stream.Write"
-        $ = ".).FullName"
-        $ = "Sockets.TcpClient"
-        $ = "\">\";"
-        
-    condition:
-        all of them and filesize < 3000
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_gamaredon_stealer_obfuscation_1.yar b/yara_rules/sekoiaio_apt_gamaredon_stealer_obfuscation_1.yar
deleted file mode 100644
index 25e0aca..0000000
--- a/yara_rules/sekoiaio_apt_gamaredon_stealer_obfuscation_1.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_apt_gamaredon_stealer_obfuscation_1 {
-    meta:
-        id = "a6197d16-8ed1-410b-8814-d7eff9a8096c"
-        version = "1.0"
-        description = "Matches the Gamaredon Stealer obfuscation"
-        author = "Sekoia.io"
-        creation_date = "2022-02-04"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = { 76 61 72 20 [5-30] 3d 20 6e 65 77 20 6f 62 6a 65 63 74 5b 5d 20 7b 20 [2-10] 2c 20 [2-10] 2c 20 [2-10] 2c 20 [2-10] 2c 20 [2-10] 2c 20 [2-10] 20 7d 3b }
-        $s2 = { 66 6f 72 28 69 6e 74 20 [5-30] 20 3d 20 30 3b 20 [5-30] 20 3c 20 31 30 3b 20 [5-30] 2b 2b 29 }
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize > 100MB and
-        (#s1 > 100 or #s2 > 100)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_gamaredon_stealer_obfuscation_2.yar b/yara_rules/sekoiaio_apt_gamaredon_stealer_obfuscation_2.yar
deleted file mode 100644
index ad20737..0000000
--- a/yara_rules/sekoiaio_apt_gamaredon_stealer_obfuscation_2.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_apt_gamaredon_stealer_obfuscation_2 {
-    meta:
-        id = "fd278a90-537b-4c67-9421-01c9f2416b60"
-        version = "1.0"
-        description = "Matches the Gamaredon Stealer obfuscation"
-        author = "Sekoia.io"
-        creation_date = "2022-02-04"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = { 3d 20 6e 65 77 20 73 74 72 69 6e 67 5b 5d 20 7b 20 [50-200] 20 7d 3b }
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize > 100MB   and
-        #s1 > 40
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_gamaredon_subtle_paws.yar b/yara_rules/sekoiaio_apt_gamaredon_subtle_paws.yar
deleted file mode 100644
index 7010fc9..0000000
--- a/yara_rules/sekoiaio_apt_gamaredon_subtle_paws.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_apt_gamaredon_subtle_paws {
-    meta:
-        id = "1950f886-97d2-4aa1-8f13-2947eba706e4"
-        version = "1.0"
-        description = "SUBTLE-PAWS powershell backdoor used by Gamaredon"
-        author = "Sekoia.io"
-        creation_date = "2024-02-09"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "$splitter" ascii wide
-        $s2 = "[System.Convert]::FromBase64String" ascii wide
-        $s3 = "$_;$var2 =\"var1\";$var3" ascii wide
-        $s4 = "foreach-object{$_|powershell -noprofile -}" ascii wide
-        
-    condition:
-        $s1 and $s2 and ($s3 or $s4) and filesize < 100KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_gamaredon_vbs_downloader.yar b/yara_rules/sekoiaio_apt_gamaredon_vbs_downloader.yar
deleted file mode 100644
index 4b7c126..0000000
--- a/yara_rules/sekoiaio_apt_gamaredon_vbs_downloader.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule sekoiaio_apt_gamaredon_vbs_downloader {
-    meta:
-        id = "13b63570-2f18-4b35-8087-9ab15c58a0d1"
-        version = "1.0"
-        description = "Detects small VBS loader"
-        author = "Sekoia.io"
-        creation_date = "2023-02-08"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "on error resume next" nocase ascii wide
-        $s2 = "String('http" nocase ascii wide
-        $s3 = "send()" nocase ascii wide
-        $s4 = ")|Invoke-Expression" nocase ascii wide
-        $s5 = "'); Invoke-Expression $" nocase ascii wide
-        $s6 = "');Invoke-Expression $" nocase ascii wide
-        
-    condition:
-        $s1 and 
-        ($s2 or $s3) and 
-        ($s4 or $s5 or $s6) and 
-        filesize < 1KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_gelsemium_firewood_backdoor.yar b/yara_rules/sekoiaio_apt_gelsemium_firewood_backdoor.yar
deleted file mode 100644
index 86ce99e..0000000
--- a/yara_rules/sekoiaio_apt_gelsemium_firewood_backdoor.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_apt_gelsemium_firewood_backdoor {
-    meta:
-        id = "93670c07-9edd-4ea2-b8ed-6fee625491f4"
-        version = "1.0"
-        description = "Detects Gelsemium's FireWood backdoor"
-        author = "Sekoia.io"
-        creation_date = "2024-11-22"
-        classification = "TLP:CLEAR"
-        hash = "2251bc7910fe46fd0baf8bc05599bdcf"
-        
-    strings:
-        $ = "root dir:%s"
-        $ = "df -h|grep 'dev' |grep -v none|awk '/dev/{print $6}'"
-        $ = "rm -rf ../lib/%s"
-        $ = "Total Disk space:%luG, Free Disk spae:%luG"
-        
-    condition:
-        uint32be(0) == 0x7f454c46 and 
-        filesize < 1MB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_gelsemium_wolfsbane_backdoor.yar b/yara_rules/sekoiaio_apt_gelsemium_wolfsbane_backdoor.yar
deleted file mode 100644
index 8f6a71c..0000000
--- a/yara_rules/sekoiaio_apt_gelsemium_wolfsbane_backdoor.yar
+++ /dev/null
@@ -1,25 +0,0 @@
-rule sekoiaio_apt_gelsemium_wolfsbane_backdoor {
-    meta:
-        id = "db2ad5a4-b592-4646-a385-c668bb2ea090"
-        version = "1.0"
-        description = "Detects Gelsemium's WolfsBane backdoor"
-        author = "Sekoia.io"
-        creation_date = "2024-11-22"
-        classification = "TLP:CLEAR"
-        hash = "1418fe9a743226b9661a2b6decb19db0"
-        
-    strings:
-        $ = "udp_session"
-        $ = "session_interface"
-        $ = "plugin_persist"
-        $ = "Udp.cpp"
-        $ = "ikcp.c"
-        $ = "' %s 2>/dev/null"
-        
-    condition:
-        uint32be(0) == 0x7f454c46 and
-        filesize > 3MB and
-        filesize < 4MB and
-        4 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_gelsemium_wolfsbane_launcher.yar b/yara_rules/sekoiaio_apt_gelsemium_wolfsbane_launcher.yar
deleted file mode 100644
index 961f1fa..0000000
--- a/yara_rules/sekoiaio_apt_gelsemium_wolfsbane_launcher.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_apt_gelsemium_wolfsbane_launcher {
-    meta:
-        id = "26fbf4df-aa08-47b6-a73c-e8f80a408454"
-        version = "1.0"
-        description = "Detects Gelsemium's WolfsBane launcher"
-        author = "Sekoia.io"
-        creation_date = "2024-11-22"
-        classification = "TLP:CLEAR"
-        hash = "87e437cf74ce4b1330b8af9ff71edae2"
-        
-    strings:
-        $ = "rm -f /dev/shm/sem*%s"
-        $ = "/etc/ld.so.preload"
-        $ = "kill -9 %d 2>/dev/null"
-        $ = "/,1d' %s 2>/dev/null"
-        
-    condition:
-        uint32be(0) == 0x7F454C46 and 
-        filesize < 500KB and 
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_gelsemium_wolfsbane_rootkit.yar b/yara_rules/sekoiaio_apt_gelsemium_wolfsbane_rootkit.yar
deleted file mode 100644
index fd741b5..0000000
--- a/yara_rules/sekoiaio_apt_gelsemium_wolfsbane_rootkit.yar
+++ /dev/null
@@ -1,25 +0,0 @@
-rule sekoiaio_apt_gelsemium_wolfsbane_rootkit {
-    meta:
-        id = "e93f4515-62f5-4057-a464-aae11cbe0639"
-        version = "1.0"
-        description = "Detects Gelsemium's WolfsBane rootkit"
-        author = "Sekoia.io"
-        creation_date = "2024-11-22"
-        classification = "TLP:CLEAR"
-        hash = "ba08e63ad65a9bdcdb1655f25d32c808"
-        
-    strings:
-        $ = "__non_hooked_symbols"
-        $ = "__hidden_literals"
-        $ = "extract_type_2_socket_inode2"
-        $ = "/proc/%s/fd"
-        $ = "pluginkey" wide
-        $ = "mainpath" wide
-        $ = "hiderpath" wide
-        
-    condition:
-        uint32be(0) == 0x7f454c46 and 
-        filesize < 1MB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_globalshadow.yar b/yara_rules/sekoiaio_apt_globalshadow.yar
deleted file mode 100644
index 58f9246..0000000
--- a/yara_rules/sekoiaio_apt_globalshadow.yar
+++ /dev/null
@@ -1,29 +0,0 @@
-rule sekoiaio_apt_globalshadow {
-    meta:
-        id = "2fef6192-25a6-4d6a-8e19-53ad51617d90"
-        version = "1.0"
-        description = "Detects the GLOBALSHADOW malware"
-        author = "Sekoia.io"
-        creation_date = "2024-09-04"
-        classification = "TLP:CLEAR"
-        hash = "68c16b6f178c88c12c9555169887c321"
-        
-    strings:
-        $command1 = "time to rest"  wide
-        $command2 = "pw" wide
-        $command3 = "pr" wide
-        $command4 = "dnld" wide
-        $step1 = "step1-" wide
-        $step2 = "step2-" wide
-        $step3 = "step3-" wide
-        $step4 = "step4-" wide
-        $step5 = "step5-" wide
-        $step6 = "step6-" wide
-        $delim = "]#@#[" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and 
-        2 of ($command*) and 3 of ($step*) and $delim and
-        true
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_gobrat_2.yar b/yara_rules/sekoiaio_apt_gobrat_2.yar
deleted file mode 100644
index 522c75c..0000000
--- a/yara_rules/sekoiaio_apt_gobrat_2.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule sekoiaio_apt_gobrat_2 {
-    meta:
-        id = "6b7e38f5-00bc-49c8-b34d-3e878bf426d8"
-        version = "1.0"
-        description = "Detects GobRat related files"
-        author = "Sekoia.io"
-        creation_date = "2024-09-10"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "thisisweird" ascii
-        $ = "ZzZzZzZzZzZz"
-        
-    condition:
-        all of them and uint32be(0) == 0x7f454c46
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_granitetyphoon_pingpulllinux_strings.yar b/yara_rules/sekoiaio_apt_granitetyphoon_pingpulllinux_strings.yar
deleted file mode 100644
index e1d57c3..0000000
--- a/yara_rules/sekoiaio_apt_granitetyphoon_pingpulllinux_strings.yar
+++ /dev/null
@@ -1,26 +0,0 @@
-rule sekoiaio_apt_granitetyphoon_pingpulllinux_strings {
-    meta:
-        id = "ee213206-d9ad-47fa-bea1-61a9d2cfba58"
-        version = "1.0"
-        description = "Detects PingPull Linux variant"
-        author = "Sekoia.io"
-        creation_date = "2023-05-25"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "chkconfig --add %s"
-        $ = "chkconfig %s on"
-        $ = "update-rc.d %s enable"
-        $ = "service %s start"
-        $ = "respawn limit 10 10"
-        $ = "POST /%s HTTP/1.1"
-        $ = "PROJECT_%s_%s_%08X"
-        $ = "Description=The HTTP(S) Client"
-        $ = "exec %s -f"
-        
-    condition:
-        uint32be(0) == 0x7f454c46 and
-        filesize < 11MB and
-        7 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_granitetyphoon_sword2023_strings.yar b/yara_rules/sekoiaio_apt_granitetyphoon_sword2023_strings.yar
deleted file mode 100644
index 87b8256..0000000
--- a/yara_rules/sekoiaio_apt_granitetyphoon_sword2023_strings.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_apt_granitetyphoon_sword2023_strings {
-    meta:
-        id = "417b355f-9eb8-40ae-bc3b-f7f23b5ca63e"
-        version = "1.0"
-        description = "Detects Sword2023 malware based on strings"
-        author = "Sekoia.io"
-        creation_date = "2023-05-25"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "TERM=linux"
-        $ = ";echo"
-        $ = "sh:time out"
-        $ = "sh:read stdout error"
-        $ = "/proc/sys/kernel/random/uuid"
-        
-    condition:
-        (uint32be(0) == 0x7f454c46) and
-        filesize < 100KB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_icepeony_icecache.yar b/yara_rules/sekoiaio_apt_icepeony_icecache.yar
deleted file mode 100644
index 616cdb8..0000000
--- a/yara_rules/sekoiaio_apt_icepeony_icecache.yar
+++ /dev/null
@@ -1,47 +0,0 @@
-rule sekoiaio_apt_icepeony_icecache {
-    meta:
-        id = "3135c70e-c925-4d26-beed-09424fc0c153"
-        version = "1.0"
-        description = "Detects IceCache backdoor"
-        author = "Sekoia.io"
-        creation_date = "2024-10-21"
-        classification = "TLP:CLEAR"
-        hash = "38708c33dafb5625ddde1030a7efa7db"
-        hash = "1e102c8909b2bf71c626b81f7526ee01"
-        hash = "34bc3c586a48f836b00aff59fe891b30"
-        hash = "cd906f4cef84dddeb644b06777474b2e"
-        hash = "add23fedfbf238f51173796f3feb12af"
-        hash = "25b8daaa5e9c5f8820261d7ebf79f3cd"
-        hash = "7fd45cc1de1230c916d5f547a9fc725c"
-        hash = "e6e4060e838d7af5f13ad64258d5db0c"
-        hash = "87dfc911885420380bea0cf74c8160d3"
-        hash = "bd15103b300cad635191972330913d17"
-        hash = "a8119b7803a6e0b8aed6bc74d9062b7f"
-        hash = "e1bc3efc33b57c9e1e6d37e5011228f2"
-        hash = "e1233a5f613aafec2c28133e810f536d"
-        hash = "fe88a5b91841b25b4bafa08d42faab22"
-        
-    strings:
-        $ = "Source Response Empty!"
-        $ = "Source Response Len:"
-        $ = "GetFromSource:"
-        $ = "Failed add header!"
-        $ = "Failed receive response:"
-        $ = "Error: Status Code :"
-        $ = "WinHttpAddRequestHeaders"
-        $ = "X-FORWARDED-HOST:"
-        $ = "PROXY_DEL_CONTENT"
-        $ = "PROXY_CLEAR_CONTENT"
-        $ = "PROXY_SET_JS"
-        $ = "PROXY_GET_JS"
-        $ = "PROXY_ALLOW_PC"
-        $ = "Parse IP failed :"
-        $ = "Clear Proxy Contents Success!"
-        $ = "FILE_UPLOAD"
-        $ = "FILE_DOWNLOAD"
-        
-    condition:
-        uint16be(0) == 0x4d5a and filesize < 1MB and
-        6 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_icepeony_iceevent.yar b/yara_rules/sekoiaio_apt_icepeony_iceevent.yar
deleted file mode 100644
index 51cead4..0000000
--- a/yara_rules/sekoiaio_apt_icepeony_iceevent.yar
+++ /dev/null
@@ -1,25 +0,0 @@
-rule sekoiaio_apt_icepeony_iceevent {
-    meta:
-        id = "7d1f8b90-fde4-4d5c-a8a3-375db8aa88a1"
-        version = "1.0"
-        description = "Detects IceEvent Backdoor"
-        author = "Sekoia.io"
-        creation_date = "2024-10-21"
-        classification = "TLP:CLEAR"
-        hash = "07c291c9cea4430676c303128bbbb8e3"
-        hash = "489b573b37ab8bc74cca3704e723b895"
-        hash = "265f6cf778d26e62903fb295f89507e3"
-        hash = "f5eb28dd29c91cc84818b74d7f138ff6"
-        
-    strings:
-        $ = "Created a process" ascii fullword
-        $ = "CreateProcess failed: %d"
-        $ = "bind error:"
-        $ = "Error creating pip: %d"
-        $ = "listen error:"
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        4 of them and filesize < 500KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_implant_xdealer_linux_variant_strings.yar b/yara_rules/sekoiaio_apt_implant_xdealer_linux_variant_strings.yar
deleted file mode 100644
index afe0e0a..0000000
--- a/yara_rules/sekoiaio_apt_implant_xdealer_linux_variant_strings.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_apt_implant_xdealer_linux_variant_strings {
-    meta:
-        id = "42690513-753f-4296-b641-4d3b59a5e5e1"
-        version = "1.0"
-        description = "Detects XDealer linux variant"
-        author = "Sekoia.io"
-        creation_date = "2024-03-22"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "ls -l /proc/%s/exe"
-        $ = "Linux_%s_%s_%u"
-        $ = "chkconfig --add"
-        $ = "cmd over return [%s]"
-        $ = "touch   -d"
-        $ = "%s can't be opened/n"
-        $ = "/proc/%s/status"
-        
-    condition:
-        uint32be(0) == 0x7f454c46 and 3 of them and filesize < 1MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_implant_xdealer_stealer_strings.yar b/yara_rules/sekoiaio_apt_implant_xdealer_stealer_strings.yar
deleted file mode 100644
index 6c75bb2..0000000
--- a/yara_rules/sekoiaio_apt_implant_xdealer_stealer_strings.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_apt_implant_xdealer_stealer_strings {
-    meta:
-        id = "6314cf6c-2c3b-4e9a-87a1-b56ee148474c"
-        version = "1.0"
-        description = "Detects stealer module of XDealer"
-        author = "Sekoia.io"
-        creation_date = "2024-03-22"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "%sbmp.tmp"
-        $ = "%sjgp.tmp"
-        $ = "%sma_%s_%05u_%u."
-        $ = "%s%s_%05u_%u."
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 500KB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_implant_xdealer_strings.yar b/yara_rules/sekoiaio_apt_implant_xdealer_strings.yar
deleted file mode 100644
index b18af9f..0000000
--- a/yara_rules/sekoiaio_apt_implant_xdealer_strings.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_apt_implant_xdealer_strings {
-    meta:
-        id = "06ef72ca-b4e3-493b-8e01-d34b98259c6d"
-        version = "1.0"
-        description = "Detects XDealer based on strings"
-        author = "Sekoia.io"
-        creation_date = "2024-03-22"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "unknow_PC"
-        $ = "rdp-tcp#"
-        $ = "Din_%s_%s_%u_"
-        $ = "nslookup %s %s"
-        $ = "XFByb2dyYW1EYXRhXA=="
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        3 of them and filesize < 1MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_implant_xdealer_vbs_launcher_strings.yar b/yara_rules/sekoiaio_apt_implant_xdealer_vbs_launcher_strings.yar
deleted file mode 100644
index 9d5d267..0000000
--- a/yara_rules/sekoiaio_apt_implant_xdealer_vbs_launcher_strings.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_apt_implant_xdealer_vbs_launcher_strings {
-    meta:
-        id = "ebfc8a33-70dc-44d5-bc4a-07afc56f8254"
-        version = "1.0"
-        description = "Detects XDealer VBS Launcher"
-        author = "Sekoia.io"
-        creation_date = "2024-03-22"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "Dim objws"
-        $s2 = "Set objws="
-        $s3 = "objws.Run \"\"\"C:\\ProgramData\\"
-        
-    condition:
-       $s1 at 0 and all of them and filesize < 200
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_ir_sugarush_implant.yar b/yara_rules/sekoiaio_apt_ir_sugarush_implant.yar
deleted file mode 100644
index 9e5dd24..0000000
--- a/yara_rules/sekoiaio_apt_ir_sugarush_implant.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_apt_ir_sugarush_implant {
-    meta:
-        id = "bcf057cc-272c-4cb6-bb76-928788675282"
-        version = "1.0"
-        description = "Detects the SUGARUSH implant"
-        author = "Sekoia.io"
-        creation_date = "2022-08-23"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "You are offline at " wide
-        $ = "\\Logs\\ServiceLog_" wide
-        $ = "Service is recall at" wide
-        $ = "add_OutputDataReceived" ascii
-        $ = "get_CurrentDomain" ascii
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 100KB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_ivanti_krustyloader.yar b/yara_rules/sekoiaio_apt_ivanti_krustyloader.yar
deleted file mode 100644
index c84bfa0..0000000
--- a/yara_rules/sekoiaio_apt_ivanti_krustyloader.yar
+++ /dev/null
@@ -1,29 +0,0 @@
-rule sekoiaio_apt_ivanti_krustyloader {
-    meta:
-        id = "617fdd5f-7555-49e8-b0ec-2199f017dc40"
-        version = "1.0"
-        description = "Detects KrustyLoader used in the Ivanti campaign"
-        author = "Sekoia.io"
-        creation_date = "2024-01-29"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "/proc/self/exe" ascii fullword
-        $s2 = "||||||||||||||"
-        $s3 = "/tmp/"
-        $xor = {40 80 f5}
-        $chunk_1 = {
-        66 0F EF D0
-        66 0F 6F C3
-        66 0F 73 F8 0C
-        66 0F EF C1
-        66 0F EF C2
-        66 0F EF C3
-        } // used for crypto but not specific to Krustyloader
-        
-    condition:
-        uint32be(0) == 0x7f454c46 and filesize < 2MB and all of them
-        and #xor > 2 and #chunk_1 > 6
-        and @s3 < @s2 and @s2 < @s3+300 //$s2 is less than 300 bytes after $s3
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_kimsuky_fpspy.yar b/yara_rules/sekoiaio_apt_kimsuky_fpspy.yar
deleted file mode 100644
index 9da918d..0000000
--- a/yara_rules/sekoiaio_apt_kimsuky_fpspy.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-rule sekoiaio_apt_kimsuky_fpspy {
-    meta:
-        id = "75d41851-a7a6-4068-8ea5-6a3e6e62a965"
-        version = "1.0"
-        description = "Detects FPSpy, a backdoor used by Kimsuky"
-        author = "Sekoia.io"
-        creation_date = "2024-09-27"
-        classification = "TLP:CLEAR"
-        hash = "6d6c1b175e435f5564341cc1f2c33ddf"
-        hash = "54c58b72f98cb63c44e7694add551e9d"
-        
-    strings:
-        $ = "Chrome/31.0." wide
-        $ = "%srundll32.exe %s, %s %%1" wide
-        $ = "MazeFunc" wide
-        $ = "sys.dll" wide
-        $ = "KLog" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        4 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_kimsuky_klogexe.yar b/yara_rules/sekoiaio_apt_kimsuky_klogexe.yar
deleted file mode 100644
index 82d6d1a..0000000
--- a/yara_rules/sekoiaio_apt_kimsuky_klogexe.yar
+++ /dev/null
@@ -1,33 +0,0 @@
-rule sekoiaio_apt_kimsuky_klogexe {
-    meta:
-        id = "f6e3b1a5-43b6-4dac-83c2-a365c41de38d"
-        version = "1.0"
-        description = "Detects KLogExe, a keylogger used by Kimsuky"
-        author = "Sekoia.io"
-        creation_date = "2024-09-27"
-        classification = "TLP:CLEAR"
-        hash = "e1d683ee1746c08c5fff1c4c2b3b02f0"
-        hash = "90946c6358eacd119fe1eb36ec7a0a18"
-        hash = "9760f489a390665b5e7854429b550c83"
-        
-    strings:
-        //$ = "GetAsyncKeyState" ascii wide
-        //$ = "desktops.ini" ascii wide
-        $event = "Norton_BreakHelper" ascii wide
-        $log = "------ %d/%d/%d : %d/%d ------" ascii wide
-        
-        $keylog_1 = "[RM+]"
-        $keylog_2 = "[Tab+]"
-        $keylog_3 = "[Home+]"
-        $keylog_4 = "[End+]"
-        $keylog_5 = "[clip_s]: %s "
-        $keylog_6 = "%s[Too many clip_tail]"
-        $keylog_7 = "%s[F%d]"
-        
-        $user_agent = "Chrome/31.0." wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and filesize < 600KB and 
-        8 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_kimsuky_malicious_gotopwsh_lnk.yar b/yara_rules/sekoiaio_apt_kimsuky_malicious_gotopwsh_lnk.yar
deleted file mode 100644
index 2f73bea..0000000
--- a/yara_rules/sekoiaio_apt_kimsuky_malicious_gotopwsh_lnk.yar
+++ /dev/null
@@ -1,16 +0,0 @@
-rule sekoiaio_apt_kimsuky_malicious_gotopwsh_lnk {
-    meta:
-        id = "cfe9adf5-2c06-4d04-8006-c4eea0dab549"
-        version = "1.0"
-        description = "Detects malicious LNK used by Kimsuky"
-        author = "Sekoia.io"
-        creation_date = "2023-09-11"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = {67 00 6f 00 74 00 6f 00 26 00 70 00 5e 00 6f 00 77 00 5e 00 65 00 5e 00 72 00 73 00 5e 00 68 00 65 00 5e 00 6c 00 5e 00 6c}
-        
-    condition:
-        uint32be(0) == 0x4c000000 and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_kimsuky_malicious_vba.yar b/yara_rules/sekoiaio_apt_kimsuky_malicious_vba.yar
deleted file mode 100644
index 313aecd..0000000
--- a/yara_rules/sekoiaio_apt_kimsuky_malicious_vba.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_apt_kimsuky_malicious_vba {
-    meta:
-        id = "2dbe2431-3592-4395-8164-49abae4a5a3d"
-        version = "1.0"
-        description = "Detects malicious VBA used by Kimsuky"
-        author = "Sekoia.io"
-        creation_date = "2022-08-30"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "Certutil -decode %TMP%"
-        $ = "%LOCALAPPDATA%\\Microsoft\\Office"
-        
-    condition:
-        uint32be(0) == 0xD0CF11E0 and 
-        filesize < 1MB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_kimsuky_powershell.yar b/yara_rules/sekoiaio_apt_kimsuky_powershell.yar
deleted file mode 100644
index 1b3c688..0000000
--- a/yara_rules/sekoiaio_apt_kimsuky_powershell.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_apt_kimsuky_powershell {
-    meta:
-        id = "b7f812e0-d08b-40fe-908a-dc5765d6bc66"
-        version = "1.0"
-        description = "Powershell scripts used by Kimsuky. If size < 3KB ok. If between 3 and 15, a check is needed"
-        author = "Sekoia.io"
-        creation_date = "2024-09-23"
-        classification = "TLP:CLEAR"
-        hash = "6babb53d881448dc58dd7c32fcd4208a"
-        hash = "29ec7a4495ea512d44d33c9847893200"
-        hash = "fde68771cebd7ecd81721b0dff5b7869"
-        hash = "0c3fd7f45688d5ddb9f0107877ce2fbd"
-        hash = "1a1723be720c1d9cd57cf4a6a112df79"
-        
-    strings:
-        $ = ".ToCharArray();[array]::Reverse(" ascii
-        $ = ");$res = -join ($bytes -as [char[]]);Invoke-Expression $res;" ascii
-        
-    condition:
-        all of them and filesize < 15KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_kimsuky_powershell_dropper_strings.yar b/yara_rules/sekoiaio_apt_kimsuky_powershell_dropper_strings.yar
deleted file mode 100644
index 9d4f60c..0000000
--- a/yara_rules/sekoiaio_apt_kimsuky_powershell_dropper_strings.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_apt_kimsuky_powershell_dropper_strings {
-    meta:
-        id = "8b346e05-215b-46c0-82bf-fce3a65440f3"
-        version = "1.0"
-        description = "Detects a PowerShell dropper used by Kimsuky"
-        author = "Sekoia.io"
-        creation_date = "2024-06-11"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "try { " ascii wide
-        $s2 = "); } catch(e){} } if ("
-        $s3 = "WScript.Sleep("
-        $s4 = " } catch(e) { }"
-        
-    condition:
-        filesize > 500KB and
-        $s1 at 0 and $s2 in (filesize-1000..filesize)
-                 and $s3 in (filesize-1000..filesize)
-                 and $s4 in (filesize-1000..filesize)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_kimsuky_sharpext_compromised_securepreferences.yar b/yara_rules/sekoiaio_apt_kimsuky_sharpext_compromised_securepreferences.yar
deleted file mode 100644
index 6eba5a3..0000000
--- a/yara_rules/sekoiaio_apt_kimsuky_sharpext_compromised_securepreferences.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_apt_kimsuky_sharpext_compromised_securepreferences {
-    meta:
-        id = "aeda5d15-82e1-4ffc-8252-1eb4fc78d024"
-        version = "1.0"
-        description = "Detects compromised Chrome SecurePreferences file"
-        author = "Sekoia.io"
-        creation_date = "2022-07-29"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "\"devtools\", \"tabs\", \"webNavigation\", \"webRequest\", \"webRequestBlocking\""
-        $ = "AppData\\\\Roaming"
-        $ = "https://*/*"
-        
-    condition:
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_kimsuky_sharpext_devps1_strings.yar b/yara_rules/sekoiaio_apt_kimsuky_sharpext_devps1_strings.yar
deleted file mode 100644
index dfac653..0000000
--- a/yara_rules/sekoiaio_apt_kimsuky_sharpext_devps1_strings.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_apt_kimsuky_sharpext_devps1_strings {
-    meta:
-        id = "f2ad32a4-bfca-40b2-964e-b8562538a6f2"
-        version = "1.0"
-        description = "Detects strings of Dev.ps1"
-        author = "Sekoia.io"
-        creation_date = "2022-07-29"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "keybd_Event(" ascii fullword
-        $s2 = "Sleep" ascii fullword
-        $s3 = "CreateDev" ascii fullword
-        
-    condition:
-        filesize < 10KB and 
-        #s1 == 6 and #s2 == 6 and $s3
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_kimsuky_sharpext_devtoolmodule_strings.yar b/yara_rules/sekoiaio_apt_kimsuky_sharpext_devtoolmodule_strings.yar
deleted file mode 100644
index 3f83b96..0000000
--- a/yara_rules/sekoiaio_apt_kimsuky_sharpext_devtoolmodule_strings.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_apt_kimsuky_sharpext_devtoolmodule_strings {
-    meta:
-        id = "6f589a9c-344a-4ddc-929e-f123a2c3c187"
-        version = "1.0"
-        description = "Detects the DevTool module used by SharpExt"
-        author = "Sekoia.io"
-        creation_date = "2022-07-29"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "packetProc = function" ascii fullword
-        $ = "var url = request.request.url" ascii fullword
-        $ = "https://mail" ascii fullword
-        
-    condition:
-        all of them and filesize < 50KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_kimsuky_sharpext_jsexfil_strings.yar b/yara_rules/sekoiaio_apt_kimsuky_sharpext_jsexfil_strings.yar
deleted file mode 100644
index ab83bb1..0000000
--- a/yara_rules/sekoiaio_apt_kimsuky_sharpext_jsexfil_strings.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_apt_kimsuky_sharpext_jsexfil_strings {
-    meta:
-        id = "c9ebd123-6450-4424-93d1-60322bd97bf6"
-        version = "1.0"
-        description = "Detects the exfiltration JS code of SharpExt"
-        author = "Sekoia.io"
-        creation_date = "2022-07-29"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "var req_url" ascii fullword
-        $ = "var newReqId" ascii fullword
-        $ = "chrome.tabs.query" ascii fullword
-        $ = "payload.message.flags = new Object();" ascii fullword
-        
-    condition:
-        all of them and filesize < 50KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_kimsuky_sharptongue_c2_source.yar b/yara_rules/sekoiaio_apt_kimsuky_sharptongue_c2_source.yar
deleted file mode 100644
index ec2a710..0000000
--- a/yara_rules/sekoiaio_apt_kimsuky_sharptongue_c2_source.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_apt_kimsuky_sharptongue_c2_source {
-    meta:
-        id = "a2ccf773-511c-4088-8bcf-b923291d024b"
-        version = "1.0"
-        description = "Detects the PHP code of the SharpTongue C2"
-        author = "Sekoia.io"
-        creation_date = "2022-07-29"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "<?php"
-        $ = "foreach($_GET as $variable => $value)"
-        $ = "$chk=$value"
-        $ = "base64_encode($ip)"
-        
-    condition:
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_kimsuky_sharptongue_strings.yar b/yara_rules/sekoiaio_apt_kimsuky_sharptongue_strings.yar
deleted file mode 100644
index f84a1f8..0000000
--- a/yara_rules/sekoiaio_apt_kimsuky_sharptongue_strings.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_apt_kimsuky_sharptongue_strings {
-    meta:
-        id = "56027edb-4e6e-40ec-a1b9-36c52b0dd3ec"
-        version = "1.0"
-        description = "Detects SharpTongue variants."
-        author = "Sekoia.io"
-        creation_date = "2022-07-29"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "Post0.Open" ascii wide
-        $s2 = ".php?op=" ascii wide
-        $s3 = "s=s&Mid(c,ix*d+jx+1,1)" ascii wide
-        $s4 = "curl -o " ascii wide
-        
-    condition:
-        $s2 in (@s1..@s1+200) or $s2 in (@s4..@s4+200) or $s3 and filesize < 500KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_kimsuky_sharptongue_vbslauncher_strings.yar b/yara_rules/sekoiaio_apt_kimsuky_sharptongue_vbslauncher_strings.yar
deleted file mode 100644
index 9006a0b..0000000
--- a/yara_rules/sekoiaio_apt_kimsuky_sharptongue_vbslauncher_strings.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_apt_kimsuky_sharptongue_vbslauncher_strings {
-    meta:
-        id = "82bd648c-2961-4945-950e-8fb1e4650338"
-        version = "1.0"
-        description = "Detects VBS Launchers used by SharpTongue"
-        author = "Sekoia.io"
-        creation_date = "2022-07-29"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "powershell" ascii wide
-        $ = "On Error Resume Next" ascii wide
-        $ = "oShell.run(tmp0,0" ascii wide
-        
-    condition:
-        all of them and filesize < 10KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_kimsuky_toddlershark_obfuscated.yar b/yara_rules/sekoiaio_apt_kimsuky_toddlershark_obfuscated.yar
deleted file mode 100644
index 6bde94a..0000000
--- a/yara_rules/sekoiaio_apt_kimsuky_toddlershark_obfuscated.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_apt_kimsuky_toddlershark_obfuscated {
-    meta:
-        id = "9ab82466-4f38-4597-b75b-13252e180c70"
-        version = "1.0"
-        description = "Detects obfuscated version of Kimsuky TODDLERSHARK vbs malware"
-        author = "Sekoia.io"
-        creation_date = "2024-03-06"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = { 3a 20 [3-10] 20 3d 20 22 [3-30] 22 3a }
-        $s2 = { 45 78 65 63 75 74 65 28  [3-15] 28 22 }
-        $s3 = { 50 72 69 76 61 74 65 20 46 75 6e 63 74 69 6f 6e 20 [3-15] 28 42 79 56 61 6c 20 [3-15] 29 3a }
-        $s4 = "& Chr(\"&H\" & Mid("
-        
-    condition:
-        #s4 == 1 and #s3 == 1 and #s2 == 1 and #s1 > 20 and filesize < 1MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_kimsuky_toddlershark_strings.yar b/yara_rules/sekoiaio_apt_kimsuky_toddlershark_strings.yar
deleted file mode 100644
index 58d29a3..0000000
--- a/yara_rules/sekoiaio_apt_kimsuky_toddlershark_strings.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_apt_kimsuky_toddlershark_strings {
-    meta:
-        id = "2db1a424-9e83-4168-8ebf-d3b415b6a576"
-        version = "1.0"
-        description = "Detects Kimsuky TODDLERSHARK vbs malware"
-        author = "Sekoia.io"
-        creation_date = "2024-03-06"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "On Error Resume Next"
-        $ = ".open \"POST\", \"http"
-        $ = ".setRequestHeader"
-        $ = ".send"
-        $ = "Execute("
-        $ = ".responseText)"
-        
-    condition:
-        all of them and filesize < 450
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_kimsuky_validator_strings.yar b/yara_rules/sekoiaio_apt_kimsuky_validator_strings.yar
deleted file mode 100644
index 1d2c717..0000000
--- a/yara_rules/sekoiaio_apt_kimsuky_validator_strings.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_apt_kimsuky_validator_strings {
-    meta:
-        id = "e055f2d4-8318-4342-812e-0f621d7886b4"
-        version = "1.0"
-        description = "Detects Kimsuky validator"
-        author = "Sekoia.io"
-        creation_date = "2024-06-11"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "%s%sc %s >%s 2>&1" wide
-        $ = "%s%sc %s 2>%s" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_kimsuky_vbs.yar b/yara_rules/sekoiaio_apt_kimsuky_vbs.yar
deleted file mode 100644
index e294d9a..0000000
--- a/yara_rules/sekoiaio_apt_kimsuky_vbs.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule sekoiaio_apt_kimsuky_vbs {
-    meta:
-        id = "3f92dbda-2ddb-4fa3-a587-743f65ced9e4"
-        version = "1.0"
-        description = "VBS files used by Kimsuky"
-        author = "Sekoia.io"
-        creation_date = "2024-09-23"
-        classification = "TLP:CLEAR"
-        hash = "12386be22ca82fce98a83a5a19e632bc"
-        hash = "7b5783d42240651af78ebf7e01b31fe8"
-        hash = "ff7d68e5fb253664ce64c85457b28041"
-        hash = "622358469e5e24114dd0eb03da815576"
-        hash = "edbb2aa40408e2a7936067ace38b445b"
-        hash = "73ed9b012785dc3b3ee33aa52700cfe4"
-        
-    strings:
-        $ = ")):Next:Execute " ascii
-        $ = "=\"\":" ascii
-        $ = "\":for "
-        
-    condition:
-        all of them and filesize < 10KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_kimsuky_vbs_powershell_downloader.yar b/yara_rules/sekoiaio_apt_kimsuky_vbs_powershell_downloader.yar
deleted file mode 100644
index b6f536f..0000000
--- a/yara_rules/sekoiaio_apt_kimsuky_vbs_powershell_downloader.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_apt_kimsuky_vbs_powershell_downloader {
-    meta:
-        id = "4c9af11f-802b-4ffe-9783-90fc2ee53809"
-        version = "1.0"
-        description = "Detects VBS/Powershell Downloader used by Kimsuky"
-        author = "Sekoia.io"
-        creation_date = "2022-08-30"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "& WScript.ScriptFullName &" ascii fullword
-        $ = "/c schtasks /create /sc minute /mo 5 /tn"
-        $ = "pOwErsHeLl -ep bypass -encodedCommand"
-        
-    condition:
-        filesize < 200KB and
-        2 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_konni.yar b/yara_rules/sekoiaio_apt_konni.yar
deleted file mode 100644
index a88210a..0000000
--- a/yara_rules/sekoiaio_apt_konni.yar
+++ /dev/null
@@ -1,26 +0,0 @@
-rule sekoiaio_apt_konni {
-    meta:
-        id = "6a20c492-e932-41bd-ac4a-01d35bfb0c49"
-        version = "1.0"
-        description = "Rule based on structure offsets and file extension"
-        author = "Sekoia.io"
-        creation_date = "2022-09-12"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ext_1 = ".zip" wide ascii fullword
-        $ext_2 = ".cab" wide ascii fullword
-        $ext_3 = ".rar" wide ascii fullword
-        $ext_4 = ".ini" wide ascii fullword
-        $ext_5 = ".dat" wide ascii fullword
-        
-        
-        $offset_structure_1 = { 8d ?? 08 02 00 00 } //offset 0x208
-        $offset_structure_2 = { 8d ?? 10 04 00 00 } //offset 0x410
-        $offset_structure_3 = { 8d ?? 18 06 00 00 } //offset 0x618
-        $url = "%s/dn.php?name=%s&prefix=%s" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and filesize < 3MB and 3 of ($ext_*) and all of ($offset_structure_*) and $url
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_konni_check_bat.yar b/yara_rules/sekoiaio_apt_konni_check_bat.yar
deleted file mode 100644
index c446cde..0000000
--- a/yara_rules/sekoiaio_apt_konni_check_bat.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule sekoiaio_apt_konni_check_bat {
-    meta:
-        id = "f05e6ba2-c128-4c17-8f74-f7640103c859"
-        version = "1.0"
-        description = "Script used to performs check before executing Konni"
-        author = "Sekoia.io"
-        creation_date = "2023-11-27"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = ":64BIT"
-        $ = ":32BIT"
-        $ = ":INSTALL"
-        $ = ":EXIT"
-        $ = "netpp.dll"
-        $ = "wpns.dll"
-        $ = "netpp64.dll"
-        $ = "wpns64.dll"
-        $ = "rundll32"
-        
-    condition:
-        filesize < 1MB and 7 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_konni_dropper.yar b/yara_rules/sekoiaio_apt_konni_dropper.yar
deleted file mode 100644
index 31f9301..0000000
--- a/yara_rules/sekoiaio_apt_konni_dropper.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_apt_konni_dropper {
-    meta:
-        id = "0783a55e-1d1e-40ca-a661-2c5dec6d78d6"
-        version = "1.0"
-        description = "Detects Konni dropper used when distributed via malicious document"
-        author = "Sekoia.io"
-        creation_date = "2023-11-27"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "UnzipAFile"
-        $ = "check.bat"
-        $ = "FOF_SILENT"
-        $ = "fLieObj"
-        
-    condition:
-        
-        filesize < 1MB and 3 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_lazarus_backdoored_jslib.yar b/yara_rules/sekoiaio_apt_lazarus_backdoored_jslib.yar
deleted file mode 100644
index 6ca6219..0000000
--- a/yara_rules/sekoiaio_apt_lazarus_backdoored_jslib.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_apt_lazarus_backdoored_jslib {
-    meta:
-        id = "73ffd449-93c8-494e-9c14-2e933b21a200"
-        version = "1.0"
-        description = "Detects InvisibleFerret based on common ressource."
-        author = "Sekoia.io"
-        creation_date = "2024-10-28"
-        classification = "TLP:CLEAR"
-        hash = "52e92be527690f4e63608cbc699e2f70"
-        
-    strings:
-        $obf = "(function(_0x" ascii
-        $exp = "module.exports =" ascii
-        
-    condition:
-        $exp in (filesize-500..filesize) and #obf == 1
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_lazarus_blindingcan_rtti.yar b/yara_rules/sekoiaio_apt_lazarus_blindingcan_rtti.yar
deleted file mode 100644
index 0371047..0000000
--- a/yara_rules/sekoiaio_apt_lazarus_blindingcan_rtti.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule sekoiaio_apt_lazarus_blindingcan_rtti {
-    meta:
-        id = "9a16c189-ffc1-4aa6-8582-298abaecd0ef"
-        version = "1.0"
-        description = "Detects BLINDINGCAN with RTTI"
-        author = "Sekoia.io"
-        creation_date = "2022-10-04"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = ".?AVCHTTP_Protocol@@" ascii wide fullword
-        $s2 = ".?AVCFileRW@@" ascii wide fullword
-        
-    condition:
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_lazarus_dangerouspassword_lnk.yar b/yara_rules/sekoiaio_apt_lazarus_dangerouspassword_lnk.yar
deleted file mode 100644
index 26f12c5..0000000
--- a/yara_rules/sekoiaio_apt_lazarus_dangerouspassword_lnk.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_apt_lazarus_dangerouspassword_lnk {
-    meta:
-        id = "32533880-7f75-4682-a7ae-9868d0b5174b"
-        version = "1.0"
-        description = "Detects Lazarus DangerousPassword LNKs"
-        author = "Sekoia.io"
-        creation_date = "2022-07-26"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = {6D 00 73 00 68 00 2A}
-        $s2 = {25 00 70 00 75 00 62 00 6C 00 69 00 63 00 25}
-        $s3 = {44 00 4F 00 20 00 73 00 74 00 61 00 72 00 74}
-        $b1 = {2F 00 63 00 20 00 73 00 74 00 61 00 72 00 74 00 20 00 2F 00 62 00 20 00 6D 00 73 00 68 00 74 00 61}
-        $c1 = {68 00 74 00 74 00 70 00 73 00 3A 00 2F 00 2F 00 62 00 69 00 74 00 2E 00 6C 00 79 00 2F}
-        
-    condition:
-        uint32be(0)== 0x4C000000 and
-        filesize > 1KB and filesize < 40MB and
-        (all of ($s*) or $b1 or ($s1 and $c1))
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_lazarus_dll_c2_comms.yar b/yara_rules/sekoiaio_apt_lazarus_dll_c2_comms.yar
deleted file mode 100644
index 5574739..0000000
--- a/yara_rules/sekoiaio_apt_lazarus_dll_c2_comms.yar
+++ /dev/null
@@ -1,34 +0,0 @@
-rule sekoiaio_apt_lazarus_dll_c2_comms {
-    meta:
-        id = "9b379aa8-77ce-4c76-ab13-05e35ebfbdfe"
-        version = "1.0"
-        description = "Detects DLL communicating with the C2"
-        author = "Sekoia.io"
-        creation_date = "2023-04-04"
-        classification = "TLP:CLEAR"
-        hash1 = "fe948451df90df80c8028b969bf89ecbf501401e7879805667c134080976ce2e"
-        hash2 = "bb1066c1ca53139dc5a2c1743339f4e6360d6fe4f2f3261d24fc28a12f3e2ab9"
-        hash3 = "dca33d6dacac0859ec2f3104485720fe2451e21eb06e676f4860ecc73a41e6f9"
-        hash4 = "69dd140f45c3fa3aaa64c69f860cd3c74379dec37c46319d7805a29b637d4dbf"
-        
-    strings:
-        $x1 = "vG2eZ1KOeGd2n5fr" ascii fullword
-        $s1 = "Windows %d(%d)-%s" ascii fullword
-        $s2 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36" wide fullword
-        
-        $op1 = {B8 C8 00 00 00 83 FB 01 44 0F 47 E8 41 8B C5 48 8B B4 24 E0 18 00 00 4C 8B A4 24 E8 18 00 00 48 8B 8D A0 17 00 00 48 33 CC}
-        $op2 = {33 D2 46 8D 04 B5 00 00 00 00 66 0F 1F 44 00 00 49 63 C0 41 FF C0 8B 4C 84 70 31 4C 94 40 48 FF C2}
-        $op3 = {89 5C 24 50 0F 57 C0 C7 44 24 4C 04 00 00 00 C7 44 24 48 40 00 00 00 0F 11 44 24 60 0F 11 44 24 70 0F 11 45 80 0F 11 45 90}
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and (
-        filesize < 500KB and(
-            1 of ($x*)
-            or 2 of them
-        )
-        or (
-            $x1 and 1 of ($s*)
-            or 3 of them
-        ))
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_lazarus_gopuram_backdoor.yar b/yara_rules/sekoiaio_apt_lazarus_gopuram_backdoor.yar
deleted file mode 100644
index bfa0d97..0000000
--- a/yara_rules/sekoiaio_apt_lazarus_gopuram_backdoor.yar
+++ /dev/null
@@ -1,25 +0,0 @@
-import "pe"
-        
-rule sekoiaio_apt_lazarus_gopuram_backdoor {
-    meta:
-        id = "947d4ee3-79fa-450b-8482-beafe607baae"
-        version = "1.0"
-        description = "Detects Gopuram Backdoor"
-        author = "Sekoia.io"
-        creation_date = "2023-04-04"
-        classification = "TLP:CLEAR"
-        hash1 = "97b95b4a5461f950e712b82783930cb2a152ec0288c00a977983ca7788342df7"
-        hash2 = "beb775af5196f30e0ee021790a4978ca7a7ac2a7cf970a5a620ffeb89cc60b2c"
-        
-    strings:
-        $x1 = "%s\\config\\TxR\\%s.TxR.0.regtrans-ms"
-        $xop = {D1 E8 33 C3 D1 EB A8 01 74 ?? 81 F3 25 A3 87 DE D1 E8 33 C3 D1 EB A8 01 74 ?? 81 F3 25 A3 87 DE D1 E8 33 C3 D1 EB A8 01 74 ?? 81 F3 25 A3 87 DE D1 E8 33 C3 D1 EB A8 01 74 ?? 81 F3 25 A3 87 DE}
-        $opa1 = {48 89 44 24 ?? 45 33 C9 45 33 C0 33 D2 89 5C 24 ?? 48 89 74 24 ?? 48 89 5C 24 ?? 89 7C 24 ?? FF 15 ?? ?? ?? ?? 85 C0 74 ?? 48 8B 4C 24 ?? 4C 8D 4C 24 ?? 44 8D 43 ??}
-        $opa2 = {48 89 B4 24 ?? ?? ?? ?? 44 8D 43 ?? 33 D2 48 89 BC 24 ?? ?? ?? ?? 4C 89 B4 24 ?? ?? ?? ?? E8 ?? ?? ?? ?? 48 8B 4C 24 ?? E8 ?? ?? ?? ?? 48 8B 4C 24 ?? 45 33 C0 33 D2 8B F8 E8 ?? ?? ?? ?? 8D 4F ?? E8 ?? ?? ?? ?? 4C 8B 4C 24 ?? 44 8D 43 ?? 48 8B C8 8B D7 48 8B F0 44 8B F7 E8 ?? ?? ?? ?? 48 8B 4C 24 ?? E8 ?? ?? ??}
-        
-    condition:        (uint16(0) == 0x4d5a and filesize < 2MB
-        and pe.characteristics & pe.DLL and 1 of ($x*)
-   )
-   or all of ($opa*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_lazarus_lambload_timecheck.yar b/yara_rules/sekoiaio_apt_lazarus_lambload_timecheck.yar
deleted file mode 100644
index c0a9672..0000000
--- a/yara_rules/sekoiaio_apt_lazarus_lambload_timecheck.yar
+++ /dev/null
@@ -1,68 +0,0 @@
-rule sekoiaio_apt_lazarus_lambload_timecheck {
-    meta:
-        id = "8807c752-c34e-4c3b-9194-3a9bd2575a88"
-        version = "1.0"
-        description = "Detects timeCheck routine in LambLoad"
-        author = "Sekoia.io"
-        creation_date = "2023-11-27"
-        classification = "TLP:CLEAR"
-        reference = "https://www.microsoft.com/en-us/security/blog/2023/11/22/diamond-sleet-supply-chain-compromise-distributes-a-modified-cyberlink-installer/"
-        
-    strings:
-        /*
-        0x41322e 0F8567030000                  jne 41359bh
-        0x413234 8D8548FBFFFF                  lea eax, [ebp - 4b8h]
-        0x41323a 50                            push eax
-        0x41323b E8F2490700                    call 487c32h
-        0x413240 83C404                        add esp, 4
-        0x413243 83781802                      cmp dword ptr [eax + 18h], 2
-        0x413247 0F854E030000                  jne 41359bh
-        0x41324d 8B4808                        mov ecx, dword ptr [eax + 8]
-        0x413250 83F90B                        cmp ecx, 0bh
-        0x413253 0F8C42030000                  jl 41359bh
-        0x413259 83F90C                        cmp ecx, 0ch
-        0x41325c 0F8D39030000                  jge 41359bh
-        0x413262 8B4004                        mov eax, dword ptr [eax + 4]
-        0x413265 83F81E                        cmp eax, 1eh
-        0x413268 0F8C2D030000                  jl 41359bh
-        0x41326e 83F83C                        cmp eax, 3ch
-        0x413271 0F8D24030000                  jge 41359bh
-        0x413277 53                            push ebx
-        0x413278 57                            push edi
-        0x413279 6808020000                    push 208h
-        0x41327e 8D8580FDFFFF                  lea eax, [ebp - 280h]
-        0x413284 6A00                          push 0
-        0x413286 50                            push eax
-        0x413287 C78550FBFFFF04010000          mov dword ptr [ebp - 4b0h], 104h
-        */
-        $chunk_1 = {
-        0F 85 ?? ?? ?? ??
-        8D 85 ?? ?? ?? ??
-        50
-        E8 ?? ?? ?? ??
-        83 C4 ??
-        83 78 ?? ??
-        0F 85 ?? ?? ?? ??
-        8B 48 ??
-        83 F9 ??
-        0F 8C ?? ?? ?? ??
-        83 F9 ??
-        0F 8D ?? ?? ?? ??
-        8B 40 ??
-        83 F8 ??
-        0F 8C ?? ?? ?? ??
-        83 F8 ??
-        0F 8D ?? ?? ?? ??
-        53
-        57
-        68 ?? ?? ?? ??
-        8D 85 ?? ?? ?? ??
-        6A ??
-        50
-        C7 85 ?? ?? ?? ?? ?? ?? ?? ??
-        }
-        
-    condition:
-        uint16be(0) == 0x4d5a and any of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_lazarus_pondrat.yar b/yara_rules/sekoiaio_apt_lazarus_pondrat.yar
deleted file mode 100644
index fc845cd..0000000
--- a/yara_rules/sekoiaio_apt_lazarus_pondrat.yar
+++ /dev/null
@@ -1,25 +0,0 @@
-rule sekoiaio_apt_lazarus_pondrat {
-    meta:
-        id = "a957c158-a79a-4d7a-8473-b6960cf02d9b"
-        version = "1.0"
-        description = "Detects PondRAT via mangled command names"
-        author = "Sekoia.io"
-        creation_date = "2024-09-23"
-        classification = "TLP:CLEAR"
-        hash = "b62c912de846e743effdf7e5654a7605"
-        hash = "61d7b2c7814971e5323ec67b3a3d7f45"
-        hash = "ce35c935dcc9d55b2c79945bac77dc8e"
-        hash = "f50c83a4147b86cdb20cc1fbae458865"
-        hash = "05957d98a75c04597649295dc846682d"
-        hash = "33c9a47debdb07824c6c51e13740bdfe"
-        
-    strings:
-        $cmd_PondRAT1 = "_Z7MsgDownP11_TRANS_INFO" ascii
-        $cmd_PondRAT2 = "_Z5MsgUpP11_TRANS_INFO" ascii
-        $cmd_PondRAT3 = "_Z6MsgRunP11_TRANS_INFO" ascii
-        $cmd_PondRAT4 = "_Z6MsgCmdP11_TRANS_INFO" ascii
-        
-    condition:
-        3 of them and filesize < 4MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_lazarus_vhd_ransomware_downloader.yar b/yara_rules/sekoiaio_apt_lazarus_vhd_ransomware_downloader.yar
deleted file mode 100644
index 7f6a1e7..0000000
--- a/yara_rules/sekoiaio_apt_lazarus_vhd_ransomware_downloader.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_apt_lazarus_vhd_ransomware_downloader {
-    meta:
-        id = "edcc9df8-650c-437a-adb8-a671e8b75e64"
-        version = "1.0"
-        description = "Detects VHD ransomware downloader"
-        author = "Sekoia.io"
-        creation_date = "2022-11-28"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "rundll32.exe %s #1 %S" wide
-        $ = "cmd /c timeout /t 10 & Del /f /q \"%s\" & attrib -s -h \"%s\" & rundll32 \"%s\" #1" wide
-        $ = "cmd /c timeout /t 10 & rundll32 \"%s\" #1" wide
-        $ = "curl -A cur1-agent -L %s -s -d da"
-        $ = "curl -A cur1-agent -L %s -s -d dl"
-        
-    condition:
-        filesize < 2MB and
-        3 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_lazarus_vhd_ransomware_loader.yar b/yara_rules/sekoiaio_apt_lazarus_vhd_ransomware_loader.yar
deleted file mode 100644
index 36e314c..0000000
--- a/yara_rules/sekoiaio_apt_lazarus_vhd_ransomware_loader.yar
+++ /dev/null
@@ -1,31 +0,0 @@
-rule sekoiaio_apt_lazarus_vhd_ransomware_loader {
-    meta:
-        id = "377f3ec5-fa2a-431e-93d2-6a1eb9e01d28"
-        version = "1.0"
-        description = "Detects VHD ransomware x64 loader "
-        author = "Sekoia.io"
-        creation_date = "2022-11-28"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = { B8 64 [8] B8 75 [8] B8 6D [8] B8 70 [8] B8 2E [8] B8 62 [8] B8 69 [8] B8 6E }
-        $ = { 48 63 ?? ?? ??
-        48 8B ?? ?? ??
-        0F BE ?? ??
-        B9 ?? ?? ?? ??
-        48 6B ?? ??
-        48 8B ?? ?? ??
-        0F BE ?? ??
-        ?? ??
-        48 63 ?? ?? ??
-        48 8B ?? ?? ??
-        88 ?? ??
-        EB }
-        $ = { 25 00 73 00 5c [3-15] 25 00 64 00 25 00 64 00 2e 00 62 00 69 00 6e }
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 200KB and
-        2 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_luckymouse_compromised_electronapp.yar b/yara_rules/sekoiaio_apt_luckymouse_compromised_electronapp.yar
deleted file mode 100644
index 0e368f7..0000000
--- a/yara_rules/sekoiaio_apt_luckymouse_compromised_electronapp.yar
+++ /dev/null
@@ -1,16 +0,0 @@
-rule sekoiaio_apt_luckymouse_compromised_electronapp {
-    meta:
-        id = "7702217d-771f-47af-8eaa-d5acf1e14f4d"
-        version = "1.0"
-        description = "Detects compromised ElectronApp"
-        author = "Sekoia.io"
-        creation_date = "2022-08-05"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s = "module.exports=function(t){eval(function(p,a,c,k,e,r)"
-        
-    condition:
-        $s at 0 and filesize < 100KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_luckymouse_rshell_strings.yar b/yara_rules/sekoiaio_apt_luckymouse_rshell_strings.yar
deleted file mode 100644
index ee0e7fc..0000000
--- a/yara_rules/sekoiaio_apt_luckymouse_rshell_strings.yar
+++ /dev/null
@@ -1,27 +0,0 @@
-rule sekoiaio_apt_luckymouse_rshell_strings {
-    meta:
-        id = "89f18013-ea3e-440f-821e-cef102a43b7b"
-        version = "1.0"
-        description = "Detects LuckyMouse RShell Mach-O implant"
-        author = "Sekoia.io"
-        creation_date = "2022-08-05"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = { 64 69 72 00 70 61 74 68
-        00 64 6F 77 6E 00 72 65
-        61 64 00 75 70 6C 6F 61
-        64 00 77 72 69 74 65 00
-        64 65 6C }
-        $ = { 6C 6F 67 69 6E 00 68 6F
-        73 74 6E 61 6D 65 00 6C
-        61 6E 00 75 73 65 72 6E
-        61 6D 65 00 76 65 72 73
-        69 6F 6E }
-        
-    condition:
-        (uint32be(0) == 0xCFFAEDFE or uint16be(0) == 0x4d5a) and 
-        filesize < 300KB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_luckymouse_rshell_strings_all_platform.yar b/yara_rules/sekoiaio_apt_luckymouse_rshell_strings_all_platform.yar
deleted file mode 100644
index 6070e7b..0000000
--- a/yara_rules/sekoiaio_apt_luckymouse_rshell_strings_all_platform.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_apt_luckymouse_rshell_strings_all_platform {
-    meta:
-        id = "e79a5ee1-96b3-4643-ab11-0b1095e96488"
-        version = "1.0"
-        description = "Detects LuckyMouse RShell Mach-O implant"
-        author = "Sekoia.io"
-        creation_date = "2022-08-05"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = { 6C 6F 67 69 6E 00 68 6F
-        73 74 6E 61 6D 65 00 6C
-        61 6E 00 75 73 65 72 6E
-        61 6D 65 00 76 65 72 73
-        69 6F 6E }
-        
-    condition:
-        filesize < 1MB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_luckymouse_sysupdate_removing_tool.yar b/yara_rules/sekoiaio_apt_luckymouse_sysupdate_removing_tool.yar
deleted file mode 100644
index 212a98a..0000000
--- a/yara_rules/sekoiaio_apt_luckymouse_sysupdate_removing_tool.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_apt_luckymouse_sysupdate_removing_tool {
-    meta:
-        id = "711d059c-6229-49ef-aa20-a04d505838dc"
-        version = "1.0"
-        description = "Detects the SysUpdate removing tool"
-        author = "Sekoia.io"
-        creation_date = "2022-08-03"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "KsWAYYYXXsFUCK" wide
-        $ = "remove Services:%s %d" wide
-        $ = "remove dir:%s %d" wide
-        $ = "remove reg %d" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and filesize < 11MB and 2 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_malware_pocoproxy.yar b/yara_rules/sekoiaio_apt_malware_pocoproxy.yar
deleted file mode 100644
index fa6e2a0..0000000
--- a/yara_rules/sekoiaio_apt_malware_pocoproxy.yar
+++ /dev/null
@@ -1,26 +0,0 @@
-rule sekoiaio_apt_malware_pocoproxy {
-    meta:
-        id = "8b37e37f-339e-4f8b-b792-435096f56af0"
-        version = "1.0"
-        description = "Detects strings in PocoProxy"
-        author = "Sekoia.io"
-        creation_date = "2024-08-13"
-        classification = "TLP:CLEAR"
-        hash = "2b89f15012512002c656ff821bbbeca0"
-        hash = "8d850fed6bb1f3b60365ed656c6791c5"
-        
-    strings:
-        $ = "-listen" ascii fullword
-        $ = "-connect" ascii fullword
-        $ = "-proxy" ascii fullword
-        $ = "%d-%d-%d %d:%d:%d" ascii fullword
-        $ = "%S://%S:%u%S" wide
-        $ = "\\r\\n[%u(%u/%u/%u/%u)]==> %S  %S>> %S:%d connect ok." wide
-        $ = "\\r\\nnconnect to %S:%d faild." wide
-        $ = "\\r\\nI'm listen %S:%d,welcome..." wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        5 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_menupass_maliciouslibvlc_dll.yar b/yara_rules/sekoiaio_apt_menupass_maliciouslibvlc_dll.yar
deleted file mode 100644
index 82e1b1c..0000000
--- a/yara_rules/sekoiaio_apt_menupass_maliciouslibvlc_dll.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-import "pe"
-        
-rule sekoiaio_apt_menupass_maliciouslibvlc_dll {
-    meta:
-        id = "8b6b56f3-33b5-41cf-8bcb-e653c98718bd"
-        version = "1.0"
-        description = "Detects the malicious LibVLC variants used by MenuPass"
-        author = "Sekoia.io"
-        creation_date = "2022-04-06"
-        classification = "TLP:CLEAR"
-        
-    condition:
-        pe.DLL and
-        pe.number_of_exports < 15 and
-        for all i in (0..pe.number_of_exports - 1):
-        (pe.export_details[i].name contains "libvlc_")
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_micdown_encrypted_configuration.yar b/yara_rules/sekoiaio_apt_micdown_encrypted_configuration.yar
deleted file mode 100644
index 92b1887..0000000
--- a/yara_rules/sekoiaio_apt_micdown_encrypted_configuration.yar
+++ /dev/null
@@ -1,16 +0,0 @@
-rule sekoiaio_apt_micdown_encrypted_configuration {
-    meta:
-        id = "9567d68b-05d1-4d41-b87f-c8691ee689cd"
-        version = "1.0"
-        description = "Encrypted C2 configuration of micDown"
-        author = "Sekoia.io"
-        creation_date = "2023-08-24"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = {?? [20] 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 84 36}
-        
-    condition:
-        filesize == 66 and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_muddywater_manifestation_backdoor.yar b/yara_rules/sekoiaio_apt_muddywater_manifestation_backdoor.yar
deleted file mode 100644
index 8be8cd4..0000000
--- a/yara_rules/sekoiaio_apt_muddywater_manifestation_backdoor.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_apt_muddywater_manifestation_backdoor {
-    meta:
-        id = "998fb0ab-73ed-41e5-b87e-f987b8f05a8c"
-        version = "1.0"
-        description = "Detects Muddys manifestation JScript backdoor"
-        author = "Sekoia.io"
-        creation_date = "2022-01-13"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "/^\\s+|\\s+$/g" ascii
-        $l2 = "while (1) {"  ascii
-        $l3 = { 57 53 63 72 69 70 74 2e 73 6c 65 65 70 28 ?? ?? 20 2a 20 31 30 30 30 29 3b }
-        $s4 = ")+ key , false)" ascii
-        $s5 = ")+ data , false)" ascii
-        
-    condition:
-        filesize > 1000 and
-        ($l3 in (@l2..@l2+300)) and (any of ($s*))
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_muddywater_manifestation_backdoor_obfuscated.yar b/yara_rules/sekoiaio_apt_muddywater_manifestation_backdoor_obfuscated.yar
deleted file mode 100644
index 9ad6950..0000000
--- a/yara_rules/sekoiaio_apt_muddywater_manifestation_backdoor_obfuscated.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_apt_muddywater_manifestation_backdoor_obfuscated {
-    meta:
-        id = "58df72a1-822c-4b82-904d-1c0124dc7bc1"
-        version = "1.0"
-        description = "Detects obfuscated Muddys manifestation JScript backdoor"
-        author = "Sekoia.io"
-        creation_date = "2022-01-13"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $m = { 76 61 72 20 5f 30 78 [4-6] 3d 5b }
-        $w = {57 53 63 72 69 70 74 5b 5f 30 78 [4-6] 28 30 78 [2-3] 29 5d 28 30 78 [2-3] 2a 30 78 [2-3] 29 2c }
-        $t = "subkeys(key));}"
-        
-    condition:
-        $m at 0 and ($t at (filesize-16) or $w in (filesize-200..filesize))
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_muddywater_moriagent.yar b/yara_rules/sekoiaio_apt_muddywater_moriagent.yar
deleted file mode 100644
index 598f79b..0000000
--- a/yara_rules/sekoiaio_apt_muddywater_moriagent.yar
+++ /dev/null
@@ -1,29 +0,0 @@
-import "pe"
-        
-rule sekoiaio_apt_muddywater_moriagent {
-    meta:
-        id = "e7a83663-6a30-416a-8f29-87a6b9445ea4"
-        version = "1.0"
-        description = "Detects Muddy's Mori Agent implant"
-        author = "Sekoia.io"
-        creation_date = "2022-01-14"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $mut = "0x50504060" ascii fullword
-        $cmd1 = "TType" ascii fullword
-        $cmd2 = "TPath" ascii fullword
-        $cmd3 = "TFileid" ascii fullword
-        $cmd4 = "TCommand" ascii fullword
-        $cmd5 = "TTimeout" ascii fullword
-        $cmd6 = "TFilter" ascii fullword
-        
-    condition:
-        
-        uint16be(0) == 0x4d5a and
-        ( ( pe.number_of_exports == 2 and
-        pe.exports("DllRegisterServer") and
-        pe.exports("DllUnregisterServer") ) and
-        ( 5 of them ) )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_muddywater_muddyc2go_dll_launcher_strings.yar b/yara_rules/sekoiaio_apt_muddywater_muddyc2go_dll_launcher_strings.yar
deleted file mode 100644
index e7f2c27..0000000
--- a/yara_rules/sekoiaio_apt_muddywater_muddyc2go_dll_launcher_strings.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_apt_muddywater_muddyc2go_dll_launcher_strings {
-    meta:
-        id = "59756195-d842-4038-8fbf-43d26f4353bc"
-        version = "1.0"
-        description = "Detects MuddyC2Go DLL launcher"
-        author = "Sekoia.io"
-        creation_date = "2024-03-07"
-        classification = "TLP:CLEAR"
-        hash = "1a0827082d4b517b643c86ee678eaa53f85f1b33ad409a23c50164c3909fdaca"
-        
-    strings:
-        $ = "-Method GET -ErrorAction Stop;Write-Output $response.Content;iex $response.Content;"
-        $ = "GetCurrentProcess"
-        $ = "TerminateProcess"
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 50KB and 
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_muddywater_powershell_reverse_secure_proxy.yar b/yara_rules/sekoiaio_apt_muddywater_powershell_reverse_secure_proxy.yar
deleted file mode 100644
index 252f356..0000000
--- a/yara_rules/sekoiaio_apt_muddywater_powershell_reverse_secure_proxy.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_apt_muddywater_powershell_reverse_secure_proxy {
-    meta:
-        id = "b255f327-cb56-41b7-82f7-83ee23f791a5"
-        version = "1.0"
-        description = "Detects PowerShell Reverse Secure Proxy"
-        author = "Sekoia.io"
-        creation_date = "2023-11-14"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "$CS.Read($buff,4,2) | Out-Null" ascii wide
-        $ = "$DP = $buff[2]*256 + $buff[3]" ascii wide
-        $ = "$PS3.BeginInvoke() | Out-Null" ascii wide
-        
-    condition:
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_muddywater_powgoop_decode_loop.yar b/yara_rules/sekoiaio_apt_muddywater_powgoop_decode_loop.yar
deleted file mode 100644
index 8c8a678..0000000
--- a/yara_rules/sekoiaio_apt_muddywater_powgoop_decode_loop.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_apt_muddywater_powgoop_decode_loop {
-    meta:
-        id = "644ed1c4-e0e1-496e-9efc-7d9e15565f7b"
-        version = "1.0"
-        description = "Detects the loop used in PowGoop and its loader"
-        author = "Sekoia.io"
-        creation_date = "2022-01-13"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "System.Collections.Generic.List[System.Object]" ascii wide
-        $s2 = "$d.Add($in[$i]);" ascii wide
-        $s3 = "[System.Convert]::FromBase64String(" ascii wide
-        
-    condition:
-        filesize < 1MB and
-        $s2 in (@s1..@s1+400) and
-        $s3 in (@s1..@s1+400)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_muddywater_powgoop_decoded.yar b/yara_rules/sekoiaio_apt_muddywater_powgoop_decoded.yar
deleted file mode 100644
index a2232d8..0000000
--- a/yara_rules/sekoiaio_apt_muddywater_powgoop_decoded.yar
+++ /dev/null
@@ -1,27 +0,0 @@
-rule sekoiaio_apt_muddywater_powgoop_decoded {
-    meta:
-        id = "194cb9ef-da96-42b6-a3b5-b0aee7495f2c"
-        version = "1.0"
-        description = "Detects decoded PowGoop malware"
-        author = "Sekoia.io"
-        creation_date = "2022-01-13"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $h1 = "[System.Net.WebRequest]::Create(" ascii wide
-        $h2 = "Headers.Add('Authorization'" ascii wide
-        $h3 = "Headers.Add('Cookie',('value=' + $ec + ';')" ascii wide
-        $h4 = ".GetResponse()" ascii wide
-        $h5 = "GetResponseStream()" ascii wide
-        $c1 = "return (65..90) + (97..122) | Get-Random -Count" ascii wide
-        $c2 = "% {[char]$_}" ascii wide
-        
-    condition:
-        filesize > 1KB and
-        filesize < 1MB and
-        ( $h2 in (@h1..@h5) and
-        $h3 in (@h1..@h5) and
-        $h4 in (@h1..@h5) )
-        or ( $c2 in (@c1..@c1+50) ) and  true
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_muddywater_powgoop_loader.yar b/yara_rules/sekoiaio_apt_muddywater_powgoop_loader.yar
deleted file mode 100644
index 8dafdf9..0000000
--- a/yara_rules/sekoiaio_apt_muddywater_powgoop_loader.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_apt_muddywater_powgoop_loader {
-    meta:
-        id = "716b45e1-9f17-4546-a003-a7c78340d623"
-        version = "1.0"
-        description = "Detects the loader of PowGoop malware"
-        author = "Sekoia.io"
-        creation_date = "2022-01-13"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "$d.Add($in[$i]);" ascii wide
-        $s2 = "[System.Text.Encoding]::UTF8.GetString($o);" ascii wide
-        $s3 = "$i+=(1+1)" ascii wide
-        $t = { 24 ?? 3d [1-15] 20 24 ?? 3b ?? ?? ?? 20 24 ?? 3b }
-        
-    condition:
-        filesize < 50KB and
-        (3 of ($s*) or $t in (filesize-50..filesize))
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_muddywater_rotrot_strings.yar b/yara_rules/sekoiaio_apt_muddywater_rotrot_strings.yar
deleted file mode 100644
index 7a6cbda..0000000
--- a/yara_rules/sekoiaio_apt_muddywater_rotrot_strings.yar
+++ /dev/null
@@ -1,37 +0,0 @@
-rule sekoiaio_apt_muddywater_rotrot_strings {
-    meta:
-        id = "f7bc195a-0e60-4495-b78a-78f101543700"
-        version = "1.0"
-        description = "Detects RotRot backdoor based on strings"
-        author = "Sekoia.io"
-        creation_date = "2024-06-10"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "qsphsbnebub"
-        $s2 = "rtqitcofcvc"
-        $s3 = "surjudpgdwd"
-        $s4 = "tvskveqhexe"
-        $s5 = "uwtlwfrifyf"
-        $s6 = "vxumxgsjgzg"
-        
-        $t1 = "MpbeMjcsbs"
-        $t2 = "NqcfNkdtct"
-        $t3 = "OrdgOleudu"
-        $t4 = "PsehPmfvev"
-        $t5 = "QtfiQngwfw"
-        $t6 = "RugjRohxgx"
-        
-        $u1 = "UfsnjobufKpcPckfdu"
-        $u2 = "VgtokpcvgLqdQdlgev"
-        $u3 = "WhuplqdwhMreRemhfw"
-        $u4 = "XivqmrexiNsfSfnigx"
-        $u5 = "YjwrnsfyjOtgTgojhy"
-        $u6 = "ZkxsotgzkPuhUhpkiz"
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize > 100KB and filesize < 300KB and
-        any of ($s*) and any of ($t*) and any of ($u*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_mustang_panda_nupakage.yar b/yara_rules/sekoiaio_apt_mustang_panda_nupakage.yar
deleted file mode 100644
index 71f3992..0000000
--- a/yara_rules/sekoiaio_apt_mustang_panda_nupakage.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule sekoiaio_apt_mustang_panda_nupakage {
-    meta:
-        id = "bd62c220-addc-48e9-bd01-2eff687ac3ce"
-        version = "1.0"
-        description = "Detects NUPAKAGE malware (only PDB, too much false positives)"
-        author = "Sekoia.io"
-        creation_date = "2023-03-24"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "D:\\Project\\NEW_PACKAGE_FILE\\Release\\NEW_PACKAGE_FILE.pdb" ascii wide
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
-        filesize < 1MB and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_mustang_panda_toneins.yar b/yara_rules/sekoiaio_apt_mustang_panda_toneins.yar
deleted file mode 100644
index cf35237..0000000
--- a/yara_rules/sekoiaio_apt_mustang_panda_toneins.yar
+++ /dev/null
@@ -1,45 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_apt_mustang_panda_toneins {
-    meta:
-        id = "f178217a-ff28-4dd7-9395-f19f3e2e934c"
-        version = "1.0"
-        description = "Detect the TONEINS implant used by Mustang Panda"
-        author = "Sekoia.io"
-        creation_date = "2022-11-28"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $rtti1 = ".?AVDNameNode@@"
-        $rtti2 = ".?AVcharNode@@"
-        $rtti3 = ".?AVpcharNode@@"
-        $rtti4 = ".?AVpDNameNode@@"
-        $rtti5 = ".?AVDNameStatusNode@@"
-        $rtti6 = ".?AVpairNode@@"
-        
-        $s1 = "DefWindowProcW1222_test" wide ascii
-        $s2 = "schtasks /create /sc minute /mo 2 /tn" wide ascii
-        $fnv_CreateFile = {CE C9 CA BD}
-        $fnv_GetFileSize = {18 81 ED 44}
-        $fnv_ReadFile = {43 C9 FC 54}
-        $fnv_CloseHandle = {65 00 BA FA}
-        $fnv_WriteFile = {4A C4 07 7F}
-        $fnv_CreateEventA = {E2 DD D2 F9}
-        $fnv_TerminateProcess = {59 EE 4E F8}
-        $fnv_GetCurrentProcess = {45 A8 D8 6D}
-        $fnv_CreateProcessA = { 09 0A 7C 4A}
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        4 of ($rtti*)
-        and
-        filesize < 8MB and 
-        (    
-            for any i in (0..pe.number_of_sections-1) : (
-            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "69f400d3ff4679294e63fb8a8ca97dbb") 
-            or
-            (all of ($s*) and 5 of ($fnv*))
-        )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_mustang_panda_toneshell.yar b/yara_rules/sekoiaio_apt_mustang_panda_toneshell.yar
deleted file mode 100644
index 8dacaff..0000000
--- a/yara_rules/sekoiaio_apt_mustang_panda_toneshell.yar
+++ /dev/null
@@ -1,161 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_apt_mustang_panda_toneshell {
-    meta:
-        id = "bf7c68a9-dddc-494a-a603-c2311ed712a4"
-        version = "1.0"
-        description = "Detect the TONESHELL implant used by Mustang Panda from specific functions"
-        author = "Sekoia.io"
-        creation_date = "2022-11-28"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        /*    GetTEB
-        result = NtCurrentTeb();
-        dword_1007CA38 = (int)result;
-        return result;
-        */
-        $func1 = {
-        55
-        89 E5
-        64 A1 18 00 00 00
-        A3 ?? ?? ?? ??
-        5D
-        C3
-        }
-        
-        /*memcpy
-        v5 = a1;
-        while ( a3-- )
-        *a1++ = *a2++;
-        return v5;
-        */
-        $func2 =  {
-        55
-        89 E5
-        50
-        8B 45 ??
-        8B 45 ??
-        8B 45 ??
-        8B 45 ??
-        89 45 ??
-        8B 45 ??
-        89 C1
-        83 C1 FF
-        89 4D ??
-        83 F8 00
-        0F 84 ?? ?? ?? ??
-        8B 45 ??
-        8A 08
-        8B 45 ??
-        88 08
-        8B 45 ??
-        83 C0 01
-        89 45 ??
-        8B 45 ??
-        83 C0 01
-        89 45 ??
-        E9 ?? ?? ?? ??
-        8B 45 ??
-        83 C4 04
-        5D
-        C3
-        }
-        
-        /* Decryptionroutine
-        result = a1;
-        for ( i = 0; i < 32; ++i )
-        {
-        *(_BYTE *)(a1 + i) ^= 0x7Eu;
-        result = i + 1;
-        }
-        return result;
-        */
-        $decryption_routine1 = {
-        8B 45 ??
-        C7 45 ?? 00 00 00 00
-        83 7D ?? 20
-        0F 8D ?? ?? ?? ??
-        8B 45 ??
-        8B 4D ??
-        0F BE 04 08
-        83 F0 ??
-        88 C2
-        8B 45 ??
-        8B 4D ??
-        88 14 08
-        8B 45 ??
-        83 C0 01
-        89 45 ??
-        E9 ?? ?? ?? ??
-        83 C4 04
-        }
-        
-        /*
-        v6 = 0;
-        for ( i = 0; ; ++i )
-        {
-        result = v6;
-        if ( v6 >= a2 )
-        break;
-        *(_BYTE *)(a1 + v6) ^= *(_BYTE *)(a3 + i);
-        if ( i == a4 - 1 )
-        i = 0;
-        ++v6;
-        }
-        return result;
-        */
-        $decryption_routine2 = {
-        55
-        89 E5
-        83 EC 08
-        8B 45 ??
-        8B 45 ??
-        8B 45 ??
-        8B 45 ??
-        C7 45 ?? 00 00 00 00
-        C7 45 ?? 00 00 00 00
-        8B 45 ??
-        3B 45 ??
-        0F 8D ?? ?? ?? ??
-        8B 45 ??
-        8B 4D ??
-        0F BE 04 08
-        8B 4D ??
-        8B 55 ??
-        0F BE 0C 11
-        31 C8
-        88 C2
-        8B 45 ??
-        8B 4D ??
-        88 14 08
-        8B 45 ??
-        8B 4D ??
-        83 E9 01
-        39 C8
-        0F 85 ?? ?? ?? ??
-        C7 45 ?? 00 00 00 00
-        E9 ?? ?? ?? ??
-        8B 45 ??
-        83 C0 01
-        89 45 ??
-        8B 45 ??
-        83 C0 01
-        89 45 ??
-        E9 ?? ?? ?? ??
-        83 C4 08
-        5D
-        C3
-        }
-        
-    condition:
-        uint16be(0) == 0x4d5a and 
-        filesize < 8MB and
-        for all i in (0..pe.number_of_sections-1) : (
-            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) != "69f400d3ff4679294e63fb8a8ca97dbb"
-        ) and 
-        3 of them and
-        true
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_mustangpanda_coolclient.yar b/yara_rules/sekoiaio_apt_mustangpanda_coolclient.yar
deleted file mode 100644
index c70a38d..0000000
--- a/yara_rules/sekoiaio_apt_mustangpanda_coolclient.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_apt_mustangpanda_coolclient {
-    meta:
-        id = "2f8fdb66-03a2-400f-808b-56ae1b276d2f"
-        version = "1.0"
-        description = "Detect COOLCLIENT via obfuscation & specific string"
-        author = "Sekoia.io"
-        creation_date = "2023-03-27"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = {eb 14 ea 50 eb 0b ea 8b c4 a8 01 74 06 eb 0b}
-        $s2 = {66 0f d6 44 24 eb eb}
-        $s3 = "c:\\windows\\syste" fullword
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
-        filesize < 1MB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_mustangpanda_decrypt_payload.yar b/yara_rules/sekoiaio_apt_mustangpanda_decrypt_payload.yar
deleted file mode 100644
index d1c99ba..0000000
--- a/yara_rules/sekoiaio_apt_mustangpanda_decrypt_payload.yar
+++ /dev/null
@@ -1,28 +0,0 @@
-rule sekoiaio_apt_mustangpanda_decrypt_payload {
-    meta:
-        id = "7b954007-0929-454d-8a10-05279a337f1b"
-        version = "1.0"
-        description = "Detects the decryption routine of DAT file"
-        author = "Sekoia.io"
-        creation_date = "2022-12-08"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $chunk_1 = {
-        85 ??
-        74 ??
-        8B ??
-        D1 EA
-        A1 ?? ?? ?? ??
-        03 C2
-        A3 ?? ?? ?? ??
-        30 04 29
-        41
-        3B ??
-        72 EC
-        }
-        
-    condition:
-        filesize < 8MB and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_mustangpanda_downloader.yar b/yara_rules/sekoiaio_apt_mustangpanda_downloader.yar
deleted file mode 100644
index 45919d7..0000000
--- a/yara_rules/sekoiaio_apt_mustangpanda_downloader.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_apt_mustangpanda_downloader {
-    meta:
-        id = "54850ffd-f93b-4082-b3ca-8e1d60b35422"
-        version = "1.0"
-        description = "Detects the MustangPanda Downloader"
-        author = "Sekoia.io"
-        creation_date = "2022-03-02"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "Windows Api" wide nocase
-        $ = "200 OK" wide
-        $ = "200 ok" wide
-        $ = "mscoree.dll" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_mustangpanda_malicious_lnk_worm.yar b/yara_rules/sekoiaio_apt_mustangpanda_malicious_lnk_worm.yar
deleted file mode 100644
index fe4bba0..0000000
--- a/yara_rules/sekoiaio_apt_mustangpanda_malicious_lnk_worm.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule sekoiaio_apt_mustangpanda_malicious_lnk_worm {
-    meta:
-        id = "e7cc5ecc-2369-49ff-9e35-c9faeb69acda"
-        version = "1.0"
-        description = "Detects MustangPanda infected ThumbDrive"
-        author = "Sekoia.io"
-        creation_date = "2023-09-21"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "RECYCLER.BIN\\1\\CEFHelper.exe" wide
-        
-    condition:
-        uint32be(0) == 0x4C000000 and
-        1 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_mustangpanda_maliciousdll_loading_plugx_strings.yar b/yara_rules/sekoiaio_apt_mustangpanda_maliciousdll_loading_plugx_strings.yar
deleted file mode 100644
index 443da94..0000000
--- a/yara_rules/sekoiaio_apt_mustangpanda_maliciousdll_loading_plugx_strings.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-import "pe"
-        
-rule sekoiaio_apt_mustangpanda_maliciousdll_loading_plugx_strings {
-    meta:
-        id = "2296ac6e-63f5-4cff-aeb7-2c5205e6f559"
-        version = "1.0"
-        description = "Detects MustangPanda malicious DLL"
-        author = "Sekoia.io"
-        creation_date = "2023-12-18"
-        classification = "TLP:CLEAR"
-        hash = "651c096cf7043a01d939dff9ba58e4d69f15b2244c71b43bedb4ada8c37e8859"
-        
-    strings:
-        $ = "VirtualAlloc"
-        $ = "VirtualFree"
-        $ = "VirtualProtect"
-        $ = "VirtualQuery"
-        $ = "GCC: (MinGW-W64"
-        
-    condition:
-        pe.exports("MsiProvideQualifiedComponentW") 
-        and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_mustangpanda_mqsttang_qmagent.yar b/yara_rules/sekoiaio_apt_mustangpanda_mqsttang_qmagent.yar
deleted file mode 100644
index 1a392ff..0000000
--- a/yara_rules/sekoiaio_apt_mustangpanda_mqsttang_qmagent.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule sekoiaio_apt_mustangpanda_mqsttang_qmagent {
-    meta:
-        id = "bcf6f961-0d9b-4fbc-81d2-f5d00c68d4d5"
-        version = "1.0"
-        description = "Detects specifics string of MQsTTang, also known as QMAGENT"
-        author = "Sekoia.io"
-        creation_date = "2023-03-27"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "iot/server"
-        $s2 = "QMQTT::Message"
-        $s3 = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
-        $command1 = "c_topic"
-        $command2 = "Alive"
-        $command3 = "msg"
-        $command4 = "ret"
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
-        filesize < 8MB  and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_mustangpanda_payload.yar b/yara_rules/sekoiaio_apt_mustangpanda_payload.yar
deleted file mode 100644
index 91c1919..0000000
--- a/yara_rules/sekoiaio_apt_mustangpanda_payload.yar
+++ /dev/null
@@ -1,43 +0,0 @@
-rule sekoiaio_apt_mustangpanda_payload {
-    meta:
-        id = "ce7ddf20-e13f-4b5f-8fff-4b1387b29568"
-        version = "1.0"
-        description = "Decryption routine of mustang panda payload"
-        author = "Sekoia.io"
-        creation_date = "2022-12-08"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $chunk_1 = {
-        89 74 24 ??
-        B9 ?? ?? ?? ??
-        8B 44 24 ??
-        3D ?? ?? ?? ??
-        B8 ?? ?? ?? ??
-        0F 4C C1
-        E9 ?? ?? ?? ??
-        B8 ?? ?? ?? ??
-        31 DB
-        31 ED
-        31 FF
-        E9 ?? ?? ?? ??
-        8B 44 24 ??
-        B9 ?? ?? ?? ??
-        3B 44 24 ??
-        B8 ?? ?? ?? ??
-        0F 42 C1
-        E9 ?? ?? ?? ??
-        88 5C 24 ??
-        89 6C 24 ??
-        89 7C 24 ??
-        B9 ?? ?? ?? ??
-        8B 44 24 ??
-        3D ?? ?? ?? ??
-        B8 ?? ?? ?? ??
-        0F 4C C1
-        }
-        
-    condition:
-        filesize < 8MB and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_mustangpanda_tinynote.yar b/yara_rules/sekoiaio_apt_mustangpanda_tinynote.yar
deleted file mode 100644
index 0c4361f..0000000
--- a/yara_rules/sekoiaio_apt_mustangpanda_tinynote.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_apt_mustangpanda_tinynote {
-    meta:
-        id = "a2b9bea4-a211-456f-8a3f-0f31733e8b29"
-        version = "1.0"
-        description = "Detects strings in TinyNote backdoor"
-        author = "Sekoia.io"
-        creation_date = "2023-06-07"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "bypassSMADAV" ascii fullword
-        $s2 = "excuteCmdLine" ascii fullword
-        $s3 = "/Create1953125" ascii
-        $s4 = "MINUTEMonday" ascii
-        $s5 = "WndProc" ascii
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
-        filesize < 8MB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_mustangpanda_tonedrop.yar b/yara_rules/sekoiaio_apt_mustangpanda_tonedrop.yar
deleted file mode 100644
index 89c8627..0000000
--- a/yara_rules/sekoiaio_apt_mustangpanda_tonedrop.yar
+++ /dev/null
@@ -1,44 +0,0 @@
-rule sekoiaio_apt_mustangpanda_tonedrop {
-    meta:
-        id = "39df631c-5766-4804-838f-6c9b800c0cc9"
-        version = "1.0"
-        description = "TONEDROP strings"
-        author = "Sekoia.io"
-        creation_date = "2023-06-19"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $window1 = "PROCMON_WINDOW_CLASS"  ascii wide
-        $window2 = "OLLYDBG" ascii wide
-        $window3 = "WinDbgFrameClass"  ascii wide
-        $window4 = "OllyDbg - [CPU]"  ascii wide
-        $window5 = "Immunity Debugger - [CPU]"  ascii wide
-        
-        $errormsg1 = "Unable to open file %s for writing"  ascii wide
-        
-        $proc_01 = "cheatengine-x86_64.exe" ascii wide
-        $proc_02 = "ollydbg.exe" ascii wide
-        $proc_03 = "ida.exe" ascii wide
-        $proc_04 = "ida64.exe" ascii wide
-        $proc_05 = "radare2.exe" ascii wide
-        $proc_06 = "x64dbg.exe" ascii wide
-        $proc_07 = "procmon.exe" ascii wide
-        $proc_08 = "procmon64.exe" ascii wide
-        $proc_09 = "procexp.exe" ascii wide
-        $proc_10 = "processhacker.exe" ascii wide
-        $proc_11 = "pestudio.exe" ascii wide
-        $proc_12 = "systracerx32.exe" ascii wide
-        $proc_13 = "fiddler.exe" ascii wide
-        $proc_14 = "tcpview.exe" ascii wide
-        
-        $opcodes_check_PEsize = {C7 85 94 FD FF FF 2C 02}
-        $opcodes_ShellExecute_1 = {C7 45 BC 53 68 65 6C}
-        $opcodes_ShellExecute_2 = {C7 45 C0 6C 45 78 65}
-        $opcodes_ShellExecute_3 = {C7 45 C4 63 75 74 65}
-        $opcodes_ShellExecute_4 = {66 C7 45 C8 41 00}
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
-        filesize < 8MB and 3 of ($window*) and $errormsg1 and 10 of ($proc_*) and 3 of ($opcodes*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_mustangpanda_windows_remoteshell.yar b/yara_rules/sekoiaio_apt_mustangpanda_windows_remoteshell.yar
deleted file mode 100644
index 2118da9..0000000
--- a/yara_rules/sekoiaio_apt_mustangpanda_windows_remoteshell.yar
+++ /dev/null
@@ -1,122 +0,0 @@
-rule sekoiaio_apt_mustangpanda_windows_remoteshell {
-    meta:
-        id = "cffdd11e-9700-462e-a965-f9f51db63f0b"
-        version = "1.0"
-        description = "Detects Remote Shell of Mustang Panda by detecting internal structure intialization"
-        author = "Sekoia.io"
-        creation_date = "2022-12-06"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        /*
-        *p_dword101a4 = 12;
-        this->encrypted[5] = 3;
-        *(_DWORD *)&this->encrypted[6] = this->dword10198;
-        *(_WORD *)&this->encrypted[10] = this->dword1019c;
-        */
-        
-        $chunk_1 = {
-        C7 45 ?? 0C 00 00 00
-        8D 4E ??
-        C6 01 03
-        8B 87 ?? ?? ?? ??
-        89 41 ??
-        66 8B 87 ?? ?? ?? ??
-        66 89 41 ??
-        }
-        /*
-        *p_dword101a4 = 12;
-        this->encrypted[5] = 2;
-        *(_DWORD *)&this->encrypted[6] = this->dword10198;
-        *(_WORD *)&this->encrypted[10] = this->dword1019c;
-        cme_crypt(&this->encrypted[5], *p_dword101a4 - 5);
-        */
-        
-        $chunk_2 = {
-        C7 45 ?? 0C 00 00 00
-        8D 4E ??
-        C6 01 02
-        8B 87 ?? ?? ?? ??
-        89 41 ??
-        66 8B 87 ?? ?? ?? ??
-        66 89 41 ??
-        8B 45 ??
-        83 E8 05
-        50
-        51
-        E8 ?? ?? ?? ??
-        }
-        /*
-        
-        this->dword101a0 = 1;
-        *p_dword101a4 = 12;
-        this->encrypted[5] = 4;
-        *(_DWORD *)&this->encrypted[6] = this->dword10198;
-        *(_WORD *)&this->encrypted[10] = this->dword1019c;
-        cme_crypt(&this->encrypted[5], *p_dword101a4 - 5);
-        */
-        $chunk_3 = {
-        C7 87 ?? ?? ?? ?? 01 00 00 00
-        8D 4E ??
-        C7 45 ?? 0C 00 00 00
-        C6 01 04
-        8B 87 ?? ?? ?? ??
-        89 41 ??
-        66 8B 87 ?? ?? ?? ??
-        66 89 41 ??
-        8B 45 ??
-        83 E8 05
-        50
-        51
-        E8 ?? ?? ?? ??
-        }
-        
-        /*
-        for ( i = 0; i < size; ++i )
-        encrypt[i] ^= v3[i % 0x70u];
-        for ( j = 0; ; ++j )
-        {
-        result = j;
-        if ( j >= size )
-        break;
-        encrypt[j] ^= v5[j % 0x64u];
-        }
-        
-        */
-        
-        $chunk_4 = {
-        83 65 ?? ??
-        EB ??
-        8B 45 ??
-        40
-        89 45 ??
-        8B 45 ??
-        3B 45 ??
-        7D ??
-        8B 45 ??
-        03 45 ??
-        0F B6 08
-        8B 45 ??
-        33 D2
-        6A ??
-        5E
-        F7 F6
-        0F B6 84 15 ?? ?? ?? ??
-        33 C8
-        8B 45 ??
-        03 45 ??
-        88 08
-        EB ??
-        83 65 ?? ??
-        EB ??
-        8B 45 ??
-        40
-        89 45 ??
-        8B 45 ??
-        }
-        
-    condition:
-        filesize < 8MB and
-        3 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_mustangpanda_windows_shellcode_decryptionalgorithm.yar b/yara_rules/sekoiaio_apt_mustangpanda_windows_shellcode_decryptionalgorithm.yar
deleted file mode 100644
index b2bdb18..0000000
--- a/yara_rules/sekoiaio_apt_mustangpanda_windows_shellcode_decryptionalgorithm.yar
+++ /dev/null
@@ -1,29 +0,0 @@
-rule sekoiaio_apt_mustangpanda_windows_shellcode_decryptionalgorithm {
-    meta:
-        id = "c9873a5f-97a6-477f-a1a0-650441c73444"
-        version = "1.0"
-        description = "Decryption routine for Shellcode of MustangPanda"
-        author = "Sekoia.io"
-        creation_date = "2022-12-05"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $chunk_1 = {
-        7E ??
-        8B 55 ??
-        53
-        56
-        8B 75 ??
-        57
-        8B 7D ??
-        4F
-        8D A4 24 ?? ?? ?? ??
-        8A 1C 11
-        30 1C 30
-        }
-        
-    condition:
-        
-        filesize < 8MB and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_mustangpanda_xoreddll.yar b/yara_rules/sekoiaio_apt_mustangpanda_xoreddll.yar
deleted file mode 100644
index 1178fc5..0000000
--- a/yara_rules/sekoiaio_apt_mustangpanda_xoreddll.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_apt_mustangpanda_xoreddll {
-    meta:
-        id = "73d13624-01df-41ab-b449-86db43dc6c55"
-        version = "1.0"
-        description = "Detects xored DLL from MustangPanda embedding a document"
-        author = "Sekoia.io"
-        creation_date = "2022-07-19"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $clear = "This program cannot be run in DOS mode"
-        $stub = "This program cannot be run in DOS mode" xor
-        $res1 = "5w>w9wR'31Z" xor
-        $res2 = "r0y0~0KlBD" xor
-        $res3 = "d&o&h&öé7Æ" xor
-        $res4 = "9{2{5{+0" xor
-        
-    condition:
-        $stub and any of ($res*) and not $clear and filesize < 3MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_mustangpanda_zpakage.yar b/yara_rules/sekoiaio_apt_mustangpanda_zpakage.yar
deleted file mode 100644
index 6b948ce..0000000
--- a/yara_rules/sekoiaio_apt_mustangpanda_zpakage.yar
+++ /dev/null
@@ -1,32 +0,0 @@
-rule sekoiaio_apt_mustangpanda_zpakage {
-    meta:
-        id = "a4767d12-5058-4a26-be62-0cec685917bd"
-        version = "1.0"
-        description = "Detect obfuscation seen in ZPAKAGE"
-        author = "Sekoia.io"
-        creation_date = "2023-03-27"
-        classification = "TLP:CLEAR"
-        hash = "711c0e83f4e626a7b54e3948b281a71915a056c5341c8f509ecba535bc199bee"
-        
-    strings:
-        $chunk_1 = {
-        88 94 1D ?? ?? ?? ??
-        8A 84 1D ?? ?? ?? ??
-        83 ?? ??
-        88 84 1D ?? ?? ?? ??
-        8A 84 1D ?? ?? ?? ??
-        83 ?? ??
-        88 84 1D ?? ?? ?? ??
-        8A 84 1D ?? ?? ?? ??
-        83 ?? ??
-        88 84 1D ?? ?? ?? ??
-        0F BE 8C 1D ?? ?? ?? ??
-        0F BE 84 1D ?? ?? ?? ??
-        }
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
-        filesize < 1MB and filesize < 11MB and
-        #chunk_1 > 20
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_nobelium_acrobox_downloader_apr2022.yar b/yara_rules/sekoiaio_apt_nobelium_acrobox_downloader_apr2022.yar
deleted file mode 100644
index 6354719..0000000
--- a/yara_rules/sekoiaio_apt_nobelium_acrobox_downloader_apr2022.yar
+++ /dev/null
@@ -1,25 +0,0 @@
-rule sekoiaio_apt_nobelium_acrobox_downloader_apr2022 {
-    meta:
-        id = "77f7f01d-72a2-4b13-b23f-d938a415dd40"
-        version = "1.0"
-        description = "Detects AcroBox downloader"
-        author = "Sekoia.io"
-        creation_date = "2022-05-11"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = { 80 ?? 7B
-        0F 84 ?? ?? 00 00
-        80 ?? ?? 0F
-        0F 84 ?? ?? 00 00
-        80 ?? ?? 0F
-        0F 84 ?? ?? 00 00
-        80 ?? ?? 0F
-        0F 84 ?? ?? 00 00 }
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 200KB and
-        all of ($s*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_nobelium_nativezone_gen.yar b/yara_rules/sekoiaio_apt_nobelium_nativezone_gen.yar
deleted file mode 100644
index d51184b..0000000
--- a/yara_rules/sekoiaio_apt_nobelium_nativezone_gen.yar
+++ /dev/null
@@ -1,32 +0,0 @@
-import "pe"
-        
-rule sekoiaio_apt_nobelium_nativezone_gen {
-    meta:
-        id = "e16cac97-38dd-4145-95f5-cf641940a19b"
-        version = "1.0"
-        description = "Detects NativeZone used in 2022"
-        author = "Sekoia.io"
-        creation_date = "2022-02-25"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $rich = { 52 69 63 68 [4] 00 }
-        $obs = { C7 85 [8] C7 85 }
-        $nobs = { C7 85 [6] 00 00 C7 85 }
-        
-    condition:
-        pe.DLL and
-        filesize < 2500KB and
-        pe.number_of_exports > 20 and
-        pe.number_of_imports < 30 and
-        (
-        pe.imports("kernel32.dll", "VirtualAlloc") and
-        pe.imports("kernel32.dll", "VirtualProtect")
-        ) and for any i in (0..pe.number_of_sections - 1):
-        ( pe.sections[i].name == ".rdata" and
-        pe.sections[i].raw_data_size > 300000 )
-        and #obs > 300
-        and #nobs < 150
-        and not $rich
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_oilrig_clipog_strings.yar b/yara_rules/sekoiaio_apt_oilrig_clipog_strings.yar
deleted file mode 100644
index 61ce289..0000000
--- a/yara_rules/sekoiaio_apt_oilrig_clipog_strings.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_apt_oilrig_clipog_strings {
-    meta:
-        id = "0ac40fd9-f67d-41fa-a774-77a3a1b7cac3"
-        version = "1.0"
-        description = "Detects OilRig's Clipog stealer"
-        author = "Sekoia.io"
-        creation_date = "2023-10-24"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "[ClipBoard=" wide
-        $ = "[NUMPAD .]" wide
-        $ = "[SPACE]" wide
-        $ = "GetClipboardData"
-        
-    condition:
-        uint16be(0) == 0x4d5a 
-        and filesize < 350KB 
-        and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_oilrig_maliciousdocument_may2022.yar b/yara_rules/sekoiaio_apt_oilrig_maliciousdocument_may2022.yar
deleted file mode 100644
index 9d93b05..0000000
--- a/yara_rules/sekoiaio_apt_oilrig_maliciousdocument_may2022.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-rule sekoiaio_apt_oilrig_maliciousdocument_may2022 {
-    meta:
-        id = "cb4ab310-e24c-4edc-8804-0c49c30124fb"
-        version = "1.0"
-        description = "Detects OilRig Malicious Document"
-        author = "Sekoia.io"
-        creation_date = "2022-05-13"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "<LogonType>InteractiveToken</LogonType>"
-        $s2 = "Select * From Win32_PingStatus Where Address"
-        $s3 = "She@et1"
-        $s4 = "_VBA_PROJECT" wide
-        $s5 = "This program cannot be run in DOS mode." base64
-        $s6 = ".Agent.pdb" base64
-        $s7 = "GetAgentID" base64
-        
-    condition:
-        uint32be(0) == 0xD0CF11E0 and
-        3 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_oilrig_odagent_strings.yar b/yara_rules/sekoiaio_apt_oilrig_odagent_strings.yar
deleted file mode 100644
index 28f8c10..0000000
--- a/yara_rules/sekoiaio_apt_oilrig_odagent_strings.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_apt_oilrig_odagent_strings {
-    meta:
-        id = "1c5c0eb5-7c6f-4a34-b2e2-4a7c6d7030d6"
-        version = "1.0"
-        description = "Detects ODAgent malware based on strings"
-        author = "Sekoia.io"
-        creation_date = "2023-12-20"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "application/x-www-form-urlencoded" ascii wide
-        $ = "dly>" ascii wide
-        $ = "DELETE" ascii wide
-        $ = "nok!" ascii wide
-        $ = ".c:/content" ascii wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 5MB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_oilrig_oilbooster_strings.yar b/yara_rules/sekoiaio_apt_oilrig_oilbooster_strings.yar
deleted file mode 100644
index e228b57..0000000
--- a/yara_rules/sekoiaio_apt_oilrig_oilbooster_strings.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_apt_oilrig_oilbooster_strings {
-    meta:
-        id = "001d12bc-1e7e-4a6c-9172-66687d08d827"
-        version = "1.0"
-        description = "Detects OilBooster malware based on strings"
-        author = "Sekoia.io"
-        creation_date = "2023-12-20"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "/rt.ovf" wide ascii
-        $ = "User-Agent: " wide ascii
-        $ = "/me/drive/items" wide ascii
-        $ = "client_secret" wide ascii
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 5MB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_oilrig_powerexchange.yar b/yara_rules/sekoiaio_apt_oilrig_powerexchange.yar
deleted file mode 100644
index 4616345..0000000
--- a/yara_rules/sekoiaio_apt_oilrig_powerexchange.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_apt_oilrig_powerexchange {
-    meta:
-        id = "cb6b370f-7b05-480b-865e-ac81ded4a2a4"
-        version = "1.0"
-        description = "Detects OilRig's PowerExchange backdoor"
-        author = "Sekoia.io"
-        creation_date = "2023-10-24"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "($h.value).PadRight((($h.value).Length+($h.value).Length%4),'='" ascii wide
-        $ = "(($h.value).Length%4 -ne 0)" ascii wide
-        $ = "-match \"@@(.*)@@\"" ascii wide
-        $ = "[Environment]::NewLine+$_.Exception.Message | Out-File -FilePath" ascii wide
-        $ = "ContainsSubjectStrings.Add(\"@@\")" ascii wide
-        
-    condition:
-        2 of them and filesize < 50KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_oilrig_saitama_backdoor_may2022.yar b/yara_rules/sekoiaio_apt_oilrig_saitama_backdoor_may2022.yar
deleted file mode 100644
index bc25924..0000000
--- a/yara_rules/sekoiaio_apt_oilrig_saitama_backdoor_may2022.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_apt_oilrig_saitama_backdoor_may2022 {
-    meta:
-        id = "4ea8c27f-c441-4616-a29b-2b5dfdd3bd20"
-        version = "1.0"
-        description = "Detects tje Saitama backdoor"
-        author = "Sekoia.io"
-        creation_date = "2022-05-13"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = { 7E [4] 7E [4] 59 0A 02 8E 69 06 28 [4] D1 0B 02 16 7E [4] 7E [4] 07 }
-        $ = "systeminfo | findstr" wide
-        $ = "powershell -exec bypass -enc" wide
-        $ = "SendAndReceive : {0}" wide
-        $ = "SleepSecond : Start" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        2 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_oilrig_saitama_backdoor_may2022_2.yar b/yara_rules/sekoiaio_apt_oilrig_saitama_backdoor_may2022_2.yar
deleted file mode 100644
index b638fb2..0000000
--- a/yara_rules/sekoiaio_apt_oilrig_saitama_backdoor_may2022_2.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_apt_oilrig_saitama_backdoor_may2022_2 {
-    meta:
-        id = "f885551a-d0f0-431d-aa4f-7caa93b1db6a"
-        version = "1.0"
-        description = "Detects Saitama backdoor variants"
-        author = "Sekoia.io"
-        creation_date = "2022-05-13"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "_CorExeMain"
-        $ = "GetAgentID"
-        $ = "ComputeStringHash"
-        $ = ".Agent.pdb"
-        $ = "TaskExecTimeout"
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        5 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_oilrig_sc5kv3_strings.yar b/yara_rules/sekoiaio_apt_oilrig_sc5kv3_strings.yar
deleted file mode 100644
index 9b419b6..0000000
--- a/yara_rules/sekoiaio_apt_oilrig_sc5kv3_strings.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_apt_oilrig_sc5kv3_strings {
-    meta:
-        id = "885ea13b-47b0-4a6d-8136-9b31abc9064a"
-        version = "1.0"
-        description = "Detects SC5kv3 malware based on strings"
-        author = "Sekoia.io"
-        creation_date = "2023-12-20"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "no-reply this email!" ascii wide
-        $ = "The serial is " ascii wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 5MB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_oilrig_webshell.yar b/yara_rules/sekoiaio_apt_oilrig_webshell.yar
deleted file mode 100644
index 66df5c0..0000000
--- a/yara_rules/sekoiaio_apt_oilrig_webshell.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_apt_oilrig_webshell {
-    meta:
-        id = "53955117-5176-4682-89ad-1503faba42aa"
-        version = "1.0"
-        description = "Detects a webshell used by OilRig"
-        author = "Sekoia.io"
-        creation_date = "2024-10-23"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "string d = com;"
-        $ = "string p = fu;"
-        $ = "#@rt12!@$$$nnMF##"
-        $ = "messi(d)))"
-        
-    condition:
-        2 of them and filesize < 80KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_polonium_deepcreep_strings.yar b/yara_rules/sekoiaio_apt_polonium_deepcreep_strings.yar
deleted file mode 100644
index dee0435..0000000
--- a/yara_rules/sekoiaio_apt_polonium_deepcreep_strings.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_apt_polonium_deepcreep_strings {
-    meta:
-        id = "b04af229-2bea-4ee8-9e17-8e4befa06e3a"
-        version = "1.0"
-        description = "Tries to detect POLONIUM's DeepCreep implant"
-        author = "Sekoia.io"
-        creation_date = "2022-10-12"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = ";Invoke-Expression -Command '$shortcut =" ascii wide
-        $ = "CreateShortcut($c1" ascii wide
-        $ = "svchostdp.exe" ascii wide
-        $ = "HNlIC91IA==" ascii wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 3MB and
-        3 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_polonium_megacreep_strings.yar b/yara_rules/sekoiaio_apt_polonium_megacreep_strings.yar
deleted file mode 100644
index da5624e..0000000
--- a/yara_rules/sekoiaio_apt_polonium_megacreep_strings.yar
+++ /dev/null
@@ -1,29 +0,0 @@
-rule sekoiaio_apt_polonium_megacreep_strings {
-    meta:
-        id = "927c5fd6-0574-43bf-8db9-6ecc328estrin56c7"
-        version = "1.0"
-        description = "Tries to detect POLONIUM's MegaCreep implant"
-        author = "Sekoia.io"
-        creation_date = "2022-10-12"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "[#!#]" ascii wide
-        $ = "[$$%$$]" ascii wide
-        $ = ".e##x##e" ascii wide
-        $ = "WHLib.dll" ascii wide
-        $ = "TestService.txt" ascii wide
-        $ = "X = Stop" ascii wide
-        $ = "Sess.dll" ascii wide
-        $ = "filepathOnTarget" ascii wide
-        $ = "FileNameOnMega" ascii wide
-        $ = "Missing Parameter.. Format of command:" ascii wide
-        $ = "Your Old K##E##Y is Wronge" ascii wide
-        $ = "Your Upgrage Is Success" ascii wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 2MB and
-        3 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_polonium_powershell_creepydrive_strings.yar b/yara_rules/sekoiaio_apt_polonium_powershell_creepydrive_strings.yar
deleted file mode 100644
index 93a246c..0000000
--- a/yara_rules/sekoiaio_apt_polonium_powershell_creepydrive_strings.yar
+++ /dev/null
@@ -1,25 +0,0 @@
-rule sekoiaio_apt_polonium_powershell_creepydrive_strings {
-    meta:
-        id = "0ba196bd-9cd6-4553-b7bf-69989cdb8be4"
-        version = "1.0"
-        description = "Detects POLONIUM CreepyDrive Powershell implant"
-        author = "Sekoia.io"
-        creation_date = "2022-06-03"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "function Exec($comm)" base64 ascii  wide
-        $ = "$comm = $comm + \"| outstring" base64 ascii  wide
-        $ = "Invoke-Expression -Command:$comm" base64 ascii  wide
-        $ = "microsoft.com" base64 ascii  wide
-        $ = "$req = Invoke-WebRequest" base64 ascii  wide
-        $ = "$j += $data" base64 ascii  wide
-        $ = "$res = Exec($arr[$i])" base64 ascii  wide
-        $ = "$arr = @(iex \"$req\")" base64 ascii  wide
-        $ = "elseif ($req -cmatch" base64 ascii  wide
-        $ = "graph.microsoft.com" base64 ascii  wide
-        
-    condition:
-        3 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_polonium_technocreep_strings.yar b/yara_rules/sekoiaio_apt_polonium_technocreep_strings.yar
deleted file mode 100644
index b6234bc..0000000
--- a/yara_rules/sekoiaio_apt_polonium_technocreep_strings.yar
+++ /dev/null
@@ -1,28 +0,0 @@
-rule sekoiaio_apt_polonium_technocreep_strings {
-    meta:
-        id = "dad79df3-b081-458e-9c14-1d5e2b43ba91"
-        version = "1.1"
-        description = "Tries to detect TechnoCreep implant"
-        author = "Sekoia.io"
-        creation_date = "2022-10-12"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "file name : " ascii wide
-        $ = "copy to : " ascii wide
-        $ = "download" ascii wide
-        $ = "persistence" ascii wide
-        $ = "/cmdResult created!" ascii wide
-        $ = "/downloadsResulat created!" ascii wide
-        $ = "Downloading will take minets..." ascii wide
-        $ = "powershell -Command \"$c1 = " ascii wide
-        $ = "Missing Parameter.. Format of command:" ascii wide
-        $ = "File Fath On Target Device Not Exists>" ascii wide
-        $ = "/MissingDownloadParameter.txt" ascii wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 1MB and
-        4 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_qnapworm_loader_may2022.yar b/yara_rules/sekoiaio_apt_qnapworm_loader_may2022.yar
deleted file mode 100644
index a4f148a..0000000
--- a/yara_rules/sekoiaio_apt_qnapworm_loader_may2022.yar
+++ /dev/null
@@ -1,29 +0,0 @@
-rule sekoiaio_apt_qnapworm_loader_may2022 {
-    meta:
-        id = "c6e87a55-73ea-4df4-ab61-b5d34968d741"
-        version = "1.0"
-        description = "Detects the QNAPWorm loader"
-        author = "Sekoia.io"
-        creation_date = "2022-05-23"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = {
-        66 C1 C0 05
-        0F B7 D8
-        81 C3 85 D0 FF FF
-        66 C1 C3 02
-        0F B7 C3
-        0F B6 9A ?? ?? ?? ??
-        33 D8
-        88 1C 11
-        42
-        0F B6 D2
-        81 FA ?? 00 00 00
-        }
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        all of ($s*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_queueseed.yar b/yara_rules/sekoiaio_apt_queueseed.yar
deleted file mode 100644
index da3deb8..0000000
--- a/yara_rules/sekoiaio_apt_queueseed.yar
+++ /dev/null
@@ -1,29 +0,0 @@
-rule sekoiaio_apt_queueseed {
-    meta:
-        id = "35f7ffd5-4f6f-4b31-8d60-c713a15d14e8"
-        version = "1.0"
-        description = "Detects strings of Queueseed/Kapeka malware"
-        author = "Sekoia.io"
-        creation_date = "2024-04-22"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        // Looking for strings with alignment
-        $ = {2D 00 6F 00 00 00} // '-o'
-        $ = {2D 00 62 00 63 00 00 00} //'-bc'
-        $ = {20 00 00 00 00 00 00 00} // ' '
-        $ = {20 00 2D 00 77 00 00 00} // ' -w'
-        $ = {35 00 3A 00 20 00 00 00} // '5: '
-        $ = {34 00 3A 00 20 00 00 00} // '4: '
-        $ = {33 00 3A 00 20 00 00 00} // '3: '
-        $ = {32 00 3A 00 20 00 00 00} // '2: '
-        $ = {31 00 3A 00 20 00 00 00} // '1: '
-        $ = {50 00 49 00 44 00 20 00 3A 00 20 00 00 00 00 00} // 'PID : '
-        
-        
-        $ = "ExitCode : " wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and all of them and filesize < 200KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_reaper_2fa_phishing_webpage.yar b/yara_rules/sekoiaio_apt_reaper_2fa_phishing_webpage.yar
deleted file mode 100644
index 2196465..0000000
--- a/yara_rules/sekoiaio_apt_reaper_2fa_phishing_webpage.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule sekoiaio_apt_reaper_2fa_phishing_webpage {
-    meta:
-        id = "348ca2ad-c8f9-4aed-8a27-95caa3a34f4b"
-        version = "1.0"
-        description = "Detects Reaper 2FA phishing webpage"
-        author = "Sekoia.io"
-        creation_date = "2023-03-09"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "setTimeout(checkUpload,"
-        $ = "commChannel.addListener("
-        $ = "else if(commType =="
-        $ = "?dir=DOWN&method=READ&id="
-        $ = "Content : base64_encode(upload_data)"
-        $ = "$.post(upHttpRelayer"
-        $ = "var ablyUpData = {"
-        $ = "initComm();"
-        $ = "function Next(arg) {"
-        
-    condition:
-        3 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_reaper_malicious_lnk.yar b/yara_rules/sekoiaio_apt_reaper_malicious_lnk.yar
deleted file mode 100644
index 71ba2a3..0000000
--- a/yara_rules/sekoiaio_apt_reaper_malicious_lnk.yar
+++ /dev/null
@@ -1,16 +0,0 @@
-rule sekoiaio_apt_reaper_malicious_lnk {
-    meta:
-        id = "8f055d1b-5727-4d77-9671-cdbb1ea69d5f"
-        version = "1.0"
-        author = "Sekoia.io"
-        creation_date = "2023-09-12"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "*rshell.exe" wide
-        $ = "/od') do call" wide
-        
-    condition:
-        uint32be(0) == 0x4c000000 and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_redhotel_maliciouslnk_strings.yar b/yara_rules/sekoiaio_apt_redhotel_maliciouslnk_strings.yar
deleted file mode 100644
index 360428c..0000000
--- a/yara_rules/sekoiaio_apt_redhotel_maliciouslnk_strings.yar
+++ /dev/null
@@ -1,26 +0,0 @@
-rule sekoiaio_apt_redhotel_maliciouslnk_strings {
-    meta:
-        id = "df2f0002-7921-4378-a936-ea0de5fbfa5a"
-        version = "1.0"
-        description = "Detects RedHotel's malicious LNKs"
-        author = "Sekoia.io"
-        creation_date = "2024-09-06"
-        classification = "TLP:CLEAR"
-        hash = "8e2c17040ec78cbcdc07bb2cf9dd7e01"
-        hash = "dc613a519e515ca817fdfb88f81fc9d7"
-        hash = "6f7d85c196c277a6a619f6d94b8f69b9"
-        hash = "b04d484d1e1d793b04af2a5fb88a8a57"
-        
-    strings:
-        $ = "desktop-" ascii
-        $ = ".\\1.docx" wide
-        $ = ".\\1.pdf" wide
-        $ = ".\\1.doc" wide
-        $ = ".\\1.ppt" wide
-        $ = ".\\1.pptx" wide
-        $ = "MACOS" wide
-        
-    condition:
-        uint32be(0) == 0x4c000000 and 3 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_rusticweb_stealer.yar b/yara_rules/sekoiaio_apt_rusticweb_stealer.yar
deleted file mode 100644
index cc821b2..0000000
--- a/yara_rules/sekoiaio_apt_rusticweb_stealer.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_apt_rusticweb_stealer {
-    meta:
-        id = "813072e0-28de-4cb7-b2cc-71d77a1e8508"
-        version = "1.0"
-        description = "Detects stealer used by RusticWeb"
-        author = "Sekoia.io"
-        creation_date = "2024-01-09"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "-FTT=@"
-        $s2 = "https://oshi.at"
-        $s3 = "curl-T"
-        $s4 = "upload/upload.php"
-        $s5 = "cargo"
-        
-    condition:
-        uint16be(0) == 0x4d5a and filesize < 4MB and 3 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_sandworm_awfulshred_obfuscation_apr2022.yar b/yara_rules/sekoiaio_apt_sandworm_awfulshred_obfuscation_apr2022.yar
deleted file mode 100644
index 1039422..0000000
--- a/yara_rules/sekoiaio_apt_sandworm_awfulshred_obfuscation_apr2022.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule sekoiaio_apt_sandworm_awfulshred_obfuscation_apr2022 {
-    meta:
-        id = "52317e6b-7f2c-4c2a-bcfc-ebb4ab4c728e"
-        version = "1.0"
-        description = "Detects the AWFULSHRED wiper used by Sandworm"
-        author = "Sekoia.io"
-        creation_date = "2022-04-12"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $h = "#!/bin/bash"
-        $s = { 64 65 63 6c 61 72 65 20 2d 72 20 [8] 3d }
-        
-    condition:
-        $h at 0 and #s > 15
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_sandworm_caddywiper_stacked_strings.yar b/yara_rules/sekoiaio_apt_sandworm_caddywiper_stacked_strings.yar
deleted file mode 100644
index 00f88c1..0000000
--- a/yara_rules/sekoiaio_apt_sandworm_caddywiper_stacked_strings.yar
+++ /dev/null
@@ -1,75 +0,0 @@
-rule sekoiaio_apt_sandworm_caddywiper_stacked_strings {
-    meta:
-        id = "7750c4b6-5781-4b1c-8200-cbce9f18aa56"
-        version = "2.0"
-        description = "Detects stacked strings used in the wiper."
-        author = "Sekoia.io"
-        creation_date = "2022-04-06"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ =  { C6 45 ?? 6E
-        C6 45 ?? 65
-        C6 45 ?? 74
-        C6 45 ?? 61
-        C6 45 ?? 70
-        C6 45 ?? 69
-        C6 45 ?? 33
-        C6 45 ?? 32
-        C6 45 ?? 2E
-        C6 45 ?? 64
-        C6 45 ?? 6C
-        C6 45 ?? 6C }
-        $ = {  C6 45 ?? 44
-        C6 45 ?? 65
-        C6 45 ?? 76
-        C6 45 ?? 69
-        C6 45 ?? 63
-        C6 45 ?? 65
-        C6 45 ?? 49
-        C6 45 ?? 6F
-        C6 45 ?? 43
-        C6 45 ?? 6F
-        C6 45 ?? 6E
-        C6 45 ?? 74
-        C6 45 ?? 72
-        C6 45 ?? 6F
-        C6 45 ?? 6C }
-        $ = { C6 45 ?? 5C
-        C6 45 ?? 00
-        C6 45 ?? 5C
-        C6 45 ?? 00
-        C6 45 ?? 2E
-        C6 45 ?? 00
-        C6 45 ?? 5C
-        C6 45 ?? 00
-        C6 45 ?? 50
-        C6 45 ?? 00
-        C6 45 ?? 48
-        C6 45 ?? 00
-        C6 45 ?? 59
-        C6 45 ?? 00
-        C6 45 ?? 53
-        C6 45 ?? 00
-        C6 45 ?? 49
-        C6 45 ?? 00
-        C6 45 ?? 43
-        C6 45 ?? 00
-        C6 45 ?? 41
-        C6 45 ?? 00
-        C6 45 ?? 4C
-        C6 45 ?? 00
-        C6 45 ?? 44
-        C6 45 ?? 00
-        C6 45 ?? 52
-        C6 45 ?? 00
-        C6 45 ?? 49
-        C6 45 ?? 00
-        C6 45 ?? 56
-        C6 45 ?? 00
-        C6 45 ?? 45 }
-        
-    condition:
-        uint16be(0) == 0x4d5a and 2 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_sandworm_notpetya_strings.yar b/yara_rules/sekoiaio_apt_sandworm_notpetya_strings.yar
deleted file mode 100644
index aeec89e..0000000
--- a/yara_rules/sekoiaio_apt_sandworm_notpetya_strings.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_apt_sandworm_notpetya_strings {
-    meta:
-        id = "c6021638-1b59-4d20-a29d-95cabf256a28"
-        version = "1.0"
-        description = "Detects NotPetya worm"
-        author = "Sekoia.io"
-        creation_date = "2022-04-15"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "wevtutil cl Security &" wide
-        $ = "wevtutil cl System &" wide
-        $ = "u%s \\%s -accepteula -s" wide
-        $ = "\\\\%ws\\admin$\\%ws" wide
-        $ = "\\\\%s\\admin$" wide
-        $ = "C:\\Windows\\System32\\rundll32.exe \"C:\\Windows\\%s\",#1" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        3 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_sandworm_olympicdestroyer.yar b/yara_rules/sekoiaio_apt_sandworm_olympicdestroyer.yar
deleted file mode 100644
index 94eb960..0000000
--- a/yara_rules/sekoiaio_apt_sandworm_olympicdestroyer.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_apt_sandworm_olympicdestroyer {
-    meta:
-        id = "6820eb32-fea2-4a00-a5a2-672ba09f8206"
-        version = "1.0"
-        description = "Detects OlympicDestroyer malware"
-        author = "Sekoia.io"
-        creation_date = "2022-04-15"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "cmd.exe /c (ping 0.0.0.0 > nul)" wide
-        $ = "if exist %programdata%\\evtchk.txt" wide
-        $ = "\\\\.\\pipe\\%ls" wide
-        $ = "%ProgramData%\\%COMPUTERNAME%.exe" wide
-        $ = "(exit 5) else ( type nul >" wide
-        $ = "Select * From Win32_ProcessStopTrace" nocase
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        3 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_sandworm_orcshred_apr2022.yar b/yara_rules/sekoiaio_apt_sandworm_orcshred_apr2022.yar
deleted file mode 100644
index 7a51f3d..0000000
--- a/yara_rules/sekoiaio_apt_sandworm_orcshred_apr2022.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_apt_sandworm_orcshred_apr2022 {
-    meta:
-        id = "1a88800c-29e1-4e2c-8374-f5a93dd9fd91"
-        version = "1.0"
-        description = "Detects the ORCSHRED script"
-        author = "Sekoia.io"
-        creation_date = "2022-04-12"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "find /etc -name os-release >"
-        $ = "/bin/bash /var/"
-        $ = "crontab -l >"
-        $ = ".sh & disown"
-        
-    condition:
-        3 of them and filesize < 2KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_sandworm_powergap_apr2022.yar b/yara_rules/sekoiaio_apt_sandworm_powergap_apr2022.yar
deleted file mode 100644
index 7c9b6d7..0000000
--- a/yara_rules/sekoiaio_apt_sandworm_powergap_apr2022.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_apt_sandworm_powergap_apr2022 {
-    meta:
-        id = "2a1c7f02-92b3-45b8-a710-253b1a28fe85"
-        version = "1.0"
-        description = "Detects the POWERGAP malware"
-        author = "Sekoia.io"
-        creation_date = "2022-04-12"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "Get-WmiObject Win32 ComputerSystem).Domain" nocase wide ascii
-        $ = "Write-Host \"Error1" nocase wide ascii
-        $ = "Write-Host \"Done\" -ForegroundColor Red" nocase wide ascii
-        $ = "sysvol\\$Domain\\Poicies\\$GpoGuid" nocase wide ascii
-        $ = "Function Start-work" nocase wide ascii
-        $ = "Domain: {0}\" -f $Domain)" nocase wide ascii
-        
-    condition:
-        filesize < 3KB and 5 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_scanbox_framework_not_obfuscated.yar b/yara_rules/sekoiaio_apt_scanbox_framework_not_obfuscated.yar
deleted file mode 100644
index 319b555..0000000
--- a/yara_rules/sekoiaio_apt_scanbox_framework_not_obfuscated.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule sekoiaio_apt_scanbox_framework_not_obfuscated {
-    meta:
-        id = "4790f122-89de-4f7b-a25f-9ac7b1af8333"
-        version = "1.0"
-        description = "Detects the non obfuscated version of ScanBox"
-        author = "Sekoia.io"
-        creation_date = "2022-09-01"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "php?m=a&data="
-        $ = "php?m=p&data="
-        $ = ".fun.split_data = function"
-        $ = ".php?data="
-        $ = ".php?m=b"
-        $ = "basic.apipath"
-        $ = ".info.seed ="
-        $ = "loadjs ="
-        $ = "info.color = screen.colorDepth"
-        
-    condition:
-        5 of them and filesize < 500KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_scanbox_obfuscated_versions.yar b/yara_rules/sekoiaio_apt_scanbox_obfuscated_versions.yar
deleted file mode 100644
index 86bd52d..0000000
--- a/yara_rules/sekoiaio_apt_scanbox_obfuscated_versions.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_apt_scanbox_obfuscated_versions {
-    meta:
-        id = "2866cead-7f16-4895-80ef-aad6fb66e864"
-        version = "1.0"
-        description = "Detects obfuscated versions of the scanbox framework"
-        author = "Sekoia.io"
-        creation_date = "2022-09-01"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "$_$_$_$__$_____$__$_$_$_$__$"
-        $ = "NztCm_NcDkh"
-        $ = "____$_$__$__$_______w____$_$__$__$_____i____$_$__$__$_____"
-        $ = "391,379,398,381,386"
-        $ = "plguinurl"
-        $ = "plugin_timeout*1000"
-        
-    condition:
-        2 of them and filesize < 500KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_shadowpad_first_called_function.yar b/yara_rules/sekoiaio_apt_shadowpad_first_called_function.yar
deleted file mode 100644
index c196559..0000000
--- a/yara_rules/sekoiaio_apt_shadowpad_first_called_function.yar
+++ /dev/null
@@ -1,37 +0,0 @@
-rule sekoiaio_apt_shadowpad_first_called_function {
-    meta:
-        id = "3ce1ffd3-5c30-4b36-b7cc-c9fa873ebc25"
-        version = "1.0"
-        description = "Detects entrypoint of shadowpad"
-        author = "Sekoia.io"
-        creation_date = "2023-01-30"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $chunk_1 = {
-        48 83 EC 28
-        33 C9
-        FF 15 ?? ?? ?? ??
-        8B 80 ?? ?? ?? ??
-        3B 05 ?? ?? ?? ??
-        74 ??
-        E8 ?? ?? ?? ??
-        E8 ?? ?? ?? ??
-        EB ??
-        48 8B 0D ?? ?? ?? ??
-        E8 ?? ?? ?? ??
-        8B C8
-        FF 15 ?? ?? ?? ??
-        90
-        B9 28 04 00 00
-        FF 15 ?? ?? ?? ??
-        90
-        48 83 C4 28
-        C3
-        }
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_sidecopy_actionrat_packer_strings.yar b/yara_rules/sekoiaio_apt_sidecopy_actionrat_packer_strings.yar
deleted file mode 100644
index 3ae4b4b..0000000
--- a/yara_rules/sekoiaio_apt_sidecopy_actionrat_packer_strings.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_apt_sidecopy_actionrat_packer_strings {
-    meta:
-        id = "b9370bd5-12e1-448e-a5b1-2acc72adc4a7"
-        version = "1.0"
-        description = "Detects SideCopy's ActionRAT (packer?)"
-        author = "Sekoia.io"
-        creation_date = "2023-05-11"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "(HTTP/1\\.[01]) (\\d{3})(?: (.*?))?"
-        $ = "cpp-httplib/0.7"
-        $ = "\\HTTP Arsanel\\"
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 1MB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_sidecopy_cheex.yar b/yara_rules/sekoiaio_apt_sidecopy_cheex.yar
deleted file mode 100644
index 59a83bc..0000000
--- a/yara_rules/sekoiaio_apt_sidecopy_cheex.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule sekoiaio_apt_sidecopy_cheex {
-    meta:
-        id = "e9b57f15-e703-4367-b501-fa8a873e4455"
-        version = "1.0"
-        description = "Detects PDB path of Cheex"
-        author = "Sekoia.io"
-        creation_date = "2024-08-14"
-        classification = "TLP:CLEAR"
-        hash = "825c7a1603f800ff247c8f3e9a1420af"
-        
-    strings:
-        $ = "C:\\Users\\Dead Snake\\source\\repos\\cheex" ascii fullword
-        
-    condition:
-        uint16be(0) == 0x4d5a and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_sidecopy_malicious_macro.yar b/yara_rules/sekoiaio_apt_sidecopy_malicious_macro.yar
deleted file mode 100644
index e7d8b7f..0000000
--- a/yara_rules/sekoiaio_apt_sidecopy_malicious_macro.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_apt_sidecopy_malicious_macro {
-    meta:
-        id = "4b90c33e-48d4-48b6-87a7-c35686e7e913"
-        version = "1.0"
-        description = "Detects malicious macro used by SideCopy"
-        author = "Sekoia.io"
-        creation_date = "2023-05-11"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "htmlFile$"
-        $ = "Gecko/20100101 Firefox/91.0"
-        $ = "Start Menu\\Programs\\Startup\\"
-        $ = "Document_Close"
-        $ = "ThisDocument" wide
-        $ = "ServerXMLHTTP.6.0"
-        
-    condition:
-        uint32be(0) == 0xD0CF11E0 and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_sidecopy_reverserat_strings.yar b/yara_rules/sekoiaio_apt_sidecopy_reverserat_strings.yar
deleted file mode 100644
index 710956c..0000000
--- a/yara_rules/sekoiaio_apt_sidecopy_reverserat_strings.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule sekoiaio_apt_sidecopy_reverserat_strings {
-    meta:
-        id = "383397c9-fd4a-4255-a8f2-27683bdbb7f7"
-        version = "1.0"
-        description = "Detects SideCopy's ReverseRAT"
-        author = "Sekoia.io"
-        creation_date = "2023-05-11"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "downloadexe" wide
-        $ = "creatdir" wide
-        $ = "regnewkey" wide
-        $ = "reglist" wide
-        $ = "regdelkey" wide
-        $ = "clipboardset" wide
-        $ = "shellexec" wide
-        $ = "SELECT maxclockspeed,  datawidth, name, manufacturer FROM Win32_Processor" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_sofacy_graphitemalware_generic.yar b/yara_rules/sekoiaio_apt_sofacy_graphitemalware_generic.yar
deleted file mode 100644
index 18afbcd..0000000
--- a/yara_rules/sekoiaio_apt_sofacy_graphitemalware_generic.yar
+++ /dev/null
@@ -1,26 +0,0 @@
-import "pe"
-        
-rule sekoiaio_apt_sofacy_graphitemalware_generic {
-    meta:
-        id = "6b51cfa3-4a7d-4c2a-9fd9-f129b8a18466"
-        version = "1.0"
-        description = "Detects APT28 graphite malware based on strings"
-        author = "Sekoia.io"
-        creation_date = "2022-09-27"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "Microsoft Enhanced RSA and AES Cryptographic Provider" wide
-        $ = "Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)" wide
-        $ = "%s %04d sp%1d.%1d %s"
-        $ = "%s%c%s%c%s"
-        $ = "InternetReadFile"
-        $ = "ObtainUserAgentString"
-        $ = "CryptImportKey"
-        
-    condition:
-        uint16be(0) == 0x4d5a and 
-        filesize < 100KB   and
-        ( all of them or pe.imphash() == "c56c322548250651361aef7dacf93eaf" )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_spikedwine_malicious_hta.yar b/yara_rules/sekoiaio_apt_spikedwine_malicious_hta.yar
deleted file mode 100644
index de36fee..0000000
--- a/yara_rules/sekoiaio_apt_spikedwine_malicious_hta.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_apt_spikedwine_malicious_hta {
-    meta:
-        id = "e4526142-d98a-bf35-9d2c-ca2e83638c4b"
-        version = "1.0"
-        description = "Detects malicious HTA used by SPIKEDWINE"
-        author = "Sekoia.io"
-        creation_date = "2024-02-29"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "<HTA:APPLICATION ID=" nocase
-        $ = "return _0x"
-        $ = "font-size: 18px;"
-        
-    condition:
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_spikedwine_wineloader.yar b/yara_rules/sekoiaio_apt_spikedwine_wineloader.yar
deleted file mode 100644
index 9bf4a37..0000000
--- a/yara_rules/sekoiaio_apt_spikedwine_wineloader.yar
+++ /dev/null
@@ -1,27 +0,0 @@
-import "pe"
-        
-rule sekoiaio_apt_spikedwine_wineloader {
-    meta:
-        id = "7a599076-cd9d-42c4-a83a-9a991ede19fb"
-        version = "1.0"
-        description = "Detects vineloader"
-        author = "Sekoia.io"
-        creation_date = "2024-02-29"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $c = { E8 ?? ?? ?? ?? 48 8D 0D
-        ?? ?? ?? ?? 48 8D 05 ??
-        ?? ?? ?? 48 89 05 ?? ??
-        ?? ?? 48 C7 05 ?? ?? ??
-        ?? ?? ?? 00 00 48 C7 05
-        ?? ?? ?? ?? ?? ?? 00 00 }
-        
-    condition:
-        pe.is_dll() and
-        filesize < 100KB and
-        for any export in pe.export_details: (
-            $c in (export.offset..export.offset+100)
-        )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_spynote_android_dex_strings.yar b/yara_rules/sekoiaio_apt_spynote_android_dex_strings.yar
deleted file mode 100644
index 3ae0ac0..0000000
--- a/yara_rules/sekoiaio_apt_spynote_android_dex_strings.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_apt_spynote_android_dex_strings {
-    meta:
-        id = "87fb8b7a-bfac-4003-b618-50b4a7863928"
-        version = "1.0"
-        description = "Detects Android SpyNote DEX file"
-        author = "Sekoia.io"
-        creation_date = "2022-08-22"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "is not file found"
-        $ = "Can not access"
-        $ = "PANG !!"
-        $ = "On Start!!"
-        
-    condition:
-        uint32be(0) == 0x6465780A and
-        filesize < 1MB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_stripedfly.yar b/yara_rules/sekoiaio_apt_stripedfly.yar
deleted file mode 100644
index 5a7fce7..0000000
--- a/yara_rules/sekoiaio_apt_stripedfly.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_apt_stripedfly {
-    meta:
-        id = "81968d34-3247-4965-ba44-55747370c90e"
-        version = "1.0"
-        description = "Detects string relative to Stripedfly malware"
-        author = "Sekoia.io"
-        creation_date = "2023-11-30"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "{\"id\":%d,\"jsonrpc\":\"2.0\",\"method\":\"%s\",\"params\":%s}"
-        $s2 = "{\"login\":\"%s\",\"pass\":\"%s\",\"agent\":\"\"}"
-        $s3 = "(tcp|ssl)://([A-Za-z0-9\\.\\-]+):([0-9]+)"
-        
-    condition:
-        filesize < 3MB and 2 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_sugardump_credentials_stealer_http.yar b/yara_rules/sekoiaio_apt_sugardump_credentials_stealer_http.yar
deleted file mode 100644
index dabd97a..0000000
--- a/yara_rules/sekoiaio_apt_sugardump_credentials_stealer_http.yar
+++ /dev/null
@@ -1,29 +0,0 @@
-rule sekoiaio_apt_sugardump_credentials_stealer_http {
-    meta:
-        id = "47d01ba8-9fdd-42d5-9f10-115f982dc133"
-        version = "1.0"
-        author = "Sekoia.io"
-        creation_date = "2022-08-23"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "\\Google\\Chrome\\User Data" wide
-        $ = "\\DebugLogWindowsDefender.txt" wide
-        $ = "Opera Software\\Opera Stable" wide
-        $ = "Microsoft\\Edge\\User Data" wide
-        $ = "\"encrypted_key\":\"(.*?)\\" wide
-        $ = "Url:" wide
-        $ = "Username:" wide
-        $ = "Password:" wide
-        $ = "Application:" wide
-        $ = "BCrypt.BCryptDecrypt" wide
-        $ = "C:\\Users\\User\\" wide
-        $ = "_CorExeMain"
-        $ = "http://" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 1MB and
-        10 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_sugardump_credentials_stealer_smtp.yar b/yara_rules/sekoiaio_apt_sugardump_credentials_stealer_smtp.yar
deleted file mode 100644
index 18fd744..0000000
--- a/yara_rules/sekoiaio_apt_sugardump_credentials_stealer_smtp.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_apt_sugardump_credentials_stealer_smtp {
-    meta:
-        id = "bf028ebc-bfaa-45b3-9a3f-8949a5efbb73"
-        version = "1.0"
-        description = "Detects SUGARDUMP SMTP version"
-        author = "Sekoia.io"
-        creation_date = "2022-08-23"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "<<<<<<<< ------ Passwords Total: {0} --------- >>>>>>>>" wide
-        $ = "Url = {0} , Count = {1}" wide
-        $ = "smtp." wide
-        $ = "encrypted_key\":\"(.*?)\"" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 1MB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_sugargh0stcampaign_malicious_lnk.yar b/yara_rules/sekoiaio_apt_sugargh0stcampaign_malicious_lnk.yar
deleted file mode 100644
index b5b215c..0000000
--- a/yara_rules/sekoiaio_apt_sugargh0stcampaign_malicious_lnk.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_apt_sugargh0stcampaign_malicious_lnk {
-    meta:
-        id = "4297c150-d125-49b9-8850-fcedf5284ae9"
-        version = "1.0"
-        description = "Detects malicious LNK used in SugarGh0st campaign"
-        author = "Sekoia.io"
-        creation_date = "2023-12-01"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "dir /S/b *.lnk " wide
-        $ = "%temp%\\*.lnk" wide
-        
-    condition:
-        uint32be(0) == 0x4c000000 and
-        filesize < 1MB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_susp_apt28_uac0063_hatvibe.yar b/yara_rules/sekoiaio_apt_susp_apt28_uac0063_hatvibe.yar
deleted file mode 100644
index b74b373..0000000
--- a/yara_rules/sekoiaio_apt_susp_apt28_uac0063_hatvibe.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_apt_susp_apt28_uac0063_hatvibe {
-    meta:
-        id = "c4e04671-e75f-40a4-a489-79c2ce91cf7a"
-        version = "1.0"
-        description = "Detects some suspected UAC-0063/APT28 HTA loader"
-        author = "Sekoia.io"
-        creation_date = "2024-07-25"
-        classification = "TLP:CLEAR"
-        hash = "332d9db35daa83c5ad226b9bf50e992713bc6a69c9ecd52a1223b81e992bc725"
-        
-    strings:
-        $ = "& temp(Mid(" ascii fullword
-        $ = ".InnerHTML =" ascii fullword
-        $ = "peceert" ascii fullword
-        $ = "window.setTimeout" ascii fullword
-        $ = "cmdline = Split(" ascii fullword
-        
-    condition:
-        3 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_susp_apt28_uac0063_hta_loader.yar b/yara_rules/sekoiaio_apt_susp_apt28_uac0063_hta_loader.yar
deleted file mode 100644
index 11449c3..0000000
--- a/yara_rules/sekoiaio_apt_susp_apt28_uac0063_hta_loader.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_apt_susp_apt28_uac0063_hta_loader {
-    meta:
-        id = "8e1889c1-c6ac-4048-9d3a-99ccbbd5435f"
-        version = "1.0"
-        description = "Detects some suspected APT28 HTA loader"
-        author = "Sekoia.io"
-        creation_date = "2024-07-25"
-        classification = "TLP:CLEAR"
-        hash = "332d9db35daa83c5ad226b9bf50e992713bc6a69c9ecd52a1223b81e992bc725"
-        
-    strings:
-        $ = "<HEAD><HTA:APPLICATION ID" ascii fullword
-        $ = "id=service>null</span" ascii fullword
-        $ = "script Language=\"VBScript.Encode" ascii fullword
-        
-    condition:
-        2 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_susp_apt28_uac0063_malicious_doc.yar b/yara_rules/sekoiaio_apt_susp_apt28_uac0063_malicious_doc.yar
deleted file mode 100644
index 4de04d5..0000000
--- a/yara_rules/sekoiaio_apt_susp_apt28_uac0063_malicious_doc.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_apt_susp_apt28_uac0063_malicious_doc {
-    meta:
-        id = "2b9d597a-a6cd-49df-8938-7103342a1d06"
-        version = "1.0"
-        description = "Detects some suspected APT28 document"
-        author = "Sekoia.io"
-        creation_date = "2024-07-25"
-        classification = "TLP:CLEAR"
-        hash = "93322be0785556e627d2b09832c18e39c115e6a6fbff64b1e590e1ddcf8f6a43"
-        
-    strings:
-        $ = "Sub pop() : : End Sub" ascii fullword
-        $ = "%localappdata%\\Temp" ascii fullword
-        $ = "rthedbv" ascii fullword
-        
-    condition:
-        2 of them and filesize < 1MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_susp_apt28_uac0063_malicious_doc_settings_xml.yar b/yara_rules/sekoiaio_apt_susp_apt28_uac0063_malicious_doc_settings_xml.yar
deleted file mode 100644
index b0724c7..0000000
--- a/yara_rules/sekoiaio_apt_susp_apt28_uac0063_malicious_doc_settings_xml.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_apt_susp_apt28_uac0063_malicious_doc_settings_xml {
-    meta:
-        id = "fd104985-6441-4fb6-8cc1-30afa4a7797b"
-        version = "1.0"
-        description = "Detects some suspected APT28 document settings.xml"
-        author = "Sekoia.io"
-        creation_date = "2024-07-25"
-        classification = "TLP:CLEAR"
-        hash = "0272acc6ed17c72320e4e7b0f5d449841d0ccab4ea89f48fd69d0a292cc5d39a"
-        
-    strings:
-        $ = "http://schemas.openxmlformats.org/" ascii fullword
-        $ = "Call svc.GetFolder(" ascii fullword
-        $ = "CreateTextFile(appdir" ascii fullword
-        $ = "Sub Document_Open() : On Error Resume Next" ascii fullword
-        
-    condition:
-        2 of them and filesize < 1MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_susp_apt28_uac0063_malicious_doc_vba.yar b/yara_rules/sekoiaio_apt_susp_apt28_uac0063_malicious_doc_vba.yar
deleted file mode 100644
index 8ce3d5d..0000000
--- a/yara_rules/sekoiaio_apt_susp_apt28_uac0063_malicious_doc_vba.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_apt_susp_apt28_uac0063_malicious_doc_vba {
-    meta:
-        id = "58040dbd-09ae-4f9e-940d-3a522e7ccfbb"
-        version = "1.0"
-        description = "Detects some suspected APT28 document vba"
-        author = "Sekoia.io"
-        creation_date = "2024-07-25"
-        classification = "TLP:CLEAR"
-        hash = "fceffb8ae94cef3af21b2943131e94db9e0e67073de48d9d32601a245448d067"
-        
-    strings:
-        $ = { 2f 31 2e 31 20 32 30 30 20 4f 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 33 31 30 }
-        $ = "ThisDocument" wide
-        
-    condition:
-        uint32be(0) == 0xd0cf11e0 and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_susp_lazarus_dangerous_password.yar b/yara_rules/sekoiaio_apt_susp_lazarus_dangerous_password.yar
deleted file mode 100644
index 0fd3f73..0000000
--- a/yara_rules/sekoiaio_apt_susp_lazarus_dangerous_password.yar
+++ /dev/null
@@ -1,16 +0,0 @@
-rule sekoiaio_apt_susp_lazarus_dangerous_password {
-    meta:
-        id = "726c8b92-7fbe-40f8-917a-cabd206028da"
-        version = "1.0"
-        author = "Sekoia.io"
-        creation_date = "2023-09-12"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = ".jpeg" wide
-        $ = "mshta"
-        
-    condition:
-        uint32be(0) == 0x4c000000 and all of them and filesize < 5KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_suspected_sandworm_sdelete_wiper.yar b/yara_rules/sekoiaio_apt_suspected_sandworm_sdelete_wiper.yar
deleted file mode 100644
index 2cd8058..0000000
--- a/yara_rules/sekoiaio_apt_suspected_sandworm_sdelete_wiper.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_apt_suspected_sandworm_sdelete_wiper {
-    meta:
-        id = "c1419b11-33e5-4280-b92a-039719cb17d3"
-        version = "1.0"
-        description = "Detects Sdelete wiper"
-        author = "Sekoia.io"
-        creation_date = "2023-10-25"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = ".exe -accepteula -r -s -q" wide
-        $s2 = "sdelete [-p passes] [-r]" wide
-        $s3 = "!This program cannot be run in DOS mode."
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        $s1 and $s2 and #s3 == 2 and
-        filesize < 500KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_ta410_driver_keylogger.yar b/yara_rules/sekoiaio_apt_ta410_driver_keylogger.yar
deleted file mode 100644
index 3aace37..0000000
--- a/yara_rules/sekoiaio_apt_ta410_driver_keylogger.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule sekoiaio_apt_ta410_driver_keylogger {
-    meta:
-        id = "0cba1b3b-b93e-41e3-a7df-afd306e6b519"
-        version = "1.0"
-        description = "Keylogger TA410"
-        author = "Sekoia.io"
-        creation_date = "2022-10-11"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "namedpipe_keymousespy" ascii wide
-        $ = "[`LCTRL]" ascii wide
-        $ = "[`RCTRL]" ascii wide
-        $ = "[`BREAK]" ascii wide
-        $ = "[`NUMLOCK]" ascii wide
-        $ = "[`L]" ascii wide
-        $ = "[`R]" ascii wide
-        $ = "[`M]" ascii wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and filesize < 1MB and
-        3 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_ta410_flowcloud_loader.yar b/yara_rules/sekoiaio_apt_ta410_flowcloud_loader.yar
deleted file mode 100644
index 18f160b..0000000
--- a/yara_rules/sekoiaio_apt_ta410_flowcloud_loader.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule sekoiaio_apt_ta410_flowcloud_loader {
-    meta:
-        id = "0a11dfa0-5a59-477b-baf6-6a777d020860"
-        version = "1.0"
-        description = "Detects FlowCloud Loader"
-        author = "Sekoia.io"
-        creation_date = "2024-05-27"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $decryption_function = {8A C8 80 C1 26 32 D1 30 14 38}
-        $derivation_key = {6B 04 00 00 F7 ?? 81 c2 a8 01 00 00}
-        
-        $new_pattern_1 = {50 33 c0 58 74 01 e8}
-        $new_pattern_2 = {89 44 24 fc 58 8D 64
-        24 fc 81 fc 00 10 00
-        00 77 06 81 c4 ?? ??
-        ?? ?? 8B 44 24 FC}
-        $patch_bytes = {68 78 56 34 12 C3 90 90 90 90 90 00}
-        
-    condition:
-        uint16be(0) == 0x4d5a and filesize < 4MB and 2 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_ta410_flowcloud_rtti.yar b/yara_rules/sekoiaio_apt_ta410_flowcloud_rtti.yar
deleted file mode 100644
index cd8b9bf..0000000
--- a/yara_rules/sekoiaio_apt_ta410_flowcloud_rtti.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_apt_ta410_flowcloud_rtti {
-    meta:
-        id = "c6a18c08-8b98-46d7-a6c3-dc171c7791ac"
-        version = "1.0"
-        description = "Detects FlowCloud via RTTI"
-        author = "Sekoia.io"
-        creation_date = "2022-10-11"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $RTTI_1 = ".?AVdllloader@@" ascii fullword
-        $RTTI_2 = ".?AVel_cryptowrapper@@" ascii fullword
-        $RTTI_3 = ".?AVAntiVirusCheck@@" ascii fullword
-        
-    condition:
-        uint16(0) == 0x5A4D and filesize < 10MB and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_ta428_tmanger_strings.yar b/yara_rules/sekoiaio_apt_ta428_tmanger_strings.yar
deleted file mode 100644
index 6fa1d1b..0000000
--- a/yara_rules/sekoiaio_apt_ta428_tmanger_strings.yar
+++ /dev/null
@@ -1,27 +0,0 @@
-rule sekoiaio_apt_ta428_tmanger_strings {
-    meta:
-        id = "f600404d-3f93-4e3f-bba7-9f519f67c6cb"
-        version = "1.0"
-        description = "Detects Tmanger malware"
-        author = "Sekoia.io"
-        creation_date = "2022-09-06"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "sock_hmutex" wide ascii
-        $ = "cmd_hmutex" wide ascii
-        $ = "%s_%d.bmp" wide ascii
-        $ = "WSAStartup Error!" wide ascii
-        $ = "4551-8f84-08e738aec" wide ascii
-        $ = "Init failed!" wide ascii
-        $ = "GetLanIP error!" wide ascii
-        $ = "chcp & exit" wide ascii
-        $ = "GetHostname error!" wide ascii
-        $ = "[Num Lock]" wide ascii
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 200KB and
-        4 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_tealkurma_snappytcp_reverse_shell_strings.yar b/yara_rules/sekoiaio_apt_tealkurma_snappytcp_reverse_shell_strings.yar
deleted file mode 100644
index 81e24c9..0000000
--- a/yara_rules/sekoiaio_apt_tealkurma_snappytcp_reverse_shell_strings.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_apt_tealkurma_snappytcp_reverse_shell_strings {
-    meta:
-        id = "e842825c-546c-475a-bc94-7e97aea4e9e0"
-        version = "1.0"
-        description = "Detects TealKurma SnappyTCP reverse shell"
-        author = "Sekoia.io"
-        creation_date = "2023-12-08"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "2>&1>/dev/null&" ascii
-        $ = ".php HTTP/1.1" ascii
-        $ = "GET /" ascii
-        $ = "Hostname: %s" ascii
-        $ = "bash -c \"./" ascii
-        
-    condition:
-        uint32be(0) == 0x7f454c46 and
-        filesize < 3MB and
-        3 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_tealkurma_snappytcp_strings.yar b/yara_rules/sekoiaio_apt_tealkurma_snappytcp_strings.yar
deleted file mode 100644
index 2199a98..0000000
--- a/yara_rules/sekoiaio_apt_tealkurma_snappytcp_strings.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_apt_tealkurma_snappytcp_strings {
-    meta:
-        id = "6bbee6d6-f490-4550-bd61-a643f93a8788"
-        version = "1.0"
-        description = "Detects TealKurma SnappyTCP shell script"
-        author = "Sekoia.io"
-        creation_date = "2023-12-08"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "#!/bin/bash" ascii
-        $s2 = "2>&1>/dev/null&" ascii
-        $s3 = "PATH=$PATH:$PWD;" ascii
-        
-    condition:
-        $s1 at 0 and $s2 at filesize-16 and $s3 
-        and filesize < 300
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_toddycat_toddybox_strings.yar b/yara_rules/sekoiaio_apt_toddycat_toddybox_strings.yar
deleted file mode 100644
index e06ad8e..0000000
--- a/yara_rules/sekoiaio_apt_toddycat_toddybox_strings.yar
+++ /dev/null
@@ -1,25 +0,0 @@
-rule sekoiaio_apt_toddycat_toddybox_strings {
-    meta:
-        id = "fde3df24-ebd7-4327-998e-bddaa08835da"
-        version = "1.0"
-        description = "Detects ToddyCat's ToddyBox binary"
-        author = "Sekoia.io"
-        creation_date = "2023-11-20"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "Wait a while to upload the next file..."
-        $ = "[-] Error Msg: %s"
-        $ = "[-] Error Msg: Connect Errors or Proxy Errors"
-        $ = "[-] arg missing!"
-        $ = "[-] Get module dir failed!"
-        $ = "[-] Dir error!"
-        $ = "Auto Get Proxy %S"
-        $ = "Dropbox-API-Arg"
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 1MB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_toddycat_tomberbil_strings.yar b/yara_rules/sekoiaio_apt_toddycat_tomberbil_strings.yar
deleted file mode 100644
index 57f177e..0000000
--- a/yara_rules/sekoiaio_apt_toddycat_tomberbil_strings.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-rule sekoiaio_apt_toddycat_tomberbil_strings {
-    meta:
-        id = "b16f4d35-ea59-4439-8ddb-2c0415b97b9b"
-        version = "1.0"
-        description = "Detects TomBerBil password stealer"
-        author = "Sekoia.io"
-        creation_date = "2024-04-23"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "[+] Begin" ascii wide
-        $ = "[+] Delete File" ascii wide
-        $ = "[+] Current user" ascii wide
-        $ = "[+] Impersonate user" ascii wide
-        $ = "[+] Local State File" ascii wide
-        $ = "[>] Profile" ascii wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 1MB and
-        4 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_toddycat_waexp_strings.yar b/yara_rules/sekoiaio_apt_toddycat_waexp_strings.yar
deleted file mode 100644
index 8f8b81a..0000000
--- a/yara_rules/sekoiaio_apt_toddycat_waexp_strings.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_apt_toddycat_waexp_strings {
-    meta:
-        id = "1bbb3e81-14a9-4bda-b647-b6f5255e9a16"
-        version = "1.0"
-        description = "Detects WAExp based on strings"
-        author = "Sekoia.io"
-        creation_date = "2024-04-23"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "[>] Profile:" wide ascii
-        $ = "[+] All Done" wide ascii
-        $ = "[+] Files:" wide ascii
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
-        all of them and filesize < 1MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_toneshell_loader.yar b/yara_rules/sekoiaio_apt_toneshell_loader.yar
deleted file mode 100644
index 00a032e..0000000
--- a/yara_rules/sekoiaio_apt_toneshell_loader.yar
+++ /dev/null
@@ -1,41 +0,0 @@
-rule sekoiaio_apt_toneshell_loader {
-    meta:
-        id = "b4bf284b-cab6-455e-a1c1-ad341d43bfdd"
-        version = "1.0"
-        description = "Detects loader of ToneShell (exception based)"
-        author = "Sekoia.io"
-        creation_date = "2024-10-02"
-        classification = "TLP:CLEAR"
-        hash = "41e0d172d900344a3692b88fff7527d9"
-        hash = "782cf7183735935f3f7aad041cec3184"
-        hash = "97c1f436028c58b51d4c92ee9c9ce424"
-        hash = "d6c771f2afd8ce35e8727f95f3a3c6c4"
-        hash = "b8520c5bad88ade394086cb7b1b7b631"
-        hash = "0b3e8571e70a32490da19f6b3283151c"
-        hash = "f6784c65ee115a9ae4c0fb03e0045285"
-        hash = "38888696e5223c77f5f8680922396123"
-        hash = "b52d0707e4e5d5c0d5fd5f5a177ba712"
-        hash = "fd54c6d17ff91640b377ff41353efdaa"
-        hash = "a6efe263acc794a212647a96e52ddf1f"
-        hash = "6e8c80c5f2f9a1da504618e984d2a56c"
-        hash = "0839666697ccc562a9c1fe77d6755931"
-        hash = "f367f2fe580e556176b60da202c742a5"
-        hash = "e8b2fcc14494ada2f28d1f6ecd2521a2"
-        hash = "c08589e10812cc7d636dcbe2a36d43b4"
-        hash = "fa848a05cfecc0c25cd21364c9516584"
-        hash = "be231f7879d8d2159b67b7f277527268"
-        hash = "2acd8b48202dcc30d88a871370c4f37a"
-        hash = "72963bfc2837695f038680471d4f061c"
-        
-    strings:
-        $exception = {00 00 00 00 2e 44 00 00}
-        $code = {02 00 00 00 66 89 96}
-        $kernel32 = "Kernel32.dll" wide
-        $outputdbgstr = "OutputDebugStringA"
-        $content = "ResetEvent"
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        all of them and filesize < 2MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_toneshell_shellcode.yar b/yara_rules/sekoiaio_apt_toneshell_shellcode.yar
deleted file mode 100644
index 3448f2e..0000000
--- a/yara_rules/sekoiaio_apt_toneshell_shellcode.yar
+++ /dev/null
@@ -1,35 +0,0 @@
-rule sekoiaio_apt_toneshell_shellcode {
-    meta:
-        id = "5ac8d2e9-dbeb-42f9-8343-1281510d4411"
-        version = "1.0"
-        description = "Detects first bytes of ToneShell used to call the shellcode or the code to check the MagicNumber (0x17 0x03 0x03)"
-        author = "Sekoia.io"
-        creation_date = "2024-10-02"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $code = {55 8b ec 83 ec 0c e8 85 00 00 00 6a 00 6a 00 6a 02 6a 00 6a 00 68 00 00 00 10}
-        $MagicNumberParser = {
-        B8 01 00 00 00
-        6B C8 00
-        8B 55 ??
-        0F BE 04 0A
-        83 F8 17
-        75 ??
-        B9 01 00 00 00
-        C1 E1 00
-        8B 55 ??
-        0F BE 04 0A
-        83 F8 03
-        75 ??
-        B9 01 00 00 00
-        D1 E1
-        8B 55 ??
-        0F BE 04 0A
-        83 F8 03
-        }
-        
-    condition:
-        any of them and filesize < 1MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_tortoiseshell_imaploader.yar b/yara_rules/sekoiaio_apt_tortoiseshell_imaploader.yar
deleted file mode 100644
index 7ba4c06..0000000
--- a/yara_rules/sekoiaio_apt_tortoiseshell_imaploader.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_apt_tortoiseshell_imaploader {
-    meta:
-        id = "e1706b59-5c94-4fbf-8560-0022ca631d1d"
-        version = "1.0"
-        description = "Detects IMAPLoader malware"
-        author = "Sekoia.io"
-        creation_date = "2023-11-13"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "yandex.com"
-        $s2 = "saveImapMessage.pdb"
-        $s3 = "downloader"
-        $s4 = "MailServer.Auth"
-        
-    condition:
-        filesize < 1MB and
-        3 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_tortoiseshell_wateringhole_script.yar b/yara_rules/sekoiaio_apt_tortoiseshell_wateringhole_script.yar
deleted file mode 100644
index e0401cb..0000000
--- a/yara_rules/sekoiaio_apt_tortoiseshell_wateringhole_script.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-rule sekoiaio_apt_tortoiseshell_wateringhole_script {
-    meta:
-        id = "58c5ae66-fe09-497c-80bf-20feee4d95e7"
-        version = "1.0"
-        description = "Detect's Tortoiseshell WH script"
-        author = "Sekoia.io"
-        creation_date = "2023-05-24"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "btoa(pluggin.toString())"
-        $ = "btoa(document.referrer)"
-        $ = "pluggin.push(navigator.plugins[i]"
-        $ = "navigator.language"
-        $ = "window.RTCPeerConnection"
-        $ = "sha256(canvas.toDataURL("
-        $ = "canvas.getContext('2d"
-        $ = "noop = function() {},"
-        
-    condition:
-        5 of them and filesize < 10000
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_turla_comlook.yar b/yara_rules/sekoiaio_apt_turla_comlook.yar
deleted file mode 100644
index 465e7ef..0000000
--- a/yara_rules/sekoiaio_apt_turla_comlook.yar
+++ /dev/null
@@ -1,32 +0,0 @@
-rule sekoiaio_apt_turla_comlook {
-    meta:
-        id = "c3bf886b-f952-47f9-aff6-3cd74c27077d"
-        version = "1.0"
-        description = "Detects Class and Method names used inside ComLook"
-        author = "Sekoia.io"
-        creation_date = "2023-10-30"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ClassName1 = "AgentConfig"
-        $ClassName2 = "CommandPerforming"
-        
-        
-        $MethodName1 = "CmdCommand"
-        $MethodName2 = "GetConfigCommand"
-        $MethodName3 = "GetFileCommand"
-        $MethodName4 = "PutFileCommand"
-        $MethodName5 = "SetConfigCommand"
-        $MethodName6 = "AgentProtocol"
-        
-        $Log1 = "CONFIG_SERVERS_LIST_PARSING_ERROR" ascii wide
-        $Log2 = "GET_UIDS_TO_CHECK_PARSING_ERROR" ascii wide
-        $Log3 = "PAYLOAD_PARSING_FILEPATH_AND_FILE_ERROR" ascii wide
-        $Log4 = "COMMAND_EMPTY_ERROR" ascii wide
-        $Log5 = "IMAP_USERNAME_FORMAT_INCORRECT" ascii wide
-        $Log6 = "NO_MESSAGES_TO_RETRIEVE" ascii wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and filesize < 10MB and any of ($ClassName*) and any of ($MethodName*) and any of ($Log*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_turla_kazuar_variant_2023.yar b/yara_rules/sekoiaio_apt_turla_kazuar_variant_2023.yar
deleted file mode 100644
index e7b4cac..0000000
--- a/yara_rules/sekoiaio_apt_turla_kazuar_variant_2023.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_apt_turla_kazuar_variant_2023 {
-    meta:
-        id = "51e9de6a-5d8a-4627-8063-b70f78e78726"
-        version = "1.0"
-        description = "New variant of Kazuar observed in 2023"
-        author = "Sekoia.io"
-        creation_date = "2023-11-03"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "Started from file '" ascii wide
-        $s2 = "Zombifying user's" ascii wide
-        $s3 = "Result #{0:X16} already exists in {1}" ascii wide
-        
-    condition:
-        uint16(0) == 0x5a4d and 2 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_uac0099_lonepage.yar b/yara_rules/sekoiaio_apt_uac0099_lonepage.yar
deleted file mode 100644
index 2e373ea..0000000
--- a/yara_rules/sekoiaio_apt_uac0099_lonepage.yar
+++ /dev/null
@@ -1,31 +0,0 @@
-rule sekoiaio_apt_uac0099_lonepage {
-    meta:
-        id = "007f62f5-da5c-4df7-8b5c-5ed815ce6993"
-        version = "1.0"
-        description = "Detects LonePage vbs malware"
-        author = "Sekoia.io"
-        creation_date = "2024-01-08"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s0 = "dim r, c" ascii fullword
-        $s1 = "= createobject(\"WScript.Shell\")" ascii fullword
-        $s2 = "r.Run c, 0, false" ascii fullword
-        
-        $t1 = "GetHostAddresses" ascii fullword nocase
-        $t2 = "upgrade.txt" ascii fullword nocase
-        $t3 = "net.webclient" ascii fullword nocase
-        $t4 = "downloaddata" ascii fullword nocase
-        $t5 = "[System.Environment]::NewLine" ascii fullword nocase
-        $t6 = ".uploaddata('" ascii nocase
-        
-    condition:
-        true and filesize < 10KB
-        and 
-        (
-            ($s1 at 0x10 and $s0 at 0 and $s2 and 2 of ($t*)) 
-            or 
-            (all of ($t*) and any of ($s*))
-        )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_uac0154_malicious_html_smuggling.yar b/yara_rules/sekoiaio_apt_uac0154_malicious_html_smuggling.yar
deleted file mode 100644
index 56facfd..0000000
--- a/yara_rules/sekoiaio_apt_uac0154_malicious_html_smuggling.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_apt_uac0154_malicious_html_smuggling {
-    meta:
-        id = "923d11e5-6332-456d-8aff-ae7fb76193a8"
-        version = "1.0"
-        description = "UAC-0154 Infection chain"
-        author = "Sekoia.io"
-        creation_date = "2023-10-02"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "Microsoft&reg; HTML Help Workshop 4.1"
-        $ = "var a=['"
-        $ = ")+b('0x"
-        
-    condition:
-        all of them and filesize < 100KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_uac0154_powershell_infection_chain_1.yar b/yara_rules/sekoiaio_apt_uac0154_powershell_infection_chain_1.yar
deleted file mode 100644
index e61a4e6..0000000
--- a/yara_rules/sekoiaio_apt_uac0154_powershell_infection_chain_1.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_apt_uac0154_powershell_infection_chain_1 {
-    meta:
-        id = "428eb021-b37f-4db5-8cab-ca2f6dd2e202"
-        version = "1.0"
-        description = "UAC-0154 Infection chain"
-        author = "Sekoia.io"
-        creation_date = "2023-10-02"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "command $es ="
-        $ = "function isV"
-        $ = "doIn;"
-        $ = "System.IO.Comp"
-        
-    condition:
-        all of them and filesize < 100KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_uac0154_powershell_infection_chain_2.yar b/yara_rules/sekoiaio_apt_uac0154_powershell_infection_chain_2.yar
deleted file mode 100644
index 7ba812d..0000000
--- a/yara_rules/sekoiaio_apt_uac0154_powershell_infection_chain_2.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_apt_uac0154_powershell_infection_chain_2 {
-    meta:
-        id = "6fe37d52-9bd3-4aa8-83ba-15399bd1b66c"
-        version = "1.0"
-        description = "UAC-0154 Infection chain"
-        author = "Sekoia.io"
-        creation_date = "2023-10-02"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "files.catbox.moe"
-        $ = "$pse = $pse.Replace"
-        $ = "start -WindowStyle Hidden -FilePath $p"
-        $ = "-bxor $xorMask"
-        $ = "SysctlHost"
-        
-    condition:
-        4 of them and filesize < 100KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_unc3524_quietexit_strings.yar b/yara_rules/sekoiaio_apt_unc3524_quietexit_strings.yar
deleted file mode 100644
index 3a7f6cd..0000000
--- a/yara_rules/sekoiaio_apt_unc3524_quietexit_strings.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule sekoiaio_apt_unc3524_quietexit_strings {
-    meta:
-        id = "1bfa9baa-40a3-4ad7-83dc-f9340fbed180"
-        version = "1.0"
-        description = "Detect the QUIETEXIT malware used by UNC3524"
-        author = "Sekoia.io"
-        creation_date = "2022-05-04"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "Child connection from %s:%s" ascii
-        $ = "Failed to run %s" ascii
-        $ = "add %s %s %s" ascii
-        $ = "/usr/bin/xauth -q" ascii
-        $ = "/tmp/dropbear-%" ascii
-        $ = "cron" ascii
-        $ = { DD E5 D5 97 20 53 27 BF F0 A2 BA CD 96 35 9A AD 1C 75 EB 47 }
-        
-    condition:
-        uint32be(0) == 0x7f454c46 and
-        filesize > 1MB and
-        5 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_unc4990_emptyspace_pyc.yar b/yara_rules/sekoiaio_apt_unc4990_emptyspace_pyc.yar
deleted file mode 100644
index aa9e4a5..0000000
--- a/yara_rules/sekoiaio_apt_unc4990_emptyspace_pyc.yar
+++ /dev/null
@@ -1,44 +0,0 @@
-rule sekoiaio_apt_unc4990_emptyspace_pyc {
-    meta:
-        id = "d970fd9c-1ce5-471c-96a1-146250f36b89"
-        version = "1.0"
-        description = "Detects Python Bytecode of EmptySpace"
-        author = "Sekoia.io"
-        creation_date = "2024-02-01"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "PYBOOTSTRAP"
-        $ = "http://google.com/generate_204"
-        $ = "from"
-        $ = "pathZ"
-        $ = "usernamez"
-        $ = "timeZ"
-        $ = "win32api"
-        $ = "base64Z"
-        $ = "json"
-        $ = "marshalZ"
-        $ = "BOOTSTRAP_VERSION"
-        $ = "getZ"
-        $ = "sleepZ    b64encode"
-        $ = "dumps"
-        $ = "executableZ"
-        $ = "GetUserNameExZ"
-        $ = "NameSamCompatible"
-        $ = "encode"
-        $ = "decodeZ"
-        $ = "request_dataZ"
-        $ = "server"
-        $ = "post"
-        $ = "raise_for_status"
-        $ = "exec"
-        $ = "loadsZ    b64decode"
-        $ = "text"
-        $ = "globals"
-        $ = "bootstrap.py"
-        $ = "<module>"
-        
-    condition:
-        uint32be(0) == 0x420d0d0a and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_unc4990_explorer_ps1.yar b/yara_rules/sekoiaio_apt_unc4990_explorer_ps1.yar
deleted file mode 100644
index 4f36d8e..0000000
--- a/yara_rules/sekoiaio_apt_unc4990_explorer_ps1.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_apt_unc4990_explorer_ps1 {
-    meta:
-        id = "2e1abbbf-f9b7-4147-b7da-3544cbc4a5f1"
-        version = "1.0"
-        description = "Detects powershell script (explorer.ps1)"
-        author = "Sekoia.io"
-        creation_date = "2024-02-01"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s0 = "$(get-location).Path"
-        $s1 = "+ \"\\Runtime Broker.exe"
-        $s2 = "Start-Process -FilePath"
-        $s3 = "-Wait;"
-        $s4 = "Start-Sleep -s"
-        
-    condition:
-        all of them and @s3-@s2 < 35
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_unc4990_explorer_ps1_reverse_b64.yar b/yara_rules/sekoiaio_apt_unc4990_explorer_ps1_reverse_b64.yar
deleted file mode 100644
index 7315677..0000000
--- a/yara_rules/sekoiaio_apt_unc4990_explorer_ps1_reverse_b64.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_apt_unc4990_explorer_ps1_reverse_b64 {
-    meta:
-        id = "35c3ffb2-2ced-426c-ac3f-a8cd0c357672"
-        version = "1.0"
-        description = "Detects reverse base64 files (explorer.ps1)"
-        author = "Sekoia.io"
-        creation_date = "2024-02-01"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s0 = "Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(\""
-        $s1 = "Wa1VHJ\"[-1..-"
-        $s2 = "-join '')))"
-        
-    condition:
-        all of them and $s0 at 0 and @s2 - @s2 < 20
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_unk_batcopier_strings.yar b/yara_rules/sekoiaio_apt_unk_batcopier_strings.yar
deleted file mode 100644
index 1cc29b9..0000000
--- a/yara_rules/sekoiaio_apt_unk_batcopier_strings.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_apt_unk_batcopier_strings {
-    meta:
-        id = "eb76bbd0-a722-4fec-a4a7-c48c70a1880b"
-        version = "1.0"
-        description = "Detects BatCopier variant"
-        author = "Sekoia.io"
-        creation_date = "2024-09-06"
-        classification = "TLP:CLEAR"
-        reference = "https://www.seqrite.com/blog/operation-oxidovy-sophisticated-malware-campaign-targets-czech-officials-using-nato-themed-decoys/"
-        
-    strings:
-        $ = "@echo off"
-        $ = "echo F|xcopy"
-        $ = "attrib +r +s +h"
-        
-    condition:
-        all of them and filesize < 1KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_unk_dex_china_freedom_trap_spyware.yar b/yara_rules/sekoiaio_apt_unk_dex_china_freedom_trap_spyware.yar
deleted file mode 100644
index dd0d364..0000000
--- a/yara_rules/sekoiaio_apt_unk_dex_china_freedom_trap_spyware.yar
+++ /dev/null
@@ -1,32 +0,0 @@
-rule sekoiaio_apt_unk_dex_china_freedom_trap_spyware {
-    meta:
-        id = "3d66b6b8-8397-441a-a337-4a282df39591"
-        version = "1.0"
-        description = "Detects China Freedom Trap spyware dex file"
-        author = "Sekoia.io"
-        creation_date = "2022-09-07"
-        classification = "TLP:CLEAR"
-        hash = "ceb70fce74898ea64ded6880a978441c"
-        
-    strings:
-        $ = "INSTALL" base64
-        $ = "FAILED" base64
-        $ = "TEST" base64
-        $ = "ONLY" base64
-        $ = "INSTALL" base64
-        $ = "INCONSISTENT" base64
-        $ = "CERTIFICATES" base64
-        $ = "Network country iso:" base64
-        $ = "Network operator name:" base64
-        $ = "SIM operator name:" base64
-        $ = "SIM country iso:" base64
-        $ = "SIM state:" base64
-        $ = "PIN REQUIRED" base64
-        $ = "PUK REQUIRED" base64
-        
-    condition:
-        uint32be(0) == 0x6465780A and
-        filesize < 100KB and
-        4 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_unk_hrserv_memory_commands_strings.yar b/yara_rules/sekoiaio_apt_unk_hrserv_memory_commands_strings.yar
deleted file mode 100644
index 2d2099c..0000000
--- a/yara_rules/sekoiaio_apt_unk_hrserv_memory_commands_strings.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_apt_unk_hrserv_memory_commands_strings {
-    meta:
-        id = "1b5f442a-e758-4bd5-a612-8b504a542d29"
-        version = "1.0"
-        description = "Detects HrServ web shell memory commands"
-        author = "Sekoia.io"
-        creation_date = "2023-11-23"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "list all the process" ascii wide
-        $ = "equal with cmd /c tasklist" ascii wide
-        $ = "start target service by name" ascii wide
-        $ = "query local process information by wmi." ascii wide
-        $ = "upload local shellcode to" ascii wide
-        
-    condition:
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_unk_hrserv_webshell_strings.yar b/yara_rules/sekoiaio_apt_unk_hrserv_webshell_strings.yar
deleted file mode 100644
index ccfc64b..0000000
--- a/yara_rules/sekoiaio_apt_unk_hrserv_webshell_strings.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule sekoiaio_apt_unk_hrserv_webshell_strings {
-    meta:
-        id = "684fd41c-9ea6-4f4e-8db4-82325a2ff80b"
-        version = "1.0"
-        description = "Detects HrServ web shell based on strings"
-        author = "Sekoia.io"
-        creation_date = "2023-11-23"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "open file error!"
-        $ = "create file error!"
-        $ = "[!] CreatePipe failed."
-        $ = "[!] CreateProcess failed."
-        $ = "[!] CreateProcess success,no result return."
-        $ = "; cadataIV="
-        $ = "cadataKey="
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 300KB and
-        5 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_unk_malicious_lnk.yar b/yara_rules/sekoiaio_apt_unk_malicious_lnk.yar
deleted file mode 100644
index 97cc140..0000000
--- a/yara_rules/sekoiaio_apt_unk_malicious_lnk.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_apt_unk_malicious_lnk {
-    meta:
-        id = "d2248803-7ddf-4cde-ab6a-78b20e760919"
-        version = "1.0"
-        description = "Detects a malicious LNK used by an APT"
-        author = "Sekoia.io"
-        creation_date = "2024-09-06"
-        classification = "TLP:CLEAR"
-        hash = "a8d7e56eb01a8cf576533db9af2e92ec"
-        reference = "https://www.seqrite.com/blog/operation-oxidovy-sophisticated-malware-campaign-targets-czech-officials-using-nato-themed-decoys/"
-        
-    strings:
-        $ = ".pdf.lnkPK"
-        $ = ".jfifPK"
-        $ = ".batPK"
-        $ = ".pdfPK"
-        
-    condition:
-        uint32be(0) == 0x504b0304 and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_unknown_sessionmanageriis_strings.yar b/yara_rules/sekoiaio_apt_unknown_sessionmanageriis_strings.yar
deleted file mode 100644
index 86873c0..0000000
--- a/yara_rules/sekoiaio_apt_unknown_sessionmanageriis_strings.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule sekoiaio_apt_unknown_sessionmanageriis_strings {
-    meta:
-        id = "7d55dd82-509f-444d-a1ba-6417b51f392f"
-        version = "1.0"
-        description = "Detects the IIS SessionManager backdoor"
-        author = "Sekoia.io"
-        creation_date = "2022-07-04"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "Wokring OK"
-        $ = "Delete File Success :"
-        $ = "Delete File Error :"
-        $ = "SM_SESSION="
-        $ = "SM_SESSIONID"
-        $ = "attachment; filename ="
-        $ = "CHttpModule::"
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize > 100KB and filesize < 400KB and
-        4 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_uta0178_javascript_inclusion_strings.yar b/yara_rules/sekoiaio_apt_uta0178_javascript_inclusion_strings.yar
deleted file mode 100644
index 52fcbbd..0000000
--- a/yara_rules/sekoiaio_apt_uta0178_javascript_inclusion_strings.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule sekoiaio_apt_uta0178_javascript_inclusion_strings {
-    meta:
-        id = "af816c35-1f00-47ea-86ee-c034607c625e"
-        version = "1.0"
-        description = "Detects UTA0178 malicious inclusion strings"
-        author = "Sekoia.io"
-        creation_date = "2024-01-12"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s0 = ".value"
-        $s1 = "btoa("
-        $s2 = "https://"
-        $s3 = "new XMLHttpRequest();"
-        $s4 = ".send(null);"
-        
-    condition:
-        @s0 < @s1 and 
-        @s1 < @s2 and 
-        @s2 < @s3 and 
-        @s3 < @s4 and
-        @s4-@s0 < 350
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_uta0218_upstyle_backdoor_strings.yar b/yara_rules/sekoiaio_apt_uta0218_upstyle_backdoor_strings.yar
deleted file mode 100644
index 5a96489..0000000
--- a/yara_rules/sekoiaio_apt_uta0218_upstyle_backdoor_strings.yar
+++ /dev/null
@@ -1,28 +0,0 @@
-rule sekoiaio_apt_uta0218_upstyle_backdoor_strings {
-    meta:
-        id = "098fbad7-efaf-4198-83de-208c2ae16f89"
-        version = "1.0"
-        description = "Detects UPSTYLE backdoor"
-        author = "Sekoia.io"
-        creation_date = "2024-04-16"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1_1 = "f.write(b'''import base64;exec(base64.b64decode(b" ascii
-        $s1_2 = "atime=os.path.getatime(" ascii
-        
-        $s2_1 = "exec(base64.b64decode(functioncode))"  ascii base64
-        $s2_2 = "os.path.exists(systempth):" ascii base64
-        $s2_3 = ".read().replace(b\"\\x00\",b\" \")" ascii base64
-        
-        $s3_1 = "if WRITE_FLAG:"  ascii base64
-        $s3_2 = "re.search(SHELL_PATTERN"  ascii base64
-        $s3_3 = "import threading,time,os,re,base64"  ascii base64
-        
-    condition:
-        filesize < 1500 and
-        (2 of ($s1_*) or 
-        2 of ($s2_*) or 
-        2 of ($s3_*) )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_win_disabledefender.yar b/yara_rules/sekoiaio_apt_win_disabledefender.yar
deleted file mode 100644
index 458cd14..0000000
--- a/yara_rules/sekoiaio_apt_win_disabledefender.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-import "pe"
-        
-rule sekoiaio_apt_win_disabledefender {
-    meta:
-        id = "a7b124ab-4c9d-47c0-a59e-211cc713b9b3"
-        version = "1.0"
-        description = "detects strings and imphash"
-        author = "Sekoia.io"
-        creation_date = "2022-09-23"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "Restarting with privileges"
-        $ = "Windows defender is currently ACTIVE"
-        $ = "Windows defender is currently OFF"
-        $ = "Disabled windows defender"
-        $ = "Failed to disable defender..."
-        
-    condition:        4 of them or pe.imphash() == "74a6ef9e7b49c71341e439022f643c8e"
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_windows_wip19_screencap.yar b/yara_rules/sekoiaio_apt_windows_wip19_screencap.yar
deleted file mode 100644
index 52bb5c7..0000000
--- a/yara_rules/sekoiaio_apt_windows_wip19_screencap.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_apt_windows_wip19_screencap {
-    meta:
-        id = "ebf5d2c5-81c9-45c3-aa61-05870f800f6b"
-        version = "1.0"
-        description = "Detects ScreenCap resource"
-        author = "Sekoia.io"
-        creation_date = "2022-10-18"
-        classification = "TLP:CLEAR"
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
-         for any i in (0..pe.number_of_resources-1) : (
-            hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "89f4d0e3f7f3318270aa9c8345c1402202b1a02ffefc03c7a86636e297aa0ffc"
-        ) and filesize < 2MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_apt_yemen_apk_guardzoo.yar b/yara_rules/sekoiaio_apt_yemen_apk_guardzoo.yar
deleted file mode 100644
index 0688027..0000000
--- a/yara_rules/sekoiaio_apt_yemen_apk_guardzoo.yar
+++ /dev/null
@@ -1,41 +0,0 @@
-rule sekoiaio_apt_yemen_apk_guardzoo {
-    meta:
-        id = "f4004e7c-2904-46ea-a3e6-2bdd3e704fea"
-        version = "1.0"
-        description = "Detects Dex files containing GuardZoo strings."
-        author = "Sekoia.io"
-        creation_date = "2024-08-09"
-        classification = "TLP:CLEAR"
-        hash = "3afad114c68489e2d294720339baf570"
-        hash = "c59d0f5c8d00485199f147b96c5abca0"
-        hash = "75c58948725133160085dc1cfdf602ec"
-        hash = "d76a39ee85263900f7e6eaacb804f5e2"
-        hash = "51356c95dfe1221c0f4ca2475bc787f8"
-        hash = "1d0dd8201c051d9c8d2c945c8b31a48c"
-        hash = "b7b6be5e8eec44dd13e1df1f3908fcf0"
-        hash = "229984f004578a8fa643afb881d81e8c"
-        hash = "f3f1ccb3912c49a0a6ea710a0bd856de"
-        hash = "a3f8365bfa5f8185e8c7eba8efc63165"
-        hash = "7392deaf81ddf50b8a6f2179538f7e81"
-        hash = "c40d56e1586f9fa382c688d624d25525"
-        hash = "629fb04b91c4db4ea282440e20317dab"
-        hash = "bcebc41628196f8bd119f72e1e8eb47c"
-        hash = "f1cfdc9e91c3a20563246cf366b94f10"
-        hash = "a75ffb11adbace40a7c59128adba43ad"
-        
-    strings:
-        $classes_1 = "GuardZoo.java"
-        $classes_2 = "com/animals"
-        $path_1 = "&Password="
-        $path_2 = "&Coordinates="
-        $path_3 = "&Data="
-        $path_4 = "&Device="
-        $path_5 = "&ISPICTURE="
-        $path_6 = "&Phone_Number="
-        $path_7 = "&Provider="
-        
-    condition:
-        uint32be(0) == 0x6465780a and filesize < 10MB and
-        ((any of ($classes_*)) and (3 of ($path_*)))
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_backdoor_blueshell.yar b/yara_rules/sekoiaio_backdoor_blueshell.yar
deleted file mode 100644
index 79b99b0..0000000
--- a/yara_rules/sekoiaio_backdoor_blueshell.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule sekoiaio_backdoor_blueshell {
-    meta:
-        id = "8f1cd966-c4d8-44f9-8cd5-4f5277332546"
-        version = "1.0"
-        description = "Detects BlueShell backdoor"
-        author = "Sekoia.io"
-        creation_date = "2023-09-08"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "BlueShell" ascii
-        $s2 = "client.go" ascii
-        $s3 = "server ip" ascii
-        $s4 = "server port" ascii
-        $s5 = "reconnect wait time" ascii
-        $s6 = "shell" ascii
-        $s7 = "socks" ascii
-        $s8 = "socks5" ascii
-        $s9 = "GetInteractiveShell" ascii
-        
-    condition:
-        filesize < 11MB and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_backdoor_lin_bifrost.yar b/yara_rules/sekoiaio_backdoor_lin_bifrost.yar
deleted file mode 100644
index f4d134c..0000000
--- a/yara_rules/sekoiaio_backdoor_lin_bifrost.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_backdoor_lin_bifrost {
-    meta:
-        id = "9726b5f5-8cc3-4fad-950b-f20cac04d496"
-        version = "1.0"
-        description = "Detect the Bifrost backdor based on strings"
-        author = "Sekoia.io"
-        creation_date = "2024-03-05"
-        classification = "TLP:CLEAR"
-        reference = "https://unit42.paloaltonetworks.com/new-linux-variant-bifrost-malware/"
-        hash1 = "8e85cb6f2215999dc6823ea3982ff4376c2cbea53286e95ed00250a4a2fe4729"
-        hash2 = "2aeb70f72e87a1957e3bc478e1982fe608429cad4580737abe58f6d78a626c05"
-        hash3 = "f2bef6bed27f4b527118dd62b4035003c14afaffa72729c8117f213623f644ec"
-        
-    strings:
-        $ = "%c2%s%c3%u%c4%u-%.2u-%.2u %.2u:%.2u"
-        $ = "%c1%s%c3D%c4%u-%.2u-%.2u %.2u:%.2u"
-        
-    condition:
-        uint32be(0) == 0x7f454c46 and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_backdoor_lin_bpfdoor.yar b/yara_rules/sekoiaio_backdoor_lin_bpfdoor.yar
deleted file mode 100644
index b3d259a..0000000
--- a/yara_rules/sekoiaio_backdoor_lin_bpfdoor.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-rule sekoiaio_backdoor_lin_bpfdoor {
-    meta:
-        id = "1776ff6f-6fbb-4a81-bcad-c43b5117c67c"
-        version = "1.0"
-        description = "Detect the BPFDoor backdoor used by the Chinese TA Red Menshen"
-        author = "Sekoia.io"
-        creation_date = "2022-05-05"
-        classification = "TLP:CLEAR"
-        reference = "https://github.com/Neo23x0/signature-base/blob/master/yara/mal_lnx_implant_may22.yar"
-        
-    strings:
-        $op1 = { e8 ?? ff ff ff 80 45 ee 01 0f b6 45 ee 3b 45 d4 7c 04 c6 45 ee 00 80 45 ff 01 80 7d ff 00 }
-        $op2 = { 55 48 89 e5 48 83 ec 30 89 7d ec 48 89 75 e0 89 55 dc 83 7d dc 00 75 0? }
-        $op3 = { e8 a? fe ff ff 0f b6 45 f6 48 03 45 e8 0f b6 10 0f b6 45 f7 48 03 45 e8 0f b6 00 8d 04 02 }
-        $op4 = { c6 80 01 01 00 00 00 48 8b 45 c8 0f b6 90 01 01 00 00 48 8b 45 c8 88 90 00 01 00 00 c6 45 ef 00 0f b6 45 ef 88 45 ee }
-        
-    condition:
-        uint32(0)==0x464c457f
-        and filesize > 10KB
-        and filesize < 50KB
-        and (all of ($op*))
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_backdoor_lin_sysupdate.yar b/yara_rules/sekoiaio_backdoor_lin_sysupdate.yar
deleted file mode 100644
index 852015d..0000000
--- a/yara_rules/sekoiaio_backdoor_lin_sysupdate.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_backdoor_lin_sysupdate {
-    meta:
-        id = "9cb806cf-4ca1-44d8-809a-58cc5f364fb8"
-        version = "1.0"
-        description = "Detect the SysUpdate malware"
-        author = "Sekoia.io"
-        creation_date = "2023-03-01"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "generate guid path=%s"
-        $ = "3rd/asio/include/asio/detail/posix_event.hpp"
-        $ = "expires_at"
-        $ = "%s -f %s"
-        $ = "expires_after"
-        $ = "-run"
-        
-    condition:
-        uint32(0)==0x464c457f and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_backdoor_mul_sparkrat.yar b/yara_rules/sekoiaio_backdoor_mul_sparkrat.yar
deleted file mode 100644
index 5ae3b99..0000000
--- a/yara_rules/sekoiaio_backdoor_mul_sparkrat.yar
+++ /dev/null
@@ -1,60 +0,0 @@
-rule sekoiaio_backdoor_mul_sparkrat {
-    meta:
-        id = "cd818207-f8ec-41fa-abef-c29d481c7897"
-        version = "1.0"
-        description = "Detect SparkRAT using string found in the source code"
-        author = "Sekoia.io"
-        creation_date = "2023-01-30"
-        classification = "TLP:CLEAR"
-        reference = "https://github.com/XZB-1248/Spark"
-        
-    strings:
-        $ = "2006/01/02 15:04:05" wide ascii
-        $ = "can not find secret header" wide ascii
-        $ = "${i18n|COMMON.UNKNOWN_ERROR}" wide ascii
-        $ = "/api/client/update" wide ascii
-        $ = "application/octet-stream" wide ascii
-        $ = "${i18n|COMMON.OPERATION_NOT_SUPPORTED}" wide ascii
-        $ = "no IP address found" wide ascii
-        $ = "failed to read network io counters" wide ascii
-        $ = "failed to read cpu info" wide ascii
-        $ = "PING" wide ascii
-        $ = "OFFLINE" wide ascii
-        $ = "LOCK" wide ascii
-        $ = "LOGOFF" wide ascii
-        $ = "HIBERNATE" wide ascii
-        $ = "SUSPEND" wide ascii
-        $ = "RESTART" wide ascii
-        $ = "SHUTDOWN" wide ascii
-        $ = "SCREENSHOT" wide ascii
-        $ = "TERMINAL_INIT" wide ascii
-        $ = "TERMINAL_INPUT" wide ascii
-        $ = "TERMINAL_RESIZE" wide ascii
-        $ = "TERMINAL_PING" wide ascii
-        $ = "TERMINAL_KILL" wide ascii
-        $ = "FILES_LIST" wide ascii
-        $ = "FILES_FETCH" wide ascii
-        $ = "FILES_REMOVE" wide ascii
-        $ = "FILES_UPLOAD" wide ascii
-        $ = "FILE_UPLOAD_TEXT" wide ascii
-        $ = "PROCESSES_LIST" wide ascii
-        $ = "PROCESS_KILL" wide ascii
-        $ = "DESKTOP_INIT" wide ascii
-        $ = "DESKTOP_PING" wide ascii
-        $ = "DESKTOP_KILL" wide ascii
-        $ = "DESKTOP_SHOT" wide ascii
-        $ = "COMMAND_EXEC" wide ascii
-        $ = "DEVICE_UPDATE" wide ascii
-        $ = "${i18n|COMMON.INVALID_PARAMETER}" wide ascii
-        $ = "${i18n|EXPLORER.FILE_OR_DIR_NOT_EXIST}" wide ascii
-        $ = "SPARK COMMIT: " wide ascii
-        $ = "${i18n|COMMON.DISCONNECTED}" wide ascii
-        $ = "${i18n|DESKTOP.NO_DISPLAY_FOUND}" wide ascii
-        $ = "/api/bridge/push" wide ascii
-        $ = "${i18n|COMMON.OPERATION_NOT_SUPPORTED}" wide ascii
-        
-    condition:
-        17 of them
-        and filesize > 4MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_backdoor_mul_supershell_client.yar b/yara_rules/sekoiaio_backdoor_mul_supershell_client.yar
deleted file mode 100644
index eed4b03..0000000
--- a/yara_rules/sekoiaio_backdoor_mul_supershell_client.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_backdoor_mul_supershell_client {
-    meta:
-        id = "3498ca9e-a165-4dda-bc15-2e5d6d43d9c1"
-        version = "1.0"
-        description = "Detect the Supershell client (unpacked) by looking for github references"
-        author = "Sekoia.io"
-        creation_date = "2024-04-25"
-        classification = "TLP:CLEAR"
-        hash1 = "a42906f8b392089fa1fe3ea264f6cb549ce5437b5ea253d9e1b8dd94bf115dad"
-        hash2 = "d97b41e8cd6b63cd55c9a4f99ccadf5a9141088319bc9eb467d96e54080f3c85"
-        hash3 = "2b54d1c064892a22f48b5742ba6da55bf62b73e5b1e0649e8b7880b286498735"
-        hash4 = "0dedab2ef8d44f9beef782a29dd8f628dd0218b90f23f729b315660437019ccd"
-        hash5 = "2484de7944889d784b8229f4fd756d3930e55c91654921019db4437877e30ab7"
-        
-    strings:
-        $ = "github.com/NHAS/reverse_ssh/internal/client/"
-        $ = "golang.org"
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_backdoor_opensource_northstar_strings.yar b/yara_rules/sekoiaio_backdoor_opensource_northstar_strings.yar
deleted file mode 100644
index e45ace0..0000000
--- a/yara_rules/sekoiaio_backdoor_opensource_northstar_strings.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_backdoor_opensource_northstar_strings {
-    meta:
-        id = "6bf2f428-ec1a-4115-9c5e-258e9176969a"
-        version = "1.0"
-        description = "Detects the NorthStar Backdoor strings"
-        author = "Sekoia.io"
-        creation_date = "2022-08-23"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "_SAMDUMP.zip" wide
-        $ = "northstar" wide
-        $ = "smanage.php?sid=" wide
-        $ = "File Not Exists" wide
-        $ = "<enablecmd or enable cmd>" wide
-        $ = "getjuice.php" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        6 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_backdoor_oyster.yar b/yara_rules/sekoiaio_backdoor_oyster.yar
deleted file mode 100644
index 7bc3c50..0000000
--- a/yara_rules/sekoiaio_backdoor_oyster.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule sekoiaio_backdoor_oyster {
-    meta:
-        id = "f95f98ea-1e52-45ae-8abf-a986f95d4ab2"
-        version = "1.0"
-        description = "Detects files related to the Oyster backdoor."
-        author = "Sekoia.io"
-        creation_date = "2024-08-29"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "CleanUp30.dll" ascii fullword
-        $s2 = "MSTeamsSetup_c_l_.exe" ascii fullword
-        
-    condition:
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_backdoor_powershellempire_batlauchers.yar b/yara_rules/sekoiaio_backdoor_powershellempire_batlauchers.yar
deleted file mode 100644
index a12dfd8..0000000
--- a/yara_rules/sekoiaio_backdoor_powershellempire_batlauchers.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_backdoor_powershellempire_batlauchers {
-    meta:
-        id = "ad371665-ec59-45c8-9d99-2a675842c384"
-        version = "1.0"
-        description = "Detect BAT launchers for Empire"
-        author = "Sekoia.io"
-        creation_date = "2022-04-15"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "powershell -noP -sta -w 1 -enc  SQB" nocase wide ascii
-        $ = "powershell -ep bypass -noP -sta -w 1 -enc SQB" nocase wide ascii
-        $ = "-nol -nop -ep bypass \"[IO.File]::ReadAllText('%~f0')|iex" nocase wide ascii
-        
-    condition:
-        any of them and filesize < 1MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_backdoor_powershellempire_csharp.yar b/yara_rules/sekoiaio_backdoor_powershellempire_csharp.yar
deleted file mode 100644
index d3f3b75..0000000
--- a/yara_rules/sekoiaio_backdoor_powershellempire_csharp.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule sekoiaio_backdoor_powershellempire_csharp {
-    meta:
-        id = "952e8e9b-8e4d-4550-9cf4-7ffd2f9d0672"
-        version = "1.0"
-        description = "Detects CSharp version of Empire"
-        author = "Sekoia.io"
-        creation_date = "2022-04-15"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "[-] Catastrophic .Net Agent Failure, Attempting Agent Restart:" ascii wide
-        $ = "[!] Upload failed - No Delimiter"  ascii wide
-        $ = "SELECT * FROM Win32_IP4RouteTable" ascii wide
-        $ = "no shell command supplied" ascii wide
-        $ = "[-] CmdletInvocationException:" ascii wide
-        $ = "[*] File download of" ascii wide
-        $ = "Script successfully saved in memory" ascii wide
-        $ = "Invoke-Empire" ascii wide
-        $ = "website to reach:" ascii wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and 5 of them  and filesize < 1MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_backdoor_powershellempire_gen.yar b/yara_rules/sekoiaio_backdoor_powershellempire_gen.yar
deleted file mode 100644
index 5f123bf..0000000
--- a/yara_rules/sekoiaio_backdoor_powershellempire_gen.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule sekoiaio_backdoor_powershellempire_gen {
-    meta:
-        id = "36050a5b-bdca-45cd-8e26-7129fdcbf1e8"
-        version = "1.0"
-        description = "Detects EmpirePowershell"
-        author = "Sekoia.io"
-        creation_date = "2022-04-15"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "%{$J=($J+$S[$_]+$K[$_%$K.COUNt])%256;" nocase wide ascii
-        $ = "($IV+$K))|IEX" nocase wide ascii
-        
-    condition:
-        all of them and filesize < 1MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_backdoor_powershellempire_python.yar b/yara_rules/sekoiaio_backdoor_powershellempire_python.yar
deleted file mode 100644
index fcb3658..0000000
--- a/yara_rules/sekoiaio_backdoor_powershellempire_python.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule sekoiaio_backdoor_powershellempire_python {
-    meta:
-        id = "c2913f60-46a2-42c1-8569-72568eaddaed"
-        version = "1.0"
-        description = "Detects Empire Python version"
-        author = "Sekoia.io"
-        creation_date = "2022-04-15"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "import sys,base64;exec"
-        $ = "aW1wb3J0IHN5cztpbXBvcnQgcmUsIHN1YnByb2"
-        
-    condition:
-        all of them and filesize < 1MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_backdoor_powershellempire_sharpire.yar b/yara_rules/sekoiaio_backdoor_powershellempire_sharpire.yar
deleted file mode 100644
index 59d1e23..0000000
--- a/yara_rules/sekoiaio_backdoor_powershellempire_sharpire.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_backdoor_powershellempire_sharpire {
-    meta:
-        id = "fed21fbd-52ed-4649-a1ff-56eae57fc9ef"
-        version = "1.0"
-        description = "Detect Sharpire version of Empire"
-        author = "Sekoia.io"
-        creation_date = "2022-04-15"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "GetAgentID" ascii wide
-        $ = "SetAgentID" ascii wide
-        $ = "StartAgentJob" ascii wide
-        $ = "get_JobThread" ascii wide
-        $ = "GetStagerURI" ascii wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and 4 of them  and filesize < 1MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_backdoor_sandman_strings.yar b/yara_rules/sekoiaio_backdoor_sandman_strings.yar
deleted file mode 100644
index 46028c8..0000000
--- a/yara_rules/sekoiaio_backdoor_sandman_strings.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule sekoiaio_backdoor_sandman_strings {
-    meta:
-        id = "7bac7a1e-7d4a-4410-9ad4-1c85beb6faaf"
-        version = "1.0"
-        description = "Detect the Sandman backdoor based on strings"
-        author = "Sekoia.io"
-        creation_date = "2022-08-23"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "e9f7c24c-879d-49f2-b9bf-2477dc28e2ee"
-        $s2 = "System.Net.Sockets"
-        $s3 = "ntpServer"
-        $s4 = "payloadUrl"
-        $s5 = "keepRunning"
-        $s6 = "payloadSize"
-        $s7 = "defaultNtpMessageSize"
-        $s8 = "InjectShellcode"
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        7 of them or $s1
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_backdoor_win_andardoor.yar b/yara_rules/sekoiaio_backdoor_win_andardoor.yar
deleted file mode 100644
index c146b52..0000000
--- a/yara_rules/sekoiaio_backdoor_win_andardoor.yar
+++ /dev/null
@@ -1,35 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_backdoor_win_andardoor {
-    meta:
-        id = "27f28f6e-b8fd-41dc-88a8-92f5a125a807"
-        version = "1.0"
-        description = "Detect the Andardoor backdoor used by Andariel"
-        author = "Sekoia.io"
-        creation_date = "2023-09-04"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = " : Deleted Dir" wide
-        $ = " : Not Exists" wide
-        $ = " : Deleted File" wide
-        $ = " : Closed." wide
-        $ = " : Opened." wide
-        $ = "GoodLuck!" wide
-        
-    condition:
-        // Strings
-        uint16(0)==0x5A4D and all of them
-        
-        // PE section
-        or for any i in (0..pe.number_of_sections-1) : (
-            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "9fea4972270c492ca304f3663913ae63"
-        )
-        
-        // PE resource
-        or for any i in (0..pe.number_of_resources-1) : (
-            hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "34fde27c3c864efa6225e72016992d341f29cbbea638432a1c63ce05ca568300"
-        )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_backdoor_win_blackrat.yar b/yara_rules/sekoiaio_backdoor_win_blackrat.yar
deleted file mode 100644
index 167f9bb..0000000
--- a/yara_rules/sekoiaio_backdoor_win_blackrat.yar
+++ /dev/null
@@ -1,34 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_backdoor_win_blackrat {
-    meta:
-        id = "3a5a6290-6344-45ce-8929-ea5a4451840f"
-        version = "1.0"
-        description = "Detect Andariel's Black RAT malware"
-        author = "Sekoia.io"
-        creation_date = "2023-09-04"
-        classification = "TLP:CLEAR"
-        hash1 = "c2500a6e12f22b16e221ba01952b69c92278cd05632283d8b84c55c916efe27c"
-        
-    strings:
-        $s1 = "I:/01___Tools/02__RAT/Black/Client_Go/Client.go"
-        $s2 = "I:/01___Tools/02__RAT/Black/Client_Go/Define.go"
-        $s3 = "I:/01___Tools/02__RAT/Black/Client_Go/Screenshot.go"
-        
-        // It is possible that it exists a Rust version of this RAT
-        $x1 = "RAT/Black/Client"
-        
-    condition:
-        uint16be(0) == 0x4d5a and (all of ($s*) or #x1 >= 3)
-        
-        // All section of the sample are unique. I use them for research purpose
-        or for any i in (0..pe.number_of_sections-1) : (
-            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "74c4cdc9d33fc63aee7ae9659b6f8d24"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "298948afbe85985025e176605ee21176"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "e5ca54c5def3c7a950e6d4034dc86277"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "440ae899aea859458df5b6de7dbc5b34"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "98e46f76b965ffb58f6cd53ff8dc91c0"
-        )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_backdoor_win_feedload.yar b/yara_rules/sekoiaio_backdoor_win_feedload.yar
deleted file mode 100644
index 5d8740f..0000000
--- a/yara_rules/sekoiaio_backdoor_win_feedload.yar
+++ /dev/null
@@ -1,16 +0,0 @@
-rule sekoiaio_backdoor_win_feedload {
-    meta:
-        id = "29cc46c4-7ed7-4a34-9749-a8ba8d37eb4c"
-        version = "1.0"
-        author = "Sekoia.io"
-        creation_date = "2023-10-24"
-        classification = "TLP:CLEAR"
-        hash = "f251144f7ad0be0045034a1fc33fb896e8c32874e0b05869ff5783e14c062486"
-        
-    strings:
-        $s1 = "                                        C:\\LibreSS5\\crypto\\"
-        
-    condition:
-        uint16be(0)==0x4d5a and #s1 > 200
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_backdoor_win_foresttiger.yar b/yara_rules/sekoiaio_backdoor_win_foresttiger.yar
deleted file mode 100644
index c9b5161..0000000
--- a/yara_rules/sekoiaio_backdoor_win_foresttiger.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_backdoor_win_foresttiger {
-    meta:
-        id = "d3128da2-a86d-4db8-9b75-2f3048831c7e"
-        version = "1.0"
-        description = "Detect Lazarus' malware ForestTiger"
-        author = "Sekoia.io"
-        creation_date = "2023-10-24"
-        classification = "TLP:CLEAR"
-        hash1 = "e06f29dccfe90ae80812c2357171b5c48fba189ae103d28e972067b107e58795"
-        hash2 = "0be1908566efb9d23a98797884f2827de040e4cedb642b60ed66e208715ed4aa"
-        reference = "https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/"
-        
-    strings:
-        $ = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.42"
-        $ = "biwbih="
-        $ = "rlzbiw="
-        $ = "whoami EnDePriv Erro" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_backdoor_win_headertip.yar b/yara_rules/sekoiaio_backdoor_win_headertip.yar
deleted file mode 100644
index 9774925..0000000
--- a/yara_rules/sekoiaio_backdoor_win_headertip.yar
+++ /dev/null
@@ -1,25 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_backdoor_win_headertip {
-    meta:
-        id = "82899406-4ec3-41d2-bcc1-bdd1ee440e77"
-        version = "1.0"
-        description = "Detect HeaderTip backdoor used by the Chinese threat actor Scarab. This backdoor has its hardcoded C2 in strings"
-        author = "Sekoia.io"
-        creation_date = "2022-03-25"
-        classification = "TLP:CLEAR"
-        hash1 = "e1523185eac41a615b8d2af8b7fd5fe07b755442df2836041be544dff6881237"
-        hash2 = "da8a98d9b9a3c176ba44fb69ad0a820a971950e05f1eb0c4bbbf6c2fbb748bdc"
-        hash3 = "63a218d3fc7c2f7fcadc0f6f907f326cc86eb3f8cf122704597454c34c141cf1"
-        
-    strings:
-        $post = "POST" wide
-        $ua = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko" wide
-        
-    condition:
-        (uint16(0)==0x5A4D and $post at 7256 and $ua at 7304 and filesize < 10KB)
-        or pe.imphash() == "60d01115d6baa0f214990c6e19339133"
-        or hash.md5(pe.rich_signature.clear_data) == "48f9cf422144c033e2ca183f72587910"
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_backdoor_win_ketrum2.yar b/yara_rules/sekoiaio_backdoor_win_ketrum2.yar
deleted file mode 100644
index 924672f..0000000
--- a/yara_rules/sekoiaio_backdoor_win_ketrum2.yar
+++ /dev/null
@@ -1,36 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_backdoor_win_ketrum2 {
-    meta:
-        id = "afcc349a-d44b-4b66-b86f-c62e700fa899"
-        version = "1.0"
-        description = "Detect Ke3chang's Ketrum backdoor version 2"
-        author = "Sekoia.io"
-        creation_date = "2022-10-19"
-        classification = "TLP:CLEAR"
-        reference = "https://www.intezer.com/blog/research/the-evolution-of-apt15s-codebase-2020/"
-        hash1 = "271384a078f2a2f58e14d7703febae8a28c6e2d7ddb00a3c8d3eead4ea87a0c0"
-        hash2 = "aa467945dd7b9b095e592fc96384bb385f2c95d00d5424e42bb6ab09827cb0ce"
-        hash3 = "aacaf0d4729dd6fda2e452be763d209f92d107ecf24d8a341947c545de9b7311"
-        hash4 = "ac5cb6e17f094068686225075251153e3eb21dc2d1ae744a97ab113cab034a36"
-        
-    strings:
-        $ = "powershell.exe" wide
-        $ = "cmd.exe" wide
-        $ = "%s\\adult.sft" wide
-        $ = "%s\\Notice" wide
-        $ = "%s\\Message" wide
-        $ = "\\Microsoft\\Media Player" wide
-        $ = "Windows\\CurrentVersion\\Explorer\\Shell Folders" wide ascii
-        $ = "Windows\\CurrentVersion\\Internet Settings" wide ascii
-        
-    condition:
-        all of them
-        
-        // Very common resource but appears in all Ketrum samples
-        and for any i in (0..pe.number_of_resources-1) : (
-            hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "49a60be4b95b6d30da355a0c124af82b35000bce8f24f957d1c09ead47544a1e"
-        )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_backdoor_win_kimsuky.yar b/yara_rules/sekoiaio_backdoor_win_kimsuky.yar
deleted file mode 100644
index 031084f..0000000
--- a/yara_rules/sekoiaio_backdoor_win_kimsuky.yar
+++ /dev/null
@@ -1,39 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_backdoor_win_kimsuky {
-    meta:
-        id = "db927d1c-34cf-4501-a6ce-3e8ecdefc5a3"
-        version = "1.0"
-        description = "Detect the backdoors used by Kimsuky based on specific PE ressources"
-        author = "Sekoia.io"
-        creation_date = "2024-06-04"
-        classification = "TLP:CLEAR"
-        hash1 = "000e2926f6e094d01c64ff972e958cd38590299e9128a766868088aa273599c7"
-        hash2 = "cca1705d7a85fe45dce9faec5790d498427b3fa8e546d7d7b57f18a925fdfa5d"
-        
-    condition:
-        uint16be(0) == 0x4d5a
-        and for any i in (0..pe.number_of_resources-1) : (
-            hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "3d570af85db2bb18265d80e7209a5c90f7cc82e0c868c0088a925df6f34e9066"
-            or hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "3d570af85db2bb18265d80e7209a5c90f7cc82e0c868c0088a925df6f34e9066"
-            or hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "ac9ed305c6dac749163db359736e7d92fca9173ff5c9e1f021d500b306e3c5ec"
-            or hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "0ca965ccf7324b098da617909d38986c1e6aae3e12d9629975f1815ed4ed3907"
-            or hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "25d79e59a6b625e5c22ccb55cc49373d38cc6f20cb75504b0df1bc0804bb1247"
-            or hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "ce5619ffe04ec569bf2565e0964156378bda7c42eb646bedbac2191a5af7bebf"
-            or hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "ce10e65f7bf105fc06005340f0a8eaea9b351f3750d2818c1cf2ca25a7f495be"
-            or hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "5a9e2a392c530ab8b38ff917ae0f28496107f1bde94e89515931fd29a0bfb2e5"
-            or hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "19f4f3a05b809d8e33bb0004f62899ca5f9eac7e4cdba68dfd5c0a6f2d71bec3"
-            or hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "b9c208b9bada7bac4d5bfe53992f570e34e0b4d5cfa0862de9847ddf5630ab9a"
-            or hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "3d570af85db2bb18265d80e7209a5c90f7cc82e0c868c0088a925df6f34e9066"
-            or hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "ac9ed305c6dac749163db359736e7d92fca9173ff5c9e1f021d500b306e3c5ec"
-            or hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "0ca965ccf7324b098da617909d38986c1e6aae3e12d9629975f1815ed4ed3907"
-            or hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "25d79e59a6b625e5c22ccb55cc49373d38cc6f20cb75504b0df1bc0804bb1247"
-            or hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "ce5619ffe04ec569bf2565e0964156378bda7c42eb646bedbac2191a5af7bebf"
-            or hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "ce10e65f7bf105fc06005340f0a8eaea9b351f3750d2818c1cf2ca25a7f495be"
-            or hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "5a9e2a392c530ab8b38ff917ae0f28496107f1bde94e89515931fd29a0bfb2e5"
-            or hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "19f4f3a05b809d8e33bb0004f62899ca5f9eac7e4cdba68dfd5c0a6f2d71bec3"
-            or hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "b9c208b9bada7bac4d5bfe53992f570e34e0b4d5cfa0862de9847ddf5630ab9a"
-        )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_backdoor_win_mgbot_main.yar b/yara_rules/sekoiaio_backdoor_win_mgbot_main.yar
deleted file mode 100644
index 0ba21b9..0000000
--- a/yara_rules/sekoiaio_backdoor_win_mgbot_main.yar
+++ /dev/null
@@ -1,36 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_backdoor_win_mgbot_main {
-    meta:
-        id = "528baa11-58d5-470a-bd6d-963d4ac75d97"
-        version = "1.0"
-        description = "Detect MgBot main.dll file"
-        author = "Sekoia.io"
-        creation_date = "2024-03-20"
-        classification = "TLP:CLEAR"
-        reference = "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt-attacks-telecoms-africa-mgbot"
-        hash1 = "706c9030c2fa5eb758fa2113df3a7e79257808b3e79e46869d1bf279ed488c36"
-        hash2 = "017187a1b6d58c69d90d81055db031f1a7569a3b95743679b21e44ea82cfb6c7"
-        
-    condition:
-        // Imphash
-        pe.imphash() == "8e1ee04a99c77bd54c6dc55214ffa2e3"
-        
-        // Rich header hash
-        or hash.md5(pe.rich_signature.clear_data) == "67e8e8b75b981b5c8ff31149dc2c61b2"
-        
-        // Sections
-        or for any i in (0..pe.number_of_sections-1) : (
-            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "7c6adf9987e6dfbf19b5f156b0314798"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "46fa9f5a035c8ae8de1a0d14150bd5ef"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "f7895f9456f8d51125e6744960c38133"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "5d82bb8a7ef37c417615381b446f715c"
-        )
-        
-        // Resource
-        or for any i in (0..pe.number_of_resources-1) : (
-            hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "d7808c6662f098e685040f7c61bc033d9e73002f674de7cf2ffcd6230d60d429"
-        )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_backdoor_win_minibike.yar b/yara_rules/sekoiaio_backdoor_win_minibike.yar
deleted file mode 100644
index 81f94f8..0000000
--- a/yara_rules/sekoiaio_backdoor_win_minibike.yar
+++ /dev/null
@@ -1,38 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_backdoor_win_minibike {
-    meta:
-        id = "d758c41a-279c-4706-9cf3-87740e45f71d"
-        version = "1.0"
-        description = "Detect the MINIBIKE malware"
-        author = "Sekoia.io"
-        creation_date = "2024-04-08"
-        classification = "TLP:CLEAR"
-        hash1 = "985967e245d8fbc722e30371c9ed48c3269ceaa6b9b9b80caf2b95c920c856c2"
-        hash2 = "ab0b602665b609392eacdcbfc6c1981f216c19f21e2156a55cf9998eab02227b"
-        hash3 = "8e2429d70989bbdd2ea8842dce7c3d790ebe148490ee519b47767557f4a4a733"
-        hash4 = "be86b8559a84d97aa1cc9852e60a553f5164477bacfc69b7f3453ad37fb6fd2a"
-        hash5 = "78065411e7e8eb205ddae7215a229b7c93bdca5d628670f89caa982238ac7eb6"
-        hash6 = "73bf3a5877a7fe16544d15670e3ece034e4826323ba555b3527ad4d061f44ec4"
-        reference = "https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east"
-        
-    strings:
-        $ = "Mini-Junked.dll"
-        
-    condition:
-        // Strings
-        uint16(0)==0x5A4D and all of them
-
-        // Imphash
-        or pe.imphash() == "75a9ae7d4394abdc30e2a873908fa09d"
-
-        // Rich header
-        or hash.md5(pe.rich_signature.clear_data) == "06b2ec5892ac9ad566693b04cf427f3f"
-
-        // Section
-        or for any i in (0..pe.number_of_sections-1) : (
-            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "612006b6f68cd0b8b0d48252dbdef4be"
-        )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_backdoor_win_minibus.yar b/yara_rules/sekoiaio_backdoor_win_minibus.yar
deleted file mode 100644
index a895fc3..0000000
--- a/yara_rules/sekoiaio_backdoor_win_minibus.yar
+++ /dev/null
@@ -1,42 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_backdoor_win_minibus {
-    meta:
-        id = "f88bcf15-9a9f-4d84-adc6-db1db55fe93c"
-        version = "1.0"
-        description = "Detect the MINIBUS backdoor used by UNC1549 since August 2023"
-        author = "Sekoia.io"
-        creation_date = "2024-02-29"
-        classification = "TLP:CLEAR"
-        reference = "https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east"
-        
-    strings:
-        $dll_150_1 = "TorvaldsPersist.dll"
-        $dll_150_2 = "FileCoAuth.exe"
-        
-        $dll_50_1 = "TorvaldInitial.dll"
-        $dll_50_2 = "\\essential.dat"
-        
-    condition:
-        // 150KB DLL
-        // 10e9d1eaf24ad3c63578d89f8b887adb47700aae02da1532c4842428725e77d6
-        // 720afa3e1216a9eb68b66858d50de0326f52afa279ef9ee0521aee98b312382f
-        (
-            uint16(0)==0x5A4D and all of ($dll_150_*) or
-            for any i in (0..pe.number_of_resources-1) : (
-                hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "2cf9797b1cfb5795d0fb892b7c371d506a5dd8b7c64fdc82975b3fde6d997df0"
-            )
-        )
-        
-        // 50-06KB DLL
-        // 26ca51cb067e1fdf1b8ad54ba49883bc5d1945952239aec0c4840754bff76621
-        // 90fa29cc98be1d715df26d22079bdb8ce1d1fd3ce6a4efb39a4c192134e01020
-        or (
-            uint16(0)==0x5A4D and all of ($dll_50_*) or
-            for any i in (0..pe.number_of_resources-1) : (
-                hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "de3fb5d4419eb6b943872dd6e3dd93d19584ef2b158aa3158b3b09f0a9b628ef"
-            )
-        )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_backdoor_win_nukesped_andariel.yar b/yara_rules/sekoiaio_backdoor_win_nukesped_andariel.yar
deleted file mode 100644
index f559b4c..0000000
--- a/yara_rules/sekoiaio_backdoor_win_nukesped_andariel.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_backdoor_win_nukesped_andariel {
-    meta:
-        id = "a3601f0b-5782-4546-ac22-8a0514791f8f"
-        version = "1.0"
-        description = "Detect the NukeSped variant type 1 used by Andariel in October 2023"
-        author = "Sekoia.io"
-        creation_date = "2023-11-27"
-        classification = "TLP:CLEAR"
-        reference = "https://asec.ahnlab.com/en/59073/"
-        
-    condition:
-        for any i in (0..pe.number_of_resources-1) : (
-            hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "4ce43c7e358e3951f4c4ebd050d570786cbb473ee353974fc7414e3d753da9f6"
-            or hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "355485cbe2bec406d60a48d7d8d25c71d9ded3c508c87273d936a92b94720d9b"
-        )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_backdoor_win_rokrat.yar b/yara_rules/sekoiaio_backdoor_win_rokrat.yar
deleted file mode 100644
index 3efb000..0000000
--- a/yara_rules/sekoiaio_backdoor_win_rokrat.yar
+++ /dev/null
@@ -1,32 +0,0 @@
-rule sekoiaio_backdoor_win_rokrat {
-    meta:
-        id = "97a3acc1-4120-4d67-a6ad-fa204f2fd7f5"
-        version = "1.0"
-        description = "Detect the RokRAT malware"
-        author = "Sekoia.io"
-        creation_date = "2023-07-11"
-        classification = "TLP:CLEAR"
-        hash1 = "84760cac26513915ebfb0a80ad3ddabe62f03ec4fda227d63e764f9c4a118c4e"
-        hash2 = "758348521331bb18241d1cfc90d7e687dbc5bad8d596a2b2d6a9deb6cfc8cb1d"
-        hash3 = "2a253c2aa1db3f809c86f410e4bd21f680b7235d951567f24d614d8e4d041576"
-        hash4 = "ebce34cdeb20bc8c75249ce87a3080054f48b03ef66572fbc9dc40e6c36310d6"
-        hash5 = "a1e4e95a20120f16adacb342672eec1e73bd7826b332096f046bb7e2b7cd80a1"
-        hash6 = "3be58a7a7a25dbceee9e7ef06ef20aa86aef083be19db9e5ffb181d3f9f6615a"
-        hash7 = "fa4df84071b9ae20b321e4d22162d8480f6992206bc046e403c2fbedd1655503"
-        hash8 = "aa76b4db29cf929b4b22457ccb8cd77308191f091cde2f69e578ade9708d7949"
-        
-    strings:
-        // String in all samples since 2019
-        $ = "--wwjaughalvncjwiajs--"
-        
-        // {"path":"%s","mode":{".tag":"overwrite"}}
-        $ = {7b 00 22 00 70 00 61 00 74 00 68 00 22 00 3a 00 22 00 25 00 73 00 22 00 2c 00 22 00 6d 00 6f 00 64 00 65 00 22 00 3a 00 7b 00 22 00 2e 00 74 00 61 00 67 00 22 00 3a 00 22 00 6f 00 76 00 65 00 72 00 77 00 72 00 69 00 74 00 65 00 22 00 7d 00 7d}
-        
-        // https://cloud-api.yandex.net/v1/disk/resources/upload?path=%s&overwrite=%s
-        $ = {68 00 74 00 74 00 70 00 73 00 3a 00 2f 00 2f 00 63 00 6c 00 6f 00 75 00 64 00 2d 00 61 00 70 00 69 00 2e 00 79 00 61 00 6e 00 64 00 65 00 78 00 2e 00 6e 00 65 00 74 00 2f 00 76 00 31 00 2f 00 64 00 69 00 73 00 6b 00 2f 00 72 00 65 00 73 00 6f 00 75 00 72 00 63 00 65 00 73 00 2f 00 75 00 70 00 6c 00 6f 00 61 00 64 00 3f 00 70 00 61 00 74 00 68 00 3d 00 25 00 73 00 26 00 6f 00 76 00 65 00 72 00 77 00 72 00 69 00 74 00 65 00 3d 00 25 00 73}
-        
-    condition:
-        uint16(0)==0x5A4D
-        and any of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_backdoor_win_rollsling.yar b/yara_rules/sekoiaio_backdoor_win_rollsling.yar
deleted file mode 100644
index 86b4a33..0000000
--- a/yara_rules/sekoiaio_backdoor_win_rollsling.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_backdoor_win_rollsling {
-    meta:
-        id = "5ef23b9c-5bc5-4f02-b1b4-1af18a03241a"
-        version = "1.0"
-        description = "Detect Lazarus' RollSling malware (aka LazarLoader)"
-        author = "Sekoia.io"
-        creation_date = "2023-10-24"
-        classification = "TLP:CLEAR"
-        hash1 = "d9add2bfdfebfa235575687de356f0cefb3e4c55964c4cb8bfdcdc58294eeaca"
-        hash2 = "48538a935ddf2cbeb4918d0ccf9372ec8e0a57c5fd145a584a9b1bb4ebbcd5ce"
-        hash3 = "18825be6b269087d7699f3d0aa2e6db2ae72ded36c56aa8e7b8a606dde3741fa"
-        hash4 = "645205e38dfdd560f6242ba717af1bfdd8e85baf5e710d724b853fe9808c4551"
-        hash5 = "455bab490a300d9d63b8777c223287c0a6a647ca7b98b96fd3236f83b8adc77b"
-        reference = "https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/"
-        
-    strings:
-        $s1 = "LookupPrivilegeVCreateRemoteThreAdjustTokenPriviOpenProcessToken"
-        
-    condition:
-        uint16be(0) == 0x4d5a and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_backdoor_win_sidewinder_cobaltstrike_2022_09.yar b/yara_rules/sekoiaio_backdoor_win_sidewinder_cobaltstrike_2022_09.yar
deleted file mode 100644
index 97c1a53..0000000
--- a/yara_rules/sekoiaio_backdoor_win_sidewinder_cobaltstrike_2022_09.yar
+++ /dev/null
@@ -1,30 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_backdoor_win_sidewinder_cobaltstrike_2022_09 {
-    meta:
-        id = "b5e8f87a-4a2c-49bb-aa98-bf3fb5056b23"
-        version = "1.0"
-        description = "Detect the SideWinder malware"
-        author = "Sekoia.io"
-        creation_date = "2022-10-24"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        // eNEVER GONNA GIVE YOU UP!
-        $s1 = {65004e004500560045005200200047004f004e004e00410020004700490056004500200059004f0055002000550050002100}
-        
-    condition:
-        $s1
-
-        //Imphash
-        or pe.imphash() == "b1e345b2d78e4b82617d995d18100790"
-
-        //Sections
-        or for any i in (0..pe.number_of_sections-1) : (
-            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "ac989507d4af352fa354560efef99ba6"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "8090b29a44c750b7b21287f9639fe747"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "ea8693d6bacf3e7876f717a3d8abc433"
-        )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_backdoor_win_spacecolon.yar b/yara_rules/sekoiaio_backdoor_win_spacecolon.yar
deleted file mode 100644
index d0f4826..0000000
--- a/yara_rules/sekoiaio_backdoor_win_spacecolon.yar
+++ /dev/null
@@ -1,40 +0,0 @@
-rule sekoiaio_backdoor_win_spacecolon {
-    meta:
-        id = "ae09f0e2-e913-44d5-abe1-715170368cc8"
-        version = "1.0"
-        description = "Finds Spacecolon samples based on specific strings (ScHackTool component)"
-        author = "Sekoia.io"
-        reference = "https://www.welivesecurity.com/en/eset-research/scarabs-colon-izing-vulnerable-servers/"
-        creation_date = "2023-08-25"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "Before Work" ascii
-        $str02 = "DEFENDER OFF" ascii
-        $str03 = "Stop Service" ascii
-        $str04 = "Kill All (Default)" ascii
-        $str05 = "Keyboard EN" ascii
-        $str06 = "After Work" ascii
-        $str07 = "Del Shadow Log" ascii
-        $str08 = "Kill OSK" ascii
-        $str09 = "PWGEN" ascii
-        $str10 = "Character :" ascii
-        $str11 = "PW GEN" ascii
-        $str12 = "Cobian UI Pass" ascii
-        $str13 = "Credssp" ascii
-        $str14 = "Username :" ascii
-        $str15 = "Password :" ascii
-        $str16 = "TSpeedButton" ascii
-        $str17 = "Ab1q2w3e!" ascii
-        $str18 = "PC Details" ascii
-        $str19 = "Mimi Dump" ascii
-        $str20 = "MIMI Dump" ascii
-        $str21 = "powershell -ExecutionPolicy Bypass -File \"" wide
-        $str22 = "lastlog.txt" wide
-        $str23 = "$AdminGroupName = (Get-WmiObject -Class Win32_Group -Filter 'LocalAccount = True AND SID = \"S-1-5-32-544\"').Name" wide
-        $str24 = "net localgroup $AdminGroupName " wide
-        
-    condition:
-        uint16(0) == 0x5a4d and 17 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_backdoor_win_sponsor.yar b/yara_rules/sekoiaio_backdoor_win_sponsor.yar
deleted file mode 100644
index 0c79e2f..0000000
--- a/yara_rules/sekoiaio_backdoor_win_sponsor.yar
+++ /dev/null
@@ -1,25 +0,0 @@
-rule sekoiaio_backdoor_win_sponsor {
-    meta:
-        id = "d410cdb7-a2a8-481e-a90a-49ef15a7a0e3"
-        version = "1.0"
-        description = "Detect the Sponsor backdoor"
-        author = "Sekoia.io"
-        creation_date = "2024-03-29"
-        classification = "TLP:CLEAR"
-        reference = "https://www.welivesecurity.com/en/eset-research/sponsor-batch-filed-whiskers-ballistic-bobcats-scan-strike-backdoor/"
-        hash1 = "e5ee874bd59bb2a6dec700686544e7914312abff166a7390b34f7cb29993267a"
-        hash2 = "e2b74ed355d68bed2e7242baecccd7eb6eb480212d6cc54526bc4ff7e6f57629"
-        hash3 = "2a99cf7d73d453f3554e24bf3efa49d8109da9e8543db815a8f813559d083f8f"
-        hash4 = "c4dbda41c726af9ba3d9224f2e38fc433d2b60f4a23512437adeae8ef8986c57"
-        
-    strings:
-        $ = "Content-Type: application/x-www-form-urlencoded"
-        $ = "SYSTEM\\CurrentControlSet\\Control\\TimeZoneInformation"
-        $ = "\\Uninstall.bat"
-        $ = "\\config.txt"
-        $ = "\\node.txt"
-        
-    condition:
-        uint16be(0) == 0x4d5a and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_backdoor_win_volgmer.yar b/yara_rules/sekoiaio_backdoor_win_volgmer.yar
deleted file mode 100644
index 2bc5d2d..0000000
--- a/yara_rules/sekoiaio_backdoor_win_volgmer.yar
+++ /dev/null
@@ -1,33 +0,0 @@
-rule sekoiaio_backdoor_win_volgmer {
-    meta:
-        id = "9468a66d-787c-488f-937b-22617c7a2ded"
-        version = "1.0"
-        description = "Detect the NukeSped variant called Volgmer used by Andariel"
-        author = "Sekoia.io"
-        creation_date = "2023-09-04"
-        classification = "TLP:CLEAR"
-        hash1 = "3098e6e7ae23b3b8637677da7bfc0ba720e557e6df71fa54a8ef1579b6746061"
-        hash2 = "7339cfa5a67f5a4261c18839ef971d7f96eaf60a46190cab590b439c71c4742b"
-        hash3 = "8daa6b20caf4bf384cc7912a73f243ce6e2f07a5cb3b3e95303db931c3fe339f"
-        hash4 = "1b88b939e5ec186b2d19aec8f17792d493d74dd6ab3d5a6ddc42bfe78b01aff1"
-        
-    strings:
-        $ = "Fixed" wide
-        $ = "CDRom" wide
-        $ = "Removable" wide
-        $ = "%.2fGB" wide
-        $ = "\\*.*" wide
-        $ = "Folder" wide
-        $ = "%.1fKB" wide
-        $ = "%.1fMB" wide
-        $ = "%s\\*.*" wide
-        $ = "%s\\%s\\%s" wide
-        $ = "%s\\%s%s" wide
-        $ = "Remote PC" wide
-        $ = "%s|%s|%s|%s|%s|%s|" wide
-        $ = "%s\\cmd.exe" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_backdoor_win_warhawk.yar b/yara_rules/sekoiaio_backdoor_win_warhawk.yar
deleted file mode 100644
index c2a010f..0000000
--- a/yara_rules/sekoiaio_backdoor_win_warhawk.yar
+++ /dev/null
@@ -1,57 +0,0 @@
-rule sekoiaio_backdoor_win_warhawk {
-    meta:
-        id = "d0ec19a7-cb08-4bca-b153-d7b0358186b4"
-        version = "1.0"
-        description = "Detect the WarHawk backdoor used by the SideWinder intrusion-set"
-        author = "Sekoia.io"
-        creation_date = "2022-10-24"
-        classification = "TLP:CLEAR"
-        reference = "https://www.zscaler.com/blogs/security-research/warhawk-new-backdoor-arsenal-sidewinder-apt-group-0"
-        hash_exe1 = "7d3574c62df44b74337fc74ec7877792b4ffa1486a49bb19668433c3ca8836b5"
-        hash_exe2 = "624c6b56ee3865f4a5792ad1946a8e86b876440a5af3bac22ac1dee92f1b7372"
-        hash_iso1 = "58b3686e4255d32dbcf7dee9dac1d5be6d4692d086cde167da1e1a5e0e1b315a"
-        hash_iso2 = "f97d5d3e1c2ceb3e9d23ae5b5d4e7c9857155df5acf7f67fee995cb041c797dc"
-        
-    strings:
-        // { \"name\": \"%s\", \"size\": \"\", \"mod\": \"%s\", \"type\": \"File folder\" },
-        $ = {7b205c226e616d655c223a205c2225735c222c205c2273697a655c223a205c225c222c205c226d6f645c223a205c2225735c222c205c22747970655c223a205c2246696c6520666f6c6465725c22207d2c}
-        
-        // { \"name\": \"%s\", \"mod\": \"%s\", \"type\": \"%s\", \"size\": \"%u\" },
-        //$ = {7b205c226e616d655c223a205c2225735c222c205c226d6f645c223a205c2225735c222c205c22747970655c223a205c2225735c222c205c2273697a655c223a205c2225755c22207d2c}
-        
-        // { "_hwid": "%s", "_computer": "%s", "_username": "%s", "_os": "%s" }
-        $ = {7b20225f68776964223a20222573222c20225f636f6d7075746572223a20222573222c20225f757365726e616d65223a20222573222c20225f6f73223a2022257322207d}
-        
-        // {\"name\": \"%s\", \"type\": \"%s\"},
-        $ = {7b5c226e616d655c223a205c2225735c222c205c22747970655c223a205c2225735c227d2c}
-        
-        // { "_hwid": "%s", "_filemgr_done": "true", "_response": "%s" }
-        $ = {7b20225f68776964223a20222573222c20225f66696c656d67725f646f6e65223a202274727565222c20225f726573706f6e7365223a2022257322207d}
-        
-        // { "_hwid": "%s", "_task": "true" }
-        $ = {7b20225f68776964223a20222573222c20225f7461736b223a20227472756522207d}
-        
-        // { "_hwid": "%s", "_task_done": "true", "_id": "%s" }
-        $ = {7b20225f68776964223a20222573222c20225f7461736b5f646f6e65223a202274727565222c20225f6964223a2022257322207d}
-        
-        // { "_hwid": "%s", "_cmd": "true" }
-        $ = {7b20225f68776964223a20222573222c20225f636d64223a20227472756522207d}
-        
-        // { "_hwid": "%s", "_cmd_done": "true", "_response": "%s" }
-        $ = {7b20225f68776964223a20222573222c20225f636d645f646f6e65223a202274727565222c20225f726573706f6e7365223a2022257322207d}
-        
-        // { "_hwid": "%s", "_filemgr": "true" }
-        $ = {7b20225f68776964223a20222573222c20225f66696c656d6772223a20227472756522207d}
-        
-        // { "_hwid": "%s" }
-        $ = {7b20225f68776964223a2022257322207d}
-        
-        // { "_hwid": "%s", "_ping": "true" }
-        $ = {7b20225f68776964223a20222573222c20225f70696e67223a20227472756522207d}
-        
-        $ = "cmd.exe"
-        
-    condition:
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_backdoor_win_winordll64.yar b/yara_rules/sekoiaio_backdoor_win_winordll64.yar
deleted file mode 100644
index 232db4e..0000000
--- a/yara_rules/sekoiaio_backdoor_win_winordll64.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-import "hash"
-import "pe"
-        
-rule sekoiaio_backdoor_win_winordll64 {
-    meta:
-        id = "86a32538-bc69-47ea-9842-4af360588c27"
-        version = "1.0"
-        description = "Detect the WinorDLL64 backdoor"
-        author = "Sekoia.io"
-        creation_date = "2023-02-24"
-        classification = "TLP:CLEAR"
-        
-    condition:
-        hash.md5(pe.rich_signature.clear_data) == "d16713cbfe04151b3a9e832c8afd55df"
-        or for any i in (0..pe.number_of_sections-1) : (
-            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "3f638774c2565594029fb52ceb67db7a"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "f9416bfb43b2c70837927e43e7591a2a"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "6eede2cebaef39eec5bd1c24c809e3dc"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "1177658fb0469cd5982102c9f3cd2eea"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "658d877d1bf0d2928b2c3efec9ec06cf"
-        )
-        or pe.imphash() == "d6b6f8cdffb06f469e06c7af9639897c"
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_backdoor_xploitspy_strings.yar b/yara_rules/sekoiaio_backdoor_xploitspy_strings.yar
deleted file mode 100644
index fc6ae11..0000000
--- a/yara_rules/sekoiaio_backdoor_xploitspy_strings.yar
+++ /dev/null
@@ -1,29 +0,0 @@
-rule sekoiaio_backdoor_xploitspy_strings {
-    meta:
-        id = "0aa86c2e-dba6-4ef4-a47e-f1b43e04f1f3"
-        version = "1.0"
-        description = "Detects XploitSPY DEX file"
-        author = "Sekoia.io"
-        creation_date = "2022-08-24"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = { 04 30 78 43 42 00 }
-        $ = { 04 30 78 43 4C 00 }
-        $ = { 04 30 78 43 4F 00 }
-        $ = { 04 30 78 46 49 00 }
-        $ = { 04 30 78 47 50 00 }
-        $ = { 04 30 78 49 4E 00 }
-        $ = { 04 30 78 4C 4F 00 }
-        $ = { 04 30 78 4D 49 00 }
-        $ = { 04 30 78 4E 4F 00 }
-        $ = { 04 30 78 50 4D 00 }
-        $ = { 04 30 78 53 4D 00 }
-        $ = { 04 30 78 57 49 00 }
-        
-    condition:
-        uint32be(0) == 0x6465780A and
-        filesize < 1MB and
-        10 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_backoor_win_gobear.yar b/yara_rules/sekoiaio_backoor_win_gobear.yar
deleted file mode 100644
index 96afb17..0000000
--- a/yara_rules/sekoiaio_backoor_win_gobear.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_backoor_win_gobear {
-    meta:
-        id = "f922bf1b-652e-4a2f-91e9-76ecd2e3bf6a"
-        version = "1.0"
-        description = "Detect the GoBear backdoor used by Kimsuky"
-        author = "Sekoia.io"
-        creation_date = "2024-02-13"
-        classification = "TLP:CLEAR"
-        reference = "https://medium.com/s2wblog/kimsuky-disguised-as-a-korean-company-signed-with-a-valid-certificate-to-distribute-troll-stealer-cfa5d54314e2"
-        
-    condition:
-        for any i in (0..pe.number_of_resources-1) : (
-            hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "668031f53390dc749971888029911c12d4171534f77c17a962e698bf121d0e20"
-        )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_backoor_win_tinyturla_ng.yar b/yara_rules/sekoiaio_backoor_win_tinyturla_ng.yar
deleted file mode 100644
index 41c9624..0000000
--- a/yara_rules/sekoiaio_backoor_win_tinyturla_ng.yar
+++ /dev/null
@@ -1,29 +0,0 @@
-import "pe"
-        
-rule sekoiaio_backoor_win_tinyturla_ng {
-    meta:
-        id = "019043bb-0212-4b73-bc93-03e9a746d28d"
-        version = "1.0"
-        description = "Detect the TinyTurla-NG backdoor used by Turla"
-        author = "Sekoia.io"
-        creation_date = "2024-03-04"
-        classification = "TLP:CLEAR"
-        reference = "https://blog.talosintelligence.com/tinyturla-next-generation/"
-        hash1 = "267071df79927abd1e57f57106924dd8a68e1c4ed74e7b69403cdcdf6e6a453b"
-        hash2 = "d6ac21a409f35a80ba9ccfe58ae1ae32883e44ecc724e4ae8289e7465ab2cf40"
-        
-    strings:
-        $ = "delkill /F /IM explENT_USER\\Softwar"
-        $ = "Set-PSReadLineOption -HistorySaveStyle SaveNothing"
-        $ = "changeshell"
-        $ = "chcp 437 > $null"
-        $ = "powershell.exe -nologo"
-        
-    condition:
-        // Strings
-        uint16be(0) == 0x4d5a and all of them
-        
-        // Imphash
-        or pe.imphash() == "2240ae6f0dcbc0537836dfd9205a1f2b"
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_bot_lin_enemybot_april22.yar b/yara_rules/sekoiaio_bot_lin_enemybot_april22.yar
deleted file mode 100644
index 75571ee..0000000
--- a/yara_rules/sekoiaio_bot_lin_enemybot_april22.yar
+++ /dev/null
@@ -1,27 +0,0 @@
-rule sekoiaio_bot_lin_enemybot_april22 {
-    meta:
-        id = "5778c653-39ce-4f5d-b10b-1503b74e5041"
-        version = "1.0"
-        description = "Detect enemybot based on command line observed in strings"
-        author = "Sekoia.io"
-        reference = "https://twitter.com/3xp0rtblog/status/137520616938452173://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet"
-        creation_date = "2022-04-14"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $cmd0 = "wget http://%s/update.sh" ascii
-        $cmd1 = "busybox wget http://%s/update.sh" ascii
-        $cmd2 = "curl http://%s/update.sh" ascii
-        $cmd3 = "chmod 777 update.sh" ascii
-        $cmd4 = "rm -rf update.sh" ascii
-        
-        $str0 = "ENEMEYBOT" ascii xor
-        $str1 = "KEKSEC" ascii xor
-        $str2 = "/tmp/.pwned" ascii xor
-        $str3 = "echo -e \"\x65\x6e\x65\x6d\x79"
-        
-    condition:
-        (uint32(0)==0x464c457f or uint32(0)==0xfeedfacf) //elf or mach-o
-        and (4 of ($cmd*) or 2 of ($str*))
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_bot_lin_kinsing_strings.yar b/yara_rules/sekoiaio_bot_lin_kinsing_strings.yar
deleted file mode 100644
index 19451b3..0000000
--- a/yara_rules/sekoiaio_bot_lin_kinsing_strings.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule sekoiaio_bot_lin_kinsing_strings {
-    meta:
-        id = "ce41b6d0-bc22-4a85-a3bb-ed3234871524"
-        version = "1.0"
-        description = "Catch Kinsing malware based on strings"
-        author = "Sekoia.io"
-        creation_date = "2023-11-24"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "MinerUrl" ascii
-        $s2 = "main.masscan" ascii
-        $s3 = "redisBrute" ascii
-        $s4 = "ActiveC2CUrl" ascii
-        $s5 = "main.getKi" ascii
-        $s6 = "main.getMu" ascii
-        $s7 = "tryToRunMiner" ascii
-        $s8 = "main.kiLoader" ascii
-        $s9 = "main.downloadAndExecute" ascii
-        
-    condition:
-        uint32(0)==0x464c457f and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_bot_lin_lucifer_strings.yar b/yara_rules/sekoiaio_bot_lin_lucifer_strings.yar
deleted file mode 100644
index ebad970..0000000
--- a/yara_rules/sekoiaio_bot_lin_lucifer_strings.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_bot_lin_lucifer_strings {
-    meta:
-        id = "c341b6d0-bc22-4a85-aebb-ed323487f524"
-        version = "1.0"
-        description = "Catch Lucifer DDoS - lin version - malware based on strings"
-        author = "Sekoia.io"
-        creation_date = "2024-09-24"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "DealwithDDoS" ascii
-        $s2 = "DecryptData" ascii
-        $s3 = "They say I'm rude. I'm not rude at all, but I still want to say, fuck your mother" ascii
-        $s4 = "stratum+tcp://" ascii
-        $s5 = "gethostip" ascii
-        $s6 = "GetmyName" ascii
-        
-    condition:
-        uint32(0)==0x464c457f and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_bot_lin_xorddos_strings.yar b/yara_rules/sekoiaio_bot_lin_xorddos_strings.yar
deleted file mode 100644
index 74afcfd..0000000
--- a/yara_rules/sekoiaio_bot_lin_xorddos_strings.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_bot_lin_xorddos_strings {
-    meta:
-        id = "2f5c70a3-fe3f-4091-905d-d779bd0cb2cd"
-        version = "1.0"
-        description = "Catch XORDDoS strings"
-        author = "Sekoia.io"
-        creation_date = "2023-11-02"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)" ascii fullword
-        $s2 = "sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab" ascii fullword
-        $s3 = "for i in `cat /proc/net/dev|grep :|awk -F: {'print $1'}`; do ifconfig $i up& done"
-        
-    condition:
-        uint32(0)==0x464c457f and filesize > 600KB and filesize < 700KB and 3 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_bot_lin_zerobot_dec22.yar b/yara_rules/sekoiaio_bot_lin_zerobot_dec22.yar
deleted file mode 100644
index 2c9b4b9..0000000
--- a/yara_rules/sekoiaio_bot_lin_zerobot_dec22.yar
+++ /dev/null
@@ -1,31 +0,0 @@
-rule sekoiaio_bot_lin_zerobot_dec22 {
-    meta:
-        id = "ce028297-a526-4a6a-95db-8762fb5895f6"
-        version = "1.0"
-        description = "Detect the linux Zerobot implant using specific strings"
-        author = "Sekoia.io"
-        reference = "https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities"
-        creation_date = "2022-08-05"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "rm -rf "
-        $str02 = "wget http://"
-        $str03 = "curl -O http://"
-        $str04 = "tftp"
-        $str05 = "-c get"
-        $str06 = "ftpget -v -u anonymous -P"
-        $str07 = "chmod 777"
-        $str08 = "nohup"
-        $str09 = "/dev/null 2>&1 &"
-        $str10 = "zero."
-        $str11 = "ppc64le"
-        $str12 = "riscv64"
-        $str13 = "s390x"
-        $str14 = "rm -rf ~/.bash_history"
-        $str15 = "history -c"
-        
-    condition:
-        11 of ($str*) and filesize < 10KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_bot_win_yamabot.yar b/yara_rules/sekoiaio_bot_win_yamabot.yar
deleted file mode 100644
index 1f9c63e..0000000
--- a/yara_rules/sekoiaio_bot_win_yamabot.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_bot_win_yamabot {
-    meta:
-        id = "9f5b85c4-59e3-448f-b054-5b4932ee89bb"
-        version = "1.0"
-        description = "Detect the Yamabot implant used by Lazarus"
-        author = "Sekoia.io"
-        creation_date = "2023-08-29"
-        classification = "TLP:CLEAR"
-        hash1 = "1e4de822695570421eb2f12fdfe1d32ab8639655e12180a7ab3cf429e7811b8f"
-        hash2 = "66415464a0795d0569efa5cb5664785f74ed0b92a593280d689f3a2ac68dca66"
-        hash3 = "74529dd15d1953a47f0d7ecc2916b2b92865274a106e453a24943ca9ee434643"
-        hash4 = "def2f01fbd4be85f48101e5ab7ddd82efb720e67daa6838f30fd8dcda1977563"
-        
-    strings:
-        $s1 = "_/D_/Bot/YamaBot/"
-        $s2 = "Go build ID: \"ujRRNborth3MgXzS7HTu/aYhLszO8_95srnr8Fk1n/Xr8P792kGZ_VUqOQVc97/kgx_H7YuMZBl2Ajyac2M\""
-        
-    condition:
-        uint16be(0) == 0x4d5a and 1 of them and filesize > 3MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_botnet_lin_tsunami.yar b/yara_rules/sekoiaio_botnet_lin_tsunami.yar
deleted file mode 100644
index 2af37f6..0000000
--- a/yara_rules/sekoiaio_botnet_lin_tsunami.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_botnet_lin_tsunami {
-    meta:
-        id = "65d2ff89-064f-489a-a215-33197926a62d"
-        version = "1.0"
-        description = "Catch tsunami botnet based on string"
-        author = "Sekoia.io"
-        creation_date = "2024-09-24"
-        classification = "TLP:CLEAR"
-        hash = "536a28db011459d841652e25a852ccf2"
-        
-    strings:
-        $n = "NOTICE %s" ascii
-        $t = "TSUNAMI" ascii nocase
-        $s1 = "NICK" ascii fullword
-        $s2 = "GETSPOOFS" ascii fullword
-        $s3 = "IRC" ascii fullword
-        $s4 = "PONG" ascii
-        
-    condition:
-        uint32(0)==0x464c457f and #n > 40 and #t > 3 and 3 of ($s*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_builder_win_royalroad_rtf.yar b/yara_rules/sekoiaio_builder_win_royalroad_rtf.yar
deleted file mode 100644
index 6932649..0000000
--- a/yara_rules/sekoiaio_builder_win_royalroad_rtf.yar
+++ /dev/null
@@ -1,16 +0,0 @@
-rule sekoiaio_builder_win_royalroad_rtf {
-    meta:
-        id = "065e798b-eadd-4aac-a444-de61b75f0273"
-        description = "Detects RoyalRoad weaponized RTF documents"
-        creation_date = "2022-06-23"
-        author = "Sekoia.io"
-        version = "1.0"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "{\\object\\objocx{\\objdata"
-        $ = "ods0000"
-        
-    condition:        uint32be(0) == 0x7B5C7274 and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_bumblebee_loader.yar b/yara_rules/sekoiaio_bumblebee_loader.yar
deleted file mode 100644
index 1108b29..0000000
--- a/yara_rules/sekoiaio_bumblebee_loader.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_bumblebee_loader {
-    meta:
-        id = "8fd795c7-6896-498c-a892-de9da6427b60"
-        version = "1.0"
-        description = "Detect the BUMBLEBEE loader"
-        author = "Sekoia.io"
-        creation_date = "2022-05-23"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str0 = { 5a 00 3a 00 5c 00 68 00 6f 00 6f 00 6b 00 65 00 72 00 32 00 5c 00 43 00 6f 00 6d 00 6d 00 6f 00 6e 00 5c 00 6d 00 64 00 35 00 2e 00 63 00 70 00 70 00 }
-        $str1 = "/gate" ascii
-        $str2 = "3C29FEA2-6FE8-4BF9-B98A-0E3442115F67" wide
-        $str3 = "BLACK" ascii
-        
-    condition:
-        uint16be(0) == 0x4d5a and 3 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_bumblebee_vhd.yar b/yara_rules/sekoiaio_bumblebee_vhd.yar
deleted file mode 100644
index 00ec839..0000000
--- a/yara_rules/sekoiaio_bumblebee_vhd.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-import "magic"
-        
-rule sekoiaio_bumblebee_vhd {
-    meta:
-        id = "0a9d1ffa-a3ff-4b15-b660-b4c132d5a415"
-        version = "1.0"
-        description = "BumbleBee new infection vector via VHD file and powershell second stage"
-        author = "Sekoia.io"
-        creation_date = "2022-09-09"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" ascii
-        $s2 = "Invalid partition table" ascii
-        $s3 = "BOOTMGR" ascii
-        $s4 = "LNK" ascii
-        
-    condition:
-        magic.mime_type() == "application/x-virtualbox-vhd" and
-        filesize > 3MB and filesize < 10MB and
-        all of ($s*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_clipper_win_atlas_strings.yar b/yara_rules/sekoiaio_clipper_win_atlas_strings.yar
deleted file mode 100644
index 7b33a75..0000000
--- a/yara_rules/sekoiaio_clipper_win_atlas_strings.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-rule sekoiaio_clipper_win_atlas_strings {
-    meta:
-        id = "f08c6af6-c325-4f7d-8686-575b25550d6a"
-        version = "1.0"
-        description = "Detects Atlas Clipper"
-        author = "Sekoia.io"
-        creation_date = "2023-07-10"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "C:/Users/box/Desktop/ATLAS/ATLAS/main.go" ascii
-        $s2 = "ATLAS Clipper" ascii
-        $s3 = "Victim: %s" ascii
-        $s4 = "Attacker: %s" ascii
-        $s5 = "Install Path: %s" ascii
-        $s6 = "HWID: %s" ascii
-        $s7 = "Install Date: %s" ascii
-        $s8 = "https://t.me/atlasclipper_channel" ascii
-        
-    condition:
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_clipper_win_cryptoclippy.yar b/yara_rules/sekoiaio_clipper_win_cryptoclippy.yar
deleted file mode 100644
index 9bcd02d..0000000
--- a/yara_rules/sekoiaio_clipper_win_cryptoclippy.yar
+++ /dev/null
@@ -1,26 +0,0 @@
-rule sekoiaio_clipper_win_cryptoclippy {
-    meta:
-        id = "eaa98a8e-e29e-43a4-8b2d-2137d33d4116"
-        version = "1.0"
-        description = "Finds CryptoClippy samples"
-        author = "Sekoia.io"
-        reference = "https://unit42.paloaltonetworks.com/crypto-clipper-targets-portuguese-speakers/"
-        creation_date = "2023-04-11"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "C:\\mbedtls\\library\\" ascii
-        $str02 = "udp://8.8.8.8:53" ascii
-        $str03 = "Upgrade: websocket" ascii
-        $str04 = "%s\\%s.lnk" ascii
-        $str05 = "%s\\%s.ps1" ascii
-        $str06 = "%s\\%s.bat" ascii
-        $str07 = "set PSExecutionPolicyPreference=Unrestricted" ascii
-        $str08 = "schtasks /delete /tn \"%ls\" /f" ascii
-        $str09 = "SetClipboardData" ascii
-        $str10 = "SetWinEventHook" ascii
-        
-    condition:
-        uint16(0) == 0x5A4D and 8 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_clwiper_strings.yar b/yara_rules/sekoiaio_clwiper_strings.yar
deleted file mode 100644
index 75c181a..0000000
--- a/yara_rules/sekoiaio_clwiper_strings.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_clwiper_strings {
-    meta:
-        id = "91e531e2-8548-460f-88a8-cc09abb901e0"
-        version = "1.0"
-        author = "Sekoia.io"
-        creation_date = "2022-09-15"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $w1 = "missing args"
-        $w2 = "wp starts"
-        $w3 = "Total Bytez : %lld"
-        $w4 = "percent is %f spent time is %.2fs"
-        $d1 = "\\\\?\\RawDisk3"
-        $d2 = "B4B615C28CCD059CF8ED1ABF1C71FE03C0354522990AF63ADF3C911E2287A4B906D47D"
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        (3 of ($w*) or all of ($d*))
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_crime_sload_mainpowershellimplant.yar b/yara_rules/sekoiaio_crime_sload_mainpowershellimplant.yar
deleted file mode 100644
index dd1586b..0000000
--- a/yara_rules/sekoiaio_crime_sload_mainpowershellimplant.yar
+++ /dev/null
@@ -1,32 +0,0 @@
-rule sekoiaio_crime_sload_mainpowershellimplant {
-    meta:
-        id = "09d268e7-d688-4390-856e-9e9ed47aec04"
-        version = "1.0"
-        description = "Detects the main PowerShell implant"
-        author = "Sekoia.io"
-        creation_date = "2022-08-03"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $c1 = "priority FOREGROUND"
-        $c2 = "app|Services|RuntimeBroker|Search|host"
-        $c3 = "([wmiclass]\"win32_Process\").create("
-        $c4 = "Start-Sleep -seconds"
-        $c5 = "while($e -eq 1){ $dCnt++;"
-        
-        $d1 = "112,114,105,111,114,105,116,121,32,70,79,82,69,71,82,79,85,78,68"
-        $d2 = "97,112,112,124,83,101,114,118,105,99,101,115,124,82,117,110,116,105,109,101,66,114,111,107,101,114,124,83,101,97,114,99,104,124,104,111,115,116"
-        $d3 = "40,91,119,109,105,99,108,97,115,115,93,34,119,105,110,51,50,95,80,114,111,99,101,115,115,34,41,46,99,114,101,97,116,101,40"
-        $d4 = "83,116,97,114,116,45,83,108,101,101,112,32,45,115,101,99,111,110,100,115"
-        $d5 = "119,104,105,108,101,40,36,101,32,45,101,113,32,49,41,123,32,36,100,67,110,116,43,43,59"
-        
-        $b1 = "priority FOREGROUND" base64
-        $b2 = "app|Services|RuntimeBroker|Search|host" base64
-        $b3 = "([wmiclass]\"win32_Process\").create(" base64
-        $b4 = "Start-Sleep -seconds" base64
-        $b5 = "while($e -eq 1){ $dCnt++;" base64
-        
-    condition:
-        3 of ($c*) or 3 of ($d*) or 3 of ($b*) and filesize < 30KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_crime_sload_powershellarchiveexfiltrator_strings.yar b/yara_rules/sekoiaio_crime_sload_powershellarchiveexfiltrator_strings.yar
deleted file mode 100644
index 613b6f5..0000000
--- a/yara_rules/sekoiaio_crime_sload_powershellarchiveexfiltrator_strings.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule sekoiaio_crime_sload_powershellarchiveexfiltrator_strings {
-    meta:
-        id = "3934696a-2116-49cb-9f75-3740767ad6f3"
-        version = "1.0"
-        author = "Sekoia.io"
-        creation_date = "2022-08-02"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "if ($wr1 -or $wr2){"
-        $ = "if ($zp1 -or $zp2){"
-        $ = "-join ((65..90) + (97..122) | Get-Random -Count 16 | % {[char]$_});"
-        
-    condition:
-        all of them and filesize < 1KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_crime_sload_scheduledtask_dropper_strings.yar b/yara_rules/sekoiaio_crime_sload_scheduledtask_dropper_strings.yar
deleted file mode 100644
index 37d7c98..0000000
--- a/yara_rules/sekoiaio_crime_sload_scheduledtask_dropper_strings.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule sekoiaio_crime_sload_scheduledtask_dropper_strings {
-    meta:
-        id = "01c51da8-71a5-449f-a609-933c37bc2e63"
-        version = "1.0"
-        author = "Sekoia.io"
-        creation_date = "2022-08-02"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "$hh='hi'+'dd'+'en';"
-        $ = { 7D 65 6C 73 65 7B 0A 24 72 73 3D 30 3B 0A 7D 0A }
-        $ = { 6B 69 6C 6C 20 2D 6E 61 6D 65 20 2A 77 65 72 73 68 65 6C 2A }
-        
-    condition:
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_crime_sload_vbs_downloader_strings_1.yar b/yara_rules/sekoiaio_crime_sload_vbs_downloader_strings_1.yar
deleted file mode 100644
index 48290ce..0000000
--- a/yara_rules/sekoiaio_crime_sload_vbs_downloader_strings_1.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_crime_sload_vbs_downloader_strings_1 {
-    meta:
-        id = "77ff0d21-9249-43b2-9a6d-87988a2dec3b"
-        version = "1.0"
-        description = "Detects an sLoad downloader based on strings"
-        author = "Sekoia.io"
-        creation_date = "2022-08-02"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "On Error Resume Next"
-        $ = {0A [4] 3D 41 72 72 61 79}
-        $ = { 2E 50 61 74 74 65 72 6E 20 3D 20 22 28 [4-10] 7C [4-10] 7C [4-10] 7C [4-10] 7C [4-10] 7C [4-10] 7C [4-10] 7C }
-        
-    condition:
-      all of them and filesize < 20KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_crime_sload_vbs_downloader_strings_2.yar b/yara_rules/sekoiaio_crime_sload_vbs_downloader_strings_2.yar
deleted file mode 100644
index e476e1a..0000000
--- a/yara_rules/sekoiaio_crime_sload_vbs_downloader_strings_2.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_crime_sload_vbs_downloader_strings_2 {
-    meta:
-        id = "77ff0d21-9249-43b2-9a6d-87988a2dec3b"
-        version = "1.0"
-        description = "Detects an sLoad downloader based on strings"
-        author = "Sekoia.io"
-        creation_date = "2022-08-02"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "On Error Resume Next"
-        $ = {0A [4] 3D 41 72 72 61 79}
-        $ = { 2E 50 61 74 74 65 72 6E 20 3D 20 22 28 [4-10] 7C [4-10] 7C [4-10] 7C [4-10] 7C [4-10] 7C [4-10] 7C [4-10] 7C }
-        
-    condition:
-    all of them and filesize < 20KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_crime_sload_vbs_wsf_downloader.yar b/yara_rules/sekoiaio_crime_sload_vbs_wsf_downloader.yar
deleted file mode 100644
index 969ce5a..0000000
--- a/yara_rules/sekoiaio_crime_sload_vbs_wsf_downloader.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_crime_sload_vbs_wsf_downloader {
-    meta:
-        id = "55d87205-5f8f-479a-a616-bf3fce571f03"
-        version = "1.0"
-        description = "Detects sLoad Downloader"
-        author = "Sekoia.io"
-        creation_date = "2022-08-01"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = { 53 65 74 20 6c 69 6e 6b 20 3d 20 [5-10] 2e 43 72 65 61 74 65 53 68 6f 72 74 63 75 74 28 }
-        $ = { 2e 72 75 6e 20 22 63 3a 5c 55 73 65 72 73 5c 50 75 62 6c 69 63 5c 44 6f 63 75 6d 65 6e 74 73 5c [5-10] 2e 6c 6e 6b 20 2f 63 20 70 6f 77 65 72 73 68 65 6c 6c }
-        $ = { 3d 22 20 2f 63 20 70 6f 77 65 72 73 68 65 6c 6c 20 22 }
-        $ = { 20 2f 63 20 70 6f 77 65 72 73 68 65 6c 6c 20 22 20 26 20 }
-        
-    condition:
-        2 of them and filesize < 1KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_crime_sload_zip_archives.yar b/yara_rules/sekoiaio_crime_sload_zip_archives.yar
deleted file mode 100644
index c969753..0000000
--- a/yara_rules/sekoiaio_crime_sload_zip_archives.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_crime_sload_zip_archives {
-    meta:
-        id = "5335ad65-bca5-4937-8634-46cbd7aa1b0e"
-        version = "1.0"
-        description = "Detects ZIP archives used by sLOad"
-        author = "Sekoia.io"
-        creation_date = "2022-08-01"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $pic = { 00 00 00 [6] 2E ( 70 6E 67 | 67 69 66 | 6a 70 67 | 6A 70 65 67 ) }
-        $pdf = { 00 00 00 [8] 2E 70 64 66 }
-        $vbs = { ( 4c 65 67 67 69 6d 69 | 66 69 73 63 ) 2e ( 77 73 66 | 76 62 73 ) }
-        
-    condition:
-        uint16be(0) == 0x504B
-        and filesize < 30KB
-        and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_crimeware_njrat_strings.yar b/yara_rules/sekoiaio_crimeware_njrat_strings.yar
deleted file mode 100644
index 4915192..0000000
--- a/yara_rules/sekoiaio_crimeware_njrat_strings.yar
+++ /dev/null
@@ -1,25 +0,0 @@
-rule sekoiaio_crimeware_njrat_strings {
-    meta:
-        id = "215807ae-fbcb-478d-8941-e0787b883669"
-        version = "1.0"
-        description = "Detects njRAT based on some strings"
-        author = "Sekoia.io"
-        creation_date = "2022-08-22"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "set cdaudio door closed" wide
-        $ = "set cdaudio door open" wide
-        $ = "ping 0" wide
-        $ = "[endof]" wide
-        $ = "TiGeR-Firewall" wide
-        $ = "NetSnifferCs" wide
-        $ = "IPBlocker" wide
-        $ = "Sandboxie Control" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 1MB and
-        5 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_crybercrime_prophetspider_proxy.yar b/yara_rules/sekoiaio_crybercrime_prophetspider_proxy.yar
deleted file mode 100644
index 80e3cb3..0000000
--- a/yara_rules/sekoiaio_crybercrime_prophetspider_proxy.yar
+++ /dev/null
@@ -1,42 +0,0 @@
-import "pe"
-        
-rule sekoiaio_crybercrime_prophetspider_proxy {
-    meta:
-        id = "b7637fc3-bf81-40c4-869c-1c283574e0a7"
-        version = "1.0"
-        description = "Detects the Winntaa decryption loop or imphash"
-        author = "Sekoia.io"
-        creation_date = "2022-02-17"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = { 56
-        57
-        48 8D 95 F0 FE FF FF
-        31 C0
-        66 21 02
-        48 89 CE
-        AC
-        48 89 D7
-        4C 89 C2
-        88 D4
-        30 C2
-        0F B6 CA
-        48 89 95 E8 FE FF FF
-        AC
-        30 E0
-        AA
-        E2 FA
-        88 C8
-        AA
-        48 8D 85 F0 FE FF FF
-        48 8B 95 E8 FE FF FF
-        5F
-        5E
-        C3 }
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        (all of them or pe.imphash() == "55e0b8e5b4d787c680ada4e450789a4d")
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_crypter_vbs_to_exe.yar b/yara_rules/sekoiaio_crypter_vbs_to_exe.yar
deleted file mode 100644
index 4f4fb63..0000000
--- a/yara_rules/sekoiaio_crypter_vbs_to_exe.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_crypter_vbs_to_exe {
-    meta:
-        id = "33ed286f-3055-452e-952b-abaf11a543a1"
-        version = "1.0"
-        description = "first stage of Crypter-VBS-to-EXE dropped on infected hosted"
-        author = "Sekoia.io"
-        creation_date = "2023-01-03"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $theDot = ":::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::" ascii
-        $s1 = "cmd.exe /c curl" ascii
-        $s2 = "WScript.Sleep(3000)" ascii
-        $s3 = "runCmd = \"cmd.exe /c powershell.exe -exec Bypass -C \" + myVar +" ascii
-        $s4 = "WshShell.Run \"cmd /c \" & runCmd, 0, True" ascii
-        
-    condition:
-        #theDot > 200  and all of ($s*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_crypter_win_dotrunpex.yar b/yara_rules/sekoiaio_crypter_win_dotrunpex.yar
deleted file mode 100644
index e44d70d..0000000
--- a/yara_rules/sekoiaio_crypter_win_dotrunpex.yar
+++ /dev/null
@@ -1,16 +0,0 @@
-rule sekoiaio_crypter_win_dotrunpex {
-    meta:
-        id = "6fb4ffe0-3a5c-432c-8ae2-404bb5960c30"
-        version = "1.0"
-        description = "Detect the dotRunpeX crypter based on strings"
-        author = "Sekoia.io"
-        creation_date = "2023-06-08"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = {52 00 75 00 6e 00 70 00 65 00 58 00 2e 00 53 00 74 00 75 00 62 00 2e 00 46 00 72 00 61 00 6d 00 65 00 77 00 6f 00 72 00 6b 00 2e 00 65 00 78 00 65} //R.u.n.p.e.X...S.t.u.b...F.r.a.m.e.w.o.r.k...e.x.e
-        
-    condition:
-        uint16(0)==0x5A4D and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_darkriver_encodedurl.yar b/yara_rules/sekoiaio_darkriver_encodedurl.yar
deleted file mode 100644
index 816e5dc..0000000
--- a/yara_rules/sekoiaio_darkriver_encodedurl.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_darkriver_encodedurl {
-    meta:
-        id = "60f1676f-dade-4376-9980-f510dff52ae5"
-        version = "1.0"
-        description = "Detects encoding URL inside docx documents"
-        author = "Sekoia.io"
-        creation_date = "2023-10-10"
-        classification = "TLP:CLEAR"
-        hash1 = "5c9551388213f54c4b54cd42ccb034d8d9173a4bbfcf8b666e0db8df929762e7"
-        hash1 = "13de9f39b1ad232e704b5e0b5051800fcd844e9f661185ace8287a23e9b3868e"
-        hash1 = "3b05e89ff2338472cc493d59bae450338effd29f0ed7d46fb999709e63cf2472"
-        
-    strings:
-        $s1 = "&#109;&#104;&#116;&#109;&#108;&#58;&#104;&#116;&#116;&#112;"
-        $s2 = "&#38;&#95;&#116;&#115;&#61;"
-        $header = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>"
-        
-    condition:
-        filesize < 500KB and
-        any of ($s*) and $header at 0
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_dotnet_injector_new_payload.yar b/yara_rules/sekoiaio_dotnet_injector_new_payload.yar
deleted file mode 100644
index 8c57029..0000000
--- a/yara_rules/sekoiaio_dotnet_injector_new_payload.yar
+++ /dev/null
@@ -1,31 +0,0 @@
-import "dotnet"
-        
-rule sekoiaio_dotnet_injector_new_payload {
-    meta:
-        id = "b0a1d471-5381-4fa8-8563-7e72ecd15bed"
-        version = "1.0"
-        description = "New dotnet injector"
-        author = "Sekoia.io"
-        creation_date = "2022-12-21"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $f1 = "DownloadFile" ascii
-        $f2 = "StreamReader" ascii
-        $f3 = "ReadToEnd" ascii
-        $f4 = "Reverse" ascii
-        $f5 = "Load" ascii
-        $f6 = "StringToByteArray" ascii
-        $s1 = "Admin" wide
-        $s2 = "User" wide
-        $p1 = "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\" wide
-        $p2 = ".lnk" wide
-        
-    condition:
-        filesize < 300KB and
-        all of ($f*) and
-        all of ($s*) and
-        all of ($p*) and
-        dotnet.is_dotnet
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_downloader_kimsuky_lnk.yar b/yara_rules/sekoiaio_downloader_kimsuky_lnk.yar
deleted file mode 100644
index ca3d17e..0000000
--- a/yara_rules/sekoiaio_downloader_kimsuky_lnk.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-rule sekoiaio_downloader_kimsuky_lnk {
-    meta:
-        id = "3831d115-7874-4bc9-aeb4-d2cb9bc2b5c9"
-        version = "1.0"
-        description = "Detect Kimsuky LNK"
-        author = "Sekoia.io"
-        creation_date = "2024-07-16"
-        classification = "TLP:CLEAR"
-        reference = "https://blogs.jpcert.or.jp/en/2024/07/attack-activities-by-kimsuky-targeting-japanese-organizations.html"
-        hash1 = "3065b8e4bb91b4229d1cea671e8959da8be2e7482067e1dd03519c882738045e"
-        hash2 = "d912f49d24792aa7197509f76e2097ac3858cde23199e1b40f2516948d39c589"
-        hash3 = "e936445935c4a636614f7113e4121695a5f3e4a6c137b7cdcceb6f629aa957c4"
-        hash4 = "fe156159a26f8b7c140db61dd8b136e1c8103a800748fe9b70a3a3fdf179d3c3"
-        
-    strings:
-        $ = "AType: Text Document" wide
-        $ = "Size: 5.23 KB" wide
-        $ = "Date modified: 01/02/2020 11:23" wide
-        
-    condition:
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_downloader_mac_rustbucket.yar b/yara_rules/sekoiaio_downloader_mac_rustbucket.yar
deleted file mode 100644
index 4f90c1b..0000000
--- a/yara_rules/sekoiaio_downloader_mac_rustbucket.yar
+++ /dev/null
@@ -1,32 +0,0 @@
-rule sekoiaio_downloader_mac_rustbucket {
-    meta:
-        id = "5a003b68-ad9a-47f9-b157-dd898181dac2"
-        version = "1.0"
-        description = "RustBucket fake PDF reader"
-        author = "Sekoia.io"
-        creation_date = "2023-04-24"
-        classification = "TLP:CLEAR"
-        reference = "https://www.jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/"
-        hash1 = "38106b043ede31a66596299f17254d3f23cbe1f983674bf9ead5006e0f0bf880"
-        hash2 = "bea33fb3205319868784c028418411ee796d6ee3dfe9309f143e7e8106116a49"
-        hash3 = "7981ebf35b5eff8be2f3849c8f3085b9cec10d9759ff4d3afd46990520de0407"
-        hash4 = "e74e8cdf887ae2de25590c55cb52dad66f0135ad4a1df224155f772554ea970c"
-        
-    strings:
-        $down_exec1 = "_down_update_run" nocase
-        $down_exec2 = "downAndExec" nocase
-        $encrypt1 = "_encrypt_pdf"
-        $encrypt2 = "_encrypt_data"
-        $error_msg1 = "_alertErr"
-        $error_msg2 = "_show_error_msg"
-        $view_pdf1 = "-[PEPWindow view_pdf:]"
-        $view_pdf2 = "-[PEPWindow viewPDF:]"
-        $macho_magic = {CF FA ED FE}
-        $java_magic = {CA FE BA BE}
-        
-    condition:
-        ($macho_magic at 0 or $java_magic at 0) 
-        and 5 of them
-        and filesize > 50KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_downloader_mac_rustbucket_swiftloader.yar b/yara_rules/sekoiaio_downloader_mac_rustbucket_swiftloader.yar
deleted file mode 100644
index 1f8e831..0000000
--- a/yara_rules/sekoiaio_downloader_mac_rustbucket_swiftloader.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_downloader_mac_rustbucket_swiftloader {
-    meta:
-        id = "bdbc95db-5d58-4c96-91f9-34b653e67f50"
-        version = "1.0"
-        description = "Detect the file com.EdoneViewer in the new version of RustBucker 2023-10"
-        author = "Sekoia.io"
-        creation_date = "2023-12-05"
-        classification = "TLP:CLEAR"
-        hash1 = "7c5bf60787bfd076c8806eaa4f1185f5b9fda69008376624ab3d17f207eb16a4"
-        hash2 = "bc90adde92bd47b4de7d384e5b20c1a1791d603629bd0fcba4b550fb35e93216"
-        hash3 = "c9a7b42c7b29ca948160f95f017e9e9ae781f3b981ecf6edbac943e52c63ffc8"
-        
-    strings:
-        $ = "/Users/ghost/Desktop/EdoneViewer/EdoneViewer/"
-        $ = "EdoneViewerApp.swift"
-        
-    condition:
-        1 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_downloader_mac_smooth_operator.yar b/yara_rules/sekoiaio_downloader_mac_smooth_operator.yar
deleted file mode 100644
index 4024a9f..0000000
--- a/yara_rules/sekoiaio_downloader_mac_smooth_operator.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule sekoiaio_downloader_mac_smooth_operator {
-    meta:
-        id = "c132b3f0-f536-4a66-bcf8-2a95c258c414"
-        version = "1.0"
-        description = "Detect the Smooth_Operator malware"
-        author = "Sekoia.io"
-        creation_date = "2023-07-04"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "%s/.main_storage"
-        $ = "%s/UpdateAgent"
-        
-    condition:
-        uint32be(0)==0xcafebabe and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_downloader_win_andarloader.yar b/yara_rules/sekoiaio_downloader_win_andarloader.yar
deleted file mode 100644
index 4f69a09..0000000
--- a/yara_rules/sekoiaio_downloader_win_andarloader.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_downloader_win_andarloader {
-    meta:
-        id = "96dd737e-601c-4370-9fa6-4bbafafae203"
-        version = "1.0"
-        description = "Detect the AndarLoader downloader used by Andariel"
-        author = "Sekoia.io"
-        creation_date = "2023-09-04"
-        classification = "TLP:CLEAR"
-        hash1 = "02135f60f3edff0b9baa4c20715ee6a80c94f282079bf879265f5e020d37cf88"
-        hash2 = "54ed7a7430974cc2ea694f49f3e637b835dcd24aa19d66af854ad47b87068c92"
-        
-    condition:
-        for any i in (0..pe.number_of_resources-1) : (
-            hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "b338ad077c7f5be85c33def7287198841d55af8cd1ad856fdcd16fdc78f18838"
-        )
-        and filesize < 100KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_downloader_win_apt33_tickler.yar b/yara_rules/sekoiaio_downloader_win_apt33_tickler.yar
deleted file mode 100644
index 7f4daf9..0000000
--- a/yara_rules/sekoiaio_downloader_win_apt33_tickler.yar
+++ /dev/null
@@ -1,30 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_downloader_win_apt33_tickler {
-    meta:
-        id = "e1f704d6-d527-479a-8311-d286c06768ac"
-        version = "1.0"
-        description = "Detect the downloader used by APT33 to diwnload Tickler"
-        author = "Sekoia.io"
-        creation_date = "2024-08-29"
-        classification = "TLP:CLEAR"
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        pe.imphash() == "e43c58659b5b3082387307603478881a"
-        or hash.md5(pe.rich_signature.clear_data) == "d30bd7875b225709ecf95bf68dbd435f"
-        or for any i in (0..pe.number_of_sections-1) : (
-            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "d7d2079d0a656c06a03f2c277bb08bda"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "61a1425e6a0d28e29c6fd3d451ac3717"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "916bf96ed3274ce8322d9f370432844f"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "3fab9d4ae989d53cecb2f443b8ce88d0"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "e0967483e074da72ceff4dea3bc17530"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "b4a571736b6646765155ffbd57c27c83"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "35c88ba521887f8fe1b2501f8cd8bd98"
-        )
-        or for any i in (0..pe.number_of_resources-1) : (
-            hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "636dc666c7496cb3382b029fed53473f181cdc24405886c468e51a103d78b4d4"
-        )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_downloader_win_cobianrat.yar b/yara_rules/sekoiaio_downloader_win_cobianrat.yar
deleted file mode 100644
index 005052a..0000000
--- a/yara_rules/sekoiaio_downloader_win_cobianrat.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule sekoiaio_downloader_win_cobianrat {
-    meta:
-        id = "7a86c17f-bf4e-4465-9488-244b75fc36f1"
-        version = "1.0"
-        description = "Detect CobianRAT downloader"
-        author = "Sekoia.io"
-        creation_date = "2024-08-23"
-        classification = "TLP:CLEAR"
-        hash = "7a70779d9d7de5e370fac0fa2d4ccd13"
-        hash = "2ce40599a4990680db3af5defcd5381a"
-        hash = "56515c48f82475e7bb6a26b027a459d7"
-        hash = "3450bece12bd8103d5e718a2661d0404"
-        hash = "132858739129d2b863dc547facbed7e9"
-        hash = "693bd96d162c54d7e9605580eaf54a6e"
-        hash = "d03a4988e22e6c7b2a03efa2bdb1502d"
-        hash = "ab8c68b907ec2ce316bf18f00938710c"
-        
-    strings:
-        $ = {24 00 44 00 6F 00 77 00 6E 00 6C 00 6F 00 61 00 64 00 55 00 72 00 6C 00 20 00 3D 00 20 00 27}
-        
-    condition:
-        uint16be(0) == 0x4d5a and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_downloader_win_curl_agent.yar b/yara_rules/sekoiaio_downloader_win_curl_agent.yar
deleted file mode 100644
index ff25102..0000000
--- a/yara_rules/sekoiaio_downloader_win_curl_agent.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_downloader_win_curl_agent {
-    meta:
-        id = "ddeb2d8f-1b10-4a33-b768-d19412e8551a"
-        version = "1.0"
-        description = "Detect the downloader used by Bluenoroff to install it CurlAgent"
-        author = "Sekoia.io"
-        creation_date = "2023-05-02"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "%s\\marcoor.dll" wide
-        $ = "curl -A cur1-agent -L %s -s -d dl"
-        $ = "curl -A cur1-agent -L %s -s -d da"
-        $ = "cmd /c timeout /t 10 & rundll32 \"%s\" #1" wide
-        $ = "cmd /c timeout /t 10 & Del /f /q \"%s\" & attrib -s -h \"%s\" & rundll32 \"%s\" #1" wide
-        
-    condition:
-        3 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_downloader_win_donot.yar b/yara_rules/sekoiaio_downloader_win_donot.yar
deleted file mode 100644
index b2a8182..0000000
--- a/yara_rules/sekoiaio_downloader_win_donot.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_downloader_win_donot {
-    meta:
-        id = "31b153cc-a4b9-40a0-8bcb-ce1370645b4b"
-        version = "1.0"
-        description = "Detect the DoNot's downloader malware. There are big binaries in downloader strings."
-        author = "Sekoia.io"
-        creation_date = "2023-03-20"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        // start of binary, translated: bin(bin("cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "%s""))
-        $ = "001100000011000100110001001100000011000000110000001100010011000100110000001100010011000100110000001100010011000100110000001100010011"
-        // other binary strings
-        $ = "01010011011011110110011001110100011101110110000101110010011001010101110001001101011010010110001101110010011011110111001101101111011001100111010001011100010101110110100101101110011001000110111101110111011100110101110001000011011101010111001001110010011001010110111001110100010101100110010101110010011100110110100101101111011011100101110001010101011011100110100101101110011100110111010001100001011011000110110000000000"
-        $ = "0101110001110011011110010111001101110100011001010110110100110011001100100101110001110010011101010110111001100100011011000110110000110011001100100010111001100101011110000110010100000000"
-        
-    condition:
-        1 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_downloader_win_fake_tor_browser.yar b/yara_rules/sekoiaio_downloader_win_fake_tor_browser.yar
deleted file mode 100644
index d639cf5..0000000
--- a/yara_rules/sekoiaio_downloader_win_fake_tor_browser.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_downloader_win_fake_tor_browser {
-    meta:
-        id = "6b070ba6-490b-43c2-9a01-65812d829eeb"
-        version = "1.0"
-        description = "Detect fake TOR browser used to spy Chinese TOR users"
-        author = "Sekoia.io"
-        creation_date = "2022-10-05"
-        classification = "TLP:CLEAR"
-        reference = "https://securelist.com/onionpoison-infected-tor-browser-installer-youtube/107627/"
-        
-    condition:
-        for any i in (0..pe.number_of_sections-1) : (
-            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "7172f95f934574be95c0250fb42b8f51"
-        )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_downloader_win_newsterminal.yar b/yara_rules/sekoiaio_downloader_win_newsterminal.yar
deleted file mode 100644
index acd6696..0000000
--- a/yara_rules/sekoiaio_downloader_win_newsterminal.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_downloader_win_newsterminal {
-    meta:
-        id = "2f9aae45-e3bd-4d87-b336-5d141738952b"
-        version = "1.0"
-        description = "Detect the PowerShell based downloader used by APT42 called NEWSTERMINAL"
-        author = "Sekoia.io"
-        creation_date = "2024-08-26"
-        classification = "TLP:CLEAR"
-        hash = "2b756515400d7e3b6e21ee3a83f313c8"
-        
-    strings:
-        $ = "Start-Process -FilePath $takeownCommand -ArgumentList $takeownArgs -Wait -NoNewWindow"
-        $ = "function Download-And-Extract-Dll {"
-        // $icaclsArgs = $destinationFilePath, "/grant", "Administrators:F", "/c", "/q"
-        $ = {24 69 63 61 63 6C 73 41 72 67 73 20 3D 20 24 64 65 73 74 69 6E 61 74 69 6F 6E 46 69 6C 65 50 61 74 68 2C 20 22 2F 67 72 61 6E 74 22 2C 20 22 41 64 6D 69 6E 69 73 74 72 61 74 6F 72 73 3A 46 22 2C 20 22 2F 63 22 2C 20 22 2F 71 22}
-        $ = "$publicip=(iwr http://127.0.0.1:4040/api/tunnels"
-        
-    condition:
-        1 of them and filesize < 30KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_downloader_win_search.yar b/yara_rules/sekoiaio_downloader_win_search.yar
deleted file mode 100644
index 4b9f4bb..0000000
--- a/yara_rules/sekoiaio_downloader_win_search.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_downloader_win_search {
-    meta:
-        id = "8094ddda-6294-4dee-93cb-de79aaed1ec6"
-        version = "1.0"
-        description = "'Search.exe' script used by APT42"
-        author = "Sekoia.io"
-        creation_date = "2024-08-23"
-        classification = "TLP:CLEAR"
-        hash = "a29fa85ecfc0e5554c21f3b9db185de97b3504517403f4aa102adbd2c46dc1bf"
-        hash = "f83e2b3be2e6db20806a4b9b216edc7508fa81ce60bf59436d53d3ae435b6060"
-        
-    strings:
-        $ = "C:\\Users\\pc\\source\\repos\\Search\\Search\\obj\\Debug\\Search.pdb"
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_dropper_mac_lazarus_manuscrypt.yar b/yara_rules/sekoiaio_dropper_mac_lazarus_manuscrypt.yar
deleted file mode 100644
index 6d25f52..0000000
--- a/yara_rules/sekoiaio_dropper_mac_lazarus_manuscrypt.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_dropper_mac_lazarus_manuscrypt {
-    meta:
-        id = "6138bd0c-1fcf-4586-b2b6-29955c7d6266"
-        version = "1.0"
-        description = "MacOS Manuscrypt dropped by TraderTraitor"
-        author = "Sekoia.io"
-        creation_date = "2022-04-19"
-        classification = "TLP:CLEAR"
-        hash = "dced1acbbe11db2b9e7ae44a617f3c12d6613a8188f6a1ece0451e4cd4205156"
-        hash = "9d9dda39af17a37d92b429b68f4a8fc0a76e93ff1bd03f06258c51b73eb40efa"
-        
-    strings:
-        $ = "networksetup -getwebproxy '%s'" ascii
-        $ = "Cookie: _ga=%s%02d%d%d%02d%s" ascii
-        $ = "networksetup -listallnetworkservices" ascii
-        $ = "gid=%s%02d%d%03d%s" ascii
-        
-    condition:
-        uint32(0) == 0xFEEDFACF
-        and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_dropper_win_konni_cab.yar b/yara_rules/sekoiaio_dropper_win_konni_cab.yar
deleted file mode 100644
index 90be16c..0000000
--- a/yara_rules/sekoiaio_dropper_win_konni_cab.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_dropper_win_konni_cab {
-    meta:
-        id = "87a209d5-667a-4a81-837a-660ab98c33c8"
-        version = "1.0"
-        description = "Detect the CAB files used to drop the KONNI malware"
-        author = "Sekoia.io"
-        creation_date = "2023-09-26"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $magic = "MSCF"
-        $file2 = "check.bat"
-        $file3 = "wpnprv64.dll"
-        $file4 = "wpnprv32.dll"
-        
-    condition:
-        $magic at 0 and all of ($file*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_dropper_win_ninerat.yar b/yara_rules/sekoiaio_dropper_win_ninerat.yar
deleted file mode 100644
index 94530bf..0000000
--- a/yara_rules/sekoiaio_dropper_win_ninerat.yar
+++ /dev/null
@@ -1,42 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_dropper_win_ninerat {
-    meta:
-        id = "798e3bee-4cee-4647-abda-3c3dcc602f0a"
-        version = "1.0"
-        description = "NineRAT dropper"
-        author = "Sekoia.io"
-        creation_date = "2023-12-12"
-        classification = "TLP:CLEAR"
-        reference = "https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/"
-        hash1 = "534f5612954db99c86baa67ef51a3ad88bc21735bce7bb591afa8a4317c35433"
-        hash2 = "f91188d23b14526676706a5c9ead05c1a91ea0b9d6ac902623bc565e1c200a59"
-        
-    strings:
-        $ = "\\x64\\Release\\Dropper.pdb"
-        $ = "TelegramRat\\lastest\\Dropper"
-        
-    condition:
-        all of them
-
-        // Imphash
-        or pe.imphash() == "92b8e9dea06fd5719e29a510e95b92ac"
-        
-        // Rich Header
-        or hash.md5(pe.rich_signature.clear_data) == "ba1ea20fe779ef0b747e5073c0881a99"
-        
-        // Section
-        or for any i in (0..pe.number_of_sections-1) : (
-            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "c0471e0a78eef692b567cd89eeaddf08"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "965dc8b7c98325ca3d3371ced8424823"
-        )
-        
-        // Resources
-        or for any i in (0..pe.number_of_resources-1) : (
-            hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "bae1db350e313bf7bbd3b2178b20e6f6dd9b0331780099374edae5a99625bc5b"
-            or hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "1abb447513b4435837029933e722b6ed92222291571a8ce0a306c9f6a335aa19"
-            or hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "ffbcd5bbe6c02aa5c993886811d7597f020abd6665fc82af133c5756ab72fb0a"
-        )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_dropper_win_romcom_dropper.yar b/yara_rules/sekoiaio_dropper_win_romcom_dropper.yar
deleted file mode 100644
index 4b4ea04..0000000
--- a/yara_rules/sekoiaio_dropper_win_romcom_dropper.yar
+++ /dev/null
@@ -1,32 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_dropper_win_romcom_dropper {
-    meta:
-        id = "ca1b7114-5a83-4620-a9e2-8228df2be7b1"
-        version = "1.0"
-        description = "Detect the dropper of RomCom malware"
-        author = "Sekoia.io"
-        creation_date = "2022-11-04"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "regInjecttNew.dll"
-        
-    condition:
-        //Strings
-        uint16(0)==0x5A4D and all of them
-
-        //Imphash
-        or pe.imphash()=="643c3d5c721741ad5b90c98c48007038"
-
-        //Sections
-        or for any i in (0..pe.number_of_sections-1) : (
-            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "1c397f4ddafdcfd12bbc41cae45cdf9f"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "b71dc0007c685c790fb2542ddcf284f4"
-        )
-
-        //Vhash
-        or vhash=="175076655d155515655038z55?z1"
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_dropper_win_selfau3.yar b/yara_rules/sekoiaio_dropper_win_selfau3.yar
deleted file mode 100644
index a0cbb1e..0000000
--- a/yara_rules/sekoiaio_dropper_win_selfau3.yar
+++ /dev/null
@@ -1,25 +0,0 @@
-rule sekoiaio_dropper_win_selfau3 {
-    meta:
-        id = "2d005a54-b013-40e9-b88a-30454e4b22af"
-        version = "1.0"
-        description = "Finds SelfAU3 Dropper samples based on specific strings"
-        author = "Sekoia.io"
-        creation_date = "2024-02-12"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $sfx = "!Require Windows" ascii
-        
-        $ins01 = ";!@Install@!UTF-8!" ascii
-        $set =  {53 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 3d 22 [1-15] 3d ?? 22} //SetEnvironment="??..?=?"
-        $run = "RunProgram=\"hidcon:c" ascii
-        $ins02 = ";!@InstallEnd@!" ascii
-        
-    condition:
-        $sfx at 77 and
-        $set in (@ins01..@ins01+500) and
-        #set > 5 and
-        $run in (@set..@set+1000) and
-        $ins02 in (@run..@run+500)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_emmenhtal_strings_hta_exe.yar b/yara_rules/sekoiaio_emmenhtal_strings_hta_exe.yar
deleted file mode 100644
index b72700e..0000000
--- a/yara_rules/sekoiaio_emmenhtal_strings_hta_exe.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_emmenhtal_strings_hta_exe {
-    meta:
-        id = "64e08610-e8a4-4edd-8f6b-d4e8d2b47d87"
-        version = "1.0"
-        description = "Emmenhtal Loader string"
-        author = "Sekoia.io"
-        creation_date = "2024-09-06"
-        classification = "TLP:CLEAR"
-        hash = "e86a22f1c73b85678e64341427c7193ba65903f3c0f29af2e65d7c56d833d912"
-        
-    strings:
-        $char = / = String\.fromCharCode\([a-zA-Z]{2,4},[a-zA-Z]{2,4},/
-        $var = "var "
-        $eval = "eval("
-        $script1 = "<script>"
-        $script2 = "</script>MZ"
-        //$hta = "<HTA:APPLICATION CAPTION = \"no\" WINDOWSTATE = \"minimize\" SHOWINTASKBAR = \"no\" >"  NOT IN ALL SAMPLES
-        
-    condition:
-        uint16be(0) == 0x4d5a and all of them and $var in (@script1..@script1+2000) and $char in (@var..@var+100)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_evilnumpayload_fmtstr.yar b/yara_rules/sekoiaio_evilnumpayload_fmtstr.yar
deleted file mode 100644
index 0b3f3fb..0000000
--- a/yara_rules/sekoiaio_evilnumpayload_fmtstr.yar
+++ /dev/null
@@ -1,29 +0,0 @@
-rule sekoiaio_evilnumpayload_fmtstr {
-    meta:
-        id = "980c58e4-e04d-4076-a92e-2c04ced19ece"
-        version = "1.1"
-        description = "Detect payload of EvilNum"
-        author = "Sekoia.io"
-        creation_date = "2022-07-25"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        
-        $fmtstr01 = "{\"v\":\"" ascii wide
-        $fmtstr02 = ",\"u\":\"" ascii wide
-        $fmtstr03 = ",\"a\":\"" ascii wide
-        $fmtstr04 = ",\"w\":\"" ascii wide
-        $fmtstr05 = ",\"d\":\"" ascii wide
-        $fmtstr06 = ",\"n\":\"" ascii wide
-        $fmtstr07 = ",\"r\":\"1\"" ascii wide
-        $fmtstr08 = ",\"r\":\"0\"" ascii wide
-        $fmtstr09 = ",\"xn\":\"" ascii wide
-        $fmtstr10 = ",\"s\":0}" ascii wide
-        $fmtstr11 = "{\"u\":\"" ascii wide
-        $fmtstr12 = "\",\"sc\":1" ascii wide
-        $fmtstr13 = ",\"dt\":\"" ascii wide
-        
-    condition:
-        8 of ($fmtstr*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_exploit_cve20191458_strings.yar b/yara_rules/sekoiaio_exploit_cve20191458_strings.yar
deleted file mode 100644
index e57a9b1..0000000
--- a/yara_rules/sekoiaio_exploit_cve20191458_strings.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_exploit_cve20191458_strings {
-    meta:
-        id = "0be4a550-0f0a-4596-ab32-aafaececf919"
-        version = "1.0"
-        description = "Detects compiled exploit for CVE-2019-1458 (Generic)"
-        author = "Sekoia.io"
-        creation_date = "2022-08-29"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "[-] Failed to create SploitWnd window"
-        $ = "[+] ProcessCreated with pid %d!"
-        $ = "[!] Exploit fail, test:0x%p,tagWND:0x%p, error:0x%lx"
-        $ = "[*] tagWND: 0x%p, tagCLS:0x%p, gap:0x%llx"
-        $ = "[*] Simulating alt key press"
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 200KB and
-        3 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_exploit_ez_pwnkit_strings.yar b/yara_rules/sekoiaio_exploit_ez_pwnkit_strings.yar
deleted file mode 100644
index eb404e7..0000000
--- a/yara_rules/sekoiaio_exploit_ez_pwnkit_strings.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_exploit_ez_pwnkit_strings {
-    meta:
-        id = "24301f35-8174-4e0d-b14a-fc7e45a29b26"
-        version = "1.0"
-        description = "Detects ez-pwnkit exploit"
-        author = "Sekoia.io"
-        creation_date = "2024-01-22"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "go.buildid"
-        $s2 = "github.com/OXDBXKXO/ez-pwnkit"
-        
-    condition:
-        uint32be(0) == 0x7f454c46 and
-        filesize < 5MB and
-        $s1 and #s2 > 5
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_exploit_linux_eop_cve20177308_strings.yar b/yara_rules/sekoiaio_exploit_linux_eop_cve20177308_strings.yar
deleted file mode 100644
index f24a3f2..0000000
--- a/yara_rules/sekoiaio_exploit_linux_eop_cve20177308_strings.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_exploit_linux_eop_cve20177308_strings {
-    meta:
-        id = "72d225dd-386c-47d5-afb3-c6712c0bdd9a"
-        version = "1.0"
-        description = "Detects CVE-2017-7308 exploit"
-        author = "Sekoia.io"
-        creation_date = "2023-12-08"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "[.] SMEP & SMAP bypass enabled, turning them off"
-        $ = "[.] done, SMEP & SMAP should be off now"
-        $ = "[.] executing get root payload %p"
-        $ = "[.] done, should be root now"
-        
-    condition:
-        uint32be(0) == 0x7f454c46 and filesize < 1MB and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_exploit_linux_eop_cve202121974_exploit_strings.yar b/yara_rules/sekoiaio_exploit_linux_eop_cve202121974_exploit_strings.yar
deleted file mode 100644
index d452c86..0000000
--- a/yara_rules/sekoiaio_exploit_linux_eop_cve202121974_exploit_strings.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_exploit_linux_eop_cve202121974_exploit_strings {
-    meta:
-        id = "8e1fbbe5-7d51-48b4-80d5-90abff8cab9e"
-        version = "1.0"
-        description = "Detects CVE-2021-21974 Local Privesc exploit"
-        author = "Sekoia.io"
-        creation_date = "2023-12-08"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = ".name.replace('Thread','SLP Client'"
-        $ = "print('[' + name + '] recv: ', d)"
-        $ = "requests[28].put(connect())"
-        $ = "[+] stack enviorn address:"
-        
-    condition:
-        uint32be(0) == 0x7f454c46 and filesize < 1MB and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_exploit_linux_eop_dirtyc0w_strings.yar b/yara_rules/sekoiaio_exploit_linux_eop_dirtyc0w_strings.yar
deleted file mode 100644
index 310abe6..0000000
--- a/yara_rules/sekoiaio_exploit_linux_eop_dirtyc0w_strings.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_exploit_linux_eop_dirtyc0w_strings {
-    meta:
-        id = "f0551e56-b08f-4f6f-81df-f30fbb8ee7b8"
-        version = "1.0"
-        description = "Detects DirtyCow exploit"
-        author = "Sekoia.io"
-        creation_date = "2023-12-08"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "DirtyCow root privilege escalation"
-        $ = "Backing up %s to /tmp/bak"
-        $ = "(o o)_____/"
-        
-    condition:
-        uint32be(0) == 0x7f454c46 and filesize < 1MB and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_exploit_linux_eop_dirtypipe_strings.yar b/yara_rules/sekoiaio_exploit_linux_eop_dirtypipe_strings.yar
deleted file mode 100644
index bcdf52f..0000000
--- a/yara_rules/sekoiaio_exploit_linux_eop_dirtypipe_strings.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_exploit_linux_eop_dirtypipe_strings {
-    meta:
-        id = "712d8a01-576e-4f43-a930-63dcdc535d93"
-        version = "1.0"
-        description = "Detects DirtyPipe Local Privesc exploit"
-        author = "Sekoia.io"
-        creation_date = "2023-12-08"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "[+] hijacking suid binary.."
-        $ = "[+] dropping suid shell.."
-        $ = "[+] restoring suid binary.."
-        $ = "[+] popping root shell.."
-        
-    condition:
-        uint32be(0) == 0x7f454c46 and filesize < 1MB and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_exploit_linux_eop_polkit_pkexec_strings.yar b/yara_rules/sekoiaio_exploit_linux_eop_polkit_pkexec_strings.yar
deleted file mode 100644
index aaa972e..0000000
--- a/yara_rules/sekoiaio_exploit_linux_eop_polkit_pkexec_strings.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_exploit_linux_eop_polkit_pkexec_strings {
-    meta:
-        id = "de45c29e-432a-4e4f-b700-a016341d56d2"
-        version = "1.0"
-        description = "Detects Polkit Local Privesc exploit"
-        author = "Sekoia.io"
-        creation_date = "2023-12-08"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "[.] Spawning suid process (%s) ..."
-        $ = "[.] Tracing midpid ..."
-        $ = "PTRACE_TRACEME local root (CVE-2019-13272)"
-        
-    condition:
-        uint32be(0) == 0x7f454c46 and filesize < 1MB and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_exploit_linux_eop_pwnkit_strings.yar b/yara_rules/sekoiaio_exploit_linux_eop_pwnkit_strings.yar
deleted file mode 100644
index b39f20f..0000000
--- a/yara_rules/sekoiaio_exploit_linux_eop_pwnkit_strings.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_exploit_linux_eop_pwnkit_strings {
-    meta:
-        id = "8637c602-62da-4983-bcb7-ba546fb2ed82"
-        version = "1.0"
-        description = "Detects Pwnkit Local Privesc exploit"
-        author = "Sekoia.io"
-        creation_date = "2023-12-08"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "CHARSET=PWNKIT"
-        $ = "i/do/not/exists"
-        $ = "pwnkit/pwnkit.c"
-        $ = "/usr/bin/pkexec"
-        $ = "SHELL=pwnkit"
-        $ = "pwnkit.so"
-        $ = "./pwnkit/"
-        
-    condition:
-        uint32be(0) == 0x7f454c46 and filesize < 1MB and 2 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_exploit_linux_eop_rationallove_strings.yar b/yara_rules/sekoiaio_exploit_linux_eop_rationallove_strings.yar
deleted file mode 100644
index 2fd1c24..0000000
--- a/yara_rules/sekoiaio_exploit_linux_eop_rationallove_strings.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_exploit_linux_eop_rationallove_strings {
-    meta:
-        id = "e71e026e-ca2c-42b7-b552-b3fd013676db"
-        version = "1.0"
-        description = "Detects RationalLove Local Privesc exploit"
-        author = "Sekoia.io"
-        creation_date = "2023-12-08"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "../x/../../AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/"
-        $ = "Detected OS version: %s"
-        $ = "Content-Type: text/plain; charset=UTF-8"
-        
-    condition:
-        uint32be(0) == 0x7f454c46 and filesize < 1MB and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_exploit_linux_eop_ubuntu_overlayfs_local_privesc_strings.yar b/yara_rules/sekoiaio_exploit_linux_eop_ubuntu_overlayfs_local_privesc_strings.yar
deleted file mode 100644
index 0ac5ed2..0000000
--- a/yara_rules/sekoiaio_exploit_linux_eop_ubuntu_overlayfs_local_privesc_strings.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_exploit_linux_eop_ubuntu_overlayfs_local_privesc_strings {
-    meta:
-        id = "5e0e73f5-4cb3-4a79-adac-578b17ed7660"
-        version = "1.0"
-        description = "Detects Ubuntu OverlayFS Local Privesc exploit"
-        author = "Sekoia.io"
-        creation_date = "2023-12-08"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "./ovlcap"
-        $ = "rm -rf '%s/'"
-        $ = "./ovlcap/work"
-        $ = "./ovlcap/lower"
-        $ = "./ovlcap/upper"
-        $ = "./ovlcap/merge"
-        
-    condition:
-        uint32be(0) == 0x7f454c46 and filesize < 1MB and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_exploit_win_cloudatlas_cve_2018_0798.yar b/yara_rules/sekoiaio_exploit_win_cloudatlas_cve_2018_0798.yar
deleted file mode 100644
index a89d3d1..0000000
--- a/yara_rules/sekoiaio_exploit_win_cloudatlas_cve_2018_0798.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_exploit_win_cloudatlas_cve_2018_0798 {
-    meta:
-        id = "fcff4bc7-fe88-4546-bb5b-f2a1c2f8b0a5"
-        version = "1.0"
-        description = "Detect RTF files used by CloudAtlas to exploit CVE-2018-0798"
-        author = "Sekoia.io"
-        creation_date = "2022-11-15"
-        classification = "TLP:CLEAR"
-        hash1 = "c2064c7f4826c46bc609c472597366fd"
-        hash2 = "e2281402c63d4b544b81678250d24e61"
-        hash3 = "a97fa135d7e42886bcfdacca0d96c047"
-        
-    strings:
-        $ = "6060606061616161616161616161616161616161" ascii nocase
-        $ = "FB0B00004bE8FFFFFFFFC35F83C71B33C966B908" ascii nocase
-        $ = "010f0d00ddd8d97424f4668137" ascii nocase
-        
-    condition:
-        uint32be(0) == 0x7b5c7274 and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_gen_empire_onedrive_stager.yar b/yara_rules/sekoiaio_gen_empire_onedrive_stager.yar
deleted file mode 100644
index 8dc2a87..0000000
--- a/yara_rules/sekoiaio_gen_empire_onedrive_stager.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule sekoiaio_gen_empire_onedrive_stager {
-    meta:
-        id = "2053416f-1f53-491e-9c70-787a04362d16"
-        version = "1.0"
-        description = "Detects the Empire OneDrive stager"
-        author = "Sekoia.io"
-        creation_date = "2022-01-26"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $sleep = "Start-Sleep -Seconds $(($PI -as [Int])*2)" wide ascii nocase
-        $down  = "wc.DownloadData" wide ascii nocase
-        
-    condition:
-        $down in (@sleep..@sleep+1000)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_generic_bat_script_mock_http_services.yar b/yara_rules/sekoiaio_generic_bat_script_mock_http_services.yar
deleted file mode 100644
index 21565cf..0000000
--- a/yara_rules/sekoiaio_generic_bat_script_mock_http_services.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule sekoiaio_generic_bat_script_mock_http_services {
-    meta:
-        id = "1cfbe5ba-6304-476d-8308-928100a85c16"
-        version = "1.0"
-        description = "Generic rule detecting BAT script using mock HTTP services (used by APT28)"
-        author = "Sekoia.io"
-        creation_date = "2023-09-07"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $bat1 = "@echo off"
-        $bat2 = "chcp 65001"
-        $ps1 = "WebClient"
-        $ps2 = "UploadString"
-        $dom1 = "mockbin.org"
-        $dom2 = "webhook.site"
-        $dom3 = "mocky.io"
-        $dom4 = "pipedream.com"
-        
-    condition:
-        (1 of ($bat*) or 1 of ($ps*) ) and 1 of ($dom*)
-        and filesize < 2000
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_generic_perl_reverse_shell.yar b/yara_rules/sekoiaio_generic_perl_reverse_shell.yar
deleted file mode 100644
index 57da06c..0000000
--- a/yara_rules/sekoiaio_generic_perl_reverse_shell.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_generic_perl_reverse_shell {
-    meta:
-        id = "4eb2ef0d-3ada-4566-bd82-8c75d6931acc"
-        version = "1.0"
-        description = "Detects simple reverse shell written in Perl"
-        author = "Sekoia.io"
-        creation_date = "2023-12-08"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "open(STDIN,\">&S\");"
-        $ = "open(STDERR,\">&S\");"
-        $ = "use Socket;$i="
-        
-    condition:
-        filesize < 300 and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_generic_php_webshell.yar b/yara_rules/sekoiaio_generic_php_webshell.yar
deleted file mode 100644
index d102d5f..0000000
--- a/yara_rules/sekoiaio_generic_php_webshell.yar
+++ /dev/null
@@ -1,16 +0,0 @@
-rule sekoiaio_generic_php_webshell {
-    meta:
-        id = "415a96bd-11a4-40e7-8335-ac1f1a99d17c"
-        version = "1.0"
-        description = "Detects generic webshell"
-        author = "Sekoia.io"
-        creation_date = "2023-12-08"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "system($_POST['a']);"
-        
-    condition:
-        all of them and filesize < 500
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_generic_python_reverse_shell.yar b/yara_rules/sekoiaio_generic_python_reverse_shell.yar
deleted file mode 100644
index 4640b15..0000000
--- a/yara_rules/sekoiaio_generic_python_reverse_shell.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_generic_python_reverse_shell {
-    meta:
-        id = "ab25f8db-e39d-4aa4-b431-cf5cd2e038e5"
-        version = "1.0"
-        description = "Detects simple reverse shell written in Python"
-        author = "Sekoia.io"
-        creation_date = "2023-12-08"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "import pty"
-        $ = "lhost ="
-        $ = "os.dup2(s.fileno(),0)"
-        $ = "os.putenv(\"HISTFILE\",'/dev/null')"
-        
-    condition:
-        filesize < 1KB and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_generic_sharpshooter_payload_1.yar b/yara_rules/sekoiaio_generic_sharpshooter_payload_1.yar
deleted file mode 100644
index a305976..0000000
--- a/yara_rules/sekoiaio_generic_sharpshooter_payload_1.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_generic_sharpshooter_payload_1 {
-    meta:
-        id = "82fd284a-47c2-4d29-9c80-f3affaa61a13"
-        version = "1.0"
-        description = "Detects payload created by SharpShooter"
-        author = "Sekoia.io"
-        creation_date = "2023-02-03"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "rc4 = function(key, str)"
-        $ = "var e={},i,b=0,c,x,l=0,a,r="
-        $ = "var plain = rc4("
-        $ = "<script language="
-        
-    condition:
-        all of them and filesize < 2MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_generic_sharpshooter_payload_10.yar b/yara_rules/sekoiaio_generic_sharpshooter_payload_10.yar
deleted file mode 100644
index c67f28e..0000000
--- a/yara_rules/sekoiaio_generic_sharpshooter_payload_10.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_generic_sharpshooter_payload_10 {
-    meta:
-        id = "477f8b92-e231-460c-8660-487d0a97f0e2"
-        version = "1.0"
-        description = "Detects payload created by SharpShooter"
-        author = "Sekoia.io"
-        creation_date = "2023-02-03"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "length = enc.GetByteCount_2(b);"
-        $ = "ms.Write(ba, 0, (length / 4) * 3);"
-        $ = "d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class);"
-        
-    condition:
-        all of them and filesize < 2MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_generic_sharpshooter_payload_11.yar b/yara_rules/sekoiaio_generic_sharpshooter_payload_11.yar
deleted file mode 100644
index b9c07d4..0000000
--- a/yara_rules/sekoiaio_generic_sharpshooter_payload_11.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_generic_sharpshooter_payload_11 {
-    meta:
-        id = "703d2eb2-c9fd-4891-ba95-f94a8313618e"
-        version = "1.0"
-        description = "Detects payload created by SharpShooter"
-        author = "Sekoia.io"
-        creation_date = "2023-02-03"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "decodeHex = EL.NodeTypedValue"
-        $ = "Private Function decodeHex(hex)"
-        $ = "serialized_obj = serialized_obj & "
-        $ = "d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class)"
-        
-    condition:
-        all of them and filesize < 2MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_generic_sharpshooter_payload_12.yar b/yara_rules/sekoiaio_generic_sharpshooter_payload_12.yar
deleted file mode 100644
index 28518bb..0000000
--- a/yara_rules/sekoiaio_generic_sharpshooter_payload_12.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_generic_sharpshooter_payload_12 {
-    meta:
-        id = "b69186cf-9825-4d90-be20-7caa9e7de61f"
-        version = "1.0"
-        description = "Detects payload created by SharpShooter"
-        author = "Sekoia.io"
-        creation_date = "2023-02-03"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "ms.Write(ba, 0, (length / 4) * 3);"
-        $ = "var serialized_obj = "
-        $ = "d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class);"
-        $ = "var sc ="
-        
-    condition:
-        all of them and filesize < 2MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_generic_sharpshooter_payload_13.yar b/yara_rules/sekoiaio_generic_sharpshooter_payload_13.yar
deleted file mode 100644
index 6f8ccd6..0000000
--- a/yara_rules/sekoiaio_generic_sharpshooter_payload_13.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_generic_sharpshooter_payload_13 {
-    meta:
-        id = "2d61d7b8-5348-4cc8-9d41-61799b573e3b"
-        version = "1.0"
-        description = "Detects payload created by SharpShooter"
-        author = "Sekoia.io"
-        creation_date = "2023-02-03"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "Private Function decodeHex(hex)"
-        $ = "EL.Text = hex "
-        $ = "serialized_obj = serialized_obj & "
-        $ = "d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class)"
-        
-    condition:
-        all of them and filesize < 2MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_generic_sharpshooter_payload_2.yar b/yara_rules/sekoiaio_generic_sharpshooter_payload_2.yar
deleted file mode 100644
index 4e0556c..0000000
--- a/yara_rules/sekoiaio_generic_sharpshooter_payload_2.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_generic_sharpshooter_payload_2 {
-    meta:
-        id = "02bc795f-b8e0-44d4-b475-310359867577"
-        version = "1.0"
-        description = "Detects payload created by SharpShooter"
-        author = "Sekoia.io"
-        creation_date = "2023-02-03"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "var e={},i,b=0,c,x,l=0,a,r="
-        $ = "eval(plain);"
-        $ = "var plain = rc4("
-        
-    condition:
-        all of them and filesize < 2MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_generic_sharpshooter_payload_3.yar b/yara_rules/sekoiaio_generic_sharpshooter_payload_3.yar
deleted file mode 100644
index 493238c..0000000
--- a/yara_rules/sekoiaio_generic_sharpshooter_payload_3.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_generic_sharpshooter_payload_3 {
-    meta:
-        id = "57b3ca9a-59c5-4b28-8eb9-36ff5b3633c2"
-        version = "1.0"
-        description = "Detects payload created by SharpShooter"
-        author = "Sekoia.io"
-        creation_date = "2023-02-03"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "Function RC4(byteMessage, strKey)"
-        $ = "Sub Run()"
-        $ = "plain = RC4(decoded, "
-        $ = "Dim plain"
-        
-    condition:
-        all of them and filesize < 2MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_generic_sharpshooter_payload_4.yar b/yara_rules/sekoiaio_generic_sharpshooter_payload_4.yar
deleted file mode 100644
index 3477888..0000000
--- a/yara_rules/sekoiaio_generic_sharpshooter_payload_4.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_generic_sharpshooter_payload_4 {
-    meta:
-        id = "b8327436-3f3d-441c-86b7-35cd30144dc2"
-        version = "1.0"
-        description = "Detects payload created by SharpShooter"
-        author = "Sekoia.io"
-        creation_date = "2023-02-03"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "Function RC4(byteMessage, strKey)"
-        $ = "Set EL = DM.createElement("
-        $ = "decodeBase64 = EL.NodeTypedValue"
-        $ = "Execute plain"
-        
-    condition:
-        all of them and filesize < 2MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_generic_sharpshooter_payload_5.yar b/yara_rules/sekoiaio_generic_sharpshooter_payload_5.yar
deleted file mode 100644
index 147f803..0000000
--- a/yara_rules/sekoiaio_generic_sharpshooter_payload_5.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_generic_sharpshooter_payload_5 {
-    meta:
-        id = "cb4d266e-f2b7-4642-a223-57180e66a9a6"
-        version = "1.0"
-        description = "Detects payload created by SharpShooter"
-        author = "Sekoia.io"
-        creation_date = "2023-02-03"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "rc4 = function(key, str)"
-        $ = "<job id=\"JS Code\""
-        $ = "var e={},i,b=0,c,x,l=0,a,r="
-        $ = "var plain = rc4("
-        $ = "eval(plain);"
-        
-    condition:
-        all of them and filesize < 2MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_generic_sharpshooter_payload_6.yar b/yara_rules/sekoiaio_generic_sharpshooter_payload_6.yar
deleted file mode 100644
index f9b46c7..0000000
--- a/yara_rules/sekoiaio_generic_sharpshooter_payload_6.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_generic_sharpshooter_payload_6 {
-    meta:
-        id = "53506a3e-b0d8-4a1e-88d9-485e829f25cb"
-        version = "1.0"
-        description = "Detects payload created by SharpShooter"
-        author = "Sekoia.io"
-        creation_date = "2023-02-03"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "function ${rc4Function}(r,o){for("
-        $ = "function ${b64AndRC4Function}(r,o){var"
-        $ = "Real-Time Scanning: No threats detected"
-        $ = "Please wait while your file is being downloaded..."
-        
-    condition:
-        3 of them and filesize < 2MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_generic_sharpshooter_payload_7.yar b/yara_rules/sekoiaio_generic_sharpshooter_payload_7.yar
deleted file mode 100644
index cd1555f..0000000
--- a/yara_rules/sekoiaio_generic_sharpshooter_payload_7.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_generic_sharpshooter_payload_7 {
-    meta:
-        id = "de8069bb-59d7-4753-974a-f77c4b9e9bae"
-        version = "1.0"
-        description = "Detects payload created by SharpShooter"
-        author = "Sekoia.io"
-        creation_date = "2023-02-03"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "ms.Write(ba, 0, (length / 4) * 3)"
-        $ = "var serialized_obj = "
-        $ = "var n = fmt.SurrogateSelector;"
-        $ = "var o = d.DynamicInvoke(al.ToArray())"
-        
-    condition:
-        all of them and filesize < 2MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_generic_sharpshooter_payload_8.yar b/yara_rules/sekoiaio_generic_sharpshooter_payload_8.yar
deleted file mode 100644
index 4058efe..0000000
--- a/yara_rules/sekoiaio_generic_sharpshooter_payload_8.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_generic_sharpshooter_payload_8 {
-    meta:
-        id = "e28a1cd3-f7b6-4a55-8229-484e0bbeb7cb"
-        version = "1.0"
-        description = "Detects payload created by SharpShooter"
-        author = "Sekoia.io"
-        creation_date = "2023-02-03"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "Private Function decodeHex(hex)"
-        $ = "Dim serialized_obj"
-        $ = "decodeHex = EL.NodeTypedValue"
-        $ = "d.DynamicInvoke(al.ToArray()).CreateInstance(entry_class)"
-        
-    condition:
-        all of them and filesize < 2MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_generic_sharpshooter_payload_9.yar b/yara_rules/sekoiaio_generic_sharpshooter_payload_9.yar
deleted file mode 100644
index 59b47e1..0000000
--- a/yara_rules/sekoiaio_generic_sharpshooter_payload_9.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_generic_sharpshooter_payload_9 {
-    meta:
-        id = "e4283d6e-d829-4f21-ba60-9e6232519e54"
-        version = "1.0"
-        description = "Detects payload created by SharpShooter"
-        author = "Sekoia.io"
-        creation_date = "2023-02-03"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "shell.Environment(\"Process\").Item(\"COMPLUS_Version\")"
-        $ = "(enc.GetBytes_4(b), 0, length), 0, ((length / 4) * 3)"
-        $ = "DebugPrint Err.Description"
-        
-    condition:
-        all of them and filesize < 2MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_generic_tor_hidden_service_leading_to_winports.yar b/yara_rules/sekoiaio_generic_tor_hidden_service_leading_to_winports.yar
deleted file mode 100644
index 743363c..0000000
--- a/yara_rules/sekoiaio_generic_tor_hidden_service_leading_to_winports.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_generic_tor_hidden_service_leading_to_winports {
-    meta:
-        id = "1e5c469b-f721-44af-87b3-1adf423719c1"
-        version = "1.0"
-        description = "Detects malicious TOR redirection affecting RDP, NetBios"
-        author = "Sekoia.io"
-        creation_date = "2023-09-07"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "HiddenServiceDir "
-        $s2 = "SocksPort "
-        $s3 = "HiddenServicePort "
-        $s4 = ":3389"
-        $s5 = ":445"
-        
-    condition:
-        $s1 and $s2 
-        and ($s4 in (@s3..@s3+100) or $s5 in (@s3..@s3+100))
-        and filesize < 2000
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_guerrilla_lemongroup.yar b/yara_rules/sekoiaio_guerrilla_lemongroup.yar
deleted file mode 100644
index e06904e..0000000
--- a/yara_rules/sekoiaio_guerrilla_lemongroup.yar
+++ /dev/null
@@ -1,29 +0,0 @@
-rule sekoiaio_guerrilla_lemongroup {
-    meta:
-        id = "df635b5a-a19a-48ab-9a3a-9723e265c71d"
-        version = "1.0"
-        author = "Sekoia.io"
-        creation_date = "2023-05-23"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $dex = { 64 65 78 0A 30 33 ?? 00 }
-        $odex = { 64 65 79 0A 30 33 ?? 00 }
-        
-        $s2 = "data response code===" ascii
-        $s3 = "httpCon:" ascii
-        $s4 = "processName :" ascii
-        $s5 = "startListTasks......" ascii
-        $s6 = "url==" ascii
-        $s7 = "java core run ZYGOTE_PROCESS" ascii
-        
-        $api1 = "/api.php" ascii
-        $api2 = "/event.php" ascii
-        $api3 = "/apiRS.php" ascii
-        
-    condition:
-        ($dex at 0 or $odex at 0) and
-        filesize > 100KB and filesize < 5MB and
-        5 of ($s*) and 1 of ($api*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_guloader_lnk_file.yar b/yara_rules/sekoiaio_guloader_lnk_file.yar
deleted file mode 100644
index 54c6c1e..0000000
--- a/yara_rules/sekoiaio_guloader_lnk_file.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_guloader_lnk_file {
-    meta:
-        id = "ecc07753-0910-445b-bf84-911b17195894"
-        version = "1.0"
-        description = "LNK file delivering Guloader"
-        author = "Sekoia.io"
-        creation_date = "2024-02-07"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "$PSHOME" wide
-        $s2= "&(${" wide
-        $s3 = "}::ToString(" wide
-        $s4 = "$([TYPE]${" wide
-        
-    condition:
-        uint32be(0) == 0x4c000000 and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_guloader_powershell_1.yar b/yara_rules/sekoiaio_guloader_powershell_1.yar
deleted file mode 100644
index fad647b..0000000
--- a/yara_rules/sekoiaio_guloader_powershell_1.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_guloader_powershell_1 {
-    meta:
-        id = "28c68991-db8b-4f00-b3a3-17286418a4ed"
-        version = "1.0"
-        description = "Powershell downloading decoy and delivering GuLoader"
-        author = "Sekoia.io"
-        creation_date = "2024-02-07"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "powershell -win hidden"
-        $s2 = "=iex($"
-        $s3 = ".Replace('"
-        $s4 = "$(Get-ChildItem -Include *.lnk -Name));"
-        
-    condition:
-        all of them and filesize < 10KB and #s3 > 3
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_guloader_unpacker.yar b/yara_rules/sekoiaio_guloader_unpacker.yar
deleted file mode 100644
index b7f68f8..0000000
--- a/yara_rules/sekoiaio_guloader_unpacker.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_guloader_unpacker {
-    meta:
-        id = "dee4cad4-e3b4-4a12-860b-ff750b119fa8"
-        version = "1.0"
-        description = "GuLoader Unpacker"
-        author = "Sekoia.io"
-        creation_date = "2024-02-07"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $p1 = "([Parameter(Position = 0)] [Type[]] $" base64
-        $p2 = "+=2){" base64
-        $p3 = "}else {" base64
-        
-    condition:
-        $p1 in (filesize-30000..filesize) and
-        $p2 in (filesize-30000..filesize) and
-        $p3 in (filesize-30000..filesize) and
-        filesize > 300KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_guloader_unpacker_decoded.yar b/yara_rules/sekoiaio_guloader_unpacker_decoded.yar
deleted file mode 100644
index 50e0760..0000000
--- a/yara_rules/sekoiaio_guloader_unpacker_decoded.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_guloader_unpacker_decoded {
-    meta:
-        id = "ca3f4fce-b3a1-4672-a2ca-29ea347eb23d"
-        version = "1.0"
-        description = "GuLoader Unpacker b64 decoded"
-        author = "Sekoia.io"
-        creation_date = "2024-02-07"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $jumps = {71 01 9b 71 01 9b}
-        $s1 = "([String]$"
-        $s2 = "For($"
-        $s3 = ",[Parameter(Position = 1)] [Type] $"
-        
-    condition:
-        filesize < 500KB and @jumps < 1000 and 2 of ($s*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_guloader_vbscript.yar b/yara_rules/sekoiaio_guloader_vbscript.yar
deleted file mode 100644
index a43bdb9..0000000
--- a/yara_rules/sekoiaio_guloader_vbscript.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_guloader_vbscript {
-    meta:
-        id = "3472e403-b1e6-4fdf-9770-af42d505b556"
-        version = "1.0"
-        description = "visual basic script delivering GuLoader"
-        author = "Sekoia.io"
-        creation_date = "2024-02-07"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = " = CreateObject(\"WScript.Shell\")"
-        $s2 = " = Join("
-        $s3 = ",vbnullstring)"
-        
-    condition:
-        filesize < 20KB and all of them and #s1 > 1 and @s3-@s2 < 16
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_hacktool_credentialkatz.yar b/yara_rules/sekoiaio_hacktool_credentialkatz.yar
deleted file mode 100644
index a9395a6..0000000
--- a/yara_rules/sekoiaio_hacktool_credentialkatz.yar
+++ /dev/null
@@ -1,35 +0,0 @@
-rule sekoiaio_hacktool_credentialkatz {
-    meta:
-        id = "4795d131-2625-40ca-bca6-02aac5030b55"
-        version = "1.0"
-        description = "Finds ChromeKatz (CredentialKatz version) standalone samples based on the strings"
-        author = "Sekoia.io"
-        reference = "https://github.com/Meckazin/ChromeKatz"
-        creation_date = "2024-10-30"
-        classification = "TLP:CLEAR"
-        hash = "2762e066128e186526c5ff272fc9184c0262d81d8c513e6515c25c189418931c"
-        
-    strings:
-        $str01 = "Don't use your cat's name as a password!" ascii
-        $str02 = "[-] Failed to parse command line argument /pid!" ascii
-        $str03 = "[*] Targeting process: %ls on PID: %lu" ascii
-        $str04 = "CredentialStore: NotSet" ascii
-        $str05 = "CredentialStore: AccountStore" ascii
-        $str06 = "CredentialStore: ProfileStore" ascii
-        $str07 = "[*] Number of available credentials: %zu" ascii
-        $str08 = "[+] Found browser process: %d" ascii
-        $str09 = "Failed to read credential struct" wide
-        $str10 = "Error reading right node" wide
-        $str11 = "Failed to read the root node from given address" wide
-        $str12 = "Error reading first node" wide
-        $str13 = "chrome.dll" wide
-        $str14 = "    Domain:" ascii
-        $str15 = "    Password:" ascii
-        $str16 = "Found %ls main process PID: %lu" ascii
-        $str17 = "---------------" ascii
-        $str18 = "CredentialKatz" ascii wide
-        
-    condition:
-        uint16(0)==0x5A4D and 5 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_hacktool_defendercontrol_strings.yar b/yara_rules/sekoiaio_hacktool_defendercontrol_strings.yar
deleted file mode 100644
index 8aceea4..0000000
--- a/yara_rules/sekoiaio_hacktool_defendercontrol_strings.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_hacktool_defendercontrol_strings {
-    meta:
-        id = "c6587a46-5f9b-4bf0-9231-9d2505293557"
-        version = "1.0"
-        description = "Detects DefenderControl based on strings"
-        author = "Sekoia.io"
-        creation_date = "2022-03-08"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "www.sordum.org All Rights Reserved." wide
-        $ = "dControl.exe" wide
-        $ = "By BlueLife" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 600KB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_hacktool_dnscat2_strings.yar b/yara_rules/sekoiaio_hacktool_dnscat2_strings.yar
deleted file mode 100644
index 9171bbf..0000000
--- a/yara_rules/sekoiaio_hacktool_dnscat2_strings.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-rule sekoiaio_hacktool_dnscat2_strings {
-    meta:
-        id = "9655cdd7-c7fe-4033-bdd9-bdfcfd2bf827"
-        version = "1.0"
-        description = "Detects DNSCat2 based on strings"
-        author = "Sekoia.io"
-        creation_date = "2022-02-25"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "Creating a exec('%s') session!"
-        $ = "RROR parsing --dns"
-        $ = "Got a ping request! Responding!"
-        $ = "[Tunnel %d] Received %zd bytes"
-        $ = "[Tunnel %d] connection to %s:%d"
-        $ = "You'll need to use --dns server=<server>"
-        $ = "Setting delay between packets to %dms"
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
-        3 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_hacktool_duplicatedump_strings.yar b/yara_rules/sekoiaio_hacktool_duplicatedump_strings.yar
deleted file mode 100644
index 6229550..0000000
--- a/yara_rules/sekoiaio_hacktool_duplicatedump_strings.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_hacktool_duplicatedump_strings {
-    meta:
-        id = "081d0124-4afe-418b-9767-3d987c0107ca"
-        version = "1.0"
-        description = "Detects Duplicate Dump"
-        author = "Sekoia.io"
-        creation_date = "2023-11-22"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "7d872e921a4b4b1b8b295395099b0209" wide ascii
-        $ = "[+] Named pipe connected and replying with current PID" wide ascii
-        $ = "[X] Named pipe connection error:" wide ascii
-        $ = "[X] Error occur while compressing file:" wide ascii
-        $ = "[+] Dump file saved to" wide ascii
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 500KB and
-        4 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_hacktool_earthworm_strings.yar b/yara_rules/sekoiaio_hacktool_earthworm_strings.yar
deleted file mode 100644
index 3d7b165..0000000
--- a/yara_rules/sekoiaio_hacktool_earthworm_strings.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-rule sekoiaio_hacktool_earthworm_strings {
-    meta:
-        id = "6c9b0225-8c41-49f9-9745-245bc7ef942f"
-        version = "1.0"
-        description = "Detects Mac/Win/Linux EarthWorm based on strings"
-        author = "Sekoia.io"
-        creation_date = "2022-02-08"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "the read url is %s"
-        $ = "--> %3d <-- (close)used tunnel %d , unused tunnel %d"
-        $ = "ssocksd 0.0.0.0:%d <--[%4d usec]--> socks server"
-        $ = "could not create one way tunnel"
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 
-         or uint16be(0) == 0x4d5a
-         or uint32be(0) == 0xcffaedfe
-        ) and filesize < 100KB and
-        3 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_hacktool_fscan_strings.yar b/yara_rules/sekoiaio_hacktool_fscan_strings.yar
deleted file mode 100644
index 5734ac2..0000000
--- a/yara_rules/sekoiaio_hacktool_fscan_strings.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule sekoiaio_hacktool_fscan_strings {
-    meta:
-        id = "6bef80c3-370c-4168-9d88-3fac88f986b1"
-        version = "1.0"
-        description = "Detects fscan based on strings"
-        author = "Sekoia.io"
-        creation_date = "2023-12-06"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "Plugins.RdpScan.func1"
-        $ = "Plugins.smb1AnonymousConnectIPC.func1"
-        $ = "WebScan/WebScan.go"
-        $ = "Plugins/CVE-2020-0796.go"
-        $ = "Plugins.SshConn.func4"
-        $ = "Plugins.PostgresScan"
-        $ = "Plugins.(*FCGIClient).Request.func1"
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
-        filesize < 30MB and
-        4 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_hacktool_gtunnel_strings.yar b/yara_rules/sekoiaio_hacktool_gtunnel_strings.yar
deleted file mode 100644
index 3a6b547..0000000
--- a/yara_rules/sekoiaio_hacktool_gtunnel_strings.yar
+++ /dev/null
@@ -1,28 +0,0 @@
-rule sekoiaio_hacktool_gtunnel_strings {
-    meta:
-        id = "f20a4400-8ae6-4954-b643-0a8847f037f0"
-        version = "1.0"
-        description = "Detects Go gTunnel based on strings"
-        author = "Sekoia.io"
-        creation_date = "2023-04-24"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $repo = "github.com/hotnops/gTunnel/" ascii fullword
-        $s1 = "common.(*Tunnel).GetControlStream"
-        $s2 = "common.(*Tunnel).handleIngressCtrlMessages"
-        $s3 = "client..inittask"
-        $s4 = "client.file_client_proto_rawDescGZIP."
-        $s5 = "common.(*SocksServer).Start."
-        $s6 = "client.(*TunnelControlMessage).GetConnectionId"
-        $s7 = "protobuf/reflect/protoreflect.ProtoMessage"
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or 
-         uint16be(0) == 0x4d5a or 
-         uint32be(0) == 0xfeedface or 
-         uint32be(0) == 0xfeedfacf or 
-         uint32be(0) == 0xcafebabe ) and
-         #repo > 200 or 5 of ($s*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_hacktool_impacket_compiled_binary.yar b/yara_rules/sekoiaio_hacktool_impacket_compiled_binary.yar
deleted file mode 100644
index 778c785..0000000
--- a/yara_rules/sekoiaio_hacktool_impacket_compiled_binary.yar
+++ /dev/null
@@ -1,37 +0,0 @@
-rule sekoiaio_hacktool_impacket_compiled_binary {
-    meta:
-        id = "43936dcc-0d74-43dd-996a-c27a28cef283"
-        version = "1.0"
-        description = "Detects generic PE embbeding impacket"
-        author = "Sekoia.io"
-        creation_date = "2022-02-28"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $i1 = "impacket.crypto" fullword
-        $i2 = "impacket.dcerpc" fullword
-        $i3 = "impacket.ese" fullword
-        $i4 = "impacket.hresult_errors" fullword
-        $i5 = "impacket.krb5" fullword
-        $i6 = "impacket.nmb" fullword
-        $i7 = "impacket.nt_errors" fullword
-        $i8 = "impacket.ntlm" fullword
-        $i9 = "impacket.smb" fullword
-        $i10 = "impacket.smb3" fullword
-        $i11 = "impacket.smb3structs" fullword
-        $i12 = "impacket.smbconnection" fullword
-        $i13 = "impacket.spnego" fullword
-        $i14 = "impacket.structure" fullword
-        $i15 = "impacket.system_errors" fullword
-        $i16 = "impacket.tds" fullword
-        $i17 = "impacket.uuid" fullword
-        $i18 = "impacket.version" fullword
-        $i19 = "impacket.winregistry" fullword
-        $py = "PYZ-00.pyz"
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize > 1MB and
-        3 of ($i*) and $py
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_hacktool_iox_tunneling.yar b/yara_rules/sekoiaio_hacktool_iox_tunneling.yar
deleted file mode 100644
index 01f63c2..0000000
--- a/yara_rules/sekoiaio_hacktool_iox_tunneling.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-rule sekoiaio_hacktool_iox_tunneling {
-    meta:
-        id = "45b31d67-95e9-405d-88ea-3f2006ef160a"
-        version = "1.0"
-        description = "Detects IOX tunneling tool"
-        author = "Sekoia.io"
-        creation_date = "2022-10-13"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "iox/operate.Local2Remote"
-        $ = "iox/operate.Local2Local"
-        $ = "iox/operate.Remote2Remote"
-        $ = "iox/operate.ProxyLocal"
-        $ = "iox/operate.ProxyRemote"
-        $ = "iox/operate.ProxyRemoteL2L"
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
-        filesize < 5MB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_hacktool_ipmipwner_strings.yar b/yara_rules/sekoiaio_hacktool_ipmipwner_strings.yar
deleted file mode 100644
index 5e6365f..0000000
--- a/yara_rules/sekoiaio_hacktool_ipmipwner_strings.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule sekoiaio_hacktool_ipmipwner_strings {
-    meta:
-        id = "2ac736b5-33bb-477f-a98c-57cc2744d251"
-        version = "1.0"
-        description = "Detects ipmiPwner script"
-        author = "Sekoia.io"
-        creation_date = "2023-12-08"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "{status} Using the list of users that the {lgcyan}script"
-        $ = "--host 192.168.1.12 -p 624 -uW /opt/SecLists/Usernames/"
-        
-    condition:
-        all of them and filesize < 10KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_hacktool_lazagne_strings.yar b/yara_rules/sekoiaio_hacktool_lazagne_strings.yar
deleted file mode 100644
index b71366d..0000000
--- a/yara_rules/sekoiaio_hacktool_lazagne_strings.yar
+++ /dev/null
@@ -1,26 +0,0 @@
-rule sekoiaio_hacktool_lazagne_strings {
-    meta:
-        id = "5a5e7a07-1252-48cc-ada5-46e796c4e00e"
-        version = "1.0"
-        description = "Detects LaZagne hacktool based on strings"
-        author = "Sekoia.io"
-        creation_date = "2022-02-07"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        
-        $w1= "lazagne.softwares"
-        $w2= "pypykatz.lsadecryptor"
-        
-        $l0= "PyModule_GetDict"
-        $l1= "softwares.sysadmin.filezilla"
-        $l2= "softwares.walle"
-        $l3= "softwares.databases.sqldeveloper"
-        $l4= "softwares.wifi.wpa_supplicant"
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 and all of ($l*))
-        or (uint16be(0) == 0x4d5a and all of ($w*)) and
-        filesize < 40MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_hacktool_ligolo_relay_strings.yar b/yara_rules/sekoiaio_hacktool_ligolo_relay_strings.yar
deleted file mode 100644
index ae37c5c..0000000
--- a/yara_rules/sekoiaio_hacktool_ligolo_relay_strings.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_hacktool_ligolo_relay_strings {
-    meta:
-        id = "1e32f2e5-b66b-4b55-9dd4-1402b2f627ed"
-        version = "1.0"
-        description = "Detects Ligolo Relay based on strings"
-        author = "Sekoia.io"
-        creation_date = "2022-02-08"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "ligolo/cmd/localrelay"
-        $ = "main.LigoloRelay.Start"
-        $ = "main.LigoloRelay.startRelayHandler"
-        $ = "main.LigoloRelay.startLocalHandler"
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
-        filesize > 2MB and filesize < 5MB and
-        3 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_hacktool_ligolo_strings.yar b/yara_rules/sekoiaio_hacktool_ligolo_strings.yar
deleted file mode 100644
index d49b12e..0000000
--- a/yara_rules/sekoiaio_hacktool_ligolo_strings.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_hacktool_ligolo_strings {
-    meta:
-        id = "5013256b-eda3-417e-ac72-959055b01c7e"
-        version = "1.0"
-        description = "Detects ligolo based on strings"
-        author = "Sekoia.io"
-        creation_date = "2022-02-08"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "Restarting Ligolo..."
-        $ = "Ligolo starts a socks5 proxy server"
-        $ = "main.startSocksProxy"
-        $ = "main.handleRelay"
-        $ = "main.StartLigolo"
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
-        filesize > 2MB and filesize < 5MB and
-        3 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_hacktool_microsocks_strings.yar b/yara_rules/sekoiaio_hacktool_microsocks_strings.yar
deleted file mode 100644
index 2b91487..0000000
--- a/yara_rules/sekoiaio_hacktool_microsocks_strings.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_hacktool_microsocks_strings {
-    meta:
-        id = "20e82008-249b-47a3-885b-7c4b04b31a57"
-        version = "1.0"
-        description = "Detects Microsocks"
-        author = "Sekoia.io"
-        creation_date = "2023-12-08"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "microsocks -1 -i listenip -p port -u user -P password"
-        $ = "user/pass, it is added to a whitelist"
-        
-    condition:
-        uint32be(0) == 0x7f454c46 and
-        filesize < 1MB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_hacktool_mimikat_ssp_strings.yar b/yara_rules/sekoiaio_hacktool_mimikat_ssp_strings.yar
deleted file mode 100644
index 798b3ab..0000000
--- a/yara_rules/sekoiaio_hacktool_mimikat_ssp_strings.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_hacktool_mimikat_ssp_strings {
-    meta:
-        id = "33b3620f-e02d-4d29-adcc-fea3b49ab780"
-        version = "1.0"
-        description = "Detects mimikat_ssp"
-        author = "Sekoia.io"
-        creation_date = "2023-11-22"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "[*] Building RPC packet" ascii
-        $ = "[*] Connecting to lsasspirpc RPC service" ascii
-        $ = "[*] Sending SspirConnectRpc call" ascii
-        $ = "[*] Sending SspirCallRpc call" ascii
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 500KB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_hacktool_mimikatz_obfuscated.yar b/yara_rules/sekoiaio_hacktool_mimikatz_obfuscated.yar
deleted file mode 100644
index f41550e..0000000
--- a/yara_rules/sekoiaio_hacktool_mimikatz_obfuscated.yar
+++ /dev/null
@@ -1,26 +0,0 @@
-rule sekoiaio_hacktool_mimikatz_obfuscated {
-    meta:
-        id = "bac4bb61-d250-4fc3-95a5-edd4e3c7ff83"
-        version = "1.0"
-        description = "Detects Mimikatz on strings obfuscation"
-        author = "Sekoia.io"
-        creation_date = "2022-07-22"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $xor1 = "Benjamin Delpy" xor
-        $xor2 = "sekurlsa" xor wide
-        $xor3 = "minidumpfile.dmp" wide
-        $xor4 = "lsadump_dcsync"  xor wide
-        $xor5 = "kuhl_m_lsadump_getSamKey" xor wide
-        
-        $b1 = "Benjamin Delpy" base64
-        $b2 = "sekurlsa" base64 wide
-        $b3 = "minidumpfile.dmp" base64 wide
-        $b4 = "lsadump_dcsync" base64 wide
-        $b5 = "kuhl_m_lsadump_getSamKey" base64 wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and 3 of them and filesize < 5MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_hacktool_mimilite.yar b/yara_rules/sekoiaio_hacktool_mimilite.yar
deleted file mode 100644
index 7bd637a..0000000
--- a/yara_rules/sekoiaio_hacktool_mimilite.yar
+++ /dev/null
@@ -1,38 +0,0 @@
-rule sekoiaio_hacktool_mimilite {
-    meta:
-        id = "abb92a9d-0978-4ef2-b2cc-53ce6e83e3e4"
-        version = "1.0"
-        description = "Detects Mimilite"
-        author = "Sekoia.io"
-        creation_date = "2023-12-05"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $chunk = {
-        FF C7
-        48 63 D7
-        46 0F B6 04 22
-        41 03 F0
-        81 E6 ?? ?? ?? ??
-        7D ??
-        FF CE
-        81 CE ?? ?? ?? ??
-        FF C6
-        48 63 CE
-        42 0F B6 04 21
-        42 88 04 22
-        46 88 04 21 }
-        $imp1 = "CryptGetHashParam"
-        $imp2 = "CryptDestroyHash"
-        $imp3 = "CryptHashData"
-        $imp4 = "CryptReleaseContext"
-        $imp5 = "CryptCreateHash"
-        $imp6 = "CryptAcquireContextA"
-        $imp7 = "VirtualAlloc"
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 200KB and
-        all of ($imp*) and $chunk
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_hacktool_nbtscan_strings.yar b/yara_rules/sekoiaio_hacktool_nbtscan_strings.yar
deleted file mode 100644
index 0539a09..0000000
--- a/yara_rules/sekoiaio_hacktool_nbtscan_strings.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_hacktool_nbtscan_strings {
-    meta:
-        id = "8883b56c-a085-459c-9ec6-a139ad5a2671"
-        version = "1.0"
-        description = "Detects NBTScan hacktool based on strings, ELF & PE variants"
-        author = "Sekoia.io"
-        creation_date = "2022-02-06"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "CHT:nfp:bt:vw:mVO:1P"
-        $ = "usage: %s [options] target [targets...]"
-        $ = "Targets are lists of IP addresses, DNS names, or address"
-        $ = "net bits [%d] must be 1..32"
-        $ = "subnet /%d is too large (%d max)"
-        $ = "[%s] is invalid IP address"
-        $ = "[%s] is an invalid target (bad IP/hostname)"
-        
-    condition:
-        uint16be(0) == 0x4d5a and 5 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_hacktool_ntdsdumpex_strings.yar b/yara_rules/sekoiaio_hacktool_ntdsdumpex_strings.yar
deleted file mode 100644
index e16c65b..0000000
--- a/yara_rules/sekoiaio_hacktool_ntdsdumpex_strings.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_hacktool_ntdsdumpex_strings {
-    meta:
-        id = "9a0fe20a-49e9-4aaf-8f0e-d51800e0a6e0"
-        version = "1.0"
-        description = "Detects NTDSDumpEx based on strings"
-        author = "Sekoia.io"
-        creation_date = "2022-02-25"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "Example : ntdsdumpex.exe -r" ascii wide
-        $ = "[x]can not open output file %s for write." ascii wide
-        $ = "[+]dump completed in %.3f seconds." ascii wide
-        $ = "[+]total %d entries dumped,%d" ascii wide
-        $ = "[x]can not get PEK!" ascii wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 200KB and
-        3 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_hacktool_ntospy_strings.yar b/yara_rules/sekoiaio_hacktool_ntospy_strings.yar
deleted file mode 100644
index 6912520..0000000
--- a/yara_rules/sekoiaio_hacktool_ntospy_strings.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_hacktool_ntospy_strings {
-    meta:
-        id = "c3281666-6a31-4718-a9c0-82944c6fdcb0"
-        version = "1.0"
-        description = "Detects Ntospy based on strings"
-        author = "Sekoia.io"
-        creation_date = "2023-12-05"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "NPGetCaps"
-        $ = "NPLogonNotify"
-        $ = {43 00 3A 00 5C 00 [10-150] 00 2E 00 6D 00 73 00 75}
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 300KB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_hacktool_pplblade_strings.yar b/yara_rules/sekoiaio_hacktool_pplblade_strings.yar
deleted file mode 100644
index 9adc9de..0000000
--- a/yara_rules/sekoiaio_hacktool_pplblade_strings.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_hacktool_pplblade_strings {
-    meta:
-        id = "1a443621-fc95-4a70-873e-c1389943d4ab"
-        version = "1.0"
-        description = "Detects PPLBlade"
-        author = "Sekoia.io"
-        creation_date = "2023-11-23"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "shirou/gopsutil/internal/"
-        $ = ".miniDumpWriteDump"
-        $ = ".DRIVER_FULL_PATH"
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize > 4MB and filesize < 6MB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_hacktool_rubeus_strings.yar b/yara_rules/sekoiaio_hacktool_rubeus_strings.yar
deleted file mode 100644
index 4af70d1..0000000
--- a/yara_rules/sekoiaio_hacktool_rubeus_strings.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_hacktool_rubeus_strings {
-    meta:
-        id = "048cab99-c288-44c2-9dc6-74eed02ef8f5"
-        version = "1.0"
-        description = "Detects Rubeus based on strings"
-        author = "Sekoia.io"
-        creation_date = "2022-02-15"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "includeComputerAccounts" ascii
-        $ = "passwordsOutfile" ascii
-        $ = "monitorIntervalSeconds" ascii
-        $ = "displayNewTickets" ascii
-        $ = "658c8b7f-3664-4a95-9572-a3e5871dfc06" ascii
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 1MB and
-        4 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_hacktool_sharpview_strings.yar b/yara_rules/sekoiaio_hacktool_sharpview_strings.yar
deleted file mode 100644
index 90e266e..0000000
--- a/yara_rules/sekoiaio_hacktool_sharpview_strings.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-rule sekoiaio_hacktool_sharpview_strings {
-    meta:
-        id = "585ead98-36d0-402c-b527-4dec308cb1c9"
-        version = "1.0"
-        description = "Detects SharpView based on strings."
-        author = "Sekoia.io"
-        creation_date = "2022-02-14"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "Args_Get_DomainGPOComputerLocalGroupMapping"
-        $ = "Args_Get_ForestGlobalCatalog"
-        $ = "Args_Find_DomainLocalGroupMember"
-        $ = "Args_Get_DomainFileServer"
-        $ = "Ex: SharpView.exe Method-Name" wide
-        $ = "[Get-PathAcl] error: {0}" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 800KB and
-        5 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_hacktool_socat_strings.yar b/yara_rules/sekoiaio_hacktool_socat_strings.yar
deleted file mode 100644
index 2ae2604..0000000
--- a/yara_rules/sekoiaio_hacktool_socat_strings.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_hacktool_socat_strings {
-    meta:
-        id = "7c7e4085-39b2-445e-a9ff-52f21936e714"
-        version = "1.0"
-        description = "Detects socat"
-        author = "Sekoia.io"
-        creation_date = "2023-12-08"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "[options] <bi-address> <bi-address>"
-        $ = "version %s on %s"
-        $ = "socat_signal():"
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
-        filesize < 5MB and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_hacktool_stowaway_strings.yar b/yara_rules/sekoiaio_hacktool_stowaway_strings.yar
deleted file mode 100644
index 4360438..0000000
--- a/yara_rules/sekoiaio_hacktool_stowaway_strings.yar
+++ /dev/null
@@ -1,25 +0,0 @@
-rule sekoiaio_hacktool_stowaway_strings {
-    meta:
-        id = "a952b45a-269b-4075-bf72-16d6d863e97c"
-        version = "1.0"
-        description = "Detects Stowaway based on strings"
-        author = "Sekoia.io"
-        creation_date = "2023-11-15"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "agent.CloseLowConn"
-        $ = "agent.CloseListener"
-        $ = "agent.SimpleNodeInit"
-        $ = "agent.HandleConnToLowerNode"
-        $ = "agent.HandleConnFromLowerNode"
-        $ = "common.NewPassToLowerNodeData"
-        $ = "agent.HandleSimpleNodeConn"
-        $ = "agent.HandleConnToUpperNode"
-        $ = "agent.HandleConnFromUpperNode"
-        $ = "agent.StartSocks"
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_hacktool_win_cookiekatz.yar b/yara_rules/sekoiaio_hacktool_win_cookiekatz.yar
deleted file mode 100644
index 3822809..0000000
--- a/yara_rules/sekoiaio_hacktool_win_cookiekatz.yar
+++ /dev/null
@@ -1,37 +0,0 @@
-rule sekoiaio_hacktool_win_cookiekatz {
-    meta:
-        id = "a32769bb-4ec4-46c7-9402-21afdf8d4293"
-        version = "1.0"
-        description = "Finds ChromeKatz (CookieKatz version) standalone samples based on the strings"
-        author = "Sekoia.io"
-        reference = "https://github.com/Meckazin/ChromeKatz"
-        creation_date = "2024-10-30"
-        classification = "TLP:CLEAR"
-        hash = "fef9fc33a788489af44b2f732c450d4ef018fbaced7f5471230b282dfd6f1169"
-        
-    strings:
-        $str01 = "CookieKatz.exe" ascii
-        $str02 = "--utility-sub-type=network.mojom.NetworkService" wide
-        $str03 = "chrome.dll" wide
-        $str04 = "msedge.dll" wide
-        $str05 = "msedgewebview2.exe" wide
-        $str06 = "Failed to read cookie struct" wide
-        $str07 = "Failed to read the root node from given address" wide
-        $str08 = "Error reading left node" wide
-        $str09 = "By Meckazin" ascii
-        $str10 = "By default targets first available Chrome process" ascii
-        $str11 = "Kittens love cookies too!" ascii
-        $str12 = "Attempting to read the cookie value from address: 0x%p" ascii
-        $str13 = "szCookieMonster" ascii
-        $str14 = "[*] Targeting Chrome" ascii
-        $str15 = "[*] Targeting Edge" ascii
-        $str16 = "[*] This Cookie map was empty" ascii
-        $str17 = "[+] Found browser process: %d" ascii wide
-        $str18 = "[*] Targeting process PID: %d" wide
-        $str19 = "[*] Found CookieMonster on 0x%p" wide
-        $str20 = "[*] CookieMap should be found in address 0x%p" wide
-        
-    condition:
-        uint16(0)==0x5A4D and 8 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_hacktool_win_gmer.yar b/yara_rules/sekoiaio_hacktool_win_gmer.yar
deleted file mode 100644
index 1ba5fb7..0000000
--- a/yara_rules/sekoiaio_hacktool_win_gmer.yar
+++ /dev/null
@@ -1,25 +0,0 @@
-import "pe"
-        
-rule sekoiaio_hacktool_win_gmer {
-    meta:
-        version = "1.0"
-        description = "Dtect the GMER hacktool based string and UPX usage"
-        author = "Sekoia.io"
-        creation_date = "2022-09-09"
-        id = "d2f1aba1-4222-45e5-95bd-4d7f08595cea"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $pac = "IDI_GMER" wide
-        
-        $str0 = "---- Processes - GMER %s ----" ascii
-        $str1 = "E:\\projects\\cpp\\gmer\\Release\\gmer.pdb" ascii
-        
-    condition:
-        uint16(0)==0x5A4D and
-        (($pac and for any i in (0..pe.number_of_sections-1) : (
-                pe.sections[i].name == "UPX0"
-        )) or
-        any of ($str*)) and filesize < 900KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_hacktool_win_powertool.yar b/yara_rules/sekoiaio_hacktool_win_powertool.yar
deleted file mode 100644
index 3f944f4..0000000
--- a/yara_rules/sekoiaio_hacktool_win_powertool.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_hacktool_win_powertool {
-    meta:
-        version = "1.0"
-        description = "Detect PowerTool based on strings"
-        author = "Sekoia.io"
-        creation_date = "2022-09-09"
-        id = "ab8355b8-322d-41a4-82f0-43896c96b9bc"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str0 = "C:\\dev\\pt64_en\\Release\\PowerTool.pdb" ascii
-        $str1 = "Chage language nedd to restart PowerTool" ascii
-        $str2 = "(http://twitter.com/ithurricanept && https://www.linkedin.com/in/powertool)" wide
-        $str3 = "Infected=Before Fix, whether to back up the drive files will be fixed?" wide
-        $str4 = "Infected?-Are you sure to Fix the Infected Driver File?" wide
-        $str5 = "shellex\\ContextMenuHandlers\\PowerTool" wide
-        $str6 = "[PowerTool] name=%s, size=%d, %d" ascii
-        
-    condition:
-        uint16(0)==0x5A4D and any of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_hacktool_win_processhacker.yar b/yara_rules/sekoiaio_hacktool_win_processhacker.yar
deleted file mode 100644
index 649132c..0000000
--- a/yara_rules/sekoiaio_hacktool_win_processhacker.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_hacktool_win_processhacker {
-    meta:
-        version = "1.0"
-        description = "Detect ProcessHacker hacktool"
-        author = "Sekoia.io"
-        creation_date = "2022-09-09"
-        id = "1dffe8c9-2ab7-4265-965e-8673b80f17d5"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str0 = "Unable to uninstall KProcessHacker" wide
-        $str1 = "Process Hacker's settings file is corrupt. Do you want to reset it?" wide
-        $str2 = "Process Hacker uses the following components:" wide
-        
-    condition:
-        uint16(0)==0x5A4D and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_hacktool_win_uknowseckeylogger.yar b/yara_rules/sekoiaio_hacktool_win_uknowseckeylogger.yar
deleted file mode 100644
index d1ee68b..0000000
--- a/yara_rules/sekoiaio_hacktool_win_uknowseckeylogger.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_hacktool_win_uknowseckeylogger {
-    meta:
-        version = "1.0"
-        description = "Detect the uknowsec keylogger based on strings"
-        author = "Sekoia.io"
-        creation_date = "2022-10-05"
-        id = "ab08136d-b1f3-4e64-b73c-e6344b610f91"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str0 = "github.com/atotto/clipboard" ascii
-        $str1 = "github.com/TheTitanrain/w32" ascii
-        $str2 = "github.com/aliyun/aliyun-oss-go-sdk" ascii
-        $str3 = "golang.org/x/sys" ascii
-        $str4 = "golang.org/x/time" ascii
-        $str5 = "WSARecvWSASend[Print][Right][Shift][Sleep][debug][error]" ascii
-        
-    condition:
-        uint16(0)==0x5A4D and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_hafnium_tarrask_malware.yar b/yara_rules/sekoiaio_hafnium_tarrask_malware.yar
deleted file mode 100644
index 7cada34..0000000
--- a/yara_rules/sekoiaio_hafnium_tarrask_malware.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule sekoiaio_hafnium_tarrask_malware {
-    meta:
-        id = "6f1728d6-dc9b-4ea7-8656-2b069ee269a0"
-        version = "1.0"
-        description = "Hunting rule to look for Tarrask malware"
-        author = "Sekoia.io"
-        creation_date = "2022-04-14"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "delete sd success" wide ascii nocase
-        $s2 = "Task successfully registered." wide ascii nocase
-        
-    condition:
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_icebot_exported_function.yar b/yara_rules/sekoiaio_icebot_exported_function.yar
deleted file mode 100644
index 659ee1c..0000000
--- a/yara_rules/sekoiaio_icebot_exported_function.yar
+++ /dev/null
@@ -1,25 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_icebot_exported_function {
-    meta:
-        id = "1a1fb651-6ce3-4751-be23-c27a3d8dabde"
-        version = "1.0"
-        author = "Sekoia.io"
-        creation_date = "2022-01-17"
-        classification = "TLP:CLEAR"
-        description = "Detects the IceBot RAT used by FIN7 based on the exported function"
-        hash1 = "5ee5b869689686d9352c73173304627bb424b8d0a8510e6f16726ac84fdec79d"
-        hash2 = "0f76768f65775329d7a0ddb977ea822d992d086ce48a23679cef66e3b4d2f4ed"
-        hash3 = "f06c7f1b91fb2f64e1f38df6eaf2b52a74b16cc958d74c4401fdaf180deb595a"
-        hash4 = "cbed0cf3273ce544a7e4e316d5c8f5e9c9ac6deaefa485a6afad2654fe75ff1e"
-        
-    strings:
-        $a = {cc cc cc 48 89 4c 24 ?? 53 55 56 57 41 54 41 55 41 56 41 57 ?? ?? ?? ?? 33 f6 44 8b ee 48 89 74 24 ?? 8b ee 48 89 b4 24 ?? ?? ?? ?? 44 8b f6 48 89 74 24 ?? 44 8b e6 e8 bf ff ff ff 4c 8b f8 8d 5e ?? b8 ?? ?? ?? ?? 66 41 39 07 75 1b 49 63 57 ?? 48 8d 4a ?? 48 81 f9 ?? ?? ?? ?? 77 0a 42 81 3c 3a ?? ?? ?? ?? 74 05 4c 2b fb eb d5 65 48 8b 04 25 ?? ?? ?? ?? bf ?? ?? ?? ?? 4c 89 bc 24 ?? ?? ?? ?? 48 8b 48 ?? 4c 8b 59 ?? 4c 89 9c 24 ?? ?? ?? ?? 4d 85 db 0f 84 d5 01 00 00 41 b9 ff ff 00 00 49 8b 53 ?? 48 8b c6 45 0f b7 43 ?? 0f b6 0a c1 c8 ?? 80 f9 ?? 72 04 48 83 c0 ?? 48 03 c1 48 03 d3 66 45 03 c1 75 e5 3d ?? ?? ?? ?? 0f 85 d2 00 00 00 49 8b 53 ?? 41 bb ff ff 00 00 48 63 42 ?? 8b b4 10 ?? ?? ?? ?? 44 8b 54 16 ?? 8b 5c 16 ?? 4c 03 d2 48 03 da 45 33 c9 45 8d 79 ?? 45 8b 02 41 8b c9 4c 03 c2 41 8a 00 4d 03 c7 c1 c9 ?? 0f be c0 03 c8 41 8a 00 84 c0 75 ee 81 f9 ?? ?? ?? ?? 74 10 81 f9 ?? ?? ?? ?? 74 08 81 f9 ?? ?? ?? ?? 75 44 44 8b 4c 16 ?? 44 0f b7 03 4c 03 ca 81 f9 ?? ?? ?? ?? 75 09 47 8b 2c 81 4c 03 ea eb 20 81 f9 ?? ?? ?? ?? 75 09 43 8b 2c 81 48 03 ea eb 0f 81 f9 ?? ?? ?? ?? 75 07 47 8b 34 81 4c 03 f2 66 41 03 fb 45 33 c9 49 83 c2 ?? 48 83 c3 ?? 66 85 ff 0f 85 75 ff ff ff 4c 8b 9c 24 ?? ?? ?? ?? 33 f6 48 89 ac 24 ?? ?? ?? ?? 4c 89 6c 24 ?? e9 8d 00 00 00 3d ?? ?? ?? ?? 0f 85 90 00 00 00 4d 8b 43 ?? 41 bf ?? ?? ?? ?? 41 0f b7 ff bd ff ff 00 00 49 63 40 ?? 42 8b 9c 00 ?? ?? ?? ?? 46 8b 4c 03 ?? 46 8b 54 03 ?? 4d 03 c8 4d 03 d0 41 8b 11 8b ce 49 03 d0 8a 02 49 03 d7 c1 c9 ?? 0f be c0 03 c8 8a 02 84 c0 75 ef 81 f9 ?? ?? ?? ?? 75 16 42 8b 4c 03 ?? 41 0f b7 12 49 03 c8 44 8b 24 91 4d 03 e0 66 03 fd 49 83 c1 ?? 49 83 c2 ?? 66 85 ff 75 ba 48 8b ac 24 ?? ?? ?? ?? 4c 89 64 24 ?? 41 b9 ff ff 00 00 bf ?? ?? ?? ?? 49 8b df 4d 85 ed 74 0f 48 85 ed 74 0a 4d 85 f6 74 05 4d 85 e4 75 14 4d 8b 1b 4c 89 9c 24 ?? ?? ?? ?? 4d 85 db 0f 85 39 fe ff ff 4c 8b bc 24 ?? ?? ?? ?? 49 63 6f ?? 33 c9 49 03 ef 89 b4 24 ?? ?? ?? ?? 41 b8 00 ?? ?? ?? 48 89 6c 24 ?? 4c 8b e6 44 8d 49 ?? 8b 55 ?? 41 ff d6 44 0f b7 45 ?? 48 8b f8 44 0f b7 55 ?? 49 83 c0 ?? 4d 85 d2 74 4f 4c 03 c5 41 8b 00 4c 2b d3 45 8b 48 ?? 41 8b 48 ?? 48 03 cf 49 8d 14 07 41 03 c1 89 84 24 ?? ?? ?? ?? 48 8b c1 48 2b c2 4d 85 e4 49 0f 45 c4 4c 8b e0 4d 85 c9 74 0f 8a 02 48 03 d3 88 01 48 03 cb 4c 2b cb 75 f1 49 83 c0 ?? 4d 85 d2 75 b4 8b 85 ?? ?? ?? ?? 41 be ?? ?? ?? ?? 85 c0 0f 84 e8 00 00 00 48 8d 1c 07 8b 43 ?? 85 c0 0f 84 d9 00 00 00 48 8b ac 24 ?? ?? ?? ?? 8b c8 48 03 cf 41 ff d5 44 8b 7b ?? 33 c9 8b 33 4c 03 ff 48 03 f7 4c 8b e8 49 39 0f 74 7d 48 85 f6 74 31 48 39 0e 7d 2c 49 63 45 ?? 0f b7 16 42 8b 8c 28 ?? ?? ?? ?? 42 8b 44 29 ?? 42 8b 4c 29 ?? 48 2b d0 49 03 cd 8b 04 91 49 03 c5 49 89 07 33 c9 eb 2a 4d 8b 37 49 8b cd 49 83 c6 ?? 4c 03 f7 49 8b d6 ff d5 33 c9 49 89 07 41 38 0e 74 0e 8d 41 ?? 41 88 0e 4c 03 f0 41 38 0e 75 f5 49 83 c7 ?? 48 8d 46 ?? 48 85 f6 48 0f 44 c6 48 8b f0 49 39 0f 75 89 41 be ?? ?? ?? ?? 8b 43 ?? 48 03 c7 33 f6 eb 06 40 88 30 49 03 c6 40 38 30 75 f5 8b 43 ?? 48 83 c3 ?? 4c 8b 6c 24 ?? 85 c0 0f 85 3c ff ff ff 48 8b 6c 24 ?? 4c 8b bc 24 ?? ?? ?? ?? 4c 8b cf 4c 2b 4d ?? 39 b5 ?? ?? ?? ?? 0f 84 b5 00 00 00 8b 95 ?? ?? ?? ?? 48 03 d7 8b 42 ?? 85 c0 0f 84 a1 00 00 00 41 bf ?? ?? ?? ?? bb ff ?? ?? ?? 45 8d 6f ?? 44 8b 02 4c 8d 5a ?? 44 8b d0 4c 03 c7 49 83 ea ?? 49 d1 ea 74 62 41 be ?? ?? ?? ?? 41 0f b7 0b 4d 2b d6 0f b7 c1 66 c1 e8 ?? 66 83 f8 ?? 75 09 48 23 cb 4e 01 0c 01 eb 34 66 41 3b c5 75 09 48 23 cb 46 01 0c 01 eb 25 66 41 3b c6 75 11 48 23 cb 49 8b c1 48 c1 e8 ?? 66 42 01 04 01 eb 0e 66 41 3b c7 75 08 48 23 cb 66 46 01 0c 01 4d 03 df 4d 85 d2 75 a7 8b 42 ?? 48 03 d0 8b 42 ?? 85 c0 0f 85 7a ff ff ff 4c 8b bc 24 ?? ?? ?? ?? 44 8d 70 ?? 8b 5d ?? 45 33 c0 33 d2 48 83 c9 ff 48 03 df ff 54 24 ?? e8 21 fb ff ff 4d 85 e4 74 13 48 85 c0 74 0e 4a 8d 0c 20 4c 8b e6 e8 67 00 00 00 eb 3b 8b 94 24 ?? ?? ?? ?? c1 ea ?? 89 b4 24 ?? ?? ?? ?? eb 1d 48 63 84 24 ?? ?? ?? ?? 41 89 34 87 8b 84 24 ?? ?? ?? ?? 41 03 c6 89 84 24 ?? ?? ?? ?? 8b 84 24 ?? ?? ?? ?? 3b c2 72 d8 4c 8b 84 24 ?? ?? ?? ?? ba ?? ?? ?? ?? 48 8b cf ff d3 49 8d 04 3c ?? ?? ?? ?? 41 5f 41 5e 41 5d 41 5c 5f 5e 5d 5b c3}
-        
-    condition:
-        uint16(0)==0x5A4D and $a
-        or pe.imphash() == "37af5cd8fc35f39f0815827f7b80b304"
-        or hash.md5(pe.rich_signature.clear_data) == "b857cf76a54ce175c225eaaae66547a2"
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_icedid_chm_ttp.yar b/yara_rules/sekoiaio_icedid_chm_ttp.yar
deleted file mode 100644
index 16e60ba..0000000
--- a/yara_rules/sekoiaio_icedid_chm_ttp.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-import "magic"
-        
-rule sekoiaio_icedid_chm_ttp {
-    meta:
-        id = "cae771d4-a9cf-4325-81b3-c00090cbc05e"
-        version = "1.0"
-        description = "IcedID campaign delivering ISO file with CHM attack chain"
-        author = "Sekoia.io"
-        creation_date = "2022-09-28"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $hta1 = "<HTA:APPLICATION " ascii
-        $hta2 = "<script language=\"Javascript\">" ascii
-        $hta3 = "ActiveXObject" ascii
-        $hta4 = "cmd /c rundll32 \\" ascii
-        $chm1 = "CHM" ascii
-        $chm2 = ".htm" ascii
-        
-    condition:
-        3 of ($hta*) and all of ($chm*) and magic.mime_type() == "application/x-iso9660-image" and filesize > 500KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_implant_any_sliver.yar b/yara_rules/sekoiaio_implant_any_sliver.yar
deleted file mode 100644
index 52dda84..0000000
--- a/yara_rules/sekoiaio_implant_any_sliver.yar
+++ /dev/null
@@ -1,29 +0,0 @@
-rule sekoiaio_implant_any_sliver {
-    meta:
-        id = "4b16f28a-2048-4044-8620-8e7a1651f2b1"
-        author = "Sekoia.io"
-        creation_date = "2021-11-08"
-        description = "Rule which detects any Sliver implant PE/Dlls/ELFs/MAC-O."
-        version = "1.1"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = ").GetActiveC2" ascii
-        $s2 = ").GetVersion" ascii
-        $s3 = ").GetReconnectInterval" ascii
-        $s4 = ").GetProxyURL" ascii
-        $s5 = ").GetPollInterval" ascii
-        
-    condition:
-        ( uint16be(0) == 0x4d5a or
-        uint32be(0) == 0x7f454c46 or
-        uint32be(0) == 0xcffaedfe
-        ) and (
-            true and
-            filesize < 11MB and
-            filesize > 7MB
-        ) and (
-            all of ($s*)
-        )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_implant_any_sliver_not_stripped.yar b/yara_rules/sekoiaio_implant_any_sliver_not_stripped.yar
deleted file mode 100644
index fc27c57..0000000
--- a/yara_rules/sekoiaio_implant_any_sliver_not_stripped.yar
+++ /dev/null
@@ -1,25 +0,0 @@
-rule sekoiaio_implant_any_sliver_not_stripped {
-    meta:
-        id = "35543c7c-c39b-4f96-b37c-1d27736e40fc"
-        author = "Sekoia.io"
-        creation_date = "2021-11-08"
-        modification_date = "2021-12-22"
-        description = "Rule which detects non stripped Sliver PE/Dlls/ELFs/MAC-O."
-        version = "1.1"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $a1 = "github.com/bishopfox/sliver/implant/sliver/"
-        
-    condition:
-        (
-        uint16be(0) == 0x4d5a or
-        uint32be(0) == 0x7f454c46 or
-        uint32be(0) == 0xcffaedfe
-        )
-        
-        and filesize < 11MB
-        and filesize > 8MB
-        and #a1 > 200
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_implant_lin_geacon.yar b/yara_rules/sekoiaio_implant_lin_geacon.yar
deleted file mode 100644
index 54d4c70..0000000
--- a/yara_rules/sekoiaio_implant_lin_geacon.yar
+++ /dev/null
@@ -1,36 +0,0 @@
-rule sekoiaio_implant_lin_geacon {
-    meta:
-        id = "ad71522e-270b-47d0-9c01-081f05a2b72a"
-        version = "1.0"
-        description = "Finds Geacon samples based on specific strings"
-        author = "Sekoia.io"
-        creation_date = "2024-01-11"
-        classification = "TLP:CLEAR"
-        reference = "https://www.sentinelone.com/blog/geacon-brings-cobalt-strike-capabilities-to-macos-threat-actors/"
-        
-    strings:
-        $gea01 = "geacon/config.init" ascii
-        $gea02 = "geacon_pro-master/config/config.go" ascii
-        $gea03 = "geacon_plus-main/config/config.go" ascii
-        $gea04 = "command type %d is not support by geacon now" ascii
-        $gea05 = "main/sysinfo.GeaconID" ascii
-        
-        $str01 = "command.StealToken" ascii
-        $str02 = "command.MakeToken" ascii
-        $str03 = "command/misc.go" ascii
-        $str04 = "config/c2profile.go" ascii
-        $str05 = "crypt.AesCBCDecrypt" ascii
-        $str06 = "packet.File_Browse" ascii
-        $str07 = "packet.FirstBlood" ascii
-        $str08 = "packet.ParseCommandShell" ascii
-        $str09 = "packet.ParseCommandUpload" ascii
-        $str10 = "packet.PushResult" ascii
-        $str11 = "sysinfo.GetComputerName" ascii
-        $str12 = "sysinfo.IsOSX64" ascii
-        $str13 = "util..inittask" ascii
-        
-    condition:
-        uint32(0) == 0x464C457F and
-        ((1 of ($gea*) and 2 of ($str*)) or 8 of ($str*))
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_implant_lin_lightning.yar b/yara_rules/sekoiaio_implant_lin_lightning.yar
deleted file mode 100644
index 7b72488..0000000
--- a/yara_rules/sekoiaio_implant_lin_lightning.yar
+++ /dev/null
@@ -1,28 +0,0 @@
-rule sekoiaio_implant_lin_lightning {
-    meta:
-        id = "56f53e89-3b63-4ce7-a3c8-da0ba37246f1"
-        version = "1.0"
-        description = "Detect the Lightning framework (Core & Downloader plugin)"
-        author = "Sekoia.io"
-        creation_date = "2022-07-21"
-        classification = "TLP:CLEAR"
-        reference = "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"
-        
-    strings:
-        $ = "{\"ComputerName\":\"%s\",\"Guid\":\"%s\",\"RequestName\":\"%s\",\"Licence\":\"%s\"}"
-        $ = "kill -9 %s"
-        $ = "{%08X-%04X-%04X-%04X-%04X%04X%04X}"
-        $ = "sleep 60 && ./%s &"
-        $ = "cat /sys/class/net/%s/address"
-        $ = "/usr/bin/netstat"
-        $ = "/usr/bin/whoami"
-        $ = "/usr/bin/su"
-        $ = "dup2: %s"
-        $ = "Linux.Plugin.Kernel_%s"
-        $ = "Lightning"
-        
-    condition:
-        uint32(0)==0x464c457f
-        and 9 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_implant_mac_rustbucket.yar b/yara_rules/sekoiaio_implant_mac_rustbucket.yar
deleted file mode 100644
index 6ffb0d3..0000000
--- a/yara_rules/sekoiaio_implant_mac_rustbucket.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_implant_mac_rustbucket {
-    meta:
-        id = "fcbb745d-7f56-4c51-9db5-427da22a0c68"
-        version = "1.0"
-        description = "Detect the RustBucket malware"
-        author = "Sekoia.io"
-        creation_date = "2023-04-24"
-        classification = "TLP:CLEAR"
-        hash = "9ca914b1cfa8c0ba021b9e00bda71f36cad132f27cf16bda6d937badee66c747"
-        reference = "https://www.jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/"
-        
-    strings:
-        $ = "/Users/hero/"
-        $ = "PATHIpv6Ipv4Bodyslotpath"
-        $macho_magic = {CF FA ED FE}
-        $java_magic = {CA FE BA BE}
-        
-    condition:
-        ($macho_magic at 0 or $java_magic at 0) 
-        and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_implant_mac_smoothoperator_update_agent.yar b/yara_rules/sekoiaio_implant_mac_smoothoperator_update_agent.yar
deleted file mode 100644
index a11f538..0000000
--- a/yara_rules/sekoiaio_implant_mac_smoothoperator_update_agent.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_implant_mac_smoothoperator_update_agent {
-    meta:
-        id = "45a1d0d9-083b-4b4a-b53c-e5d86f804f01"
-        version = "1.0"
-        description = "UpdateAgent payload delivered by SmoothOperator during the 3CX supply chain attack"
-        author = "Sekoia.io"
-        creation_date = "2023-07-04"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "3CX Desktop App/.main_storage"
-        $ = "3CX Desktop App/config.json"
-        $ = "3cx_auth_token_content=%s"
-        $ = "3cx_auth_id=%s"
-        
-    condition:
-        uint32be(0)==0xcffaedfe and 2 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_implant_macos_geacon.yar b/yara_rules/sekoiaio_implant_macos_geacon.yar
deleted file mode 100644
index f3ff72a..0000000
--- a/yara_rules/sekoiaio_implant_macos_geacon.yar
+++ /dev/null
@@ -1,36 +0,0 @@
-rule sekoiaio_implant_macos_geacon {
-    meta:
-        id = "a7784bfa-66a7-47df-b88b-d98217d8cca5"
-        version = "1.0"
-        description = "Finds Geacon samples based on specific strings"
-        author = "Sekoia.io"
-        reference = "https://www.sentinelone.com/blog/geacon-brings-cobalt-strike-capabilities-to-macos-threat-actors/"
-        creation_date = "2024-01-11"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $gea01 = "geacon/config.init" ascii
-        $gea02 = "geacon_pro-master/config/config.go" ascii
-        $gea03 = "geacon_plus-main/config/config.go" ascii
-        $gea04 = "command type %d is not support by geacon now" ascii
-        $gea05 = "main/sysinfo.GeaconID" ascii
-        
-        $str01 = "command.StealToken" ascii
-        $str02 = "command.MakeToken" ascii
-        $str03 = "command/misc.go" ascii
-        $str04 = "config/c2profile.go" ascii
-        $str05 = "crypt.AesCBCDecrypt" ascii
-        $str06 = "packet.File_Browse" ascii
-        $str07 = "packet.FirstBlood" ascii
-        $str08 = "packet.ParseCommandShell" ascii
-        $str09 = "packet.ParseCommandUpload" ascii
-        $str10 = "packet.PushResult" ascii
-        $str11 = "sysinfo.GetComputerName" ascii
-        $str12 = "sysinfo.IsOSX64" ascii
-        $str13 = "util..inittask" ascii
-        
-    condition:
-        uint32(0) == 0xFEEDFACF and
-        ((1 of ($gea*) and 2 of ($str*)) or 8 of ($str*))
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_implant_mul_alchimist.yar b/yara_rules/sekoiaio_implant_mul_alchimist.yar
deleted file mode 100644
index 28e865b..0000000
--- a/yara_rules/sekoiaio_implant_mul_alchimist.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_implant_mul_alchimist {
-    meta:
-        version = "1.0"
-        description = "Detect the Alchimist implant based on strings"
-        author = "Sekoia.io"
-        creation_date = "2022-10-18"
-        id = "66330cc6-a7da-4717-9977-0cede48f46f5"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "POST /users/loginpage.html HTTP/1.1" ascii
-        $str02 = "pm3/apps/Insekt/main.go" ascii
-        $str03 = "generate new insekt err" ascii
-        $str04 = "[SHELLCODE][filesize]:[scan]" ascii
-        $str05 = "\\Device\\NamedPipe\\cygwinbad" ascii
-        $str06 = "pm3/utils.GetTmpDir" ascii
-        $str07 = "os/exec.Command" ascii
-        
-    condition:
-        (uint16(0)==0x5A4D or uint32(0)==0x464C457F) and 5 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_implant_win_apt29_2022_10.yar b/yara_rules/sekoiaio_implant_win_apt29_2022_10.yar
deleted file mode 100644
index 61e7ccc..0000000
--- a/yara_rules/sekoiaio_implant_win_apt29_2022_10.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_implant_win_apt29_2022_10 {
-    meta:
-        id = "0f270e75-f687-4fdc-a980-fde81107a4d6"
-        version = "1.0"
-        description = "APT29 implants from October 2022"
-        author = "Sekoia.io"
-        creation_date = "2023-02-15"
-        classification = "TLP:CLEAR"
-        hash1 = "1cffaf3be725d1514c87c328ca578d5df1a86ea3b488e9586f9db89d992da5c4"
-        hash2 = "381a3c6c7e119f58dfde6f03a9890353a20badfa1bfa7c38ede62c6b0692103c"
-        
-    condition:
-        pe.imphash() == "39b818e7bac0a276f509f8c47e467666"
-        or for any i in (0..pe.number_of_sections-1) : (
-            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "6621113d9f212c71b8dd3ce85c62b251"
-        )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_implant_win_flagpro.yar b/yara_rules/sekoiaio_implant_win_flagpro.yar
deleted file mode 100644
index c9c14ba..0000000
--- a/yara_rules/sekoiaio_implant_win_flagpro.yar
+++ /dev/null
@@ -1,27 +0,0 @@
-rule sekoiaio_implant_win_flagpro {
-    meta:
-        id = "08dd2de4-b359-424f-af04-7f294d519363"
-        version = "1.0"
-        description = "Detect the Flagpro malware used by Blacktech"
-        author = "Sekoia.io"
-        creation_date = "2022-04-22"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "<BODY ID=CV20_LoaderDlg BGCOLOR=LIGHTGREY style=\"font-family:MS Shell Dlg;font-size:8\">" ascii
-        $ = "<TABLE WIDTH=100% HEIGHT=100%>" ascii
-        $ = "<TR WIDTH=100% HEIGHT=45%>" ascii
-        $ = "<TD ALIGN=CENTER VALIGN=BOTTOM>" ascii
-        $ = "TODO: Place controls here." ascii
-        $ = "<TD ALIGN=RIGHT VALIGN=BOTTOM>" ascii
-        $ = "<BUTTON STYLE=\"WIDTH:100\" ID=\"ButtonHelp\">Help</BUTTON>&nbsp;&nbsp;<BUTTON STYLE=\"WIDTH:100\" ID=\"ButtonOK\">OK</BUTTON>&nbsp;<BUTTON STYLE=\"WIDTH:100\" ID=\"ButtonCancel\">Cancel</BUTTON>" ascii
-        
-        $about_loader = /About V[0-9]+\.[0-9]+_Loader.../ wide
-        $path = "f:\\dd\\vctools\\vc7libs\\ship\\atlmfc\\include\\" wide
-        $regitry = "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\" wide
-        
-    condition:
-        uint16(0)==0x5A4D
-        and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_implant_win_geacon.yar b/yara_rules/sekoiaio_implant_win_geacon.yar
deleted file mode 100644
index 6ebd042..0000000
--- a/yara_rules/sekoiaio_implant_win_geacon.yar
+++ /dev/null
@@ -1,36 +0,0 @@
-rule sekoiaio_implant_win_geacon {
-    meta:
-        id = "064eabe0-aee5-4e5e-9f5e-69b32b1ba0da"
-        version = "1.0"
-        description = "Finds Geacon samples based on specific strings"
-        author = "Sekoia.io"
-        creation_date = "2024-01-11"
-        classification = "TLP:CLEAR"
-        reference = "https://www.sentinelone.com/blog/geacon-brings-cobalt-strike-capabilities-to-macos-threat-actors/"
-        
-    strings:
-        $gea01 = "geacon/config.init" ascii
-        $gea02 = "geacon_pro-master/config/config.go" ascii
-        $gea03 = "geacon_plus-main/config/config.go" ascii
-        $gea04 = "command type %d is not support by geacon now" ascii
-        $gea05 = "main/sysinfo.GeaconID" ascii
-        
-        $str01 = "command.StealToken" ascii
-        $str02 = "command.MakeToken" ascii
-        $str03 = "command/misc.go" ascii
-        $str04 = "config/c2profile.go" ascii
-        $str05 = "crypt.AesCBCDecrypt" ascii
-        $str06 = "packet.File_Browse" ascii
-        $str07 = "packet.FirstBlood" ascii
-        $str08 = "packet.ParseCommandShell" ascii
-        $str09 = "packet.ParseCommandUpload" ascii
-        $str10 = "packet.PushResult" ascii
-        $str11 = "sysinfo.GetComputerName" ascii
-        $str12 = "sysinfo.IsOSX64" ascii
-        $str13 = "util..inittask" ascii
-        
-    condition:
-        uint16(0) == 0x5A4D and
-        ((1 of ($gea*) and 2 of ($str*)) or 8 of ($str*))
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_implant_win_graphiron_downloader.yar b/yara_rules/sekoiaio_implant_win_graphiron_downloader.yar
deleted file mode 100644
index c845416..0000000
--- a/yara_rules/sekoiaio_implant_win_graphiron_downloader.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_implant_win_graphiron_downloader {
-    meta:
-        id = "c50c4bd2-3828-43bf-b45c-8e911c298536"
-        version = "1.0"
-        description = "Detect the downloader of Graphiron"
-        author = "Sekoia.io"
-        creation_date = "2023-02-10"
-        classification = "TLP:CLEAR"
-        hash1 = "0d0a675516f1ff9247f74df31e90f06b0fea160953e5e3bada5d1c8304cfbe63"
-        hash2 = "878450da2e44f5c89ce1af91479b9a9491fe45211fee312354dfe69e967622db"
-        
-    condition:
-        for any i in (0..pe.number_of_sections-1) : (
-            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "1b614f8d813125f56d2e772ed0ca5dae"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "5c6496d33de5a35bd38ddb12d8b42e03"
-        )
-        and filesize > 3MB
-        and filesize < 6MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_implant_win_havoc_default_strings.yar b/yara_rules/sekoiaio_implant_win_havoc_default_strings.yar
deleted file mode 100644
index fe47c29..0000000
--- a/yara_rules/sekoiaio_implant_win_havoc_default_strings.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule sekoiaio_implant_win_havoc_default_strings {
-    meta:
-        version = "1.0"
-        author = "Sekoia.io"
-        description = "Finds Havoc implants based on the embedded default strings"
-        creation_date = "2022-10-07"
-        id = "955c2211-4502-4258-ba4c-0d96a5624283"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "C:\\Windows\\System32\\notepad.exe" ascii
-        $str02 = "C:\\Windows\\SysWOW64\\notepad.exe" ascii
-        $str03 = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36" ascii
-        $str04 = "POST" wide
-        $str05 = "\\??\\C:\\Windows\\System32\\ntdll.dll" wide
-        $str06 = "X-Havoc: true" ascii
-        $str07 = "X-Havoc-Agent: Demon" ascii
-        $str08 = "/text.gif" ascii
-        $str09 = "SeImpersonatePrivilege" ascii
-        
-    condition:
-        uint16(0)==0x5A4D and 6 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_implant_win_incontroller.yar b/yara_rules/sekoiaio_implant_win_incontroller.yar
deleted file mode 100644
index a732cfa..0000000
--- a/yara_rules/sekoiaio_implant_win_incontroller.yar
+++ /dev/null
@@ -1,50 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_implant_win_incontroller {
-    meta:
-        id = "c346c6ea-c5c0-4e9f-a632-1e8ed0286fbc"
-        version = "1.0"
-        description = "Detect the INCONTROLLER implant "
-        author = "Sekoia.io"
-        creation_date = "2022-04-14"
-        classification = "TLP:CLEAR"
-        hash = "69296ca3575d9bc04ce0250d734d1a83c1348f5b6da756944933af0578bd41d2"
-        reference = "https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool"
-        
-    strings:
-        $ = "AsRockDrv.sys" ascii
-        $ = "C:\\Users\\User1\\Desktop\\dev projects\\SignSploit1\\x64\\Release\\AsrDrv_exploit.pdb" ascii
-        $ = "found map in %.3f sec physical address : %016I64x" ascii
-        $ = "get physical regions error : %x!"
-        $ = "Device AsrDrv103 was opened successefuly!" ascii
-        $ = "Ioctl handler AsrDrv103 was found successefuly!" ascii
-        $ = "cant open the AsrDrv103!" ascii
-        $ = "can't read a unsigned driver ! " ascii
-        $ = "cant drop and load exploatable driver ! " ascii
-        $ = "please set unsigned driver as argument to program!" ascii
-        $ = "\\DosDevices\\AsrDrv103" wide
-        $t = "This program cannot be run in DOS mode."
-        
-    condition:
-        (uint16(0)==0x5A4D
-        and 4 of them
-        and filesize < 800KB
-        and #t == 2)
-        
-        // Imphash
-        or pe.imphash() == "f139e860bc959a7e65a008399425c090"
-        
-        // Section MD5
-        or for any i in (0..pe.number_of_sections-1) : (
-            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "a2fe4d32d74354c391a283178f0291e6"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "c33f9caa68fe46c6996a928ba5a38fd6"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "d9a1f1a4d48906da1d9f33eae0f0eaef"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "76426b0209a87fa32ca28e9f2361be67"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "9e63a5064b755925598b8d72ace52dc9"
-        )
-        
-        // Rich Header
-        or hash.md5(pe.rich_signature.clear_data) == "140d7fb360dbebb03edab903b5d08285"
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_implant_win_knotweed_jumplump.yar b/yara_rules/sekoiaio_implant_win_knotweed_jumplump.yar
deleted file mode 100644
index f401365..0000000
--- a/yara_rules/sekoiaio_implant_win_knotweed_jumplump.yar
+++ /dev/null
@@ -1,76 +0,0 @@
-import "pe"
-        
-rule sekoiaio_implant_win_knotweed_jumplump {
-    meta:
-        id = "8f8cec7a-624b-4306-87f4-bde8ccc3a2d0"
-        version = "1.0"
-        author = "Sekoia.io"
-        creation_date = "2022-07-27"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "DllCanUnloadNow"
-        $s2 = "DllGetClassObject"
-        $s3 = "_initterm"
-        $s4 = "__C_specific_handler"
-        $s5 = "HeapFree"
-        $s6 = "EnterCriticalSection"
-        $s7 = "EventUnregister"
-        $s8 = "LeaveCriticalSection"
-        $s9 = "WaitForSingleObject"
-        $s10 = "GetCurrentThreadId"
-        $s11 = "GetLastError"
-        $s12 = "CloseHandle"
-        $s13 = "HeapAlloc"
-        $s14 = "EventRegister"
-        $s15 = "GetProcAddress"
-        $s16 = "DeleteCriticalSection"
-        $s17 = "GetCurrentProcessId"
-        $s18 = "GetProcessHeap"
-        $s19 = "DisableThreadLibraryCalls"
-        $s20 = "Sleep"
-        $s21 = "RtlCaptureContext"
-        $s22 = "RtlLookupFunctionEntry"
-        $s23 = "RtlVirtualUnwind"
-        $s24 = "UnhandledExceptionFilter"
-        $s25 = "SetUnhandledExceptionFilter"
-        $s26 = "GetCurrentProcess"
-        $s27 = "TerminateProcess"
-        $s28 = "QueryPerformanceCounter"
-        $s29 = "GetSystemTimeAsFileTime"
-        $s30 = "GetTickCount"
-        $s31 = "CoCreateInstance"
-        $s32 = "RegCloseKey"
-        $s33 = "GetModuleFileNameW"
-        $s34 = "RegCreateKeyExW"
-        $s35 = "RegSetValueExW"
-        $s36 = "LocalFree"
-        $s37 = "RegOpenKeyExW"
-        $s38 = "OLEAUT32.dll"
-        $s39 = "memcpy"
-        $s40 = "memcmp"
-        $s41 = "memset"
-        $s42 = "LoadLibraryW"
-        $s43 = "OpenProcessToken"
-        $s44 = "DllRegisterServer"
-        $s45 = "DllUnregisterServer"
-        $s46 = "040904B0" wide
-        
-        $api_hash1 = {5D 44 11 FF} //GetModuleFileNameW
-        $api_hash2 = {4C 77 D6 07} //LoadLibraryW
-        $api_hash3 = {38 68 0D 16} //CreateThread
-        $api_hash4 = {40 DE CE 72} //GetWindowsDirectoryW
-        $api_hash5 = {08 87 1D 60} //WaitForSingleObject
-        $api_hash6 = {26 C6 0B 1B} //OpenProcessToken
-        $api_hash7 = {0C DC 67 55} //GetTokenInformation
-        $api_hash8 = {AA C5 E2 5D} //GetLastError
-        $api_hash9 = {C6 96 87 52} //CloseHandle
-        $api_hash10 = {F8 8E C2 92} //IsWellKnownSid
-        
-    condition:
-        uint16(0)==0x5A4D
-        and pe.number_of_sections == 7
-        and all of ($s*)
-        and 1 of ($api_hash*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_implant_win_lyceum.yar b/yara_rules/sekoiaio_implant_win_lyceum.yar
deleted file mode 100644
index 9d82143..0000000
--- a/yara_rules/sekoiaio_implant_win_lyceum.yar
+++ /dev/null
@@ -1,31 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_implant_win_lyceum {
-    meta:
-        id = "e061562f-9c17-4ef4-b7f9-2c6708bb6570"
-        version = "1.0"
-        description = "Detect the DnsSystem malware used by Lyceum in March 2022"
-        author = "Sekoia.io"
-        creation_date = "2022-06-13"
-        classification = "TLP:CLEAR"
-        reference = "https://www.zscaler.com/blogs/security-research/lyceum-net-dns-backdoor"
-        
-    strings:
-        $ = "$02c7afab-7f96-4dfa-b452-832e3624e270" ascii
-        $ = "C:\\Users\\u1\\Downloads\\Compressed\\article_src\\DnsDig\\DnsDig\\obj\\Release\\DnsDig.pdb" ascii
-        
-    condition:
-        uint16(0)==0x5A4D and 1 of them
-        
-        // Section
-        or for any i in (0..pe.number_of_sections-1) : (
-            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "d0e0c140e4831f835bcdcc6b463f3acc"
-        )
-        
-        // Resource
-        or for any i in (0..pe.number_of_resources-1) : (
-            hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "22c92a1ba6ffd828637d7045261db7a45608ddd6d7c85836af011b3c679c725f"
-        )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_implant_win_magicrat.yar b/yara_rules/sekoiaio_implant_win_magicrat.yar
deleted file mode 100644
index c3c0ebb..0000000
--- a/yara_rules/sekoiaio_implant_win_magicrat.yar
+++ /dev/null
@@ -1,25 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_implant_win_magicrat {
-    meta:
-        id = "74973682-b214-48ee-98c3-f4b6bef76587"
-        version = "1.0"
-        description = "Detect Lazarus' MagicRAT"
-        author = "Sekoia.io"
-        creation_date = "2022-09-13"
-        classification = "TLP:CLEAR"
-        reference = "https://blog.talosintelligence.com/2022/09/lazarus-magicrat.html"
-        hash1 = "9dc04153455d054d7e04d46bcd8c13dd1ca16ab2995e518ba9bf33b43008d592"
-        hash2 = "c2904dc8bbb569536c742fca0c51a766e836d0da8fac1c1abd99744e9b50164f"
-        hash3 = "f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332"
-        
-    condition:
-        uint16(0)==0x5A4D
-        and filesize > 15MB
-        and for any i in (0..pe.number_of_sections-1) : (
-            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "39dfb9f035cba21ffd90973904f90469"
-            and pe.sections[i].name == ".qtmetad"
-        )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_implant_win_mysterysnail.yar b/yara_rules/sekoiaio_implant_win_mysterysnail.yar
deleted file mode 100644
index 9477eee..0000000
--- a/yara_rules/sekoiaio_implant_win_mysterysnail.yar
+++ /dev/null
@@ -1,28 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_implant_win_mysterysnail {
-    meta:
-        id = "dfd2eba8-eb9c-411a-b5e0-663593453e3d"
-        version = "1.0"
-        description = "Detect the MysterySnail using section hashes"
-        author = "Sekoia.io"
-        creation_date = "2021-10-13"
-        classification = "TLP:CLEAR"
-        
-    condition:
-        uint16(0)==0x5A4D and (
-            pe.imphash() == "de0c9e6aec27d278ccdb6718b3e96e32"
-            or for any i in (0..pe.number_of_sections-1) : (
-                hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "a41b6fb1cc34d6393e30c13a58f6ecd4"
-                or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "f263a2be76694feab7e2ce79ecf8b724"
-                or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "e9056ae96619d7aa18daa973da592afc"
-                or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "3e38e89e9e8329f5cff8a7022d88fff7"
-                or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "ce78f8599167c63e8f1c8d3e789c4a60"
-                or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "456d4f1096bf5c72cd6e1e3eb9980ec6"
-                or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "37e2bff637001fc64566fe651757f66e"
-            )
-            or hash.md5(pe.rich_signature.clear_data) == "e4116fffa240ba6d91b400541ce85182"
-        )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_implant_win_pingpull.yar b/yara_rules/sekoiaio_implant_win_pingpull.yar
deleted file mode 100644
index 8979e6c..0000000
--- a/yara_rules/sekoiaio_implant_win_pingpull.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule sekoiaio_implant_win_pingpull {
-    meta:
-        id = "521615d4-912b-4581-b5a9-a8b158ac9496"
-        version = "1.0"
-        description = "Detect the PingPull malware used by GALLUM in 2022"
-        author = "Sekoia.io"
-        creation_date = "2022-06-13"
-        classification = "TLP:CLEAR"
-        reference = "https://unit42.paloaltonetworks.com/pingpull-gallium/#Protections-and-Mitigations"
-        
-    strings:
-        $ = "PROJECT_%s_%s_%08X"
-        
-    condition:
-        uint16(0)==0x5A4D and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_implant_win_quantum_builder_lnk.yar b/yara_rules/sekoiaio_implant_win_quantum_builder_lnk.yar
deleted file mode 100644
index c54aaf3..0000000
--- a/yara_rules/sekoiaio_implant_win_quantum_builder_lnk.yar
+++ /dev/null
@@ -1,45 +0,0 @@
-rule sekoiaio_implant_win_quantum_builder_lnk {
-    meta:
-        id = "65f8a426-8bf3-4f7f-b7d2-fd8da5b660f7"
-        version = "1.0"
-        description = "Detect .LNK files created using Quantum Builder"
-        author = "Sekoia.io"
-        creation_date = "2022-06-22"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $magic_lnk = { 4C 00 00 00 01 14 02 00 }
-        $powershell_ascii = "\\WindowsPowerShell\\v1.0\\powershell.exe"
-        $powershell_wide = "powershell.exe" wide
-        
-        $start = "<#" wide
-        $end = "#>" wide
-        $foreach = "=$Null;foreach(" wide
-        $return = "};return" wide
-        $char = "[char]" wide
-        
-        $aes = "New-Object 'System.Security.Cryptography.AesManaged'" wide nocase
-        $base64 = "[System.Convert]::FromBase64String" wide nocase
-        $decryptor = "CreateDecryptor();" wide nocase
-        
-    condition:
-        $magic_lnk at 0
-        and all of ($powershell*)
-        
-        and (
-            // Obfuscated
-            $start
-            and $end
-            and $foreach
-            and $return
-            and $char
-            
-            or
-            
-            // AES + Base64
-            $aes
-            and $base64
-            and $decryptor
-        )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_implant_win_quasarrat.yar b/yara_rules/sekoiaio_implant_win_quasarrat.yar
deleted file mode 100644
index 169f1a5..0000000
--- a/yara_rules/sekoiaio_implant_win_quasarrat.yar
+++ /dev/null
@@ -1,26 +0,0 @@
-rule sekoiaio_implant_win_quasarrat {
-    meta:
-        id = "492fdffc-8e5f-4225-a2eb-cd6d80e6bcb8"
-        version = "1.0"
-        description = "Detect QuasarRAT (reted from samples 2023-03)"
-        author = "Sekoia.io"
-        creation_date = "2023-03-17"
-        classification = "TLP:CLEAR"
-        reference = "https://blog.alyac.co.kr/5103"
-        
-    strings:
-        // chcp 65001
-        $ = {63 00 68 00 63 00 70 00 20 00 36 00 35 00 30 00 30 00 31 00}
-        // echo DONT CLOSE THIS WINDOW!
-        $ = {65 00 63 00 68 00 6f 00 20 00 44 00 4f 00 4e 00 54 00 20 00 43 00 4c 00 4f 00 53 00 45 00 20 00 54 00 48 00 49 00 53 00 20 00 57 00 49 00 4e 00 44 00 4f 00 57 00 21 00}
-        // ping -n 10 localhost > nul
-        $ = {70 00 69 00 6e 00 67 00 20 00 2d 00 6e 00 20 00 31 00 30 00 20 00 6c 00 6f 00 63 00 61 00 6c 00 68 00 6f 00 73 00 74 00 20 00 3e 00 20 00 6e 00 75 00 6c 00}
-        // del /a /q /f "
-        $ = {64 00 65 00 6c 00 20 00 2f 00 61 00 20 00 2f 00 71 00 20 00 2f 00 66 00 20 00 22 00}
-        $ = "DoShellExecute"
-        $ = "DoDownloadFile"
-        
-    condition:
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_implant_win_sliver_dll.yar b/yara_rules/sekoiaio_implant_win_sliver_dll.yar
deleted file mode 100644
index 330cdd9..0000000
--- a/yara_rules/sekoiaio_implant_win_sliver_dll.yar
+++ /dev/null
@@ -1,33 +0,0 @@
-import "pe"
-        
-rule sekoiaio_implant_win_sliver_dll {
-    meta:
-        id = "41d83011-a08b-4245-b633-79fe6afaa4d2"
-        author = "Sekoia.io"
-        creation_date = "2021-11-08"
-        modification_date = "2021-12-22"
-        description = "Detect the Sliver DLL based on export names (standalone and process/memory dumps)"
-        version = "1.1"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $a1 = "main.RunSliver"
-        $a2 = "main.DllInstall"
-        
-    condition:
-        (   filesize > 8MB and
-        filesize < 11MB and
-        uint16be(0) == 0x4d5a and
-        pe.characteristics & pe.DLL and
-        pe.exports("RunSliver") and
-        pe.exports("DllInstall") and
-        pe.exports("VoidFunc")
-        )
-        or
-        (
-            true and ( uint32be(0) == 0x4d444d50 or
-            uint32be(0) == 0x00000000
-        ) and $a2 in (@a1..@a1+100)
-        )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_in2al5d_p3in4er_loader.yar b/yara_rules/sekoiaio_in2al5d_p3in4er_loader.yar
deleted file mode 100644
index 91ba4a2..0000000
--- a/yara_rules/sekoiaio_in2al5d_p3in4er_loader.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-import "pe"
-        
-rule sekoiaio_in2al5d_p3in4er_loader {
-    meta:
-        id = "6dd3046d-55fb-4bcc-8735-dbc0add4d570"
-        version = "1.0"
-        description = "Invalid printer loader detection based on the XOR key"
-        author = "Sekoia.io"
-        creation_date = "2023-04-24"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $xor_key = "in2al5d p3in4er" ascii fullword
-        
-    condition:
-        all of them and (filesize > 4MB and filesize < 7MB) and pe.is_pe
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_mac_realst.yar b/yara_rules/sekoiaio_infostealer_mac_realst.yar
deleted file mode 100644
index b0ed7df..0000000
--- a/yara_rules/sekoiaio_infostealer_mac_realst.yar
+++ /dev/null
@@ -1,33 +0,0 @@
-rule sekoiaio_infostealer_mac_realst {
-    meta:
-        id = "16a89317-c92d-4e13-94d3-a85a915f52e5"
-        version = "1.0"
-        description = "Finds Realst Stealer samples based on specific strings"
-        author = "Sekoia.io"
-        reference = "https://iamdeadlyz.gitbook.io/malware-research/july-2023/fake-blockchain-games-deliver-redline-stealer-and-realst-stealer-a-new-macos-infostealer-malware#realst-stealer-macos"
-        creation_date = "2023-09-11"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str00 = "realst@" ascii
-        $str01 = "IP:" ascii
-        $str02 = "OS:" ascii
-        $str03 = "PC PASSWORD:" ascii
-        $str04 = "Cookies:" ascii
-        $str05 = "Wallets:" ascii
-        $str06 = "Apps:" ascii
-        $str07 = "USERNAME: ]" ascii
-        $str08 = "FILENAME:" ascii
-        $str09 = "multipart/form-data; boundary=" ascii
-        $str10 = "src/browsers/firefox/modules/decryptors.rs" ascii
-        $str11 = "{\"event_id\":\"" ascii
-        $str12 = "..browsers..firefox..modules..data_stealers.." ascii
-        $str13 = "..browsers..chromium..modules..key_stealers.." ascii
-        $str14 = "..browsers..firefox..modules..decryptors.." ascii
-        $str15 = "url: , login: , password:" ascii
-        
-    condition:
-        (uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca) //macho
-        and 13 of ($str*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_44caliber.yar b/yara_rules/sekoiaio_infostealer_win_44caliber.yar
deleted file mode 100644
index f228aec..0000000
--- a/yara_rules/sekoiaio_infostealer_win_44caliber.yar
+++ /dev/null
@@ -1,29 +0,0 @@
-rule sekoiaio_infostealer_win_44caliber {
-    meta:
-        id = "44e5bbc1-f442-47d3-8431-25182f38439d"
-        version = "1.0"
-        description = "Finds samples of the 44Caliber stealer"
-        author = "Sekoia.io"
-        reference = "https://github.com/razexgod/44CALIBER"
-        creation_date = "2022-03-08"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str0 = "44 CALIBER" fullword ascii
-        $str1 = "https://api.vimeworld.ru/user/name/" wide
-        $str2 = "https://freegeoip.app/xml/" wide
-        $str3 = "SOFTWARE\\Wow6432Node\\Valve\\Steam" wide
-        $str4 = "VPN\\NordVPN\\\\accounts.txt" wide
-        $str5 = "OpenVPN Connect\\profiles" wide
-        $str6 = "FuckTheSystem Copyright"  wide
-        $str7 = "lolz.guru"  wide
-        $str8 = "xss.is" wide
-        $str9 = "Test message recieved successfully! :raised_hands:" wide
-        $str10 = "Specify a single character: either D or F" wide
-        
-    condition:
-        uint16(0)==0x5A4D and
-        9 of ($str*) and
-        filesize > 100KB and filesize < 1MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_acridrain_mar23.yar b/yara_rules/sekoiaio_infostealer_win_acridrain_mar23.yar
deleted file mode 100644
index eec5586..0000000
--- a/yara_rules/sekoiaio_infostealer_win_acridrain_mar23.yar
+++ /dev/null
@@ -1,41 +0,0 @@
-rule sekoiaio_infostealer_win_acridrain_mar23 {
-    meta:
-        id = "049b502a-0fb6-4fa9-a1ce-f01a40269bdb"
-        version = "1.0"
-        description = "Finds AcridRain samples"
-        author = "Sekoia.io"
-        creation_date = "2023-03-21"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "\",\"r\":" ascii
-        $str02 = "\",\"s\":\"" ascii
-        $str03 = "\",\"p\":\"" ascii
-        $str04 = "\",\"a\":\"" ascii
-        $str05 = ",\"c\":" ascii
-        $str06 = ",\"g\" :" ascii
-        $str07 = "v7166637466625297979 t2537736810932639330 ath5ee645e0 altpriv cvcv=2 cexpw=1 smf=0" ascii
-        $str08 = "Content-Type: multipart/form-data; boundary=----974767299852498929531610575" ascii
-        $str09 = "\\Roaming\\Bitwarden\\data\\bitwarden.sqlite3" ascii
-        
-        $ste01 = "\\Roaming\\Exodus\\exodus.wallet" ascii
-        $ste02 = "\\Roaming\\Electron Cash\\wallets" ascii
-        $ste03 = "\\Roaming\\com.liberty.jaxx\\IndexedDB\\file__0.indexeddb.leveldb" ascii
-        $ste04 = "\\Local Extension Settings\\" ascii
-        $ste05 = "cnmamaachppnkjgnildpdmkaakejnhae" ascii
-        $ste06 = "ffnbelfdoeiohenkjibnmadjiehjhajb" ascii
-        $ste07 = "\\formhistory.sqlite" ascii
-        $ste08 = "\\logins.json" ascii
-        $ste09 = "encrypted_key" ascii
-        $ste10 = "\\Login Data" ascii
-        
-        $enc01 = "bX5cVw8FKyAKZVxXXUAdSTUXCXdCV0FoOxoSF0ZEUEZS" ascii
-        $enc02 = "bX5cVw8FKywUaVVbRlkyPAQAFCB1U0dV" ascii
-        $enc03 = "bX5cVw8FKzQvUBFhRkYINSIWA3IRdlJADw==" ascii
-        $enc04 = "bX5cVw8FKzYWdUVcWl8iCBU5NXBERl1dBTUiFgNyEXZSQA8=" ascii
-        $enc05 = "bWBcVQMAGQI6UEJbGGgeGxgDD2xUQW9QCw8WEAp0" ascii
-        
-    condition:
-        uint16(0) == 0x5A4D and 5 of ($str*) and 7 of ($ste*) and 1 of ($enc*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_acrstealer_str.yar b/yara_rules/sekoiaio_infostealer_win_acrstealer_str.yar
deleted file mode 100644
index 476062a..0000000
--- a/yara_rules/sekoiaio_infostealer_win_acrstealer_str.yar
+++ /dev/null
@@ -1,30 +0,0 @@
-rule sekoiaio_infostealer_win_acrstealer_str {
-    meta:
-        id = "63b4d6ff-0cab-44ec-9d53-bb2612371a48"
-        version = "1.0"
-        description = "Finds ACR Stealer standalone samples based on specific strings."
-        author = "Sekoia.io"
-        creation_date = "2024-04-22"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "ref.txt" ascii
-        $str02 = "Wininet.dll" ascii
-        $str03 = "Content-Type: application/octet-stream; boundary=----" ascii
-        $str04 = "POST" ascii
-        $str05 = "os_c" ascii fullword
-        $str06 = "en_k" ascii fullword
-        $str07 = "MyApp/1.0" ascii
-        $str08 = "/Up/b" ascii
-        $str09 = "Hello, World!" ascii
-        $str10 = "/ujs/" ascii
-        $str11 = "/Up/" ascii fullword
-        $str12 = "ostr" ascii fullword
-        $str13 = "brCH" ascii fullword
-        $str14 = "brGk" ascii fullword
-        $str15 = "https://steamcommunity.com/profiles/" ascii
-        
-    condition:
-        uint16(0)==0x5A4D and 10 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_agrat.yar b/yara_rules/sekoiaio_infostealer_win_agrat.yar
deleted file mode 100644
index f358722..0000000
--- a/yara_rules/sekoiaio_infostealer_win_agrat.yar
+++ /dev/null
@@ -1,28 +0,0 @@
-rule sekoiaio_infostealer_win_agrat {
-    meta:
-        id = "472effe8-5044-4ca1-88e0-3e19d445b9d1"
-        version = "1.0"
-        author = "Sekoia.io"
-        creation_date = "2022-06-01"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str00 = "Vault.txt" wide
-        $str01 = "Credman.txt" wide
-        $str02 = "[Networks] {0}" wide
-        $str03 = "[Screenshot] {0}" wide
-        $str04 = "[Twitch] {0}" wide
-        $str05 = "Servers.txt" wide
-        $str06 = "[WindscribeVPN] {0}" wide
-        $str07 = "[{0}] Thread finished!" wide
-        $str08 = "[ERROR] Unable to enumerate vaults. Error (0x" wide
-        $str09 = "snowflake-ssh" wide
-        $str10 = "//setting[@name='Password']/value" wide
-        $str11 = "MakeScreenshot" ascii
-        
-        $sys = "System.Collections.Generic.IEnumerator<Stealer." ascii
-        
-    condition:
-        uint16(0)==0x5A4D and all of them and #sys > 10
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_aurora.yar b/yara_rules/sekoiaio_infostealer_win_aurora.yar
deleted file mode 100644
index 6dea724..0000000
--- a/yara_rules/sekoiaio_infostealer_win_aurora.yar
+++ /dev/null
@@ -1,36 +0,0 @@
-rule sekoiaio_infostealer_win_aurora {
-    meta:
-        version = "1.0"
-        description = "Finds Aurora samples based on characteristic strings"
-        author = "Sekoia.io"
-        creation_date = "2022-11-15"
-        id = "22ae81b4-647f-4b46-9b2a-dd96e0615d65"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str00 = "I'm a teapot" ascii
-        $str01 = "wmic cpu get name" ascii
-        $str02 = "wmic path win32_VideoController get" ascii
-        $str03 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Time Zones" ascii
-        $str04 = "Exodus\\exodus.wallet" ascii
-        $str05 = "PaliWallet" ascii
-        $str06 = "cookies.sqlite" ascii
-        $str07 = "Startup\\Documents\\User Data" ascii
-        $str08 = "atomic\\Local Storage\\leveldb" ascii
-        $str09 = "com.liberty.jaxx\\IndexedDB" ascii
-        $str10 = "Guarda\\Local Storage\\leveldb" ascii
-        $str11 = "AppData\\Roaming\\Telegram Desktop\\tdata" ascii
-        $str12 = "Ethereum\\keystore" ascii
-        $str13 = "Coin98" ascii
-        $str14 = ".bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.xml.zip" ascii
-        $str15 = "type..eq.main.Grabber" ascii
-        $str16 = "type..eq.main.Loader_A" ascii
-        $str17 = "type..eq.net/http.socksUsernamePassword" ascii
-        $str18 = "powershell" ascii
-        $str19 = "start-process" ascii
-        $str20 = "http/httpproxy" ascii
-        
-    condition:
-        uint16(0)==0x5A4D and 15 of them and filesize > 4MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_aurora_str.yar b/yara_rules/sekoiaio_infostealer_win_aurora_str.yar
deleted file mode 100644
index 54c3a60..0000000
--- a/yara_rules/sekoiaio_infostealer_win_aurora_str.yar
+++ /dev/null
@@ -1,35 +0,0 @@
-import "pe"
-        
-rule sekoiaio_infostealer_win_aurora_str {
-    meta:
-        version = "1.0"
-        description = "Finds Aurora botnet samples based on characteristic strings."
-        author = "Sekoia.io"
-        creation_date = "2022-07-21"
-        id = "1f4391b8-700f-4702-9ef6-68ce3d55a176"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "Logs.tar" ascii
-        $str02 = "*main.StealerData" ascii
-        $str03 = "AppData\\Roaming\\Armory" ascii
-        $str04 = "AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data" ascii
-        $str05 = "github.com/TheTitanrain/w32" ascii
-        $str06 = "github.com/mattn/go-sqlite3" ascii
-        $str07 = "ScreenShot" ascii
-        $str08 = "*sql.stmtConnGrabber" ascii
-        $str09 = "Default\\Network\\Cookies" ascii
-        $str10 = "BuildID" ascii
-        $str11 = "Clipper" ascii
-        $str12 = "GeoPos" ascii
-        $str13 = "AppData\\Roaming\\Exodus\\exodus.wallet" ascii
-        $str14 = "FileGrabber\\Documents" ascii
-        $str15 = "193.233.48." ascii
-        $str16 = "ShellExecute" ascii
-        $str17 = "crypto/aes.(*aesCipherGCM).Encrypt" ascii
-        $str18 = "File-Download" ascii
-        
-    condition:
-        uint16(0)==0x5A4D and (14 of them or pe.imphash() == "8ee5c1c09f740fbe63e8b35dac5d6f70" or pe.imphash() == "369b4f5b6c99674f15070689e1f675af")
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_banditstealer.yar b/yara_rules/sekoiaio_infostealer_win_banditstealer.yar
deleted file mode 100644
index 802bec4..0000000
--- a/yara_rules/sekoiaio_infostealer_win_banditstealer.yar
+++ /dev/null
@@ -1,36 +0,0 @@
-rule sekoiaio_infostealer_win_banditstealer {
-    meta:
-        id = "d1e45a5c-c06d-4161-8d30-fa94bcf0ea7a"
-        version = "1.0"
-        description = "Finds BanditStealer samples based on specific strings"
-        author = "Sekoia.io"
-        creation_date = "2023-07-03"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $spe01 = "Banditstealer" ascii
-        $spe02 = "BANDIT STEALER" ascii
-        $spe03 = "Location: Geolocation: " ascii
-        $spe04 = "awesomeProject2/core.GetWallets" ascii
-        $spe05 = "awesomeProject2/core.GetCreditCards" ascii
-        $spe06 = "awesomeProject2/core.GetCookies" ascii
-        $spe07 = "awesomeProject2/core.KillProcessByName" ascii
-        $spe08 = "main.sendZipToTelegram" ascii
-        
-        $str01 = "json:\"city\"" ascii
-        $str02 = "UAC disabled" ascii
-        $str03 = "\\OpenVPN Connect\\profiles\\" ascii
-        $str04 = "\\Documents\\Monero\\wallets\\" ascii
-        $str05 = "cookies.sqlite" ascii
-        $str06 = "creditcard.txt" ascii
-        $str07 = "vmware.exe" ascii
-        $str08 = "aeachknmefphepccionboohckonoeemg" ascii
-        $str09 = "\\Documents\\NetSarang\\Xftp\\Sessions\\" ascii
-        $str10 = "\\WhatsApp\\Local Storage\\leveldb\\" ascii
-        $str11 = "Visited Time: %s" ascii
-        $str12 = "\\Google\\Chrome\\User Data\\Telegram Desktop\\tdata\\" ascii
-        
-    condition:
-        uint16(0) == 0x5a4d and 2 of ($spe*) and 6 of ($str*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_bebra.yar b/yara_rules/sekoiaio_infostealer_win_bebra.yar
deleted file mode 100644
index 33e8c2b..0000000
--- a/yara_rules/sekoiaio_infostealer_win_bebra.yar
+++ /dev/null
@@ -1,27 +0,0 @@
-rule sekoiaio_infostealer_win_bebra {
-    meta:
-        id = "e84d04a7-1232-47e5-b797-ac8e56066796"
-        version = "1.0"
-        description = "Find samples of Bebra Stealer based on specific strings"
-        author = "Sekoia.io"
-        creation_date = "2023-02-06"
-        classification = "TLP:CLEAR"
-        hash = "7841746c54c53dbcafdf3f357c7a84b90fe3b089e07f30dea15ef6f7f15b0f00"
-        
-    strings:
-        $str01 = "https://studio.youtube.com/youtubei/v1/att/esr?alt=json&key=" ascii
-        $str02 = "https://www.youtube.com/getAccountSwitcher" ascii
-        $str03 = "\"challenge\":\"" ascii
-        $str04 = "\"botguardResponse\":\"" ascii
-        $str05 = "\"continueUrl\":\"https://studio.youtube.com/reauth\"," ascii
-        $str06 = "\"flow\":\"REAUTH_FLOW_YT_STUDIO_COLD_LOAD\"," ascii
-        $str07 = "\"xguardClientStatus\":0" ascii
-        $str08 = "SAPISIDHASH" ascii
-        $str09 = "system32\\cmd.exe /C choice /C Y /N /D Y /T 0 &Del" ascii
-        $str10 = "/new.php" ascii
-        $str11 = "github.com/mattn/go-sqlite3" ascii
-        
-    condition:
-        uint16(0)==0x5A4D and 9 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_blackcap.yar b/yara_rules/sekoiaio_infostealer_win_blackcap.yar
deleted file mode 100644
index cc531fb..0000000
--- a/yara_rules/sekoiaio_infostealer_win_blackcap.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_infostealer_win_blackcap {
-    meta:
-        id = "1aa1fadb-3413-46e2-b733-1ad2134f7be2"
-        version = "1.0"
-        description = "Finds BlackCap Grabber samples (Python code obfuscated using Py-Fuscate)"
-        author = "Sekoia.io"
-        creation_date = "2023-03-06"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $imp01 = "import asyncio, json, ntpath, random, re, shutil, sqlite3, subprocess, threading, winreg, zipfile, httpx, psutil, win32gui, win32con, pyperclip, base64, requests, ctypes, time" ascii
-        $imp02 = "from ctypes import windll, wintypes, byref, cdll, Structure, POINTER, c_char, c_buffer;from Crypto.Cipher import AES;from PIL import ImageGrab;from win32crypt import CryptUnprotectData" ascii
-        
-        $pyf01 = "import marshal,lzma,gzip,bz2,binascii,zlib;exec(marshal.loads(binascii.a2b_base64(b'YwAAAAAA" ascii
-        
-    condition:
-        ($imp01 in (0..500) and $pyf01 in (@imp01+200..@imp01+1000) or $imp02 in (0..1000) and $pyf01 in (@imp02+100..@imp02+500)) and
-        filesize > 100KB and filesize < 500KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_blackguard_mar23.yar b/yara_rules/sekoiaio_infostealer_win_blackguard_mar23.yar
deleted file mode 100644
index 8d8aab0..0000000
--- a/yara_rules/sekoiaio_infostealer_win_blackguard_mar23.yar
+++ /dev/null
@@ -1,25 +0,0 @@
-rule sekoiaio_infostealer_win_blackguard_mar23 {
-    meta:
-        id = "65804d31-2a0c-4b22-a8d9-8cbe1497f155"
-        version = "1.0"
-        description = "Finds BlackGuard samples based on specific strings (March 2023, version 5)"
-        author = "Sekoia.io"
-        creation_date = "2023-03-27"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "==================  5.0 ==============" wide
-        $str02 = "/concerts/disk.php" wide
-        $str03 = "/concerts/memory.php" wide
-        $str04 = "/loader_v2.txt" wide
-        $str05 = "io.solarwallet.app\\Local Storage\\leveldb" wide
-        $str06 = "costura.dotnetzip.dll.compressed" ascii wide
-        $str07 = "set_Laskakakaska" ascii
-        $str08 = "get_Yliana" ascii
-        $str09 = "set_Illeona" ascii
-        $str10 = "set_Gyttettfd" ascii
-        
-    condition:
-        uint16(0) == 0x5A4D and 4 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_blustealer.yar b/yara_rules/sekoiaio_infostealer_win_blustealer.yar
deleted file mode 100644
index c83e20c..0000000
--- a/yara_rules/sekoiaio_infostealer_win_blustealer.yar
+++ /dev/null
@@ -1,30 +0,0 @@
-rule sekoiaio_infostealer_win_blustealer {
-    meta:
-        version = "1.0"
-        description = "Detect the BluStealer infostealer based on characteristic strings"
-        author = "Sekoia.io"
-        creation_date = "2022-10-05"
-        id = "a56b3c12-9d83-4a0b-81e8-43332e64d599"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $cha01 = "@top\\LOGGERS\\DARKCLOUD" wide
-        $cha02 = "===============DARKCLOUD===============" wide
-        $cha03 = "#######################################DARKCLOUD#######################################" wide
-        $cha04 = "fireballsabadafirebricksfisherboat" ascii
-        $cha05 = "Moonchild Pro2ductions" wide
-        
-        $str01 = "\\Microsoft\\Windows\\Templates\\credentials.txt" wide
-        $str02 = "\\NETGATE Technologies\\BlackHawK\\Profiles" wide
-        $str03 = "SysWOW64\\winsqlite3.dll" wide
-        $str04 = "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*RD_" wide
-        $str05 = "Expiry Date;" wide
-        $str06 = "SELECT c0subject, c3author, c4recipients, c1body  FROM messagesText_content" wide
-        $str07 = "http://www.mediacollege.com/internet/utilities/show-ip.shtml" wide
-        $str08 = "\\163MailContacts.txt" wide
-        $key_0  = {ba ?? ?? 40 00 8d 4?}
-        
-    condition:
-        uint16(0)==0x5A4D and 2 of ($cha*) and 4 of ($str*) and $key_0
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_cinoshistealer.yar b/yara_rules/sekoiaio_infostealer_win_cinoshistealer.yar
deleted file mode 100644
index 95198e8..0000000
--- a/yara_rules/sekoiaio_infostealer_win_cinoshistealer.yar
+++ /dev/null
@@ -1,30 +0,0 @@
-rule sekoiaio_infostealer_win_cinoshistealer {
-    meta:
-        id = "2e9c066b-d5e3-4a25-8954-c10af285bcd3"
-        version = "1.0"
-        description = "Finds Cinoshi Stealer samples based on specific strings, or PE resources"
-        author = "Sekoia.io"
-        creation_date = "2023-06-23"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "Anaida.exe" ascii wide
-        $str02 = "Anaida.pdb" ascii
-        $str03 = "embedder_download_data" ascii
-        $str04 = "date_password_modified" ascii
-        $str05 = "card_number_encrypted" ascii
-        $str06 = "set_UseZip64WhenSaving" ascii
-        $str07 = "set_CommandText" ascii
-        $str08 = "Nss3CouldNotBeLoaded" ascii
-        $str09 = "formhistory.sqlite" wide
-        $str10 = "logins.json" wide
-        $str11 = "\\nss3.dll" wide
-        $str12 = "\\cookies.sqlite" wide
-        $str13 = "\\places.sqlite" wide
-        $str14 = "\\autofill-profiles.json" wide
-        
-    condition:
-        uint16(0) == 0x5a4d and 9 of them 
-        and filesize > 400KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_daolpu_str.yar b/yara_rules/sekoiaio_infostealer_win_daolpu_str.yar
deleted file mode 100644
index cf6528d..0000000
--- a/yara_rules/sekoiaio_infostealer_win_daolpu_str.yar
+++ /dev/null
@@ -1,27 +0,0 @@
-rule sekoiaio_infostealer_win_daolpu_str {
-    meta:
-        id = "dde1cf12-48d8-45b6-b453-b7196e6b1271"
-        version = "1.0"
-        description = "Finds Daolpu Stealer samples based on specific strings."
-        author = "Sekoia.io"
-        reference = "https://www.crowdstrike.com/blog/fake-recovery-manual-used-to-deliver-unidentified-stealer/"
-        creation_date = "2024-07-23"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "Content-Type: %s%s%s" ascii
-        $str02 = "Content-Disposition: %s%s%s%s%s%s%s" ascii
-        $str03 = "\\CocCoc\\Browser\\User Data\\Local State" ascii
-        $str04 = "\\Microsoft\\Edge\\User Data\\Default\\Login Data" ascii
-        $str05 = "\\Mozilla\\Firefox\\Profiles" ascii
-        $str06 = "No MAC Address Found" ascii
-        $str07 = "C:\\Windows\\Temp\\" ascii
-        $str08 = "C:\\Windows\\Temp\\result.txt" ascii
-        $str09 = "Privatekey@2211#$" ascii
-        $str10 = "CryptStringToBinaryA Failed to convert BASE64 private key." ascii
-        $str11 = "taskkill /F /IM chrome.exe" ascii
-        
-    condition:
-        uint16(0)==0x5A4D and 8 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_doenerium_str.yar b/yara_rules/sekoiaio_infostealer_win_doenerium_str.yar
deleted file mode 100644
index bf3263a..0000000
--- a/yara_rules/sekoiaio_infostealer_win_doenerium_str.yar
+++ /dev/null
@@ -1,30 +0,0 @@
-rule sekoiaio_infostealer_win_doenerium_str {
-    meta:
-        id = "1645a86f-1063-4e98-a1fa-85fc8c4e9691"
-        version = "1.0"
-        description = "Detect the Doenerium infostealer based on specific strings"
-        author = "Sekoia.io"
-        creation_date = "2022-09-29"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "doenerium" ascii
-        $str02 = "<================[   User Info   ]>================>" ascii
-        $str03 = "<================[WiFi connections]>================>" ascii
-        $str04 = "<================[Executable Info]>================>" ascii
-        $str05 = "<================[ Network Data ]>================>" ascii
-        $str06 = "\\Network Data.txt" ascii
-        $str07 = "\\Update.exe\" --processStart" ascii
-        $str09 = "\\WiFi Connections.txt" ascii
-        $str10 = "\\User Info.txt" ascii
-        $str11 = "\\Executable Info.txt" ascii
-        $str12 = "\\Found Wallets.txt" ascii
-        $str13 = "SELECT origin_url, username_value, password_value FROM logins" ascii
-        $str14 = "https://cdn.discordapp.com/embed/avatars/0.png" ascii
-        $str15 = "detectClipboard" ascii
-        $str16 = ".gofile.io/uploadFile" ascii
-        
-    condition:
-        uint16(0)==0x5A4D and 6 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_ducklogs.yar b/yara_rules/sekoiaio_infostealer_win_ducklogs.yar
deleted file mode 100644
index aabafed..0000000
--- a/yara_rules/sekoiaio_infostealer_win_ducklogs.yar
+++ /dev/null
@@ -1,31 +0,0 @@
-rule sekoiaio_infostealer_win_ducklogs {
-    meta:
-        version = "1.0"
-        description = "Detects DuckLogs based on specific strings"
-        author = "Sekoia.io"
-        creation_date = "2022-12-01"
-        id = "165c7d3d-de7e-4d71-b94a-8ab4a0e5ddd5"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $dck = "DuckLogs" ascii wide
-        
-        $str01 = "CheckRemoteDebuggerPresent" ascii
-        $str02 = "MozGlueNotFound" ascii
-        $str03 = "get_DecryptedPassword" ascii
-        $str04 = "get_Extension" ascii
-        $str05 = "set_UseShellExecute" ascii
-        $str06 = "FirefoxPasswords" ascii
-        $str07 = "GetAllGeckoCookies" ascii
-        $str08 = "GetAllBlinkDownloadsBy" ascii
-        $str09 = "Grabbers" ascii
-        $str10 = "Utility" ascii
-        $str11 = "Persistance" ascii
-        $str12 = "Clipboard" ascii
-        $str13 = "WaterfoxGrabber" ascii
-        $str14 = "AvastGrabber" ascii
-        
-    condition:
-        uint16(0) == 0x5A4D and ((#dck > 4 and 2 of ($str*)) or 12 of them)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_edgeguard.yar b/yara_rules/sekoiaio_infostealer_win_edgeguard.yar
deleted file mode 100644
index 19b9960..0000000
--- a/yara_rules/sekoiaio_infostealer_win_edgeguard.yar
+++ /dev/null
@@ -1,33 +0,0 @@
-rule sekoiaio_infostealer_win_edgeguard {
-    meta:
-        id = "bbdb362f-d235-48f8-8fa5-d340d4e3e3f0"
-        version = "1.0"
-        description = "Finds EdgeGuard Stealer samples based on specific strings"
-        author = "Sekoia.io"
-        creation_date = "2023-08-22"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "main.downloadnecessary" ascii
-        $str02 = "main.extractchromepasswords" ascii
-        $str03 = "main.extracttasksch" ascii
-        $str04 = "main.BrowserDownloadsViewExtract" ascii
-        $str05 = "main.stealmetamask" ascii
-        $str06 = "main.stealexoduswallet" ascii
-        $str07 = "main.moveatomic" ascii
-        $str08 = "main.movefirefoxcookies" ascii
-        $str09 = "main.movepasswords" ascii
-        $str10 = "main.FinallyZIPIPFolder" ascii
-        $str11 = "edgeguard.business" ascii
-        $str12 = "/License.XenArmor" ascii
-        $str13 = "/TaskSchedulerView.exe" ascii
-        $str14 = "/BrowsingHistoryView.exe" ascii
-        $str15 = "/outlookfiles/starter.exe" ascii
-        $str16 = "/outlookfiles/External.zip" ascii
-        $str17 = "/outlookfiles/XenManager.dll" ascii
-        $str18 = "/outlookfiles/EmailPasswordRecoveryPro.exe" ascii
-        
-    condition:
-        uint16(0) == 0x5a4d and 10 of ($str*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_enigma_initial_loader.yar b/yara_rules/sekoiaio_infostealer_win_enigma_initial_loader.yar
deleted file mode 100644
index dcc9e1d..0000000
--- a/yara_rules/sekoiaio_infostealer_win_enigma_initial_loader.yar
+++ /dev/null
@@ -1,25 +0,0 @@
-rule sekoiaio_infostealer_win_enigma_initial_loader {
-    meta:
-        id = "664fe8de-b406-4d63-9a4b-1c350b444f00"
-        version = "1.0"
-        description = "Find initial loader of Enigma Stealer based on specific strings"
-        author = "Sekoia.io"
-        creation_date = "2023-01-30"
-        classification = "TLP:CLEAR"
-        hash = "03b9d7296b01e8f3fb3d12c4d80fe8a1bb0ab2fd76f33c5ce11b40729b75fb23"
-        
-    strings:
-        $str01 = "/getFile?file_id=" ascii
-        $str02 = "/file/bot" ascii
-        $str03 = "?file_id=" ascii
-        $str04 = "pInternetSetOptionA failed" wide
-        $str05 = "list_messages[file_path] failed" wide
-        $str06 = "iE&xit" wide
-        $str07 = "[GetTgFileById][GetTgRequest] reply is NULL" wide
-        $str08 = "Telegram request failed" wide
-        $str09 = "bot getted" wide
-        
-    condition:
-        uint16(0)==0x5A4D and 4 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_enigma_loader_module.yar b/yara_rules/sekoiaio_infostealer_win_enigma_loader_module.yar
deleted file mode 100644
index 61d132c..0000000
--- a/yara_rules/sekoiaio_infostealer_win_enigma_loader_module.yar
+++ /dev/null
@@ -1,26 +0,0 @@
-rule sekoiaio_infostealer_win_enigma_loader_module {
-    meta:
-        id = "664fe8de-b406-4d63-9a4b-1c350b444f01"
-        version = "1.0"
-        description = "Find loader module of Enigma Stealer based on specific strings"
-        author = "Sekoia.io"
-        creation_date = "2023-01-30"
-        classification = "TLP:CLEAR"
-        hash = "f1623c2f7c00affa3985cf7b9cdf25e39320700fa9d69f9f9426f03054b4b712"
-        
-    strings:
-        $str01 = "Enigma.Loader.Driver_x64.dll" ascii
-        $str02 = "C:\\projects\\driver\\Driver\\x64\\Release\\driver.pdb" ascii
-        $str03 = "/getFile?file_id=" ascii
-        $str04 = "/file/bot" ascii
-        $str05 = "Fatal error: failed to acquire SE_LOAD_DRIVER_PRIVILEGE. Make sure you are running as administrator." wide
-        $str06 = "[GetTgFileById][GetTgRequest] reply is NULL" wide
-        $str07 = "Telegram request failed" wide
-        $str08 = "Vul driver data destroyed before unlink" wide
-        $str09 = "GetExportAddress hash not found: %x" wide
-        $str10 = "\\REGISTRY\\MACHINE\\HARDWARE\\RESOURCEMAP\\PnP Manager\\PnpManager" wide
-        
-    condition:
-        uint16(0)==0x5A4D and 4 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_enigma_stealer_module.yar b/yara_rules/sekoiaio_infostealer_win_enigma_stealer_module.yar
deleted file mode 100644
index eceecff..0000000
--- a/yara_rules/sekoiaio_infostealer_win_enigma_stealer_module.yar
+++ /dev/null
@@ -1,29 +0,0 @@
-rule sekoiaio_infostealer_win_enigma_stealer_module {
-    meta:
-        id = "664fe8de-b406-4d63-9a4b-1c350b444f02"
-        version = "1.0"
-        description = "Find stealer module of Enigma Stealer based on specific strings"
-        author = "Sekoia.io"
-        creation_date = "2023-01-30"
-        classification = "TLP:CLEAR"
-        hash = "4d2fb518c9e23c5c70e70095ba3b63580cafc4b03f7e6dce2931c54895f13b2c"
-        
-    strings:
-        $eni01 = "enigma.common" nocase ascii wide
-        $eni02 = "--ENIGMA STEALER--" wide
-        
-        $str01 = "SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')" wide
-        $str02 = "/C chcp 65001 && netsh wlan show profile | findstr All" wide
-        $str03 = "/C chcp 65001 && netsh wlan show networks mode=bssid" wide
-        $str04 = "[Open google maps]" wide
-        $str05 = "Stealerium.Target." ascii
-        $str06 = "--- ClipperBCH ---" wide
-        $str07 = "//setting[@name='Username']/value" wide
-        $str08 = "Stealer >> Failed recursive remove directory with passwords" wide
-        $str09 = "[a-zA-Z0-9]{24}\\.[a-zA-Z0-9]{6}\\.[a-zA-Z0-9_\\-]{27}|mfa\\.[a-zA-Z0-9_\\-]{84}" wide //Discord Token regex
-        $str10 = "^(5018|5020|5038|6304|6759|6761|6763)[0-9]{8,15}$" wide //Maestro Card regex
-        
-    condition:
-        uint16(0)==0x5A4D and 1 of ($eni*) and 4 of ($str*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_eternity.yar b/yara_rules/sekoiaio_infostealer_win_eternity.yar
deleted file mode 100644
index adcffa0..0000000
--- a/yara_rules/sekoiaio_infostealer_win_eternity.yar
+++ /dev/null
@@ -1,32 +0,0 @@
-import "pe"
-        
-rule sekoiaio_infostealer_win_eternity {
-    meta:
-        id = "0ed8d4bd-d57f-40a8-a709-d69531d59847"
-        version = "1.0"
-        description = "Detect the Eternity infostealer based on specific strings"
-        author = "Sekoia.io"
-        reference = "hxxp://xssforumv3isucukbxhdhwz67hoa5e2voakcfkuieq4ch257vsburuid.]onion/threads/62331/"
-        creation_date = "2022-03-23"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str0 = "Sending info to Eternity.." wide
-        $str1 = "Debug mode, dont share this stealer anywhere." wide
-        $str2 = "\\Growtopia.exe" wide
-        $str3 = "Software\\Growtopia" wide
-        $str4 = "Corrupting Growtopia.." wide
-        $str5 = "Disabling Task Manager.." wide
-        $str6 = "Deleting previous file from startup and copying new one." wide
-        $str7 = "Hiding file in Startup folder.." wide
-        $str8 = "Initializing File watcher.." wide
-        $str9 = "Decoder: Failed to delete temp login. No problem, continuing.." wide
-        $str10 = "dcd.exe" wide
-        
-    condition:
-        uint16(0)==0x5A4D and
-        (for any i in (0..pe.number_of_sections-1) : ( pe.sections[i].name == ".eter0" ) and
-        for any i in (0..pe.number_of_sections-1) : ( pe.sections[i].name == ".eter1" )) or 
-        4 of ($str*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_fwit_strings.yar b/yara_rules/sekoiaio_infostealer_win_fwit_strings.yar
deleted file mode 100644
index 9970217..0000000
--- a/yara_rules/sekoiaio_infostealer_win_fwit_strings.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_infostealer_win_fwit_strings {
-    meta:
-        id = "332e89ad-d1fe-4da6-9354-0978ef173e78"
-        version = "1.0"
-        author = "Sekoia.io"
-        creation_date = "2023-06-22"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "C:\\ProgramData\\Temp" wide
-        $s2 = "{:08x}" wide
-        $s3 = "CURL_SSLVERSION" ascii // curl embedded
-        
-    condition:
-        (uint16be(0) == 0x4d5a) and
-        
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_ginzostealer_str.yar b/yara_rules/sekoiaio_infostealer_win_ginzostealer_str.yar
deleted file mode 100644
index 39221c1..0000000
--- a/yara_rules/sekoiaio_infostealer_win_ginzostealer_str.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_infostealer_win_ginzostealer_str {
-    meta:
-        id = "ef87e94b-9c53-44b4-b8a1-87d371a6d2cb"
-        version = "1.0"
-        description = "Finds samples of the Ginzo Stealer"
-        author = "Sekoia.io"
-        reference = "https://blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html"
-        creation_date = "2022-04-21"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str0 = "Ginzo.pdb" ascii
-        $str1 = "Ginzo.exe" wide
-        $str2 = "SELECT creation_utc,top_frame_site_key,host_key,name,value,encrypted_value,path,expires_utc,is_secure,is_httponly,last_access_utc,has_expires,is_persistent,priority,samesite,source_scheme,source_port,is_same_party FROM cookies" wide
-        $str3 = "SELECT origin_url,action_url,username_element,username_value,password_element,password_value,submit_element,signon_realm,date_created,blacklisted_by_user,scheme,password_type,times_used,form_data,display_name,icon_url,federation_url,skip_zero_click,generation_upload_status,possible_username_pairs,id,date_last_used,moving_blocked_for,date_password_modified FROM logins" wide
-        $str4 = "SELECT id,originAttributes,name,value,host,path,expiry,lastAccessed,creationTime,isSecure,isHttpOnly,inBrowserElement,sameSite,rawSameSite,schemeMap FROM moz_cookies" wide
-        
-    condition:
-        uint16(0)==0x5A4D and 4 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_gomorrah.yar b/yara_rules/sekoiaio_infostealer_win_gomorrah.yar
deleted file mode 100644
index 20f2c6e..0000000
--- a/yara_rules/sekoiaio_infostealer_win_gomorrah.yar
+++ /dev/null
@@ -1,31 +0,0 @@
-rule sekoiaio_infostealer_win_gomorrah {
-    meta:
-        id = "df8f06ba-6c93-4ce3-9857-ced93753f917"
-        version = "1.0"
-        description = "Detect the Gomorrah infostealer based on specific strings"
-        author = "Sekoia.io"
-        creation_date = "2022-08-25"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $gom01 = "-------------Developed By th3darkly [ https://gomorrah.pw ]-------------" wide
-        $gom02 = "-------------Created By Lucifer [ https://t.me/th3darkly ]-------------" wide
-        $gom03 = "--- Dev By https://t.me/@th3darkly ---" wide
-        $gom04 = "\\Gomorrah\\Gomorrah\\obj\\Debug\\Gomorrah.pdb" wide
-        $gom05 = "Gomorrah.Resources.resources" wide
-        
-        $str01 = "logs.php?hwid=" wide
-        $str02 = "gate.php?hwid=" wide
-        $str03 = "task.php?hwid=" wide
-        $str04 = "ownloadAndRun" wide
-        $str05 = "oftware\\\\Microsoft\\\\Windows Messaging Subsystem\\\\Profiles\\\\9375CFF0413111d3B88A00104B2A6676" wide
-        $str06 = "FileZilla\\\\recentservers.xml" wide
-        $str07 = "http://ip-api.com/json/" wide
-        $str08 = "OutkookStealer" ascii
-        $str09 = "update_windows10.youknowcaliber" ascii
-        
-    condition:
-        uint16(0)==0x5A4D and
-        ((1 of ($gom*) and 1 of ($str*)) or (7 of ($str*)))
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_grmsk_strings.yar b/yara_rules/sekoiaio_infostealer_win_grmsk_strings.yar
deleted file mode 100644
index a7b16c2..0000000
--- a/yara_rules/sekoiaio_infostealer_win_grmsk_strings.yar
+++ /dev/null
@@ -1,28 +0,0 @@
-rule sekoiaio_infostealer_win_grmsk_strings {
-    meta:
-        version = "1.0"
-        description = "Finds GrMsk samples based on the specific strings"
-        author = "Sekoia.io"
-        creation_date = "2023-11-30"
-        id = "58f32339-5e0f-405c-9acc-14b93f6c208b"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "ref.txt" ascii fullword
-        $str02 = "--------" ascii fullword
-        $str03 = "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/5362 (KHTML, like Gecko) Chrome/40.0.834.0 Mobile Safari/5362" ascii fullword
-        $str04 = "POST" ascii fullword
-        $str05 = "\\SearchWallet\\" ascii
-        $str06 = "1234niwef" ascii
-        $str07 = "afbcbjpbpfadlkmhmclhkeeodmamcflc" ascii
-        $str08 = "lodccjjbdhfakaekdiahmedfbieldgik" ascii
-        $str09 = "wallets" ascii
-        $str10 = "config" ascii
-        $str11 = "\"recently_open\": [" ascii
-        $str12 = "\"gui_last_wallet\": " ascii
-        $str13 = "YUOhtyugjKgdfgjFGghj676jj" ascii
-        
-    condition:
-        uint16(0)==0x5A4D and 10 of ($str*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_irontiger_chrome_stealer.yar b/yara_rules/sekoiaio_infostealer_win_irontiger_chrome_stealer.yar
deleted file mode 100644
index e163858..0000000
--- a/yara_rules/sekoiaio_infostealer_win_irontiger_chrome_stealer.yar
+++ /dev/null
@@ -1,33 +0,0 @@
-import "pe"
-        
-rule sekoiaio_infostealer_win_irontiger_chrome_stealer {
-    meta:
-        id = "8c5c3ed0-e1ea-4079-b330-ace8724bff2a"
-        version = "1.0"
-        description = "Detect the chrome_stealer malware"
-        author = "Sekoia.io"
-        creation_date = "2023-03-01"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "passwords.txt"
-        $ = "CryptUnprotectData: 0x%08x"
-        $ = "cookies.txt"
-        $ = "decrypt to %s"
-        $ = ".\\chromedb_tmp" wide ascii
-        $ = "SELECT ORIGIN_URL,USERNAME_VALUE,PASSWORD_VALUE FROM LOGINS;"
-        $ = "decrypt successful!"
-        $ = "url: %s"
-        $ = "user: %s"
-        $ = "pass: %s"
-        $ = "aes key:"
-        $ = "\\Google\\Chrome\\User Data\\Default\\Login Data" wide
-        $ = "password file %s" wide
-        $ = "cookies file %s" wide
-        $ = "keyfile: %s" wide
-        
-    condition:
-        (uint16(0)==0x5A4D and all of them)
-        or pe.imphash() == "e862f5a6671f9dbd6f53d3d557e568f0"
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_leaf.yar b/yara_rules/sekoiaio_infostealer_win_leaf.yar
deleted file mode 100644
index 098ac07..0000000
--- a/yara_rules/sekoiaio_infostealer_win_leaf.yar
+++ /dev/null
@@ -1,33 +0,0 @@
-rule sekoiaio_infostealer_win_leaf {
-    meta:
-        id = "17d8e384-1092-4f27-b4f7-c0c0f7efcaa3"
-        version = "1.0"
-        description = "Find samples of Leaf Stealer based on specific strings"
-        author = "Sekoia.io"
-        creation_date = "2023-02-07"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "Leaf $tealer" ascii
-        $str02 = "KiwiFolder" ascii
-        $str03 = "key_wordsFiles" ascii
-        $str04 = "**[Click to copy](https://superfurrycdn.nl/copy/" ascii
-        $str05 = "Early_Verified_Bot_Developer" ascii
-        $str06 = "getCookie.<locals>.<genexpr>" ascii
-        $str07 = "C:\\Program Files (x86)\\Steam\\config" ascii
-        $str08 = "[crunchyroll](https://crunchyroll.com)" ascii
-        $str09 = "-m pip install" ascii
-        $str10 = "taskkill /im " ascii
-        $str11 = "/loginusers.vdf" ascii
-        $str12 = "mot_de_passe" ascii
-        $str13 = "Interesting files found on user PC" ascii
-        $str14 = "NationsGlory/Local Storage/leveldb" ascii
-        $str15 = "wppassw.txt" ascii
-        $str16 = "wpcook.txt" ascii
-        $str17 = "ProcesName < 1 >" ascii
-        $str18 = "Metamask_" ascii
-        
-    condition:
-        uint16(0)==0x5A4D and 10 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_lighting.yar b/yara_rules/sekoiaio_infostealer_win_lighting.yar
deleted file mode 100644
index f3fe605..0000000
--- a/yara_rules/sekoiaio_infostealer_win_lighting.yar
+++ /dev/null
@@ -1,41 +0,0 @@
-rule sekoiaio_infostealer_win_lighting {
-    meta:
-        id = "3c160c16-f417-4fa2-aa44-fb7b981fb2b3"
-        version = "1.0"
-        description = "Detect the Lighting infostealer based on specific strings"
-        author = "Sekoia.io"
-        reference = "https://blog.cyble.com/2022/04/05/inside-lightning-stealer/"
-        creation_date = "2022-04-07"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str0 = "\\logins.json" wide
-        $str1 = "key3.db" wide
-        $str2 = "\\key4.db" wide
-        $str3 = "cert9.db" wide
-        $str4 = "\\places.sqlite" wide
-        $str5 = "7D78CB380BF5EFB7B851409CA6A875F77DECF09D19B9149DA17A3EBF674BC0F9" ascii
-        $str6 = "potentiallyVulnerablePasswords" wide
-        
-        $dll0 = "\\mozglue.dll" wide
-        $dll1 = "\\nss3.dll" wide
-        $dll2 = "SbieDll.dll" wide
-        
-        $app00 = "\\discord\\Local Storage\\leveldb\\" wide
-        $app01 = "Software\\Valve\\Steam" wide
-        $app02 = "Telegram Desktop\\tdata" wide
-        $app03 = "\\Wallets\\Armory\\" wide
-        $app04 = "\\Wallets\\Atomic\\Local Storage\\leveldb\\" wide
-        $app05 = "\\Exodus\\exodus.wallet\\" wide
-        $app06 = "\\Wallets\\Zcash\\" wide
-        $app07 = "uCozMedia\\Uran" wide
-        $app08 = "Comodo\\IceDragon" wide
-        $app09 = "8pecxstudios\\Cyberfox" wide
-        $app10 = "NETGATE Technologies\\BlackHaw" wide
-        $app11 = "Moonchild Productions\\Pale Moon" wide
-        
-    condition:
-        uint16(0)==0x5A4D and
-        6 of ($str*) and all of ($dll*) and 10 of ($app*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_lumma_strings_aug23.yar b/yara_rules/sekoiaio_infostealer_win_lumma_strings_aug23.yar
deleted file mode 100644
index d082fa3..0000000
--- a/yara_rules/sekoiaio_infostealer_win_lumma_strings_aug23.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule sekoiaio_infostealer_win_lumma_strings_aug23 {
-    meta:
-        version = "1.0"
-        description = "Finds Lumma samples based on the specific strings"
-        author = "Sekoia.io"
-        creation_date = "2023-09-14"
-        id = "728f7825-a463-4b19-b2d3-3460e4c06dc9"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "lid=%s&j=%s&ver" ascii
-        $str02 = "%s (%d.%d.%d)" ascii
-        $str03 = "- Screen Resoluton:" ascii
-        $str04 = "- Physical Installed Memory:" ascii
-        $str05 = "Content-Type: attachment/x-object" ascii
-        $str06 = "Content-Type: application/x-www-form-urlencoded" ascii
-        $str07 = "Content-Type: multipart/form-data; boundary=%s" wide
-        $str08 = "SysmonDrv" wide
-        $str09 = "TeslaBrowser/5.5" wide
-        
-    condition:
-        uint16(0)==0x5A4D and 6 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_lumma_strings_sept23.yar b/yara_rules/sekoiaio_infostealer_win_lumma_strings_sept23.yar
deleted file mode 100644
index e0218d2..0000000
--- a/yara_rules/sekoiaio_infostealer_win_lumma_strings_sept23.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule sekoiaio_infostealer_win_lumma_strings_sept23 {
-    meta:
-        version = "1.0"
-        description = "Finds Lumma samples based on the specific strings"
-        author = "Sekoia.io"
-        creation_date = "2023-09-14"
-        modification_date = "2023-10-31"
-        id = "45900760-c10d-40c0-a49a-c66358a8a66a"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str10 = "CryptStringToBinaryA" ascii
-        $str11 = "WinHttpQueryDataAvailable" ascii
-        $str12 = "GetComputerNameExA" ascii
-        $str13 = "GetCurrentHwProfileW" ascii
-        $str14 = "ntdll.dll" wide
-        //$str15 = "%appdata%\\Thunderbird\\Profiles" wide
-        $str16 = "minkernel\\crts\\ucrt\\inc\\corecrt_internal_strtox.h" wide
-        $str17 = "xxxxxxxxxxx" ascii
-        
-    condition:
-        uint16(0)==0x5A4D and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_mars_stealer.yar b/yara_rules/sekoiaio_infostealer_win_mars_stealer.yar
deleted file mode 100644
index ef55cc1..0000000
--- a/yara_rules/sekoiaio_infostealer_win_mars_stealer.yar
+++ /dev/null
@@ -1,45 +0,0 @@
-import "pe"
-        
-rule sekoiaio_infostealer_win_mars_stealer {
-    meta:
-        id = "3e2c7440b2fc9e4b039e6fa8152ac8fd"
-        version = "1.0"
-        description = "Detect Mars Stealer based on specific strings"
-        author = "Sekoia.io"
-        reference = "https://3xp0rt.com/posts/mars-stealer"
-        creation_date = "2022-02-03"
-        modification_date = "2022-02-14"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $dec = {a3 ?? ?? ?? ?? 68 ?? ?? ?? ?? e8 ?? ?? 00 00 83 c4 ??} //decryption op code
-        
-        $api00 = "LoadLibrary" ascii
-        $api01 = "GetProcAddress" ascii
-        $api02 = "ExitProcess" ascii
-        $api03 = "advapi32.dll" ascii
-        $api04 = "crypt32.dll" ascii
-        $api05 = "GetTickCount" ascii
-        $api06 = "Sleep" ascii
-        $api07 = "GetUserDefaultLangID" ascii
-        $api08 = "CreateMutex" ascii
-        $api09 = "GetLastError" ascii
-        $api10 = "HeapAlloc" ascii
-        $api11 = "GetProcessHeap" ascii
-        $api12 = "GetComputerName" ascii
-        $api13 = "VirtualProtect" ascii
-        $api14 = "GetUserName" ascii
-        $api15 = "CryptStringToBinary" ascii
-        
-        $str0 = "JohnDoe" ascii
-        //$str1 = "/c timeout /t 5 & del /f /q \"%s\" & exit" ascii
-        //$str2 = "C:\\Windows\\System32\\cmd.exe" ascii
-        
-    condition:
-        uint16(0)==0x5A4D and
-        (#dec > 400 and
-        12 of ($api*) and $str0) or
-        for any i in ( 0..pe.number_of_sections-1 ) : (
-            pe.sections[i].name == "LLCPPC" and pe.sections[i].raw_data_size < 5000 )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_mars_stealer_variant_llcppc1.yar b/yara_rules/sekoiaio_infostealer_win_mars_stealer_variant_llcppc1.yar
deleted file mode 100644
index c22bc43..0000000
--- a/yara_rules/sekoiaio_infostealer_win_mars_stealer_variant_llcppc1.yar
+++ /dev/null
@@ -1,16 +0,0 @@
-rule sekoiaio_infostealer_win_mars_stealer_variant_llcppc1 {
-    meta:
-        id = "3e2c7440b2fc9e4b039e6fa8152ac8fe"
-        version = "1.0"
-        description = "Detect Mars Stealer variand llcppc1"
-        author = "Sekoia.io"
-        creation_date = "2022-03-10"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $a = {ff 15 ?? ?? ?? ?? 89 45 ?? 6a 14 68 ?? ?? ?? ?? ff 75 ?? e8 23 00 00 00 ff 75 ?? ff 75 ?? ff 75 ?? e8 5c 00 00 00}
-        
-    condition:
-        uint16(0)==0x5A4D and $a
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_mars_stealer_xor_routine.yar b/yara_rules/sekoiaio_infostealer_win_mars_stealer_xor_routine.yar
deleted file mode 100644
index e5f9a2c..0000000
--- a/yara_rules/sekoiaio_infostealer_win_mars_stealer_xor_routine.yar
+++ /dev/null
@@ -1,16 +0,0 @@
-rule sekoiaio_infostealer_win_mars_stealer_xor_routine {
-    meta:
-        id = "3e2c7440b2fc9e4b039e6fa8152ac8ff"
-        version = "1.0"
-        description = "Detect Mars Stealer based on a specific XOR routine"
-        author = "Sekoia.io"
-        creation_date = "2022-04-06"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $xor = {8b 4d ?? 03 4d ?? 0f be 19 8b 55 ?? 52 e8 ?? ?? ?? ?? 83 c4 ?? 8b c8 8b 45 ?? 33 d2 f7 f1 8b 45 ?? 0f be 0c 10 33 d9 8b 55 ?? 03 55 ?? 88 1a eb be}
-        
-    condition:
-        uint16(0)==0x5A4D and $xor
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_meduzastealer.yar b/yara_rules/sekoiaio_infostealer_win_meduzastealer.yar
deleted file mode 100644
index 66a2bf5..0000000
--- a/yara_rules/sekoiaio_infostealer_win_meduzastealer.yar
+++ /dev/null
@@ -1,27 +0,0 @@
-rule sekoiaio_infostealer_win_meduzastealer {
-    meta:
-        id = "1276f485-aa5d-491b-89d8-77f98dc496e1"
-        version = "1.0"
-        description = "Finds MeduzaStealer samples based on specific strings"
-        author = "Sekoia.io"
-        creation_date = "2023-06-20"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "emoji" ascii
-        $str02 = "%d-%m-%Y, %H:%M:%S" ascii
-        $str03 = "[UTC" ascii
-        $str04 = "user_name" ascii
-        $str05 = "computer_name" ascii
-        $str06 = "timezone" ascii
-        $str07 = "current_path()" ascii
-        $str08 = "[json.exception." ascii
-        $str09 = "GDI32.dll" ascii
-        $str10 = "GdipGetImageEncoders" ascii
-        $str11 = "GetGeoInfoA" ascii
-        
-    condition:
-        uint16(0) == 0x5a4d and 8 of them 
-        and filesize > 500KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_metastealer_strings.yar b/yara_rules/sekoiaio_infostealer_win_metastealer_strings.yar
deleted file mode 100644
index 4c4218d..0000000
--- a/yara_rules/sekoiaio_infostealer_win_metastealer_strings.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-import "pe"
-        
-rule sekoiaio_infostealer_win_metastealer_strings {
-    meta:
-        id = "1f4b6f0b-706e-48b0-889d-01c1b7f92776"
-        version = "1.0"
-        description = "Detects IOCs related to Metastealer"
-        author = "Sekoia.io"
-        creation_date = "2023-12-13"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "FileScannerRule"
-        $s2 = "MSObject"
-        $s3 = "MSValue"
-        $s4 = "GetBrowsers"
-        $s5 = "Biohazard"
-        
-    condition:
-    4 of ($s*) 
-    and pe.imports("mscoree.dll")
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_monster_stub.yar b/yara_rules/sekoiaio_infostealer_win_monster_stub.yar
deleted file mode 100644
index 2951e80..0000000
--- a/yara_rules/sekoiaio_infostealer_win_monster_stub.yar
+++ /dev/null
@@ -1,32 +0,0 @@
-rule sekoiaio_infostealer_win_monster_stub {
-    meta:
-        id = "10d27d49-79ae-4edc-8c30-35506bdf2c42"
-        version = "1.0"
-        description = "Finds Monster Stealer stub (Python payload) based on specific strings."
-        author = "Sekoia.io"
-        creation_date = "2024-08-07"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "https://t.me/monster_free_cloud" ascii
-        $str02 = "MonsterUpdateService" ascii
-        $str03 = "Monster.exe" ascii
-        $str04 = "schtasks /create /f /sc daily /ri 30 /tn" ascii
-        $str05 = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\" ascii
-        $str06 = "banned_uuids" ascii
-        $str07 = "banned_computer_names" ascii
-        $str08 = "banned_process" ascii
-        $str09 = "register_X_browsers" ascii
-        $str10 = "register_payload" ascii
-        $str11 = "tiktok_sessions.txt" ascii
-        $str12 = "spotify_sessions.txt" ascii
-        $str13 = "network_info.txt" ascii
-        $str14 = "lolz.guru" ascii
-        $str15 = "echo ####System Info####" ascii
-        $str16 = "echo ####Firewallinfo####" ascii
-        $str17 = "/injection/main/injection.js" ascii
-        
-    condition:
-        uint16(0)==0x5A4D and 10 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_nekostealer.yar b/yara_rules/sekoiaio_infostealer_win_nekostealer.yar
deleted file mode 100644
index 08ee2d8..0000000
--- a/yara_rules/sekoiaio_infostealer_win_nekostealer.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_infostealer_win_nekostealer {
-    meta:
-        id = "8b7d2708-9d33-4855-8e02-f6afedb7dda8"
-        version = "1.0"
-        description = "Detect the NekoStealer infostealer based on specific strings"
-        author = "Sekoia.io"
-        creation_date = "2023-01-24"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $nek = "NekoStealer.Stealing" ascii
-        
-        $str01 = "\\Local Storage\\leveldb" wide
-        $str02 = "======================= Discord Tokens =======================" wide
-        $str03 = "======================== IP Information ========================" wide
-        $str04 = "https://ipapi.co/" wide
-        
-    condition:
-        uint16(0) == 0x5A4D and (#nek > 10 or all of ($str*))
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_nemesis_in_memory.yar b/yara_rules/sekoiaio_infostealer_win_nemesis_in_memory.yar
deleted file mode 100644
index c33bfac..0000000
--- a/yara_rules/sekoiaio_infostealer_win_nemesis_in_memory.yar
+++ /dev/null
@@ -1,28 +0,0 @@
-rule sekoiaio_infostealer_win_nemesis_in_memory {
-    meta:
-        id = "01d85bd5-ea93-44ff-b36a-9cd9eb54d634"
-        version = "1.0"
-        description = "Finds Nemesis Stealer samples based on specific strings, from samples without strings obsucation, or from memory"
-        author = "Sekoia.io"
-        creation_date = "2023-03-29"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "NemesisProject.Modules." ascii
-        $str02 = "~[NEMESIS INIZIALIZE]~" wide
-        $str03 = "Clip_BoardText.txt" wide
-        $str04 = "stealer_out.zip" wide
-        $str05 = "<span style=\"color:#FFFFFF\">Number of running processes:</span>" wide
-        $str06 = "<span style=\"color:#FFFFFF\">Installed FireWall: </span>" wide
-        $str07 = "~[Panel_Receiving_Data]~ Incorrect data when receiving data on the panel" wide
-        $str08 = "ProcessInfo_Log.txt" wide
-        $str09 = "Installed_Software_Log.txt" wide
-        $str10 = "Detect Data ClipBoard] - [ {DateTime.Now:MM.dd.yyyy - HH:mm:ss}]" wide
-        $str11 = "VPN/ProtonVPN_Log.txt" wide
-        $str12 = "VPN/Nord_Log.txt" wide
-        $str13 = "Steam/SteamID_Log.txt" wide
-        
-    condition:
-    uint16(0) == 0x5A4D and 6 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_nosu.yar b/yara_rules/sekoiaio_infostealer_win_nosu.yar
deleted file mode 100644
index ec00d8c..0000000
--- a/yara_rules/sekoiaio_infostealer_win_nosu.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_infostealer_win_nosu {
-    meta:
-        version = "1.0"
-        description = "Finds Nosu samples based on characteristic strings"
-        author = "Sekoia.io"
-        creation_date = "2022-12-15"
-        id = "9823af25-e30b-4514-a59c-02dd19fe368d"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str0 = "C:\\xampp\\htdocs\\nosu\\core\\release\\lilly.pdb" ascii
-        $str1 = "{\"gp\":\"%s\",\"app\":\"%S\"," ascii
-        $str2 = "stored in zip:\\%s" wide
-        
-    condition:
-        uint16(0)==0x5A4D and 1 of them and filesize<1MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_pennywise_mar23.yar b/yara_rules/sekoiaio_infostealer_win_pennywise_mar23.yar
deleted file mode 100644
index 9200b43..0000000
--- a/yara_rules/sekoiaio_infostealer_win_pennywise_mar23.yar
+++ /dev/null
@@ -1,27 +0,0 @@
-rule sekoiaio_infostealer_win_pennywise_mar23 {
-    meta:
-        id = "9852b7e7-dfff-44e6-9068-d287cc84b069"
-        version = "1.0"
-        description = "Finds PennyWise samples based on strings"
-        author = "Sekoia.io"
-        creation_date = "2023-03-22"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $chr01 = "MvgmsudRT3loHygSj1F9K" ascii
-        $chr02 = "WebInfidelity2023" ascii
-        $chr03 = "PennyWise" ascii
-        
-        $str01 = "get_Handle" ascii
-        $str02 = "get_Now" ascii
-        $str03 = "get_Ticks" ascii
-        $str04 = "set_Expect100Continue" ascii
-        $str05 = "get_Jpeg" ascii
-        $str06 = "set_UseShellExecute" ascii
-        $str07 = "get_ProcessName" ascii
-        $str08 = "get_UtcNow" ascii
-        
-    condition:
-        uint16(0) == 0x5A4D and 1 of ($chr*) and 5 of ($str*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_phoenix.yar b/yara_rules/sekoiaio_infostealer_win_phoenix.yar
deleted file mode 100644
index d10cb42..0000000
--- a/yara_rules/sekoiaio_infostealer_win_phoenix.yar
+++ /dev/null
@@ -1,34 +0,0 @@
-rule sekoiaio_infostealer_win_phoenix {
-    meta:
-        id = "d63a8fcf-f897-4c36-a6ce-4bd4ae0154e5"
-        version = "1.0"
-        description = "Finds Phoenix Stealer samples based on specific strings"
-        author = "Sekoia.io"
-        creation_date = "2023-06-20"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "nkbihfbeogaeaoehlefnkodbefgpgknn" ascii
-        $str02 = "Discord\\Tokens.txt" ascii
-        $str03 = "SOFTWARE\\OpenVP" ascii
-        $str04 = "config_dir" ascii
-        $str05 = "| Last Login:" ascii
-        $str06 = "| Games:" ascii
-        $str07 = "| Host:" ascii
-        $str08 = "| Port:" ascii
-        $str09 = "| User:" ascii
-        $str10 = "| Pass:" ascii
-        $str11 = "Grabber.rar" ascii
-        $str12 = "\\GHISLER\\wcx_ftp.ini" ascii
-        $str13 = "Clipboard.txt" ascii
-        $str14 = "PROCESSOR_ARCHITECTURE" ascii
-        $str15 = "PROCESSOR_IDENTIFIER" ascii
-        $str16 = "Log.txt" ascii
-        $str17 = "xXxXxXxXxXx" ascii
-        $str18 = "hq101ejedmwcvvasd02kw" ascii
-        
-    condition:
-        uint16(0) == 0x5a4d and 15 of them 
-        and filesize > 500KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_phoenixwave.yar b/yara_rules/sekoiaio_infostealer_win_phoenixwave.yar
deleted file mode 100644
index 49103a1..0000000
--- a/yara_rules/sekoiaio_infostealer_win_phoenixwave.yar
+++ /dev/null
@@ -1,36 +0,0 @@
-rule sekoiaio_infostealer_win_phoenixwave {
-    meta:
-        id = "67c05ea8-2f1b-4c60-b108-e05d7d0c6508"
-        version = "1.0"
-        description = "Detect the PhoenixWave infostealer based on specific strings"
-        author = "Sekoia.io"
-        creation_date = "2022-04-07"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str0 = "##################################################\n                  Information\n##################################################\n" wide
-        $str1 = "Specify a single character: either D or F" wide
-        $str2 = "// This SFX source file was generated by DotNetZip " wide
-        $str3 = "aHR0cDovL2lwLWFwaS5jb20vanNvbg==" wide //ip-api.com/json
-        $str4 = "TG9jYWxBcHBEYXRh" wide //LocalAppData
-        $str5 = "UGhvZW5peFdhdmU=" wide //PhoenixWave
-        $str6 = "virustotal" wide
-        $str7 = "SELECT * FROM win32_operatingsystem" wide
-        $str8 = "SELECT * FROM Win32_VideoController" wide
-        
-        $app0 = "\\discordcanary\\Local Storage\\leveldb" wide
-        $app1 = "\\discordptb\\Local Storage\\leveldb" wide
-        $app2 = "\\discorddevelopment\\Local Storage\\leveldb" wide
-        $app3 = "\\D877F783D5D3EF8C\\" wide //Telegram
-        $app4 = "\\IndexedDB\\file__0.indexeddb.leveldb" wide
-        $app5 = "\\Steam\\Games.txt" wide
-        $app6 = "nkbihfbeogaeaoehlefnkodbefgpgknn" wide
-        $app7 = "fhbohimaelbohpjbbldcngcnapndodjp" wide
-        $app8 = "fnjhmkhhmkbjkkabndcnnogagogbneec" wide
-        $app9 = "\\Opera Software\\Opera GX Stable" wide
-        
-    condition:
-        uint16(0)==0x5A4D and
-        7 of ($str*) and 8 of ($app*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_raccoon_str_takemypainback.yar b/yara_rules/sekoiaio_infostealer_win_raccoon_str_takemypainback.yar
deleted file mode 100644
index f9176f5..0000000
--- a/yara_rules/sekoiaio_infostealer_win_raccoon_str_takemypainback.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_infostealer_win_raccoon_str_takemypainback {
-    meta:
-        version = "1.0"
-        description = "Detect Raccoon based on specific strings"
-        author = "Sekoia.io"
-        creation_date = "2022-10-03"
-        id = "2148636e-47c7-4bf2-8d1e-df68faf65111"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str0 = "\\ffcookies.txt" wide
-        $str1 = "TakeMyPainBack" wide
-        $str2 = "wallet.dat" wide
-        $str3 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall" wide
-        $str4 = "Network\\Cookies" wide
-        
-    condition:
-        uint16(0) == 0x5a4d and 4 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_redline_strings.yar b/yara_rules/sekoiaio_infostealer_win_redline_strings.yar
deleted file mode 100644
index 8e72b10..0000000
--- a/yara_rules/sekoiaio_infostealer_win_redline_strings.yar
+++ /dev/null
@@ -1,48 +0,0 @@
-rule sekoiaio_infostealer_win_redline_strings {
-    meta:
-        version = "1.0"
-        description = "Finds Redline samples based on characteristic strings"
-        author = "Sekoia.io"
-        creation_date = "2022-09-07"
-        id = "0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $gen01 = "ChromeGetRoamingName" ascii
-        $gen02 = "ChromeGetLocalName" ascii
-        $gen03 = "get_UserDomainName" ascii
-        $gen04 = "get_encrypted_key" ascii
-        $gen05 = "browserPaths" ascii
-        $gen06 = "GetBrowsers" ascii
-        $gen07 = "get_InstalledInputLanguages" ascii
-        $gen08 = "BCRYPT_INIT_AUTH_MODE_INFO_VERSION" ascii
-        
-        $spe0 = "Profile_encrypted_value" wide
-        $spe1 = "[AString-ZaString-z\\d]{2String4}\\.[String\\w-]{String6}\\.[\\wString-]{2String7}" wide
-        $spe2 = "AFileSystemntivFileSystemirusPrFileSystemoduFileSystemct|AntiFileSystemSpyWFileSystemareProFileSystemduct|FireFileSystemwallProdFileSystemuct" wide
-        $spe3 = "OpHandlerenVPHandlerN ConHandlernect%DSK_23%Opera GXcookies" wide
-        $spe4 = "//settinString.Removeg[@name=\\PasswString.Removeord\\]/valuString.RemoveeROOT\\SecurityCenter" wide
-        $spe5 = "ROOT\\SecurityCenter2Web DataSteamPath" wide
-        $spe6 = "windows-1251, CommandLine:" wide
-        $spe7 = "OFileInfopeFileInfora GFileInfoX StabFileInfole" wide
-        $spe8 = "ApGenericpDaGenericta\\RGenericoamiGenericng\\" wide
-        $spe9 = "*wallet*" wide
-        
-        $typ01 = "359A00EF6C789FD4C18644F56C5D3F97453FFF20" ascii
-        $typ02 = "F413CEA9BAA458730567FE47F57CC3C94DDF63C0" ascii
-        $typ03 = "A937C899247696B6565665BE3BD09607F49A2042" ascii
-        $typ04 = "D67333042BFFC20116BF01BC556566EC76C6F7E2" ascii
-        $typ05 = "4E3D7F188A5F5102BEC5B820632BBAEC26839E63" ascii
-        $typ06 = "FB10FF1AD09FE8F5CA3A85B06BC96596AF83B350" ascii
-        $typ07 = "77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60" ascii
-        $typ08 = "A8F9B62160DF085B926D5ED70E2B0F6C95A25280" ascii
-        $typ09 = "718D1294A5C2D3F3D70E09F2F473155C4F567201" ascii
-        $typ10 = "2FBDC611D3D91C142C969071EA8A7D3D10FF6301" ascii
-        $typ11 = "2A19BFD7333718195216588A698752C517111B02" ascii
-        $typ12 = "EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2" ascii
-        $typ13 = "04EC68A0FC7D9B6A255684F330C28A4DCAB91F13" ascii
-        
-    condition:
-        uint16(0)==0x5A4D and (7 of ($gen*) or 3 of ($spe*) or 2 of ($typ*))
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_solarmarker_dll.yar b/yara_rules/sekoiaio_infostealer_win_solarmarker_dll.yar
deleted file mode 100644
index c86b032..0000000
--- a/yara_rules/sekoiaio_infostealer_win_solarmarker_dll.yar
+++ /dev/null
@@ -1,29 +0,0 @@
-rule sekoiaio_infostealer_win_solarmarker_dll {
-    meta:
-        version = "1.0"
-        description = "Finds SolarMarker DLL based on characteristic strings"
-        author = "Sekoia.io"
-        creation_date = "2022-12-09"
-        id = "a2fe7f09-7134-4054-ba40-5ea66785a26c"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $zka = "zkabsr" wide
-        
-        $str0 = "set_PersistKeyInCsp" ascii
-        $str1 = "get_IV" ascii
-        $str2 = "get_MachineName" ascii
-        $str3 = "get_Current" ascii
-        $str4 = "ps_script" ascii
-        $str5 = "request_data" ascii
-        $str6 = "WindowsBuiltInRole" ascii
-        $str7 = "DllImportAttribute" ascii
-        $str8 = "get_BlockSize" ascii
-        $str9 = "GetRequestStream" ascii
-        
-    condition:
-        uint16(0)==0x5A4D and
-        (($zka and 3 of ($str*)) or (all of ($str*)))
-        and filesize < 1MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_solarmarker_powershell.yar b/yara_rules/sekoiaio_infostealer_win_solarmarker_powershell.yar
deleted file mode 100644
index 67bd5b3..0000000
--- a/yara_rules/sekoiaio_infostealer_win_solarmarker_powershell.yar
+++ /dev/null
@@ -1,26 +0,0 @@
-rule sekoiaio_infostealer_win_solarmarker_powershell {
-    meta:
-        version = "1.0"
-        description = "Finds SolarMarker PowerShell script based on characteristic strings"
-        author = "Sekoia.io"
-        creation_date = "2022-12-09"
-        id = "a2fe7f09-7134-4054-ba40-5ea66785a26d"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $fun = "function " ascii
-        
-        $ps0 = "return -join (0..(10..30|Get-Random)|%{[char]((65..90)+(97..122)|Get-Random)})" ascii
-        $ps1 = /new-item -path \$[a-zA-Z0-9_]* -itemtype registrykey -force;/
-        $ps2 = /set-item -path \$[a-zA-Z0-9_]* -value \$[a-zA-Z0-9_]*;/
-        
-        $str0 = "[IO.File]::WriteAllText($" ascii
-        $str1 = "CreateShortcut($env:appdata+" ascii
-        $str2 = "Registry::HKEY_CURRENT_USER\\Software\\Classes\\" ascii
-        $str3 = "New-Object System.Security.Cryptography.AesCryptoServiceProvider" ascii
-        $str4 = "[Convert]::FromBase64String([IO.File]::ReadAllText(" ascii
-        
-    condition:
-        $fun at 0 and 1 of ($ps*) and 2 of ($str*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_spacestealer.yar b/yara_rules/sekoiaio_infostealer_win_spacestealer.yar
deleted file mode 100644
index 54518d4..0000000
--- a/yara_rules/sekoiaio_infostealer_win_spacestealer.yar
+++ /dev/null
@@ -1,32 +0,0 @@
-rule sekoiaio_infostealer_win_spacestealer {
-    meta:
-        version = "1.0"
-        description = "Detects SpaceStealer based on specific strings"
-        author = "Sekoia.io"
-        creation_date = "2022-11-29"
-        id = "aceae3b3-1f5a-48b4-84cb-d0ba68d26df5"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "spacestealerxD" ascii
-        $str02 = "\\spacex" ascii
-        $str03 = "@~$~@spacex-" ascii
-        $str04 = "StealerClient" ascii
-        $str05 = "kill-process-by-name" ascii
-        $str06 = "\\BetterDiscord\\data\\betterdiscord.asar" ascii
-        $str07 = "api/webhooks" ascii
-        $str08 = "discordPath" ascii
-        $str09 = "SELECT host_key, name, encrypted_value FROM cookies" ascii
-        $str10 = "SELECT origin_url, username_value, password_value FROM logins" ascii
-        $str11 = "SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards" ascii
-        $str12 = "Cookies don't found." ascii
-        $str13 = "/api/cookies?auth=" ascii
-        $str14 = "/api/passwords?auth=" ascii
-        $str15 = "/api/autofill?auth=" ascii
-        $str16 = "/api/creditcards?auth=" ascii
-        $str17 = "\\Yandex\\YandexBrowser\\User Data\\Guest Profile\\Network\\" ascii
-        
-    condition:
-        uint16(0) == 0x5A4D and filesize > 10MB and 13 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_stealc.yar b/yara_rules/sekoiaio_infostealer_win_stealc.yar
deleted file mode 100644
index 49b8c48..0000000
--- a/yara_rules/sekoiaio_infostealer_win_stealc.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule sekoiaio_infostealer_win_stealc {
-    meta:
-        id = "aa78772e-9b31-40f3-84f4-b8302ea63a28"
-        version = "1.0"
-        description = "Find standalone Stealc sample based on decryption routine or characteristic strings"
-        author = "Sekoia.io"
-        creation_date = "2023-02-12"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $dec = { 55 8b ec 8b 4d ?? 83 ec 0c 56 57 e8 ?? ?? ?? ?? 6a 03 33 d2 8b f8 59 f7 f1 8b c7 85 d2 74 04 } //deobfuscation function
-        
-        $str01 = "------" ascii
-        $str02 = "Network Info:" ascii
-        $str03 = "- IP: IP?" ascii
-        $str04 = "- Country: ISO?" ascii
-        $str05 = "- Display Resolution:" ascii
-        $str06 = "User Agents:" ascii
-        $str07 = "%s\\%s\\%s" ascii
-        
-    condition:
-        uint16(0) == 0x5A4D and ($dec or 5 of ($str*))
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_stealc_str_oct24.yar b/yara_rules/sekoiaio_infostealer_win_stealc_str_oct24.yar
deleted file mode 100644
index 9c804d0..0000000
--- a/yara_rules/sekoiaio_infostealer_win_stealc_str_oct24.yar
+++ /dev/null
@@ -1,28 +0,0 @@
-rule sekoiaio_infostealer_win_stealc_str_oct24 {
-    meta:
-        id = "7448fafe-206c-4f9c-b5a3-cbabec12a45b"
-        version = "1.0"
-        description = "Finds Stealc standalone samples (or dumps) based on the strings"
-        author = "Sekoia.io"
-        creation_date = "2024-10-20"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "-nop -c \"iex(New-Object Net.WebClient).DownloadString(" ascii //also include in Vidar samples
-        $str02 = "Azure\\.IdentityService" ascii //also include in Vidar samples
-        $str03 = "steam_tokens.txt" ascii
-        $str04 = "\"encrypted_key\":\"" ascii //also include in Vidar samples
-        $str05 = "prefs.js" ascii //also include in Vidar samples
-        $str06 = "browser: FileZilla" ascii
-        $str07 = "profile: null" ascii
-        $str08 = "url:" ascii
-        $str09 = "login:" ascii
-        $str10 = "password:" ascii //also include in Vidar samples
-        $str11 = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" ascii //also include in Vidar samples
-        $str12 = "ChromeFuckNewCookies" ascii //also include in Vidar samples
-        $str13 = "/c timeout /t 10 & del /f /q \"" ascii //also include in Vidar samples
-        
-    condition:
-        uint16(0)==0x5A4D and 9 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_stealerium.yar b/yara_rules/sekoiaio_infostealer_win_stealerium.yar
deleted file mode 100644
index 8740ce7..0000000
--- a/yara_rules/sekoiaio_infostealer_win_stealerium.yar
+++ /dev/null
@@ -1,37 +0,0 @@
-rule sekoiaio_infostealer_win_stealerium {
-    meta:
-        version = "1.0"
-        description = "Detects Stealerium based on specific strings"
-        author = "Sekoia.io"
-        creation_date = "2022-12-01"
-        id = "165c7d3d-de7e-4d71-b94a-8ab4a0e5ddd5"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $stl = "Stealerium" ascii wide
-        
-        $str01 = "Processe: " wide
-        $str02 = "Compname: " wide
-        $str03 = "Language: " wide
-        $str04 = "SandBoxie: " wide
-        $str05 = "== System Info ==" wide
-        $str06 = "== Hardware ==" wide
-        $str07 = "== Domains ==" wide
-        $str08 = "WEBCAMS COUNT: " wide
-        $str09 = "[Virtualization]" wide
-        $str10 = "[Open google maps](" wide
-        $str11 = "Remember password: " wide
-        $str12 = "Target.Browsers.Firefox" ascii
-        $str13 = "Modules.Keylogger" ascii
-        $str14 = "ClipperAddresses" ascii
-        $str15 = "ChromiumPswPaths" ascii
-        $str16 = "DetectedBankingServices" ascii
-        $str17 = "DetectCryptocurrencyServices" ascii
-        $str18 = "CheckRemoteDebuggerPresent" ascii
-        $str19 = "GetConnectedCamerasCount" ascii
-        $str20 = "costura.discord-webhook-client.dll.compressed" ascii wide
-        
-    condition:
-        uint16(0) == 0x5A4D and filesize>1MB and ((#stl > 5 and 2 of ($str*)) or 15 of ($str*))
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_stormkitty.yar b/yara_rules/sekoiaio_infostealer_win_stormkitty.yar
deleted file mode 100644
index 2363cb9..0000000
--- a/yara_rules/sekoiaio_infostealer_win_stormkitty.yar
+++ /dev/null
@@ -1,32 +0,0 @@
-rule sekoiaio_infostealer_win_stormkitty {
-    meta:
-        id = "5014d2e5-af5c-4800-ab1e-b57de37a2450"
-        version = "1.0"
-        description = "Finds StormKitty samples (or their variants) based on specific strings"
-        author = "Sekoia.io"
-        creation_date = "2023-03-29"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $sk01 = "LimerBoy/StormKitty" ascii wide
-        $sk02 = "StormKitty-Latest.log" wide
-        $sk03 = "StormKitty.exe" ascii
-        $sk04 = "Debug\\StormKitty.pdb" ascii
-        $sk05 = "StormKitty.Implant" ascii
-        
-        $str01 = "set_sUsername" ascii
-        $str02 = "set_sIsSecure" ascii
-        $str03 = "set_sExpMonth" ascii
-        $str04 = "WritePasswords" ascii
-        $str05 = "WriteCookies" ascii
-        $str06 = "sChromiumPswPaths" ascii
-        $str07 = "sGeckoBrowserPaths" ascii
-        $str08 = "Username: {1}" wide
-        $str09 = "Password: {2}" wide
-        $str10 = "encrypted_key\":\"(.*?)\"" wide
-        
-    condition:
-    uint16(0) == 0x5A4D and
-    ((1 of ($sk*) and 3 of ($str*)) or 7 of ($str*))
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_stormkitty_exfil_urls.yar b/yara_rules/sekoiaio_infostealer_win_stormkitty_exfil_urls.yar
deleted file mode 100644
index f14d24e..0000000
--- a/yara_rules/sekoiaio_infostealer_win_stormkitty_exfil_urls.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_infostealer_win_stormkitty_exfil_urls {
-    meta:
-        id = "d3b6e778-85da-4ab6-bc98-921897677485"
-        version = "1.0"
-        description = "Detect the open-source StormKitty spyware by looking for the github path"
-        author = "Sekoia.io"
-        creation_date = "2022-04-20"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "https://github.com/LimerBoy/StormKitty" ascii
-        $telegram = "https://api.telegram.org" wide
-        $discord = "https://cdn.discordapp.com" wide
-        
-    condition:
-        uint16(0)==0x5A4D
-        and all of them
-        and (#telegram > 3 or #discord > 3)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_titan.yar b/yara_rules/sekoiaio_infostealer_win_titan.yar
deleted file mode 100644
index 6cde16a..0000000
--- a/yara_rules/sekoiaio_infostealer_win_titan.yar
+++ /dev/null
@@ -1,26 +0,0 @@
-rule sekoiaio_infostealer_win_titan {
-    meta:
-        id = "0adbe616-0d91-4b05-b7a8-812cd79f9252"
-        version = "1.0"
-        description = "Finds samples of the Titan Stealer"
-        author = "Sekoia.io"
-        creation_date = "2023-01-12"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str0 = "/sendlog" ascii
-        $str1 = "/stealer/grabfiles.go" ascii
-        $str2 = "/stealer/installedsoft.go" ascii
-        $str3 = "/stealer/screenshot.go" ascii
-        $str4 = "/stealer/sendlog.go" ascii
-        $str5 = "/stealer/userinformation.go" ascii
-        $str6 = "C:/Program Files (x86)/Steam/config/" ascii
-        $str7 = "/com.liberty.jaxx/IndexedDB/file__0.indexeddb.leveldb/" ascii
-        $str8 = "MAC Adresses:" ascii
-        $str9 = "/Coowon/Coowon/" ascii
-        $str10 = "_/C_/Users/admin/Desktop/stealer_v7/stealer" ascii
-        
-    condition:
-        uint16(0)==0x5A4D and 5 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_vidar_str_jul22.yar b/yara_rules/sekoiaio_infostealer_win_vidar_str_jul22.yar
deleted file mode 100644
index ae92e57..0000000
--- a/yara_rules/sekoiaio_infostealer_win_vidar_str_jul22.yar
+++ /dev/null
@@ -1,30 +0,0 @@
-rule sekoiaio_infostealer_win_vidar_str_jul22 {
-    meta:
-        id = "1dc18694-aaac-41e6-979a-c06d5d62f5ea"
-        version = "1.0"
-        description = "Detect the Vidar infostealer based on specific strings"
-        author = "Sekoia.io"
-        creation_date = "2022-07-26"
-        modification_date = "2022-08-23"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "vcruntime140.dll" ascii
-        $str02 = "\\screenshot.jpg" ascii
-        $str03 = "HARDWARE\\DESCRIPTION\\System\\CentralProcessor" ascii
-        $str04 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall" ascii
-        $str05 = "%s\\%s\\%s\\chrome-extension_%s_0.indexeddb.leveldb" ascii
-        $str06 = "\\CC\\%s_%s.txt" ascii
-        $str07 = "\\Autofill\\%s_%s.txt" ascii
-        $str08 = "\\History\\%s_%s.txt" ascii
-        $str09 = "\\Downloads\\%s_%s.txt" ascii
-        $str10 = "Content-Disposition: form-data; name=" ascii
-        $str11 = "Exodus\\exodus.wallet" ascii
-        $str12 = "*%DRIVE_REMOVABLE%*" ascii
-        
-        $opc = {55 8b ec 51 56 8b 75 ?? 33 c0 c7 46 14 ?? ?? ?? ?? 89 46 ?? 68 ?? ?? ?? ?? 8b ce 89 45 ?? 88 06 e8 1f b6 ff ff 8b c6 5e c9 c2 ?? ??}
-        
-    condition:
-        uint16(0)==0x5A4D and (7 of them or $opc)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_vidar_strings_nov23.yar b/yara_rules/sekoiaio_infostealer_win_vidar_strings_nov23.yar
deleted file mode 100644
index 5d97f34..0000000
--- a/yara_rules/sekoiaio_infostealer_win_vidar_strings_nov23.yar
+++ /dev/null
@@ -1,34 +0,0 @@
-rule sekoiaio_infostealer_win_vidar_strings_nov23 {
-    meta:
-        version = "1.0"
-        description = "Finds Vidar samples based on the specific strings"
-        author = "Sekoia.io"
-        reference = "https://twitter.com/crep1x/status/1722652451319202242"
-        creation_date = "2023-11-10"
-        id = "b2c17627-f9b8-4401-b657-1cce560edc76"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "MachineID:" ascii
-        $str02 = "Work Dir: In memory" ascii
-        $str03 = "[Hardware]" ascii
-        $str04 = "VideoCard:" ascii
-        $str05 = "[Processes]" ascii
-        $str06 = "[Software]" ascii
-        $str07 = "information.txt" ascii
-        $str08 = "%s\\*" ascii
-        $str09 = "Select * From AntiVirusProduct" ascii
-        $str10 = "SELECT target_path, tab_url from downloads" ascii
-        $str11 = "Software\\Martin Prikryl\\WinSCP 2\\Configuration" ascii
-        $str12 = "UseMasterPassword" ascii
-        $str13 = "Soft: WinSCP" ascii
-        $str14 = "<Pass encoding=\"base64\">" ascii
-        $str15 = "Soft: FileZilla" ascii
-        $str16 = "passwords.txt" ascii
-        $str17 = "build_id" ascii
-        $str18 = "file_data" ascii
-        
-    condition:
-        uint16(0)==0x5A4D and 10 of ($str*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_vulturi.yar b/yara_rules/sekoiaio_infostealer_win_vulturi.yar
deleted file mode 100644
index 6b1237c..0000000
--- a/yara_rules/sekoiaio_infostealer_win_vulturi.yar
+++ /dev/null
@@ -1,36 +0,0 @@
-rule sekoiaio_infostealer_win_vulturi {
-    meta:
-        id = "5369cbfb-ff94-4484-b5a4-894feeed97e1"
-        version = "1.0"
-        description = "Detect the Vulturi infostealer based on specific strings"
-        author = "Sekoia.io"
-        reference = "https://lamp-ret.club/t/vulturi-cracked-by-tr0uble-and-eshelon_mayskih.193/"
-        creation_date = "2022-03-14"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $vul = "Vulturi_" ascii
-        
-        $str01 = "/C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A" wide
-        $str02 = "SELECT ExecutablePath, ProcessID FROM Win32_Process" wide
-        $str03 = "Apps\\Gaming\\Minecraft" wide
-        $str04 = "Apps\\Gaming\\Steam\\Apps" wide
-        $str05 = "Messengers\\Facebook\\Contacts.txt" wide
-        $str06 = "Messengers\\Discord\\Tokens.txt" wide
-        $str07 = "Apps\\VPN\\NordVPN\\accounts.txt" wide
-        $str08 = "Apps\\VPN\\DUC\\credentials.txt" wide
-        $str09 = "System\\Screenshots\\Webcam.png" wide
-        $str10 = "System\\Screenshots\\Desktop.png" wide
-        $str11 = "GTA San Andreas User Files\\SAMP\\USERDATA.DAT" wide
-        $str12 = "http://ip-api.com/line?fields=query" wide
-        $str13 = "Wireshark" wide
-        $str14 = "KeePass.config.xml" wide
-        $str15 = "Apps\\TheBat!" wide
-        $str16 = "Vulturi" wide
-        $str17 = "StealerStub" wide
-        
-    condition:
-        uint16(0)==0x5A4D and
-        (#vul > 50 or 12 of ($str*))
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_whitesnake_loader_feb23.yar b/yara_rules/sekoiaio_infostealer_win_whitesnake_loader_feb23.yar
deleted file mode 100644
index 86eca70..0000000
--- a/yara_rules/sekoiaio_infostealer_win_whitesnake_loader_feb23.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule sekoiaio_infostealer_win_whitesnake_loader_feb23 {
-    meta:
-        id = "f81a8a96-6fd2-4f5c-8a56-ff66ff1a80d3"
-        version = "1.0"
-        description = "Finds WhiteSnake samples (loader module, bat file)"
-        author = "Sekoia.io"
-        creation_date = "2023-03-01"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "echo         Please wait... a while Loading data ...." ascii
-        $str02 = "CERTUTIL -f -decode"  ascii
-        $str03 = "%Temp%\\build.exe" ascii
-        
-        $crt = "-----BEGIN CERTIFICATE-----" ascii
-        
-        $mz = "TVqQAAMAAAAEAAAA" ascii
-        
-    condition:
-        ($str01 in (0..200) or $str02 in (0..200) or $str03 in (0..200)) and
-        $mz in (@crt..@crt+50) and
-        filesize < 100KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_whitesnake_stealer_feb23.yar b/yara_rules/sekoiaio_infostealer_win_whitesnake_stealer_feb23.yar
deleted file mode 100644
index 3ee3d2d..0000000
--- a/yara_rules/sekoiaio_infostealer_win_whitesnake_stealer_feb23.yar
+++ /dev/null
@@ -1,32 +0,0 @@
-rule sekoiaio_infostealer_win_whitesnake_stealer_feb23 {
-    meta:
-        id = "68ae7fbc-4486-4b60-af5e-f37ddc58f170"
-        version = "1.0"
-        description = "Finds WhiteSnake samples (stealer module)"
-        author = "Sekoia.io"
-        creation_date = "2023-03-01"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $fun01 = "Ibhiyptxjhiacrnxomvqjb" ascii
-        $fun02 = "Irwcvmgzsduiiizaabbczm" ascii
-        
-        $whi = "WhiteSnake.Properties.Resources" ascii
-        
-        $str01 = "get_UtcNow" ascii
-        $str02 = "get_IPAddress" ascii
-        $str03= "get_Ticks" ascii
-        $str04 = "set_commands" ascii
-        $str05 = "set_Information" ascii
-        $str06 = "set_filedata" ascii
-        $str07 = "get_Jpeg" ascii
-        $str08 = "set_Culture" ascii
-        $str09 = "MakeScreenshot" ascii
-        
-    condition:
-        uint16(0) == 0x5A4D and
-        ((all of ($fun*) or $whi) and 3 of ($str*) or
-        7 of ($str*)) and
-        filesize < 100KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_whitesnake_xor_rc4_july12.yar b/yara_rules/sekoiaio_infostealer_win_whitesnake_xor_rc4_july12.yar
deleted file mode 100644
index 2f8fb2b..0000000
--- a/yara_rules/sekoiaio_infostealer_win_whitesnake_xor_rc4_july12.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_infostealer_win_whitesnake_xor_rc4_july12 {
-    meta:
-        id = "f2ebfcbd-9667-459a-a543-ce0be62c0dc4"
-        version = "1.0"
-        description = "Detects WhiteSnake Stealer XOR and RC4 version"
-        author = "Sekoia.io"
-        creation_date = "2023-07-12"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $1 = {FE 0C 00 00 FE 09 00 00 FE 0C 02 00 6F ?? 00 00 0A FE 0C 03 00 61 D1 FE 0E 04 00 FE}
-        $2 = {61 6e 61 6c 2e 6a 70 67}
-        $3 = {73 68 69 74 2e 6a 70 67}
-        $4 = {FE 0C ?? 00 20 00 01 00 00 3F ?? FF FF FF 20 00 00 00 00 FE 0E ?? 00 38 ?? 00 00 00 FE 0C}
-        $5 = "qemu" wide
-        $6 = "vbox" wide
-        
-    condition:
-        ($1 and $2 and filesize < 600KB) or ($3 and $4 and $5 and $6 and filesize < 300KB)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_xehook_str.yar b/yara_rules/sekoiaio_infostealer_win_xehook_str.yar
deleted file mode 100644
index 87341a9..0000000
--- a/yara_rules/sekoiaio_infostealer_win_xehook_str.yar
+++ /dev/null
@@ -1,33 +0,0 @@
-rule sekoiaio_infostealer_win_xehook_str {
-    meta:
-        id = "fa76988d-f0a2-4fc2-a122-c104fd585f34"
-        version = "1.0"
-        description = "Finds XehookStealer standalone samples based on specific strings."
-        author = "Sekoia.io"
-        creation_date = "2024-06-12"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "xehook" ascii
-        $str02 = "Classes.LogRecord" ascii
-        $str03 = "__  _____| |__   ___   ___ | | __" wide
-        $str04 = "\\ \\/ / _ \\ '_ \\ / _ \\ / _ \\| |/ /" wide
-        $str05 = " >  <  __/ | | | (_) | (_) |   <" wide
-        $str06 = "/_/\\_\\___|_| |_|\\___/ \\___/|_|\\_\\" wide
-        $str07 = "https://t.me/xehook" wide
-        $str08 = "About PC.txt" wide
-        $str09 = "Browser: {4} v{5} ({6})" wide
-        $str10 = "http://ip-api.com/json/?fields=11827" wide
-        $str11 = "{0}gate.php?id={1}&build={2}&passwords={3}&cookies={4}" wide
-        $str12 = "getjson.php?id=" wide
-        
-        $com01 = "CheckRemoteDebuggerPresent" ascii
-        $com02 = "get_CurrentThread" ascii
-        $com03 = "get_InstalledInputLanguages" ascii
-        $com04 = "get_Ticks" ascii
-        $com05 = "System.Security.Cryptography" ascii
-        
-    condition:
-        uint16(0)==0x5A4D and 2 of ($str*) and 4 of ($com*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_xenostealer_strings.yar b/yara_rules/sekoiaio_infostealer_win_xenostealer_strings.yar
deleted file mode 100644
index ff4306f..0000000
--- a/yara_rules/sekoiaio_infostealer_win_xenostealer_strings.yar
+++ /dev/null
@@ -1,36 +0,0 @@
-rule sekoiaio_infostealer_win_xenostealer_strings {
-    meta:
-        id = "0a41788b-1fa7-44ff-af85-9c1ff1892aad"
-        version = "1.0"
-        description = "Finds XenoStealer standalone samples based on the strings"
-        author = "Sekoia.io"
-        reference = "https://github.com/moom825/XenoStealer/"
-        creation_date = "2024-10-30"
-        classification = "TLP:CLEAR"
-        hash = "b74733d68e95220ab0630a68ddf973b0c959fd421628e639c1b91e465ba9299b"
-        
-    strings:
-        $str01 = "XenoStealer" ascii wide
-        $str02 = "$d05de59c-9ee5-4e7e-abb5-8f2cc3f72cd1" ascii
-        $str03 = "SteamInfo" ascii
-        $str04 = "TelegramInfo" ascii
-        $str05 = "NgrokInfo" ascii
-        $str06 = "pAuthInfo" ascii
-        $str07 = "FoxMailInfo" ascii
-        $str08 = "_hasNitro" ascii
-        $str09 = "_games" ascii
-        $str10 = "_profiles" ascii
-        $str11 = "_cookies" ascii
-        $str12 = "_creditCards" ascii
-        $str13 = "_cryptoExtensions" ascii
-        $str14 = "_passwordManagerExtensions" ascii
-        $str15 = "ChromiumBrowsersLikelyLocations" ascii
-        $str16 = "EdgeCryptoExtensions" ascii
-        $str17 = "ChromePasswordManagerExtensions" ascii
-        $str18 = "GeckoBrowserOptions" ascii
-        $str19 = "get_programFiles" ascii
-        
-    condition:
-        uint16(0)==0x5A4D and 15 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_xfiles.yar b/yara_rules/sekoiaio_infostealer_win_xfiles.yar
deleted file mode 100644
index 9fd3fe0..0000000
--- a/yara_rules/sekoiaio_infostealer_win_xfiles.yar
+++ /dev/null
@@ -1,51 +0,0 @@
-rule sekoiaio_infostealer_win_xfiles {
-    meta:
-        id = "3ad3ee19-6be8-484b-943c-05813cdcbd18"
-        version = "1.0"
-        description = "Detect the X-FILES infostealer based on specific strings"
-        author = "Sekoia.io"
-        reference = "https://twitter.com/3xp0rtblog/status/1375206169384521730"
-        creation_date = "2022-02-03"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $xfi0 = "Telegram bot - @XFILESShop_Bot" wide
-        $xfi1 = "Telegram support - @XFILES_Seller" wide
-        
-        $brw0 = "\\Google\\Chrome\\User Data\\Default\\Network\\Cookies" wide
-        $brw1 = "\\Chromium\\User Data\\Default\\Cookies" wide
-        $brw2 = "\\Slimjet\\User Data\\Default\\Cookies" wide
-        $brw3 = "\\Vivaldi\\User Data\\Default\\Cookies" wide
-        $brw4 = "\\Opera Software\\Opera GX Stable\\Cookies" wide
-        $brw5 = "\\Opera Software\\Opera Stable\\Cookies" wide
-        
-        $crp00 = "Tronlink" wide
-        $crp01 = "NiftyWallet" wide
-        $crp02 = "MetaMask" wide
-        $crp03 = "MathWallet" wide
-        $crp04 = "Coinbase" wide
-        $crp05 = "BinanceChain" wide
-        $crp06 = "GuardaWallet" wide
-        $crp07 = "EqualWallet" wide
-        $crp08 = "BitAppWallet" wide
-        $crp09 = "iWallet" wide
-        $crp10 = "Wombat" wide
-        $crp11 = "Zcash" wide
-        $crp12 = "Armory" wide
-        $crp13 = "Bytecoin" wide
-        $crp14 = "Jaxx" wide
-        $crp15 = "Exodus" wide
-        $crp16 = "Ethereum" wide
-        $crp17 = "AtomicWallet" wide
-        $crp18 = "Guarda" wide
-        $crp19 = "Coinomi" wide
-        $crp20 = "Litecoin" wide
-        $crp21 = "Dash" wide
-        $crp22 = "Bitcoin" wide
-        
-    condition:
-        uint16(0)==0x5A4D and 
-        any of ($xfi*) or 
-        5 of ($brw*) and 20 of ($crp*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_infostealer_win_zharkbot_dump.yar b/yara_rules/sekoiaio_infostealer_win_zharkbot_dump.yar
deleted file mode 100644
index 2456bc7..0000000
--- a/yara_rules/sekoiaio_infostealer_win_zharkbot_dump.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-rule sekoiaio_infostealer_win_zharkbot_dump {
-    meta:
-        id = "84c4f02e-fa59-4ab9-b8e8-077cd23ce117"
-        version = "1.0"
-        description = "Finds ZharkBot dumps based on specific strings."
-        author = "Sekoia.io"
-        creation_date = "2024-07-10"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "log\\Passwords.txt" ascii
-        $str02 = "---------------------------------------------------------------------" ascii
-        $str03 = "Browser: %s" ascii
-        $str04 = "Stealer: ZharkBOT" ascii
-        $str05 = "Failed to decrypt password for URL: %s" ascii
-        $str06 = "Closed database and cleaned up!" ascii
-        $str07 = "CREATE TEMP TABLE sqlite_temp_master(" ascii
-        $str08 = "(OpiumG4ng Win32)" wide
-        
-    condition:
-        uint16(0)==0x5A4D and (5 of them or $str08)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_installer_win_minibus.yar b/yara_rules/sekoiaio_installer_win_minibus.yar
deleted file mode 100644
index 2b1283d..0000000
--- a/yara_rules/sekoiaio_installer_win_minibus.yar
+++ /dev/null
@@ -1,28 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_installer_win_minibus {
-    meta:
-        id = "0f7f600d-d93b-4b5a-aa0e-7d91038409e6"
-        version = "1.0"
-        description = "Detect MINIBUS installer"
-        author = "Sekoia.io"
-        creation_date = "2024-04-08"
-        classification = "TLP:CLEAR"
-        hash1 = "26ca51cb067e1fdf1b8ad54ba49883bc5d1945952239aec0c4840754bff76621"
-        hash2 = "90fa29cc98be1d715df26d22079bdb8ce1d1fd3ce6a4efb39a4c192134e01020"
-        
-    strings:
-        $ = "\\essential.dat"
-        $ = "TorvaldInitial.dll"
-        
-    condition:
-        // Strings
-        uint16be(0) == 0x4d5a and 1 of them
-        
-        // Resources
-        or for any i in (0..pe.number_of_resources-1) : (
-            hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "de3fb5d4419eb6b943872dd6e3dd93d19584ef2b158aa3158b3b09f0a9b628ef"
-        )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_keylogger_win_donot.yar b/yara_rules/sekoiaio_keylogger_win_donot.yar
deleted file mode 100644
index f2f4a07..0000000
--- a/yara_rules/sekoiaio_keylogger_win_donot.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule sekoiaio_keylogger_win_donot {
-    meta:
-        id = "4f67dda7-da68-4496-a8b4-a8a769ddd763"
-        version = "1.0"
-        description = "Detect the DoNot's keylogger malware"
-        author = "Sekoia.io"
-        creation_date = "2023-03-20"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "iwrct2mTFAu0ew1nyqQgoaNtNo0+52R0XiTKbwy1W48Bn1b2YcNt0+tptyY6oGoAeLDGekM/yHcdikNGi8bLqkUQ8CIdkWeT3QiympOTfjs="
-        $ = "ZmVwZW9kbWZ2c24ucHMuZ3h4LngweXBvdWpkYm1qcXE7YnFmVXp1LmZvb3VEcA=="
-        
-    condition:
-       1 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_killfloor_avkiller_strings.yar b/yara_rules/sekoiaio_killfloor_avkiller_strings.yar
deleted file mode 100644
index 26cc951..0000000
--- a/yara_rules/sekoiaio_killfloor_avkiller_strings.yar
+++ /dev/null
@@ -1,26 +0,0 @@
-rule sekoiaio_killfloor_avkiller_strings {
-    meta:
-        id = "ae6908c3-27d4-4d2c-af21-a9548dfcd487"
-        version = "1.0"
-        description = "Kill-Floor strings"
-        author = "Sekoia.io"
-        creation_date = "2024-10-29"
-        classification = "TLP:CLEAR"
-        hash = "9f16176ac20f7855fa960d321e156d69"
-        hash = "4b019e9ed2de734e242602abce06f7c1"
-        hash = "81ae32d9de8fd21acfc61d62f3292277"
-        hash = "7cb2c4560e02c25463ec70e222ad0018"
-        
-    strings:
-        $ = "sc create aswArPot.sys type=kernel binpath=%s" ascii
-        $ = "sc start aswArPot.sys" ascii
-        $ = "[*] Enumerating target processes" ascii
-        $ = "[*] Entering main loop... " ascii
-        $ = "aswArPot.pdb" ascii
-        $ = "SeConvertStringSecurityDescriptorToSecurityDescriptor" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and filesize < 1MB and filesize > 20KB and 
-        6 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_kimsuky_konni_dll.yar b/yara_rules/sekoiaio_kimsuky_konni_dll.yar
deleted file mode 100644
index 9c86b04..0000000
--- a/yara_rules/sekoiaio_kimsuky_konni_dll.yar
+++ /dev/null
@@ -1,30 +0,0 @@
-rule sekoiaio_kimsuky_konni_dll {
-    meta:
-        id = "6a20c492-e932-41bd-ac4a-01d35bfb0c49"
-        version = "1.0"
-        description = "Rule based on structure offset and file extension"
-        author = "Sekoia.io"
-        creation_date = "2022-09-12"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ext_1 = ".zip" wide ascii fullword
-        $ext_2 = ".cab" wide ascii fullword
-        $ext_3 = ".rar" wide ascii fullword
-        $ext_4 = ".ini" wide ascii fullword
-        $ext_5 = ".dat" wide ascii fullword
-        
-        $offset_structure_1 = { 8d ?? 08 02 00 00 } //offset 0x208
-        $offset_structure_2 = { 8d ?? 10 04 00 00 } //offset 0x410
-        $offset_structure_3 = { 8d ?? 18 06 00 00 } //offset 0x618
-        $offset_structure_4 = { 8d ?? 20 08 00 00 } //offset 0x820
-        $offset_structure_5 = { 8d ?? 28 0a 00 00 } //offset 0xa28
-        $offset_structure_6 = { 89 ?? f8 11 00 00 } //offset 0x11f8
-        $offset_structure_7 = { 8d ?? fc 11 00 00 } //offset 0x11fc
-        $offset_structure_8 = { 89 ?? 0c 12 00 00 } //offset 0x120c
-        $offset_structure_9 = { 89 ?? 10 12 00 00 } //offset 0x1210
-        
-    condition:
-        uint16be(0) == 0x4d5a and filesize < 11MB and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_koi_koiloader.yar b/yara_rules/sekoiaio_koi_koiloader.yar
deleted file mode 100644
index 511580d..0000000
--- a/yara_rules/sekoiaio_koi_koiloader.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_koi_koiloader {
-    meta:
-        id = "b8289d78-42de-4919-b2c5-3c926ddd8043"
-        version = "1.0"
-        description = "Detects Koi Loader"
-        author = "Sekoia.io"
-        creation_date = "2024-03-20"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s2 = "%d|%s|%.16s|" ascii wide
-        $s3 = "Release" ascii wide
-        $s4 = "%s|%d.%d (%d)|%S|%S|%S" ascii wide
-        $s5 = "InitiateSystemShutdownExW" ascii wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and filesize < 11MB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_koi_netstealer.yar b/yara_rules/sekoiaio_koi_netstealer.yar
deleted file mode 100644
index 94a2be1..0000000
--- a/yara_rules/sekoiaio_koi_netstealer.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_koi_netstealer {
-    meta:
-        id = "deb06e2a-848c-44b3-be95-017ebccf11f8"
-        version = "1.0"
-        description = "Detects NET ofbuscated Stealer used loaded by KoiLoader"
-        author = "Sekoia.io"
-        creation_date = "2024-03-20"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $name_1 = "pg20"
-        $name_2 = "pg40"
-        $s1 = "Curve25519"
-        $s2 = "ConsoleApp"
-        $s3 = "e0d2eec7-eb14-48ba-8709-dcc9de65947d"
-        
-    condition:
-        uint16be(0) == 0x4d5a and filesize < 150KB and 
-        any of ($name_*) and all of ($s*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_koi_powershell_loading_obfuscatednet.yar b/yara_rules/sekoiaio_koi_powershell_loading_obfuscatednet.yar
deleted file mode 100644
index 9ee4fcb..0000000
--- a/yara_rules/sekoiaio_koi_powershell_loading_obfuscatednet.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_koi_powershell_loading_obfuscatednet {
-    meta:
-        id = "75a7460d-cc28-470e-9841-da8e46ee0101"
-        version = "1.0"
-        description = "Powershell script loading obfuscated .NET Koi module"
-        author = "Sekoia.io"
-        creation_date = "2024-03-20"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "# [Net.ServicePointManager]::SecurityProtocol +='tls12'"
-        $s2 = "$binary[$i] = $binary[$i] -bxor $k[$i % $k.Length]"
-        $s3 = "\").Split('|')"
-        $s4 = "$ep.Invoke($null, "
-        
-    condition:
-        $s3 and 3 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_koiloader_lnk.yar b/yara_rules/sekoiaio_koiloader_lnk.yar
deleted file mode 100644
index 14cd3c3..0000000
--- a/yara_rules/sekoiaio_koiloader_lnk.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_koiloader_lnk {
-    meta:
-        id = "e82975b9-94b7-4de8-8cd5-d594aa80cf02"
-        version = "1.0"
-        description = "LNK file leading to deploy KoiLoader"
-        author = "Sekoia.io"
-        creation_date = "2024-03-20"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "bat & schtasks /create" wide
-        $s2 = "/sc minute /mo 1" wide
-        $s3 = "c3RhcnQgL21pbiBwb3dlcnNoZWxsIC1jb21tYW5kICJJV1IgLVVzZUJhc2ljUGFyc2luZyAnaHR0cHM6" wide
-        $s4 = " & certutil -f -decode " wide
-        
-    condition:
-        uint32(0) == 0x0000004c and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_koiloader_powershell_reflective_loading.yar b/yara_rules/sekoiaio_koiloader_powershell_reflective_loading.yar
deleted file mode 100644
index 1341883..0000000
--- a/yara_rules/sekoiaio_koiloader_powershell_reflective_loading.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_koiloader_powershell_reflective_loading {
-    meta:
-        id = "9bbe4cea-3e64-4377-bf93-def9fb629734"
-        version = "1.0"
-        description = "Powershell script loading service.exe (related to Koi Loader)"
-        author = "Sekoia.io"
-        creation_date = "2024-03-20"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "[Byte[]]$image" ascii fullword
-        $s2 = "function GDT"
-        $s3 = "function GPA"
-        $s4 = "GDT @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr])"
-        $s5 = "$marshal::GetDelegateForFunctionPointer($CTAddr, $CTDeleg)"
-        
-    condition:
-        $s1 at 0 and 4 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_latrodectus_br4_js_dropper.yar b/yara_rules/sekoiaio_latrodectus_br4_js_dropper.yar
deleted file mode 100644
index d071d25..0000000
--- a/yara_rules/sekoiaio_latrodectus_br4_js_dropper.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule sekoiaio_latrodectus_br4_js_dropper {
-    meta:
-        id = "042a598d-66fa-4994-a793-228355abd5dd"
-        version = "1.0"
-        description = "Detect the JS script used to drop Latrodectus"
-        author = "Sekoia.io"
-        creation_date = "2024-06-25"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = " installer.InstallProduct(msiPath);" ascii
-        $s2 = "new ActiveXObject(\"WindowsInstaller.Installer\");" ascii
-        
-    condition:
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_latrodectus_exports.yar b/yara_rules/sekoiaio_latrodectus_exports.yar
deleted file mode 100644
index b85efea..0000000
--- a/yara_rules/sekoiaio_latrodectus_exports.yar
+++ /dev/null
@@ -1,16 +0,0 @@
-import "pe"
-        
-rule sekoiaio_latrodectus_exports {
-    meta:
-        version = "1.0"
-        description = "detection based on the exports"
-        creation_date = "2024-07-03"
-        classification = "TLP:CLEAR"
-        author = "Sekoia.io"
-        id = "29076cf5-f391-42f2-918f-e1c929bd368d"
-        
-    condition:
-        (pe.exports("stow") or pe.exports("homq") or pe.exports("scub")) and 
-        pe.number_of_exports >= 3 and uint16(0) == 0x5a4d
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_launcher_win_bluehaze.yar b/yara_rules/sekoiaio_launcher_win_bluehaze.yar
deleted file mode 100644
index 952c090..0000000
--- a/yara_rules/sekoiaio_launcher_win_bluehaze.yar
+++ /dev/null
@@ -1,36 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_launcher_win_bluehaze {
-    meta:
-        id = "ccfe0593-0a9f-4369-952e-5cef2f459bb3"
-        version = "1.0"
-        description = "Detect the BLUEHAZE malware"
-        author = "Sekoia.io"
-        creation_date = "2022-12-01"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "Libraries\\CNNUDTV"
-        $ = "cmd.exe /C wuwebv.exe -t -e"
-        $ = "cmd.exe /C reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v ACNTV /t REG_SZ /d \"Rundll32.exe SHELL32.DLL,ShellExec_RunDLL"
-        
-    condition:
-        // Strings
-        uint16(0)==0x5A4D and 3 of them
-        
-        // Imphash
-        or pe.imphash() == "1b3d8fae6035e34f91baa59643746efe"
-
-        // Rich header
-        or hash.md5(pe.rich_signature.clear_data) == "44022b7cefeae4d55edcceb5b9bcd295"
-
-        // Sections
-        or for any i in (0..pe.number_of_sections-1) : (
-            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "1cdcb493593f8793b10e109f6b5b2993"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "276d668ed7d1b46e101425e02a16460f"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "f6a474220add335b5696256235ce8c9c"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "82bccb3330d50080f86ab1aa566cae8e"
-        )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_launcher_win_mistcloak.yar b/yara_rules/sekoiaio_launcher_win_mistcloak.yar
deleted file mode 100644
index 5b9c5b6..0000000
--- a/yara_rules/sekoiaio_launcher_win_mistcloak.yar
+++ /dev/null
@@ -1,34 +0,0 @@
-import "hash"
-import "pe"
-        
-rule sekoiaio_launcher_win_mistcloak {
-    meta:
-        id = "3dbf5efa-d77c-436a-a080-9ac58a78425f"
-        version = "1.0"
-        description = "Detect the MISTCLOAK malware"
-        author = "Sekoia.io"
-        creation_date = "2022-12-01"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "\\usb.ini"
-        $ = "autorun.inf\\Protection for Autorun\\System Volume Information"
-        $ = "G:\\project\\APT\\U"
-        $ = "\\new\\u2ec\\Release\\u2ec.pdb"
-        $ = "CheckUsbService"
-        
-    condition:
-        // Strings
-        uint16(0)==0x5A4D and 3 of them
-
-        // Rich header
-        or hash.md5(pe.rich_signature.clear_data) == "0f5082fd7ddd1950fa332a8fa4df052f"
-
-        // Sections
-        or for any i in (0..pe.number_of_sections-1) : (
-            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "0ceac625db1e8405efe45d47486e9e2d"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "6968e6ac7b9c1dfbf40a0b3c4f6f4157"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "e6ed2da41f74e948cba7a002c41c6af5"
-        )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_launcher_win_romcom_launcher.yar b/yara_rules/sekoiaio_launcher_win_romcom_launcher.yar
deleted file mode 100644
index b199e85..0000000
--- a/yara_rules/sekoiaio_launcher_win_romcom_launcher.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule sekoiaio_launcher_win_romcom_launcher {
-    meta:
-        id = "e8fa8239-a763-4be2-8f34-8e112e65b35e"
-        version = "1.0"
-        description = "Detect the launcher of RomCom malware"
-        author = "Sekoia.io"
-        creation_date = "2022-11-04"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        // C:\Users\123\source\repos\ins_asi\Win32\Release\setup.pdb
-        $ = {43 3a 5c 55 73 65 72 73 5c 31 32 33 5c 73 6f 75 72 63 65 5c 72 65 70 6f 73 5c 69 6e 73 5f 61 73 69 5c 57 69 6e 33 32 5c 52 65 6c 65 61 73 65 5c 73 65 74 75 70 2e 70 64 62}
-        
-    condition:
-        uint16(0)==0x5A4D and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_launcher_win_stealthmutant_bat_launcher.yar b/yara_rules/sekoiaio_launcher_win_stealthmutant_bat_launcher.yar
deleted file mode 100644
index 3064a41..0000000
--- a/yara_rules/sekoiaio_launcher_win_stealthmutant_bat_launcher.yar
+++ /dev/null
@@ -1,27 +0,0 @@
-rule sekoiaio_launcher_win_stealthmutant_bat_launcher {
-    meta:
-        id = "7452291f-2244-469e-bb7c-5eff1ca17aa2"
-        version = "1.0"
-        description = "StealthMutant/StealthVector bat launcher"
-        author = "Sekoia.io"
-        creation_date = "2021-08-26"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "set \"WORK_DIR=" ascii
-        $s2 = "set \"DLL_NAME=" ascii
-        $s3 = "set \"SERVICE_NAME=" ascii
-        $s4 = "set \"DISPLAY_NAME=" ascii
-        $s5 = "set \"DESCRIPTION=" ascii
-        
-        $start = "@echo off" ascii
-        $end = "net start \"%SERVICE_NAME%\"" ascii
-        
-    condition:
-        uint16(0)!=0x5A4D  
-        and all of ($s*)
-        and filesize < 2KB
-        and $start at 0
-        and $end in (filesize-30..filesize)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_lnk_astaroth.yar b/yara_rules/sekoiaio_lnk_astaroth.yar
deleted file mode 100644
index 44b1f8f..0000000
--- a/yara_rules/sekoiaio_lnk_astaroth.yar
+++ /dev/null
@@ -1,34 +0,0 @@
-rule sekoiaio_lnk_astaroth {
-    meta:
-        id = "1f4ce619-6f94-400a-9b32-46f2018da25c"
-        version = "1.0"
-        description = "Astaroth LNK"
-        author = "Sekoia.io"
-        creation_date = "2024-09-18"
-        classification = "TLP:CLEAR"
-        hash = "5611ea372f63ccd3a2e860e763714bb9"
-        hash = "3e4c01180fd7e9bffbf5cc9fe9e9c8ae"
-        hash = "ce4a3cfc450a8bbf8399c71d67c09954"
-        
-    strings:
-        $all1 = "S-1-5-21-" wide
-        $all2 = "..\\..\\Windows\\System32\\cmd.exe" wide
-        
-        $ver2_1 = "&&<nul" wide
-        $ver2_2 = "|call !" wide
-        $ver2_3 = "\\shell32.dll" wide
-        $ver2_4 = ";eval(" wide
-        $ver2_5 = "\\u" wide
-        
-        $ver1_1 = "/c mshtA \"JaVAsCrIpT:" nocase wide
-        $ver1_2 = "}catch(" nocase wide
-        $ver1_3 = "){}" nocase wide
-        $ver1_4 = "close()" nocase wide
-        $ver1_5 = "\\x" wide
-        $ver1_6 = "\\1" wide
-        
-    condition:
-        uint32be(0) == 0x4c000000 and filesize<3KB and all of ($all*) and
-        ((all of ($ver2*) and #ver2_5 > 20) or (all of ($ver1*) and #ver1_5 > 20 and #ver1_6 > 7))
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_loader_amadey_clipper_plugin.yar b/yara_rules/sekoiaio_loader_amadey_clipper_plugin.yar
deleted file mode 100644
index bf90d40..0000000
--- a/yara_rules/sekoiaio_loader_amadey_clipper_plugin.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_loader_amadey_clipper_plugin {
-    meta:
-        version = "1.0"
-        description = "Finds Amadey's clipper plugin based on characteristic strings"
-        author = "Sekoia.io"
-        creation_date = "2023-05-16"
-        id = "487b6657-8834-45ee-8fd4-03df9c0dd7be"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "CLIPPERDLL.dll" ascii
-        $str02 = "??4CClipperDLL@@QAEAAV0@$$QAV0@@Z" ascii
-        $str03 = "??4CClipperDLL@@QAEAAV0@ABV0@@Z" ascii
-        $str04 = "Main" ascii fullword
-        $str05 = "OpenClipboard" ascii
-        $str06 = "GetClipboardData" ascii
-        $str07 = "D:\\Mktmp\\Amadey\\ClipperDLL\\Release\\CLIPPERDLL.pdb" ascii
-        
-    condition:
-        uint16(0)==0x5A4D and 5 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_loader_amadey_standalone_may23.yar b/yara_rules/sekoiaio_loader_amadey_standalone_may23.yar
deleted file mode 100644
index 7bded7f..0000000
--- a/yara_rules/sekoiaio_loader_amadey_standalone_may23.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_loader_amadey_standalone_may23 {
-    meta:
-        version = "1.0"
-        description = "Finds standalone samples of Amadey based on characteristic strings"
-        author = "Sekoia.io"
-        creation_date = "2023-05-17"
-        id = "5013586c-5ac3-4c1a-a82e-edce4889eedc"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "\\Amadey\\Release\\Amadey.pdb" ascii
-        
-        $hex01 = { 6E 74 64 6C 6C 2E 64 6C  6C 00 00 00 72 75 6E 61 73 } //ntdll.dll   runas
-        
-    condition:
-        uint16(0)==0x5A4D and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_loader_amadey_stealer_plugin.yar b/yara_rules/sekoiaio_loader_amadey_stealer_plugin.yar
deleted file mode 100644
index 9ee3870..0000000
--- a/yara_rules/sekoiaio_loader_amadey_stealer_plugin.yar
+++ /dev/null
@@ -1,28 +0,0 @@
-rule sekoiaio_loader_amadey_stealer_plugin {
-    meta:
-        version = "1.0"
-        description = "Finds Amadey's stealer plugin based on characteristic strings"
-        author = "Sekoia.io"
-        creation_date = "2023-05-16"
-        id = "50154e39-98b3-40e5-8986-18bbb7b15647"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "STEALERDLL.dll" ascii
-        $str02 = "?wal=1" fullword ascii
-        $str03 = "Content-Disposition: form-data; name=\"data\"; filename=\"" ascii
-        $str04 = "tar.exe -cf \"" ascii
-        $str05 = "SELECT origin_url, username_value, password_value FROM logins" ascii
-        $str06 = "\\Google\\Chrome\\User Data\\Default\\Login Data" ascii
-        $str07 = "\\SputnikLab\\Sputnik\\User Data\\Default\\Login Data" ascii
-        $str08 = "\\Mozilla\\Firefox\\Profiles\\" ascii
-        $str09 = "\"hostname\":\"([^\"]+)\"" ascii
-        $str10 = "\"encryptedUsername\":\"([^\"]+)\"" ascii
-        $str11 = "\"encryptedPassword\":\"([^\"]+)\"" ascii
-        $str12 = "&cred=" fullword ascii
-        $str13 = "D:\\Mktmp\\Amadey\\StealerDLL\\x64\\Release\\STEALERDLL.pdb" ascii
-        
-    condition:
-        uint16(0)==0x5A4D and 7 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_loader_fakebat_initial_powershell_may24.yar b/yara_rules/sekoiaio_loader_fakebat_initial_powershell_may24.yar
deleted file mode 100644
index e2a6e2f..0000000
--- a/yara_rules/sekoiaio_loader_fakebat_initial_powershell_may24.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_loader_fakebat_initial_powershell_may24 {
-    meta:
-        id = "adf0e4fc-fa98-470b-9535-bd30d0bdb3aa"
-        version = "1.0"
-        description = "Finds FakeBat initial PowerShell script downloading and executing the next-stage payload."
-        author = "Sekoia.io"
-        creation_date = "2024-05-28"
-        modification_date = "2024-06-21"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "='http" wide
-        $str02 = "=(iwr -Uri $" wide
-        $str03 = " -UserAgent $" wide
-        $str04 = " -UseBasicParsing).Content; iex $" wide
-        
-    condition:
-        3 of ($str*) and
-        filesize < 1KB and
-        true
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_loader_fakebat_powershell_fingerprint_may24.yar b/yara_rules/sekoiaio_loader_fakebat_powershell_fingerprint_may24.yar
deleted file mode 100644
index a062b1e..0000000
--- a/yara_rules/sekoiaio_loader_fakebat_powershell_fingerprint_may24.yar
+++ /dev/null
@@ -1,28 +0,0 @@
-rule sekoiaio_loader_fakebat_powershell_fingerprint_may24 {
-    meta:
-        id = "7efcf9cf-78fe-400e-abe3-6955c394e358"
-        version = "1.0"
-        description = "Finds FakeBat PowerShell script fingerprinting the infected host."
-        author = "Sekoia.io"
-        creation_date = "2024-06-21"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "Get-WmiObject Win32_ComputerSystem" ascii
-        $str02 = "-Class AntiVirusProduct" ascii
-        $str03 = "status = \"start\"" ascii
-        $str04 = " | ConvertTo-Json" ascii
-        $str05 = ".FromXmlString(" ascii
-        $str06 = " = Invoke-RestMethod -Uri " ascii
-        $str07 = ".Exception.Response.StatusCode -eq 'ServiceUnavailable'" ascii
-        $str08 = "Invoke-WebRequest -Uri $url -OutFile " ascii
-        $str09 = "--batch --yes --passphrase-fd" ascii
-        $str10 = "--decrypt --output" ascii
-        $str11 = "Invoke-Expression \"tar --extract --file=" ascii
-        
-    condition:
-        7 of them and
-        filesize < 10KB and
-        true
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_loader_latrodectus_dll.yar b/yara_rules/sekoiaio_loader_latrodectus_dll.yar
deleted file mode 100644
index 0636c0d..0000000
--- a/yara_rules/sekoiaio_loader_latrodectus_dll.yar
+++ /dev/null
@@ -1,36 +0,0 @@
-rule sekoiaio_loader_latrodectus_dll {
-    meta:
-        version = "1.0"
-        description = "Finds Latrodectus samples based on the specific strings"
-        author = "Sekoia.io"
-        reference = "https://twitter.com/Myrtus0x0/status/1732997981866209550"
-        creation_date = "2023-12-08"
-        id = "c60676ad-31cb-4f4d-9073-757a0ad7d23d"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "c:\\temp\\debug.pdb" fullword ascii
-        $str02 = "Bottmp64.dll" fullword ascii
-        $str03 = "scab" fullword ascii
-        $str04 = "&wmic=" fullword ascii
-        $str05 = "&ipconfig=" fullword ascii
-        $str06 = "&systeminfo=" fullword ascii
-        $str07 = "&domain_trusts=" fullword ascii
-        $str08 = "&domain_trusts_all=" fullword ascii
-        $str09 = "&net_view_all_domain=" fullword ascii
-        $str10 = "&net_view_all=" fullword ascii
-        $str11 = "&net_group=" fullword ascii
-        $str12 = "&net_config_ws=" fullword ascii
-        $str13 = "&net_wmic_av=" fullword ascii
-        $str14 = "&whoami_group=" fullword ascii
-        $str15 = "\"subproc\": [" fullword ascii
-        $str16 = "&proclist=[" fullword ascii
-        $str17 = "&desklinks=[" fullword ascii
-        $str18 = "Update_%x" fullword wide
-        $str19 = "Custom_update" fullword wide
-        $str20 = "\\update_data.dat" fullword wide
-        
-    condition:
-        uint16(0)==0x5A4D and 10 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_loader_win_abcloader.yar b/yara_rules/sekoiaio_loader_win_abcloader.yar
deleted file mode 100644
index 5c480ac..0000000
--- a/yara_rules/sekoiaio_loader_win_abcloader.yar
+++ /dev/null
@@ -1,29 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_loader_win_abcloader {
-    meta:
-        id = "c286ce75-a041-478e-a567-4bf1d5e66c01"
-        version = "1.0"
-        description = "Detect ABCloader"
-        author = "Sekoia.io"
-        creation_date = "2024-08-19"
-        classification = "TLP:CLEAR"
-        reference = "https://nsfocusglobal.com/new-apt-group-actor240524-a-closer-look-at-its-cyber-tactics-against-azerbaijan-and-israel/"
-        hash = "0d1dca5eaad49c2dbd979e1bf0b5f8d0"
-        hash = "9a640889e82407b06c546fea15be668f"
-        
-    strings:
-        $ = "qSii.LI4"
-        $ = "Cabinet.dll"
-        
-    condition:
-        uint16be(0) == 0x4d5a and all of them
-        
-        // Imphash
-        or pe.imphash() == "45c6b272631aa9e0c4b2ba675699b803"
-        
-        // Rich PE header hash
-        or hash.md5(pe.rich_signature.clear_data) == "b33158757dc039859e272f4528e10e80"
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_loader_win_aresloader.yar b/yara_rules/sekoiaio_loader_win_aresloader.yar
deleted file mode 100644
index c22dd89..0000000
--- a/yara_rules/sekoiaio_loader_win_aresloader.yar
+++ /dev/null
@@ -1,29 +0,0 @@
-rule sekoiaio_loader_win_aresloader {
-    meta:
-        version = "1.0"
-        description = "Finds AresLoader samples based on characteristic strings"
-        author = "Sekoia.io"
-        reference = "https://blog.cyble.com/2023/04/28/citrix-users-at-risk-aresloader-spreading-through-disguised-gitlab-repo/"
-        creation_date = "2023-05-02"
-        id = "bf5070fc-c8ca-4458-8702-cd1830667b7a"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "{\\\"ip\\\": '%s', \\\"UID\\\": '%s', \\\"geo\\\": '%s', \\\"service\\\": '%s', \\\"owner_token\\\": '%s'}" ascii
-        $str02 = "AresLdr_v_3" ascii
-        $str03 = "https://ipinfo.io/ip" ascii
-        $str04 = "C:\\Users\\%s\\AppData\\Roaming\\%s\\%s" ascii
-        $str05 = "/manager/payload" ascii
-        $str06 = "/manager/loader" ascii
-        $str07 = "/manager/legit" ascii
-        $str08 = "/manager/hvnc" ascii
-        $str09 = "C%p %d V=%0X w=%ld %s" ascii
-        $str10 = "rundll32.exe %s,%s" ascii
-        $str11 = "%startinfo" ascii
-        $str12 = "%managedapp" ascii
-        $str13 = "%has_cctor" ascii
-        
-    condition:
-        uint16(0)==0x5A4D and 5 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_loader_win_batloader_scripts.yar b/yara_rules/sekoiaio_loader_win_batloader_scripts.yar
deleted file mode 100644
index 53a476d..0000000
--- a/yara_rules/sekoiaio_loader_win_batloader_scripts.yar
+++ /dev/null
@@ -1,31 +0,0 @@
-rule sekoiaio_loader_win_batloader_scripts {
-    meta:
-        version = "1.0"
-        description = "Finds BatLoader samples based on the specific download URL"
-        author = "Sekoia.io"
-        creation_date = "2022-11-30"
-        id = "31a04ad3-74f8-4aa5-b3fc-df792bdc71b5"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $url = /https?:\/\/[^\s]{15,35}\/index\/[^\s]{1,40}servername=msi/ ascii wide
-        
-        $str00 = "Invoke-WebRequest" ascii wide
-        $str01 = "PSScriptRoot" ascii wide
-        $str02 = "Add-MpPreference" ascii wide
-        $str03 = "Install-GnuPG" ascii wide
-        $str04 = "wmic computersystem get domain" ascii wide
-        $str05 = "ArpInfo" ascii wide
-        $str06 = "$script:List_ProccesCheck" ascii wide
-        $str07 = "Get-Process -Name" ascii wide
-        $str08 = "f001_SetProcessList" ascii wide
-        $str09 = "var WshShell" ascii wide
-        $str10 = "WScript.Sleep" ascii wide
-        $str11 = "WshShell.Run" ascii wide
-        $str12 = "powershell Invoke-WebRequest" ascii wide
-        $str13 = "-nop -w hidden " ascii wide
-        
-    condition:
-        $url and 2 of ($str*) and filesize < 50KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_loader_win_bumblebee.yar b/yara_rules/sekoiaio_loader_win_bumblebee.yar
deleted file mode 100644
index b04a364..0000000
--- a/yara_rules/sekoiaio_loader_win_bumblebee.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_loader_win_bumblebee {
-    meta:
-        id = "ff36f512-c700-4f52-bc89-68ab9c69462c"
-        version = "1.0"
-        description = "Detect BUMBLEBEE based on specific strings"
-        author = "Sekoia.io"
-        creation_date = "2022-04-08"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str0 = "Z:\\hooker2\\Common\\md5.cpp" wide
-        $str1 = "3C29FEA2-6FE8-4BF9-B98A-0E3442115F67" wide
-        $str2 = "bumblebee" ascii
-        
-    condition:
-        uint16(0)==0x5A4D and 2 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_loader_win_dodgebox.yar b/yara_rules/sekoiaio_loader_win_dodgebox.yar
deleted file mode 100644
index 2065b0a..0000000
--- a/yara_rules/sekoiaio_loader_win_dodgebox.yar
+++ /dev/null
@@ -1,30 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_loader_win_dodgebox {
-    meta:
-        id = "8d5f94f3-1add-4f34-ba9e-f8f576c4e5b8"
-        version = "1.0"
-        description = "Detect the DodgeBox malware using several criteria"
-        author = "Sekoia.io"
-        creation_date = "2024-07-15"
-        classification = "TLP:CLEAR"
-        reference = "https://www.zscaler.com/blogs/security-research/dodgebox-deep-dive-updated-arsenal-apt41-part-1"
-        hash1 = "c6a3a1ea84251aed908702a1f2a565496d583239c5f467f5dcd0cfc5bfb1a6db"
-        hash2 = "33fd050760e251ab932e5ca4311b494ef72cee157b20537ce773420845302e49"
-        
-    condition:
-        // Imphash
-        pe.imphash() == "aeea1135af87e6b6b23fa7da995967ea"
-        
-        // Rich PE header
-        or hash.md5(pe.rich_signature.clear_data) == "1c850cf955b35f60ee6c12d01161d95d"
-        
-        // Sections
-        or for any i in (0..pe.number_of_sections-1) : (
-            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "4a80edcce2a5ac85c3f849172ee89c0f"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "53781057440f51882c38d3a9ef611775"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "801b286d84a97fe919721843ab77210d"
-        )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_loader_win_doppeldridex.yar b/yara_rules/sekoiaio_loader_win_doppeldridex.yar
deleted file mode 100644
index 0f5181e..0000000
--- a/yara_rules/sekoiaio_loader_win_doppeldridex.yar
+++ /dev/null
@@ -1,34 +0,0 @@
-import "pe"
-        
-rule sekoiaio_loader_win_doppeldridex {
-    meta:
-        id = "ee5111ae-ba0b-4cd3-abe6-c66324d16840"
-        version = "1.1"
-        description = "Detect the DoppelDridex banking trojan using its Rich header"
-        author = "Sekoia.io"
-        creation_date = "2021-09-28"
-        classification = "TLP:CLEAR"
-        
-    condition:
-        pe.rich_signature.toolid(122, 50727)
-        and pe.rich_signature.toolid(1, 0)
-        and pe.rich_signature.toolid(222, 40629)
-        and pe.rich_signature.toolid(131, 30729)
-        and pe.rich_signature.toolid(220, 31101)
-        and pe.rich_signature.toolid(202, 60315)
-        and pe.rich_signature.toolid(202, 50727)
-        and pe.rich_signature.toolid(261, 23506)
-        and pe.rich_signature.toolid(149, 21022)
-        and pe.rich_signature.toolid(261, 23918)
-        and pe.rich_signature.toolid(219, 21005)
-        and pe.rich_signature.toolid(171, 30319)
-        and pe.rich_signature.toolid(225, 21005)
-        and pe.rich_signature.toolid(221, 21005)
-        and pe.rich_signature.toolid(259, 24210)
-        and pe.rich_signature.toolid(258, 24213)
-        and pe.rich_signature.toolid(158, 40219)
-        and pe.rich_signature.toolid(145, 21022)
-        and pe.rich_signature.toolid(207, 60315)
-        and pe.rich_signature.toolid(256, 23026)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_loader_win_erbium.yar b/yara_rules/sekoiaio_loader_win_erbium.yar
deleted file mode 100644
index a0bae33..0000000
--- a/yara_rules/sekoiaio_loader_win_erbium.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_loader_win_erbium {
-    meta:
-        version = "1.0"
-        description = "Detect the Erbium loader based on specific user-agent and URI"
-        author = "Sekoia.io"
-        creation_date = "2022-09-30"
-        id = "d1e5be62-5677-4ef4-9f10-65baf36ab619"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.67 Safari/537.36" wide
-        $str02 = "cloud/getHost.php?method=getstub&bid=" wide
-        $str03 = "api.php?method=getstub&bid=" wide
-        
-        $api = "WinHttp" ascii
-        
-    condition:
-        uint16(0)==0x5A4D and 2 of ($str*) and #api > 6
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_loader_win_fudloader.yar b/yara_rules/sekoiaio_loader_win_fudloader.yar
deleted file mode 100644
index 7d2bb64..0000000
--- a/yara_rules/sekoiaio_loader_win_fudloader.yar
+++ /dev/null
@@ -1,25 +0,0 @@
-rule sekoiaio_loader_win_fudloader {
-    meta:
-        id = "4c2ac614-89af-4449-9fd2-9f935e4c27b8"
-        version = "1.0"
-        description = "Finds FUD-Loader samples based on specific strings"
-        author = "Sekoia.io"
-        reference = "https://github.com/0day2/FUD-Loader/"
-        creation_date = "2023-09-25"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "set_WindowStyle" ascii
-        $str02 = "set_FileName" ascii
-        $str03 = "get_StartInfo" ascii
-        $str04 = "GetRandomFileName" ascii
-        $str05 = "DownloadFile" ascii
-        $str06 = "GetTempPath" ascii
-        $str07 = "ProcessStartInfo" ascii
-        $str08 = "System.Diagnostics" ascii
-        
-    condition:
-        uint16(0) == 0x5a4d and all of them and
-        filesize < 10KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_loader_win_gcleaner.yar b/yara_rules/sekoiaio_loader_win_gcleaner.yar
deleted file mode 100644
index 8143842..0000000
--- a/yara_rules/sekoiaio_loader_win_gcleaner.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-rule sekoiaio_loader_win_gcleaner {
-    meta:
-        version = "1.0"
-        description = "Detect the GCleaner loader using specific strings"
-        author = "Sekoia.io"
-        creation_date = "2022-10-11"
-        id = "0c085da3-ec77-4141-a927-bef1578a6dee"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "G-Cleaner can clean unneeded files, settings, and Registry entries" ascii
-        $str02 = "3.  Click \"Run G-Cleaner\"" ascii
-        $str03 = "Garbage_Cleaner" ascii
-        $str04 = "GCleaner.Properties" ascii
-        $str05 = "SOFTWARE\\GCleaner\\Install" wide
-        $str06 = "SOFTWARE\\GCleaner\\Trial" wide
-        $str07 = "SOFTWARE\\GCleaner\\License" wide
-        $str08 = "G-Cleaner activation" wide
-        
-    condition:
-        uint16(0)==0x5A4D and 6 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_loader_win_goshellcode.yar b/yara_rules/sekoiaio_loader_win_goshellcode.yar
deleted file mode 100644
index 74a84eb..0000000
--- a/yara_rules/sekoiaio_loader_win_goshellcode.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule sekoiaio_loader_win_goshellcode {
-    meta:
-        version = "1.0"
-        description = "Finds GoShellcode samples based on the specific strings"
-        author = "Sekoia.io"
-        reference = "https://github.com/yoda66/GoShellcode/blob/main/gosc.go"
-        creation_date = "2023-11-15"
-        id = "61346225-325a-4067-a4d6-3b8c001dd380"
-        classification = "TLP:CLEAR"
-        hash1 = "94445af999055bf7d7cddc0d1d5183ab2776d85285f0522a28fac6c5a6101906"
-        hash2 = "fdea8b01b2597ceafe6f08b5fd12cc603b1e3ce2037731c0b6defde6935b1ce0"
-        
-    strings:
-        $str01 = "main.VirtualAlloc" ascii
-        $str02 = "main.RtlMoveMemory" ascii
-        $str03 = "syscall.Syscall" ascii
-        $str04 = "syscall.NewLazyDLL" ascii
-        $str05 = "runtime.getGetProcAddress" ascii
-        $str06 = "runtime.useAeshash" ascii
-        
-    condition:
-        uint16(0)==0x5A4D and all of ($str*) and filesize < 8MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_loader_win_jennlog.yar b/yara_rules/sekoiaio_loader_win_jennlog.yar
deleted file mode 100644
index 60fa704..0000000
--- a/yara_rules/sekoiaio_loader_win_jennlog.yar
+++ /dev/null
@@ -1,25 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_loader_win_jennlog {
-    meta:
-        id = "a69088e5-207f-494f-876b-766b8050e8c2"
-        version = "1.0"
-        description = "Jennlog loader used to deliver the Apostle ransomware"
-        author = "Sekoia.io"
-        creation_date = "2021-10-04"
-        classification = "TLP:CLEAR"
-        reference = "https://www.sentinelone.com/labs/new-version-of-apostle-ransomware-reemerges-in-targeted-attack-on-higher-education/"
-        
-    condition:
-        pe.timestamp == 3140259112
-        or
-        for any i in (0..pe.number_of_sections-1) : (
-            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "4c4577276ff0323d9aedcc39ecf2c964"
-        )
-        or
-        for any i in (0..pe.number_of_resources-1) : (
-            hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "8476a7fca587f1e5d3ae076293b9fbcccbebc4bd4f7b783228ad5da39305a3d9"
-        )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_loader_win_jinxloader_strings.yar b/yara_rules/sekoiaio_loader_win_jinxloader_strings.yar
deleted file mode 100644
index d5fe441..0000000
--- a/yara_rules/sekoiaio_loader_win_jinxloader_strings.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_loader_win_jinxloader_strings {
-    meta:
-        version = "1.0"
-        description = "Finds JinxLoader samples based on the specific strings"
-        author = "Sekoia.io"
-        creation_date = "2023-12-04"
-        id = "fd2f7e8c-f4a8-4452-bbc6-e03790f8ed89"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "JinxV2" ascii
-        $str02 = "main.main.func1" ascii
-        $str03 = "go.shape.struct" ascii
-        
-        $str04 = ".glob..func" ascii
-        
-    condition:
-        uint16(0)==0x5A4D and all of them and #str04 > 100
-        and filesize > 8MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_loader_win_konni_bat.yar b/yara_rules/sekoiaio_loader_win_konni_bat.yar
deleted file mode 100644
index 2f13842..0000000
--- a/yara_rules/sekoiaio_loader_win_konni_bat.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-rule sekoiaio_loader_win_konni_bat {
-    meta:
-        id = "e8921336-6c91-4b46-bd3f-3cf4a9b31082"
-        version = "1.0"
-        description = "Detect the BAT files (named trap.bat or yup.bat) used by KONNI"
-        author = "Sekoia.io"
-        creation_date = "2023-09-26"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "del /f /q \"%~dp0\\*.zip\" > nul"
-        $ = "del /f /q \"%~dp0\\*.xml\" > nul"
-        $ = "del /f /q \"%~dp0\\wpnprv*.dll\" > nul"
-        $ = "del /f /q \"%~dp0\\*.bat\" > nul"
-        $ = "del /f /q \"%~dpnx0\" > nul"
-        $ = "echo %~dp0 | findstr /i \"system32\" > nul"
-        $ = "if %ERRORLEVEL% equ 0 (goto INSTALL) else (goto COPYFILE)"
-        $ = "if exist \"%ProgramFiles(x86)%\" ("
-        
-    condition:
-        3 of them and filesize < 3KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_loader_win_konni_wpnprv.yar b/yara_rules/sekoiaio_loader_win_konni_wpnprv.yar
deleted file mode 100644
index 57bd5f0..0000000
--- a/yara_rules/sekoiaio_loader_win_konni_wpnprv.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_loader_win_konni_wpnprv {
-    meta:
-        id = "02162533-4ace-42bf-8df0-38b140487f01"
-        version = "1.0"
-        description = "Detect the wpnprv DLLs used for KONNI for UAC bypass"
-        author = "Sekoia.io"
-        creation_date = "2023-09-26"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "wpnprv.dll"
-        // Name of the malicious export
-        $ = "IIIIIIII" fullword
-        $ = "wusa.exe" wide
-        $ = "winver.exe" wide
-        $ = "MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" wide
-        $ = "taskmgr.exe" wide
-        
-    condition:
-        uint16(0)==0x5A4D and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_loader_win_ninerat.yar b/yara_rules/sekoiaio_loader_win_ninerat.yar
deleted file mode 100644
index 46fcf26..0000000
--- a/yara_rules/sekoiaio_loader_win_ninerat.yar
+++ /dev/null
@@ -1,38 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_loader_win_ninerat {
-    meta:
-        id = "b9aa3ddc-7892-402f-b045-182884ee9bad"
-        version = "1.0"
-        description = "Detect the NineRAT instrumentator"
-        author = "Sekoia.io"
-        creation_date = "2023-12-12"
-        classification = "TLP:CLEAR"
-        reference = "https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/"
-        hash1 = "ba8cd92cc059232203bcadee260ddbae273fc4c89b18424974955607476982c4"
-        hash2 = "5b02fc3cfb5d74c09cab724b5b54c53a7c07e5766bffe5b1adf782c9e86a8541"
-        
-    strings:
-        $ = "TelegramRat\\lastest\\Dropper"
-        $ = "\\Release\\ServiceMid.pdb"
-        
-    condition:
-        // Strings
-        all of them
-        
-        // Imphash
-        or pe.imphash() == "104a3dc970a385f64de39e0dad61a9a2"
-        
-        // Rich Header
-        or hash.md5(pe.rich_signature.clear_data) == "aab0aa6b89d883e42be8b65a4e41a139"
-        
-        // Sections
-        or for any i in (0..pe.number_of_sections-1) : (
-            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "827d5fd4b1a0426037529ee9bba48da0"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "82354f92508dcb33acda01c226de2975"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "ccd0f5d837a6cc05a861f040cbdfe080"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "8d2c169356afe8b53b0ecb83de3084b9"
-        )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_loader_win_operationmagalenha_vbs.yar b/yara_rules/sekoiaio_loader_win_operationmagalenha_vbs.yar
deleted file mode 100644
index 99d4d6b..0000000
--- a/yara_rules/sekoiaio_loader_win_operationmagalenha_vbs.yar
+++ /dev/null
@@ -1,40 +0,0 @@
-rule sekoiaio_loader_win_operationmagalenha_vbs {
-    meta:
-        version = "1.0"
-        description = "Finds VBS file loading the PeepingTitle backdoor"
-        author = "Sekoia.io"
-        reference = "https://www.sentinelone.com/labs/operation-magalenha-long-running-campaign-pursues-portuguese-credentials-and-pii/"
-        creation_date = "2023-05-31"
-        id = "b1f705d1-de3e-4ce6-9bb7-0e39b6e79add"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "'Skip to content" ascii
-        $str02 = "'Search" ascii
-        $str03 = "'Sign in" ascii
-        $str04 = "'Sign up" ascii
-        $str05 = "'Code" ascii
-        $str06 = "'Terms" ascii
-        $str07 = "'Privacy" ascii
-        $str08 = "'Security" ascii
-        $str09 = "'Status" ascii
-        $str10 = "'Docs" ascii
-        $str11 = "'Contact GitHub" ascii
-        $str12 = "'Pricing" ascii
-        $str13 = "'API" ascii
-        $str14 = "'Training" ascii
-        $str15 = "'Blog" ascii
-        $str16 = "'About" ascii
-        
-        $vbs01 = "WScript.Sleep" ascii nocase
-        $vbs02 = "Set obj" ascii nocase
-        $vbs03 = "Dim obj" ascii nocase
-        $vbs04 = "https://tinyurl.com" ascii nocase
-        $vbs05 = "C:\\Users\\Public" ascii nocase
-        $vbs06 = "CreateObject(\"WScript.Shell\")" ascii nocase
-        $vbs07 = ".SaveToFile" ascii nocase
-        
-    condition:
-        10 of ($str*) and 5 of ($vbs*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_loader_win_piccassoloader.yar b/yara_rules/sekoiaio_loader_win_piccassoloader.yar
deleted file mode 100644
index 7ca8f32..0000000
--- a/yara_rules/sekoiaio_loader_win_piccassoloader.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule sekoiaio_loader_win_piccassoloader {
-    meta:
-        id = "91d9c2de-451e-467e-8f5c-38bbcce92b72"
-        version = "1.0"
-        description = "Detect the variant of Picasso used by GhostWriter as CVE-2023-38831 exploitation payload"
-        author = "Sekoia.io"
-        creation_date = "2023-09-07"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = {2c 27 44 65 63 72 79 70 74 6f 72 27 2c 27 6e 6f 64 65 27 2c 27 55 73 65 72 2d}
-        $ = {5c 78 32 30 43 68 72 6f 6d 65 2f 31 30 27 2c 27 67 67 65 72 27 2c 27 73 65 64 43 69 70 68 65 72 27 2c 27 5f 61 70 70 65 6e 64 27 2c 27 5f 45 4e 43 5f 58 46 4f 52 4d 27 2c 27 57 53 63 72 69 70 74 2e 53 68 27}
-        
-    condition:
-        1 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_loader_win_purecrypter.yar b/yara_rules/sekoiaio_loader_win_purecrypter.yar
deleted file mode 100644
index d1b534c..0000000
--- a/yara_rules/sekoiaio_loader_win_purecrypter.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule sekoiaio_loader_win_purecrypter {
-    meta:
-        version = "1.0"
-        description = "Detect the PureCrypter loader"
-        author = "Sekoia.io"
-        creation_date = "2022-09-22"
-        id = "500b4d9e-55f8-41d1-ad4f-d587bbeb4507"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $hex01 = /http:\/\/[^\s]{5,90}_[A-Z][a-z]{7}\.(bmp|jpg|png)/ wide
-        $hex02 = "WrapNonExceptionThrows" ascii
-        
-    condition:
-        uint16(0)==0x5A4D and ($hex02 in (@hex01..@hex01 + 1000) or $hex01 in (@hex02..@hex02 + 1000))
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_loader_win_red0044_powershell_may24.yar b/yara_rules/sekoiaio_loader_win_red0044_powershell_may24.yar
deleted file mode 100644
index baa033a..0000000
--- a/yara_rules/sekoiaio_loader_win_red0044_powershell_may24.yar
+++ /dev/null
@@ -1,27 +0,0 @@
-rule sekoiaio_loader_win_red0044_powershell_may24 {
-    meta:
-        id = "ba3454b4-31cf-458d-8d78-c5cc5fa348ff"
-        version = "1.0"
-        description = "Finds PowerShell scripts used in a malvertising campaign to deliver NetSupport RAT"
-        author = "Sekoia.io"
-        reference = "https://twitter.com/crep1x/status/1786150734121120075"
-        creation_date = "2024-05-03"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "Start-Job -ScriptBlock" ascii
-        $str02 = "Get-WmiObject" ascii
-        $str03 = "-Class Win32_OperatingSystem" ascii
-        $str04 = "-Class AntiVirusProduct" ascii
-        $str05 = "$_.Exception.Message" ascii
-        $str06 = ".DownloadString" ascii
-        $str07 = "New-Object Net.WebClient" ascii
-        $str08 = "myUserAgentHere" ascii
-        $str09 = "GetFolderPath('Desktop'))\\document.pdf" ascii
-        $str10 = "Receive-Job -Job" ascii
-        $str11 = "Start-Process" ascii
-        
-    condition:
-        8 of them and filesize < 20KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_loader_win_revil_loader.yar b/yara_rules/sekoiaio_loader_win_revil_loader.yar
deleted file mode 100644
index 58c8d29..0000000
--- a/yara_rules/sekoiaio_loader_win_revil_loader.yar
+++ /dev/null
@@ -1,35 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_loader_win_revil_loader {
-    meta:
-        id = "3c293e87-e2d7-475a-9536-8b991961fa11"
-        version = "1.0"
-        description = "Detect the REvil loader using DDL side loading. The detected ressource is a legitimate executable used to load the malicious .dll containing the ransomware"
-        author = "Sekoia.io"
-        creation_date = "2021-07-19"
-        classification = "TLP:CLEAR"
-        reference = "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/revil-ransomware-uses-dll-sideloading"
-        hash1 = "1fe9b489c25bb23b04d9996e8107671edee69bd6f6def2fe7ece38a0fb35f98e"
-        hash2 = "50416e50797cf88a48d086e718c003e2d10c3847b1a251669d6f10f8d3546e03"
-        hash3 = "66490c59cb9630b53fa3fa7125b5c9511afde38edab4459065938c1974229ca8"
-        hash4 = "81d0c71f8b282076cd93fb6bb5bfd3932422d033109e2c92572fc49e4abc2471"
-        hash5 = "aae6e388e774180bc3eb96dad5d5bfefd63d0eb7124d68b6991701936801f1c7"
-        hash6 = "d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e"
-        hash7 = "dc6b0e8c1e9c113f0364e1c8370060dee3fcbe25b667ddeca7623a95cd21411f"
-        hash8 = "df2d6ef0450660aaae62c429610b964949812df2da1c57646fc29aa51c3f031e"
-        
-    strings:
-        $crypto = ".\\crypto\\" ascii
-        
-        $dropped_name1 = "MsMpEng.exe" wide
-        $dropped_name2 = "mpsvc.dll" ascii
-        
-    condition:
-        all of ($dropped_name*)
-        and #crypto > 100
-        and for any i in (0..pe.number_of_resources-1) : (
-            hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a"
-        )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_loader_win_squirrelwaffle.yar b/yara_rules/sekoiaio_loader_win_squirrelwaffle.yar
deleted file mode 100644
index 9039cef..0000000
--- a/yara_rules/sekoiaio_loader_win_squirrelwaffle.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule sekoiaio_loader_win_squirrelwaffle {
-    meta:
-        id = "bea3125e-6e84-435f-855b-fd3239a0deac"
-        version = "1.0"
-        description = "Detect the Squirrelwaffle DLL"
-        author = "Sekoia.io"
-        creation_date = "2021-09-20"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "AEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" ascii
-        $s2 = "c:\\equal\\True\\bird_Select\\780\\true.pdb" ascii
-        
-    condition:
-        uint16(0)==0x5A4D and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_loader_win_squirrelwaffle_doc.yar b/yara_rules/sekoiaio_loader_win_squirrelwaffle_doc.yar
deleted file mode 100644
index 86e925d..0000000
--- a/yara_rules/sekoiaio_loader_win_squirrelwaffle_doc.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_loader_win_squirrelwaffle_doc {
-    meta:
-        id = "caadeac3-d4c7-4d84-b539-c03cc4c6c274"
-        version = "1.0"
-        description = "Detect the Squirrelwaffle malicious document (not xls)"
-        author = "Sekoia.io"
-        creation_date = "2021-09-20"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        // OK1 = "cmd /c rundll32.exe C:\ProgramData\www1.dll,ldr"
-        $s1 = {4f4b31203d2022636d64202f632072756e646c6c33322e65786520433a5c50726f6772616d446174615c777777312e646c6c2c6c647222}
-        // AERO BIZ COM COOP EDU GOV INFO INT MIL MUSEUM NAME NET ORG PRO
-        $s2 = {4145524f2042495a20434f4d20434f4f502045445520474f5620494e464f20494e54204d494c204d555345554d204e414d45204e4554204f52472050524f}
-        
-    condition:
-        any of them and filesize > 100KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_loader_win_stealthvector.yar b/yara_rules/sekoiaio_loader_win_stealthvector.yar
deleted file mode 100644
index eb56cca..0000000
--- a/yara_rules/sekoiaio_loader_win_stealthvector.yar
+++ /dev/null
@@ -1,33 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_loader_win_stealthvector {
-    meta:
-        id = "ecf6421a-f492-43c4-9ed7-eb4724d24779"
-        version = "1.0"
-        description = "Detect the StealthVector malware, updated in July 2024"
-        author = "Sekoia.io"
-        creation_date = "2021-08-26"
-        modification_date = "2024-07-15"
-        classification = "TLP:CLEAR"
-        hash1 = "166b6dcdac31f4bf51e4b20a7c3f7d4f7017ca0c30fa123d5591e25c3fa66107"
-        hash2 = "ab56501167fe689fe55f6e6ddc3bb91952299bd5c3ef004b02bf1c3b4061c7cf"
-        hash3 = "0faddbe1713455e3fc9777ec45adf07b28e24f4c3ddca37586c2aa6b539898c0"
-        hash4 = "1c88150ec85a07c3db5f18c5eedcb0b653467b897af01d690ed996e5e07ba8e3"
-        hash5 = "ec10a9396dca694fe64366e0dab82d046cf92457f97efd50a68ceb85adef6b74"
-        
-    strings:
-        $s1 = "Global\\kREwdFrOlvASgP4zWZyV89m6T2K0bIno" ascii
-        $s2 = "Global\\v5EPQFOImpTLaGZes3Nl1JSKHku8AyCw" ascii
-        
-    condition:
-        uint16(0)==0x5A4D and 1 of them
-
-        // Imphash
-        or pe.imphash() == "0cd7b92b97ccc7e255df1f46b5299986"
-        or pe.imphash() == "be777e91e3c42ac62471cfb7239be471"
-        
-        // Rich PE Header
-        or hash.md5(pe.rich_signature.clear_data) == "fcc67611d136cce0e785029bbb879b45"
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_loader_win_svcready_imports.yar b/yara_rules/sekoiaio_loader_win_svcready_imports.yar
deleted file mode 100644
index eb2ee06..0000000
--- a/yara_rules/sekoiaio_loader_win_svcready_imports.yar
+++ /dev/null
@@ -1,26 +0,0 @@
-import "pe"
-        
-rule sekoiaio_loader_win_svcready_imports {
-    meta:
-        id = "e89aa736-acee-4881-b367-a9abfe9784ec"
-        version = "1.0"
-        description = "Finds samples of the SVCReady loader"
-        author = "Sekoia.io"
-        reference = "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/"
-        creation_date = "2022-06-08"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str0 = "Svc:RunPEDllNative" ascii
-        $str1 = "RunPEDllNative::" ascii
-        
-    condition:
-        uint16(0)==0x5A4D and
-        filesize > 200KB and filesize < 2MB and
-        pe.imports("GDI32.dll", "Ellipse") and
-        pe.imports("GDI32.dll", "SelectObject") and
-        pe.imports("GDI32.dll", "GetStockObject") and
-        pe.imports("GDI32.dll") == 3 and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_loader_win_truebot_dec22.yar b/yara_rules/sekoiaio_loader_win_truebot_dec22.yar
deleted file mode 100644
index 10e3a63..0000000
--- a/yara_rules/sekoiaio_loader_win_truebot_dec22.yar
+++ /dev/null
@@ -1,30 +0,0 @@
-import "pe"
-        
-rule sekoiaio_loader_win_truebot_dec22 {
-    meta:
-        version = "1.0"
-        description = "Finds TrueBot DLL based on characteristic strings"
-        author = "Sekoia.io"
-        creation_date = "2022-12-12"
-        id = "21e2c57c-8579-4312-b188-bc9171e37e5f"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str0 = "GetProcessWindowStation"
-        $str1 = "GetUserObjectInformationW"
-        $str2 = "GetLastActivePopup"
-        $str3 = "GetActiveWindow"
-        $str4 = "VirtualProtect"
-        $str5 = "IsDebuggerPresent"
-        
-        $cle0 = "process call create \"powershell -executionpolicy bypass -nop -w hidden %s" ascii
-        $cle1 = "%s\\%08x-%08x.ps1" ascii
-        $cle2 = "POST %s HTTP/1.0" ascii
-        $cle3 = "%s\\rundll32.exe" wide
-        
-    condition:
-        uint16(0)==0x5A4D and (all of ($str*) or 1 of ($cle*))
-        and (pe.exports("ChkdskExs") or pe.exports("fff"))
-        and filesize < 1MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_luckymouse_sysupdate_loader.yar b/yara_rules/sekoiaio_luckymouse_sysupdate_loader.yar
deleted file mode 100644
index 000e77e..0000000
--- a/yara_rules/sekoiaio_luckymouse_sysupdate_loader.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_luckymouse_sysupdate_loader {
-    meta:
-        id = "6007e846-d467-4d07-b345-e25191b7c8bc"
-        version = "1.0"
-        description = "Detects decryption routine prologue of sysupdate loader"
-        author = "Sekoia.io"
-        creation_date = "2022-08-19"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = { DB D4 33 C9 66 B9 ?? ?? E8 FF FF FF FF }
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 1MB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_luckymouse_sysupdate_payload.yar b/yara_rules/sekoiaio_luckymouse_sysupdate_payload.yar
deleted file mode 100644
index 5b00ecf..0000000
--- a/yara_rules/sekoiaio_luckymouse_sysupdate_payload.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule sekoiaio_luckymouse_sysupdate_payload {
-    meta:
-        id = "97df4700-de35-49a0-869e-ed89a6d9cbdd"
-        version = "1.0"
-        description = "Detects decryption routine prologue of sysupdate samples"
-        author = "Sekoia.io"
-        creation_date = "2022-08-19"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = { DB ?? ?? C9 66 B9 ?? ?? E8 FF FF FF FF }
-        
-    condition:
-        filesize < 1MB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_malicious_lnk_exploiting_webdav_share_generic.yar b/yara_rules/sekoiaio_malicious_lnk_exploiting_webdav_share_generic.yar
deleted file mode 100644
index eff0364..0000000
--- a/yara_rules/sekoiaio_malicious_lnk_exploiting_webdav_share_generic.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_malicious_lnk_exploiting_webdav_share_generic {
-    meta:
-        id = "b228643c-ab23-46e1-b170-3da6bcb2dd23"
-        version = "1.0"
-        description = "Detects some malicious LNK"
-        author = "Sekoia.io"
-        creation_date = "2024-11-22"
-        classification = "TLP:CLEAR"
-        hash = "cffb40e13e3aa6761330090b42314c36"
-        
-    strings:
-        $ = "powershell.exe" wide
-        $ = "-Name explorer; \\\\" wide
-        $ = "@80\\"
-        $ = "desktop-tcrdu4c"
-        
-    condition:
-        uint32be(0) == 0x4c000000 and
-        2 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_malware_httpshell_strings.yar b/yara_rules/sekoiaio_malware_httpshell_strings.yar
deleted file mode 100644
index f4486c1..0000000
--- a/yara_rules/sekoiaio_malware_httpshell_strings.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_malware_httpshell_strings {
-    meta:
-        id = "58f25666-5dc2-4f4f-9fac-fc05d1e66945"
-        version = "1.0"
-        description = "Detects HTTPShell based on URL patterns"
-        author = "Sekoia.io"
-        creation_date = "2024-01-08"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "/api/v1/Client/Info" wide ascii
-        $ = "/api/v1/Client/Download" wide ascii
-        $ = "/api/v1/Client/Upload" wide ascii
-        $ = "/api/v1/Client/Info" base64 base64wide
-        $ = "/api/v1/Client/Download" base64 base64wide
-        $ = "/api/v1/Client/Upload" base64 base64wide
-        
-    condition:
-        3 of them and filesize < 5MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_malware_remcom_strings.yar b/yara_rules/sekoiaio_malware_remcom_strings.yar
deleted file mode 100644
index bf0f6df..0000000
--- a/yara_rules/sekoiaio_malware_remcom_strings.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-rule sekoiaio_malware_remcom_strings {
-    meta:
-        id = "7a56d55a-2f35-41ef-b7af-259baf215a62"
-        version = "1.0"
-        description = "Detects RemCom based on strings"
-        author = "Sekoia.io"
-        creation_date = "2022-08-30"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "RemComSvc"
-        $ = "RemCom_stderr"
-        $ = "RemCom_stdin"
-        $ = "\\\\.\\pipe\\%s%s%d"
-        $ = "RemCom_stdout"
-        $ = "\\\\.\\pipe\\RemCom_communicaton"
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 1MB and
-        4 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_malware_sugargh0st_strings.yar b/yara_rules/sekoiaio_malware_sugargh0st_strings.yar
deleted file mode 100644
index a253161..0000000
--- a/yara_rules/sekoiaio_malware_sugargh0st_strings.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_malware_sugargh0st_strings {
-    meta:
-        id = "51930498-b04a-4f13-8d14-ee975a28126e"
-        version = "1.0"
-        description = "Detects SugarGh0st based on strings"
-        author = "Sekoia.io"
-        creation_date = "2023-12-01"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "%sd.%s /c \"%s\"" wide
-        $ = "[Num Lock]" wide
-        $ = "#32770" wide
-        $ = "]%s (%4d-%02d-%02d %02d:%02d:%02d)" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 100KB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_malware_swordldr.yar b/yara_rules/sekoiaio_malware_swordldr.yar
deleted file mode 100644
index 62367a5..0000000
--- a/yara_rules/sekoiaio_malware_swordldr.yar
+++ /dev/null
@@ -1,30 +0,0 @@
-rule sekoiaio_malware_swordldr {
-    meta:
-        id = "4068c007-50f4-4913-a352-4a40dd4e452b"
-        version = "1.0"
-        description = "Detects Swordldr. Maybe chunk_1 is too restrictive"
-        author = "Sekoia.io"
-        creation_date = "2024-09-25"
-        classification = "TLP:CLEAR"
-        hash = "d0cc758082e303275cbb8cd6b2048eff"
-        hash = "7aa57da44718cd88f7d37b33a5d3ad74"
-        
-    strings:
-        $ = { CC CC CC CC B0 01 C3 CC CC CC CC }
-        $ = { CC CC CC CC B0 02 C3 CC CC CC CC }
-        $ = { CC CC CC CC B0 03 C3 CC CC CC CC }
-        $ = { CC CC CC CC B0 04 C3 CC CC CC CC }
-        $ = { CC CC CC CC B0 05 C3 CC CC CC CC }
-        $ = { CC CC CC CC B0 06 C3 CC CC CC CC }
-        $ = { CC CC CC CC B0 07 C3 CC CC CC CC }
-        $ = { CC CC CC CC B0 08 C3 CC CC CC CC }
-        $ = { CC CC CC CC B0 09 C3 CC CC CC CC }
-        $chunk_1 = {
-        48 63 44 24 40 44 8B 44 86 04 48 63 44 24 40 45 23 ?? 45 03 C0 8B 54 86 04 48 63 44 24 40 41 2B D0 41 03 ?? 89 54 86 04
-        }
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        4 of them and #chunk_1 > 5
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_malware_tinyshell_strings.yar b/yara_rules/sekoiaio_malware_tinyshell_strings.yar
deleted file mode 100644
index 09da4ad..0000000
--- a/yara_rules/sekoiaio_malware_tinyshell_strings.yar
+++ /dev/null
@@ -1,25 +0,0 @@
-rule sekoiaio_malware_tinyshell_strings {
-    meta:
-        id = "51fe9986-cb33-4802-bb8d-fe3d4cdfdcc8"
-        version = "1.0"
-        description = "Detects TinyShell based on strings"
-        author = "Sekoia.io"
-        creation_date = "2024-09-04"
-        classification = "TLP:CLEAR"
-        hash = "fffc89ebbe6ea37072077996e27f86dd"
-        hash = "59a97d4fbd3a54e991dc7e1f0451acf5"
-        hash = "d7ee59eab7f703bfaf1002a39b05c7b9"
-        hash = "3f2dfe47d4563919d889132b2759fd9c"
-        
-    strings:
-        $ = "_tsh_get_file"
-        $ = "_tsh_put_file"
-        $ = "_tsh_runshell"
-        $ = "Authentication failed."
-        $ = "pel_send_msg"
-        $ = "exec bash --login"
-        
-    condition:
-        3 of them and filesize < 150KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_malware_valleyrat_1ststage_strings.yar b/yara_rules/sekoiaio_malware_valleyrat_1ststage_strings.yar
deleted file mode 100644
index 6e49c75..0000000
--- a/yara_rules/sekoiaio_malware_valleyrat_1ststage_strings.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_malware_valleyrat_1ststage_strings {
-    meta:
-        id = "6628ba47-37ad-4bdb-bbc0-7286d777000e"
-        version = "1.0"
-        description = "Detects ValleyRat 1stage"
-        author = "Sekoia.io"
-        creation_date = "2024-06-11"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "%016llX.DLL" wide
-        $ = "%s\\%s" wide
-        $ = "%016llX\\%s" wide
-        $ = "connection already in progress"
-        $ = "SleepConditionVariableSRW"
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 4MB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_malware_valleyrat_downloader_strings.yar b/yara_rules/sekoiaio_malware_valleyrat_downloader_strings.yar
deleted file mode 100644
index 77a5661..0000000
--- a/yara_rules/sekoiaio_malware_valleyrat_downloader_strings.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_malware_valleyrat_downloader_strings {
-    meta:
-        id = "12985f34-f894-402b-80d1-5d6b2486d730"
-        version = "1.0"
-        description = "Detects ValleyRat downloader"
-        author = "Sekoia.io"
-        creation_date = "2024-06-11"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = { 43 00 3a 00 5c [0-30]
-        5c 00 4e 00 54 00 55
-        00 53 00 45 00 52 00
-        2e 00 44 00 58 }
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 2MB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_malware_valleyrat_strings_config.yar b/yara_rules/sekoiaio_malware_valleyrat_strings_config.yar
deleted file mode 100644
index 3b52d3f..0000000
--- a/yara_rules/sekoiaio_malware_valleyrat_strings_config.yar
+++ /dev/null
@@ -1,28 +0,0 @@
-rule sekoiaio_malware_valleyrat_strings_config {
-    meta:
-        id = "bb186ab7-60cd-487e-8b9c-c2ff8f121454"
-        version = "1.0"
-        description = "ValleyRAT strings based on HIVE KEYS and config. "
-        author = "Sekoia.io"
-        creation_date = "2024-08-19"
-        classification = "TLP:CLEAR"
-        hash = "b1887a48e59ac7b1b1742854d2a228af"
-        hash = "f6c69e83ce61aacacfbc410345008268"
-        hash = "63ad42e03aca6ce447fb447e21aeb385"
-        hash = "e1d41e5fdfebf8062911ef3c3853b807"
-        hash = "e6cafb4136a9438227086a5826eafe10"
-        hash = "54ba4bbeacd1521164a40e92262b15f6"
-        
-    strings:
-        $key1 = "IpDateInfo" ascii fullword
-        $key2 = "IpDate" ascii fullword
-        $key3 = "SelfPath" ascii fullword
-        $config1 = {7c 00 69 00 3a 00 } // |i:
-        $config2 = {7c 00 70 00 3a 00 } // |p:
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        1 of ($key*) and $config2 in (@config1..@config1+100) 
-        and filesize > 300KB and filesize < 100MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_malware_venom_admin_strings.yar b/yara_rules/sekoiaio_malware_venom_admin_strings.yar
deleted file mode 100644
index 4ca7f79..0000000
--- a/yara_rules/sekoiaio_malware_venom_admin_strings.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-rule sekoiaio_malware_venom_admin_strings {
-    meta:
-        id = "4929340c-310b-4c59-a111-23409f973d22"
-        version = "1.0"
-        description = "Detects Venom admin strings"
-        author = "Sekoia.io"
-        creation_date = "2022-08-29"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "/admin/admin.go"
-        $ = "/cli/interactive.go"
-        $ = "/cli/cli.go"
-        $ = "/dispather/sender.go"
-        $ = "/dispather/proxy.go"
-        $ = "/dispather/handler.go"
-        $ = "/dispather/forward.go"
-        $ = "/utils/reuse_port.go"
-        
-    condition:
-        filesize < 11MB and 6 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_malware_venom_agent_strings.yar b/yara_rules/sekoiaio_malware_venom_agent_strings.yar
deleted file mode 100644
index 52e2ae7..0000000
--- a/yara_rules/sekoiaio_malware_venom_agent_strings.yar
+++ /dev/null
@@ -1,32 +0,0 @@
-rule sekoiaio_malware_venom_agent_strings {
-    meta:
-        id = "87633510-8b39-4eb1-b95b-4ebff21f3bba"
-        version = "1.0"
-        description = "Detects Venom agent strings"
-        author = "Sekoia.io"
-        creation_date = "2022-08-29"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "dispather.handleDownloadCmd"
-        $ = "dispather.handleUploadCmd"
-        $ = "dispather.handleShellCmd"
-        $ = "dispather.handleSocks5Cmd"
-        $ = "dispather.handleLForwardCmd"
-        $ = "dispather.localLForwardServer"
-        $ = "dispather.handleRForwardCmd"
-        $ = "dispather.AgentHandShake"
-        $ = "dispather.AgentParseTarget"
-        $ = "dispather.PipeWhenClose"
-        $ = "dispather.handleSshConnectCmd"
-        $ = "node.(*NetworkTopology).InitNetworkMap"
-        $ = "node.CopyNet2Node"
-        $ = "node.(*Node).CommandHandler.func1"
-        $ = "node.(*Buffer).WriteLowLevelPacket"
-        $ = "protocol.(*Packet).ResolveDat"
-        $ = "netio.InitTCP.func2"
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and filesize < 10MB and 6 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_malware_win_lyceum_maldoc_macro_20220613.yar b/yara_rules/sekoiaio_malware_win_lyceum_maldoc_macro_20220613.yar
deleted file mode 100644
index 34c18e0..0000000
--- a/yara_rules/sekoiaio_malware_win_lyceum_maldoc_macro_20220613.yar
+++ /dev/null
@@ -1,16 +0,0 @@
-rule sekoiaio_malware_win_lyceum_maldoc_macro_20220613 {
-    meta:
-        id = "3046bffd-261f-4d5b-9015-f2e5fc31c9c9"
-        version = "1.0"
-        description = "Detect the macro contained in Lyceum maldoc to deploy its malware"
-        author = "Sekoia.io"
-        creation_date = "2022-06-13"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "ActiveDocument.InlineShapes(i).PictureFormat.Brightness = 0.5" ascii
-        
-    condition:
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_malware_win_mex.yar b/yara_rules/sekoiaio_malware_win_mex.yar
deleted file mode 100644
index 7669471..0000000
--- a/yara_rules/sekoiaio_malware_win_mex.yar
+++ /dev/null
@@ -1,58 +0,0 @@
-rule sekoiaio_malware_win_mex {
-    meta:
-        id = "57fe8525-4bab-4078-ac6f-635f0f7963ec"
-        version = "1.0"
-        description = "Detect the MEX malware"
-        author = "Sekoia.io"
-        creation_date = "2022-07-28"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "MEX: In-memory execution of offensive tradecraft (Version:" wide
-        $ = "Available Options:" wide
-        $ = "-meh <help>" wide
-        $ = "-mep <payload_name_to_use>" wide
-        $ = "-mec <payload_args>" wide
-        $ = "Execution examples:" wide
-        $ = "mex.exe -mep sharphound" wide
-        $ = "mex.exe -mep sharphound -mec -arg1" wide
-        $ = "mex.exe -mep get_version" wide
-        $ = "mex.exe -mep list_plugins" wide
-        $ = "Available plugins:" wide
-        $ = "Payload to execute:" wide
-        $ = "No payload arguments were provided" wide
-        $ = "Payload arguments:" wide
-        $ = "MEX - About to execute payload %s with command line arguments: %s" wide
-        $ = "MEX - About to execute payload %s with no command line arguments" wide
-        $ = "Execution of payload %s just finished. Quitting now." wide
-        $ = "There was a problem executing payload %s. Quitting now." wide
-        $ = "chisel" wide
-        $ = "enum_script" wide
-        $ = "eop_script" wide
-        $ = "mexecatz" wide
-        $ = "scshell" wide
-        $ = "shares_script" wide
-        $ = "internalmonologue" wide
-        $ = "inveigh" wide
-        $ = "pingcastle" wide
-        $ = "rubeus" wide
-        $ = "seatbelt" wide
-        $ = "sharpexec" wide
-        $ = "sharphound3" wide
-        $ = "spoolsample" wide
-        $ = "standin" wide
-        $ = "grouper2" wide
-        $ = "lockless" wide
-        $ = "sharpoxidresolver" wide
-        $ = "sharpprinter" wide
-        $ = "list_plugins" wide
-        $ = "get_version" wide
-        $ = "Current version is %s" wide
-        $ = "Supported plugins:" wide
-        
-    condition:
-        uint16(0)==0x5A4D
-        and filesize > 10MB
-        and 15 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_malware_win_passlib.yar b/yara_rules/sekoiaio_malware_win_passlib.yar
deleted file mode 100644
index 123630a..0000000
--- a/yara_rules/sekoiaio_malware_win_passlib.yar
+++ /dev/null
@@ -1,33 +0,0 @@
-rule sekoiaio_malware_win_passlib {
-    meta:
-        id = "609999e2-a644-4bf3-bce2-b0e1b0e7094b"
-        version = "1.0"
-        description = "Detect the Passlib malware"
-        author = "Sekoia.io"
-        creation_date = "2022-07-28"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "Passlib test utility - Version %s" wide
-        $ = "-l <full_path_to_dll_to_load_into_lsass> (arbitrary dll injection into LSASS)" wide
-        $ = "-u <dll_to_unload_from_lsass> (arbitrary dll uninjection from LSASS)" wide
-        $ = "DLL %s injection was successful requested!" wide
-        $ = "DLL %s uninjection was successful requested!" wide
-        $ = "Process %s was succesfully created with full privileges and system integrity!" wide
-        $ = "full_path_to_volatile_payload_dll" wide
-        $ = "%s: [%s]:[%s] (http_only:%d)" wide
-        $ = "LEX server has been deployed at lsass." wide
-        $ = "LEX client is using volatile payload at: %s" wide
-        $ = "LEX client is using permanent payload at: %s" wide
-        $ = "Passlib execution finished" wide
-        $ = "Running on Passlib version %ws" wide
-        $ = "There was a problem initializing passlib manager interface." wide
-        $ = "Passlib running without high integrity" wide
-        $ = "About to dump passwords through passlib manager interface" wide
-        
-    condition:
-        uint16(0)==0x5A4D
-        and filesize > 1500KB
-        and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_manjusaka_samples.yar b/yara_rules/sekoiaio_manjusaka_samples.yar
deleted file mode 100644
index 6a21821..0000000
--- a/yara_rules/sekoiaio_manjusaka_samples.yar
+++ /dev/null
@@ -1,42 +0,0 @@
-rule sekoiaio_manjusaka_samples {
-    meta:
-        id = "7aa8edb3-2e67-4632-af68-5b65c9aefe39"
-        version = "1.0"
-        author = "Sekoia.io"
-        description = "Detects Manjusaka via protobuf struture names (Windows / Linux / implants / C2)"
-        creation_date = "2022-08-04"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = ".protos.AgentStatusR" ascii wide
-        $ = ".protos.AgentsR" ascii wide
-        $ = ".protos.FileActionR" ascii wide
-        $ = ".protos.FileEntryR" ascii wide
-        $ = ".protos.HttpFileActionR" ascii wide
-        $ = ".protos.HttpFileEntryR" ascii wide
-        $ = ".protos.PassResultR" ascii wide
-        $ = ".protos.PortResultR" ascii wide
-        $ = ".protos.PortResultR" ascii wide
-        $ = ".protos.PortResultR" ascii wide
-        $ = ".protos.ConfigH" ascii wide
-        $ = ".protos.AgentUpdateH" ascii wide
-        $ = ".protos.PluginExecH" ascii wide
-        $ = ".protos.PluginLoadH" ascii wide
-        $ = ".protos.ReqCwdH" ascii wide
-        $ = ".protos.ReqCmdH" ascii wide
-        $ = ".protos.ReqListFileH" ascii wide
-        $ = ".protos.ReqCatFileH" ascii wide
-        $ = ".protos.ReqNetStatH" ascii wide
-        $ = ".protos.ReqTaskListH" ascii wide
-        $ = ".protos.ReqScreenH" ascii wide
-        $ = ".protos.FileEventH" ascii wide
-        $ = ".protos.HttpFileEventH" ascii wide
-        $ = ".protos.PassGetEventH" ascii wide
-        $ = ".protos.FileGetEventH" ascii wide
-        $ = ".protos.AgentEventR" ascii wide
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
-        15 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_merlin_crossplatform.yar b/yara_rules/sekoiaio_merlin_crossplatform.yar
deleted file mode 100644
index acbefa1..0000000
--- a/yara_rules/sekoiaio_merlin_crossplatform.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule sekoiaio_merlin_crossplatform {
-    meta:
-        id = "c9c57f5e-26c3-43be-b2cf-10f5129d3be6"
-        author = "Sekoia.io"
-        creation_date = "2022-01-03"
-        description = "Detects Merlin agent cross platform"
-        version = "1.0"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = ".CRT" ascii
-        $s2 = ".tls" ascii
-        $s3 = "github.com/Ne0nd0g/merlin" ascii
-        $s4 = "github.com/refraction-networking" ascii
-        $s5 = "SendMerlinMessage" ascii
-        $s6 = "ifconfigH9" ascii
-        
-    condition:
-        (uint16(0) == 0x5a4d or uint16(0) == 0x457f)
-        and all of them
-        and filesize > 5MB
-        and filesize < 15MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_merlin_linux_elf.yar b/yara_rules/sekoiaio_merlin_linux_elf.yar
deleted file mode 100644
index ada12fb..0000000
--- a/yara_rules/sekoiaio_merlin_linux_elf.yar
+++ /dev/null
@@ -1,35 +0,0 @@
-import "elf"
-import "hash"
-        
-rule sekoiaio_merlin_linux_elf {
-    meta:
-        id = "d9c57f5e-26c3-43be-b2cf-10f5129d3be6"
-        author = "Sekoia.io"
-        creation_date = "2022-01-03"
-        description = "Detects Merling agent (ELF)"
-        version = "1.0"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "github.com/Ne0nd0g/merlin" ascii
-        $s2 = "github.com/refraction-networking" ascii
-        $s3 = "SendMerlinMessage" ascii
-        
-    condition:
-        uint32(0)==0x464c457f
-                and for any i in (0..elf.number_of_sections-1) : (
-                        hash.md5(elf.sections[i].offset, elf.sections[i].size) == "80199718ff1821a3fe914cd2279ab3a0"
-        )
-                and for any i in (0..elf.number_of_sections-1) : (
-                        hash.md5(elf.sections[i].offset, elf.sections[i].size) == "7dea362b3fac8e00956a4952a3d4f474"
-        )
-                and for any i in (0..elf.number_of_sections-1) : (
-                        hash.md5(elf.sections[i].offset, elf.sections[i].size) == "d41d8cd98f00b204e9800998ecf8427e"
-        )
-                and for any i in (0..elf.number_of_sections-1) : (
-                        hash.md5(elf.sections[i].offset, elf.sections[i].size) == "91476dafa5ef669483350538fa6ec4cb"
-                )
-        and all of them
-        and filesize < 15MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_merlin_win_dll.yar b/yara_rules/sekoiaio_merlin_win_dll.yar
deleted file mode 100644
index 3d9b1c8..0000000
--- a/yara_rules/sekoiaio_merlin_win_dll.yar
+++ /dev/null
@@ -1,43 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_merlin_win_dll {
-    meta:
-        id = "c9c57f5e-26c3-43be-b2cf-10f5129d3be5"
-        author = "Sekoia.io"
-        creation_date = "2022-01-03"
-        description = "Detects Merling agent (DLL)"
-        version = "1.0"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = ".CRT" ascii
-        $s2 = ".tls" ascii
-        $s3 = "github.com/Ne0nd0g/merlin" ascii
-        $s4 = "github.com/lucas-clemente" ascii
-        $s5 = "SendMerlinMessage" ascii
-        
-    condition:
-        uint16(0)==0x5A4D
-                and pe.imphash() == "da7f8acb6151c95be088a02465d68ef8"
-                and for any i in (0..pe.number_of_sections-1) : (
-                        hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "491d9a18aea3d0eb3653fdaf0b9b86bb"
-        )
-                and for any i in (0..pe.number_of_sections-1) : (
-                        hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "d41d8cd98f00b204e9800998ecf8427e"
-        )
-                and for any i in (0..pe.number_of_sections-1) : (
-                        hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "bf619eac0cdf3f68d496ea9344137e8b"
-        )
-                and for any i in (0..pe.number_of_sections-1) : (
-                        hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "ce7969c1e894363133e386361be064e5"
-        )
-                and for any i in (0..pe.number_of_sections-1) : (
-                        hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "c6179cdcd9ba0758a18a1280f98062eb"
-                )
-        and all of them
-        and $s1 at 712 
-        and $s2 at 752 
-        and filesize < 15MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_merlin_win_exe.yar b/yara_rules/sekoiaio_merlin_win_exe.yar
deleted file mode 100644
index 303e808..0000000
--- a/yara_rules/sekoiaio_merlin_win_exe.yar
+++ /dev/null
@@ -1,28 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_merlin_win_exe {
-    meta:
-        id = "c9c57f5e-26c3-43be-b2cf-10f5129d3be4"
-        author = "Sekoia.io"
-        creation_date = "2022-01-03"
-        description = "Detects Merling agent (PE)"
-        version = "1.0"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "B.symtab" ascii
-        $s2 = "github.com/Ne0nd0g/merlin" ascii
-        $s3 = "github.com/lucas-clemente" ascii
-        $s4 = "SendMerlinMessage" ascii
-        
-    condition:
-        uint16(0)==0x5A4D
-        and for any i in (0..pe.number_of_sections-1) : (
-                        hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "07b5472d347d42780469fb2654b7fc54"
-                )
-        and all of them
-        and $s1 at 591
-        and filesize < 15MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_miner_lin_xmrig_strings.yar b/yara_rules/sekoiaio_miner_lin_xmrig_strings.yar
deleted file mode 100644
index 53e2638..0000000
--- a/yara_rules/sekoiaio_miner_lin_xmrig_strings.yar
+++ /dev/null
@@ -1,37 +0,0 @@
-rule sekoiaio_miner_lin_xmrig_strings {
-    meta:
-        id = "2f99020b-424c-4433-860c-5e9ab4e1f1de"
-        version = "1.0"
-        description = "Detects XMRig ELF"
-        author = "Sekoia.io"
-        creation_date = "2022-09-08"
-        modification_date = "2024-01-04"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "XMRig "
-        $ = "pool_wallet"
-        $ = "IP Address currently banned"
-        $ = "rigid"
-        $ = "diff_current"
-        $ = "shares_good"
-        $ = "shares_total"
-        $ = "avg_time"
-        $ = "avg_time_ms"
-        $ = "hashes_total"
-        $ = "pool address"
-        $ = "ping time"
-        $ = "connection time"
-        $ = "daemon+wss://"
-        $ = "daemon+https://"
-        $ = "daemon+http://"
-        $ = "socks5://"
-        $ = "stratum+ssl://"
-        $ = "stratum+tcp://"
-        
-    condition:
-        uint32be(0) == 0x7f454c46 and
-        filesize < 10MB and
-        7 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_miner_win_xmrig_strings.yar b/yara_rules/sekoiaio_miner_win_xmrig_strings.yar
deleted file mode 100644
index 7587f9f..0000000
--- a/yara_rules/sekoiaio_miner_win_xmrig_strings.yar
+++ /dev/null
@@ -1,36 +0,0 @@
-rule sekoiaio_miner_win_xmrig_strings {
-    meta:
-        id = "35f203aa-20cd-4235-9ead-b34be14255d5"
-        version = "1.0"
-        description = "Detects XMRig EXE"
-        author = "Sekoia.io"
-        creation_date = "2024-01-04"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "XMRig "
-        $ = "pool_wallet"
-        $ = "IP Address currently banned"
-        $ = "rigid"
-        $ = "diff_current"
-        $ = "shares_good"
-        $ = "shares_total"
-        $ = "avg_time"
-        $ = "avg_time_ms"
-        $ = "hashes_total"
-        $ = "pool address"
-        $ = "ping time"
-        $ = "connection time"
-        $ = "daemon+wss://"
-        $ = "daemon+https://"
-        $ = "daemon+http://"
-        $ = "socks5://"
-        $ = "stratum+ssl://"
-        $ = "stratum+tcp://"
-        
-    condition:
-        uint32be(0) == 0x5A4D and
-        filesize < 15MB and
-        7 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_nomercy.yar b/yara_rules/sekoiaio_nomercy.yar
deleted file mode 100644
index 1cd35c8..0000000
--- a/yara_rules/sekoiaio_nomercy.yar
+++ /dev/null
@@ -1,62 +0,0 @@
-rule sekoiaio_nomercy {
-    meta:
-        id = "2591f74b-8ab8-45ef-ba64-62a93df305c1"
-        version = "1.0"
-        hash1 = "9ecc76d4cda47a93681ddbb67b642c2e1f303ab834160ab94b79b47381e23a65"
-        hash2 = "557acce8b787aba87c8eeb939438b52c5ca953f28ad680a7faeb2b3046d3fda0"
-        description = "Detect NoMercy sample version up to 1.1.0"
-        author = "Sekoia.io"
-        creation_date = "2022-07-11"
-        classification = "TLP:CLEAR"
-        reference = "https://blog.cyble.com/2022/07/07/nomercy-stealer-adding-new-features/"
-        
-    strings:
-        $debug1 = "Posted uid and version" wide ascii
-        $debug2 = "Posted cli info to server" wide ascii
-        $debug3 = "Posted other info to server" wide ascii
-        $debug4 = "Sending screenshot..." wide ascii
-        $debug5 = "Sent screenshot" wide ascii
-        $debug6 = "Listening to Microphone..." wide ascii
-        $debug7 = "Collecting other info..." wide ascii
-        $url1 = "/a?uid=" wide ascii
-        $url2 = "/c?uid=" wide ascii
-        $url3 = "/d?uid=" wide ascii
-        $url4 = "/e?uid=" wide ascii
-        $url5 = "/b?sysinfoother=" wide ascii
-        $url6 = "/b?sysinfocli=" wide ascii
-        $info1 = "PUBLIC IP:" wide ascii
-        $info2 = "HWID:" wide ascii
-        $info3 = "RAM:" wide ascii
-        $info4 = "GPU:" wide ascii
-        $info5 = "MEDIA ACCESS CONTROL ADDRESS:" wide ascii
-        $info6 = "PRIVATE IP:" wide ascii
-        $info7 = "OS VERSION:" wide ascii
-        $info8 = "ANTIVIRUS:" wide ascii
-        $info9 = "KEYBOARD LANGUAGE:" wide ascii
-        $info10 = "CLIPBOARD: {0}{1}{2}" wide ascii
-        $info11 = "RUNNING PROCESSES:" wide ascii
-        $info12 = "WINDOW TITLE:" wide ascii
-        $cmd1 = "/c whoami /all" wide ascii
-        $cmd2 = "/c whoami" wide ascii
-        $cmd3 = "/c arp -a" wide ascii
-        $cmd4 = "/c ipconfig /all" wide ascii
-        $cmd5 = "/c net view /all" wide ascii
-        $cmd6 = "/c net share" wide ascii
-        $cmd7 = "/c route print" wide ascii
-        $cmd8 = "/c netstat -nao" wide ascii
-        $cmd9 = "/c net localgroup" wide ascii
-        $cmd10 = "/c systeminfo" wide ascii
-        $inv1 = "http://api.ipify.org" wide ascii
-        $inv2 = "NoMercy" wide ascii
-        
-    condition:
-    uint16be(0) == 0x4d5a 
-    and 3 of ($debug*)
-    and 8 of ($info*) 
-    and 2 of ($url*)
-    and 6 of ($cmd*) 
-    and 1 of ($inv*) 
-    and filesize > 700KB 
-    and filesize < 3000KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_observerstealer.yar b/yara_rules/sekoiaio_observerstealer.yar
deleted file mode 100644
index 7d1ab37..0000000
--- a/yara_rules/sekoiaio_observerstealer.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-rule sekoiaio_observerstealer {
-    meta:
-        id = "52314870-c100-441d-9ccf-07588325a401"
-        version = "1.0"
-        description = "detection based on the strings"
-        author = "Sekoia.io"
-        creation_date = "2024-02-01"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "URLOpenBlockingStreamW" ascii
-        $s2 = "processGrabber" wide
-        $s3 = "grabbers" wide
-        $s4 = {2F 00 73}
-        $s5 = "UNKNOWN_HWID" ascii
-        $s6 = {48 00 57 00 49 00 44}
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
-        filesize < 400KB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_pe_princeransomware_strings.yar b/yara_rules/sekoiaio_pe_princeransomware_strings.yar
deleted file mode 100644
index 12593eb..0000000
--- a/yara_rules/sekoiaio_pe_princeransomware_strings.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_pe_princeransomware_strings {
-    meta:
-        id = "9c5cad6e-2b11-469c-ace1-2dc51562b035"
-        version = "1.0"
-        description = "Prince Ransomware exe files"
-        author = "Sekoia.io"
-        creation_date = "2024-08-07"
-        classification = "TLP:CLEAR"
-        hash = "8bd8de169f45e32bab53f6e06088836d6f0526105f03efa1faf84f3b02c43011"
-        hash = "a83aad6861c8fdfe2392b8e286ab7051d223c6b0bbba5996165964f429657a37"
-        
-    strings:
-        $ = "https://i.imgur.com/RfsCOES.png" ascii
-        $ = {596f75722066696c65732068617665206265656e20656e63727970746564207573696e67205072696e63652052616e736f6d77617265} //Your files have been encrypted using Prince Ransomware
-        
-    condition:
-        all of them and uint16(0) == 0x5a4d and filesize > 1MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_pe_stealer_axilestealer_strings.yar b/yara_rules/sekoiaio_pe_stealer_axilestealer_strings.yar
deleted file mode 100644
index 9067df4..0000000
--- a/yara_rules/sekoiaio_pe_stealer_axilestealer_strings.yar
+++ /dev/null
@@ -1,29 +0,0 @@
-rule sekoiaio_pe_stealer_axilestealer_strings {
-    meta:
-        id = "412bfc3e-6bb7-4b0d-8bb3-96eae0cc9782"
-        version = "1.0"
-        description = "AxileStealer strings"
-        author = "Sekoia.io"
-        creation_date = "2023-12-13"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "http://ip-api.com/line/?fields=query,country,countryCode,city,regionName,zip,isp" wide
-        $s2 = "Axile.su" wide
-        $s3 = "Unknown Tokens.txt" wide
-        $a1 = "[ <b>General</b> ]" wide
-        $a2 = "[ <b>Browsers</b> ]" wide
-        $a3 = "[ <b>Wallets</b> ]" wide
-        $a4 = "[ <b>Messengers</b> ]" wide
-        $a5 = "[ <b>Applications</b> ]" wide
-        $a6 = "[ <b>Games</b> ]" wide
-        $a7 = "[ <b>Mails</b> ]" wide
-        $a8 = "[ <b>VPNs</b> ]" wide
-        $a9 = "[ <b>FTPs</b> ]" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize > 50KB and filesize < 200KB and
-        2 of ($s*) and 7 of ($a*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_pe_stealer_scarletstealer_strings.yar b/yara_rules/sekoiaio_pe_stealer_scarletstealer_strings.yar
deleted file mode 100644
index 45529cb..0000000
--- a/yara_rules/sekoiaio_pe_stealer_scarletstealer_strings.yar
+++ /dev/null
@@ -1,34 +0,0 @@
-rule sekoiaio_pe_stealer_scarletstealer_strings {
-    meta:
-        id = "ca930851-513f-44e5-abb4-ca0edfde3428"
-        version = "1.0"
-        description = "ScarletStealer strings"
-        author = "Sekoia.io"
-        creation_date = "2023-12-15"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "Scarlet Client" wide
-        $s2 = "] PC NAME:   (" wide
-        $s3 = "] IP:   (" wide
-        $s4 = " - Wallets -" wide
-        $s5 = "] Exodus:  (" wide
-        $s6 = "] Electrum:  (" wide
-        $s7 = "] Atomic:  (" wide
-        $s8 = "] Guarda:  (" wide
-        $s9 = "] Coinomi: (" wide
-        $s10 = "] Monero:  (" wide
-        $s11 = "] Ledger:  (" wide
-        $s12 = "] Bitbox:  (" wide
-        $s13 = "] Trezor:  (" wide
-        $s14 = ") Support: PointX@exploit.im - @isPointX" wide
-        $a2 = "/config/tk.txt" wide
-        $a3 = "/config/chatid.txt" wide
-        $a1 = "telebyt.com" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize > 50KB and filesize < 2MB and
-        13 of ($s*) and 2 of ($a*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_platypus_winlinmac_strings.yar b/yara_rules/sekoiaio_platypus_winlinmac_strings.yar
deleted file mode 100644
index f858e31..0000000
--- a/yara_rules/sekoiaio_platypus_winlinmac_strings.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-rule sekoiaio_platypus_winlinmac_strings {
-    meta:
-        id = "4519448d-b91b-4794-9521-359b8cf4af78"
-        version = "1.0"
-        description = "Catch Platypus based on strings"
-        author = "Sekoia.io"
-        creation_date = "2023-12-07"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $pl1 = "platypus.go" ascii
-        $pl2 = "Platypus/lib/context/server.go" ascii
-        $pl3 = "Platypus/lib/context/context.go" ascii
-        $pl4 = "Platypus/lib/context/client.go" ascii
-        $pl5 = "github.com/WangYihang/" ascii
-        $f1 = "reflection/reflection.go" ascii
-        $f2 = "socksUsernamePassword" ascii
-        $go = "/golang" ascii
-        
-    condition:
-        uint32(0)==0x464c457f and 4 of ($pl*) and 1 of ($f*) and #go > 30
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_plugx_final_payload.yar b/yara_rules/sekoiaio_plugx_final_payload.yar
deleted file mode 100644
index de16a5c..0000000
--- a/yara_rules/sekoiaio_plugx_final_payload.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-import "pe"
-        
-rule sekoiaio_plugx_final_payload {
-    meta:
-        id = "a4047324-81a7-4c17-be84-c0fa479d2f89"
-        version = "1.0"
-        description = "Detects encrypted plugx config with a specific size"
-        author = "Sekoia.io"
-        creation_date = "2023-07-04"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = {30 31 32 33 34 35 36 37 38 39 41 42 43 44 45 46 88 13 00 00 60 ea 00 00 ?? ?? ?? ?? 00 00 00 00}
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
-        filesize < 8MB and 
-        for any i in (0..pe.number_of_sections-1) : 
-        (
-            pe.sections[i].name == ".data"
-            and $s1 in (pe.sections[i].raw_data_offset..pe.sections[i].raw_data_offset + pe.sections[i].raw_data_size)
-        )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_radx_stealer.yar b/yara_rules/sekoiaio_radx_stealer.yar
deleted file mode 100644
index 07fdcc0..0000000
--- a/yara_rules/sekoiaio_radx_stealer.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_radx_stealer {
-    meta:
-        id = "bf2aae08-169c-4bc9-a1ac-80f4b79ef6d7"
-        version = "1.0"
-        description = "detection of RADX stealer based on function named in the .NET payload"
-        author = "Sekoia.io"
-        creation_date = "2023-12-22"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "get_FileName" ascii fullword
-        $s2 = "set_FileName" ascii fullword
-        $f1 = "TripleDESCryptoServiceProvider" ascii fullword
-        $f2 = "SendBase64ToServer" ascii fullword
-        $f3 = "SendCommandOutputToServer" ascii fullword
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
-        filesize > 500KB and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_ransomware_lin_avoslocker_sections.yar b/yara_rules/sekoiaio_ransomware_lin_avoslocker_sections.yar
deleted file mode 100644
index f851b3f..0000000
--- a/yara_rules/sekoiaio_ransomware_lin_avoslocker_sections.yar
+++ /dev/null
@@ -1,26 +0,0 @@
-import "elf"
-import "hash"
-        
-rule sekoiaio_ransomware_lin_avoslocker_sections {
-    meta:
-        id = "3a7bf14d-24fb-47c9-b073-dd734f808983"
-        version = "1.0"
-        description = "Detect AvosLocker ransomware for Linux by using its section hashes"
-        author = "Sekoia.io"
-        creation_date = "2022-02-21"
-        classification = "TLP:CLEAR"
-        hash1 = "0cd7b6ea8857ce827180342a1c955e79c3336a6cf2000244e5cfd4279c5fc1b6"
-        hash2 = "7c935dcd672c4854495f41008120288e8e1c144089f1f06a23bd0a0f52a544b1"
-        hash3 = "10ab76cd6d6b50d26fde5fe54e8d80fceeb744de8dbafddff470939fac6a98c4"
-        
-    condition:
-        uint32(0)==0x464c457f and
-        for any i in (0..elf.number_of_sections-1) : (hash.md5(elf.sections[i].offset, elf.sections[i].size) == "91476dafa5ef669483350538fa6ec4cb")
-        and for any i in (0..elf.number_of_sections-1) : (hash.md5(elf.sections[i].offset, elf.sections[i].size) == "c2b21b2556c9d751e203965c825f8a81")
-        and for any i in (0..elf.number_of_sections-1) : (hash.md5(elf.sections[i].offset, elf.sections[i].size) == "f858d36231ba743ad8c898d86a67a864")
-        and for any i in (0..elf.number_of_sections-1) : (hash.md5(elf.sections[i].offset, elf.sections[i].size) == "7dea362b3fac8e00956a4952a3d4f474")
-        and for any i in (0..elf.number_of_sections-1) : (hash.md5(elf.sections[i].offset, elf.sections[i].size) == "489c87d7b1a694980587dfb413fb2afc")
-        and for any i in (0..elf.number_of_sections-1) : (hash.md5(elf.sections[i].offset, elf.sections[i].size) == "972e27e9f115278244f5e4ae89dd412a")
-        and for any i in (0..elf.number_of_sections-1) : (hash.md5(elf.sections[i].offset, elf.sections[i].size) == "d1f5b688a92b611e1363945fa552a9d7")
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_ransomware_lin_avoslocker_strings.yar b/yara_rules/sekoiaio_ransomware_lin_avoslocker_strings.yar
deleted file mode 100644
index ef9d9db..0000000
--- a/yara_rules/sekoiaio_ransomware_lin_avoslocker_strings.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_ransomware_lin_avoslocker_strings {
-    meta:
-        version = "1.0"
-        description = "Detect AvosLocker ransomware for Linux by using strings from its ransom note and the onion domains"
-        author = "Sekoia.io"
-        creation_date = "2022-02-21"
-        classification = "TLP:CLEAR"
-        hash1 = "0cd7b6ea8857ce827180342a1c955e79c3336a6cf2000244e5cfd4279c5fc1b6"
-        hash2 = "7c935dcd672c4854495f41008120288e8e1c144089f1f06a23bd0a0f52a544b1"
-        hash3 = "10ab76cd6d6b50d26fde5fe54e8d80fceeb744de8dbafddff470939fac6a98c4"
-        id = "6056e15c-d656-41cb-bea0-704776c52c92"
-        
-    strings:
-        $s1 = "The corporations whom don't pay or fail to respond in a swift manner can be found in our blog, accessible at" ascii
-        $s2 = "http://avosqxh72b5ia23dl5fgwcpndkctuzqvh2iefk5imp3pi5gfhel5klad.onion" ascii
-        $s3 = "http://avosjon4pfh3y7ew3jdwz6ofw7lljcxlbk7hcxxmnxlh5kvf2akcqjad.onion" ascii
-        
-    condition:
-        uint32(0)==0x464c457f and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_ransomware_linux_icefire_2023.yar b/yara_rules/sekoiaio_ransomware_linux_icefire_2023.yar
deleted file mode 100644
index 92b2fc6..0000000
--- a/yara_rules/sekoiaio_ransomware_linux_icefire_2023.yar
+++ /dev/null
@@ -1,25 +0,0 @@
-rule sekoiaio_ransomware_linux_icefire_2023 {
-    meta:
-        id = "b04964f4-3fdc-4745-9f4a-95a5a79bc7e1"
-        version = "1.0"
-        description = "Rule to detect Linux IceFire ransomware samples."
-        author = "Sekoia.io"
-        creation_date = "2023-02-13"
-        classification = "TLP:CLEAR"
-        hash1 = "e9cc7fdfa3cf40ff9c3db0248a79f4817b170f2660aa2b2ed6c551eae1c38e0b"
-        
-    strings:
-        $string01 = "********************Your network has been infected!!!********************"
-        $string02 = "IMPORTANT : DO NOT DELETE THIS FILE UNTIL ALL YOUR DATA HAVE BEEN RECOVERED!!!"
-        $string03 = "username:"
-        $string04 = "password:"
-        $string05 = ".cfg.o.sh.img.txt.xml.jar.pid.ini.pyc.a.so.run.env.cache.xmlb"
-        $string06 = "./boot./dev./etc./lib./proc./srv./sys./usr./var./run"
-        $string07 = "/iFire-readme.txt"
-        $string08 = ".iFire"
-        $string09 = "iFire.pid"
-        
-    condition:
-        uint32be(0) == 0x7F454C46  and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_ransomware_mallox.yar b/yara_rules/sekoiaio_ransomware_mallox.yar
deleted file mode 100644
index 3ffc0b9..0000000
--- a/yara_rules/sekoiaio_ransomware_mallox.yar
+++ /dev/null
@@ -1,39 +0,0 @@
-rule sekoiaio_ransomware_mallox {
-    meta:
-        id = "7e2edc94-26e4-4024-8bc0-8e90d76f5a96"
-        version = "1.0"
-        description = "Rule to detect mallox ransomware samples."
-        author = "Sekoia.io"
-        creation_date = "2023-02-20"
-        modification_date = "2023-05-24"
-        classification = "TLP:CLEAR"
-        hash1 = "2a549489e2455a2d84295604e29c727dd20d65f5a874209840ce187c35d9a439"
-        hash2 = "3f843cbffeba010445dae2b171caaa99c6b56360de5407da71210d007fe26673"
-        hash3 = "4075d6e02c022ee45e0cd1c826abf749200639ee8ebc42375dac2430abafb5d6"
-        hash4 = "4db69a0643f6ec795e5450a0563605e91293f233aa60715ae09ed8effa3b7267"
-        hash5 = "77fdce66e7f909300e4493cbe7055254f7992ba65f9b7445a6755d0dbd9f80a5"
-        hash6 = "8e974a3be94b7748f7971f278160a74d738d5cab2c3088b1492cfbbd05e83e22"
-        hash7 = "a5085e571857ec54cf9625050dfc29a195dad4d52bea9b69d3f22e33ed636525"
-        hash8 = "df64e87ecb30f4cadf54f2c1b3d3cba8cc2d315db0fd4af2d11add57baa56f6a"
-        hash9 = "e7e00e0f817fcb305f82aec2e60045fcdb1b334b2621c09133b6b81284002009"
-        
-    strings:
-        $s1 = "C:\\HOW TO RECOVER !!.TXT" wide ascii nocase
-        $s2 = "SYSTEM\\CurrentControlSet\\Services\\EventLog\\Application\\Raccine" wide ascii nocase
-        $s3 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\vssadmin.exe" wide ascii nocase
-        $s4 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\wmic.exe" wide ascii nocase
-        $s5 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\wbadmin.exe" wide ascii nocase
-        $s6 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\bcdedit.exe" wide ascii nocase
-        $s7 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\powershell.exe" wide ascii nocase
-        $s8 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\diskshadow.exe" wide ascii nocase
-        $s9 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\net.exe" wide ascii nocase
-        $s10 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskkill.exe" wide ascii nocase
-        $s11 = "bcdedit /set {current} recoveryenabled no" wide ascii nocase
-        $mallox_fargo = ".FARGO" wide ascii nocase
-        $mallox_mallox = ".mallox" wide ascii nocase
-        $mallox_exploit = "newexploit@tutanota.com"
-        
-    condition:
-        uint16be(0) == 0x4d5a and all of ($s*) and 1 of ($mallox_*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_ransomware_win_agenda.yar b/yara_rules/sekoiaio_ransomware_win_agenda.yar
deleted file mode 100644
index 5db670e..0000000
--- a/yara_rules/sekoiaio_ransomware_win_agenda.yar
+++ /dev/null
@@ -1,27 +0,0 @@
-rule sekoiaio_ransomware_win_agenda {
-    meta:
-        version = "1.0"
-        description = "Finds Agenda ransomware (aka Qilin) samples based on characteristic strings"
-        author = "Sekoia.io"
-        creation_date = "2022-12-15"
-        id = "b0ea8e69-8f29-452f-95f7-67ee0e545b66"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str00 = "\"note\": \"-- Qilin" ascii
-        $str01 = "README-RECOVER-.txt" ascii
-        $str02 = "\"file_black_list\": [" ascii
-        $str03 = "\"file_pattern_black_list\": [" ascii
-        $str04 = "Encrypted files have new extension." ascii
-        $str05 = "We have downloaded compromising and sensitive data from you system/network" ascii
-        $str06 = "Employees personal dataCVsDLSSN." ascii
-        $str07 = "ueegj65kwr3v3sjhli73gjtmfnh2uqlte3vyg2kkyqq7cja2yx2ptaad.onion" ascii
-        $str08 = "cmdvssadmin.exe delete shadows /all /quiet" ascii
-        $str09 = "[WARNING] Removing shadows failed." ascii
-        $str10 = "[INFO] Shadow copies removed" ascii
-        $str11 = "[WARNING] net sahre enum failed with:" ascii
-        
-    condition:
-        uint16(0)==0x5A4D and 2 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_ransomware_win_avoslocker.yar b/yara_rules/sekoiaio_ransomware_win_avoslocker.yar
deleted file mode 100644
index e9621b6..0000000
--- a/yara_rules/sekoiaio_ransomware_win_avoslocker.yar
+++ /dev/null
@@ -1,25 +0,0 @@
-rule sekoiaio_ransomware_win_avoslocker {
-    meta:
-        id = "fc5c2483-48cb-4282-b6cb-ac728b948607"
-        version = "1.0"
-        description = "Detect AvosLocker ransomware (2021-07)"
-        author = "Sekoia.io"
-        creation_date = "2021-08-03"
-        classification = "TLP:CLEAR"
-        hash6 = "f810deb1ba171cea5b595c6d3f816127fb182833f7a08a98de93226d4f6a336f"
-        hash7 = "c0a42741eef72991d9d0ee8b6c0531fc19151457a8b59bdcf7b6373d1fe56e02"
-        hash8 = "84d94c032543e8797a514323b0b8fd8bd69b4183f17351628b13d1464093af2d"
-        
-    strings:
-        $s1 = "cryptopp850\\rijndael_simd.cpp" ascii
-        $s2 = "cryptopp850\\sha_simd.cpp" ascii
-        $s3 = "cryptopp850\\gf2n_simd.cpp" ascii
-        $s4 = "cryptopp850\\sse_simd.cpp" ascii
-        
-    condition:
-        all of them
-        and uint16(0)==0x5A4D
-        and filesize > 900KB
-        and filesize < 950KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_ransomware_win_blackcat.yar b/yara_rules/sekoiaio_ransomware_win_blackcat.yar
deleted file mode 100644
index 1f17e1e..0000000
--- a/yara_rules/sekoiaio_ransomware_win_blackcat.yar
+++ /dev/null
@@ -1,32 +0,0 @@
-rule sekoiaio_ransomware_win_blackcat {
-    meta:
-        id = "873355f7-3942-4171-9df7-f524bb6b6903"
-        description = "Detect the BlackCat ransomware (Windows version)"
-        author = "Sekoia.io"
-        creation_date = "2022-01-19"
-        classification = "TLP:CLEAR"
-        version = "1.1"
-        
-    strings:
-        $s1 = "desktop_image::set_desktop_wallpaper=" ascii
-        $s2 = "C:\\Users\\Public\\All Usersdeploy_note_and_image_for_all_users=" ascii
-        $s3 = "propagate::none" ascii
-        $s4 = "propagate::failed=" ascii
-        $s5 = "propagate::ok=" ascii
-        $s6 = "query_status_process::ok=" ascii
-        $s7 = "enum_dependent_services::ok=" ascii
-        $s8 = "enum_dependent_services::error=" ascii
-        $s9 = "try_stop=" ascii
-        $s10 = "try_stop::ok=" ascii
-        $s11 = "try_stop::failed=" ascii
-        $s12 = "stop=" ascii
-        $s13 = "dependent_service_name=" ascii
-        $s14 = "kill_all=" ascii
-        $s15 = "detach=" ascii
-        
-    condition:
-        uint16(0)==0x5A4D
-        and filesize > 2MB and filesize < 4MB
-        and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_ransomware_win_blackmatter.yar b/yara_rules/sekoiaio_ransomware_win_blackmatter.yar
deleted file mode 100644
index c686631..0000000
--- a/yara_rules/sekoiaio_ransomware_win_blackmatter.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_ransomware_win_blackmatter {
-    meta:
-        id = "9b2d8ac3-b4d1-40f5-ac57-411547dcb2cf"
-        version = "1.0"
-        description = "Detect Black matter ransomware (2021-07-23)"
-        author = "Sekoia.io"
-        creation_date = "2021-08-03"
-        classification = "TLP:CLEAR"
-        
-    condition:
-        for any i in (0..pe.number_of_sections-1) : (
-            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "5e89d335de2021a2c268acf00ec513e5"
-        )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_ransomware_win_chaos.yar b/yara_rules/sekoiaio_ransomware_win_chaos.yar
deleted file mode 100644
index 518a75b..0000000
--- a/yara_rules/sekoiaio_ransomware_win_chaos.yar
+++ /dev/null
@@ -1,47 +0,0 @@
-rule sekoiaio_ransomware_win_chaos {
-    meta:
-        id = "c1876a18-0618-44e2-8919-b4a041de97e7"
-        description = "Detects the Chaos Ransomware"
-        author = "Sekoia.io"
-        version = "1.0"
-        creation_date = "2022-01-18"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $rep00 = "\\Desktop" wide
-        $rep01 = "\\Links" wide
-        $rep02 = "\\Contacts" wide
-        $rep03 = "\\Documents" wide
-        $rep04 = "\\Downloads" wide
-        $rep05 = "\\Pictures" wide
-        $rep06 = "\\Music" wide
-        $rep07 = "\\OneDrive" wide
-        $rep08 = "\\Saved Games" wide
-        $rep09 = "\\Favorites" wide
-        $rep10 = "\\Searches" wide
-        $rep11 = "\\Videos" wide
-        $rep12 = "C:\\Users\\" wide
-        
-        $str0 = "svchost.exe" wide
-        $str1 = "\\privateKey.chaos" wide
-        $str2 = "Chaos Ransomware" wide
-        $str3 = "read_it.txt" wide
-        $str4 = "<EncryptedKey>" wide
-        $str5 = "passwordBytes" ascii
-        $str6 = "lookForDirectories" ascii
-        $str7 = "Rfc2898DeriveBytes" ascii
-        $str8 = "ICryptoTransform" ascii
-        $str9 = "FromBase64String" ascii
-        
-        $ext0 = ".torrent" wide
-        $ext1 = ".ibank" wide
-        $ext2 = ".wallet" wide
-        $ext3 = ".swift" wide
-        $ext4 = ".onetoc2" wide
-        
-    condition:
-        uint16(0) == 0x5a4d and
-    filesize > 50KB and filesize < 2MB and
-        6 of ($str*) and 10 of ($rep*) and 4 of ($ext*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_ransomware_win_dodo_2023.yar b/yara_rules/sekoiaio_ransomware_win_dodo_2023.yar
deleted file mode 100644
index c29d3ba..0000000
--- a/yara_rules/sekoiaio_ransomware_win_dodo_2023.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-rule sekoiaio_ransomware_win_dodo_2023 {
-    meta:
-        id = "190977d4-5a7a-4e15-8f90-085f82ec56c8"
-        version = "1.0"
-        description = "Rule to detect Dodo ransomware samples."
-        author = "Sekoia.io"
-        creation_date = "2023-02-13"
-        classification = "TLP:CLEAR"
-        hash1 = "aee45cc2540d49a28e765c30f1c4d0b853c1a74ea2260bd7614ece8e54c3bcb3"
-        
-    strings:
-        $s1 = "DODOCRYPTER" ascii wide
-        $s2 = "dodov2" ascii wide
-        $s3 = "dodov2SPREAD.exe" ascii wide
-        $s4 = "dodov2_readit.txt" ascii wide
-        $s5 = "WELCOME, DODO has returned" ascii wide
-        $s6 = "Monero Address: 442n8nf9zojie1JdkZqxDQJFDumBEgZmVZozLdYd5jVPSMws2oUPvNLJKca6JKojyA7zDCZCnMyYnKbY1JLNsbzWK6HNNqW" ascii wide
-        $s7 = "The price for the software is $15. Payment can be made in Bitcoin or XMR." ascii wide
-        
-    condition:
-        uint16be(0) == 0x4d5a  and 4 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_ransomware_win_eking_rich_header.yar b/yara_rules/sekoiaio_ransomware_win_eking_rich_header.yar
deleted file mode 100644
index d52f76e..0000000
--- a/yara_rules/sekoiaio_ransomware_win_eking_rich_header.yar
+++ /dev/null
@@ -1,16 +0,0 @@
-import "hash"
-import "pe"
-        
-rule sekoiaio_ransomware_win_eking_rich_header {
-    meta:
-        id = "9fe76f89-f27a-4a47-a61c-2d767a1a8acb"
-        version = "1.0"
-        description = "Detect Eking ransomware using its rich header"
-        author = "Sekoia.io"
-        creation_date = "2021-10-07"
-        classification = "TLP:CLEAR"
-        
-    condition:
-        hash.md5(pe.rich_signature.clear_data) == "256b60751602028612562b73ecdb163c"
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_ransomware_win_fonix.yar b/yara_rules/sekoiaio_ransomware_win_fonix.yar
deleted file mode 100644
index 5e5f514..0000000
--- a/yara_rules/sekoiaio_ransomware_win_fonix.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule sekoiaio_ransomware_win_fonix {
-    meta:
-        id = "b28467d5-69a0-4a8b-8938-8fdac2ae8d19"
-        version = "1.0"
-        description = "Detect the Fonix / XINOF ransomware by spotting its specific debug path"
-        author = "Sekoia.io"
-        creation_date = "2021-10-07"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "Ransomware\\Fonix" ascii
-        $s2 = "Release\\Fonix.pdb" ascii
-        
-    condition:
-        uint16(0)==0x5A4D and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_ransomware_win_honkai_jan2023.yar b/yara_rules/sekoiaio_ransomware_win_honkai_jan2023.yar
deleted file mode 100644
index 5db8edd..0000000
--- a/yara_rules/sekoiaio_ransomware_win_honkai_jan2023.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule sekoiaio_ransomware_win_honkai_jan2023 {
-    meta:
-        id = "6ef91cb5-e122-4f91-bc15-3813b8f91cbf"
-        version = "1.0"
-        description = "Rule to detect Honkai ransomware samples."
-        author = "Sekoia.io"
-        creation_date = "2023-02-13"
-        classification = "TLP:CLEAR"
-        hash1 = "989cf96da60d9ebfb6f364717b4f0cae1667fdc7f9d89f77acc254ab47d439e6"
-        
-    strings:
-        $s1 = "DP_Main.exe" ascii wide
-        $s2 = "DP_MainForm" ascii wide
-        $s3 = "DP_Main" ascii wide
-        $s4 = "#DECRYPT MY FILES#.html" ascii wide
-        $s5 = "/api/Encrypted.php" ascii wide
-        $s6 = "http://upload.paradisenewgenshinimpact.top:2095" ascii wide
-        $s7 = "main@paradisenewgenshinimpact.top" ascii wide
-        $s8 = ".honkai" ascii wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and 6 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_ransomware_win_karma.yar b/yara_rules/sekoiaio_ransomware_win_karma.yar
deleted file mode 100644
index c3c8a40..0000000
--- a/yara_rules/sekoiaio_ransomware_win_karma.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_ransomware_win_karma {
-    meta:
-        id = "efd87a17-7c99-404a-8ea6-2f5c2121f9f2"
-        version = "1.0"
-        description = "Detect the Karma ransomware payload"
-        author = "Sekoia.io"
-        creation_date = "2021-08-25"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $a1 = "KARMA" ascii
-        
-        $u1 = "KARMA" wide
-        $u2 = "-ENCRYPTED.txt" wide
-        $u3 = "Encrypting directory:" wide
-        $u4 = "Encrypting file:" wide
-        $u5 = "Trying to import ECC public key..." wide
-        
-    condition:
-        uint16(0)==0x5A4D and filesize < 150KB and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_ransomware_win_lorenz.yar b/yara_rules/sekoiaio_ransomware_win_lorenz.yar
deleted file mode 100644
index e909d7f..0000000
--- a/yara_rules/sekoiaio_ransomware_win_lorenz.yar
+++ /dev/null
@@ -1,28 +0,0 @@
-rule sekoiaio_ransomware_win_lorenz {
-    meta:
-        id = "6936cc61-efe5-4d13-b76f-e808ab331457"
-        version = "1.1"
-        description = "Detect the Lorenz ransomware"
-        author = "Sekoia.io"
-        creation_date = "2022-02-10"
-        classification = "TLP:CLEAR"
-        reference = "https://www.cybereason.com/blog/cybereason-vs.-lorenz-ransomware"
-        
-    strings:
-        $s1 = ".onion" ascii
-        $s2 = "---===Lorenz. Welcome. Again. ===--" ascii
-        $s3 = ".Lorenz.sz40" ascii
-        
-        $url1 = "egypghtljedbs3x3ui45tfhosakzb376epl7baq2ruzfyewcypswhgqd.onion" ascii
-        $url2 = "lorenzmlwpzgxq736jzseuterytjueszsvznuibanxomlpkyxk6ksoyd.onion" ascii
-        $url3 = "vsoonropylvbfqnq2urk7uhaxn7afiwgldnj3ntc743awigojm4p7lid.onion" ascii
-        $url4 = "kpb3ss3vwvfejd4g3gvpvqo6ad7nnmvcqoik4mxt2376yu2adlg5fwyd.onion" ascii
-        $url5 = "vldkrmiqriwlgm2wuxg42nvc6kqsdzsdhsybn27hyn34d66465fxz7id.onion" ascii
-        
-    condition:
-        uint16(0) == 0x5a4d
-        and filesize > 900KB
-        and filesize < 1200KB
-        and (all of ($s*) or 1 of ($url*))
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_ransomware_win_masons_jan2023.yar b/yara_rules/sekoiaio_ransomware_win_masons_jan2023.yar
deleted file mode 100644
index 90ddd8f..0000000
--- a/yara_rules/sekoiaio_ransomware_win_masons_jan2023.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_ransomware_win_masons_jan2023 {
-    meta:
-        id = "cf2af08b-b4a8-4245-9308-242e15aeb346"
-        version = "1.0"
-        description = "Rule to detect Masons ransomware samples."
-        author = "Sekoia.io"
-        creation_date = "2023-02-13"
-        classification = "TLP:CLEAR"
-        hash1 = "7826978642c568f975e2b65d1575fdf92e634f7c80db2c86c9d7c8066e8955b8"
-        
-    strings:
-        $s1 = "Masons" wide
-        $s2 = "@mineralIaha/@root_king1" wide
-        $s3 = "Glory @six62ix" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_ransomware_win_raworld.yar b/yara_rules/sekoiaio_ransomware_win_raworld.yar
deleted file mode 100644
index a05569e..0000000
--- a/yara_rules/sekoiaio_ransomware_win_raworld.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule sekoiaio_ransomware_win_raworld {
-    meta:
-        id = "a9ed9c5a-7a0e-4c2e-90f4-d52f5589b2b8"
-        version = "1.0"
-        description = "Detects files related to stage 1 of a campaign from the ransomware group RA World."
-        author = "Sekoia.io"
-        creation_date = "2024-07-24"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "Loder.exe" ascii fullword
-        $s2 = "Stage2.exe" wide
-        $s3 = "SYSVOL" wide
-        $s4 = "Finish.exe" wide
-        $s5 = "Exclude.exe" wide
-        $s6 = "Stage3.exe" wide
-        $s7 = "Pay.txt" ascii fullword
-        $s8 = "RA World" ascii fullword
-        $s9 = "Stage1.exe" ascii fullword
-        
-    condition:
-        4 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_ransomware_win_redeemer.yar b/yara_rules/sekoiaio_ransomware_win_redeemer.yar
deleted file mode 100644
index f6fb9a8..0000000
--- a/yara_rules/sekoiaio_ransomware_win_redeemer.yar
+++ /dev/null
@@ -1,25 +0,0 @@
-rule sekoiaio_ransomware_win_redeemer {
-    meta:
-        version = "1.0"
-        description = "Finds Redeemer samples based on characteristic strings"
-        author = "Sekoia.io"
-        creation_date = "2022-12-09"
-        id = "ef94c1b0-d292-4fae-9801-4860e7347745"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str0 = "RedeemerMutex" ascii
-        $str1 = "SOFTWARE\\Redeemer" ascii
-        $str2 = "-----BEGIN REDEEMER PUBLIC KEY-----" ascii
-        $str3 = "dnNzYWRtaW4gZGVsZXRlIHNoYWRvd3MgL0FsbCAvUXVpZXQ=" ascii //vssadmin delete shadows /All /Quiet
-        $str4 = "d2V2dHV0aWwgY2xlYXItbG9nIEFwcGxpY2F0aW9u" ascii //wevtutil clear-log Application
-        $str5 = "d2JhZG1pbiBkZWxldGUgc3lzdGVtc3RhdGViYWNrdXAgLWRlbGV0ZW9sZGVzdCAtcXVpZXQ=" ascii //wbadmin delete systemstatebackup -deleteoldest -quiet
-        $str6 = "YXNzb2MgLnJlZGVlbT1yZWRlZW1lcg==" ascii //assoc .redeem=redeemer
-        $str7 = "UmVkZWVtZXIgUmFuc29td2FyZSAtIFlvdXIgRGF0YSBJcyBFbmNyeXB0ZWQ=" ascii //Redeemer Ransomware - Your Data Is Encrypted
-        $str8 = "redeemer\\DefaultIcon" wide
-        $str9 = "\\Redeemer.sys" wide
-        
-    condition:
-        uint16(0)==0x5A4D and 2 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_ransomware_win_scransom.yar b/yara_rules/sekoiaio_ransomware_win_scransom.yar
deleted file mode 100644
index a6c346a..0000000
--- a/yara_rules/sekoiaio_ransomware_win_scransom.yar
+++ /dev/null
@@ -1,32 +0,0 @@
-rule sekoiaio_ransomware_win_scransom {
-    meta:
-        id = "ea799295-1332-49c6-9816-035b91fc9b4f"
-        version = "1.0"
-        description = "Finds ScRansom samples based on specific strings"
-        author = "Sekoia.io"
-        creation_date = "2023-08-24"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "TIMATOMAFULL" wide
-        $str02 = ".Encrypted" wide
-        $str03 = ".Encrypting" wide
-        $str04 = "File Name :" wide
-        $str05 = "File size :" wide
-        $str06 = "TIMATOMA#" wide
-        $str07 = "Already Encrypted" wide
-        $str08 = "HOW TO RECOVERY FILES.TXT" wide
-        $str09 = "%d folder(s) searched and %d file(s) found - %.3f second(s)" wide
-        $str10 = "Search cancelled -" wide
-        $str11 = "note.txt" wide
-        $str12 = "Cannot sort the list while a search is in progress." wide
-        $str13 = "Cancelling search, please wait..." wide
-        $str14 = "Error showing process list" wide
-        $str15 = "[System Process]" wide
-        $str16 = "taskkill /f /im" wide
-        $str17 = "kill.bat" wide
-        
-    condition:
-        uint16(0) == 0x5a4d and 15 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_ransomware_win_shrinklocker.yar b/yara_rules/sekoiaio_ransomware_win_shrinklocker.yar
deleted file mode 100644
index 6b634f8..0000000
--- a/yara_rules/sekoiaio_ransomware_win_shrinklocker.yar
+++ /dev/null
@@ -1,26 +0,0 @@
-rule sekoiaio_ransomware_win_shrinklocker {
-    meta:
-        id = "93a6fbdd-ad62-456a-a1a5-b5ae3b242004"
-        version = "1.0"
-        description = "Detects files related to the ShrinkLocker ransomware"
-        author = "Sekoia.io"
-        creation_date = "2024-06-07"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $a = "shrinkdisk" ascii fullword
-        $b = "BitLocker" ascii fullword
-        $c = "diskpart" ascii fullword
-        $d = "disk.vbs" ascii fullword
-        $e = "strDriveLetter" ascii fullword
-        $f = "shrinkcomplate" ascii fullword
-        $g = "ADODB.Stream" ascii fullword
-        $h = "Win32_OperatingSystem" ascii fullword
-        $i = "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server" ascii fullword
-        $j = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" ascii fullword
-        $k = "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE" ascii fullword
-        
-    condition:
-        9 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_ransomware_win_voidcrypt.yar b/yara_rules/sekoiaio_ransomware_win_voidcrypt.yar
deleted file mode 100644
index 30601f7..0000000
--- a/yara_rules/sekoiaio_ransomware_win_voidcrypt.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_ransomware_win_voidcrypt {
-    meta:
-        id = "394033cc-20fe-4ced-8d77-5f1061bb8c96"
-        version = "1.0"
-        description = "Detect the Limbozar / VoidCrypt ransomware"
-        author = "Sekoia.io"
-        creation_date = "2021-10-07"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "C:\\ProgramData\\pkey.txt" ascii
-        $s2 = "C:\\ProgramData\\IDk.txt" ascii
-        $s3 = "fuckyoufuckyoufuckyoufuckyou" ascii
-        
-    condition:
-        uint16(0)==0x5A4D and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_ransomware_win_wing.yar b/yara_rules/sekoiaio_ransomware_win_wing.yar
deleted file mode 100644
index b4f9a84..0000000
--- a/yara_rules/sekoiaio_ransomware_win_wing.yar
+++ /dev/null
@@ -1,53 +0,0 @@
-rule sekoiaio_ransomware_win_wing {
-    meta:
-        id = "c2fe8321-8013-4aa4-91a6-c0face3e6b52"
-        version = "1.0"
-        description = "Finds Wing ransomware samples based on specific strings"
-        author = "Sekoia.io"
-        creation_date = "2024-01-30"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $fun01 = "LockBIT" ascii fullword
-        $fun02 = "BigEncrypt" ascii
-        $fun03 = "RunEncrypt" ascii
-        $fun04 = "AesEncrypt" ascii
-        $fun05 = "KeyGenerator" ascii
-        $fun06 = "GetUniqueKey" ascii
-        $fun07 = "SearchFolder" ascii
-        $fun08 = "ThreadFolders" ascii
-        $fun09 = "ContainsKeyword" ascii
-        $fun10 = "ReadMeMaker" ascii
-        $fun11 = "StopAndConfigureSqlServices" ascii
-        $fun12 = "WipeRecycleBin" ascii
-        $fun13 = "TelSender" ascii
-        
-        $str01 = "AnyDesk" wide
-        $str02 = "firebird" wide
-        $str03 = "Acronis" wide
-        $str04 = "config \"" wide
-        $str05 = " start= demand" wide
-        $str06 = "' stopped and configured to start automatically." wide
-        $str07 = "Error processing service '" wide
-        $str08 = "$RECYCLE.BIN" wide
-        $str09 = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" wide
-        $str10 = "UniqueID:" wide
-        $str11 = "PersonalID:" wide
-        
-        $ran01 = "C:\\Readme.txt" wide
-        $ran02 = "C:\\LockBIT\\systemID" wide
-        $ran03 = "Your system has been encrypted by our team, and your files have been locked using our proprietary algorithm !" wide
-        $ran04 = "* Please read this message carefully and patiently *" wide
-        $ran05 = "* If you use any tools, programs, or methods to recover your files and they get damaged, we will not be responsible for any harm to your files !" wide
-        $ran06 = "* Note that your files have not been harmed in any way they have only been encrypted by our algorithm." wide
-        $ran07 = "Your files and your entire system will return to normal mode through the program we provide to you. No one but us will be able to decrypt your files !" wide
-        $ran08 = "* To gain trust in us, you can send us a maximum of 2 non-important files, and we will decrypt them for you free of charge." wide
-        $ran09 = "Please put your Unique ID as the title of the email or as the starting title of the conversation." wide
-        $ran10 = "* For faster decryption, first message us on Telegram. If there is no response within 24 hours, please email us *" wide
-        
-    condition:
-        uint16(0) == 0x5a4d and
-        ((5 of ($fun*) and 5 of ($str*) and 2 of ($ran*)) or
-        12 of ($fun*) or 10 of ($ran*) or 8 of ($ran*))
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_rat_darkvision_string.yar b/yara_rules/sekoiaio_rat_darkvision_string.yar
deleted file mode 100644
index 3135a04..0000000
--- a/yara_rules/sekoiaio_rat_darkvision_string.yar
+++ /dev/null
@@ -1,29 +0,0 @@
-rule sekoiaio_rat_darkvision_string {
-    meta:
-        id = "ab698a79-42ee-452a-a3ba-1a9872d5e2bc"
-        version = "1.0"
-        description = "DarkVision RAT based on string"
-        author = "Sekoia.io"
-        creation_date = "2024-09-17"
-        classification = "TLP:CLEAR"
-        hash = "8ec5526cecc596e0711c82e39cd4f2ce"
-        hash = "2dd476464e46d91ffe68483cb478d9b4"
-        hash = "20de7547d79d3637430b6a0787e59df5"
-        hash = "60d1e02316e6f22e078f9aa710790912"
-        hash = "e136e51efc22b0e071c11e7d652ea3be"
-        hash = "f466be81310147fcdd9a7886735a3786"
-        hash = "5065134cf4ba765bd97bb2edb61c5869"
-        hash = "6ed21c4f507e8cc830141ff732bd5acc"
-        hash = "40b2641150f291ca07bd08ab629fe1ed"
-        hash = "3f20cd14137e0abfa84b39e29a277350"
-        hash = "7dc8427be8b4d26a49fd380ad40d3b96"
-        
-    strings:
-        $ = "DarkVision Installation" wide
-        $ = "You are about to install DarkVision Remote Access Tool." wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        2 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_rat_lin_gobrat_2023.yar b/yara_rules/sekoiaio_rat_lin_gobrat_2023.yar
deleted file mode 100644
index e50ba15..0000000
--- a/yara_rules/sekoiaio_rat_lin_gobrat_2023.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_rat_lin_gobrat_2023 {
-    meta:
-        id = "ca36a586-f87f-445f-95dc-52d447c1d2a2"
-        version = "1.0"
-        description = "This rule detect samples that are downloaded on the GobRAT C2 URL path /a, /b and /c."
-        author = "Sekoia.io"
-        creation_date = "2023-06-09"
-        classification = "TLP:CLEAR"
-        hash1 = "36cb17d9d118bd9692106c8aafab2462aacf1cdad3a6afb0e4f1de898a7db0e1"
-        hash2 = "28a714f7cec4445dbd507b85016c8e96ed5e378bcabe2e422c499975122b3f03"
-        hash3 = "1e80a084ab89da2375bc3cc2f5a37975edff709ef29a3fa2b4df4ccb6d5afe10"
-        
-    strings:
-        $s1 = "Z:/Go/awesomeProject3/main.go" wide ascii
-        
-    condition:
-        uint32(0)==0x464c457f
-        and filesize < 4000KB
-        and $s1
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_rat_win_arrow_str.yar b/yara_rules/sekoiaio_rat_win_arrow_str.yar
deleted file mode 100644
index 2ece4b8..0000000
--- a/yara_rules/sekoiaio_rat_win_arrow_str.yar
+++ /dev/null
@@ -1,28 +0,0 @@
-rule sekoiaio_rat_win_arrow_str {
-    meta:
-        version = "1.0"
-        description = "Finds Arrow RAT samples based on the specific malware strings"
-        author = "Sekoia.io"
-        creation_date = "2022-08-19"
-        id = "69f6572c-91ed-4fb6-b886-5ad2dabef3d3"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $hvnc01 = "DESKTOP_JOURNALRECORD" ascii
-        $hvnc02 = "DESKTOP_ENUMERATE" ascii
-        $hvnc03 = "DESKTOP_SWITCHDESKTOP" ascii
-        $hvnc04 = "DESKTOP_CREATEWINDOW" ascii
-        $hvnc05 = "StartHVNC" ascii
-        
-        $str01 = "U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cV2lubG9nb25c" wide //Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
-        $str02 = "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -Command Add-MpPreference -ExclusionPath" wide
-        $str03 = "cvtres.exe" wide
-        $str04 = "qbkTHriRRbQjaArtJfF" wide
-        $str05 = "29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cV2lubG9nb24=" wide
-        $str06 = "Stub.exe" ascii wide
-        $str07 = "DePikoloData" ascii
-        
-    condition:
-        uint16be(0) == 0x4d5a and 4 of ($hvnc*) and 5 of ($str*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_rat_win_asbit.yar b/yara_rules/sekoiaio_rat_win_asbit.yar
deleted file mode 100644
index 0cb700d..0000000
--- a/yara_rules/sekoiaio_rat_win_asbit.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_rat_win_asbit {
-    meta:
-        version = "1.0"
-        description = "Finds Asbit samples based on characteristic strings"
-        author = "Sekoia.io"
-        reference = "https://blogs.juniper.net/en-us/threat-research/asbit-an-emerging-remote-desktop-trojan"
-        creation_date = "2022-09-19"
-        id = "b2d60eff-3dc8-4857-a0ea-d4fcd34c40bc"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "/build?project=libexpat&_={0}" wide
-        $str02 = "/resolve?name={0}&short=true&_={1}" wide
-        $str03 = "/c ping 127.0.0.1 & del {0} /q & del /a:H {0} /q" wide
-        
-    condition:
-        uint16(0)==0x5A4D and 1 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_rat_win_asyncrat.yar b/yara_rules/sekoiaio_rat_win_asyncrat.yar
deleted file mode 100644
index 46281bc..0000000
--- a/yara_rules/sekoiaio_rat_win_asyncrat.yar
+++ /dev/null
@@ -1,27 +0,0 @@
-rule sekoiaio_rat_win_asyncrat {
-    meta:
-        id = "d698e4a1-77ff-4cd7-acb3-27fb16168ceb"
-        version = "1.0"
-        description = "Detect AsyncRAT based on specific strings"
-        author = "Sekoia.io"
-        creation_date = "2023-01-25"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "get_ActivatePong" ascii
-        $str02 = "get_SslClient" ascii
-        $str03 = "get_TcpClient" ascii
-        $str04 = "get_SendSync" ascii
-        $str05 = "get_IsConnected" ascii
-        $str06 = "set_UseShellExecute" ascii
-        $str07 = "Pastebin" wide
-        $str08 = "Select * from AntivirusProduct" wide
-        $str09 = "Stub.exe" wide
-        $str10 = "timeout 3 > NUL" wide
-        $str11 = "/c schtasks /create /f /sc onlogon /rl highest /tn " wide
-        $str12 = "\\nuR\\noisreVtnerruC\\swodniW\\tfosorciM\\erawtfoS" wide
-        
-    condition:
-        uint16(0) == 0x5A4D and 9 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_rat_win_atharvan.yar b/yara_rules/sekoiaio_rat_win_atharvan.yar
deleted file mode 100644
index e65f584..0000000
--- a/yara_rules/sekoiaio_rat_win_atharvan.yar
+++ /dev/null
@@ -1,16 +0,0 @@
-rule sekoiaio_rat_win_atharvan {
-    meta:
-        id = "61347490-d281-4892-adba-89cf6187545f"
-        version = "1.0"
-        description = "Detect Atharvan RAT"
-        author = "Sekoia.io"
-        creation_date = "2023-02-23"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = {44 3a 5c 72 61 6e 67 5c 54 4f 4f 4c 5c 33 52 41 54}
-        
-    condition:
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_rat_win_babylon.yar b/yara_rules/sekoiaio_rat_win_babylon.yar
deleted file mode 100644
index 8a54f74..0000000
--- a/yara_rules/sekoiaio_rat_win_babylon.yar
+++ /dev/null
@@ -1,28 +0,0 @@
-rule sekoiaio_rat_win_babylon {
-    meta:
-        id = "ba9ab80a-ad7e-4746-aff2-9328440cbb25"
-        version = "1.0"
-        description = "Finds Babylon RAT samples based on specific strings"
-        author = "Sekoia.io"
-        creation_date = "2023-08-22"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "ParadoxRAT_Client" ascii
-        $str02 = "*** in database %s ***" ascii
-        $str03 = "\\drivers\\etc\\HOSTS" ascii
-        $str04 = "Babylon RAT Client" wide
-        $str05 = "ClipBoard.txt" wide
-        $str06 = "a,ccs=UTF-16LE" wide
-        $str07 = "[%02d/%02d/%d %02d:%02d:%02d] [%s] (%s):" wide
-        $str08 = "Update Failed [OpenProcess]..." wide
-        $str09 = "DoS Already Active..." wide
-        $str10 = "File Download and Execution Failed..." wide
-        $str11 = "LgDError33x98dGetProcAddress" wide
-        $str12 = "FriendlyName" wide
-        $str13 = "@SPYNET" wide
-        
-    condition:
-        uint16(0) == 0x5a4d and 8 of ($str*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_rat_win_borat.yar b/yara_rules/sekoiaio_rat_win_borat.yar
deleted file mode 100644
index 166446a..0000000
--- a/yara_rules/sekoiaio_rat_win_borat.yar
+++ /dev/null
@@ -1,26 +0,0 @@
-rule sekoiaio_rat_win_borat {
-    meta:
-        id = "9f8badb3-ee8b-45d9-8515-c847351bb1f5"
-        version = "1.0"
-        description = "Detect the Borat RAT besed on specific strings"
-        author = "Sekoia.io"
-        creation_date = "2022-04-08"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str0 = "BoratRatMutex_Sa8XOfH1BudX" ascii
-        $str1 = "BoratRat.exe" ascii
-        $str2 = "BoratRat" ascii
-        $str3 = "CN=BoratRat" wide
-        $str4 = "Sending plugun to " wide
-        $str5 = "Save recorded file fail " wide
-        $str6 = "Sa8XOfH1BudX" wide
-        $str7 = "Alert when process activive." wide
-        $str8 = "disableDefedner" wide
-        $str9 = "bin\\Ransomware.dll" wide
-        $str10 = "disableDefedner" wide
-        
-    condition:
-        uint16(0)==0x5A4D and 7 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_rat_win_dcrat_qwqdanchun.yar b/yara_rules/sekoiaio_rat_win_dcrat_qwqdanchun.yar
deleted file mode 100644
index db567a3..0000000
--- a/yara_rules/sekoiaio_rat_win_dcrat_qwqdanchun.yar
+++ /dev/null
@@ -1,29 +0,0 @@
-rule sekoiaio_rat_win_dcrat_qwqdanchun {
-    meta:
-        id = "8206a410-48b3-425f-9dcb-7a528673a37a"
-        version = "1.0"
-        description = "Find DcRAT samples (qwqdanchun) based on specific strings"
-        author = "Sekoia.io"
-        reference = "https://github.com/qwqdanchun/DcRat"
-        creation_date = "2023-01-26"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "DcRatByqwqdanchun" wide
-        $str02 = "U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==" wide
-        $str03 = "Po_ng" wide
-        $str04 = "Pac_ket" wide
-        $str05 = "Perfor_mance" wide
-        $str06 = "Install_ed" wide
-        $str07 = "get_IsConnected" ascii
-        $str08 = "get_ActivatePo_ng" ascii
-        $str09 = "isVM_by_wim_temper" ascii
-        $str10 = "save_Plugin" wide
-        $str11 = "timeout 3 > NUL" wide
-        $str12 = "ProcessHacker.exe" wide
-        $str13 = "Select * from Win32_CacheMemory" wide
-        
-    condition:
-        uint16(0) == 0x5A4D and 8 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_rat_win_hiddenz.yar b/yara_rules/sekoiaio_rat_win_hiddenz.yar
deleted file mode 100644
index a4c3f86..0000000
--- a/yara_rules/sekoiaio_rat_win_hiddenz.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_rat_win_hiddenz {
-    meta:
-        id = "4e582cda-4c50-4554-8e26-9d26206a02ee"
-        version = "1.0"
-        description = "Lazy rule to detect Hiddenz's HVNC sample based on te malware name contained in numerous samples"
-        author = "Sekoia.io"
-        creation_date = "2022-08-24"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $name0 = "Hiddenz's HVNC" wide ascii
-        $name1 = "Hiddenzs_HVNC_DLL" wide ascii
-        $name2 = "HiddenzHVNC" wide ascii
-        
-    condition:
-        uint16(0)==0x5A4D and 1 of ($name*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_rat_win_konni_rat.yar b/yara_rules/sekoiaio_rat_win_konni_rat.yar
deleted file mode 100644
index 2261ceb..0000000
--- a/yara_rules/sekoiaio_rat_win_konni_rat.yar
+++ /dev/null
@@ -1,26 +0,0 @@
-rule sekoiaio_rat_win_konni_rat {
-    meta:
-        id = "032f1c79-6f03-4588-a4af-38b1f3ca1cb8"
-        version = "1.0"
-        description = "Detect the KONNI RAT DLL files (x32 and x64)"
-        author = "Sekoia.io"
-        creation_date = "2023-09-26"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = ".cab" wide
-        $ = ".zip" wide
-        $ = ".rar" wide
-        $ = ".ini" wide
-        $ = ".dat" wide
-        $ = "%s(%d)" wide
-        $ = "%s %s \"%s\"" wide
-        $ = "\\Temp\\" wide
-        
-    condition:
-        uint16(0)==0x5A4D 
-        and all of them 
-        and filesize > 60KB 
-        and filesize < 120KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_rat_win_lilith.yar b/yara_rules/sekoiaio_rat_win_lilith.yar
deleted file mode 100644
index 84f547d..0000000
--- a/yara_rules/sekoiaio_rat_win_lilith.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_rat_win_lilith {
-    meta:
-        id = "944637e6-c4e4-423f-9f4c-a26b4fce3729"
-        version = "1.0"
-        description = "Detect the Lilith malware"
-        author = "Sekoia.io"
-        creation_date = "2023-02-23"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        // UmVnUXVlcnlWYWx1ZUV4QQ==
-        $ = {55 6d 56 6e 55 58 56 6c 63 6e 6c 57 59 57 78 31 5a 55 56 34 51 51 3d 3d}
-        // getaddrinfo: %s
-        $ = {67 65 74 61 64 64 72 69 6e 66 6f 3a 20 25 73}
-        
-    condition:
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_rat_win_millenium.yar b/yara_rules/sekoiaio_rat_win_millenium.yar
deleted file mode 100644
index 7d74568..0000000
--- a/yara_rules/sekoiaio_rat_win_millenium.yar
+++ /dev/null
@@ -1,31 +0,0 @@
-rule sekoiaio_rat_win_millenium {
-    meta:
-        version = "1.0"
-        description = "Finds MilleniumRAT samples based on the specific strings"
-        author = "Sekoia.io"
-        creation_date = "2023-11-16"
-        id = "91320924-5c74-457a-8601-29c4e4034761"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "Millenium RAT, version:" wide
-        $str02 = "Coded by @shinyenigma" wide
-        $str03 = "*gift*<NEW TOKEN>*<NEW CHAT ID>*<message> - gift this bot to another user, his telegram bot has to be started" wide
-        $str04 = "*historyForce - grab more browser history by killing browser processes, use carefully" wide
-        $str05 = "*download - victim`s PC downloads a file attached to this message, if it is a picture it should also be attached as a file" wide
-        $str06 = "No keylogs recorded!" wide
-        $str07 = "Successfully added RAT to startup" wide
-        $str08 = "You`ve gifted gifted a bot:" wide
-        $str09 = "Incorrect agrument, please enter 0/90/180/270" wide
-        $str10 = "SELECT action_url, username_value, password_value FROM logins" wide
-        $str11 = "Yandex\\YandexBrowser\\User Data\\Default" wide
-        
-        $str12 = "Millenium-rat-CSharp (main project)" ascii
-        $str13 = "get_BatteryLifePercent" ascii
-        $str14 = "get_ExpirationMonth" ascii
-        $str15 = "sqlite3_extension_init " ascii
-        
-    condition:
-        uint16(0)==0x5A4D and 10 of ($str*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_rat_win_nighthawk.yar b/yara_rules/sekoiaio_rat_win_nighthawk.yar
deleted file mode 100644
index 285c818..0000000
--- a/yara_rules/sekoiaio_rat_win_nighthawk.yar
+++ /dev/null
@@ -1,26 +0,0 @@
-import "pe"
-        
-rule sekoiaio_rat_win_nighthawk {
-    meta:
-        version = "1.0"
-        description = "Detects Nighthawk RAT"
-        hash1 = "0551ca07f05c2a8278229c1dc651a2b1273a39914857231b075733753cb2b988"
-        hash2 = "9a57919cc5c194e28acd62719487c563a8f0ef1205b65adbe535386e34e418b8"
-        hash3 = "38881b87826f184cc91559555a3456ecf00128e01986a9df36a72d60fb179ccf"
-        hash4 = "f3bba2bfd4ed48b5426e36eba3b7613973226983a784d24d7a20fcf9df0de74e"
-        hash5 = "b775a8f7629966592cc7727e2081924a7d7cf83edd7447aa60627a2b67d87c94"
-        author = "Sekoia.io"
-        creation_date = "2022-11-23"
-        id = "91bc3c5b-83fd-47f8-9652-df0f6a70b693"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $pattern1 = { 48 8d 0d ?? ?? ?? ?? 51 5a 48 81 c1 ?? ?? ?? ?? 48 81 c2 ?? ?? ?? ?? ff e2 }
-        $pattern2 = { 66 03 D2 66 33 D1 66 C1 E2 02 66 33 D1 66 23 D0 0F B7 C1 }
-        
-    condition:
-        uint16(0) == 0x5A4D and filesize < 2MB and
-        ((1 of them) or
-        (pe.section_index(".profile") and pe.section_index(".detourc")))
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_rat_win_ninerat.yar b/yara_rules/sekoiaio_rat_win_ninerat.yar
deleted file mode 100644
index 13d8b12..0000000
--- a/yara_rules/sekoiaio_rat_win_ninerat.yar
+++ /dev/null
@@ -1,32 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_rat_win_ninerat {
-    meta:
-        id = "a9f4f78b-5b86-4ac1-9b9b-ba2672b938bf"
-        version = "1.0"
-        description = "Detect the NineRAT payload"
-        author = "Sekoia.io"
-        creation_date = "2023-12-12"
-        classification = "TLP:CLEAR"
-        hash1 = "47e017b40d418374c0889e4d22aa48633b1d41b16b61b1f2897a39112a435d30"
-        hash2 = "82d4a0fef550af4f01a07041c16d851f262d859a3352475c62630e2c16a21def"
-        
-    strings:
-        $ = "https://api.telegram.org/bot"
-        $ = "/getMe"
-        $ = "/upgrade"
-        $ = "/getFile"
-        $ = "/sendMessage"
-        $ = ">> Request send time:"
-        
-    condition:
-        // Strings
-        all of them
-        
-        // Sections
-        or for any i in (0..pe.number_of_sections-1) : (
-            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "3ce78c89e2c0e795ad3382aa12e99683"
-        )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_rat_win_ratel_strings.yar b/yara_rules/sekoiaio_rat_win_ratel_strings.yar
deleted file mode 100644
index 89ff5de..0000000
--- a/yara_rules/sekoiaio_rat_win_ratel_strings.yar
+++ /dev/null
@@ -1,29 +0,0 @@
-rule sekoiaio_rat_win_ratel_strings {
-    meta:
-        id = "d0c8b89b-c811-47aa-9e03-717998c40d91"
-        version = "1.0"
-        description = "Detect RATel based on characteristic strings"
-        author = "Sekoia.io"
-        creation_date = "2023-04-24"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "[-] Error when changing folder." ascii
-        $s2 = "cmd.exe" wide
-        $s3 = "back slash find: " ascii
-        $s4 = "MOD_ALL:" wide
-        $s5 = "MOD_PERSISTENCE" wide
-        $s6 = "MOD_DESTRUCTION:" wide
-        $s7 = "MOD_RECONNECT" wide
-        $s8 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" wide
-        $s9 = "powershell.exe -command \"([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator')\"" wide
-        $s10 = "The command was executed successfully but no data was returned."
-        $s11 = "[-] TIMEOUT IN CREATEPROCESS, but all the processes in the name of: " ascii
-        $s12 = "we were well and truly killed." ascii
-        
-    condition:
-        (uint16be(0) == 0x4d5a) and
-        filesize > 500KB and filesize < 3MB and
-        8 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_rat_win_remcos.yar b/yara_rules/sekoiaio_rat_win_remcos.yar
deleted file mode 100644
index d2fa65a..0000000
--- a/yara_rules/sekoiaio_rat_win_remcos.yar
+++ /dev/null
@@ -1,26 +0,0 @@
-rule sekoiaio_rat_win_remcos {
-    meta:
-        id = "011132f5-c5d9-4e97-bfed-0b94c9a30481"
-        version = "1.0"
-        description = "DEPRECATED : Find Remcos RAT samples based on specific strings"
-        author = "Sekoia.io"
-        creation_date = "2023-01-29"
-        modification_date = "2024-01-08"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "/k %windir%\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f" ascii
-        $str02 = "Disconnection occurred, retrying to connect..." ascii
-        $str03 = "[Following text has been pasted from clipboard:]" ascii
-        $str04 = "[Following text has been copied to clipboard:]" ascii
-        $str05 = "[Chrome StoredLogins found, cleared!]" ascii
-        $str06 = "PING 127.0.0.1 -n 2" ascii
-        $str07 = "Remcos_Mutex_Inj" ascii
-        $str08 = " * REMCOS v" ascii
-        $str09 = "Connected to C&C!" ascii
-        $str10 = "[Cleared all cookies & stored logins!]" ascii
-        
-    condition:
-        uint16(0) == 0x5A4D and 3 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_rat_win_reverserat.yar b/yara_rules/sekoiaio_rat_win_reverserat.yar
deleted file mode 100644
index 02d213e..0000000
--- a/yara_rules/sekoiaio_rat_win_reverserat.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_rat_win_reverserat {
-    meta:
-        id = "8fbd395f-f44e-46d5-a942-7c7e88f37127"
-        version = "1.0"
-        description = "Detect SideCopy's ReverseRAT v3 observed in January 2023"
-        author = "Sekoia.io"
-        creation_date = "2023-02-22"
-        classification = "TLP:CLEAR"
-        hash = "b277a824b2671f40298ce03586a2ccc0fca2a081a66230c57a3060c2028f13ee"
-        hash = "8b87459483248d7b95424cd52b7d4f3031e89c6644adc2e167556e071d9ec3aa"
-        
-    strings:
-        $ = "SELECT maxclockspeed,  datawidth, name, manufacturer FROM Win32_Processor" wide
-        $ = "select * from Win32_PhysicalMemory" wide
-        $ = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall" wide
-        
-    condition:
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_rat_win_romcom_payload.yar b/yara_rules/sekoiaio_rat_win_romcom_payload.yar
deleted file mode 100644
index d453a91..0000000
--- a/yara_rules/sekoiaio_rat_win_romcom_payload.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_rat_win_romcom_payload {
-    meta:
-        id = "c391f84c-f0cb-42d8-a8d8-d59725bf74c2"
-        version = "1.0"
-        description = "Detect the RomCom malware"
-        author = "Sekoia.io"
-        creation_date = "2022-11-04"
-        classification = "TLP:CLEAR"
-        
-    condition:
-        for any i in (0..pe.number_of_resources-1) : (
-            hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "160ed1cdf6e9321cef19cfed6a63b4b5557dd35e174b821bf8a81c4146fa6536"
-        )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_rat_win_tutclient.yar b/yara_rules/sekoiaio_rat_win_tutclient.yar
deleted file mode 100644
index 032ce51..0000000
--- a/yara_rules/sekoiaio_rat_win_tutclient.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_rat_win_tutclient {
-    meta:
-        id = "2bd2d61f-3654-4acd-9773-8d3617c67ee0"
-        version = "1.0"
-        description = "Detect the open-source RAT TutClient"
-        author = "Sekoia.io"
-        creation_date = "2024-02-09"
-        classification = "TLP:CLEAR"
-        reference = "https://github.com/AdvancedHacker101/C-Sharp-R.A.T-Client"
-        
-    strings:
-        $ = "Clipboard Data Not Retrived!" wide
-        $ = "Remote Cmd stream reading failed!" wide
-        $ = "PasswordFox" wide
-        $ = "[Right Click, Position: x = <rtd.xpos>; y = <rtd.ypos>]" wide
-        $ = "SendCommand"
-        $ = "HandleCommand"
-        
-    condition:
-        uint16be(0) == 0x4d5a and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_rat_win_xeno_rat.yar b/yara_rules/sekoiaio_rat_win_xeno_rat.yar
deleted file mode 100644
index 4b2a379..0000000
--- a/yara_rules/sekoiaio_rat_win_xeno_rat.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_rat_win_xeno_rat {
-    meta:
-        id = "4be1ff07-8180-42a8-9f51-b5e17bf23442"
-        version = "1.0"
-        description = "Xeno RAT is an open-source RAT, used by Kimsuky in January 2024"
-        author = "Sekoia.io"
-        creation_date = "2024-02-09"
-        classification = "TLP:CLEAR"
-        reference = "https://github.com/moom825/xeno-rat/tree/main/xeno%20rat%20client"
-        
-    strings:
-        $ = "Xeno-manager" wide
-        $ = "moom825"
-        
-    condition:
-        uint16(0)==0x5A4D and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_rat_win_xworm_v2.yar b/yara_rules/sekoiaio_rat_win_xworm_v2.yar
deleted file mode 100644
index e678a39..0000000
--- a/yara_rules/sekoiaio_rat_win_xworm_v2.yar
+++ /dev/null
@@ -1,39 +0,0 @@
-rule sekoiaio_rat_win_xworm_v2 {
-    meta:
-        version = "1.0"
-        description = "Finds XWorm v2 samples based on characteristic strings"
-        author = "Sekoia.io"
-        reference = "https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/"
-        creation_date = "2022-11-07"
-        id = "6cf06f52-0337-415d-8f29-f63d67e228f8"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "XWorm.exe" wide ascii
-        $str02 = "ngrok" wide ascii
-        $str03 = "Mutexx" ascii
-        $str04 = "FileManagerSplitFileManagerSplit" wide
-        $str05 = "InstallngC" wide
-        $str06 = "downloadedfile" wide
-        $str07 = "creatfile" wide
-        $str08 = "creatnewfolder" wide
-        $str09 = "showfolderfile" wide
-        $str10 = "hidefolderfile" wide
-        $str11 = "txtttt" wide
-        $str12 = "\\root\\SecurityCenter2" wide
-        $str13 = "[USB]" wide
-        $str14 = "[Drive]" wide
-        $str15 = "[Folder]" wide
-        $str16 = "HVNC" wide
-        $str17 = "http://exmple.com/Uploader.php" wide
-        $str18 = "XKlog.txt" wide
-        $str19 = "Select * from AntivirusProduct" wide
-        $str20 = "runnnnnn" wide
-        $str21 = "RunBotKiller" wide
-        $str22 = "bypss" wide
-        $str23 = "<Xwormmm>" wide
-        
-    condition:
-        uint16(0)==0x5A4D and 12 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_rat_win_xworm_v3.yar b/yara_rules/sekoiaio_rat_win_xworm_v3.yar
deleted file mode 100644
index 3d9fa43..0000000
--- a/yara_rules/sekoiaio_rat_win_xworm_v3.yar
+++ /dev/null
@@ -1,31 +0,0 @@
-rule sekoiaio_rat_win_xworm_v3 {
-    meta:
-        version = "1.0"
-        description = "Finds XWorm (version XClient, v3) samples based on characteristic strings"
-        author = "Sekoia.io"
-        creation_date = "2023-03-03"
-        id = "5fb1cbd3-1e37-43b9-9606-86d896f2150b"
-        classification = "TLP:CLEAR"
-        hash = "0016647c3c7031e744c0af6f9eadb73ab5cab1ca4f8ce7633f4aa069b62755cd"
-        hash = "07e747a9313732d2dcf7609b6a09ac58d38f5643299440b827ec55f260e33c12"
-        hash = "de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147"
-        
-    strings:
-        $str01 = "$VB$Local_Port" ascii
-        $str02 = "$VB$Local_Host" ascii
-        $str03 = "get_Jpeg" ascii
-        $str04 = "get_ServicePack" ascii
-        $str05 = "Select * from AntivirusProduct" wide
-        $str06 = "PCRestart" wide
-        $str07 = "shutdown.exe /f /r /t 0" wide
-        $str08 = "StopReport" wide
-        $str09 = "StopDDos" wide
-        $str10 = "sendPlugin" wide
-        $str11 = "OfflineKeylogger Not Enabled" wide
-        $str12 = "-ExecutionPolicy Bypass -File \"" wide
-        $str13 = "Content-length: 5235" wide
-        
-    condition:
-        uint16(0)==0x5A4D and 8 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_recotool_adfind_strings.yar b/yara_rules/sekoiaio_recotool_adfind_strings.yar
deleted file mode 100644
index 27a19f3..0000000
--- a/yara_rules/sekoiaio_recotool_adfind_strings.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_recotool_adfind_strings {
-    meta:
-        id = "afca88ef-756a-4b2b-91d7-d18d730e7074"
-        version = "1.0"
-        description = "Detects Adfind utility based on strings"
-        author = "Sekoia.io"
-        creation_date = "2022-02-08"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "Find all person objects on cn=ab container of local ADAM instance"
-        $ = "IPv6 IP address w/ port is specified [address]:port"
-        $ = "Search Global Catalog (port 3268)."
-        $ = "~~~ADCSV~~~"
-        $ = "adfind -b dc="
-        
-    condition:
-        uint16be(0) == 0x4d5a and filesize < 5MB and
-        4 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_reverseshell_win_1st_troy.yar b/yara_rules/sekoiaio_reverseshell_win_1st_troy.yar
deleted file mode 100644
index 17d79a7..0000000
--- a/yara_rules/sekoiaio_reverseshell_win_1st_troy.yar
+++ /dev/null
@@ -1,33 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_reverseshell_win_1st_troy {
-    meta:
-        id = "b40b742d-8b1e-4d99-8df5-6cb8c9a7d8bd"
-        version = "1.0"
-        description = "Detect the 1st Troy Reverse Shell agent used by Andariel"
-        author = "Sekoia.io"
-        creation_date = "2023-09-04"
-        classification = "TLP:CLEAR"
-        hash1 = "186a6663eb91999b3e2637898ab40034f5fcd451150c9199d9b49328e64f90b5"
-        hash2 = "5b015e69629de37507e96ce258c27479d157714121d7c622698c6d1d6b547425"
-        
-    strings:
-        $s1 = "1th Troy/02___Go/Reverse_Base64_Pipe"
-        
-    condition:
-        uint16be(0) == 0x4d5a and all of them 
-        
-        or for any i in (0..pe.number_of_sections-1) : (
-            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "657d7495796c36297ec1c13aaedf1dd3"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "debd992f27402355766cf3b5b47abe94"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "687d2535086bd055af5716760a2d87ce"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "78389349844e8d2d719603fc389779bf"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "44563b597e806af8a9ebe026c9ea6a53"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "5db8685a067d106fe66292b828a2161c"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "1268012f292e60785825726967a4e63e"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "c7b760c8b603f39a5ff9867accbad427"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "d28526f9543ecf429de4a863b8901575"
-        )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_rootkit_diamorphine_strings.yar b/yara_rules/sekoiaio_rootkit_diamorphine_strings.yar
deleted file mode 100644
index a28a5b7..0000000
--- a/yara_rules/sekoiaio_rootkit_diamorphine_strings.yar
+++ /dev/null
@@ -1,32 +0,0 @@
-rule sekoiaio_rootkit_diamorphine_strings {
-    meta:
-        id = "5a28be5c-9a57-4204-a7cc-42dfcaa2c2da"
-        version = "1.0"
-        description = "Detects Diamorphine linux rootkit based on strings"
-        author = "Sekoia.io"
-        creation_date = "2024-10-21"
-        classification = "TLP:CLEAR"
-        hash = "622675e83bab630adc0f1c6c46c4d6d1"
-        hash = "013b23213975d2646e2435f058afcacf"
-        hash = "f068e83721f10ad74bb6f386a4375a91"
-        hash = "ba9d6a6bbde602fd414cea09fcbd1aa0"
-        hash = "fdd86788e295010c4e61bf6b589f340e"
-        hash = "0d396c1763503b35a7f601831bd684de"
-        hash = "66b8955188a3bda7ecdcd51cfd360313"
-        hash = "1e4fd8c6bf0e381ac395d9bff1f98a31"
-        hash = "ce08ce2b8bc1718052f5d0316e3e71b7"
-        hash = "94982037875d4fdb17681866afc12ade"
-        hash = "4fa2fe9ccde3e6bd4956e2b93ca5fcb6"
-        hash = "644c4ce0bbe4f1f1e3aae537a111d5b8"
-        hash = "fb7d594621fbb4f9bdb0eb74f6090ecd"
-        hash = "9faf1493164e734f533f0ecfb1737a98"
-        hash = "33d48b6c66715ab67a059ab940d759ff"
-        
-    strings:
-        $ = "LKM rootkit" ascii fullword
-        $ = "m0nad"
-        
-    condition:
-        uint32be(0) == 0x7f454c46 and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_rootkit_lin_winnti.yar b/yara_rules/sekoiaio_rootkit_lin_winnti.yar
deleted file mode 100644
index 01b6d60..0000000
--- a/yara_rules/sekoiaio_rootkit_lin_winnti.yar
+++ /dev/null
@@ -1,36 +0,0 @@
-import "elf"
-import "hash"
-        
-rule sekoiaio_rootkit_lin_winnti {
-    meta:
-        id = "c800038e-7f8a-4f24-bf0b-06aba6a828cb"
-        version = "1.0"
-        description = "Rootkit used by Winnti"
-        author = "Sekoia.io"
-        creation_date = "2024-05-22"
-        classification = "TLP:CLEAR"
-        reference = "https://x.com/naumovax/status/1792902386295394629"
-        hash1 = "161344ae61278e09eacb1c76508cda45555eee109e6d6a031716a096ab5c84f3"
-        hash2 = "bb56e088739b281c9f56b4fa3fa4d285e45b32c4f9f06b647d7e8cb916054e1a"
-        hash3 = "777c1fda4008f122ff3aef9e80b5b5720c9f2dbc3d7e708277e2ccad1afd8cc5"
-        hash4 = "9c770b12a2da76c41f921f49a22d7bc6b5a1166875b9dc732bc7c05b6ae39241"
-        
-    strings:
-        $ = "[CDATA[%s]]></name><type>%o</type><perm>%o</perm><user>%s:%s</user><size>%llu</size><time>%s</time></LIST>"
-        $ = "HideFile"
-        $ = "DownThread"
-        $ = "PortforwardThread"
-        $ = "HidePidPort"
-        $ = "DownFile"
-        $ = "ReadReConnConf"
-        $ = "DecRemotePort"
-        $ = "DecRemoteIP"
-        
-    condition:
-        uint32(0)==0x464c457f 
-        and 6 of them
-        and for any i in (0..elf.number_of_sections-1) : (
-            hash.md5(elf.sections[i].offset, elf.sections[i].size) == "7dea362b3fac8e00956a4952a3d4f474"
-        )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_rootkit_win_purplefox_360_tct.yar b/yara_rules/sekoiaio_rootkit_win_purplefox_360_tct.yar
deleted file mode 100644
index 801d5e1..0000000
--- a/yara_rules/sekoiaio_rootkit_win_purplefox_360_tct.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_rootkit_win_purplefox_360_tct {
-    meta:
-        id = "e992d574-6a44-4bea-97e2-6d5579ce8d01"
-        version = "1.0"
-        description = "Detects Purple Fox payloads used during end-2021 and 2022 campaigns based on characteristics shared by TrendMicro details."
-        author = "Sekoia.io"
-        reference = "https://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html"
-        creation_date = "2022-03-28"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $rar = "Rar!"
-        $str0 = "svchost.txt"
-        $str1 = "rundll3222.exe"
-        $str2 = "ojbkcg.exe"
-        
-    condition:
-        $rar at 0 and
-        all of ($str*) and
-        filesize > 800KB and filesize < 2800KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_rootkit_win_purplefox_kernel_driver.yar b/yara_rules/sekoiaio_rootkit_win_purplefox_kernel_driver.yar
deleted file mode 100644
index d735c7d..0000000
--- a/yara_rules/sekoiaio_rootkit_win_purplefox_kernel_driver.yar
+++ /dev/null
@@ -1,36 +0,0 @@
-import "pe"
-        
-rule sekoiaio_rootkit_win_purplefox_kernel_driver {
-    meta:
-        id = "798dc20b-76cd-4e31-b9ee-f363fb39cd58"
-        version = "1.0"
-        description = "Detect the Purple Fox trojan"
-        author = "Sekoia.io"
-        creation_date = "2022-03-28"
-        classification = "TLP:CLEAR"
-        reference = "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal/IOCs-Purple-Fox.txt"
-        
-    strings:
-        $ = "\\DosDevices\\Global\\MyDriver" wide
-        $ = "IOCTL_IO_KILL_PROCESS" ascii
-        $ = "IOCTL_IO_DELET_FILE" ascii
-        $ = "IOCTL_IO_COPY_FILE" ascii
-        $ = "IOCTL_IO_KILL_MINIFITER" ascii
-        
-    condition:
-        //Native
-        uint16(0)==0x5A4D and all of them
-        
-        // Console
-        or (
-            pe.rich_signature.toolid(171, 30319)
-            and pe.rich_signature.toolid(158, 30319)
-            and pe.rich_signature.toolid(170, 30319)
-            and pe.rich_signature.toolid(147, 30729)
-            and pe.rich_signature.toolid(1, 0)
-        )
-        and for any i in (0..pe.number_of_signatures-1) : (
-            pe.signatures[i].thumbprint == "c7939f8303ca22effb28246e970b13bee6cb8043"
-        )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_rootkit_win_purplefox_svchost_txt.yar b/yara_rules/sekoiaio_rootkit_win_purplefox_svchost_txt.yar
deleted file mode 100644
index 66e8d53..0000000
--- a/yara_rules/sekoiaio_rootkit_win_purplefox_svchost_txt.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-rule sekoiaio_rootkit_win_purplefox_svchost_txt {
-    meta:
-        id = "e992d574-6a44-4bea-97e2-6d5579ce8d02"
-        version = "1.0"
-        description = "Detects Purple Fox payloads used during end-2021 and 2022 campaigns based on characteristics shared by TrendMicro details."
-        author = "Sekoia.io"
-        reference = "https://www.trendmicro.com/en_us/research/22/c/purple-fox-uses-new-arrival-vector-and-improves-malware-arsenal.html"
-        creation_date = "2022-03-28"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str0 = "C:\\ProgramData\\dll.dll,luohua" wide
-        $str1 = "C:\\ProgramData\\7z.exe" wide
-        $str2 = "F:\\hidden-master\\x64\\Debug\\QAssist.pdb" ascii
-        $str3 = "F:\\Root\\sources\\MedaiUpdateV8\\Release\\MedaiUpdateV8.pdb" ascii
-        $str4 = "cmd.exe /c RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 255" ascii
-        $str5 = "del /s /f %appdata%\\Mozilla\\Firefox\\Profiles\\*.db" ascii
-        
-    condition:
-        4 of ($str*) and
-        filesize > 7000KB and filesize <9500KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_rule_lazarus_generic_downloader_7c3f94702fa7.yar b/yara_rules/sekoiaio_rule_lazarus_generic_downloader_7c3f94702fa7.yar
deleted file mode 100644
index 4fd36cb..0000000
--- a/yara_rules/sekoiaio_rule_lazarus_generic_downloader_7c3f94702fa7.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_rule_lazarus_generic_downloader_7c3f94702fa7 {
-    meta:
-        id = "eb0f0a91-5e72-4358-91a3-7c3f94702fa7"
-        version = "1.0"
-        description = "Detects a Generic Downloader used by Lazarus"
-        author = "Sekoia.io"
-        creation_date = "2022-08-08"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "%s%s%s%s = %s%s%s%s"
-        $ = "sec-ch-ua-mobile: ?0"
-        $ = "%s>%s"
-        $ = "d$f92&^$#FESAfaSDage#FDa"
-        $ = "Sec-Fetch-User: ?1"
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 200KB and
-        3 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_shell_win_danfuan.yar b/yara_rules/sekoiaio_shell_win_danfuan.yar
deleted file mode 100644
index adeb085..0000000
--- a/yara_rules/sekoiaio_shell_win_danfuan.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_shell_win_danfuan {
-    meta:
-        id = "d1cf9988-270b-4a22-bdd5-f40b625715a8"
-        version = "1.0"
-        description = "Detect the Danfuan malware"
-        author = "Sekoia.io"
-        creation_date = "2022-11-04"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "<%@ WebHandler Language=\"C#\" class=\"DynamicCodeCompiler\"%>"
-        $ = "CompilerResults compilerResults = compiler.CompileAssemblyFromSource(comPara, SourceText(txt))"
-        $ = "MethodInfo objMifo = objInstance.GetType().GetMethod("
-        
-    condition:
-        filesize < 15KB
-        and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_spyware_and_bahamut.yar b/yara_rules/sekoiaio_spyware_and_bahamut.yar
deleted file mode 100644
index 380a6bc..0000000
--- a/yara_rules/sekoiaio_spyware_and_bahamut.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_spyware_and_bahamut {
-    meta:
-        id = "d416997e-baf1-412c-bf39-905a6e19b65e"
-        version = "1.0"
-        description = "Detect Bahamut's spyware based on common information gathering function names"
-        author = "Sekoia.io"
-        creation_date = "2022-11-23"
-        classification = "TLP:CLEAR"
-        reference = "https://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/"
-        hash1 = "c51dc2132c830c560aaeae4bf48e5f0d28c84b36d27840b5c2ba170d87f4afa5"
-        hash2 = "d7e2cf642b236dba9ba0cbe5a9dc28baf22477973d5ce163e21ec40f5f26e078"
-        
-    strings:
-        $ = "FbDao"
-        $ = "SignalDao"
-        $ = "conionDao"
-        
-    condition:
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_spyware_and_fastfire.yar b/yara_rules/sekoiaio_spyware_and_fastfire.yar
deleted file mode 100644
index 85a385c..0000000
--- a/yara_rules/sekoiaio_spyware_and_fastfire.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule sekoiaio_spyware_and_fastfire {
-    meta:
-        id = "93c0ffd5-faa5-4ead-8848-1c44b459dc29"
-        version = "1.0"
-        description = "Detect the FastFire malware"
-        author = "Sekoia.io"
-        creation_date = "2022-11-03"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $funct1 = {22 00 87 18 70 20 f3 ae 40 00 6e 10 f4 ae 00 00 0c 04 1f 04 16 19 13 00 28 23 6e 20 e3 ae 04 00 12 10 6e 20 e5 ae 04 00 1a 00 25 19 6e 20 ea ae 04 00 28 05 0d 00 6e 10 ef ae 00 00 6e 10 da ae 04 00 6e 10 e1 ae 04 00 0a 00 13 01 c8 00 32 10 20 00 1c 00 ea 17 6e 10 73 ad 00 00 0c 00 22 01 60 18 70 10 5d ae 01 00 1a 02 ff 50 6e 20 69 ae 21 00 6e 10 e1 ae 04 00 0a 04 6e 20 64 ae 41 00 6e 10 72 ae 01 00 0c 04 71 20 1d 09 40 00}
-        $funct2 = {22 00 77 00 1a 01 88 56 70 20 f1 02 10 00 15 01 00 10 6e 20 f4 02 10 00 1a 01 80 8d 6e 20 32 ae 13 00 0a 01 38 01 0b 00 1a 01 25 76 71 10 b3 06 01 00 0c 01 6e 20 22 03 10 00 1a 01 56 61 6e 20 32 ae 13 00 0a 01 38 01 0b 00 1a 01 23 76 71 10 b3 06 01 00 0c 01 6e 20 22 03 10 00 1a 01 55 66 6e 20 32 ae 13 00 0a 03 38 03 0b 00 1a 03 24 76 71 10 b3 06 03 00 0c 03 6e 20 22 03 30 00 13 03 64 00 15 01 00 08 71 40 07 02 32 10 0c 03 11 03}
-        $s0 = "TokenResult{token="
-        $s1 = "[-] Send Resp Code ="
-        $s2 = "/report_token/report_token.php?token="
-        $s3 = "naver"
-        $s4 = "daum"
-        $s5 = "facebook"
-        
-    condition:
-        uint32be(0)==0x6465780A
-        and (1 of ($funct*) or all of ($s*))
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_spyware_and_strongpity_mobile_backdoor.yar b/yara_rules/sekoiaio_spyware_and_strongpity_mobile_backdoor.yar
deleted file mode 100644
index 772ac8b..0000000
--- a/yara_rules/sekoiaio_spyware_and_strongpity_mobile_backdoor.yar
+++ /dev/null
@@ -1,16 +0,0 @@
-rule sekoiaio_spyware_and_strongpity_mobile_backdoor {
-    meta:
-        id = "58ceb85b-d94f-47b2-86e4-59bd41f4fea8"
-        version = "1.0"
-        description = "Detect the mobile backdoor using the name used in the certificate"
-        author = "Sekoia.io"
-        creation_date = "2023-01-16"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "Elizabeth Mckinsen0"
-        
-    condition:
-        all of them and filesize > 2MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_stealer_win_demotryspy.yar b/yara_rules/sekoiaio_stealer_win_demotryspy.yar
deleted file mode 100644
index c313e8f..0000000
--- a/yara_rules/sekoiaio_stealer_win_demotryspy.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-rule sekoiaio_stealer_win_demotryspy {
-    meta:
-        id = "70af0e40-b177-49a3-bff4-723f3f4aa375"
-        version = "1.0"
-        author = "Sekoia.io"
-        creation_date = "2024-02-09"
-        classification = "TLP:CLEAR"
-        reference = "https://paper.seebug.org/3115/"
-        
-    strings:
-        $demotry1 = "DemoTry.exe"
-        $demotry2 = "DemoTry\\Release\\DemoTry.pdb"
-        
-        $wide1 = "\\loc.tmp" wide
-        $wide2 = "\\log.tmp" wide
-        $wide3 = "\\Google\\Chrome\\User Data" wide
-        $wide4 = "\\Default\\Login data" wide
-        $wide5 = "\\Local State" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and (1 of ($demotry*) or all of ($wide*))
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_stealer_win_luca.yar b/yara_rules/sekoiaio_stealer_win_luca.yar
deleted file mode 100644
index 7fb4689..0000000
--- a/yara_rules/sekoiaio_stealer_win_luca.yar
+++ /dev/null
@@ -1,50 +0,0 @@
-import "pe"
-        
-rule sekoiaio_stealer_win_luca {
-    meta:
-        id = "d2cc1442-0ba5-4e81-9fea-e9e078903eed"
-        version = "1.0"
-        description = "Detect Luca stealer. Open source Rust stealer."
-        author = "Sekoia.io"
-        creation_date = "2022-07-26"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "cookies"
-        $ = "creditcards"
-        $ = "/Default/Network/CookiesUser Data/Default/Network/Cookies_cookies"
-        $ = "/Default/Web DataUser Data/Default/Web Data_webdata"
-        $ = "SELECT action_url, username_value, password_value FROM loginsSELECT card_number_encrypted, name_on_card, expiration_month, expiration_year FROM credit_cardsSELECT host_key, name, encrypted_value, path, expires_utc, is_secure FROM cookiesLOCALAPPDATA"
-        $ = "\\logsxc\\passwords_.txt"
-        $ = " Name:"
-        $ = "User: "
-        $ = "Installed Languages:  "
-        $ = "Operating System: "
-        $ = "Used/Installed RAM:  GB "
-        $ = "Cores available: "
-        $ = "\\screen-.png"
-        $ = "Username: "
-        $ = "Computer name: "
-        $ = "OS: "
-        $ = "Language: "
-        $ = "Hostname: "
-        $ = "=> networks: B"
-        $ = "=> system:total memory:  KB"
-        $ = "used memory : "
-        $ = "total swap  : "
-        $ = "used swap   : "
-        $ = "NB CPUs: "
-        $ = "Passwords: "
-        $ = "Wallets: "
-        $ = "Files: "
-        $ = "Credit Cards: "
-        $ = "sensfiles.zip"
-        
-    condition:
-        uint16(0)==0x5A4D
-        and filesize > 4000KB
-        and pe.rich_signature.toolid(0, 0)
-        and pe.number_of_resources == 0
-        and 15 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_stealer_win_mgbot_credential_stealer.yar b/yara_rules/sekoiaio_stealer_win_mgbot_credential_stealer.yar
deleted file mode 100644
index 76dd954..0000000
--- a/yara_rules/sekoiaio_stealer_win_mgbot_credential_stealer.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_stealer_win_mgbot_credential_stealer {
-    meta:
-        id = "e06501c1-c842-43f7-a429-9026bc0a4fd4"
-        version = "1.0"
-        description = "Detect MgBot credential stealer plugin"
-        author = "Sekoia.io"
-        creation_date = "2024-03-20"
-        classification = "TLP:CLEAR"
-        hash1 = "174a62201c7e2af67b7ad37bf7935f064a379f169cf257ca16e912a46ecc9841"
-        hash2 = "cb7d9feda7d8ebfba93ec428d5a8a4382bf58e5a70e4b51eb1938d2691d5d4a5"
-        reference = "https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-malware-updates-popular-chinese-software/"
-        
-    strings:
-        $ = "Software\\Aerofox\\Foxmail\\Indenties" wide
-        $ = "Software\\Aerofox\\FoxmailPreview" wide
-        $ = "IMAP Password" wide
-        $ = "POP3 Password" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_stealer_win_strela.yar b/yara_rules/sekoiaio_stealer_win_strela.yar
deleted file mode 100644
index 2545d62..0000000
--- a/yara_rules/sekoiaio_stealer_win_strela.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_stealer_win_strela {
-    meta:
-        id = "2c98f84a-4329-476b-98b8-d8e2387b1b69"
-        version = "1.0"
-        description = "Detects IOCs related to the Strela stealer"
-        author = "Sekoia.io"
-        creation_date = "2024-04-09"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "SOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\" ascii fullword
-        $s2 = "%s%s\\logins.json" ascii fullword
-        $s3 = "%s%s\\key4.db" ascii fullword
-        $s4 = "\\Thunderbird\\Profiles\\" ascii fullword
-        $s5 = "/server.php" ascii fullword
-        $s6 = "out.dll" ascii fullword
-        
-    condition:
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_storm_1811_files_dat.yar b/yara_rules/sekoiaio_storm_1811_files_dat.yar
deleted file mode 100644
index ef7d99b..0000000
--- a/yara_rules/sekoiaio_storm_1811_files_dat.yar
+++ /dev/null
@@ -1,25 +0,0 @@
-rule sekoiaio_storm_1811_files_dat {
-    meta:
-        id = "8b14f276-0c39-422b-9b19-d96b139a7ae8"
-        version = "1.0"
-        description = "Detects files used in a campaign performed by the intrusion set Storm-1811"
-        author = "Sekoia.io"
-        creation_date = "2024-06-10"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "RuntimeBroker" ascii fullword
-        $s2 = "InstallSpamFilters" ascii fullword
-        $s3 = "newfile333.txt" ascii fullword
-        $s4 = "Installing spam filter kb_outlook" ascii fullword
-        $s5 = "s.zip" ascii fullword
-        $s6 = "Update completed" ascii fullword
-        $s7 = "Updates installed" ascii fullword
-        $s8 = "update_log.tgz uploaded ok" ascii fullword
-        $s9 = "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" ascii fullword
-        $s10 = "runtimebroker_connect" ascii fullword
-        
-    condition:
-        5 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_storm_1811_screenconnect_update.yar b/yara_rules/sekoiaio_storm_1811_screenconnect_update.yar
deleted file mode 100644
index e585fea..0000000
--- a/yara_rules/sekoiaio_storm_1811_screenconnect_update.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-rule sekoiaio_storm_1811_screenconnect_update {
-    meta:
-        id = "252ef24a-14dc-41e8-ba91-dcb9b6deb428"
-        version = "1.0"
-        description = "Detects files used in a campaign performed by the intrusion set Storm-1811"
-        author = "Sekoia.io"
-        creation_date = "2024-06-11"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "upd100.appspot.com/update/u.zip" ascii fullword
-        $s2 = "Unzip ok" ascii fullword
-        $s3 = "Installing update" ascii fullword
-        $s4 = "Administrators" ascii fullword
-        $s5 = "I am not admin" ascii fullword
-        $s6 = "I am admin" ascii fullword
-        $s7 = "ScreenConnect.ClientSetup.exe" ascii fullword
-        $s8 = "for %%x in (%IPS%) do (" ascii fullword
-        
-    condition:
-        6 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_strongpity_malware.yar b/yara_rules/sekoiaio_strongpity_malware.yar
deleted file mode 100644
index 81c210e..0000000
--- a/yara_rules/sekoiaio_strongpity_malware.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_strongpity_malware {
-    meta:
-        id = "f19a685c-599d-42cf-a5d8-7a2375102f97"
-        version = "1.0"
-        description = "Detects obfuscation used by StrongPity"
-        author = "Sekoia.io"
-        creation_date = "2024-02-26"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        /*
-        Detects things like :
-        v14= rand() % 8 + 2;
-        */
-        $rand_edi = {E8 ?? ?? ?? ??    8B F8 81 E7 07 00 00 80    79 ?? 4F 83 CF F8 47 83 C7 02}
-        $rand_esi = {E8 ?? ?? ?? ?? 8B F0 81 E6 07 00 00 80 79 ?? 4E 83 CE F8 46 83 C6 02}
-        $rand_eax = {E8 ?? ?? ?? ??    25 07 00 00 80 79 ?? 48 83 C8 F8 40 83 C0 02}
-        
-    condition:
-        uint16be(0) == 0x4d5a and #rand_edi + #rand_esi + #rand_eax>20
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_suspicious_users_dev.yar b/yara_rules/sekoiaio_suspicious_users_dev.yar
deleted file mode 100644
index 868de29..0000000
--- a/yara_rules/sekoiaio_suspicious_users_dev.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_suspicious_users_dev {
-    meta:
-        id = "9e8af456-6f84-4922-a262-20b8f5c8a1eb"
-        version = "1.0"
-        description = "Nirscord stealer"
-        author = "Sekoia.io"
-        creation_date = "2022-12-22"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $user1 = "\\Users\\raghus1\\" ascii
-        $user2 = "\\Users\\drill\\" ascii
-        $key = {58 69 b3 5f b3 87 74 f6 65 eb 96 e7 6f 4d 16 83 }
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 6MB and
-        1 of ($user*) and $key
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_ta410_control_flow_obfuscation.yar b/yara_rules/sekoiaio_ta410_control_flow_obfuscation.yar
deleted file mode 100644
index e131e4b..0000000
--- a/yara_rules/sekoiaio_ta410_control_flow_obfuscation.yar
+++ /dev/null
@@ -1,25 +0,0 @@
-rule sekoiaio_ta410_control_flow_obfuscation {
-    meta:
-        id = "2a784f9b-3624-4c5d-8a64-db7d3c33a8f7"
-        version = "1.0"
-        description = "Detects control flow obfuscation used by TA410 in XXXModule_dlcore0"
-        author = "Sekoia.io"
-        creation_date = "2022-10-11"
-        classification = "TLP:CLEAR"
-        hash = "6cf78943728286d0bddd99049d81065673ab7f679029cdd5f5dc69f90197136e"
-        
-    strings:
-        $chunk_1 = {
-        E8 ?? ?? ?? ??
-        83 C0 10
-        3D 00 00 00 80
-        7D 01
-        EB ff
-        }
-        
-        $chunk_2 = {83 C0 10 3D 00 00 00 80 7d 01 eb ff e0 50 c3 75} //Complete obfuscation
-        
-    condition:
-        uint16be(0) == 0x4d5a and filesize < 10MB and any of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_technique_csv_dde_exec_regex.yar b/yara_rules/sekoiaio_technique_csv_dde_exec_regex.yar
deleted file mode 100644
index 3b43f3a..0000000
--- a/yara_rules/sekoiaio_technique_csv_dde_exec_regex.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_technique_csv_dde_exec_regex {
-    meta:
-        id = "71d0e987-51ab-49bc-9d0d-d2f9006af1de"
-        version = "1.0"
-        description = "Find .csv file exploiting DDE technique"
-        author = "Sekoia.io"
-        creation_date = "2022-02-02"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $cmd0 = /=\s*wmic\|/ nocase
-        $cmd1 = /=\s*cmd\|/ nocase
-        $cmd2 = /=\s*wscript\|/ nocase
-        $cmd3 = /=\s*cscript\|/ nocase
-        $cmd4 = /=\s*powershell\|/ nocase
-        
-    condition:
-        any of ($cmd*) and filesize < 20000
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tinyfluff_nodejs.yar b/yara_rules/sekoiaio_tinyfluff_nodejs.yar
deleted file mode 100644
index 73ebea2..0000000
--- a/yara_rules/sekoiaio_tinyfluff_nodejs.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_tinyfluff_nodejs {
-    meta:
-        id = "ca8cbd90-f275-4442-8354-b8b069e2efc3"
-        version = "1.0"
-        description = "Detect TinyFluff backdoor by OldGremlin"
-        author = "Sekoia.io"
-        creation_date = "2022-04-20"
-        classification = "TLP:CLEAR"
-        reference = "https://blog.group-ib.com/oldgremlin_comeback"
-        hash = "bd0a6a3628f268a37ac9d708d03f57feef5ed55e"
-        hash = "bd0a6a3628f268a37ac9d708d03f57feef5ed55e"
-        
-    strings:
-        $s1 = "TinyFluff.pdb" fullword ascii
-        $s2 = "node.exe" fullword wide
-        
-    condition:
-        filesize < 500KB and
-        uint16be(0) == 0x4d5a and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_3proxy_strings.yar b/yara_rules/sekoiaio_tool_3proxy_strings.yar
deleted file mode 100644
index d7b2d92..0000000
--- a/yara_rules/sekoiaio_tool_3proxy_strings.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_tool_3proxy_strings {
-    meta:
-        id = "daf6cd97-8033-4bfd-88b5-41c06eb417b0"
-        version = "1.0"
-        description = "Detects 3proxy based on strings"
-        author = "Sekoia.io"
-        creation_date = "2024-03-14"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "of 3proxy-"
-        $ = "-pPORT - service port to accept connections"
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
-        filesize < 500KB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_advancedrun_strings.yar b/yara_rules/sekoiaio_tool_advancedrun_strings.yar
deleted file mode 100644
index c778d69..0000000
--- a/yara_rules/sekoiaio_tool_advancedrun_strings.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_tool_advancedrun_strings {
-    meta:
-        id = "842a996e-0cf2-485f-9d3c-ccbd40c9ab6c"
-        version = "1.0"
-        description = "Detects AdvancedRun strings"
-        author = "Sekoia.io"
-        creation_date = "2024-09-06"
-        classification = "TLP:CLEAR"
-        hash = "a1d50ebe6124584f32de0625475cdb74"
-        
-    strings:
-        $ = "nirsoft.net" wide
-        $ = "Another logged-in user" wide
-        $ = "Choose config file to save" wide
-        $ = "AdvancedRun" ascii wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        all of them and filesize < 1MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_bore_rust_any_platform.yar b/yara_rules/sekoiaio_tool_bore_rust_any_platform.yar
deleted file mode 100644
index 532f963..0000000
--- a/yara_rules/sekoiaio_tool_bore_rust_any_platform.yar
+++ /dev/null
@@ -1,29 +0,0 @@
-rule sekoiaio_tool_bore_rust_any_platform {
-    meta:
-        id = "c0ec0d72-de8e-4b96-9db6-a7a4e2f693f1"
-        version = "1.0"
-        description = "Detects bore tunneling tool"
-        author = "Sekoia.io"
-        creation_date = "2023-07-28"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "bore_cli::" ascii
-        $ = "server handshake failed" ascii
-        $ = "server listening" ascii
-        $ = "connected to server" ascii
-        $ = "server requires authentication, but no client secret was provided" ascii
-        $ = "client port number too low" ascii
-        $ = "forwarding connection" ascii
-        $ = "Address of the remote server to expose local ports" ascii
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or
-         uint32be(0) == 0xfeedface or
-         uint32be(0) == 0xfeedfacf or
-         uint32be(0) == 0xcafebabe or
-         uint16be(0) == 0x4d5a) and
-        filesize < 15MB and
-        5 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_bypassgodzilla.yar b/yara_rules/sekoiaio_tool_bypassgodzilla.yar
deleted file mode 100644
index 2619a12..0000000
--- a/yara_rules/sekoiaio_tool_bypassgodzilla.yar
+++ /dev/null
@@ -1,39 +0,0 @@
-rule sekoiaio_tool_bypassgodzilla {
-    meta:
-        id = "fa492f97-a46c-422d-a617-c503744ee22e"
-        version = "1.0"
-        description = "Detects payload of BypassGodzilla"
-        author = "Sekoia.io"
-        creation_date = "2024-09-09"
-        classification = "TLP:CLEAR"
-        hash = "571c9042c627abba19ba1d591e2083eb"
-        hash = "56cfc5a876f8f55bf184be9f368b6d8a"
-        hash = "d4f7ca537701aee8849c474bc4df19d1"
-        hash = "e4be04331c5f447b3ca03aa637d16c85"
-        hash = "905fa3b692577a086ac654ef89e8b83d"
-        
-    strings:
-        $jsp_1a = "response.getWriter().write(\""
-        $jsp_1b = "\".substring("
-        $jsp_2a = "response.getWriter().write(java.util.Base64/*"
-        $jsp_2b = "*/.getEncoder()/*"
-        $jsp_2c = ".toByteArray(),true)));"
-        
-        $asp_1 = "[\"payload\"]).CreateInstance(\"LY\");"
-        $asp_2 = "\\U00000045\\U00000071\\U00000075\\U00000061\\U0000006C\\U00000073(Context);"
-        
-        $php_1 = "=(\"!\"^\"@\").'ss'.Chr(\"101\").'rs';"
-        $php_2 = "*/md5/*"
-        $php_3 = "*/isset($_SESSION/*"
-        $php_4 = "@set_time_limit(Chr(\"48\"))"
-        
-    condition:
-        (
-            (all of ($jsp_*) and (@jsp_1b-@jsp_1a < 70) and (@jsp_2b-@jsp_2a < 70) and (@jsp_2c - @jsp_2a < 160)) or
-            (all of ($asp_*) and (@asp_2 > @asp_1)) or
-            (all of ($php_*))
-        ) and
-        filesize < 30KB and 
-        true
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_cheat_engine.yar b/yara_rules/sekoiaio_tool_cheat_engine.yar
deleted file mode 100644
index 9d5ca19..0000000
--- a/yara_rules/sekoiaio_tool_cheat_engine.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-rule sekoiaio_tool_cheat_engine {
-    meta:
-        id = "51d4246c-f7a1-4589-8f97-bd85d1fe4a0e"
-        version = "1.0"
-        description = "Detects Cheat Engine driver"
-        author = "Sekoia.io"
-        creation_date = "2024-07-22"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "ObOpenObjectByName" wide
-        $s2 = "PsGetProcessImageFileName" wide
-        $s3 = "PsRemoveCreateThreadNotifyRoutine" wide
-        $s4 = "PsSuspendProcess" wide
-        $s5 = "PsResumeProcess" wide
-        $s6  = "\\device\\physicalmemory" wide
-        $log = "%sCPU%d.trace" wide
-        $ioctl_code = {04 E1 22 00} //base for IOCTL code
-        
-    condition:
-        uint16be(0) == 0x4d5a and filesize < 200KB and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_chisel_strings.yar b/yara_rules/sekoiaio_tool_chisel_strings.yar
deleted file mode 100644
index 00e32d4..0000000
--- a/yara_rules/sekoiaio_tool_chisel_strings.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_tool_chisel_strings {
-    meta:
-        id = "667a8aa3-772b-45f1-8c89-acb7b976888d"
-        version = "1.0"
-        description = "Detects Chisel"
-        author = "Sekoia.io"
-        creation_date = "2024-03-14"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "tunnel.(*Tunnel).handleSSHChannel."
-        $ = "server.(*Server).handleWebsocket"
-        $ = "tunnel.(*udpHandler)"
-        $ = "server.(*Server).tlsLetsEncrypt"
-        $ = "cnet.(*wsConn).SetPingHandler.(*Conn)"
-        $ = "tunnel.(*udpConns).dial."
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
-        filesize < 15MB and 3 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_dogtunnel_strings.yar b/yara_rules/sekoiaio_tool_dogtunnel_strings.yar
deleted file mode 100644
index dcde3c8..0000000
--- a/yara_rules/sekoiaio_tool_dogtunnel_strings.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_tool_dogtunnel_strings {
-    meta:
-        id = "00705613-6367-454f-b3f2-1e2b0a52459c"
-        version = "1.0"
-        description = "Detects Dog Tunnel based on strings"
-        author = "Sekoia.io"
-        creation_date = "2024-03-14"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "pipe.(*UDPMakeSession).doAndWait"
-        $ = "ikcp.ikcp_parse_fastack"
-        $ = "pipe.ListenWithSetting"
-        $ = "pipe.DialTimeoutWithSetting"
-        $ = "common.ReadUDP"
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) 
-        and all of them and filesize < 10MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_dynamicwrapper_strings.yar b/yara_rules/sekoiaio_tool_dynamicwrapper_strings.yar
deleted file mode 100644
index a0bbfe1..0000000
--- a/yara_rules/sekoiaio_tool_dynamicwrapper_strings.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_tool_dynamicwrapper_strings {
-    meta:
-        id = "bbfad0a8-8b86-47c7-bf70-0a3f6859d64b"
-        version = "1.0"
-        description = "Detects DynamicWrapperX"
-        author = "Sekoia.io"
-        creation_date = "2023-12-01"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "Software\\Classes\\DynamicWrapperX" ascii
-        $ = "DllRegisterServer" ascii
-        $ = "GoLink, GoAsm" ascii
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 100KB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_edrsandblast_api_strings.yar b/yara_rules/sekoiaio_tool_edrsandblast_api_strings.yar
deleted file mode 100644
index af2b106..0000000
--- a/yara_rules/sekoiaio_tool_edrsandblast_api_strings.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_tool_edrsandblast_api_strings {
-    meta:
-        id = "8a5dc171-dce8-4b5a-96e9-53dd1855e8c1"
-        version = "1.0"
-        description = "Detects EDRSandblast API strings"
-        author = "Sekoia.io"
-        creation_date = "2024-01-08"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "[!] Required driver file not present at" wide
-        $ = "[!] New uninstall / install attempt failed" wide
-        $ = "[!] Kernel offsets are missing from the CSV" wide
-        $ = "[+] Downloading wdigest offsets from the MS Symbol Server" wide
-        $ = "[+] Check if EDR callbacks are registered on process" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 1MB and
-        4 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_edrsandblast_cli_strings.yar b/yara_rules/sekoiaio_tool_edrsandblast_cli_strings.yar
deleted file mode 100644
index e15f4cf..0000000
--- a/yara_rules/sekoiaio_tool_edrsandblast_cli_strings.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_tool_edrsandblast_cli_strings {
-    meta:
-        id = "baf3c68a-1d28-464e-8240-28cc66c8c151"
-        version = "1.0"
-        description = "Detects EDRSandblast CLI strings"
-        author = "Sekoia.io"
-        creation_date = "2024-01-08"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "[!] LSASS dump might fail if RunAsPPL" wide
-        $ = "[!] You did not provide at least one option between" wide
-        $ = "[+] Detecting userland hooks in all loaded DLLs" wide
-        $ = "[+] Saving them to the CSV file" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        4 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_edrsandblast_kernelcallbacks.yar b/yara_rules/sekoiaio_tool_edrsandblast_kernelcallbacks.yar
deleted file mode 100644
index bb97d3e..0000000
--- a/yara_rules/sekoiaio_tool_edrsandblast_kernelcallbacks.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_tool_edrsandblast_kernelcallbacks {
-    meta:
-        id = "74cf4444-5bd6-4167-930a-5dbf2e529f92"
-        version = "1.0"
-        description = "Detects EDRSandblast KernelCallbacks strings"
-        author = "Sekoia.io"
-        creation_date = "2024-11-25"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "[+] '%s' service ACL configured to for Everyone" wide
-        $ = "%s callback of EDR driver \"%s\" [callback addr: 0x%I64x" wide
-        $ = "[!] Could not resolve %s kernel module's address" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 3MB and
-        3 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_edrsandblast_strings.yar b/yara_rules/sekoiaio_tool_edrsandblast_strings.yar
deleted file mode 100644
index ecdc905..0000000
--- a/yara_rules/sekoiaio_tool_edrsandblast_strings.yar
+++ /dev/null
@@ -1,30 +0,0 @@
-rule sekoiaio_tool_edrsandblast_strings {
-    meta:
-        id = "7059b89c-80b5-4768-b3eb-02f173f628b0"
-        version = "1.0"
-        description = "Detects EDRSandblast strings"
-        author = "Sekoia.io"
-        creation_date = "2024-01-08"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "[!] Cred Guard bypass failed: obtained invalid" wide
-        $ = "[!] Cred Guard bypass non fatal error:" wide
-        $ = "[+] Successfully overwrote wdigest's g_fParameter_UseLogonCredential" wide
-        $ = "[!] ERROR: could not allocate memory for the handl" wide
-        $ = "[+] [ProcessProtection] Found the handle of the current" wide
-        $ = "[+] [ProcessProtection] Found self process EPROCCES struct at" wide
-        $ = "ETW Threat Intel ProviderEnableInfo address could not be found." wide
-        $ = "The ETW Threat Intel provider was successfully" wide
-        $ = "[+] [NotifyRountines]" wide
-        $ = "[callback addr: 0x" wide
-        $ = "EDR / security products driver(s)" wide
-        $ = "Object callback offsets not loaded ! Aborting..." wide
-        $ = "No more space to store object callbacks !!" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 1MB and
-        3 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_efspotato.yar b/yara_rules/sekoiaio_tool_efspotato.yar
deleted file mode 100644
index a5c0bdf..0000000
--- a/yara_rules/sekoiaio_tool_efspotato.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_tool_efspotato {
-    meta:
-        id = "4440ea37-d7d0-4107-867c-576c6e2f4f7e"
-        version = "1.0"
-        author = "Sekoia.io"
-        creation_date = "2023-08-23"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "usage: EfsPotato <cmd> [pipe]" ascii wide
-        $s2 = "Exploit for EfsPotato(MS-EFSR EfsRpcEncryptFileSrv with SeImpersonatePrivilege local privalege escalation vulnerability)." ascii wide
-        $s3 = "Part of GMH's fuck Tools, Code By zcgonvh." ascii wide
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
-        filesize < 4MB and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_ehole.yar b/yara_rules/sekoiaio_tool_ehole.yar
deleted file mode 100644
index 35ac228..0000000
--- a/yara_rules/sekoiaio_tool_ehole.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_tool_ehole {
-    meta:
-        id = "7d30ffd0-fada-4ef4-98c3-5572a4e1e140"
-        version = "1.0"
-        author = "Sekoia.io"
-        creation_date = "2023-06-23"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "main.http400"
-        $s2 = "main.fofa_c"
-        $s3 = "main.Jsjump"
-        $s4 = "main.StandBase64"
-        $s5 = "main.fofa_http"
-        $s6 = "main.fofa_seach"
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
-        filesize < 11MB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_enum4linux_strings.yar b/yara_rules/sekoiaio_tool_enum4linux_strings.yar
deleted file mode 100644
index 672b362..0000000
--- a/yara_rules/sekoiaio_tool_enum4linux_strings.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-rule sekoiaio_tool_enum4linux_strings {
-    meta:
-        id = "6b3094fe-1292-4da3-a1ed-9e255be531da"
-        version = "1.0"
-        description = "Detects enum4linux based on strings"
-        author = "Sekoia.io"
-        creation_date = "2024-02-02"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "my $os_info = `$command`;"
-        $ = "($global_workgroup) = $os_info =~"
-        $ = "sub enum_groups {"
-        $ = "if ($shares =~ /NT_STATUS_ACCESS_DENIED/) {"
-        $ = "Can't open share list file $shares_file"
-        $ = "my $users = `$command`;"
-        $ = "my @shares = <SHARES>;"
-        $ = "foreach my $grouptype (\"builtin\", \"domain\") {"
-        
-    condition:
-        6 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_execit_obfuscator_strings.yar b/yara_rules/sekoiaio_tool_execit_obfuscator_strings.yar
deleted file mode 100644
index d14f226..0000000
--- a/yara_rules/sekoiaio_tool_execit_obfuscator_strings.yar
+++ /dev/null
@@ -1,29 +0,0 @@
-rule sekoiaio_tool_execit_obfuscator_strings {
-    meta:
-        id = "59eaeb20-150b-41a4-b866-1c91a07623ac"
-        version = "1.0"
-        description = "Detects ExecIT Dlls"
-        author = "Sekoia.io"
-        creation_date = "2024-09-11"
-        classification = "TLP:CLEAR"
-        hash = "1c185e2e11d8eadccfb130766ca30d85"
-        hash = "a0898f57f2b139ea278d8a7e97bbe358"
-        hash = "e0e12a8891f5585ce1ad55dbffb4f9c2"
-        hash = "d4102676d536bacffcf6c94364e26828"
-        
-    strings:
-        $ = "yromeMlautriVetacollAtN"
-        $ = "xEdaerhTetaerCtN"
-        $ = "tcejbOelgniSroFtiaWtN"
-        $ = "lld.esablenrek"
-        $ = "txetnoCdaerhTteG"
-        $ = "txetnoCdaerhTteS"
-        $ = "cef_api_hash"
-        $ = "cef_execute_process"
-        $ = "cef_get_path"
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        5 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_exploit_badpotato_strings.yar b/yara_rules/sekoiaio_tool_exploit_badpotato_strings.yar
deleted file mode 100644
index e44680b..0000000
--- a/yara_rules/sekoiaio_tool_exploit_badpotato_strings.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-rule sekoiaio_tool_exploit_badpotato_strings {
-    meta:
-        id = "079aabbc-6978-4d71-92d2-d2a7ce1cc915"
-        version = "1.0"
-        description = "Detects BadPotato compiled exploit"
-        author = "Sekoia.io"
-        creation_date = "2022-09-09"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "RpcStringBindingCompose failed with status 0x" wide
-        $ = "RpcBindingFromStringBinding failed with status 0x" wide
-        $ = "RpcBindingSetAuthInfoEx failed with status 0x" wide
-        $ = "RpcBindingSetOption failed with status 0x" wide
-        $ = "\\\\.\\pipe\\{0}\\pipe\\spoolss" wide
-        $ = "[*] {0} Success! ProcessPid:{1}" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 1MB and
-        5 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_exploit_comahawk_strings.yar b/yara_rules/sekoiaio_tool_exploit_comahawk_strings.yar
deleted file mode 100644
index b59f2c9..0000000
--- a/yara_rules/sekoiaio_tool_exploit_comahawk_strings.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_tool_exploit_comahawk_strings {
-    meta:
-        id = "cc0d10ae-1a14-48c1-9c45-d65fac15f8f1"
-        version = "1.0"
-        description = "Detects COMahawk exploit compiled binaries"
-        author = "Sekoia.io"
-        creation_date = "2022-09-09"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "sc config UsoSvc binpath=" wide
-        $ = "binpath= \"cmd.exe /c net localgroup administrators /add"
-        $ = "[+] Command executed."
-        $ = "Release\\COMahawk.pdb"
-        $ = " is added as an admin."
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 1MB and
-        3 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_exploit_rottenpotato_strings.yar b/yara_rules/sekoiaio_tool_exploit_rottenpotato_strings.yar
deleted file mode 100644
index 64d61cf..0000000
--- a/yara_rules/sekoiaio_tool_exploit_rottenpotato_strings.yar
+++ /dev/null
@@ -1,28 +0,0 @@
-rule sekoiaio_tool_exploit_rottenpotato_strings {
-    meta:
-        id = "453646d4-b128-40ea-8840-4c53b8f1e486"
-        version = "1.0"
-        description = "Detects RottenPotato compiled binaries"
-        author = "Sekoia.io"
-        creation_date = "2022-09-09"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "WSAStartup failed with error: %d"
-        $ = "getaddrinfo failed with error: %d"
-        $ = "RPC -> send failed with error: %d"
-        $ = "RPC-> Connection closed"
-        $ = "COM -> bytes sent: %d"
-        $ = "COM -> recv failed with error: %d"
-        $ = "Running %S with args %S"
-        $ = "[-] Failed to create proc: %d"
-        $ = "Waiting for auth..."
-        $ = "Auth result: %d"
-        $ = "SeImpersonatePrivilege" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 1MB and
-        8 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_generic_python_reverse_shell_strings.yar b/yara_rules/sekoiaio_tool_generic_python_reverse_shell_strings.yar
deleted file mode 100644
index 06c1397..0000000
--- a/yara_rules/sekoiaio_tool_generic_python_reverse_shell_strings.yar
+++ /dev/null
@@ -1,17 +0,0 @@
-rule sekoiaio_tool_generic_python_reverse_shell_strings {
-    meta:
-        id = "5b926d15-4f21-428c-a9fa-ee085a98d42b"
-        version = "1.0"
-        description = "Detects reverse shell"
-        author = "Sekoia.io"
-        creation_date = "2024-04-16"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "import sys,socket,os,pty;"
-        $ = "[os.dup2(s.fileno(),fd) for fd in (0,1,2)]"
-        
-    condition:
-        all of them and filesize < 1000
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_godpotato.yar b/yara_rules/sekoiaio_tool_godpotato.yar
deleted file mode 100644
index c1cd69d..0000000
--- a/yara_rules/sekoiaio_tool_godpotato.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule sekoiaio_tool_godpotato {
-    meta:
-        id = "cc396771-f187-43ae-903f-147d15483c46"
-        version = "1.0"
-        author = "Sekoia.io"
-        creation_date = "2023-08-23"
-        classification = "TLP:CLEAR"
-        author = "Sekoia.io"
-        
-    strings:
-        $s1 = "[!] Cannot create process Win32Error:{0}" ascii wide
-        $s2 = "[*] process start with pid {0}" ascii wide
-        $s3 = "MEOW" ascii wide
-        $s4 = "2ae886c3-3272-40be-8d3c-ebaede9e61e1" ascii wide
-        $s5 = "GodPotatoUnmarshalTrigger" ascii wide
-        $s6 = "GodPotato.exe" ascii wide
-        $s7 = "GodPotato.exe" wide
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
-        filesize < 4MB and 
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_gost_tunnel_strings.yar b/yara_rules/sekoiaio_tool_gost_tunnel_strings.yar
deleted file mode 100644
index 622aec1..0000000
--- a/yara_rules/sekoiaio_tool_gost_tunnel_strings.yar
+++ /dev/null
@@ -1,36 +0,0 @@
-rule sekoiaio_tool_gost_tunnel_strings {
-    meta:
-        id = "2de7aae9-9cf8-4007-aa27-5caea4123713"
-        version = "1.0"
-        description = "Detects GOST Go Tunnel, based on strings"
-        author = "Sekoia.io"
-        creation_date = "2023-02-28"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = ".(*shadowUDPHandler).transportUDP" ascii
-        $ = ".(*quicCipherConn).decrypt" ascii
-        $ = ".(*socks4aConnector).ConnectContext.func1" ascii
-        $ = ".(*mtlsTransporter).Handshake" ascii
-        $ = ".(*FIFOStrategy).Apply" ascii
-        $ = ".dnsTCPExchanger" ascii
-        $ = ".dohResponseWriter" ascii
-        $ = ".tcpRemoteForwardListener" ascii
-        $ = ".shadowUDPPacketConn" ascii
-        $ = ".sshTunnelListener" ascii
-        $ = "/listener/rtcp/listener.go" ascii
-        $ = "/handler/unix/handler.go" ascii
-        $ = "/handler/tunnel/tunnel.go"ascii
-        $ = "/internal/net/proxyproto/listener.go" ascii
-        $ = "/internal/util/serial/conn.go" ascii
-        $ = "github.com/go-gost/x" ascii
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or 
-         uint16be(0) == 0x4d5a or 
-         uint32be(0) == 0xcefaedfe or 
-         uint32be(0) == 0xcffaedfe or 
-         uint32be(0) == 0xbebafeca) and
-        5 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_gsocket_strings.yar b/yara_rules/sekoiaio_tool_gsocket_strings.yar
deleted file mode 100644
index 575fd9c..0000000
--- a/yara_rules/sekoiaio_tool_gsocket_strings.yar
+++ /dev/null
@@ -1,29 +0,0 @@
-rule sekoiaio_tool_gsocket_strings {
-    meta:
-        id = "55fb2f2b-1074-4b6d-9113-48eaeb0e1e27"
-        version = "1.0"
-        description = "Detects Gsocket based on strings"
-        author = "Sekoia.io"
-        creation_date = "2024-06-10"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "proxy. It allows multiple gs-netcat clients to (securely) relay"
-        $ = "GS-NETCAT(1)            General Commands Manual          GS-NETCAT(1)"
-        $ = "-T      Use TOR. The gs-netcat tool will connect via TOR to the GSRN."
-        $ = "-D      Daemon & Watchdog mode. Start gs-netcat as a background process"
-        $ = "gs-netcat [-rlgvqwCTSDiu] [-s secret] [-k keyfile] [-L logfile] [-d IP]"
-        $ = "The gs-netcat utility is a re-implementation of netcat."
-        
-    condition:
-        (
-            uint32be(0) == 0x7f454c46 or 
-            uint16be(0) == 0x4d5a or 
-            uint32be(0) == 0xfeedface or 
-            uint32be(0) == 0xcffaedfe or 
-            uint32be(0) == 0xcafebabe
-        ) and
-        filesize > 2MB and filesize < 6MB and
-        2 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_htran_strings.yar b/yara_rules/sekoiaio_tool_htran_strings.yar
deleted file mode 100644
index af6b2b7..0000000
--- a/yara_rules/sekoiaio_tool_htran_strings.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-rule sekoiaio_tool_htran_strings {
-    meta:
-        id = "0184937e-eefa-4c6d-ae00-9b0af80dc7db"
-        version = "1.0"
-        description = "Detects HTran based on strings"
-        author = "Sekoia.io"
-        creation_date = "2022-09-09"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "-slave <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort>"
-        $ = "-tran <ConnectPort> <TransmitHost> <TransmitPort>"
-        $ = "-listen <ConnectPort> <TransmitPort>"
-        $ = "[-] There is a error...Create a new connection."
-        $ = "[+] Start Transmit (%s:%d <-> %s:%d) ......"
-        $ = "[+] Accept a Client on port %d from %s"
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 1MB and
-        3 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_impersonate_strings.yar b/yara_rules/sekoiaio_tool_impersonate_strings.yar
deleted file mode 100644
index d0df131..0000000
--- a/yara_rules/sekoiaio_tool_impersonate_strings.yar
+++ /dev/null
@@ -1,27 +0,0 @@
-import "pe"
-        
-rule sekoiaio_tool_impersonate_strings {
-    meta:
-        id = "2ab345a2-9366-4673-b398-a59ba6954af5"
-        version = "1.0"
-        description = "Detects Impersonate"
-        author = "Sekoia.io"
-        creation_date = "2024-07-24"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "[*] Listing available tokens"
-        $ = "[ID: %2d][SESSION: %d][INTEGRITY: %-6ws][%-18ws][%-22ws] User: %ws"
-        $ = "[*] Impersonating %ws"
-        $ = "[!] Impersonation failed error: %d"
-        $ = "[*] Adding user %ls on %ls"
-        $ = "[!] Add user failed with error: %d"
-        $ = "[*] Adding user %ws to domain group %ws"
-        $ = "[!] Add user in domain %ws failed with error: %d"
-        $ = "[!] Couldn't change token session id (error: %d)"
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        3 of them or pe.imphash() == "e14ce763114276674e22b7b8b637bd4b"
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_inswor_strings.yar b/yara_rules/sekoiaio_tool_inswor_strings.yar
deleted file mode 100644
index a69cb9c..0000000
--- a/yara_rules/sekoiaio_tool_inswor_strings.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_tool_inswor_strings {
-    meta:
-        id = "99aaad33-510a-41b9-9022-800588c18d6d"
-        version = "1.0"
-        description = "Detects In-Swor based on strings"
-        author = "Sekoia.io"
-        creation_date = "2024-09-09"
-        classification = "TLP:CLEAR"
-        hash = "c393128a143b2a3397100b4a30c75112"
-        
-    strings:
-        $ = "open encrypted file error:" ascii
-        $ = "open config file error:" ascii
-        $ = "payload.ini" ascii
-        
-    condition:
-        uint16be(0) == 0x4d5a and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_iodine_strings.yar b/yara_rules/sekoiaio_tool_iodine_strings.yar
deleted file mode 100644
index 7eea909..0000000
--- a/yara_rules/sekoiaio_tool_iodine_strings.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_tool_iodine_strings {
-    meta:
-        id = "029766cc-80fb-423d-adc5-8867c438c5d3"
-        version = "1.0"
-        description = "Detects iodine based on strings"
-        author = "Sekoia.io"
-        creation_date = "2024-02-02"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "Sending DNS queries for %s to %s"
-        $ = "No tun devices found, trying utun"
-        $ = "iodine IP over DNS tunneling client"
-        $ = "topdomain is the FQDN that is delegated to the tunnel endpoint."
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
-         filesize < 1MB and
-        3 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_juicypotato_exploit_strings.yar b/yara_rules/sekoiaio_tool_juicypotato_exploit_strings.yar
deleted file mode 100644
index e15b7c4..0000000
--- a/yara_rules/sekoiaio_tool_juicypotato_exploit_strings.yar
+++ /dev/null
@@ -1,26 +0,0 @@
-rule sekoiaio_tool_juicypotato_exploit_strings {
-    meta:
-        id = "03d697ae-69a7-490b-8b3c-9a8c21fb46a2"
-        version = "1.0"
-        description = "Detects the JuicyPotato exploit based on strings"
-        author = "Sekoia.io"
-        creation_date = "2022-09-09"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "JuicyPotato v%s"
-        $ = "-t createprocess call: <t> CreateProcessWithTokenW"
-        $ = "-p <program>: program to launch"
-        $ = "-l <port>: COM server listen port"
-        $ = "-m <ip>: COM server listen address"
-        $ = "-n <port>: RPC server listen port"
-        $ = "Error - Unknown NTLM message type..."
-        $ = "[+] authresult %d"
-        $ = "Waiting for auth..."
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 500KB and
-        2 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_juicypotatong_strings.yar b/yara_rules/sekoiaio_tool_juicypotatong_strings.yar
deleted file mode 100644
index 0325a6b..0000000
--- a/yara_rules/sekoiaio_tool_juicypotatong_strings.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_tool_juicypotatong_strings {
-    meta:
-        id = "4634251b-ea41-4f58-aabd-db83ccf4edaa"
-        version = "1.0"
-        description = "Detects JuicyPotatoNG"
-        author = "Sekoia.io"
-        creation_date = "2023-06-20"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "[!] CryptStringToBinaryW failed with error code %d" ascii
-        $ = "-b : Bruteforce all CLSIDs. !ALERT:" ascii
-        $ = "[-] CreateProcessWithTokenW Failed to create proc: %d" ascii
-        
-    condition:
-        uint16be(0) == 0x4d5a and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_koblas_server_strings.yar b/yara_rules/sekoiaio_tool_koblas_server_strings.yar
deleted file mode 100644
index 8cf6a93..0000000
--- a/yara_rules/sekoiaio_tool_koblas_server_strings.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_tool_koblas_server_strings {
-    meta:
-        id = "ebd891da-69dd-474c-9e08-63d0b4cc654e"
-        version = "1.0"
-        description = "Detects Koblas server"
-        author = "Sekoia.io"
-        creation_date = "2024-05-23"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "sent {sent} bytes and received {received} bytes" wide ascii
-        $ = "connection denied" ascii
-        $ = "loaded {} users" ascii
-        $ = "listening on {}:{} for incoming connections" ascii
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
-        3 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_ladon_strings.yar b/yara_rules/sekoiaio_tool_ladon_strings.yar
deleted file mode 100644
index 6192956..0000000
--- a/yara_rules/sekoiaio_tool_ladon_strings.yar
+++ /dev/null
@@ -1,62 +0,0 @@
-rule sekoiaio_tool_ladon_strings {
-    meta:
-        id = "7f06f755-a103-4e74-a9df-136355775233"
-        version = "1.0"
-        description = "Detects Ladon based on strings"
-        author = "Sekoia.io"
-        creation_date = "2024-06-03"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $a1 = ".GetType('Ladon.Scan')"
-        $a2 = "= New-object Byte[]("
-        $a3 = "([IO.MemoryStream][Convert]::FromBase64String("
-        
-        $b1 = "DeflateStream([IO.MemoryStream][Convert]::FromBase64String("
-        $b2 = "))}}}}}}}}}"
-        $b3 = "::Main(@($"
-        $b4 = "))} else {If("
-        $b5 = "= [Reflection.Assembly]::Load("
-        
-        $c1 = "ChatLadon.Form1.resources"
-        $c2 = "ChatLadon.Properties.Resources.resources"
-        $c3 = "WebClientUploadEvent"
-        $c4 = "WebClientDownloadEvent"
-        $c5 = "K8robot"
-        $c6 = "K8IPselect"
-        
-        $d1 = "loadASM"
-        $d2 = "ConsoleApp1.exe"
-        $d3 = "K8Ladon"
-        
-        $e1 = "get_network_16px_1219919_easyicon_net"
-        $e2 = "K8gege"
-        $e3 = "LadonExpBuild"
-        
-        $f1 = "Ladon url.txt CitrixVer"
-        $f2 = "Ladon MssqlCmd"
-        $f3 = "Example: Ladon "
-        $f4 = "k8gege.org"
-        $f5 = "K8crack"
-        
-        $g1 = "LadonStudy.exe"
-        $g2 = "LadonStudy.frmMain.resources"
-        $g3 = "LadonStudy.Properties.Resources.resources"
-        $g4 = "K8gege"
-        
-        $h1 = "LadonShell.exe" wide
-        $h2 = "ForceRemove"
-        $h3 = "GetUserObjectInformationA"
-        
-    condition:
-        ( all of ($a*) or 
-        all of ($b*) or 
-        all of ($c*) or 
-        all of ($d*) or 
-        all of ($e*) or 
-        all of ($f*) or 
-        all of ($g*) or 
-        all of ($h*) )
-        and filesize < 5MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_lsass_dump_strings.yar b/yara_rules/sekoiaio_tool_lsass_dump_strings.yar
deleted file mode 100644
index 0334e64..0000000
--- a/yara_rules/sekoiaio_tool_lsass_dump_strings.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_tool_lsass_dump_strings {
-    meta:
-        id = "bf024dc6-a1c8-4c3f-9bf8-8d246c129639"
-        version = "1.0"
-        description = "Detects Lsass dump based on strings"
-        author = "Sekoia.io"
-        creation_date = "2024-09-09"
-        classification = "TLP:CLEAR"
-        hash = "f4540f42902c068b9290239729c45324"
-        
-    strings:
-        $ = "[SUCCESS] Successfully dumped core LSASS information for PID:"
-        $ = "[SUCCESS] All data dumped to "
-        $ = "[ERROR] Unable to dump process"
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        3 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_masky_strings.yar b/yara_rules/sekoiaio_tool_masky_strings.yar
deleted file mode 100644
index c506748..0000000
--- a/yara_rules/sekoiaio_tool_masky_strings.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_tool_masky_strings {
-    meta:
-        id = "542670ee-9f2e-4148-853d-a3f055bd584c"
-        version = "1.0"
-        description = "Detects Masky tool"
-        author = "Sekoia.io"
-        creation_date = "2022-08-23"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "caa1aa2e-8a2a-4f98-bc51-b7cf10663fa9" ascii
-        $s2 = "Masky" ascii
-        $s3 = "\\Windows\\Temp\\" wide
-        $s4 = "Length must be non-negative" wide
-        $s5 = "CSP does not contain a private key" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 1MB and
-        4 of them or $s1
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_multidump_strings.yar b/yara_rules/sekoiaio_tool_multidump_strings.yar
deleted file mode 100644
index 097baff..0000000
--- a/yara_rules/sekoiaio_tool_multidump_strings.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-rule sekoiaio_tool_multidump_strings {
-    meta:
-        id = "4897c898-01dd-40d2-bf28-266231c88f8a"
-        version = "1.0"
-        description = "Detects MultiDump"
-        author = "Sekoia.io"
-        creation_date = "2024-03-19"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "--nodump\tDisable LSASS dumping"
-        $ = "-r 192.168.1.100:5000"
-        $ = "Path to save procdump.exe"
-        $ = "[!] CreateFileW [R] Failed With Error"
-        $ = "LSASS is Running, Continuin"
-        $ = "Dumping LSASS Using ProcDump"
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 1MB and
-        3 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_nping_strings.yar b/yara_rules/sekoiaio_tool_nping_strings.yar
deleted file mode 100644
index 19120f6..0000000
--- a/yara_rules/sekoiaio_tool_nping_strings.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_tool_nping_strings {
-    meta:
-        id = "fcfd9539-b224-45b4-9252-0b4d56a40be4"
-        version = "1.0"
-        description = "Detects NPing"
-        author = "Sekoia.io"
-        creation_date = "2022-08-11"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "http://nmap.org/nping"
-        $ = "nping scanme.nmap.org"
-        $ = "Bogus target structure passed to %s"
-        $ = "Packet too short."
-        $ = "read_arp_reply_pcap"
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
-        3 of them and filesize < 1MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_nssm_strings.yar b/yara_rules/sekoiaio_tool_nssm_strings.yar
deleted file mode 100644
index 7cd1e21..0000000
--- a/yara_rules/sekoiaio_tool_nssm_strings.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-rule sekoiaio_tool_nssm_strings {
-    meta:
-        id = "fab99d44-6494-4bfc-80c0-67c45bad0425"
-        version = "1.0"
-        description = "Detects nssm tool"
-        author = "Sekoia.io"
-        creation_date = "2024-09-06"
-        classification = "TLP:CLEAR"
-        hash = "beceae2fdc4f7729a93e94ac2ccd78cc"
-        
-    strings:
-        $ = "nssm start <servicename>" wide
-        $ = "nssm stop <servicename>" wide
-        $ = "nssm restart <servicename>" wide
-        $ = "nssm status <servicename>" wide
-        $ = "nssm rotate <servicename>" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a 
-        and all of them 
-        and filesize < 500KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_paexec_strings.yar b/yara_rules/sekoiaio_tool_paexec_strings.yar
deleted file mode 100644
index da50a4c..0000000
--- a/yara_rules/sekoiaio_tool_paexec_strings.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_tool_paexec_strings {
-    meta:
-        id = "c48b897c-0d88-4fa9-b64b-0e14a38a62d7"
-        version = "1.0"
-        description = "Detects PAExec based on strings"
-        author = "Sekoia.io"
-        creation_date = "2022-09-23"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "\\\\%s\\%s\\PAExec_Move%u.dat" wide
-        $ = "PAExec_Move%u.dat" wide
-        $ = "Usage: PAExec [\\\\computer[,computer2[,...]]" wide
-        $ = "PAExec returning exit code %d" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and 3 of them
-        and filesize < 500KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_pchunter_and_related_certificate.yar b/yara_rules/sekoiaio_tool_pchunter_and_related_certificate.yar
deleted file mode 100644
index 709635a..0000000
--- a/yara_rules/sekoiaio_tool_pchunter_and_related_certificate.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-import "pe"
-        
-rule sekoiaio_tool_pchunter_and_related_certificate {
-    meta:
-        id = "757c7738-4ee8-4b4e-bdda-0c5b0c010f40"
-        version = "1.0"
-        description = "Detects PCHunter and associated binairies & drivers"
-        author = "Sekoia.io"
-        creation_date = "2022-09-07"
-        classification = "TLP:CLEAR"
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        for any i in (0 .. pe.number_of_signatures) : (
-         pe.signatures[i].serial contains "05:51:bc:8c:6a:a2:ca:03:2b:c6:71:38:30:d8:49:a3"
-      ) and filesize>400KB and filesize<20MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_petitpotato.yar b/yara_rules/sekoiaio_tool_petitpotato.yar
deleted file mode 100644
index 7b7e0ee..0000000
--- a/yara_rules/sekoiaio_tool_petitpotato.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_tool_petitpotato {
-    meta:
-        id = "72808202-a124-478e-bc60-59d35824b948"
-        version = "1.0"
-        author = "Sekoia.io"
-        creation_date = "2023-08-23"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s2 = "set_FileName" ascii wide
-        $s3 = "VarFileInfo" ascii wide
-        $s4 = "PetitPotato.exe" ascii wide
-        $s5 = "0.0.0.0" ascii wide
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
-        filesize < 4MB and 
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_pivotnacci.yar b/yara_rules/sekoiaio_tool_pivotnacci.yar
deleted file mode 100644
index bbd8635..0000000
--- a/yara_rules/sekoiaio_tool_pivotnacci.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_tool_pivotnacci {
-    meta:
-        id = "31ecb08a-fc92-4cbe-a865-7ce869a5fa6a"
-        version = "1.0"
-        description = "Detects Pivotnacci"
-        author = "Sekoia.io"
-        creation_date = "2024-04-22"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $pivotnacci = "pivotnacci"
-        $s1 = "Socks server => %s:%s"
-        $s2 = "The default listening address"
-        $s3 = "Socks server for HTTP agents"
-        $s4 = "Message returned by the agent web page"
-        $s5 = "Password to communicate with the agent"
-        $s6 = "To specify agent type in case is not automatically detected."
-        
-    condition:
-        $pivotnacci and 3 of ($s*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_pivotnacci_webshell.yar b/yara_rules/sekoiaio_tool_pivotnacci_webshell.yar
deleted file mode 100644
index 1f63ffa..0000000
--- a/yara_rules/sekoiaio_tool_pivotnacci_webshell.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule sekoiaio_tool_pivotnacci_webshell {
-    meta:
-        id = "729b6381-b59d-46fe-9ad4-b8b68fb0ceea"
-        version = "1.0"
-        description = "Detects pivotnacci webshell"
-        author = "Sekoia.io"
-        creation_date = "2024-04-22"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "if (cmd == SEND_OPERATION) {"
-        $ = "Response.BinaryWrite(newBuff)"
-        $ = "Request.Headers.Get(ID_HEADER)"
-        $ = "[$READ_BUFFER_SESSION_KEY . $connection_id]"
-        $ = "extract_session_readbuf($conn_id"
-        $ = "Failed connecting to target $addr:$port : $errstr"
-        $ = "void handle_post(String cmd)"
-        $ = "SocketChannel socketChannel = this.get_socket(socket_id"
-        $ = "this.get_svc().compareTo(this.get_hostname())"
-        
-    condition:
-        3 of them and filesize < 10KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_powershell_unicorn.yar b/yara_rules/sekoiaio_tool_powershell_unicorn.yar
deleted file mode 100644
index 9a605c7..0000000
--- a/yara_rules/sekoiaio_tool_powershell_unicorn.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_tool_powershell_unicorn {
-    meta:
-        id = "287c1669-2ee1-488e-bf66-a99bfe309c90"
-        version = "1.0"
-        description = "Detects Unicorn Powershell"
-        author = "Sekoia.io"
-        creation_date = "2022-08-23"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = ").value.toString() ('JAB" ascii wide
-        $ = ").value.toString());powershell (" ascii wide
-        $ = "powershell /w 1 " ascii wide
-        
-    condition:
-        all of them and filesize < 100KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_printnotifypotato.yar b/yara_rules/sekoiaio_tool_printnotifypotato.yar
deleted file mode 100644
index 2e5db90..0000000
--- a/yara_rules/sekoiaio_tool_printnotifypotato.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-rule sekoiaio_tool_printnotifypotato {
-    meta:
-        id = "8dde175f-025a-4c27-bcc6-d0016dd7238c"
-        version = "1.0"
-        author = "Sekoia.io"
-        creation_date = "2023-08-23"
-        classification = "TLP:CLEAR"
-        author = "Sekoia.io"
-        
-    strings:
-        $s1 = "PrintNotifyPotato.exe" ascii wide
-        $s2 = "BeichenDream" ascii wide
-        $s3 = "interactive" ascii wide
-        $s4 = "DuplicateTokenEx" ascii wide
-        $s5 = "CurrentUser" ascii wide
-        $s6 = "FakeIUnknown" ascii wide
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
-        filesize < 8MB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_quarkspwdump.yar b/yara_rules/sekoiaio_tool_quarkspwdump.yar
deleted file mode 100644
index 2b04d4d..0000000
--- a/yara_rules/sekoiaio_tool_quarkspwdump.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_tool_quarkspwdump {
-    meta:
-        id = "859823f9-6d47-4b0f-844b-d3af7bad498b"
-        version = "1.0"
-        author = "Sekoia.io"
-        creation_date = "2023-06-23"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "quarks-pwdump.exe"
-        $s2 = "--------------------------------------------- BEGIN DUMP --------------------------------------------"
-        $s3 = "%s_hist%d:\"\":\"\":%s:%s"
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
-        filesize < 1MB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_rathole_strings.yar b/yara_rules/sekoiaio_tool_rathole_strings.yar
deleted file mode 100644
index b8e77d3..0000000
--- a/yara_rules/sekoiaio_tool_rathole_strings.yar
+++ /dev/null
@@ -1,26 +0,0 @@
-rule sekoiaio_tool_rathole_strings {
-    meta:
-        id = "39d11285-a3bf-46c3-901d-ab46601a9066"
-        version = "1.0"
-        description = "Detects RATHole based on strings"
-        author = "Sekoia.io"
-        creation_date = "2024-05-23"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "rathole\\src\\" ascii
-        $ = "\\\\?\\\\\\?\\UNC\\" wide
-        $ = "rathole::" ascii
-        $ = "src/server.rs"
-        $ = "`[server]` or `[client]"
-        
-    condition:
-        ( uint32be(0) == 0x7f454c46 or 
-          uint16be(0) == 0x4d5a or 
-          uint32be(0) == 0xfeedface or 
-          uint32be(0) == 0xfeedfacf or 
-          uint32be(0) ==  0xcafebabe or
-          uint32be(0) ==  0xCFFAEDFE) and
-        3 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_realblindingedr_strings.yar b/yara_rules/sekoiaio_tool_realblindingedr_strings.yar
deleted file mode 100644
index 9bc6214..0000000
--- a/yara_rules/sekoiaio_tool_realblindingedr_strings.yar
+++ /dev/null
@@ -1,25 +0,0 @@
-rule sekoiaio_tool_realblindingedr_strings {
-    meta:
-        id = "505dcbee-ae37-47c1-a322-2c52d10e68d7"
-        version = "1.0"
-        description = "Detects RealBlindingEDR based on strings"
-        author = "Sekoia.io"
-        creation_date = "2024-09-11"
-        classification = "TLP:CLEAR"
-        hash = "cb6219e2b6577b8d4a18114d595e10d7"
-        hash = "d0a251709c24a8f4c26d456dea22d90f"
-        
-    strings:
-        $ = "Unload Driver Error 1"
-        $ = "Failed to create pipe. Error %d"
-        $ = "icacls \"%s\" /grant Everyone:(F)"
-        $ = "Register MiniFilter Callback driver:"
-        $ = "The driver's certificate has been revoked,"
-        $ = "[Success] Killed %s(%s)."
-        $ = "ntoskrnl.exe base address not found."
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        4 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_reversessh_strings.yar b/yara_rules/sekoiaio_tool_reversessh_strings.yar
deleted file mode 100644
index 08cb04b..0000000
--- a/yara_rules/sekoiaio_tool_reversessh_strings.yar
+++ /dev/null
@@ -1,26 +0,0 @@
-rule sekoiaio_tool_reversessh_strings {
-    meta:
-        id = "b20c2c8e-3910-4545-a87a-3d428283a447"
-        version = "1.0"
-        description = "Detects reverse SSH based on strings"
-        author = "Sekoia.io"
-        creation_date = "2024-04-16"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $fun_1 = "createLocalPortForwardingCallback"
-        $fun_2 = "createReversePortForwardingCallback"
-        $fun_3 = "createPasswordHandler"
-        $fun_4 = "createPublicKeyHandler"
-        $fun_5 = "createSFTPHandler"
-        $fun_6 = "dialHomeAndListen"
-        $fun_7 = "createExtraInfoHandler"
-        $fun_8 = "createSSHSessionHandler"
-        $fun_9 = "createReversePortForwardingCallback"
-        $proj_1 = "github.com/Fahrj/reverse-ssh"
-        
-    condition:
-        any of ($proj_*) or
-        4 of ($fun_*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_revsocks_strings.yar b/yara_rules/sekoiaio_tool_revsocks_strings.yar
deleted file mode 100644
index ff09e43..0000000
--- a/yara_rules/sekoiaio_tool_revsocks_strings.yar
+++ /dev/null
@@ -1,26 +0,0 @@
-rule sekoiaio_tool_revsocks_strings {
-    meta:
-        id = "f5f34e74-0795-4c81-a385-218a8197a0b7"
-        version = "1.0"
-        description = "Detects revsocks client"
-        author = "Sekoia.io"
-        creation_date = "2024-03-07"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "reverse socks5 server/client by kost" ascii fullword
-        $ = "github.com/kost/"
-        $ = "revsocks -listen"
-        $ = "Start on the DNS server: revsocks -dns"
-        $ = "crypto/aes."
-        
-    condition:
-        ( uint32be(0) == 0x7f454c46 or 
-          uint16be(0) == 0x4d5a or 
-          uint32be(0) == 0xfeedface or 
-          uint32be(0) == 0xfeedfacf or 
-          uint32be(0) ==  0xcafebabe or
-          uint32be(0) ==  0xCFFAEDFE) and
-        3 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_rsockstun_strings.yar b/yara_rules/sekoiaio_tool_rsockstun_strings.yar
deleted file mode 100644
index 7fa8a0c..0000000
--- a/yara_rules/sekoiaio_tool_rsockstun_strings.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_tool_rsockstun_strings {
-    meta:
-        id = "94d8cb39-3421-441c-8404-62a591b86912"
-        version = "1.0"
-        description = "Detects Rsockstun based on strings"
-        author = "Sekoia.io"
-        creation_date = "2023-12-22"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "main.connectviaproxy"
-        $ = "main.connectForSocks"
-        $ = "main.listenForClients"
-        $ = "main.listenForSocks"
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
-        filesize < 10MB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_rubeus_strings.yar b/yara_rules/sekoiaio_tool_rubeus_strings.yar
deleted file mode 100644
index 32606a0..0000000
--- a/yara_rules/sekoiaio_tool_rubeus_strings.yar
+++ /dev/null
@@ -1,25 +0,0 @@
-rule sekoiaio_tool_rubeus_strings {
-    meta:
-        id = "df1860d0-ec34-4c2d-bd83-5f16b26d075c"
-        version = "1.0"
-        description = "Detects Rubeus"
-        author = "Sekoia.io"
-        creation_date = "2024-03-22"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = ".Ndr.RPC_DISPATCH_TABLE32"
-        $ = ".Ndr.RPC_PROTSEQ_ENDPOINT32"
-        $ = ".Ndr.RPC_SERVER_INTERFACE32"
-        $ = ".Ndr.NDR_EXPR_DESC32"
-        $ = "$krb5tgs${0}$*{1}${2}${3}*${4}${5}" wide
-        $ = "$krb5asrep$23${0}@{1}:{2}" wide
-        $ = "Unable to decrypt the EncTicketPart using key:" wide
-        $ = "[*] Target service  : {0:x}" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 1MB and
-        5 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_runpeinmemory_strings.yar b/yara_rules/sekoiaio_tool_runpeinmemory_strings.yar
deleted file mode 100644
index ed21de1..0000000
--- a/yara_rules/sekoiaio_tool_runpeinmemory_strings.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_tool_runpeinmemory_strings {
-    meta:
-        id = "64129ab0-b599-4760-ab21-20c475c2c07f"
-        version = "1.0"
-        description = "Detects standard implementation of RunPEInMemory"
-        author = "Sekoia.io"
-        creation_date = "2024-05-23"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "[+] Fix Import Address Table"
-        $ = "[+] Relocation Fixed."
-        $ = "[+] File %s isn't a PE file."
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 500KB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_safetykatz.yar b/yara_rules/sekoiaio_tool_safetykatz.yar
deleted file mode 100644
index 27d4a5f..0000000
--- a/yara_rules/sekoiaio_tool_safetykatz.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_tool_safetykatz {
-    meta:
-        id = "90f93244-38a7-4574-87c6-15d494e9173b"
-        version = "1.0"
-        author = "Sekoia.io"
-        creation_date = "2023-06-23"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "SafetyKatz" ascii fullword
-        $s2 = "get_mimikatz" ascii fullword
-        $s3 = "$8347e81b-89fc-42a9-b22c-f59a6a572dec" ascii fullword
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
-        filesize < 1MB and 
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_scanline_strings.yar b/yara_rules/sekoiaio_tool_scanline_strings.yar
deleted file mode 100644
index 0a6bb68..0000000
--- a/yara_rules/sekoiaio_tool_scanline_strings.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_tool_scanline_strings {
-    meta:
-        id = "65677b81-d077-4d01-8398-cbb06ce49edf"
-        version = "1.0"
-        description = "Detects scanline (non-packed)"
-        author = "Sekoia.io"
-        creation_date = "2024-09-06"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "Resolve IP addresses to hostnames"
-        $ = "Randomize IP and port scan order"
-        $ = "?bhijnprsT"
-        $ = "sl -bht"
-        
-    condition:
-        uint16be(0) == 0x4d5a and 3 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_sharpefspotato_strings.yar b/yara_rules/sekoiaio_tool_sharpefspotato_strings.yar
deleted file mode 100644
index ede2812..0000000
--- a/yara_rules/sekoiaio_tool_sharpefspotato_strings.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_tool_sharpefspotato_strings {
-    meta:
-        id = "4286c72b-c0b9-4d2c-9847-68fc39ed4894"
-        version = "1.0"
-        description = "Detects SharpEfsPotato based on strings"
-        author = "Sekoia.io"
-        creation_date = "2023-06-20"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "Program to launch (default cmd.exe)" wide
-        $ = "[!] Cannot perform interception, necessary privileges missing." wide
-        $ = "[!] Failed to created impersonated process with token:" wide
-        $ = "No authenticated interception took place, exploit failed"
-        
-    condition:
-        uint16be(0) == 0x4d5a and 3 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_sharphoundexecutable_strings.yar b/yara_rules/sekoiaio_tool_sharphoundexecutable_strings.yar
deleted file mode 100644
index 6e6f9f6..0000000
--- a/yara_rules/sekoiaio_tool_sharphoundexecutable_strings.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_tool_sharphoundexecutable_strings {
-    meta:
-        id = "2cf8046e-5b4d-4ff7-b4b2-7aaeaf58883b"
-        version = "1.0"
-        description = "Detects the SharpHound tool"
-        author = "Sekoia.io"
-        creation_date = "2022-08-11"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "BloodHoundLoopResults.zip" wide
-        $ = "[-] Removed PSRemote Collection" wide
-        $ = "Initializing SharpHound at {time} on {date}" wide
-        $ = "[SearchForest] Cross-domain enumeration may result in reduced data quality" wide
-        $ = "SharpHound Enumeration Completed at {Time} on {Date}! Happy Graphing!" wide
-        $ = "Consumer task on thread {id} completed" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        3 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_sharphoundpowershell_strings.yar b/yara_rules/sekoiaio_tool_sharphoundpowershell_strings.yar
deleted file mode 100644
index b828192..0000000
--- a/yara_rules/sekoiaio_tool_sharphoundpowershell_strings.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_tool_sharphoundpowershell_strings {
-    meta:
-        id = "f27a0bdc-1a8c-43f9-843c-6c8506726f37"
-        version = "1.0"
-        description = "Detects SharpHound Powershell"
-        author = "Sekoia.io"
-        creation_date = "2022-08-11"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "function Invoke-BloodHound"
-        $ = "$vars.Add($RealDNSName)"
-        $ = "$vars.Add($Jitter)"
-        $ = "CmdletBinding(PositionalBinding = $false)"
-        $ = ").Invoke($Null, @(,$passed))"
-        $ = "$EncodedCompressedFile ="
-        
-    condition:
-        filesize < 2MB and 4 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_sharpnbtscan_strings.yar b/yara_rules/sekoiaio_tool_sharpnbtscan_strings.yar
deleted file mode 100644
index fa28588..0000000
--- a/yara_rules/sekoiaio_tool_sharpnbtscan_strings.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_tool_sharpnbtscan_strings {
-    meta:
-        id = "e9d28dcb-b4b1-4d66-b225-ed0925f307d9"
-        version = "1.0"
-        description = "Detects SharpNBTScan based on strings"
-        author = "Sekoia.io"
-        creation_date = "2024-09-09"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "[+]Udp client will stop in 10 s ..." ascii wide
-        $ = "[*]Stop udp client ..." ascii wide
-        $ = "[*]Start udp client ..." ascii wide
-        $ = "[+] ip range {0} - {1} " ascii wide
-        
-    condition:
-        uint32be(0) == 0x5A4D and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_sharpsecdump.yar b/yara_rules/sekoiaio_tool_sharpsecdump.yar
deleted file mode 100644
index 6a71776..0000000
--- a/yara_rules/sekoiaio_tool_sharpsecdump.yar
+++ /dev/null
@@ -1,20 +0,0 @@
-rule sekoiaio_tool_sharpsecdump {
-    meta:
-        id = "359bf48b-81c8-4d12-ac02-777d4865411a"
-        version = "1.0"
-        author = "Sekoia.io"
-        creation_date = "2023-06-23"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "SharpSecDump"
-        $s2 = "e2fdd6cc-9886-456c-9021-ee2c47cf67b7"
-        $s3 = "Md4Hash2"
-        $s4 = "RidToKey"
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
-        filesize < 1MB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_soaphound_strings.yar b/yara_rules/sekoiaio_tool_soaphound_strings.yar
deleted file mode 100644
index 3e76324..0000000
--- a/yara_rules/sekoiaio_tool_soaphound_strings.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_tool_soaphound_strings {
-    meta:
-        id = "adf48506-f07d-445a-83cc-0aed3b6b55eb"
-        version = "1.0"
-        description = "Detects SOAPHound based on strings"
-        author = "Sekoia.io"
-        creation_date = "2024-11-12"
-        classification = "TLP:CLEAR"
-        hash = "b2a953590d75213388473fb51e6b5f2f"
-        
-    strings:
-        $ = "Output files generated in" wide
-        $ = "(&(cn=*)(!(cn=a*))(!(cn=b*))" wide
-        $ = "unicodePassword" wide
-        $ = "net.tcp://localhost:9389/ActiveDirectoryWebServices/" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize < 2MB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_ssf_strings.yar b/yara_rules/sekoiaio_tool_ssf_strings.yar
deleted file mode 100644
index 718c779..0000000
--- a/yara_rules/sekoiaio_tool_ssf_strings.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule sekoiaio_tool_ssf_strings {
-    meta:
-        id = "47fc3df8-a153-4045-a5f0-ed30df662984"
-        version = "1.0"
-        description = "Detects SSF based on strings"
-        author = "Sekoia.io"
-        creation_date = "2024-05-31"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "could NOT read SSF reply"
-        $ = "SSF reply NOT ok {}"
-        $ = "SSF reply OK"
-        $ = "SSF protocol error {}"
-        $ = "SSF reply ok"
-        $ = "SSF version NOT read {}"
-        $ = "SSF version {}"
-        $ = "SSF version NOT supported {}"
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
-        4 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_swor.yar b/yara_rules/sekoiaio_tool_swor.yar
deleted file mode 100644
index 318dcef..0000000
--- a/yara_rules/sekoiaio_tool_swor.yar
+++ /dev/null
@@ -1,25 +0,0 @@
-rule sekoiaio_tool_swor {
-    meta:
-        id = "75ce2ed7-2972-4e04-98dc-451acf80c842"
-        version = "1.0"
-        description = "Detects swor"
-        author = "Sekoia.io"
-        creation_date = "2024-09-09"
-        classification = "TLP:CLEAR"
-        hash = "d3f92b3349109fc6de26f5e40800fec15308c27fa4fe81fe42af5030637a3a63"
-        
-    strings:
-        $old_sword_s1 = "Failed to open payload file: "
-        $old_sword_s2 = "Failed to open config file: "
-        $sword_s1 = "open encrypted file error: "
-        $sword_s2 = "open config file error: "
-        $enum_calendar = "EnumCalendarInfo"
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        $enum_calendar and 
-        (2 of ($old_sword_s*) or 2 of ($sword_s*)) and
-        filesize <1MB and 
-        true
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_sy_runas.yar b/yara_rules/sekoiaio_tool_sy_runas.yar
deleted file mode 100644
index 1dc4570..0000000
--- a/yara_rules/sekoiaio_tool_sy_runas.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_tool_sy_runas {
-    meta:
-        id = "cb1f3707-6716-49b5-9fe0-45c5baf2e491"
-        version = "1.0"
-        author = "Sekoia.io"
-        creation_date = "2023-08-23"
-        classification = "TLP:CLEAR"
-        author = "Sekoia.io"
-        
-    strings:
-        $s1 = "Sy_Runas.exe" ascii wide
-        $s2 = "password *.exe" ascii wide
-        $s3 = "This tools just work on webshell" ascii wide
-        $s4 = "Code By slls124@gmail.com" ascii wide
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
-        filesize < 4MB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_tacticalrmm_installer_strings.yar b/yara_rules/sekoiaio_tool_tacticalrmm_installer_strings.yar
deleted file mode 100644
index c3b9a40..0000000
--- a/yara_rules/sekoiaio_tool_tacticalrmm_installer_strings.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_tool_tacticalrmm_installer_strings {
-    meta:
-        id = "c4a0ba33-b458-4c2a-abfa-4c33481d6491"
-        version = "1.0"
-        description = "Detects TacticalRMM installer"
-        author = "Sekoia.io"
-        creation_date = "2024-05-23"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "TacticalRMMInstaller" ascii
-        $ = "tacticalagent-" ascii
-        $ = "tactical/go" ascii
-        $ = "tacticalrmm." ascii
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
-        filesize > 3MB and filesize < 8MB and
-        3 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_tokenplayer_strings.yar b/yara_rules/sekoiaio_tool_tokenplayer_strings.yar
deleted file mode 100644
index a8e874f..0000000
--- a/yara_rules/sekoiaio_tool_tokenplayer_strings.yar
+++ /dev/null
@@ -1,26 +0,0 @@
-rule sekoiaio_tool_tokenplayer_strings {
-    meta:
-        id = "74ed8812-f113-47a9-9ff2-6cbe2746ee11"
-        version = "1.0"
-        description = "Detects TokenPlayer based on strings"
-        author = "Sekoia.io"
-        creation_date = "2024-11-04"
-        classification = "TLP:CLEAR"
-        hash = "f01eae4ee3cc03d621be7b0af7d60411"
-        
-    strings:
-        $ = "[*]Spawning Process as user: %s\\%s" wide
-        $ = "[-]Target isn't vulnerable!"
-        $ = "[+]Process spawned!"
-        $ = "[+]Process Spawned"
-        $ = "[+]OpenProcessToken() success!"
-        $ = "CreateProcessWithLogonW() error : % u"
-        $ = "[+]CreateProcessWithLogonW() succeed!"
-        $ = "TokenPlayer.pdb"
-        
-    condition:
-        uint16be(0) == 0x4d5a and 
-        5 of them and 
-        filesize < 500KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_webshell_b374k_strings.yar b/yara_rules/sekoiaio_tool_webshell_b374k_strings.yar
deleted file mode 100644
index b557c95..0000000
--- a/yara_rules/sekoiaio_tool_webshell_b374k_strings.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_tool_webshell_b374k_strings {
-    meta:
-        id = "f53fc668-e1fc-4b85-b850-59aceefb6418"
-        version = "1.0"
-        description = "Detects b374k webshell"
-        author = "Sekoia.io"
-        creation_date = "2024-09-06"
-        classification = "TLP:CLEAR"
-        hash = "1d27b23fceecbb9e854c41f6a8fb878e"
-        hash = "71fd853a3f3efc3dc2846e866187ee59"
-        hash = "187e001c32487d0d68197ddb7e7796c3"
-        hash = "6eac497dfc1020a8475e95542fad197e"
-        hash = "61c6a0bc15efa442853f04bb276ac96e"
-        
-    strings:
-        $ = "$func('$x','ev'.'al'.'("
-        $ = "(ba'.'se'.'64'.'_de'.'co'.'de($x)))"
-        
-    condition:
-        2 of them and filesize < 1MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_win_blackfly_proxy_config.yar b/yara_rules/sekoiaio_tool_win_blackfly_proxy_config.yar
deleted file mode 100644
index 390e3f6..0000000
--- a/yara_rules/sekoiaio_tool_win_blackfly_proxy_config.yar
+++ /dev/null
@@ -1,30 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_tool_win_blackfly_proxy_config {
-    meta:
-        id = "c8a8be5d-bd28-4306-9466-ad582e53fede"
-        version = "1.0"
-        description = "Detect Blackfly proxy configuration tool"
-        author = "Sekoia.io"
-        creation_date = "2023-02-28"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "c:\\ProgramData\\l.dat"
-        $ = "C:\\ProgramData\\b.dat"
-        $ = "winmm_DotNetfile.dll"
-        
-    condition:
-        pe.imphash() == "ff47f65286cc51a1328bc94efbf4007f"
-        or for any i in (0..pe.number_of_sections-1) : (
-            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "f5923d4331f7e84fbbbd6fd84b6d3e6a"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "56acc10233c711a4eba9ca9aeab47e30"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "824dcebe93ac83bf5c95c781a60b3578"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "ec716a08b5e647f5c00c5dfc079dfa62"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "5cb63f7392c9e05c22e89cd86bd7f718"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "ee04e245066e25edd3062d823f15deda"
-        )
-        or (uint16(0)==0x5A4D and 1 of them)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_win_driverjack.yar b/yara_rules/sekoiaio_tool_win_driverjack.yar
deleted file mode 100644
index f348fdc..0000000
--- a/yara_rules/sekoiaio_tool_win_driverjack.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_tool_win_driverjack {
-    meta:
-        id = "08bc0fe8-38f1-4c73-99c8-2659b4a55815"
-        version = "1.0"
-        author = "Sekoia.io"
-        creation_date = "2024-09-11"
-        classification = "TLP:CLEAR"
-        hash = "649fc12915bdcdebbc3798a8ad0b9b32"
-        reference = "https://github.com/klezVirus/DriverJack/blob/master/DriverJack"
-        
-    strings:
-        $ = "(*) Decrypting %llu bytes of file content using key '%s' of length %u..."
-        $ = "(*) Modifying file %s in mapped drive..."
-        $ = "(*) Checking file %s in mapped drive..."
-        $ = "(-) CreateProcess failed '%s' (%08x)."
-        $ = "(*) Mounted Drive Letter: %s"
-        
-    condition:
-        uint16be(0) == 0x4d5a and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_win_forkplayground.yar b/yara_rules/sekoiaio_tool_win_forkplayground.yar
deleted file mode 100644
index fa7ce98..0000000
--- a/yara_rules/sekoiaio_tool_win_forkplayground.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_tool_win_forkplayground {
-    meta:
-        id = "ec9af403-7647-447d-af17-c6931363a166"
-        version = "1.0"
-        description = "Detect the ForkPlayground malware"
-        author = "Sekoia.io"
-        creation_date = "2023-02-28"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "Failed to open dump file %s with the last error %i."
-        $ = "Successfully dumped process %i to %s"
-        $ = "ForkPlayground"
-        $ = "Second attempt at taking a snapshot of the target failed. It is likely that there is a difference in process privilege or the handle was stripped."
-        $ = "Failed to take a snapshot of the target process. Attempting to escalate debug privilege..."
-        $ = "Failed to escalate debug privileges, are you running ForkDump as Administrator"
-        
-    condition:
-        uint16(0)==0x5A4D and 1 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_win_gosecretsdump.yar b/yara_rules/sekoiaio_tool_win_gosecretsdump.yar
deleted file mode 100644
index e93c1cd..0000000
--- a/yara_rules/sekoiaio_tool_win_gosecretsdump.yar
+++ /dev/null
@@ -1,28 +0,0 @@
-rule sekoiaio_tool_win_gosecretsdump {
-    meta:
-        id = "9225fe95-e37c-48ff-b5b5-680f255349bd"
-        version = "1.0"
-        description = "Finds gosecretsdump EXE based on strings"
-        author = "Sekoia.io"
-        reference = "https://github.com/C-Sto/gosecretsdump/releases"
-        creation_date = "2024-06-10"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "github.com/C-Sto/gosecretsdump" ascii
-        $str02 = "/pkg/esent" ascii
-        $str03 = "/pkg/ditreader" ascii
-        $str04 = "/pkg/samreader" ascii
-        $str05 = "ntdsFileLocation" ascii
-        $str06 = "NTDSLoc" ascii
-        $str07 = "SAMEntries" ascii
-        $str08 = "SAMHashAES" ascii
-        $str09 = "NTLMHash" ascii
-        $str10 = "HasNoLMHashPolicy" ascii
-        $str11 = "PreviousIncBackup" ascii
-        $str12 = "Esent_record" ascii
-        
-    condition:
-        uint16(0)==0x5A4D and 7 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_win_lightrail.yar b/yara_rules/sekoiaio_tool_win_lightrail.yar
deleted file mode 100644
index 5f79f57..0000000
--- a/yara_rules/sekoiaio_tool_win_lightrail.yar
+++ /dev/null
@@ -1,25 +0,0 @@
-rule sekoiaio_tool_win_lightrail {
-    meta:
-        id = "39259f2c-11fe-4edd-8a9e-f36920132272"
-        version = "1.0"
-        description = "Detect the LIGHTRAIL tunneler used by UNC1549"
-        author = "Sekoia.io"
-        creation_date = "2024-02-29"
-        classification = "TLP:CLEAR"
-        reference = "https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east"
-        hash1 = "e7ddab967b0487827db069833221aa2fe4ca05f7cda976cbc528ecb306a22774"
-        hash2 = "4ecd511d9654f7fd66a61eb4ab6d7153040b5092d1594ff39935f01fbdbd4914"
-        hash3 = "3472bc8ed6182eb17811c97ada7ebd48034ad09b6a7062b341fe09818d7a309f"
-        hash4 = "ec7b97092278123f0c0613c5f9252eeccf55265d4aa5f2cfed57a63ebf3530ac"
-        hash5 = "8f3757b8f5888a1303af71cbc1a106927d3d6c45552ee192c3ed0347804c2194"
-        hash6 = "8b47b5ed1ed7afcc9194e1350d4e1996bd91ca3204747b586f309f4609a1a4cc"
-        
-    strings:
-        $s1 = "lastenzug.dll"
-        $s2 = "Lastenzug.dll"
-        $azure = ".cloudapp.azure.com" wide
-        
-    condition:
-        uint16be(0)==0x4d5a and 1 of ($s*) and $azure
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_win_sharpshares.yar b/yara_rules/sekoiaio_tool_win_sharpshares.yar
deleted file mode 100644
index b338514..0000000
--- a/yara_rules/sekoiaio_tool_win_sharpshares.yar
+++ /dev/null
@@ -1,27 +0,0 @@
-rule sekoiaio_tool_win_sharpshares {
-    meta:
-        id = "ef90d573-12f8-4216-9a9e-96e7d1e841d0"
-        version = "1.0"
-        description = "Finds sharpshares EXE based on strings"
-        author = "Sekoia.io"
-        reference = "https://github.com/mitchmoser/SharpShares/releases"
-        creation_date = "2024-06-10"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "<GetAllShares>b__0" ascii
-        $str02 = "<SearchLDAP>b__0_0" ascii
-        $str03 = "get_AccessControlType" ascii
-        $str04 = "get_IdentityReference" ascii
-        $str05 = "get_PropertiesToLoad" ascii
-        $str06 = "SharpShares\\obj\\Release\\SharpShares.pdb" ascii
-        $str07 = "/filter:SYSVOL,NETLOGON,IPC$,PRINT$" wide
-        $str08 = "/threads:50 /ldap:servers" wide
-        $str09 = "SharpShares.exe" ascii wide
-        $str10 = "[+] LDAP Search Results:" wide
-        $str11 = "[+] Finished Enumerating Shares" wide
-        
-    condition:
-        uint16(0)==0x5A4D and 6 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_win_snap2html.yar b/yara_rules/sekoiaio_tool_win_snap2html.yar
deleted file mode 100644
index ef8cc2c..0000000
--- a/yara_rules/sekoiaio_tool_win_snap2html.yar
+++ /dev/null
@@ -1,27 +0,0 @@
-rule sekoiaio_tool_win_snap2html {
-    meta:
-        id = "9865daac-f23b-417e-813e-cbed03f45161"
-        version = "1.0"
-        description = "Finds Snap2HTML samples based on specific strings. Legitimate tool used by ransomware affiliates to perform discovery"
-        author = "Sekoia.io"
-        creation_date = "2024-02-08"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "Snap2HTML.exe" fullword wide ascii
-        $str02 = "Snap2HTML.Properties" ascii
-        $str03 = "set_txtRoot" ascii
-        $str04 = "set_chkHidden" ascii
-        $str05 = "set_chkSystem" ascii
-        $str06 = "set_chkLinkFiles" ascii
-        $str07 = "set_txtLinkRoot" ascii
-        $str08 = "set_chkOpenOutput" ascii
-        $str09 = "set_txtTitle" ascii
-        $str10 = "get_CancellationPending" ascii
-        $str11 = "set_RootFolder" ascii
-        $str12 = "add_SettingsLoaded" ascii
-        
-    condition:
-        uint16(0) == 0x5a4d and 7 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_xiebroc2_strings.yar b/yara_rules/sekoiaio_tool_xiebroc2_strings.yar
deleted file mode 100644
index d9f204d..0000000
--- a/yara_rules/sekoiaio_tool_xiebroc2_strings.yar
+++ /dev/null
@@ -1,41 +0,0 @@
-rule sekoiaio_tool_xiebroc2_strings {
-    meta:
-        id = "8451878e-5371-440b-b8ac-f9e6f7643d3c"
-        version = "1.0"
-        description = "Detects XiebroC2 based on strings"
-        author = "Sekoia.io"
-        creation_date = "2024-09-11"
-        classification = "TLP:CLEAR"
-        hash = "84e665bcbf963a2cf67d879aa3422d79"
-        hash = "3558c376420724694ba244a2e2acd20c"
-        hash = "e29fb9cd825db51a7a2e519f188e61ba"
-        hash = "a3b31739ad5eed51277c8478a83160a3"
-        hash = "d6e2499ea7fe8f047da1a95dae16d2c3"
-        hash = "1616818b65bf49d985bb1816461a4a75"
-        hash = "2e72d3ef2492088a4623d77d5e419ab8"
-        hash = "351770f860507d652ec3644ed1988f7f"
-        hash = "58fa6ad96028753ba8b0b0ed8fa6dccb"
-        hash = "607b541525b27eeefbef1455397bff35"
-        hash = "c2a242612468814e2e951e4db3762059"
-        hash = "431e275f4e43ec4ef7c2cc8ba126e9d3"
-        hash = "ace54bd32c226a7b9a6d4d53791e4021"
-        hash = "f22c21ed7bba1ddfc42ffdc66da3a4dd"
-        hash = "9a5ff9e07ed04cb0e71102cf1aae380c"
-        hash = "d20e01a1af3f40a7a9646d7e7df1b42e"
-        hash = "5544b621c9772cd32c4db77a0e59515a"
-        
-    strings:
-        $s1 = "RemarkClientColor"
-        $s2 = "HandlePacket"
-        $s3 = "-hide"
-        $s4 = "Failed to send data:"
-        $s5 = "Pac_ket"
-        $s6 = "WANip"
-        $s7 = "%s %s && Kernel: %s"
-        $g1 = "go.buildid"
-        $g2 = "dep    golang.org"
-        
-    condition:
-        3 of ($s*) and any of ($g*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_tool_yasso_strings.yar b/yara_rules/sekoiaio_tool_yasso_strings.yar
deleted file mode 100644
index 1b2dfb7..0000000
--- a/yara_rules/sekoiaio_tool_yasso_strings.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_tool_yasso_strings {
-    meta:
-        id = "31ec7510-6770-4fde-b835-e8b12f8f2b30"
-        version = "1.0"
-        description = "Detects Yasso based on strings"
-        author = "Sekoia.io"
-        creation_date = "2023-06-21"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "Yasso/cmd.setting"
-        $ = "Yasso/cmd.Client"
-        $ = "Yasso/cmd.IdentifyResult"
-        $ = "Yasso/cmd.RespLab"
-        $ = "Go build ID"
-        
-    condition:
-        uint16be(0) == 0x4d5a and 
-        filesize > 15MB and filesize < 20MB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_trojan_and_keepspy.yar b/yara_rules/sekoiaio_trojan_and_keepspy.yar
deleted file mode 100644
index 5624e8f..0000000
--- a/yara_rules/sekoiaio_trojan_and_keepspy.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-rule sekoiaio_trojan_and_keepspy {
-    meta:
-        id = "9390e7c8-a996-45cc-b642-c23d4b7dcf34"
-        version = "1.0"
-        description = "Finds KeepSpy samples based on specific strings"
-        author = "Sekoia.io"
-        creation_date = "2023-06-28"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str01 = "Characters entered %1$d of %2$d" ascii
-        $str02 = "com.google.android.material.behavior.HideBottomViewOnScrollBehavior" ascii
-        $str03 = "com/j256/ormlite/core/VERSION.txt" ascii
-        $str04 = "res/raw/empty.wav" ascii
-        $str05 = "res/mipmap/ic_launcher.png" ascii
-        $str06 = "res/interpolator/fast_out_slow_in.xml" ascii
-        $str07 = "OnePixelActivity" ascii
-        
-    condition:
-        uint32be(0) == 0x504B0304 and 6 of them 
-        and filesize > 2MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_trojan_android_brata.yar b/yara_rules/sekoiaio_trojan_android_brata.yar
deleted file mode 100644
index f577605..0000000
--- a/yara_rules/sekoiaio_trojan_android_brata.yar
+++ /dev/null
@@ -1,30 +0,0 @@
-rule sekoiaio_trojan_android_brata {
-    meta:
-        id = "fde9b82e-c677-44ed-b512-b225a3aba201"
-        author = "Sekoia.io"
-        creation_date = "2022-01-27"
-        description = "Detect samples of the Android banking trojan BRATA"
-        version = "1.0"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $goo0 = "Google Play services error"
-        $goo1 = "Error de Serveis de Google Play"
-        $goo2 = "Fehler bei Zugriff auf Google Play-Dienste"
-        $goo3 = "Erro nos servizos de Google Play"
-        $goo4 = "Fout met Google Play-services"
-        $goo5 = "Virhe Google Play -palveluissa"
-        $goo6 = "Erro do Google Play Services"
-        $goo7 = "Error de Google Play Services"
-        
-        $res0 = "res/xml/device_admin.xml"
-        $res1 = "res/xml/windowchangedetectingservice.xml"
-        $res2 = "res/xml-v22/windowchangedetectingservice.xml"
-        
-    condition:
-        uint32be(0) == 0x504B0304
-        and filesize > 2MB
-        and filesize < 6MB
-        and 7 of ($goo*) and 2 of ($res*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_trojan_android_cerberus.yar b/yara_rules/sekoiaio_trojan_android_cerberus.yar
deleted file mode 100644
index 6a4b7dc..0000000
--- a/yara_rules/sekoiaio_trojan_android_cerberus.yar
+++ /dev/null
@@ -1,27 +0,0 @@
-rule sekoiaio_trojan_android_cerberus {
-    meta:
-        id = "3ea398bd-a80c-40f4-ad52-73b528add4ad"
-        author = "Sekoia.io"
-        creation_date = "2022-01-24"
-        description = "Detect samples of the Android banking trojan Cerberus, or its family"
-        version = "1.0"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $str0 = "assets/neurax.txt"
-        $str1 = "assets/Card_UpPotency_UI.json"
-        $str2 = "assets/Card_SignetFoster_UI.json"
-        $str3 = "assets/Gene_EmpathyTrainer.png"
-        
-        $bin0 = "assets/180417.bin"
-        $bin1 = "assets/180513.bin"
-        $bin2 = "assets/180527.bin"
-        $bin3 = "assets/180528.bin"
-        
-    condition:
-        uint32be(0) == 0x504B0304
-        and filesize > 1MB
-        and filesize < 4MB
-        and 3 of ($str*) and 3 of ($bin*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_trojan_android_xenomorph.yar b/yara_rules/sekoiaio_trojan_android_xenomorph.yar
deleted file mode 100644
index 3a1be6b..0000000
--- a/yara_rules/sekoiaio_trojan_android_xenomorph.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_trojan_android_xenomorph {
-    meta:
-        id = "ec65ca1b-e71f-4772-8be0-2a2b6a690987"
-        author = "Sekoia.io"
-        creation_date = "2022-02-25"
-        description = "Detect samples of the Android banking trojan Xenomorph"
-        version = "1.0"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ass0 = "assets/shadows/knife_shadow_"
-        $ass1 = "assets/knife_"
-        $ass2 = "okhttp3"
-        
-    condition:
-        uint32be(0) == 0x504B0304
-        and filesize > 1MB
-        and filesize < 4MB
-        and #ass0 > 10 and #ass1 > 10 and $ass2
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_trojan_win_bazarloader_setscreen.yar b/yara_rules/sekoiaio_trojan_win_bazarloader_setscreen.yar
deleted file mode 100644
index c23a426..0000000
--- a/yara_rules/sekoiaio_trojan_win_bazarloader_setscreen.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_trojan_win_bazarloader_setscreen {
-    meta:
-        id = "fe2709e5-5cdd-4e52-8ab4-79a56a60bef8"
-        author = "Sekoia.io"
-        creation_date = "2022-02-02"
-        description = "Finds BazarLoader DLL using setscreen as exported entry. (I know this rule is bad but I wanted to experiment YARA rule writing on this specific dll exported entry setscreen)"
-        version = "1.0"
-        classification = "TLP:CLEAR"
-        hash1 = "716f2ae73525362939d52104e809ea9da5e031f9d31f0b53d8de77df989c8b85"
-        hash2 = "cf53b4386f5efb01cd84a8aa13f240b83ce152e8984233fa3ea440f01dcc0131"
-        
-    strings:
-        $entry = {44 89 4c 24 ?? 4c 89 44 24 ?? (eb 1a|3a ff 74 0b)}
-        $second = {48 89 54 24 ?? 48 89 4c 24 ?? (eb e9|66 3b e4 74 05) 48 83 c4 ?? c3}
-        
-    condition:
-        $second in (@entry..@entry+50)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_trojan_win_bbtok_dll1_sep23.yar b/yara_rules/sekoiaio_trojan_win_bbtok_dll1_sep23.yar
deleted file mode 100644
index 66d6a1c..0000000
--- a/yara_rules/sekoiaio_trojan_win_bbtok_dll1_sep23.yar
+++ /dev/null
@@ -1,29 +0,0 @@
-rule sekoiaio_trojan_win_bbtok_dll1_sep23 {
-    meta:
-        id = "eebed24b-24ec-4a85-852c-52d0acc9a698"
-        version = "1.0"
-        description = "Finds BBTok installation DLL file"
-        author = "Sekoia.io"
-        reference = "https://research.checkpoint.com/2023/behind-the-scenes-of-bbtok-analyzing-a-bankers-server-side-components/"
-        creation_date = "2023-09-26"
-        classification = "TLP:CLEAR"
-        hash = "5353956345206982af9bde55300fc405ba6e40722e8f51e8717c30ad32bc8f91"
-        
-    strings:
-        $str01 = "C:\\Windows\\System32\\rundll32.exe" wide
-        $str02 = "C:\\ProgramData\\mmd.exe" wide
-        $str03 = "REG ADD HKCU\\Software\\Classes\\.pwn\\Shell\\Open\\command -ve /d" wide
-        $str04 = "C:\\ProgramData\\mmd.exe \\\\" wide
-        $str05 = "\\file\\Trammy.dll" wide
-        $str06 = "Dacl & REG DELETE HKCU\\Software\\Classes\\ms-settings /f" wide
-        $str07 = "REG DELETE  HKCU\\Software\\Classes\\.pwn /f" wide
-        $str08 = "REG ADD HKCU\\Software\\Classes\\ms-settings\\CurVer -ve /d \".pwn\" /f" wide
-        $str09 = "timeout /t 3 >nul & start /MIN computerdefaults.exe" wide
-        $str10 = "set_StartInfo" ascii
-        $str11 = "set_WindowStyle" ascii
-        
-    condition:
-        uint16(0)==0x5a4d and 7 of them
-        and filesize < 50KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_trojan_win_bbtok_iso_sep23.yar b/yara_rules/sekoiaio_trojan_win_bbtok_iso_sep23.yar
deleted file mode 100644
index bd5bae9..0000000
--- a/yara_rules/sekoiaio_trojan_win_bbtok_iso_sep23.yar
+++ /dev/null
@@ -1,23 +0,0 @@
-rule sekoiaio_trojan_win_bbtok_iso_sep23 {
-    meta:
-        id = "6032853d-b872-4b2e-913d-366e7f3d0f32"
-        version = "1.0"
-        description = "Finds BBTok installation ISO file"
-        author = "Sekoia.io"
-        reference = "https://research.checkpoint.com/2023/behind-the-scenes-of-bbtok-analyzing-a-bankers-server-side-components/"
-        creation_date = "2023-09-26"
-        classification = "TLP:CLEAR"
-        hash = "140e83d2e0d012cdd5625ea89c3b3af05a80877cfc8215bbe20823e7e88c80b1"
-        
-    strings:
-        $iso = {43 44 30 30 31} //iso magic number
-        
-        $str01 = "POWERISO" ascii
-        $str02 = "%ProgramFiles(x86)%\\Microsoft\\Edge\\Application\\msedge.exe" ascii wide
-        $str03 = ".pdf /Y & start" wide
-        $str04 = "\\MSBuild.exe -nologo \\\\" ascii wide
-        
-    condition:
-        all of them and filesize < 500KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_trojan_win_bbtok_lnk_sep23.yar b/yara_rules/sekoiaio_trojan_win_bbtok_lnk_sep23.yar
deleted file mode 100644
index eb2530b..0000000
--- a/yara_rules/sekoiaio_trojan_win_bbtok_lnk_sep23.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_trojan_win_bbtok_lnk_sep23 {
-    meta:
-        id = "b1d5dae6-d92f-4a4a-ae90-528cdb3e9e4c"
-        version = "1.0"
-        description = "Finds BBTok installation LNK file"
-        author = "Sekoia.io"
-        reference = "https://research.checkpoint.com/2023/behind-the-scenes-of-bbtok-analyzing-a-bankers-server-side-components/"
-        creation_date = "2023-09-26"
-        classification = "TLP:CLEAR"
-        hash = "32bf07e3740399105359b62d8a612dfa731b024e06c9104b71b496919b5efe9e"
-        
-    strings:
-        $lnk = {4C 00 00 00} //lnk magic number
-        
-        $str01 = "%ProgramFiles(x86)%\\Microsoft\\Edge\\Application\\msedge.exe" ascii wide
-        $str02 = ".pdf /Y & start" wide
-        $str03 = "\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe -nologo" wide
-        
-    condition:
-        all of them and filesize < 10KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_trojan_win_grandoreiro.yar b/yara_rules/sekoiaio_trojan_win_grandoreiro.yar
deleted file mode 100644
index 5343948..0000000
--- a/yara_rules/sekoiaio_trojan_win_grandoreiro.yar
+++ /dev/null
@@ -1,27 +0,0 @@
-rule sekoiaio_trojan_win_grandoreiro {
-    meta:
-        version = "1.0"
-        description = "Finds Grandorerio samples based on the specific strings"
-        author = "Sekoia.io"
-        creation_date = "2022-08-24"
-        id = "e48c86a1-e34f-4945-817a-9c85198a77bb"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $mut = "ZTP@11" wide
-        
-        $reg01 = "Software\\Embarcadero\\Locales" wide
-        $reg02 = "Software\\CodeGear\\Locales" wide
-        $reg03 = "Software\\Borland\\Locales" wide
-        $reg04 = "Software\\Borland\\Delphi\\Locale" wide
-        $reg05 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes" wide
-        
-        $str01 = "SELECT * FROM AntiVirusProduct" wide
-        $str02 = "GetTickCount64" wide
-        $str03 = "C:\\Program Files (x86)\\Embarcadero\\Studio\\20.0\\lib\\Clever Internet Suite" wide
-        $str04 = "{43826D1E-E718-42EE-BC55-A1E261C37BFE}" wide
-        
-    condition:
-        uint16(0)==0x5A4D and all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_truesightkiller_avkiller_strings.yar b/yara_rules/sekoiaio_truesightkiller_avkiller_strings.yar
deleted file mode 100644
index bc32f07..0000000
--- a/yara_rules/sekoiaio_truesightkiller_avkiller_strings.yar
+++ /dev/null
@@ -1,46 +0,0 @@
-rule sekoiaio_truesightkiller_avkiller_strings {
-    meta:
-        id = "8f249ac4-5181-4169-9eb2-7d73ec4fd68d"
-        version = "1.0"
-        description = "TrueSightKiller based on string"
-        author = "Sekoia.io"
-        creation_date = "2024-10-29"
-        classification = "TLP:CLEAR"
-        hash = "891202963430a4b1dea2dc5b9af01dc5"
-        hash = "367af202029bf51fc347a8f414fa2a5c"
-        hash = "64439836d69084b129c2dc4264176149"
-        hash = "6e69b890b1c228fa4225776b185b5af7"
-        hash = "daaf7bdf1e7fd882c0bfb89450ec0ab2"
-        hash = "dcf36765ed9386c169eb2695d26f6a6f"
-        
-    strings:
-        $ = "[+] Process PID: " wide
-        $ = "[-] OpenSCManager failed" wide
-        $ = "[+] Creating service: truesight" wide
-        $ = "[+] Full path: " wide
-        $ = "[-] Error getting current directory." wide
-        $ = "[-] CreateService failed" wide
-        $ = "[!] Service is already running" wide
-        $ = "[-] QueryServiceStatus failed" wide
-        $ = "[-] StartService failed" wide
-        $ = "[+] Driver loaded successfully!" wide
-        $ = "[-] OpenService failed" wide
-        $ = "[-] ControlService failed" wide
-        $ = "[-] DeleteService failed" wide
-        $ = "Welcome to EDR/AV Killer using truesight driver!" wide
-        $ = "This is a PoC, use it at your own risk!" wide
-        $ = "[-] Failed to set CTRL+C handler. Exiting..." wide
-        $ = "ntdll.dll" wide
-        $ = "\\\\.\\TrueSight" wide
-        $ = "[-] CreateFileA failed" wide
-        $ = " not running" wide
-        $ = "[-] Process name: " wide
-        $ = "[+] Terminating PID: " wide
-        $ = "[-] DevicesIoControl failed" wide
-        $ = "[!] Stoping and Deleting trueSight Service!" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and filesize < 1MB and filesize > 20KB and 
-        20 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_typhon_reborn_stealer.yar b/yara_rules/sekoiaio_typhon_reborn_stealer.yar
deleted file mode 100644
index 53a29d9..0000000
--- a/yara_rules/sekoiaio_typhon_reborn_stealer.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-import "pe"
-        
-rule sekoiaio_typhon_reborn_stealer {
-    meta:
-        id = "aab7279b-b651-4092-b988-d186d0a433de"
-        version = "1.0"
-        description = "Typhon Reborn v2 string based detection"
-        author = "Sekoia.io"
-        creation_date = "2023-05-15"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "api.telegram.org/bot" wide
-        $s2 = "TyphonReborn Stealer v2 log!" wide
-        
-    condition:
-        all of them and pe.is_pe
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_unk_quad7_fsynet_strings.yar b/yara_rules/sekoiaio_unk_quad7_fsynet_strings.yar
deleted file mode 100644
index 8cd7402..0000000
--- a/yara_rules/sekoiaio_unk_quad7_fsynet_strings.yar
+++ /dev/null
@@ -1,34 +0,0 @@
-rule sekoiaio_unk_quad7_fsynet_strings {
-    meta:
-        id = "897b2421-c177-48c0-8f5b-82d8434208cb"
-        version = "1.0"
-        description = "Matches node-r-control, asr_node, node-relay"
-        author = "Sekoia.io"
-        creation_date = "2024-08-20"
-        classification = "TLP:CLEAR"
-        hash = "f42849076e24b7827218f7a25bc11ccc"
-        hash = "b3b09819f820a4ecd31f82f369000af2"
-        hash = "92093dd7ba6ae8fe34a215c4c4bd1cd4"
-        hash = "e6f6a6de285d7c2361c32b1f29a6c3f6"
-        hash = "408152285671bbd0e6e63bd71d6abaaf"
-        hash = "5efc7d824851be9ec90a97d889a40d23"
-        
-    strings:
-        $ = "prev_hop_port"
-        $ = "next_hop_port"
-        $ = "back_hop_port"
-        $ = "next_tsn_port"
-        $ = "prev_hop_ip"
-        $ = "next_hop_ip"
-        $ = "back_hop_ip"
-        $ = "next_tsn_ip"
-        $ = "ikcp_"
-        $ = "/tmp/log_r"
-        $ = "total_hop"
-        
-    condition:
-        uint32be(0) == 0x7f454c46
-        and filesize < 5MB
-        and 6 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_unk_quad7_netd_strings.yar b/yara_rules/sekoiaio_unk_quad7_netd_strings.yar
deleted file mode 100644
index 1021de9..0000000
--- a/yara_rules/sekoiaio_unk_quad7_netd_strings.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule sekoiaio_unk_quad7_netd_strings {
-    meta:
-        id = "3f527f0e-c101-4356-9024-fc61aea644d1"
-        version = "1.0"
-        description = "Matches netd binary"
-        author = "Sekoia.io"
-        creation_date = "2024-08-23"
-        classification = "TLP:CLEAR"
-        hash = "cdb37db4543dde5ca2bd98a43699828f"
-        
-    strings:
-        $ = "./netd.dat"
-        $ = "./sys.dat"
-        $ = "--conf"
-        $ = "--init"
-        $ = "--nobg"
-        $ = "Url is NULL."
-        
-    condition:
-        uint32be(0) == 0x7f454c46 and
-        filesize < 1MB and
-        4 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_unk_quad7_updtae_reverse_shell_strings.yar b/yara_rules/sekoiaio_unk_quad7_updtae_reverse_shell_strings.yar
deleted file mode 100644
index 4a0dca8..0000000
--- a/yara_rules/sekoiaio_unk_quad7_updtae_reverse_shell_strings.yar
+++ /dev/null
@@ -1,26 +0,0 @@
-rule sekoiaio_unk_quad7_updtae_reverse_shell_strings {
-    meta:
-        id = "02d5394e-734c-4744-b293-1bf96bf1518c"
-        version = "1.0"
-        description = "Reverse shell used by Quad7 operators"
-        author = "Sekoia.io"
-        creation_date = "2024-08-19"
-        classification = "TLP:CLEAR"
-        hash = "40b5ac87ff87634c48fdd2cf64ccb66b"
-        hash = "4b8e97260d9ef6ca774675be682d9c8c"
-        
-    strings:
-        $ = "User-Agent: IOT"
-        $ = "/iot/post"
-        $ = "vender"
-        $ = "Response:  %s"
-        $ = "cmdNum"
-        $ = "UPDTAE"
-        $ = "cmdResult"
-        
-    condition:
-        uint32be(0) == 0x7f454c46 and
-        filesize < 5MB and
-        4 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_unknown_7777_xlogin.yar b/yara_rules/sekoiaio_unknown_7777_xlogin.yar
deleted file mode 100644
index dbc1bc9..0000000
--- a/yara_rules/sekoiaio_unknown_7777_xlogin.yar
+++ /dev/null
@@ -1,25 +0,0 @@
-rule sekoiaio_unknown_7777_xlogin {
-    meta:
-        id = "ce0beffc-f957-43ef-a739-f4a1099a7a67"
-        version = "1.0"
-        description = "Detects the xlogin bind shell and its variants"
-        author = "Sekoia.io"
-        creation_date = "2024-07-18"
-        classification = "TLP:CLEAR"
-        hash = "4d9067e7cf517158337123a30a9bd0e3"
-        hash = "43ea387b8294cc4d0baaef6d26ff7c72"
-        hash = "777d6f907da38365924a0c2a12e973c5"
-        hash = "8542a3cbe232fe78baa0882736c61926"
-        
-    strings:
-        $string1 = { 2f 62 69 6e 2f 73 68 00 2f 74 6d 70 2f 6c 6f 67 69 6e }
-        $string2 = { 2F 64 65 76 2F 6E 75 6C 6C [1-3] 2F 62 69 6E 2F 73 68 00 2D 63 }
-        
-    condition:
-        uint32be(0) == 0x7f454c46 and
-        filesize < 180KB and
-        (
-            (@string2 - @string1 < 3400)
-        )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_unknown_quad7_wildcard_login.yar b/yara_rules/sekoiaio_unknown_quad7_wildcard_login.yar
deleted file mode 100644
index 5e798d2..0000000
--- a/yara_rules/sekoiaio_unknown_quad7_wildcard_login.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule sekoiaio_unknown_quad7_wildcard_login {
-    meta:
-        id = "01510244-0795-4299-aa66-056a2b4682e7"
-        version = "1.0"
-        description = "Detects the (x|r|a)login bind shells"
-        author = "Sekoia.io"
-        creation_date = "2024-07-18"
-        classification = "TLP:CLEAR"
-        hash = "4d9067e7cf517158337123a30a9bd0e3"
-        hash = "43ea387b8294cc4d0baaef6d26ff7c72"
-        hash = "777d6f907da38365924a0c2a12e973c5"
-        hash = "8542a3cbe232fe78baa0882736c61926"
-        hash = "1b08725acc371f6b7d05bb72d0c2d759"
-        
-    strings:
-        $string1 = { 2f 62 69 6e 2f 73 68 00 2f 74 6d 70 2f 6c 6f 67 69 6e }
-        $string2 = { 2f 62 69 6e 2f 73 68 00 2d 63 00 65 78 69 74 20 30 }
-        
-    condition:
-        uint32be(0) == 0x7f454c46 and
-        filesize < 180KB and
-        @string2 - @string1 < 3400
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_ursnif.yar b/yara_rules/sekoiaio_ursnif.yar
deleted file mode 100644
index b95cd8b..0000000
--- a/yara_rules/sekoiaio_ursnif.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule sekoiaio_ursnif {
-    meta:
-        description = "Ursnif Payload"
-        author = "Sekoia.io"
-        id = "ac392af3-c344-453c-9427-5bb46223e01c"
-        version = "1.0"
-        classification = "TLP:CLEAR"
-        author = "Sekoia.io"
-        
-    strings:
-        $crypto64_1 = {41 8B 02 ?? C1 [0-1] 41 33 C3 45 8B 1A 41 33 C0 D3 C8 41 89 02 49 83 C2 04 83 C2 FF 75 D?}
-        $crypto64_2 = {44 01 44 24 10 FF C1 41 8B C0 D1 64 24 10 33 C3 41 8B D8 FF 4C 24 10 41 33 C3 01 44 24 10 D3 C8 01 44 24 10 41 89 02 49 83 C2 04 83 C2 FF 75 C3}
-        $crypto64_3 = {33 C6 ?? C7 [0-1] 49 83 C2 04 33 C3 8B F1 8B CF D3 C8 89 02 48 83 C2 04 41 83 C3 FF 75 ?? 45 85 C9 75 ?? 41 83 E0 03}
-        $crypto64_4 = {41 8B 02 41 8B CB 41 83 F3 01 33 C3 41 8B 1A C1 E1 03 41 33 C0 D3 C8 41 89 02 49 83 C2 04 83 C2 FF 75 C6}
-        $decrypt_config64 = {44 8B D9 33 C0 45 33 C9 44 33 1D ?? ?? ?? 00 ?? ?? D2 ?? ?? D2 74 ?? 4C 8D 42 10 45 3B 0A 73 2? 45 39 58 F8 75 1C 41 F6 40 FC 01 74 12}
-        
-        $crypto32_1 = {01 45 FC D1 65 FC FF 4D FC 33 C1 33 45 0C 01 45 FC 43 8A CB D3 C8 8B CE 01 45 FC 89 02 83 C2 04 FF 4D 08 75 CD}
-        $crypto32_2 = {33 C1 33 44 24 10 43 8A CB D3 C8 8B CE 89 02 83 C2 04 FF 4C 24 0C 75 D9}
-        $decrypt_config32 = {8B ?? 08 5? 33 F? 3B [1-2] 74 14 A1 0? ?? ?? ?? 35 ?? ?? ?? ?? 50 8B D? E8 ?? D? 00 00 EB 02 33 C0 ?B ?? ?? ?? ?? ?? ?? ?? 74 14 8D 4D ?? ?? ?? 50 FF D? 85 C0 74 08}
-        
-    condition:
-        true and uint16(0) == 0x5A4D and (($decrypt_config64 and any of ($crypto64*)) or ($decrypt_config32 and any of ($crypto32*)))
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_ursnif_ldr4.yar b/yara_rules/sekoiaio_ursnif_ldr4.yar
deleted file mode 100644
index 1a572e6..0000000
--- a/yara_rules/sekoiaio_ursnif_ldr4.yar
+++ /dev/null
@@ -1,27 +0,0 @@
-rule sekoiaio_ursnif_ldr4 {
-    meta:
-        description = "Ursnif LDR4"
-        author = "Sekoia.io"
-        id = "73e63481-8a89-4342-87f0-8dc7ad459396"
-        version = "1.0"
-        classification = "TLP:CLEAR"
-        author = "Sekoia.io"
-        
-    strings:
-        $str1 = "LOADER.dll" fullword
-        $str2 = "DllRegisterServer" fullword
-        $str3 = ".bss" fullword
-        $x64_code1 = { 3D 2E 62 73 73 74 0A 48 83 C7 28 }
-        $x64_code2 = { 8B 17 48 83 C7 04 8B CA 8b C2 23 CB 0B C3 F7 D1 23 C8 41 2B CA 44 8B D2 41 89 08 41 8B CB 49 83 C0 04 83 E1 07 FF C1 41 D3 C2 41 83 EB 04 79 }
-        $x64_code3 = { 41 0F B6 01 49 FF C1 8B C8 8B D0 83 E1 03 C1 E1 03 D3 E2 44 03 C2 41 83 C2 FF 75 }
-        $x64_code4 = { 45 8D 45 08 48 8D 8C 24 [4] BA 30 00 FE 7F E8 }
-        $x64_code5 = { 48 8D 8C 24 [4] BA 30 00 FE 7F 41 B8 08 00 00 00 E8 }
-        $x86_code1 = { 81 F9 2E 62 73 73 74 09 83 C6 28 }
-        $x86_code2 = { 8B 06 8B D0 23 55 0C 8B D8 0B 5D 0C F7 D2 23 D3 2B D1 8A 4D 08 80 E1 07 83 C6 04 89 17 83 C7 04 FE C1 D3 C0 83 6D 08 04 8B C8 79 }
-        $x86_code3 = { 8A 0E 0F B6 D1 8B CA 83 E1 03 C1 E1 03 D3 E2 46 03 C2 4F 75 }
-        $x86_code4 = { 6A 08 8D 45 F8 68 30 00 FE 7F 50 E8 }
-        
-    condition:
-        true and 5 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_vpn_mul_softether.yar b/yara_rules/sekoiaio_vpn_mul_softether.yar
deleted file mode 100644
index b127884..0000000
--- a/yara_rules/sekoiaio_vpn_mul_softether.yar
+++ /dev/null
@@ -1,30 +0,0 @@
-rule sekoiaio_vpn_mul_softether {
-    meta:
-        id = "a1fbf4fe-b934-4a66-b6b1-ebe2f83505cd"
-        version = "1.0"
-        description = "Detect the open-source SoftEther VPN"
-        author = "Sekoia.io"
-        creation_date = "2024-04-15"
-        classification = "TLP:CLEAR"
-        reference = "https://www.softether.org/"
-        
-    strings:
-        $ = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\softether_se%s"
-        $ = "GET /vgc_download_dat/ HTTP/1.1"
-        $ = "http://x%c.x%c.client.api.vpngate2.jp/api/"
-        $ = "http://x0.x0.client.api.vpngate2.jp/check/check.txt"
-        $ = "https://x%c.x%c.statistics.api.vpngate2.jp/api/statistics/"
-        $ = "Software\\SoftEther Project\\SoftEther VPN\\"
-        
-        $ = "|vpnsetup_nosign.exe" wide
-        $ = "/ISEASYINSTALLER:%u" wide
-        $ = "/CALLERSFXPATH:\"%s\"" wide
-        $ = "vpn_client.config" wide
-        $ = "vpn_bridge.config" wide
-        $ = "|backup_dir_readme.txt" wide
-        $ = "vpn_debuginfo_%04u%02u%02u_%02u%02u%02u.zip" wide
-        
-    condition:
-        8 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_water_sigbin_group.yar b/yara_rules/sekoiaio_water_sigbin_group.yar
deleted file mode 100644
index 6846a5c..0000000
--- a/yara_rules/sekoiaio_water_sigbin_group.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_water_sigbin_group {
-    meta:
-        id = "c49728e8-db7e-4d83-97d2-7d56b51f8a52"
-        version = "1.0"
-        description = "Detects IOCs related to the 8220 Mining group."
-        author = "Sekoia.io"
-        creation_date = "2024-06-11"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "Z12A3" ascii fullword
-        $s2 = "FromBase64String" ascii fullword
-        $s3 = "Start-Process" ascii fullword
-        $s4 = "WriteAllBytes" ascii fullword
-        
-    condition:
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_webshell_icesword_strings.yar b/yara_rules/sekoiaio_webshell_icesword_strings.yar
deleted file mode 100644
index 1797860..0000000
--- a/yara_rules/sekoiaio_webshell_icesword_strings.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_webshell_icesword_strings {
-    meta:
-        id = "2c6b3cec-4200-4386-8cd5-4004c9b5b96a"
-        version = "1.0"
-        description = "Detects icesword webshell"
-        author = "Sekoia.io"
-        creation_date = "2024-11-22"
-        classification = "TLP:CLEAR"
-        hash = "0447352827e61696304a8e3d34e1d270"
-        hash = "f49cfcda0abdefa385eda7ec7e7a5411"
-        hash = "e1518388375ba772ed20503ec6dc6c8a"
-        hash = "ecf08cd6af127e01f913354529174a23"
-        
-    strings:
-        $ = "&fsAction=rename&newName="
-        $ = "&fsAction=copyto&dstPath="
-        
-    condition:
-        2 of them and filesize < 100KB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_webshell_wso_webshell_strings.yar b/yara_rules/sekoiaio_webshell_wso_webshell_strings.yar
deleted file mode 100644
index 1035e0c..0000000
--- a/yara_rules/sekoiaio_webshell_wso_webshell_strings.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_webshell_wso_webshell_strings {
-    meta:
-        id = "84340792-73a4-4d61-9957-6cfa1f6444a7"
-        version = "1.0"
-        description = "Detects the WSO webshells"
-        author = "Sekoia.io"
-        creation_date = "2022-04-22"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "decrypt($str,$pwd){$pwd=base64_encode($pwd);"
-        $ = "prototype(md5($_SERVER['HTTP_HOST'])"
-        $ = "$_COOKIE[md5($_SERVER['HTTP_HOST'])."
-        $ = "set(a,c,p1,p2,p3,charset)"
-        $ = "(($p & 0x0008) ? (($p & 0x0400)"
-        $ = "gcc','lcc','cc','ld','make','php"
-        
-    condition:
-        3 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_weevely_webshell_payload.yar b/yara_rules/sekoiaio_weevely_webshell_payload.yar
deleted file mode 100644
index b34565f..0000000
--- a/yara_rules/sekoiaio_weevely_webshell_payload.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_weevely_webshell_payload {
-    meta:
-        id = "f2879c6e-3d1b-41be-8b1d-4f0503fd4b29"
-        version = "1.0"
-        description = "Detects weevely webshell"
-        author = "Sekoia.io"
-        creation_date = "2024-04-22"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "<?php include \""
-        $s2 = ".basename(__FILE__).\""
-        $s3 = ";__HALT_COMPILER(); ?>"
-        
-    condition:
-        all of them and filesize < 1MB and @s1 == 0 and @s2 < @s3
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_win_clipper_generic.yar b/yara_rules/sekoiaio_win_clipper_generic.yar
deleted file mode 100644
index 5915a20..0000000
--- a/yara_rules/sekoiaio_win_clipper_generic.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_win_clipper_generic {
-    meta:
-        id = "a94b3d01-dbc7-41e4-8d45-793bf443b1d2"
-        version = "1.0"
-        description = "Clipper found during investigation: 892a9edb03db3fd88fecc1e1a2f56a7339f16f6734e8d77e6538ea2c8c9026d6"
-        author = "Sekoia.io"
-        creation_date = "2024-07-03"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        // $ranpth = if ((Get-Random) % 2) { Join-Path $env:TEMP "$ran.ps1" } else { Join-Path $env:APPDATA "$ran.ps1" }
-        $s = { 24 72 61 6e 70 74 68 20 3d 20 69 66 20 28 28 47 65 74 2d 52 61 6e 64 6f 6d 29 20 25 20 32 29 20 7b 20 4a 6f 69 6e 2d 50 61 74 68 20 24 65 6e 76 3a 54 45 4d 50 20 22 24 72 61 6e 2e 70 73 31 22 20 7d 20 65 6c 73 65 20 7b 20 4a 6f 69 6e 2d 50 61 74 68 20 24 65 6e 76 3a 41 50 50 44 41 54 41 20 22 24 72 61 6e 2e 70 73 31 22 20 7d  }
-        
-    condition:
-        filesize > 1KB and
-        all of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_win_infostealer_serpent_strings.yar b/yara_rules/sekoiaio_win_infostealer_serpent_strings.yar
deleted file mode 100644
index 67f4f24..0000000
--- a/yara_rules/sekoiaio_win_infostealer_serpent_strings.yar
+++ /dev/null
@@ -1,24 +0,0 @@
-rule sekoiaio_win_infostealer_serpent_strings {
-    meta:
-        id = "ad9e2366-c95e-4090-a0db-48f3cc325209"
-        version = "1.0"
-        description = "Serpent Stealer string"
-        author = "Sekoia.io"
-        creation_date = "2023-12-04"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "User Has SSH Dir." wide
-        $s2 = "[+] Executing Wallets" wide
-        $s3 = "'serpent' folder" wide
-        $s4 = "Buddy Kys!!!" wide
-        $s5 = "http://checkip.dyndns.org/" wide
-        $s6 = "[+] Target has discord installed" wide
-        $s7 = "Target has minecraft." wide
-        
-    condition:
-        (uint16be(0) == 0x4d5a) and
-        filesize < 100KB and
-        5 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_win_loader_astasialoader_strings.yar b/yara_rules/sekoiaio_win_loader_astasialoader_strings.yar
deleted file mode 100644
index 489b0b2..0000000
--- a/yara_rules/sekoiaio_win_loader_astasialoader_strings.yar
+++ /dev/null
@@ -1,26 +0,0 @@
-rule sekoiaio_win_loader_astasialoader_strings {
-    meta:
-        id = "8dfabf28-4b5a-43db-87e9-5b9080541ec3"
-        version = "1.0"
-        description = "AstasiaLoader strings"
-        author = "Sekoia.io"
-        creation_date = "2023-08-16"
-        classification = "TLP:CLEAR"
-        hash = "44b6f7508a82ff6a4d65defc189303eeee393b5fd498de73d74d0a2c75c87401"
-        
-    strings:
-        $s1 = "newuploaders" wide
-        $s2 = "\\infected.exe" wide
-        $s3 = "AstasiaLoader" wide
-        $s4 = "Astasia.pdb" ascii
-        $s5 = "ip-api.com/line/?fields=hosting" wide
-        $s6 = "https://api.telegram.org/bot" wide
-        $s7 = "currentscript.txt" wide
-        $s8 = "sessionlog.txt" wide
-        
-    condition:
-        uint16be(0) == 0x4d5a and
-        filesize > 50KB and filesize < 1MB and
-        5 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_win_malware_agnianestealer.yar b/yara_rules/sekoiaio_win_malware_agnianestealer.yar
deleted file mode 100644
index 29e4a3f..0000000
--- a/yara_rules/sekoiaio_win_malware_agnianestealer.yar
+++ /dev/null
@@ -1,19 +0,0 @@
-rule sekoiaio_win_malware_agnianestealer {
-    meta:
-        id = "704c85b7-8b82-4160-ae1b-fd1054cae8e2"
-        version = "1.0"
-        description = "Detect the Agniane stealer using strings"
-        author = "Sekoia.io"
-        creation_date = "2023-08-10"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "Agniane.pdb" ascii
-        $s2 = "Agniane.exe" wide ascii
-        
-    condition:
-        (uint16be(0) == 0x4d5a) and
-        filesize > 100KB and filesize < 3MB and
-        2 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_win_malware_janelarat_strings.yar b/yara_rules/sekoiaio_win_malware_janelarat_strings.yar
deleted file mode 100644
index 7dad55d..0000000
--- a/yara_rules/sekoiaio_win_malware_janelarat_strings.yar
+++ /dev/null
@@ -1,21 +0,0 @@
-rule sekoiaio_win_malware_janelarat_strings {
-    meta:
-        id = "891f182e-8a7a-4d0c-a481-62c198bb901b"
-        version = "1.0"
-        description = "Detect the JanelaRAT malware"
-        author = "Sekoia.io"
-        creation_date = "2023-08-11"
-        classification = "TLP:CLEAR"
-        hash = "00df0a1f037e24ff1528d524fb7398735e2c3e0a9995a9f95a5293b04748f06e"
-        
-    strings:
-        // E:\PROJETOS2023\CSHARP\RAT\MXNOBUGMAG\
-        $s2 = {4d 58 4e 4f 42 55 47 4d 41 47}
-        $s1 =  "block.blq" wide
-        
-    condition:
-        (uint16be(0) == 0x4d5a) and
-        filesize > 100KB and filesize < 1MB and
-        2 of them
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_win_malware_statc_downloader.yar b/yara_rules/sekoiaio_win_malware_statc_downloader.yar
deleted file mode 100644
index e2e48e6..0000000
--- a/yara_rules/sekoiaio_win_malware_statc_downloader.yar
+++ /dev/null
@@ -1,29 +0,0 @@
-rule sekoiaio_win_malware_statc_downloader {
-    meta:
-        id = "4a2e9607-635b-4cd8-ba27-d70e0c76fd45"
-        version = "1.0"
-        description = "Statc Downloader powershell script. Base64 powershell"
-        author = "Sekoia.io"
-        creation_date = "2023-08-09"
-        classification = "TLP:CLEAR"
-        hash = "173ea5af2e71b6ed70abd52a5d2f4de040393a6d2ff4978bbb6e73d96742b010"
-        
-    strings:
-        $powershell = "powershell.exe"
-        // (New-Object Net.Webclient).downloadfile("https://
-        $a1 = "KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAGYAaQBsAGUAKAAiAGgAdAB0AHAAcwA6AC8A"
-        $a2 = "gATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABmAGkAbABlACgAIgBoAHQAdABwAHMAOgAvA"
-        $a3 = "oAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAZgBpAGwAZQAoACIAaAB0AHQAcABzADoALw"
-        // invoke-expression "$env:TEMP\
-        $b1 = "aQBuAHYAbwBrAGUALQBlAHgAcAByAGUAcwBzAGkAbwBuACAAIgAkAGUAbgB2ADoAVABFAE0AUABc"
-        $b2 = "kAbgB2AG8AawBlAC0AZQB4AHAAcgBlAHMAcwBpAG8AbgAgACIAJABlAG4AdgA6AFQARQBNAFAAX"
-        $b3 = "pAG4AdgBvAGsAZQAtAGUAeABwAHIAZQBzAHMAaQBvAG4AIAAiACQAZQBuAHYAOgBUAEUATQBQAF"
-        // 1 1"; "OK";
-        $c1 = "MQAgADEAIgA7ACAAIgBPAEsAIgA7"
-        $c2 = "EAIAAxACIAOwAgACIATwBLACIAO"
-        $c3 = "xACAAMQAiADsAIAAiAE8ASwAiAD"
-        
-    condition:
-        $powershell at 0 and 1 of ($a*) and 1 of ($b*) and 1 of ($c*) and filesize < 1MB
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_wiper_hermeticwiper_variants.yar b/yara_rules/sekoiaio_wiper_hermeticwiper_variants.yar
deleted file mode 100644
index be5a39b..0000000
--- a/yara_rules/sekoiaio_wiper_hermeticwiper_variants.yar
+++ /dev/null
@@ -1,27 +0,0 @@
-import "pe"
-        
-rule sekoiaio_wiper_hermeticwiper_variants {
-    meta:
-        id = "102ecf15-167e-49e4-932c-6334e3cdcc69"
-        version = "1.0"
-        description = "Matches HermeticWiper and possible variants"
-        author = "Sekoia.io"
-        creation_date = "2022-02-24"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "SeLoadDriverPrivilege" wide
-        $ = "\\\\.\\PhysicalDrive" wide
-        $ = "::$INDEX_ALLOCATION" wide
-        $ = "CrashDumpEnabled" wide
-        
-    condition:
-        2 of them and
-        pe.characteristics and
-        pe.number_of_signatures == 1 and
-        pe.number_of_resources > 2 and
-        for 2 i in (0..pe.number_of_resources - 1):
-        ( uint32be( pe.resources[i].offset+15 ) == 0x4D5A9000 and
-        uint16be( pe.resources[i].offset ) == 0x535A )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_wiper_win_caddywiper.yar b/yara_rules/sekoiaio_wiper_win_caddywiper.yar
deleted file mode 100644
index f5886c4..0000000
--- a/yara_rules/sekoiaio_wiper_win_caddywiper.yar
+++ /dev/null
@@ -1,38 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_wiper_win_caddywiper {
-    meta:
-        id = "869d44ff-79fc-403d-a45d-d33712da5bd0"
-        version = "1.0"
-        description = "Detect CaddyWiper"
-        author = "Sekoia.io"
-        creation_date = "2022-03-15"
-        classification = "TLP:CLEAR"
-        hash1_upx = "b66b179eac03afafdc69f62c207819eceecfbf994c9efa464fda0d2ba44fe2d7"
-        hash1 = "ea6a416b320f32261da8dafcf2faf088924f99a3a84f7b43b964637ea87aef72"
-        hash2 = "a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea"
-        
-    strings:
-        $ = "NETAPI32.dll" ascii
-        $ = "DsRoleGetPrimaryDomainInformation" ascii
-        
-    condition:
-        uint16(0)==0x5A4D
-        and filesize > 5KB and filesize < 20KB
-        and pe.number_of_sections == 3
-        and pe.number_of_resources == 0
-        and all of them
-        
-        // Imphash
-        or pe.imphash() == "ea8609d4dad999f73ec4b6f8e7b28e55"
-        or pe.imphash() == "bae2d138abe43164fb5e95f313de3d14" //UPX
-        
-        // PE section
-        or for any i in (0..pe.number_of_sections-1) : (
-            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "f0d4c11521fc3891965534e6c52e128b"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "6be6e878d1e8fed277c5feaf60b57a19" //UPX
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "11f22fc72c3ca7dd6b874bda37c1fe82" //UPX
-        )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_wiper_win_dnwipe.yar b/yara_rules/sekoiaio_wiper_win_dnwipe.yar
deleted file mode 100644
index d1fa02b..0000000
--- a/yara_rules/sekoiaio_wiper_win_dnwipe.yar
+++ /dev/null
@@ -1,27 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_wiper_win_dnwipe {
-    meta:
-        id = "522fdaa5-8fe6-4e37-aaf8-13e3a7787d21"
-        version = "1.0"
-        description = "Detect the dnWipe malware"
-        author = "Sekoia.io"
-        creation_date = "2022-11-21"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "dnWIPE"
-        $ = "dnWIPE" wide
-        $ = "C:\\Users\\Admin1\\source\\repos\\dnWIPE\\dnWIPE\\obj\\Debug\\dnWIPE.pdb"
-        
-    condition:
-        // Strings
-        uint16(0)==0x5A4D and all of them and filesize < 50KB
-
-        // Resource
-        or for any i in (0..pe.number_of_resources-1) : (
-            hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "93290ef6447b0a16b92e50a1652ac3eb8f1237cc5f8005e080750fb58c19d230"
-        )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_wiper_win_isaacwiper.yar b/yara_rules/sekoiaio_wiper_win_isaacwiper.yar
deleted file mode 100644
index 54c4829..0000000
--- a/yara_rules/sekoiaio_wiper_win_isaacwiper.yar
+++ /dev/null
@@ -1,46 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_wiper_win_isaacwiper {
-    meta:
-        id = "b081e3a3-612e-46ae-93af-82e7ee98fcf7"
-        version = "1.0"
-        description = "Detect the IsaacWiper using multiple methods + ReversingLab rule's condition"
-        author = "Sekoia.io"
-        creation_date = "2022-03-15"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $s1 = "getting drives..." wide
-        $s2 = "physical drives:" wide
-        $s3 = "-- system physical drive" wide
-        $s4 = "-- physical drive" wide
-        $s5 = "logical drives:" wide
-        $s6 = "-- system logical drive:" wide
-        $s7 = "-- logical drive:" wide
-        $s8 = "start erasing physical drives..." wide
-        $s9 = "-- FAILED" wide
-        $s10 = "-- start erasing logical drive" wide
-        $s11 = "start erasing system physical drive..." wide
-        $s12 = "system physical drive -- FAILED" wide
-        $s13 = "start erasing system logical drive" wide
-        
-    condition:
-        // Imphash
-        pe.imphash() == "a4b162717c197e11b76a4d9bc58ea25d"
-        
-        // Section hashs
-        or for any i in (0..pe.number_of_sections-1) : (
-            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "06d63fddf89fae3948764028712c36d6"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "48f101db632bb445c21a10fd5501e343"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "5efc98798d0979e69e2a667fc20e3f24"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "9676f7c827fb9388358aaba3e4bd0cc6"
-        )
-        
-        // Rich header
-        or hash.md5(pe.rich_signature.clear_data) == "ec862d3013903478c2ff8dce2792815f"
-        
-        // Strings
-        or all of ($s*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_wiper_win_nominatus_toxicbattery.yar b/yara_rules/sekoiaio_wiper_win_nominatus_toxicbattery.yar
deleted file mode 100644
index 0418245..0000000
--- a/yara_rules/sekoiaio_wiper_win_nominatus_toxicbattery.yar
+++ /dev/null
@@ -1,43 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_wiper_win_nominatus_toxicbattery {
-    meta:
-        id = "0262378f-f509-4ea4-a3eb-cd0183c4361d"
-        version = "1.0"
-        description = "Detect the Nominatus_ToxicBattery malware"
-        author = "Sekoia.io"
-        creation_date = "2022-11-21"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "DISK"
-        $ = "FileNaME"
-        $ = "FILNAME"
-        $ = "runCommand"
-        $ = "HAHAH"
-        $ = "Damage"
-        $ = "fastInfector"
-        $ = "d:\\again\\SharpDevelop Projects\\RInjector\\Virus.win32RozbehStrike\\obj\\Debug\\Nominatus_ToxicBattery.pdb"
-        $ = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" wide
-        $ = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" wide
-        $ = "\\Antivirus.bat" wide
-        $ = "\\Antivirus3.vbs" wide
-        $ = "vssadmin Delete Shadows /all /quiet" wide
-        
-    condition:
-        // Strings
-        uint16(0)==0x5A4D and 10 of them
-
-        // Sections
-        or for any i in (0..pe.number_of_sections-1) : (
-            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "e7f35c173c34b7080d437a90ec90a982"
-            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "2e25c5d3baba182f008a5a15c6f06403"
-        )
-
-        //Resource
-        or for any i in (0..pe.number_of_resources-1) : (
-            hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "70b1c002e4c0c9782c7ce1ef4a13c58ec1da54a26fd06dd7821a71f29431da82"
-        )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_wiper_win_ruransom.yar b/yara_rules/sekoiaio_wiper_win_ruransom.yar
deleted file mode 100644
index 47675bb..0000000
--- a/yara_rules/sekoiaio_wiper_win_ruransom.yar
+++ /dev/null
@@ -1,27 +0,0 @@
-import "pe"
-import "hash"
-        
-rule sekoiaio_wiper_win_ruransom {
-    meta:
-        id = "7bf3694b-c689-482f-88cd-b1f3b86bbc36"
-        version = "1.0"
-        description = "Detect the RURansom malware"
-        author = "Sekoia.io"
-        creation_date = "2022-11-21"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $ = "RURansom"
-        $ = "AesCrypter"
-        $ = "RURansom" wide
-        
-    condition:
-        // Strings
-        uint16(0)==0x5A4D and all of them
-        
-        // Resource
-        or for any i in (0..pe.number_of_resources-1) : (
-            hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "e4b6b5b2b293d497ddf373ca9f7e97458328703d2769f451890ac48771c85070"
-        )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_xworm_dotnet_injector.yar b/yara_rules/sekoiaio_xworm_dotnet_injector.yar
deleted file mode 100644
index 9006dd1..0000000
--- a/yara_rules/sekoiaio_xworm_dotnet_injector.yar
+++ /dev/null
@@ -1,22 +0,0 @@
-rule sekoiaio_xworm_dotnet_injector {
-    meta:
-        id = "50581a9d-afc3-43da-9e34-3a553cbd01b4"
-        version = "1.0"
-        description = ".NET injector used by XWorm TA"
-        author = "Sekoia.io"
-        creation_date = "2022-12-02"
-        classification = "TLP:CLEAR"
-        
-    strings:
-        $first_payload = "jBGIcSr2fKhj1ZT2YNLBTcYYeAw/vWUT98dCA/H6hpI+dY+lkoSe1ATx7XEIXKtAdTSwl1PKhNROoxstXsnsHTZbS2ikRLv6lmHd5v09DltsPeXIOA789wZC8qR1OScJFohGxuWQSQ8K2TAFUQAntIFdX+Om1QZUARdDnb4f+P8VFucU9avWD75yK1IcTDDDEYwvm/rwUYTqWitcrfIY+aFcgQwyvEzkN7Pbsah4Kts+XmK0C3TzlnDd2mz6TdsPphGbBxcbBdZGMTyzunZUEKRYea7xM6u+az9v7m6a1G6vhsSqz4C/nleDmzL2dIVnVR6Ni6+0hlExcP" wide
-        $rijndael_key1 = { e5 a0 b1 e8 89 be e8 8e 8e e4 bb a3 e5 ba b5 e9 85 8d e7 89 b9 e6 b0 8f e5 85 8b e9 9b 99 e8 89 be e5 8b 92 e6 8b 89 e6 a1 83 e9 ad 9a e6 88 91 e6 96 af e6 a1 83 e5 ba 95 e5 be b7 }
-        $rijndael_key2 = { e7 9b 9f e7 91 aa e6 a1 83 e9 87 91 e5 90 89 e9 97 95 e5 a0 b1 e9 9b 99 e9 97 95 e5 96 ac e5 ba 95 e5 a0 b1 e5 be b7 e6 8b 89 e5 92 8c e7 a0 b4 e7 88 be e9 a6 ac e6 88 91 e5 8a a0 }
-        $rijndael_key3 = { e6 9b b2 e6 b0 8f e5 ba b5 e5 a3 ab e9 97 95 e5 be b7 e6 96 af e8 9b 8b }
-        $s1 = "fullofdick"
-        $s2 = "holdmeback"
-        $s3 = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe" wide
-        
-    condition:
-        ($first_payload  and all of ($rijndael_key*)) or 2 of ($s*)
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_yara_runascs.yar b/yara_rules/sekoiaio_yara_runascs.yar
deleted file mode 100644
index fd166ba..0000000
--- a/yara_rules/sekoiaio_yara_runascs.yar
+++ /dev/null
@@ -1,34 +0,0 @@
-import "pe"
-        
-rule sekoiaio_yara_runascs {
-    meta:
-        id = "1720f042-2cc6-4ef1-b66c-fe8a4214366a"
-        version = "1.0"
-        author = "Sekoia.io"
-        creation_date = "2023-08-23"
-        classification = "TLP:CLEAR"
-        author = "Sekoia.io"
-        
-    strings:
-        $s1 = "RunasCs" ascii wide
-        $s2 = "LOGON32_LOGON_INTERACTIVE" ascii wide
-        $s3 = "LOGON32_LOGON_NETWORK" ascii wide
-        $s4 = "LOGON32_LOGON_BATCH" ascii wide
-        $s5 = "LOGON32_LOGON_SERVICE" ascii wide
-        $s6 = "dwLogonProvider" ascii wide
-        $s7 = "LogonUser" ascii wide
-        $s8 = "CreateProcessAsUser" ascii wide
-        
-    condition:
-        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
-        filesize < 4MB and
-        all of them and
-        not (
-            pe.version_info["OriginalFilename"] == "Atera.AgentPackages.CommonLib.dll" and
-            for any sig in pe.signatures: (
-                sig.subject contains "CN=Atera Networks Ltd" and
-                sig.issuer contains "CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1"
-            )
-        )
-}
-        
\ No newline at end of file
diff --git a/yara_rules/sekoiaio_zip_win_abcloader.yar b/yara_rules/sekoiaio_zip_win_abcloader.yar
deleted file mode 100644
index cd2e7c2..0000000
--- a/yara_rules/sekoiaio_zip_win_abcloader.yar
+++ /dev/null
@@ -1,18 +0,0 @@
-rule sekoiaio_zip_win_abcloader {
-    meta:
-        id = "0d14b34a-9095-48fa-b616-4e8239f3b547"
-        version = "1.0"
-        description = "Use the CRC32 to detect a zip containing the doc file used to drop and launch ABCloader"
-        author = "Sekoia.io"
-        creation_date = "2024-08-19"
-        classification = "TLP:CLEAR"
-        hash = "0c7d8e611781b29e15df415640858294"
-        
-    strings:
-        $crc = {32 56 27 e2}
-        $name = "iden.doc"
-        
-    condition:
-        $name at @crc[1] + 16
-}
-        
\ No newline at end of file
diff --git a/yara_rules/shell_win_danfuan.yar b/yara_rules/shell_win_danfuan.yar
new file mode 100644
index 0000000..49c864e
--- /dev/null
+++ b/yara_rules/shell_win_danfuan.yar
@@ -0,0 +1,19 @@
+rule shell_win_danfuan {
+    meta:
+        id = "d1cf9988-270b-4a22-bdd5-f40b625715a8"
+        version = "1.0"
+        description = "Detect the Danfuan malware"
+        author = "Sekoia.io"
+        creation_date = "2022-11-04"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "<%@ WebHandler Language=\"C#\" class=\"DynamicCodeCompiler\"%>"
+        $ = "CompilerResults compilerResults = compiler.CompileAssemblyFromSource(comPara, SourceText(txt))"
+        $ = "MethodInfo objMifo = objInstance.GetType().GetMethod("
+        
+    condition:
+        filesize < 15KB
+        and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/spyware_and_bahamut.yar b/yara_rules/spyware_and_bahamut.yar
new file mode 100644
index 0000000..aa6828b
--- /dev/null
+++ b/yara_rules/spyware_and_bahamut.yar
@@ -0,0 +1,21 @@
+rule spyware_and_bahamut {
+    meta:
+        id = "d416997e-baf1-412c-bf39-905a6e19b65e"
+        version = "1.0"
+        description = "Detect Bahamut's spyware based on common information gathering function names"
+        author = "Sekoia.io"
+        creation_date = "2022-11-23"
+        classification = "TLP:CLEAR"
+        reference = "https://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targets-android-users-fake-vpn-apps/"
+        hash1 = "c51dc2132c830c560aaeae4bf48e5f0d28c84b36d27840b5c2ba170d87f4afa5"
+        hash2 = "d7e2cf642b236dba9ba0cbe5a9dc28baf22477973d5ce163e21ec40f5f26e078"
+        
+    strings:
+        $ = "FbDao"
+        $ = "SignalDao"
+        $ = "conionDao"
+        
+    condition:
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/spyware_and_fastfire.yar b/yara_rules/spyware_and_fastfire.yar
new file mode 100644
index 0000000..8742420
--- /dev/null
+++ b/yara_rules/spyware_and_fastfire.yar
@@ -0,0 +1,24 @@
+rule spyware_and_fastfire {
+    meta:
+        id = "93c0ffd5-faa5-4ead-8848-1c44b459dc29"
+        version = "1.0"
+        description = "Detect the FastFire malware"
+        author = "Sekoia.io"
+        creation_date = "2022-11-03"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $funct1 = {22 00 87 18 70 20 f3 ae 40 00 6e 10 f4 ae 00 00 0c 04 1f 04 16 19 13 00 28 23 6e 20 e3 ae 04 00 12 10 6e 20 e5 ae 04 00 1a 00 25 19 6e 20 ea ae 04 00 28 05 0d 00 6e 10 ef ae 00 00 6e 10 da ae 04 00 6e 10 e1 ae 04 00 0a 00 13 01 c8 00 32 10 20 00 1c 00 ea 17 6e 10 73 ad 00 00 0c 00 22 01 60 18 70 10 5d ae 01 00 1a 02 ff 50 6e 20 69 ae 21 00 6e 10 e1 ae 04 00 0a 04 6e 20 64 ae 41 00 6e 10 72 ae 01 00 0c 04 71 20 1d 09 40 00}
+        $funct2 = {22 00 77 00 1a 01 88 56 70 20 f1 02 10 00 15 01 00 10 6e 20 f4 02 10 00 1a 01 80 8d 6e 20 32 ae 13 00 0a 01 38 01 0b 00 1a 01 25 76 71 10 b3 06 01 00 0c 01 6e 20 22 03 10 00 1a 01 56 61 6e 20 32 ae 13 00 0a 01 38 01 0b 00 1a 01 23 76 71 10 b3 06 01 00 0c 01 6e 20 22 03 10 00 1a 01 55 66 6e 20 32 ae 13 00 0a 03 38 03 0b 00 1a 03 24 76 71 10 b3 06 03 00 0c 03 6e 20 22 03 30 00 13 03 64 00 15 01 00 08 71 40 07 02 32 10 0c 03 11 03}
+        $s0 = "TokenResult{token="
+        $s1 = "[-] Send Resp Code ="
+        $s2 = "/report_token/report_token.php?token="
+        $s3 = "naver"
+        $s4 = "daum"
+        $s5 = "facebook"
+        
+    condition:
+        uint32be(0)==0x6465780A
+        and (1 of ($funct*) or all of ($s*))
+}
+        
\ No newline at end of file
diff --git a/yara_rules/spyware_and_strongpity_mobile_backdoor.yar b/yara_rules/spyware_and_strongpity_mobile_backdoor.yar
new file mode 100644
index 0000000..63decd0
--- /dev/null
+++ b/yara_rules/spyware_and_strongpity_mobile_backdoor.yar
@@ -0,0 +1,16 @@
+rule spyware_and_strongpity_mobile_backdoor {
+    meta:
+        id = "58ceb85b-d94f-47b2-86e4-59bd41f4fea8"
+        version = "1.0"
+        description = "Detect the mobile backdoor using the name used in the certificate"
+        author = "Sekoia.io"
+        creation_date = "2023-01-16"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "Elizabeth Mckinsen0"
+        
+    condition:
+        all of them and filesize > 2MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/stealer_win_demotryspy.yar b/yara_rules/stealer_win_demotryspy.yar
new file mode 100644
index 0000000..0945074
--- /dev/null
+++ b/yara_rules/stealer_win_demotryspy.yar
@@ -0,0 +1,23 @@
+rule stealer_win_demotryspy {
+    meta:
+        id = "70af0e40-b177-49a3-bff4-723f3f4aa375"
+        version = "1.0"
+        author = "Sekoia.io"
+        creation_date = "2024-02-09"
+        classification = "TLP:CLEAR"
+        reference = "https://paper.seebug.org/3115/"
+        
+    strings:
+        $demotry1 = "DemoTry.exe"
+        $demotry2 = "DemoTry\\Release\\DemoTry.pdb"
+        
+        $wide1 = "\\loc.tmp" wide
+        $wide2 = "\\log.tmp" wide
+        $wide3 = "\\Google\\Chrome\\User Data" wide
+        $wide4 = "\\Default\\Login data" wide
+        $wide5 = "\\Local State" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and (1 of ($demotry*) or all of ($wide*))
+}
+        
\ No newline at end of file
diff --git a/yara_rules/stealer_win_luca.yar b/yara_rules/stealer_win_luca.yar
new file mode 100644
index 0000000..38c805d
--- /dev/null
+++ b/yara_rules/stealer_win_luca.yar
@@ -0,0 +1,50 @@
+import "pe"
+        
+rule stealer_win_luca {
+    meta:
+        id = "d2cc1442-0ba5-4e81-9fea-e9e078903eed"
+        version = "1.0"
+        description = "Detect Luca stealer. Open source Rust stealer."
+        author = "Sekoia.io"
+        creation_date = "2022-07-26"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "cookies"
+        $ = "creditcards"
+        $ = "/Default/Network/CookiesUser Data/Default/Network/Cookies_cookies"
+        $ = "/Default/Web DataUser Data/Default/Web Data_webdata"
+        $ = "SELECT action_url, username_value, password_value FROM loginsSELECT card_number_encrypted, name_on_card, expiration_month, expiration_year FROM credit_cardsSELECT host_key, name, encrypted_value, path, expires_utc, is_secure FROM cookiesLOCALAPPDATA"
+        $ = "\\logsxc\\passwords_.txt"
+        $ = " Name:"
+        $ = "User: "
+        $ = "Installed Languages:  "
+        $ = "Operating System: "
+        $ = "Used/Installed RAM:  GB "
+        $ = "Cores available: "
+        $ = "\\screen-.png"
+        $ = "Username: "
+        $ = "Computer name: "
+        $ = "OS: "
+        $ = "Language: "
+        $ = "Hostname: "
+        $ = "=> networks: B"
+        $ = "=> system:total memory:  KB"
+        $ = "used memory : "
+        $ = "total swap  : "
+        $ = "used swap   : "
+        $ = "NB CPUs: "
+        $ = "Passwords: "
+        $ = "Wallets: "
+        $ = "Files: "
+        $ = "Credit Cards: "
+        $ = "sensfiles.zip"
+        
+    condition:
+        uint16(0)==0x5A4D
+        and filesize > 4000KB
+        and pe.rich_signature.toolid(0, 0)
+        and pe.number_of_resources == 0
+        and 15 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/stealer_win_mgbot_credential_stealer.yar b/yara_rules/stealer_win_mgbot_credential_stealer.yar
new file mode 100644
index 0000000..43dbd3b
--- /dev/null
+++ b/yara_rules/stealer_win_mgbot_credential_stealer.yar
@@ -0,0 +1,22 @@
+rule stealer_win_mgbot_credential_stealer {
+    meta:
+        id = "e06501c1-c842-43f7-a429-9026bc0a4fd4"
+        version = "1.0"
+        description = "Detect MgBot credential stealer plugin"
+        author = "Sekoia.io"
+        creation_date = "2024-03-20"
+        classification = "TLP:CLEAR"
+        hash1 = "174a62201c7e2af67b7ad37bf7935f064a379f169cf257ca16e912a46ecc9841"
+        hash2 = "cb7d9feda7d8ebfba93ec428d5a8a4382bf58e5a70e4b51eb1938d2691d5d4a5"
+        reference = "https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-malware-updates-popular-chinese-software/"
+        
+    strings:
+        $ = "Software\\Aerofox\\Foxmail\\Indenties" wide
+        $ = "Software\\Aerofox\\FoxmailPreview" wide
+        $ = "IMAP Password" wide
+        $ = "POP3 Password" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/stealer_win_strela.yar b/yara_rules/stealer_win_strela.yar
new file mode 100644
index 0000000..7a44e7a
--- /dev/null
+++ b/yara_rules/stealer_win_strela.yar
@@ -0,0 +1,21 @@
+rule stealer_win_strela {
+    meta:
+        id = "2c98f84a-4329-476b-98b8-d8e2387b1b69"
+        version = "1.0"
+        description = "Detects IOCs related to the Strela stealer"
+        author = "Sekoia.io"
+        creation_date = "2024-04-09"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "SOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\" ascii fullword
+        $s2 = "%s%s\\logins.json" ascii fullword
+        $s3 = "%s%s\\key4.db" ascii fullword
+        $s4 = "\\Thunderbird\\Profiles\\" ascii fullword
+        $s5 = "/server.php" ascii fullword
+        $s6 = "out.dll" ascii fullword
+        
+    condition:
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/storm_1811_files_dat.yar b/yara_rules/storm_1811_files_dat.yar
new file mode 100644
index 0000000..99699c8
--- /dev/null
+++ b/yara_rules/storm_1811_files_dat.yar
@@ -0,0 +1,25 @@
+rule storm_1811_files_dat {
+    meta:
+        id = "8b14f276-0c39-422b-9b19-d96b139a7ae8"
+        version = "1.0"
+        description = "Detects files used in a campaign performed by the intrusion set Storm-1811"
+        author = "Sekoia.io"
+        creation_date = "2024-06-10"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "RuntimeBroker" ascii fullword
+        $s2 = "InstallSpamFilters" ascii fullword
+        $s3 = "newfile333.txt" ascii fullword
+        $s4 = "Installing spam filter kb_outlook" ascii fullword
+        $s5 = "s.zip" ascii fullword
+        $s6 = "Update completed" ascii fullword
+        $s7 = "Updates installed" ascii fullword
+        $s8 = "update_log.tgz uploaded ok" ascii fullword
+        $s9 = "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" ascii fullword
+        $s10 = "runtimebroker_connect" ascii fullword
+        
+    condition:
+        5 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/storm_1811_screenconnect_update.yar b/yara_rules/storm_1811_screenconnect_update.yar
new file mode 100644
index 0000000..6ba2f67
--- /dev/null
+++ b/yara_rules/storm_1811_screenconnect_update.yar
@@ -0,0 +1,23 @@
+rule storm_1811_screenconnect_update {
+    meta:
+        id = "252ef24a-14dc-41e8-ba91-dcb9b6deb428"
+        version = "1.0"
+        description = "Detects files used in a campaign performed by the intrusion set Storm-1811"
+        author = "Sekoia.io"
+        creation_date = "2024-06-11"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "upd100.appspot.com/update/u.zip" ascii fullword
+        $s2 = "Unzip ok" ascii fullword
+        $s3 = "Installing update" ascii fullword
+        $s4 = "Administrators" ascii fullword
+        $s5 = "I am not admin" ascii fullword
+        $s6 = "I am admin" ascii fullword
+        $s7 = "ScreenConnect.ClientSetup.exe" ascii fullword
+        $s8 = "for %%x in (%IPS%) do (" ascii fullword
+        
+    condition:
+        6 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/strongpity_malware.yar b/yara_rules/strongpity_malware.yar
new file mode 100644
index 0000000..17c9db7
--- /dev/null
+++ b/yara_rules/strongpity_malware.yar
@@ -0,0 +1,22 @@
+rule strongpity_malware {
+    meta:
+        id = "f19a685c-599d-42cf-a5d8-7a2375102f97"
+        version = "1.0"
+        description = "Detects obfuscation used by StrongPity"
+        author = "Sekoia.io"
+        creation_date = "2024-02-26"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        /*
+        Detects things like :
+        v14= rand() % 8 + 2;
+        */
+        $rand_edi = {E8 ?? ?? ?? ??    8B F8 81 E7 07 00 00 80    79 ?? 4F 83 CF F8 47 83 C7 02}
+        $rand_esi = {E8 ?? ?? ?? ?? 8B F0 81 E6 07 00 00 80 79 ?? 4E 83 CE F8 46 83 C6 02}
+        $rand_eax = {E8 ?? ?? ?? ??    25 07 00 00 80 79 ?? 48 83 C8 F8 40 83 C0 02}
+        
+    condition:
+        uint16be(0) == 0x4d5a and #rand_edi + #rand_esi + #rand_eax>20
+}
+        
\ No newline at end of file
diff --git a/yara_rules/suspicious_users_dev.yar b/yara_rules/suspicious_users_dev.yar
new file mode 100644
index 0000000..f16c2e1
--- /dev/null
+++ b/yara_rules/suspicious_users_dev.yar
@@ -0,0 +1,20 @@
+rule suspicious_users_dev {
+    meta:
+        id = "9e8af456-6f84-4922-a262-20b8f5c8a1eb"
+        version = "1.0"
+        description = "Nirscord stealer"
+        author = "Sekoia.io"
+        creation_date = "2022-12-22"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $user1 = "\\Users\\raghus1\\" ascii
+        $user2 = "\\Users\\drill\\" ascii
+        $key = {58 69 b3 5f b3 87 74 f6 65 eb 96 e7 6f 4d 16 83 }
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 6MB and
+        1 of ($user*) and $key
+}
+        
\ No newline at end of file
diff --git a/yara_rules/ta410_control_flow_obfuscation.yar b/yara_rules/ta410_control_flow_obfuscation.yar
new file mode 100644
index 0000000..996fc64
--- /dev/null
+++ b/yara_rules/ta410_control_flow_obfuscation.yar
@@ -0,0 +1,25 @@
+rule ta410_control_flow_obfuscation {
+    meta:
+        id = "2a784f9b-3624-4c5d-8a64-db7d3c33a8f7"
+        version = "1.0"
+        description = "Detects control flow obfuscation used by TA410 in XXXModule_dlcore0"
+        author = "Sekoia.io"
+        creation_date = "2022-10-11"
+        classification = "TLP:CLEAR"
+        hash = "6cf78943728286d0bddd99049d81065673ab7f679029cdd5f5dc69f90197136e"
+        
+    strings:
+        $chunk_1 = {
+        E8 ?? ?? ?? ??
+        83 C0 10
+        3D 00 00 00 80
+        7D 01
+        EB ff
+        }
+        
+        $chunk_2 = {83 C0 10 3D 00 00 00 80 7d 01 eb ff e0 50 c3 75} //Complete obfuscation
+        
+    condition:
+        uint16be(0) == 0x4d5a and filesize < 10MB and any of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/technique_csv_dde_exec_regex.yar b/yara_rules/technique_csv_dde_exec_regex.yar
new file mode 100644
index 0000000..96c7e9b
--- /dev/null
+++ b/yara_rules/technique_csv_dde_exec_regex.yar
@@ -0,0 +1,20 @@
+rule technique_csv_dde_exec_regex {
+    meta:
+        id = "71d0e987-51ab-49bc-9d0d-d2f9006af1de"
+        version = "1.0"
+        description = "Find .csv file exploiting DDE technique"
+        author = "Sekoia.io"
+        creation_date = "2022-02-02"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $cmd0 = /=\s*wmic\|/ nocase
+        $cmd1 = /=\s*cmd\|/ nocase
+        $cmd2 = /=\s*wscript\|/ nocase
+        $cmd3 = /=\s*cscript\|/ nocase
+        $cmd4 = /=\s*powershell\|/ nocase
+        
+    condition:
+        any of ($cmd*) and filesize < 20000
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tinyfluff_nodejs.yar b/yara_rules/tinyfluff_nodejs.yar
new file mode 100644
index 0000000..0cd7344
--- /dev/null
+++ b/yara_rules/tinyfluff_nodejs.yar
@@ -0,0 +1,22 @@
+rule tinyfluff_nodejs {
+    meta:
+        id = "ca8cbd90-f275-4442-8354-b8b069e2efc3"
+        version = "1.0"
+        description = "Detect TinyFluff backdoor by OldGremlin"
+        author = "Sekoia.io"
+        creation_date = "2022-04-20"
+        classification = "TLP:CLEAR"
+        reference = "https://blog.group-ib.com/oldgremlin_comeback"
+        hash = "bd0a6a3628f268a37ac9d708d03f57feef5ed55e"
+        hash = "bd0a6a3628f268a37ac9d708d03f57feef5ed55e"
+        
+    strings:
+        $s1 = "TinyFluff.pdb" fullword ascii
+        $s2 = "node.exe" fullword wide
+        
+    condition:
+        filesize < 500KB and
+        uint16be(0) == 0x4d5a and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_3proxy_strings.yar b/yara_rules/tool_3proxy_strings.yar
new file mode 100644
index 0000000..2f5d459
--- /dev/null
+++ b/yara_rules/tool_3proxy_strings.yar
@@ -0,0 +1,19 @@
+rule tool_3proxy_strings {
+    meta:
+        id = "daf6cd97-8033-4bfd-88b5-41c06eb417b0"
+        version = "1.0"
+        description = "Detects 3proxy based on strings"
+        author = "Sekoia.io"
+        creation_date = "2024-03-14"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "of 3proxy-"
+        $ = "-pPORT - service port to accept connections"
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        filesize < 500KB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_advancedrun_strings.yar b/yara_rules/tool_advancedrun_strings.yar
new file mode 100644
index 0000000..076d46e
--- /dev/null
+++ b/yara_rules/tool_advancedrun_strings.yar
@@ -0,0 +1,21 @@
+rule tool_advancedrun_strings {
+    meta:
+        id = "842a996e-0cf2-485f-9d3c-ccbd40c9ab6c"
+        version = "1.0"
+        description = "Detects AdvancedRun strings"
+        author = "Sekoia.io"
+        creation_date = "2024-09-06"
+        classification = "TLP:CLEAR"
+        hash = "a1d50ebe6124584f32de0625475cdb74"
+        
+    strings:
+        $ = "nirsoft.net" wide
+        $ = "Another logged-in user" wide
+        $ = "Choose config file to save" wide
+        $ = "AdvancedRun" ascii wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        all of them and filesize < 1MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_bore_rust_any_platform.yar b/yara_rules/tool_bore_rust_any_platform.yar
new file mode 100644
index 0000000..1c3fceb
--- /dev/null
+++ b/yara_rules/tool_bore_rust_any_platform.yar
@@ -0,0 +1,29 @@
+rule tool_bore_rust_any_platform {
+    meta:
+        id = "c0ec0d72-de8e-4b96-9db6-a7a4e2f693f1"
+        version = "1.0"
+        description = "Detects bore tunneling tool"
+        author = "Sekoia.io"
+        creation_date = "2023-07-28"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "bore_cli::" ascii
+        $ = "server handshake failed" ascii
+        $ = "server listening" ascii
+        $ = "connected to server" ascii
+        $ = "server requires authentication, but no client secret was provided" ascii
+        $ = "client port number too low" ascii
+        $ = "forwarding connection" ascii
+        $ = "Address of the remote server to expose local ports" ascii
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or
+         uint32be(0) == 0xfeedface or
+         uint32be(0) == 0xfeedfacf or
+         uint32be(0) == 0xcafebabe or
+         uint16be(0) == 0x4d5a) and
+        filesize < 15MB and
+        5 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_bypassgodzilla.yar b/yara_rules/tool_bypassgodzilla.yar
new file mode 100644
index 0000000..a4fb307
--- /dev/null
+++ b/yara_rules/tool_bypassgodzilla.yar
@@ -0,0 +1,39 @@
+rule tool_bypassgodzilla {
+    meta:
+        id = "fa492f97-a46c-422d-a617-c503744ee22e"
+        version = "1.0"
+        description = "Detects payload of BypassGodzilla"
+        author = "Sekoia.io"
+        creation_date = "2024-09-09"
+        classification = "TLP:CLEAR"
+        hash = "571c9042c627abba19ba1d591e2083eb"
+        hash = "56cfc5a876f8f55bf184be9f368b6d8a"
+        hash = "d4f7ca537701aee8849c474bc4df19d1"
+        hash = "e4be04331c5f447b3ca03aa637d16c85"
+        hash = "905fa3b692577a086ac654ef89e8b83d"
+        
+    strings:
+        $jsp_1a = "response.getWriter().write(\""
+        $jsp_1b = "\".substring("
+        $jsp_2a = "response.getWriter().write(java.util.Base64/*"
+        $jsp_2b = "*/.getEncoder()/*"
+        $jsp_2c = ".toByteArray(),true)));"
+        
+        $asp_1 = "[\"payload\"]).CreateInstance(\"LY\");"
+        $asp_2 = "\\U00000045\\U00000071\\U00000075\\U00000061\\U0000006C\\U00000073(Context);"
+        
+        $php_1 = "=(\"!\"^\"@\").'ss'.Chr(\"101\").'rs';"
+        $php_2 = "*/md5/*"
+        $php_3 = "*/isset($_SESSION/*"
+        $php_4 = "@set_time_limit(Chr(\"48\"))"
+        
+    condition:
+        (
+            (all of ($jsp_*) and (@jsp_1b-@jsp_1a < 70) and (@jsp_2b-@jsp_2a < 70) and (@jsp_2c - @jsp_2a < 160)) or
+            (all of ($asp_*) and (@asp_2 > @asp_1)) or
+            (all of ($php_*))
+        ) and
+        filesize < 30KB and 
+        true
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_cheat_engine.yar b/yara_rules/tool_cheat_engine.yar
new file mode 100644
index 0000000..3a68b28
--- /dev/null
+++ b/yara_rules/tool_cheat_engine.yar
@@ -0,0 +1,23 @@
+rule tool_cheat_engine {
+    meta:
+        id = "51d4246c-f7a1-4589-8f97-bd85d1fe4a0e"
+        version = "1.0"
+        description = "Detects Cheat Engine driver"
+        author = "Sekoia.io"
+        creation_date = "2024-07-22"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "ObOpenObjectByName" wide
+        $s2 = "PsGetProcessImageFileName" wide
+        $s3 = "PsRemoveCreateThreadNotifyRoutine" wide
+        $s4 = "PsSuspendProcess" wide
+        $s5 = "PsResumeProcess" wide
+        $s6  = "\\device\\physicalmemory" wide
+        $log = "%sCPU%d.trace" wide
+        $ioctl_code = {04 E1 22 00} //base for IOCTL code
+        
+    condition:
+        uint16be(0) == 0x4d5a and filesize < 200KB and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_chisel_strings.yar b/yara_rules/tool_chisel_strings.yar
new file mode 100644
index 0000000..ab4beed
--- /dev/null
+++ b/yara_rules/tool_chisel_strings.yar
@@ -0,0 +1,22 @@
+rule tool_chisel_strings {
+    meta:
+        id = "667a8aa3-772b-45f1-8c89-acb7b976888d"
+        version = "1.0"
+        description = "Detects Chisel"
+        author = "Sekoia.io"
+        creation_date = "2024-03-14"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "tunnel.(*Tunnel).handleSSHChannel."
+        $ = "server.(*Server).handleWebsocket"
+        $ = "tunnel.(*udpHandler)"
+        $ = "server.(*Server).tlsLetsEncrypt"
+        $ = "cnet.(*wsConn).SetPingHandler.(*Conn)"
+        $ = "tunnel.(*udpConns).dial."
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        filesize < 15MB and 3 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_dogtunnel_strings.yar b/yara_rules/tool_dogtunnel_strings.yar
new file mode 100644
index 0000000..ff973aa
--- /dev/null
+++ b/yara_rules/tool_dogtunnel_strings.yar
@@ -0,0 +1,21 @@
+rule tool_dogtunnel_strings {
+    meta:
+        id = "00705613-6367-454f-b3f2-1e2b0a52459c"
+        version = "1.0"
+        description = "Detects Dog Tunnel based on strings"
+        author = "Sekoia.io"
+        creation_date = "2024-03-14"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "pipe.(*UDPMakeSession).doAndWait"
+        $ = "ikcp.ikcp_parse_fastack"
+        $ = "pipe.ListenWithSetting"
+        $ = "pipe.DialTimeoutWithSetting"
+        $ = "common.ReadUDP"
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) 
+        and all of them and filesize < 10MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_dynamicwrapper_strings.yar b/yara_rules/tool_dynamicwrapper_strings.yar
new file mode 100644
index 0000000..dd8677e
--- /dev/null
+++ b/yara_rules/tool_dynamicwrapper_strings.yar
@@ -0,0 +1,20 @@
+rule tool_dynamicwrapper_strings {
+    meta:
+        id = "bbfad0a8-8b86-47c7-bf70-0a3f6859d64b"
+        version = "1.0"
+        description = "Detects DynamicWrapperX"
+        author = "Sekoia.io"
+        creation_date = "2023-12-01"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "Software\\Classes\\DynamicWrapperX" ascii
+        $ = "DllRegisterServer" ascii
+        $ = "GoLink, GoAsm" ascii
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 100KB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_edrsandblast_api_strings.yar b/yara_rules/tool_edrsandblast_api_strings.yar
new file mode 100644
index 0000000..46e340a
--- /dev/null
+++ b/yara_rules/tool_edrsandblast_api_strings.yar
@@ -0,0 +1,22 @@
+rule tool_edrsandblast_api_strings {
+    meta:
+        id = "8a5dc171-dce8-4b5a-96e9-53dd1855e8c1"
+        version = "1.0"
+        description = "Detects EDRSandblast API strings"
+        author = "Sekoia.io"
+        creation_date = "2024-01-08"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "[!] Required driver file not present at" wide
+        $ = "[!] New uninstall / install attempt failed" wide
+        $ = "[!] Kernel offsets are missing from the CSV" wide
+        $ = "[+] Downloading wdigest offsets from the MS Symbol Server" wide
+        $ = "[+] Check if EDR callbacks are registered on process" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 1MB and
+        4 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_edrsandblast_cli_strings.yar b/yara_rules/tool_edrsandblast_cli_strings.yar
new file mode 100644
index 0000000..9690b6f
--- /dev/null
+++ b/yara_rules/tool_edrsandblast_cli_strings.yar
@@ -0,0 +1,20 @@
+rule tool_edrsandblast_cli_strings {
+    meta:
+        id = "baf3c68a-1d28-464e-8240-28cc66c8c151"
+        version = "1.0"
+        description = "Detects EDRSandblast CLI strings"
+        author = "Sekoia.io"
+        creation_date = "2024-01-08"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "[!] LSASS dump might fail if RunAsPPL" wide
+        $ = "[!] You did not provide at least one option between" wide
+        $ = "[+] Detecting userland hooks in all loaded DLLs" wide
+        $ = "[+] Saving them to the CSV file" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        4 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_edrsandblast_kernelcallbacks.yar b/yara_rules/tool_edrsandblast_kernelcallbacks.yar
new file mode 100644
index 0000000..1fef06c
--- /dev/null
+++ b/yara_rules/tool_edrsandblast_kernelcallbacks.yar
@@ -0,0 +1,20 @@
+rule tool_edrsandblast_kernelcallbacks {
+    meta:
+        id = "74cf4444-5bd6-4167-930a-5dbf2e529f92"
+        version = "1.0"
+        description = "Detects EDRSandblast KernelCallbacks strings"
+        author = "Sekoia.io"
+        creation_date = "2024-11-25"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "[+] '%s' service ACL configured to for Everyone" wide
+        $ = "%s callback of EDR driver \"%s\" [callback addr: 0x%I64x" wide
+        $ = "[!] Could not resolve %s kernel module's address" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 3MB and
+        3 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_edrsandblast_strings.yar b/yara_rules/tool_edrsandblast_strings.yar
new file mode 100644
index 0000000..923ad91
--- /dev/null
+++ b/yara_rules/tool_edrsandblast_strings.yar
@@ -0,0 +1,30 @@
+rule tool_edrsandblast_strings {
+    meta:
+        id = "7059b89c-80b5-4768-b3eb-02f173f628b0"
+        version = "1.0"
+        description = "Detects EDRSandblast strings"
+        author = "Sekoia.io"
+        creation_date = "2024-01-08"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "[!] Cred Guard bypass failed: obtained invalid" wide
+        $ = "[!] Cred Guard bypass non fatal error:" wide
+        $ = "[+] Successfully overwrote wdigest's g_fParameter_UseLogonCredential" wide
+        $ = "[!] ERROR: could not allocate memory for the handl" wide
+        $ = "[+] [ProcessProtection] Found the handle of the current" wide
+        $ = "[+] [ProcessProtection] Found self process EPROCCES struct at" wide
+        $ = "ETW Threat Intel ProviderEnableInfo address could not be found." wide
+        $ = "The ETW Threat Intel provider was successfully" wide
+        $ = "[+] [NotifyRountines]" wide
+        $ = "[callback addr: 0x" wide
+        $ = "EDR / security products driver(s)" wide
+        $ = "Object callback offsets not loaded ! Aborting..." wide
+        $ = "No more space to store object callbacks !!" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 1MB and
+        3 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_efspotato.yar b/yara_rules/tool_efspotato.yar
new file mode 100644
index 0000000..11ade38
--- /dev/null
+++ b/yara_rules/tool_efspotato.yar
@@ -0,0 +1,18 @@
+rule tool_efspotato {
+    meta:
+        id = "4440ea37-d7d0-4107-867c-576c6e2f4f7e"
+        version = "1.0"
+        author = "Sekoia.io"
+        creation_date = "2023-08-23"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "usage: EfsPotato <cmd> [pipe]" ascii wide
+        $s2 = "Exploit for EfsPotato(MS-EFSR EfsRpcEncryptFileSrv with SeImpersonatePrivilege local privalege escalation vulnerability)." ascii wide
+        $s3 = "Part of GMH's fuck Tools, Code By zcgonvh." ascii wide
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        filesize < 4MB and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_ehole.yar b/yara_rules/tool_ehole.yar
new file mode 100644
index 0000000..bac9384
--- /dev/null
+++ b/yara_rules/tool_ehole.yar
@@ -0,0 +1,22 @@
+rule tool_ehole {
+    meta:
+        id = "7d30ffd0-fada-4ef4-98c3-5572a4e1e140"
+        version = "1.0"
+        author = "Sekoia.io"
+        creation_date = "2023-06-23"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "main.http400"
+        $s2 = "main.fofa_c"
+        $s3 = "main.Jsjump"
+        $s4 = "main.StandBase64"
+        $s5 = "main.fofa_http"
+        $s6 = "main.fofa_seach"
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        filesize < 11MB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_enum4linux_strings.yar b/yara_rules/tool_enum4linux_strings.yar
new file mode 100644
index 0000000..0b9b20f
--- /dev/null
+++ b/yara_rules/tool_enum4linux_strings.yar
@@ -0,0 +1,23 @@
+rule tool_enum4linux_strings {
+    meta:
+        id = "6b3094fe-1292-4da3-a1ed-9e255be531da"
+        version = "1.0"
+        description = "Detects enum4linux based on strings"
+        author = "Sekoia.io"
+        creation_date = "2024-02-02"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "my $os_info = `$command`;"
+        $ = "($global_workgroup) = $os_info =~"
+        $ = "sub enum_groups {"
+        $ = "if ($shares =~ /NT_STATUS_ACCESS_DENIED/) {"
+        $ = "Can't open share list file $shares_file"
+        $ = "my $users = `$command`;"
+        $ = "my @shares = <SHARES>;"
+        $ = "foreach my $grouptype (\"builtin\", \"domain\") {"
+        
+    condition:
+        6 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_execit_obfuscator_strings.yar b/yara_rules/tool_execit_obfuscator_strings.yar
new file mode 100644
index 0000000..7b61762
--- /dev/null
+++ b/yara_rules/tool_execit_obfuscator_strings.yar
@@ -0,0 +1,29 @@
+rule tool_execit_obfuscator_strings {
+    meta:
+        id = "59eaeb20-150b-41a4-b866-1c91a07623ac"
+        version = "1.0"
+        description = "Detects ExecIT Dlls"
+        author = "Sekoia.io"
+        creation_date = "2024-09-11"
+        classification = "TLP:CLEAR"
+        hash = "1c185e2e11d8eadccfb130766ca30d85"
+        hash = "a0898f57f2b139ea278d8a7e97bbe358"
+        hash = "e0e12a8891f5585ce1ad55dbffb4f9c2"
+        hash = "d4102676d536bacffcf6c94364e26828"
+        
+    strings:
+        $ = "yromeMlautriVetacollAtN"
+        $ = "xEdaerhTetaerCtN"
+        $ = "tcejbOelgniSroFtiaWtN"
+        $ = "lld.esablenrek"
+        $ = "txetnoCdaerhTteG"
+        $ = "txetnoCdaerhTteS"
+        $ = "cef_api_hash"
+        $ = "cef_execute_process"
+        $ = "cef_get_path"
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        5 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_exploit_badpotato_strings.yar b/yara_rules/tool_exploit_badpotato_strings.yar
new file mode 100644
index 0000000..e09b94e
--- /dev/null
+++ b/yara_rules/tool_exploit_badpotato_strings.yar
@@ -0,0 +1,23 @@
+rule tool_exploit_badpotato_strings {
+    meta:
+        id = "079aabbc-6978-4d71-92d2-d2a7ce1cc915"
+        version = "1.0"
+        description = "Detects BadPotato compiled exploit"
+        author = "Sekoia.io"
+        creation_date = "2022-09-09"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "RpcStringBindingCompose failed with status 0x" wide
+        $ = "RpcBindingFromStringBinding failed with status 0x" wide
+        $ = "RpcBindingSetAuthInfoEx failed with status 0x" wide
+        $ = "RpcBindingSetOption failed with status 0x" wide
+        $ = "\\\\.\\pipe\\{0}\\pipe\\spoolss" wide
+        $ = "[*] {0} Success! ProcessPid:{1}" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 1MB and
+        5 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_exploit_comahawk_strings.yar b/yara_rules/tool_exploit_comahawk_strings.yar
new file mode 100644
index 0000000..1f105d7
--- /dev/null
+++ b/yara_rules/tool_exploit_comahawk_strings.yar
@@ -0,0 +1,22 @@
+rule tool_exploit_comahawk_strings {
+    meta:
+        id = "cc0d10ae-1a14-48c1-9c45-d65fac15f8f1"
+        version = "1.0"
+        description = "Detects COMahawk exploit compiled binaries"
+        author = "Sekoia.io"
+        creation_date = "2022-09-09"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "sc config UsoSvc binpath=" wide
+        $ = "binpath= \"cmd.exe /c net localgroup administrators /add"
+        $ = "[+] Command executed."
+        $ = "Release\\COMahawk.pdb"
+        $ = " is added as an admin."
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 1MB and
+        3 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_exploit_rottenpotato_strings.yar b/yara_rules/tool_exploit_rottenpotato_strings.yar
new file mode 100644
index 0000000..6b7d0ba
--- /dev/null
+++ b/yara_rules/tool_exploit_rottenpotato_strings.yar
@@ -0,0 +1,28 @@
+rule tool_exploit_rottenpotato_strings {
+    meta:
+        id = "453646d4-b128-40ea-8840-4c53b8f1e486"
+        version = "1.0"
+        description = "Detects RottenPotato compiled binaries"
+        author = "Sekoia.io"
+        creation_date = "2022-09-09"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "WSAStartup failed with error: %d"
+        $ = "getaddrinfo failed with error: %d"
+        $ = "RPC -> send failed with error: %d"
+        $ = "RPC-> Connection closed"
+        $ = "COM -> bytes sent: %d"
+        $ = "COM -> recv failed with error: %d"
+        $ = "Running %S with args %S"
+        $ = "[-] Failed to create proc: %d"
+        $ = "Waiting for auth..."
+        $ = "Auth result: %d"
+        $ = "SeImpersonatePrivilege" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 1MB and
+        8 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_generic_python_reverse_shell_strings.yar b/yara_rules/tool_generic_python_reverse_shell_strings.yar
new file mode 100644
index 0000000..020e973
--- /dev/null
+++ b/yara_rules/tool_generic_python_reverse_shell_strings.yar
@@ -0,0 +1,17 @@
+rule tool_generic_python_reverse_shell_strings {
+    meta:
+        id = "5b926d15-4f21-428c-a9fa-ee085a98d42b"
+        version = "1.0"
+        description = "Detects reverse shell"
+        author = "Sekoia.io"
+        creation_date = "2024-04-16"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "import sys,socket,os,pty;"
+        $ = "[os.dup2(s.fileno(),fd) for fd in (0,1,2)]"
+        
+    condition:
+        all of them and filesize < 1000
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_godpotato.yar b/yara_rules/tool_godpotato.yar
new file mode 100644
index 0000000..f1a3027
--- /dev/null
+++ b/yara_rules/tool_godpotato.yar
@@ -0,0 +1,24 @@
+rule tool_godpotato {
+    meta:
+        id = "cc396771-f187-43ae-903f-147d15483c46"
+        version = "1.0"
+        author = "Sekoia.io"
+        creation_date = "2023-08-23"
+        classification = "TLP:CLEAR"
+        author = "Sekoia.io"
+        
+    strings:
+        $s1 = "[!] Cannot create process Win32Error:{0}" ascii wide
+        $s2 = "[*] process start with pid {0}" ascii wide
+        $s3 = "MEOW" ascii wide
+        $s4 = "2ae886c3-3272-40be-8d3c-ebaede9e61e1" ascii wide
+        $s5 = "GodPotatoUnmarshalTrigger" ascii wide
+        $s6 = "GodPotato.exe" ascii wide
+        $s7 = "GodPotato.exe" wide
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        filesize < 4MB and 
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_gost_tunnel_strings.yar b/yara_rules/tool_gost_tunnel_strings.yar
new file mode 100644
index 0000000..7b54d7e
--- /dev/null
+++ b/yara_rules/tool_gost_tunnel_strings.yar
@@ -0,0 +1,36 @@
+rule tool_gost_tunnel_strings {
+    meta:
+        id = "2de7aae9-9cf8-4007-aa27-5caea4123713"
+        version = "1.0"
+        description = "Detects GOST Go Tunnel, based on strings"
+        author = "Sekoia.io"
+        creation_date = "2023-02-28"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = ".(*shadowUDPHandler).transportUDP" ascii
+        $ = ".(*quicCipherConn).decrypt" ascii
+        $ = ".(*socks4aConnector).ConnectContext.func1" ascii
+        $ = ".(*mtlsTransporter).Handshake" ascii
+        $ = ".(*FIFOStrategy).Apply" ascii
+        $ = ".dnsTCPExchanger" ascii
+        $ = ".dohResponseWriter" ascii
+        $ = ".tcpRemoteForwardListener" ascii
+        $ = ".shadowUDPPacketConn" ascii
+        $ = ".sshTunnelListener" ascii
+        $ = "/listener/rtcp/listener.go" ascii
+        $ = "/handler/unix/handler.go" ascii
+        $ = "/handler/tunnel/tunnel.go"ascii
+        $ = "/internal/net/proxyproto/listener.go" ascii
+        $ = "/internal/util/serial/conn.go" ascii
+        $ = "github.com/go-gost/x" ascii
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or 
+         uint16be(0) == 0x4d5a or 
+         uint32be(0) == 0xcefaedfe or 
+         uint32be(0) == 0xcffaedfe or 
+         uint32be(0) == 0xbebafeca) and
+        5 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_gsocket_strings.yar b/yara_rules/tool_gsocket_strings.yar
new file mode 100644
index 0000000..c8f5456
--- /dev/null
+++ b/yara_rules/tool_gsocket_strings.yar
@@ -0,0 +1,29 @@
+rule tool_gsocket_strings {
+    meta:
+        id = "55fb2f2b-1074-4b6d-9113-48eaeb0e1e27"
+        version = "1.0"
+        description = "Detects Gsocket based on strings"
+        author = "Sekoia.io"
+        creation_date = "2024-06-10"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "proxy. It allows multiple gs-netcat clients to (securely) relay"
+        $ = "GS-NETCAT(1)            General Commands Manual          GS-NETCAT(1)"
+        $ = "-T      Use TOR. The gs-netcat tool will connect via TOR to the GSRN."
+        $ = "-D      Daemon & Watchdog mode. Start gs-netcat as a background process"
+        $ = "gs-netcat [-rlgvqwCTSDiu] [-s secret] [-k keyfile] [-L logfile] [-d IP]"
+        $ = "The gs-netcat utility is a re-implementation of netcat."
+        
+    condition:
+        (
+            uint32be(0) == 0x7f454c46 or 
+            uint16be(0) == 0x4d5a or 
+            uint32be(0) == 0xfeedface or 
+            uint32be(0) == 0xcffaedfe or 
+            uint32be(0) == 0xcafebabe
+        ) and
+        filesize > 2MB and filesize < 6MB and
+        2 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_htran_strings.yar b/yara_rules/tool_htran_strings.yar
new file mode 100644
index 0000000..77c2cbb
--- /dev/null
+++ b/yara_rules/tool_htran_strings.yar
@@ -0,0 +1,23 @@
+rule tool_htran_strings {
+    meta:
+        id = "0184937e-eefa-4c6d-ae00-9b0af80dc7db"
+        version = "1.0"
+        description = "Detects HTran based on strings"
+        author = "Sekoia.io"
+        creation_date = "2022-09-09"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "-slave <ConnectHost> <ConnectPort> <TransmitHost> <TransmitPort>"
+        $ = "-tran <ConnectPort> <TransmitHost> <TransmitPort>"
+        $ = "-listen <ConnectPort> <TransmitPort>"
+        $ = "[-] There is a error...Create a new connection."
+        $ = "[+] Start Transmit (%s:%d <-> %s:%d) ......"
+        $ = "[+] Accept a Client on port %d from %s"
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 1MB and
+        3 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_impersonate_strings.yar b/yara_rules/tool_impersonate_strings.yar
new file mode 100644
index 0000000..cee12de
--- /dev/null
+++ b/yara_rules/tool_impersonate_strings.yar
@@ -0,0 +1,27 @@
+import "pe"
+        
+rule tool_impersonate_strings {
+    meta:
+        id = "2ab345a2-9366-4673-b398-a59ba6954af5"
+        version = "1.0"
+        description = "Detects Impersonate"
+        author = "Sekoia.io"
+        creation_date = "2024-07-24"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "[*] Listing available tokens"
+        $ = "[ID: %2d][SESSION: %d][INTEGRITY: %-6ws][%-18ws][%-22ws] User: %ws"
+        $ = "[*] Impersonating %ws"
+        $ = "[!] Impersonation failed error: %d"
+        $ = "[*] Adding user %ls on %ls"
+        $ = "[!] Add user failed with error: %d"
+        $ = "[*] Adding user %ws to domain group %ws"
+        $ = "[!] Add user in domain %ws failed with error: %d"
+        $ = "[!] Couldn't change token session id (error: %d)"
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        3 of them or pe.imphash() == "e14ce763114276674e22b7b8b637bd4b"
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_inswor_strings.yar b/yara_rules/tool_inswor_strings.yar
new file mode 100644
index 0000000..a95602b
--- /dev/null
+++ b/yara_rules/tool_inswor_strings.yar
@@ -0,0 +1,19 @@
+rule tool_inswor_strings {
+    meta:
+        id = "99aaad33-510a-41b9-9022-800588c18d6d"
+        version = "1.0"
+        description = "Detects In-Swor based on strings"
+        author = "Sekoia.io"
+        creation_date = "2024-09-09"
+        classification = "TLP:CLEAR"
+        hash = "c393128a143b2a3397100b4a30c75112"
+        
+    strings:
+        $ = "open encrypted file error:" ascii
+        $ = "open config file error:" ascii
+        $ = "payload.ini" ascii
+        
+    condition:
+        uint16be(0) == 0x4d5a and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_iodine_strings.yar b/yara_rules/tool_iodine_strings.yar
new file mode 100644
index 0000000..fb6c54f
--- /dev/null
+++ b/yara_rules/tool_iodine_strings.yar
@@ -0,0 +1,21 @@
+rule tool_iodine_strings {
+    meta:
+        id = "029766cc-80fb-423d-adc5-8867c438c5d3"
+        version = "1.0"
+        description = "Detects iodine based on strings"
+        author = "Sekoia.io"
+        creation_date = "2024-02-02"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "Sending DNS queries for %s to %s"
+        $ = "No tun devices found, trying utun"
+        $ = "iodine IP over DNS tunneling client"
+        $ = "topdomain is the FQDN that is delegated to the tunnel endpoint."
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+         filesize < 1MB and
+        3 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_juicypotato_exploit_strings.yar b/yara_rules/tool_juicypotato_exploit_strings.yar
new file mode 100644
index 0000000..2de9492
--- /dev/null
+++ b/yara_rules/tool_juicypotato_exploit_strings.yar
@@ -0,0 +1,26 @@
+rule tool_juicypotato_exploit_strings {
+    meta:
+        id = "03d697ae-69a7-490b-8b3c-9a8c21fb46a2"
+        version = "1.0"
+        description = "Detects the JuicyPotato exploit based on strings"
+        author = "Sekoia.io"
+        creation_date = "2022-09-09"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "JuicyPotato v%s"
+        $ = "-t createprocess call: <t> CreateProcessWithTokenW"
+        $ = "-p <program>: program to launch"
+        $ = "-l <port>: COM server listen port"
+        $ = "-m <ip>: COM server listen address"
+        $ = "-n <port>: RPC server listen port"
+        $ = "Error - Unknown NTLM message type..."
+        $ = "[+] authresult %d"
+        $ = "Waiting for auth..."
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 500KB and
+        2 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_juicypotatong_strings.yar b/yara_rules/tool_juicypotatong_strings.yar
new file mode 100644
index 0000000..856d875
--- /dev/null
+++ b/yara_rules/tool_juicypotatong_strings.yar
@@ -0,0 +1,18 @@
+rule tool_juicypotatong_strings {
+    meta:
+        id = "4634251b-ea41-4f58-aabd-db83ccf4edaa"
+        version = "1.0"
+        description = "Detects JuicyPotatoNG"
+        author = "Sekoia.io"
+        creation_date = "2023-06-20"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "[!] CryptStringToBinaryW failed with error code %d" ascii
+        $ = "-b : Bruteforce all CLSIDs. !ALERT:" ascii
+        $ = "[-] CreateProcessWithTokenW Failed to create proc: %d" ascii
+        
+    condition:
+        uint16be(0) == 0x4d5a and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_koblas_server_strings.yar b/yara_rules/tool_koblas_server_strings.yar
new file mode 100644
index 0000000..bb6d47a
--- /dev/null
+++ b/yara_rules/tool_koblas_server_strings.yar
@@ -0,0 +1,20 @@
+rule tool_koblas_server_strings {
+    meta:
+        id = "ebd891da-69dd-474c-9e08-63d0b4cc654e"
+        version = "1.0"
+        description = "Detects Koblas server"
+        author = "Sekoia.io"
+        creation_date = "2024-05-23"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "sent {sent} bytes and received {received} bytes" wide ascii
+        $ = "connection denied" ascii
+        $ = "loaded {} users" ascii
+        $ = "listening on {}:{} for incoming connections" ascii
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        3 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_ladon_strings.yar b/yara_rules/tool_ladon_strings.yar
new file mode 100644
index 0000000..f5af7c7
--- /dev/null
+++ b/yara_rules/tool_ladon_strings.yar
@@ -0,0 +1,62 @@
+rule tool_ladon_strings {
+    meta:
+        id = "7f06f755-a103-4e74-a9df-136355775233"
+        version = "1.0"
+        description = "Detects Ladon based on strings"
+        author = "Sekoia.io"
+        creation_date = "2024-06-03"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $a1 = ".GetType('Ladon.Scan')"
+        $a2 = "= New-object Byte[]("
+        $a3 = "([IO.MemoryStream][Convert]::FromBase64String("
+        
+        $b1 = "DeflateStream([IO.MemoryStream][Convert]::FromBase64String("
+        $b2 = "))}}}}}}}}}"
+        $b3 = "::Main(@($"
+        $b4 = "))} else {If("
+        $b5 = "= [Reflection.Assembly]::Load("
+        
+        $c1 = "ChatLadon.Form1.resources"
+        $c2 = "ChatLadon.Properties.Resources.resources"
+        $c3 = "WebClientUploadEvent"
+        $c4 = "WebClientDownloadEvent"
+        $c5 = "K8robot"
+        $c6 = "K8IPselect"
+        
+        $d1 = "loadASM"
+        $d2 = "ConsoleApp1.exe"
+        $d3 = "K8Ladon"
+        
+        $e1 = "get_network_16px_1219919_easyicon_net"
+        $e2 = "K8gege"
+        $e3 = "LadonExpBuild"
+        
+        $f1 = "Ladon url.txt CitrixVer"
+        $f2 = "Ladon MssqlCmd"
+        $f3 = "Example: Ladon "
+        $f4 = "k8gege.org"
+        $f5 = "K8crack"
+        
+        $g1 = "LadonStudy.exe"
+        $g2 = "LadonStudy.frmMain.resources"
+        $g3 = "LadonStudy.Properties.Resources.resources"
+        $g4 = "K8gege"
+        
+        $h1 = "LadonShell.exe" wide
+        $h2 = "ForceRemove"
+        $h3 = "GetUserObjectInformationA"
+        
+    condition:
+        ( all of ($a*) or 
+        all of ($b*) or 
+        all of ($c*) or 
+        all of ($d*) or 
+        all of ($e*) or 
+        all of ($f*) or 
+        all of ($g*) or 
+        all of ($h*) )
+        and filesize < 5MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_lsass_dump_strings.yar b/yara_rules/tool_lsass_dump_strings.yar
new file mode 100644
index 0000000..cb0edf6
--- /dev/null
+++ b/yara_rules/tool_lsass_dump_strings.yar
@@ -0,0 +1,20 @@
+rule tool_lsass_dump_strings {
+    meta:
+        id = "bf024dc6-a1c8-4c3f-9bf8-8d246c129639"
+        version = "1.0"
+        description = "Detects Lsass dump based on strings"
+        author = "Sekoia.io"
+        creation_date = "2024-09-09"
+        classification = "TLP:CLEAR"
+        hash = "f4540f42902c068b9290239729c45324"
+        
+    strings:
+        $ = "[SUCCESS] Successfully dumped core LSASS information for PID:"
+        $ = "[SUCCESS] All data dumped to "
+        $ = "[ERROR] Unable to dump process"
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        3 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_masky_strings.yar b/yara_rules/tool_masky_strings.yar
new file mode 100644
index 0000000..4414952
--- /dev/null
+++ b/yara_rules/tool_masky_strings.yar
@@ -0,0 +1,22 @@
+rule tool_masky_strings {
+    meta:
+        id = "542670ee-9f2e-4148-853d-a3f055bd584c"
+        version = "1.0"
+        description = "Detects Masky tool"
+        author = "Sekoia.io"
+        creation_date = "2022-08-23"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "caa1aa2e-8a2a-4f98-bc51-b7cf10663fa9" ascii
+        $s2 = "Masky" ascii
+        $s3 = "\\Windows\\Temp\\" wide
+        $s4 = "Length must be non-negative" wide
+        $s5 = "CSP does not contain a private key" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 1MB and
+        4 of them or $s1
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_multidump_strings.yar b/yara_rules/tool_multidump_strings.yar
new file mode 100644
index 0000000..cc8dd63
--- /dev/null
+++ b/yara_rules/tool_multidump_strings.yar
@@ -0,0 +1,23 @@
+rule tool_multidump_strings {
+    meta:
+        id = "4897c898-01dd-40d2-bf28-266231c88f8a"
+        version = "1.0"
+        description = "Detects MultiDump"
+        author = "Sekoia.io"
+        creation_date = "2024-03-19"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "--nodump\tDisable LSASS dumping"
+        $ = "-r 192.168.1.100:5000"
+        $ = "Path to save procdump.exe"
+        $ = "[!] CreateFileW [R] Failed With Error"
+        $ = "LSASS is Running, Continuin"
+        $ = "Dumping LSASS Using ProcDump"
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 1MB and
+        3 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_nping_strings.yar b/yara_rules/tool_nping_strings.yar
new file mode 100644
index 0000000..889a197
--- /dev/null
+++ b/yara_rules/tool_nping_strings.yar
@@ -0,0 +1,21 @@
+rule tool_nping_strings {
+    meta:
+        id = "fcfd9539-b224-45b4-9252-0b4d56a40be4"
+        version = "1.0"
+        description = "Detects NPing"
+        author = "Sekoia.io"
+        creation_date = "2022-08-11"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "http://nmap.org/nping"
+        $ = "nping scanme.nmap.org"
+        $ = "Bogus target structure passed to %s"
+        $ = "Packet too short."
+        $ = "read_arp_reply_pcap"
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        3 of them and filesize < 1MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_nssm_strings.yar b/yara_rules/tool_nssm_strings.yar
new file mode 100644
index 0000000..5e535b2
--- /dev/null
+++ b/yara_rules/tool_nssm_strings.yar
@@ -0,0 +1,23 @@
+rule tool_nssm_strings {
+    meta:
+        id = "fab99d44-6494-4bfc-80c0-67c45bad0425"
+        version = "1.0"
+        description = "Detects nssm tool"
+        author = "Sekoia.io"
+        creation_date = "2024-09-06"
+        classification = "TLP:CLEAR"
+        hash = "beceae2fdc4f7729a93e94ac2ccd78cc"
+        
+    strings:
+        $ = "nssm start <servicename>" wide
+        $ = "nssm stop <servicename>" wide
+        $ = "nssm restart <servicename>" wide
+        $ = "nssm status <servicename>" wide
+        $ = "nssm rotate <servicename>" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a 
+        and all of them 
+        and filesize < 500KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_paexec_strings.yar b/yara_rules/tool_paexec_strings.yar
new file mode 100644
index 0000000..a3234a4
--- /dev/null
+++ b/yara_rules/tool_paexec_strings.yar
@@ -0,0 +1,20 @@
+rule tool_paexec_strings {
+    meta:
+        id = "c48b897c-0d88-4fa9-b64b-0e14a38a62d7"
+        version = "1.0"
+        description = "Detects PAExec based on strings"
+        author = "Sekoia.io"
+        creation_date = "2022-09-23"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "\\\\%s\\%s\\PAExec_Move%u.dat" wide
+        $ = "PAExec_Move%u.dat" wide
+        $ = "Usage: PAExec [\\\\computer[,computer2[,...]]" wide
+        $ = "PAExec returning exit code %d" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and 3 of them
+        and filesize < 500KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_pchunter_and_related_certificate.yar b/yara_rules/tool_pchunter_and_related_certificate.yar
new file mode 100644
index 0000000..f88e06b
--- /dev/null
+++ b/yara_rules/tool_pchunter_and_related_certificate.yar
@@ -0,0 +1,18 @@
+import "pe"
+        
+rule tool_pchunter_and_related_certificate {
+    meta:
+        id = "757c7738-4ee8-4b4e-bdda-0c5b0c010f40"
+        version = "1.0"
+        description = "Detects PCHunter and associated binairies & drivers"
+        author = "Sekoia.io"
+        creation_date = "2022-09-07"
+        classification = "TLP:CLEAR"
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        for any i in (0 .. pe.number_of_signatures) : (
+         pe.signatures[i].serial contains "05:51:bc:8c:6a:a2:ca:03:2b:c6:71:38:30:d8:49:a3"
+      ) and filesize>400KB and filesize<20MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_petitpotato.yar b/yara_rules/tool_petitpotato.yar
new file mode 100644
index 0000000..9018ea9
--- /dev/null
+++ b/yara_rules/tool_petitpotato.yar
@@ -0,0 +1,20 @@
+rule tool_petitpotato {
+    meta:
+        id = "72808202-a124-478e-bc60-59d35824b948"
+        version = "1.0"
+        author = "Sekoia.io"
+        creation_date = "2023-08-23"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s2 = "set_FileName" ascii wide
+        $s3 = "VarFileInfo" ascii wide
+        $s4 = "PetitPotato.exe" ascii wide
+        $s5 = "0.0.0.0" ascii wide
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        filesize < 4MB and 
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_pivotnacci.yar b/yara_rules/tool_pivotnacci.yar
new file mode 100644
index 0000000..dd7b91e
--- /dev/null
+++ b/yara_rules/tool_pivotnacci.yar
@@ -0,0 +1,22 @@
+rule tool_pivotnacci {
+    meta:
+        id = "31ecb08a-fc92-4cbe-a865-7ce869a5fa6a"
+        version = "1.0"
+        description = "Detects Pivotnacci"
+        author = "Sekoia.io"
+        creation_date = "2024-04-22"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $pivotnacci = "pivotnacci"
+        $s1 = "Socks server => %s:%s"
+        $s2 = "The default listening address"
+        $s3 = "Socks server for HTTP agents"
+        $s4 = "Message returned by the agent web page"
+        $s5 = "Password to communicate with the agent"
+        $s6 = "To specify agent type in case is not automatically detected."
+        
+    condition:
+        $pivotnacci and 3 of ($s*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_pivotnacci_webshell.yar b/yara_rules/tool_pivotnacci_webshell.yar
new file mode 100644
index 0000000..afc9451
--- /dev/null
+++ b/yara_rules/tool_pivotnacci_webshell.yar
@@ -0,0 +1,24 @@
+rule tool_pivotnacci_webshell {
+    meta:
+        id = "729b6381-b59d-46fe-9ad4-b8b68fb0ceea"
+        version = "1.0"
+        description = "Detects pivotnacci webshell"
+        author = "Sekoia.io"
+        creation_date = "2024-04-22"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "if (cmd == SEND_OPERATION) {"
+        $ = "Response.BinaryWrite(newBuff)"
+        $ = "Request.Headers.Get(ID_HEADER)"
+        $ = "[$READ_BUFFER_SESSION_KEY . $connection_id]"
+        $ = "extract_session_readbuf($conn_id"
+        $ = "Failed connecting to target $addr:$port : $errstr"
+        $ = "void handle_post(String cmd)"
+        $ = "SocketChannel socketChannel = this.get_socket(socket_id"
+        $ = "this.get_svc().compareTo(this.get_hostname())"
+        
+    condition:
+        3 of them and filesize < 10KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_powershell_unicorn.yar b/yara_rules/tool_powershell_unicorn.yar
new file mode 100644
index 0000000..685d792
--- /dev/null
+++ b/yara_rules/tool_powershell_unicorn.yar
@@ -0,0 +1,18 @@
+rule tool_powershell_unicorn {
+    meta:
+        id = "287c1669-2ee1-488e-bf66-a99bfe309c90"
+        version = "1.0"
+        description = "Detects Unicorn Powershell"
+        author = "Sekoia.io"
+        creation_date = "2022-08-23"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = ").value.toString() ('JAB" ascii wide
+        $ = ").value.toString());powershell (" ascii wide
+        $ = "powershell /w 1 " ascii wide
+        
+    condition:
+        all of them and filesize < 100KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_printnotifypotato.yar b/yara_rules/tool_printnotifypotato.yar
new file mode 100644
index 0000000..23544fe
--- /dev/null
+++ b/yara_rules/tool_printnotifypotato.yar
@@ -0,0 +1,23 @@
+rule tool_printnotifypotato {
+    meta:
+        id = "8dde175f-025a-4c27-bcc6-d0016dd7238c"
+        version = "1.0"
+        author = "Sekoia.io"
+        creation_date = "2023-08-23"
+        classification = "TLP:CLEAR"
+        author = "Sekoia.io"
+        
+    strings:
+        $s1 = "PrintNotifyPotato.exe" ascii wide
+        $s2 = "BeichenDream" ascii wide
+        $s3 = "interactive" ascii wide
+        $s4 = "DuplicateTokenEx" ascii wide
+        $s5 = "CurrentUser" ascii wide
+        $s6 = "FakeIUnknown" ascii wide
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        filesize < 8MB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_quarkspwdump.yar b/yara_rules/tool_quarkspwdump.yar
new file mode 100644
index 0000000..3b92174
--- /dev/null
+++ b/yara_rules/tool_quarkspwdump.yar
@@ -0,0 +1,19 @@
+rule tool_quarkspwdump {
+    meta:
+        id = "859823f9-6d47-4b0f-844b-d3af7bad498b"
+        version = "1.0"
+        author = "Sekoia.io"
+        creation_date = "2023-06-23"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "quarks-pwdump.exe"
+        $s2 = "--------------------------------------------- BEGIN DUMP --------------------------------------------"
+        $s3 = "%s_hist%d:\"\":\"\":%s:%s"
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        filesize < 1MB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_rathole_strings.yar b/yara_rules/tool_rathole_strings.yar
new file mode 100644
index 0000000..8934605
--- /dev/null
+++ b/yara_rules/tool_rathole_strings.yar
@@ -0,0 +1,26 @@
+rule tool_rathole_strings {
+    meta:
+        id = "39d11285-a3bf-46c3-901d-ab46601a9066"
+        version = "1.0"
+        description = "Detects RATHole based on strings"
+        author = "Sekoia.io"
+        creation_date = "2024-05-23"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "rathole\\src\\" ascii
+        $ = "\\\\?\\\\\\?\\UNC\\" wide
+        $ = "rathole::" ascii
+        $ = "src/server.rs"
+        $ = "`[server]` or `[client]"
+        
+    condition:
+        ( uint32be(0) == 0x7f454c46 or 
+          uint16be(0) == 0x4d5a or 
+          uint32be(0) == 0xfeedface or 
+          uint32be(0) == 0xfeedfacf or 
+          uint32be(0) ==  0xcafebabe or
+          uint32be(0) ==  0xCFFAEDFE) and
+        3 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_realblindingedr_strings.yar b/yara_rules/tool_realblindingedr_strings.yar
new file mode 100644
index 0000000..1811767
--- /dev/null
+++ b/yara_rules/tool_realblindingedr_strings.yar
@@ -0,0 +1,25 @@
+rule tool_realblindingedr_strings {
+    meta:
+        id = "505dcbee-ae37-47c1-a322-2c52d10e68d7"
+        version = "1.0"
+        description = "Detects RealBlindingEDR based on strings"
+        author = "Sekoia.io"
+        creation_date = "2024-09-11"
+        classification = "TLP:CLEAR"
+        hash = "cb6219e2b6577b8d4a18114d595e10d7"
+        hash = "d0a251709c24a8f4c26d456dea22d90f"
+        
+    strings:
+        $ = "Unload Driver Error 1"
+        $ = "Failed to create pipe. Error %d"
+        $ = "icacls \"%s\" /grant Everyone:(F)"
+        $ = "Register MiniFilter Callback driver:"
+        $ = "The driver's certificate has been revoked,"
+        $ = "[Success] Killed %s(%s)."
+        $ = "ntoskrnl.exe base address not found."
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        4 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_reversessh_strings.yar b/yara_rules/tool_reversessh_strings.yar
new file mode 100644
index 0000000..67aade9
--- /dev/null
+++ b/yara_rules/tool_reversessh_strings.yar
@@ -0,0 +1,26 @@
+rule tool_reversessh_strings {
+    meta:
+        id = "b20c2c8e-3910-4545-a87a-3d428283a447"
+        version = "1.0"
+        description = "Detects reverse SSH based on strings"
+        author = "Sekoia.io"
+        creation_date = "2024-04-16"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $fun_1 = "createLocalPortForwardingCallback"
+        $fun_2 = "createReversePortForwardingCallback"
+        $fun_3 = "createPasswordHandler"
+        $fun_4 = "createPublicKeyHandler"
+        $fun_5 = "createSFTPHandler"
+        $fun_6 = "dialHomeAndListen"
+        $fun_7 = "createExtraInfoHandler"
+        $fun_8 = "createSSHSessionHandler"
+        $fun_9 = "createReversePortForwardingCallback"
+        $proj_1 = "github.com/Fahrj/reverse-ssh"
+        
+    condition:
+        any of ($proj_*) or
+        4 of ($fun_*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_revsocks_strings.yar b/yara_rules/tool_revsocks_strings.yar
new file mode 100644
index 0000000..7bc2861
--- /dev/null
+++ b/yara_rules/tool_revsocks_strings.yar
@@ -0,0 +1,26 @@
+rule tool_revsocks_strings {
+    meta:
+        id = "f5f34e74-0795-4c81-a385-218a8197a0b7"
+        version = "1.0"
+        description = "Detects revsocks client"
+        author = "Sekoia.io"
+        creation_date = "2024-03-07"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "reverse socks5 server/client by kost" ascii fullword
+        $ = "github.com/kost/"
+        $ = "revsocks -listen"
+        $ = "Start on the DNS server: revsocks -dns"
+        $ = "crypto/aes."
+        
+    condition:
+        ( uint32be(0) == 0x7f454c46 or 
+          uint16be(0) == 0x4d5a or 
+          uint32be(0) == 0xfeedface or 
+          uint32be(0) == 0xfeedfacf or 
+          uint32be(0) ==  0xcafebabe or
+          uint32be(0) ==  0xCFFAEDFE) and
+        3 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_rsockstun_strings.yar b/yara_rules/tool_rsockstun_strings.yar
new file mode 100644
index 0000000..9524e35
--- /dev/null
+++ b/yara_rules/tool_rsockstun_strings.yar
@@ -0,0 +1,21 @@
+rule tool_rsockstun_strings {
+    meta:
+        id = "94d8cb39-3421-441c-8404-62a591b86912"
+        version = "1.0"
+        description = "Detects Rsockstun based on strings"
+        author = "Sekoia.io"
+        creation_date = "2023-12-22"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "main.connectviaproxy"
+        $ = "main.connectForSocks"
+        $ = "main.listenForClients"
+        $ = "main.listenForSocks"
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        filesize < 10MB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_rubeus_strings.yar b/yara_rules/tool_rubeus_strings.yar
new file mode 100644
index 0000000..067c5d7
--- /dev/null
+++ b/yara_rules/tool_rubeus_strings.yar
@@ -0,0 +1,25 @@
+rule tool_rubeus_strings {
+    meta:
+        id = "df1860d0-ec34-4c2d-bd83-5f16b26d075c"
+        version = "1.0"
+        description = "Detects Rubeus"
+        author = "Sekoia.io"
+        creation_date = "2024-03-22"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = ".Ndr.RPC_DISPATCH_TABLE32"
+        $ = ".Ndr.RPC_PROTSEQ_ENDPOINT32"
+        $ = ".Ndr.RPC_SERVER_INTERFACE32"
+        $ = ".Ndr.NDR_EXPR_DESC32"
+        $ = "$krb5tgs${0}$*{1}${2}${3}*${4}${5}" wide
+        $ = "$krb5asrep$23${0}@{1}:{2}" wide
+        $ = "Unable to decrypt the EncTicketPart using key:" wide
+        $ = "[*] Target service  : {0:x}" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 1MB and
+        5 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_runpeinmemory_strings.yar b/yara_rules/tool_runpeinmemory_strings.yar
new file mode 100644
index 0000000..62f1008
--- /dev/null
+++ b/yara_rules/tool_runpeinmemory_strings.yar
@@ -0,0 +1,20 @@
+rule tool_runpeinmemory_strings {
+    meta:
+        id = "64129ab0-b599-4760-ab21-20c475c2c07f"
+        version = "1.0"
+        description = "Detects standard implementation of RunPEInMemory"
+        author = "Sekoia.io"
+        creation_date = "2024-05-23"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "[+] Fix Import Address Table"
+        $ = "[+] Relocation Fixed."
+        $ = "[+] File %s isn't a PE file."
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 500KB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_safetykatz.yar b/yara_rules/tool_safetykatz.yar
new file mode 100644
index 0000000..2de3a3c
--- /dev/null
+++ b/yara_rules/tool_safetykatz.yar
@@ -0,0 +1,19 @@
+rule tool_safetykatz {
+    meta:
+        id = "90f93244-38a7-4574-87c6-15d494e9173b"
+        version = "1.0"
+        author = "Sekoia.io"
+        creation_date = "2023-06-23"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "SafetyKatz" ascii fullword
+        $s2 = "get_mimikatz" ascii fullword
+        $s3 = "$8347e81b-89fc-42a9-b22c-f59a6a572dec" ascii fullword
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        filesize < 1MB and 
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_scanline_strings.yar b/yara_rules/tool_scanline_strings.yar
new file mode 100644
index 0000000..46de766
--- /dev/null
+++ b/yara_rules/tool_scanline_strings.yar
@@ -0,0 +1,19 @@
+rule tool_scanline_strings {
+    meta:
+        id = "65677b81-d077-4d01-8398-cbb06ce49edf"
+        version = "1.0"
+        description = "Detects scanline (non-packed)"
+        author = "Sekoia.io"
+        creation_date = "2024-09-06"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "Resolve IP addresses to hostnames"
+        $ = "Randomize IP and port scan order"
+        $ = "?bhijnprsT"
+        $ = "sl -bht"
+        
+    condition:
+        uint16be(0) == 0x4d5a and 3 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_sharpefspotato_strings.yar b/yara_rules/tool_sharpefspotato_strings.yar
new file mode 100644
index 0000000..04880f8
--- /dev/null
+++ b/yara_rules/tool_sharpefspotato_strings.yar
@@ -0,0 +1,19 @@
+rule tool_sharpefspotato_strings {
+    meta:
+        id = "4286c72b-c0b9-4d2c-9847-68fc39ed4894"
+        version = "1.0"
+        description = "Detects SharpEfsPotato based on strings"
+        author = "Sekoia.io"
+        creation_date = "2023-06-20"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "Program to launch (default cmd.exe)" wide
+        $ = "[!] Cannot perform interception, necessary privileges missing." wide
+        $ = "[!] Failed to created impersonated process with token:" wide
+        $ = "No authenticated interception took place, exploit failed"
+        
+    condition:
+        uint16be(0) == 0x4d5a and 3 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_sharphoundexecutable_strings.yar b/yara_rules/tool_sharphoundexecutable_strings.yar
new file mode 100644
index 0000000..08e8077
--- /dev/null
+++ b/yara_rules/tool_sharphoundexecutable_strings.yar
@@ -0,0 +1,22 @@
+rule tool_sharphoundexecutable_strings {
+    meta:
+        id = "2cf8046e-5b4d-4ff7-b4b2-7aaeaf58883b"
+        version = "1.0"
+        description = "Detects the SharpHound tool"
+        author = "Sekoia.io"
+        creation_date = "2022-08-11"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "BloodHoundLoopResults.zip" wide
+        $ = "[-] Removed PSRemote Collection" wide
+        $ = "Initializing SharpHound at {time} on {date}" wide
+        $ = "[SearchForest] Cross-domain enumeration may result in reduced data quality" wide
+        $ = "SharpHound Enumeration Completed at {Time} on {Date}! Happy Graphing!" wide
+        $ = "Consumer task on thread {id} completed" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        3 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_sharphoundpowershell_strings.yar b/yara_rules/tool_sharphoundpowershell_strings.yar
new file mode 100644
index 0000000..f3e7c76
--- /dev/null
+++ b/yara_rules/tool_sharphoundpowershell_strings.yar
@@ -0,0 +1,21 @@
+rule tool_sharphoundpowershell_strings {
+    meta:
+        id = "f27a0bdc-1a8c-43f9-843c-6c8506726f37"
+        version = "1.0"
+        description = "Detects SharpHound Powershell"
+        author = "Sekoia.io"
+        creation_date = "2022-08-11"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "function Invoke-BloodHound"
+        $ = "$vars.Add($RealDNSName)"
+        $ = "$vars.Add($Jitter)"
+        $ = "CmdletBinding(PositionalBinding = $false)"
+        $ = ").Invoke($Null, @(,$passed))"
+        $ = "$EncodedCompressedFile ="
+        
+    condition:
+        filesize < 2MB and 4 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_sharpnbtscan_strings.yar b/yara_rules/tool_sharpnbtscan_strings.yar
new file mode 100644
index 0000000..54622b2
--- /dev/null
+++ b/yara_rules/tool_sharpnbtscan_strings.yar
@@ -0,0 +1,20 @@
+rule tool_sharpnbtscan_strings {
+    meta:
+        id = "e9d28dcb-b4b1-4d66-b225-ed0925f307d9"
+        version = "1.0"
+        description = "Detects SharpNBTScan based on strings"
+        author = "Sekoia.io"
+        creation_date = "2024-09-09"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "[+]Udp client will stop in 10 s ..." ascii wide
+        $ = "[*]Stop udp client ..." ascii wide
+        $ = "[*]Start udp client ..." ascii wide
+        $ = "[+] ip range {0} - {1} " ascii wide
+        
+    condition:
+        uint32be(0) == 0x5A4D and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_sharpsecdump.yar b/yara_rules/tool_sharpsecdump.yar
new file mode 100644
index 0000000..0737cbc
--- /dev/null
+++ b/yara_rules/tool_sharpsecdump.yar
@@ -0,0 +1,20 @@
+rule tool_sharpsecdump {
+    meta:
+        id = "359bf48b-81c8-4d12-ac02-777d4865411a"
+        version = "1.0"
+        author = "Sekoia.io"
+        creation_date = "2023-06-23"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "SharpSecDump"
+        $s2 = "e2fdd6cc-9886-456c-9021-ee2c47cf67b7"
+        $s3 = "Md4Hash2"
+        $s4 = "RidToKey"
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        filesize < 1MB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_soaphound_strings.yar b/yara_rules/tool_soaphound_strings.yar
new file mode 100644
index 0000000..f4fa844
--- /dev/null
+++ b/yara_rules/tool_soaphound_strings.yar
@@ -0,0 +1,22 @@
+rule tool_soaphound_strings {
+    meta:
+        id = "adf48506-f07d-445a-83cc-0aed3b6b55eb"
+        version = "1.0"
+        description = "Detects SOAPHound based on strings"
+        author = "Sekoia.io"
+        creation_date = "2024-11-12"
+        classification = "TLP:CLEAR"
+        hash = "b2a953590d75213388473fb51e6b5f2f"
+        
+    strings:
+        $ = "Output files generated in" wide
+        $ = "(&(cn=*)(!(cn=a*))(!(cn=b*))" wide
+        $ = "unicodePassword" wide
+        $ = "net.tcp://localhost:9389/ActiveDirectoryWebServices/" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize < 2MB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_ssf_strings.yar b/yara_rules/tool_ssf_strings.yar
new file mode 100644
index 0000000..8635305
--- /dev/null
+++ b/yara_rules/tool_ssf_strings.yar
@@ -0,0 +1,24 @@
+rule tool_ssf_strings {
+    meta:
+        id = "47fc3df8-a153-4045-a5f0-ed30df662984"
+        version = "1.0"
+        description = "Detects SSF based on strings"
+        author = "Sekoia.io"
+        creation_date = "2024-05-31"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "could NOT read SSF reply"
+        $ = "SSF reply NOT ok {}"
+        $ = "SSF reply OK"
+        $ = "SSF protocol error {}"
+        $ = "SSF reply ok"
+        $ = "SSF version NOT read {}"
+        $ = "SSF version {}"
+        $ = "SSF version NOT supported {}"
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        4 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_swor.yar b/yara_rules/tool_swor.yar
new file mode 100644
index 0000000..2373612
--- /dev/null
+++ b/yara_rules/tool_swor.yar
@@ -0,0 +1,25 @@
+rule tool_swor {
+    meta:
+        id = "75ce2ed7-2972-4e04-98dc-451acf80c842"
+        version = "1.0"
+        description = "Detects swor"
+        author = "Sekoia.io"
+        creation_date = "2024-09-09"
+        classification = "TLP:CLEAR"
+        hash = "d3f92b3349109fc6de26f5e40800fec15308c27fa4fe81fe42af5030637a3a63"
+        
+    strings:
+        $old_sword_s1 = "Failed to open payload file: "
+        $old_sword_s2 = "Failed to open config file: "
+        $sword_s1 = "open encrypted file error: "
+        $sword_s2 = "open config file error: "
+        $enum_calendar = "EnumCalendarInfo"
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        $enum_calendar and 
+        (2 of ($old_sword_s*) or 2 of ($sword_s*)) and
+        filesize <1MB and 
+        true
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_sy_runas.yar b/yara_rules/tool_sy_runas.yar
new file mode 100644
index 0000000..1fad8c5
--- /dev/null
+++ b/yara_rules/tool_sy_runas.yar
@@ -0,0 +1,21 @@
+rule tool_sy_runas {
+    meta:
+        id = "cb1f3707-6716-49b5-9fe0-45c5baf2e491"
+        version = "1.0"
+        author = "Sekoia.io"
+        creation_date = "2023-08-23"
+        classification = "TLP:CLEAR"
+        author = "Sekoia.io"
+        
+    strings:
+        $s1 = "Sy_Runas.exe" ascii wide
+        $s2 = "password *.exe" ascii wide
+        $s3 = "This tools just work on webshell" ascii wide
+        $s4 = "Code By slls124@gmail.com" ascii wide
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        filesize < 4MB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_tacticalrmm_installer_strings.yar b/yara_rules/tool_tacticalrmm_installer_strings.yar
new file mode 100644
index 0000000..a62f90b
--- /dev/null
+++ b/yara_rules/tool_tacticalrmm_installer_strings.yar
@@ -0,0 +1,21 @@
+rule tool_tacticalrmm_installer_strings {
+    meta:
+        id = "c4a0ba33-b458-4c2a-abfa-4c33481d6491"
+        version = "1.0"
+        description = "Detects TacticalRMM installer"
+        author = "Sekoia.io"
+        creation_date = "2024-05-23"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "TacticalRMMInstaller" ascii
+        $ = "tacticalagent-" ascii
+        $ = "tactical/go" ascii
+        $ = "tacticalrmm." ascii
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        filesize > 3MB and filesize < 8MB and
+        3 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_tokenplayer_strings.yar b/yara_rules/tool_tokenplayer_strings.yar
new file mode 100644
index 0000000..a6ab983
--- /dev/null
+++ b/yara_rules/tool_tokenplayer_strings.yar
@@ -0,0 +1,26 @@
+rule tool_tokenplayer_strings {
+    meta:
+        id = "74ed8812-f113-47a9-9ff2-6cbe2746ee11"
+        version = "1.0"
+        description = "Detects TokenPlayer based on strings"
+        author = "Sekoia.io"
+        creation_date = "2024-11-04"
+        classification = "TLP:CLEAR"
+        hash = "f01eae4ee3cc03d621be7b0af7d60411"
+        
+    strings:
+        $ = "[*]Spawning Process as user: %s\\%s" wide
+        $ = "[-]Target isn't vulnerable!"
+        $ = "[+]Process spawned!"
+        $ = "[+]Process Spawned"
+        $ = "[+]OpenProcessToken() success!"
+        $ = "CreateProcessWithLogonW() error : % u"
+        $ = "[+]CreateProcessWithLogonW() succeed!"
+        $ = "TokenPlayer.pdb"
+        
+    condition:
+        uint16be(0) == 0x4d5a and 
+        5 of them and 
+        filesize < 500KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_webshell_b374k_strings.yar b/yara_rules/tool_webshell_b374k_strings.yar
new file mode 100644
index 0000000..3a28a00
--- /dev/null
+++ b/yara_rules/tool_webshell_b374k_strings.yar
@@ -0,0 +1,22 @@
+rule tool_webshell_b374k_strings {
+    meta:
+        id = "f53fc668-e1fc-4b85-b850-59aceefb6418"
+        version = "1.0"
+        description = "Detects b374k webshell"
+        author = "Sekoia.io"
+        creation_date = "2024-09-06"
+        classification = "TLP:CLEAR"
+        hash = "1d27b23fceecbb9e854c41f6a8fb878e"
+        hash = "71fd853a3f3efc3dc2846e866187ee59"
+        hash = "187e001c32487d0d68197ddb7e7796c3"
+        hash = "6eac497dfc1020a8475e95542fad197e"
+        hash = "61c6a0bc15efa442853f04bb276ac96e"
+        
+    strings:
+        $ = "$func('$x','ev'.'al'.'("
+        $ = "(ba'.'se'.'64'.'_de'.'co'.'de($x)))"
+        
+    condition:
+        2 of them and filesize < 1MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_win_blackfly_proxy_config.yar b/yara_rules/tool_win_blackfly_proxy_config.yar
new file mode 100644
index 0000000..a98a2df
--- /dev/null
+++ b/yara_rules/tool_win_blackfly_proxy_config.yar
@@ -0,0 +1,30 @@
+import "pe"
+import "hash"
+        
+rule tool_win_blackfly_proxy_config {
+    meta:
+        id = "c8a8be5d-bd28-4306-9466-ad582e53fede"
+        version = "1.0"
+        description = "Detect Blackfly proxy configuration tool"
+        author = "Sekoia.io"
+        creation_date = "2023-02-28"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "c:\\ProgramData\\l.dat"
+        $ = "C:\\ProgramData\\b.dat"
+        $ = "winmm_DotNetfile.dll"
+        
+    condition:
+        pe.imphash() == "ff47f65286cc51a1328bc94efbf4007f"
+        or for any i in (0..pe.number_of_sections-1) : (
+            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "f5923d4331f7e84fbbbd6fd84b6d3e6a"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "56acc10233c711a4eba9ca9aeab47e30"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "824dcebe93ac83bf5c95c781a60b3578"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "ec716a08b5e647f5c00c5dfc079dfa62"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "5cb63f7392c9e05c22e89cd86bd7f718"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "ee04e245066e25edd3062d823f15deda"
+        )
+        or (uint16(0)==0x5A4D and 1 of them)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_win_driverjack.yar b/yara_rules/tool_win_driverjack.yar
new file mode 100644
index 0000000..e3c52d7
--- /dev/null
+++ b/yara_rules/tool_win_driverjack.yar
@@ -0,0 +1,21 @@
+rule tool_win_driverjack {
+    meta:
+        id = "08bc0fe8-38f1-4c73-99c8-2659b4a55815"
+        version = "1.0"
+        author = "Sekoia.io"
+        creation_date = "2024-09-11"
+        classification = "TLP:CLEAR"
+        hash = "649fc12915bdcdebbc3798a8ad0b9b32"
+        reference = "https://github.com/klezVirus/DriverJack/blob/master/DriverJack"
+        
+    strings:
+        $ = "(*) Decrypting %llu bytes of file content using key '%s' of length %u..."
+        $ = "(*) Modifying file %s in mapped drive..."
+        $ = "(*) Checking file %s in mapped drive..."
+        $ = "(-) CreateProcess failed '%s' (%08x)."
+        $ = "(*) Mounted Drive Letter: %s"
+        
+    condition:
+        uint16be(0) == 0x4d5a and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_win_forkplayground.yar b/yara_rules/tool_win_forkplayground.yar
new file mode 100644
index 0000000..959c3df
--- /dev/null
+++ b/yara_rules/tool_win_forkplayground.yar
@@ -0,0 +1,21 @@
+rule tool_win_forkplayground {
+    meta:
+        id = "ec9af403-7647-447d-af17-c6931363a166"
+        version = "1.0"
+        description = "Detect the ForkPlayground malware"
+        author = "Sekoia.io"
+        creation_date = "2023-02-28"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "Failed to open dump file %s with the last error %i."
+        $ = "Successfully dumped process %i to %s"
+        $ = "ForkPlayground"
+        $ = "Second attempt at taking a snapshot of the target failed. It is likely that there is a difference in process privilege or the handle was stripped."
+        $ = "Failed to take a snapshot of the target process. Attempting to escalate debug privilege..."
+        $ = "Failed to escalate debug privileges, are you running ForkDump as Administrator"
+        
+    condition:
+        uint16(0)==0x5A4D and 1 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_win_gosecretsdump.yar b/yara_rules/tool_win_gosecretsdump.yar
new file mode 100644
index 0000000..9a734b5
--- /dev/null
+++ b/yara_rules/tool_win_gosecretsdump.yar
@@ -0,0 +1,28 @@
+rule tool_win_gosecretsdump {
+    meta:
+        id = "9225fe95-e37c-48ff-b5b5-680f255349bd"
+        version = "1.0"
+        description = "Finds gosecretsdump EXE based on strings"
+        author = "Sekoia.io"
+        reference = "https://github.com/C-Sto/gosecretsdump/releases"
+        creation_date = "2024-06-10"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "github.com/C-Sto/gosecretsdump" ascii
+        $str02 = "/pkg/esent" ascii
+        $str03 = "/pkg/ditreader" ascii
+        $str04 = "/pkg/samreader" ascii
+        $str05 = "ntdsFileLocation" ascii
+        $str06 = "NTDSLoc" ascii
+        $str07 = "SAMEntries" ascii
+        $str08 = "SAMHashAES" ascii
+        $str09 = "NTLMHash" ascii
+        $str10 = "HasNoLMHashPolicy" ascii
+        $str11 = "PreviousIncBackup" ascii
+        $str12 = "Esent_record" ascii
+        
+    condition:
+        uint16(0)==0x5A4D and 7 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_win_lightrail.yar b/yara_rules/tool_win_lightrail.yar
new file mode 100644
index 0000000..3596819
--- /dev/null
+++ b/yara_rules/tool_win_lightrail.yar
@@ -0,0 +1,25 @@
+rule tool_win_lightrail {
+    meta:
+        id = "39259f2c-11fe-4edd-8a9e-f36920132272"
+        version = "1.0"
+        description = "Detect the LIGHTRAIL tunneler used by UNC1549"
+        author = "Sekoia.io"
+        creation_date = "2024-02-29"
+        classification = "TLP:CLEAR"
+        reference = "https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east"
+        hash1 = "e7ddab967b0487827db069833221aa2fe4ca05f7cda976cbc528ecb306a22774"
+        hash2 = "4ecd511d9654f7fd66a61eb4ab6d7153040b5092d1594ff39935f01fbdbd4914"
+        hash3 = "3472bc8ed6182eb17811c97ada7ebd48034ad09b6a7062b341fe09818d7a309f"
+        hash4 = "ec7b97092278123f0c0613c5f9252eeccf55265d4aa5f2cfed57a63ebf3530ac"
+        hash5 = "8f3757b8f5888a1303af71cbc1a106927d3d6c45552ee192c3ed0347804c2194"
+        hash6 = "8b47b5ed1ed7afcc9194e1350d4e1996bd91ca3204747b586f309f4609a1a4cc"
+        
+    strings:
+        $s1 = "lastenzug.dll"
+        $s2 = "Lastenzug.dll"
+        $azure = ".cloudapp.azure.com" wide
+        
+    condition:
+        uint16be(0)==0x4d5a and 1 of ($s*) and $azure
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_win_sharpshares.yar b/yara_rules/tool_win_sharpshares.yar
new file mode 100644
index 0000000..e8fad58
--- /dev/null
+++ b/yara_rules/tool_win_sharpshares.yar
@@ -0,0 +1,27 @@
+rule tool_win_sharpshares {
+    meta:
+        id = "ef90d573-12f8-4216-9a9e-96e7d1e841d0"
+        version = "1.0"
+        description = "Finds sharpshares EXE based on strings"
+        author = "Sekoia.io"
+        reference = "https://github.com/mitchmoser/SharpShares/releases"
+        creation_date = "2024-06-10"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "<GetAllShares>b__0" ascii
+        $str02 = "<SearchLDAP>b__0_0" ascii
+        $str03 = "get_AccessControlType" ascii
+        $str04 = "get_IdentityReference" ascii
+        $str05 = "get_PropertiesToLoad" ascii
+        $str06 = "SharpShares\\obj\\Release\\SharpShares.pdb" ascii
+        $str07 = "/filter:SYSVOL,NETLOGON,IPC$,PRINT$" wide
+        $str08 = "/threads:50 /ldap:servers" wide
+        $str09 = "SharpShares.exe" ascii wide
+        $str10 = "[+] LDAP Search Results:" wide
+        $str11 = "[+] Finished Enumerating Shares" wide
+        
+    condition:
+        uint16(0)==0x5A4D and 6 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_win_snap2html.yar b/yara_rules/tool_win_snap2html.yar
new file mode 100644
index 0000000..b437511
--- /dev/null
+++ b/yara_rules/tool_win_snap2html.yar
@@ -0,0 +1,27 @@
+rule tool_win_snap2html {
+    meta:
+        id = "9865daac-f23b-417e-813e-cbed03f45161"
+        version = "1.0"
+        description = "Finds Snap2HTML samples based on specific strings. Legitimate tool used by ransomware affiliates to perform discovery"
+        author = "Sekoia.io"
+        creation_date = "2024-02-08"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "Snap2HTML.exe" fullword wide ascii
+        $str02 = "Snap2HTML.Properties" ascii
+        $str03 = "set_txtRoot" ascii
+        $str04 = "set_chkHidden" ascii
+        $str05 = "set_chkSystem" ascii
+        $str06 = "set_chkLinkFiles" ascii
+        $str07 = "set_txtLinkRoot" ascii
+        $str08 = "set_chkOpenOutput" ascii
+        $str09 = "set_txtTitle" ascii
+        $str10 = "get_CancellationPending" ascii
+        $str11 = "set_RootFolder" ascii
+        $str12 = "add_SettingsLoaded" ascii
+        
+    condition:
+        uint16(0) == 0x5a4d and 7 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_xiebroc2_strings.yar b/yara_rules/tool_xiebroc2_strings.yar
new file mode 100644
index 0000000..087ae7d
--- /dev/null
+++ b/yara_rules/tool_xiebroc2_strings.yar
@@ -0,0 +1,41 @@
+rule tool_xiebroc2_strings {
+    meta:
+        id = "8451878e-5371-440b-b8ac-f9e6f7643d3c"
+        version = "1.0"
+        description = "Detects XiebroC2 based on strings"
+        author = "Sekoia.io"
+        creation_date = "2024-09-11"
+        classification = "TLP:CLEAR"
+        hash = "84e665bcbf963a2cf67d879aa3422d79"
+        hash = "3558c376420724694ba244a2e2acd20c"
+        hash = "e29fb9cd825db51a7a2e519f188e61ba"
+        hash = "a3b31739ad5eed51277c8478a83160a3"
+        hash = "d6e2499ea7fe8f047da1a95dae16d2c3"
+        hash = "1616818b65bf49d985bb1816461a4a75"
+        hash = "2e72d3ef2492088a4623d77d5e419ab8"
+        hash = "351770f860507d652ec3644ed1988f7f"
+        hash = "58fa6ad96028753ba8b0b0ed8fa6dccb"
+        hash = "607b541525b27eeefbef1455397bff35"
+        hash = "c2a242612468814e2e951e4db3762059"
+        hash = "431e275f4e43ec4ef7c2cc8ba126e9d3"
+        hash = "ace54bd32c226a7b9a6d4d53791e4021"
+        hash = "f22c21ed7bba1ddfc42ffdc66da3a4dd"
+        hash = "9a5ff9e07ed04cb0e71102cf1aae380c"
+        hash = "d20e01a1af3f40a7a9646d7e7df1b42e"
+        hash = "5544b621c9772cd32c4db77a0e59515a"
+        
+    strings:
+        $s1 = "RemarkClientColor"
+        $s2 = "HandlePacket"
+        $s3 = "-hide"
+        $s4 = "Failed to send data:"
+        $s5 = "Pac_ket"
+        $s6 = "WANip"
+        $s7 = "%s %s && Kernel: %s"
+        $g1 = "go.buildid"
+        $g2 = "dep    golang.org"
+        
+    condition:
+        3 of ($s*) and any of ($g*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/tool_yasso_strings.yar b/yara_rules/tool_yasso_strings.yar
new file mode 100644
index 0000000..e141a12
--- /dev/null
+++ b/yara_rules/tool_yasso_strings.yar
@@ -0,0 +1,22 @@
+rule tool_yasso_strings {
+    meta:
+        id = "31ec7510-6770-4fde-b835-e8b12f8f2b30"
+        version = "1.0"
+        description = "Detects Yasso based on strings"
+        author = "Sekoia.io"
+        creation_date = "2023-06-21"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "Yasso/cmd.setting"
+        $ = "Yasso/cmd.Client"
+        $ = "Yasso/cmd.IdentifyResult"
+        $ = "Yasso/cmd.RespLab"
+        $ = "Go build ID"
+        
+    condition:
+        uint16be(0) == 0x4d5a and 
+        filesize > 15MB and filesize < 20MB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/trojan_and_keepspy.yar b/yara_rules/trojan_and_keepspy.yar
new file mode 100644
index 0000000..ba61794
--- /dev/null
+++ b/yara_rules/trojan_and_keepspy.yar
@@ -0,0 +1,23 @@
+rule trojan_and_keepspy {
+    meta:
+        id = "9390e7c8-a996-45cc-b642-c23d4b7dcf34"
+        version = "1.0"
+        description = "Finds KeepSpy samples based on specific strings"
+        author = "Sekoia.io"
+        creation_date = "2023-06-28"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str01 = "Characters entered %1$d of %2$d" ascii
+        $str02 = "com.google.android.material.behavior.HideBottomViewOnScrollBehavior" ascii
+        $str03 = "com/j256/ormlite/core/VERSION.txt" ascii
+        $str04 = "res/raw/empty.wav" ascii
+        $str05 = "res/mipmap/ic_launcher.png" ascii
+        $str06 = "res/interpolator/fast_out_slow_in.xml" ascii
+        $str07 = "OnePixelActivity" ascii
+        
+    condition:
+        uint32be(0) == 0x504B0304 and 6 of them 
+        and filesize > 2MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/trojan_android_brata.yar b/yara_rules/trojan_android_brata.yar
new file mode 100644
index 0000000..8427315
--- /dev/null
+++ b/yara_rules/trojan_android_brata.yar
@@ -0,0 +1,30 @@
+rule trojan_android_brata {
+    meta:
+        id = "fde9b82e-c677-44ed-b512-b225a3aba201"
+        author = "Sekoia.io"
+        creation_date = "2022-01-27"
+        description = "Detect samples of the Android banking trojan BRATA"
+        version = "1.0"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $goo0 = "Google Play services error"
+        $goo1 = "Error de Serveis de Google Play"
+        $goo2 = "Fehler bei Zugriff auf Google Play-Dienste"
+        $goo3 = "Erro nos servizos de Google Play"
+        $goo4 = "Fout met Google Play-services"
+        $goo5 = "Virhe Google Play -palveluissa"
+        $goo6 = "Erro do Google Play Services"
+        $goo7 = "Error de Google Play Services"
+        
+        $res0 = "res/xml/device_admin.xml"
+        $res1 = "res/xml/windowchangedetectingservice.xml"
+        $res2 = "res/xml-v22/windowchangedetectingservice.xml"
+        
+    condition:
+        uint32be(0) == 0x504B0304
+        and filesize > 2MB
+        and filesize < 6MB
+        and 7 of ($goo*) and 2 of ($res*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/trojan_android_cerberus.yar b/yara_rules/trojan_android_cerberus.yar
new file mode 100644
index 0000000..33f6f17
--- /dev/null
+++ b/yara_rules/trojan_android_cerberus.yar
@@ -0,0 +1,27 @@
+rule trojan_android_cerberus {
+    meta:
+        id = "3ea398bd-a80c-40f4-ad52-73b528add4ad"
+        author = "Sekoia.io"
+        creation_date = "2022-01-24"
+        description = "Detect samples of the Android banking trojan Cerberus, or its family"
+        version = "1.0"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $str0 = "assets/neurax.txt"
+        $str1 = "assets/Card_UpPotency_UI.json"
+        $str2 = "assets/Card_SignetFoster_UI.json"
+        $str3 = "assets/Gene_EmpathyTrainer.png"
+        
+        $bin0 = "assets/180417.bin"
+        $bin1 = "assets/180513.bin"
+        $bin2 = "assets/180527.bin"
+        $bin3 = "assets/180528.bin"
+        
+    condition:
+        uint32be(0) == 0x504B0304
+        and filesize > 1MB
+        and filesize < 4MB
+        and 3 of ($str*) and 3 of ($bin*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/trojan_android_xenomorph.yar b/yara_rules/trojan_android_xenomorph.yar
new file mode 100644
index 0000000..a813ad7
--- /dev/null
+++ b/yara_rules/trojan_android_xenomorph.yar
@@ -0,0 +1,21 @@
+rule trojan_android_xenomorph {
+    meta:
+        id = "ec65ca1b-e71f-4772-8be0-2a2b6a690987"
+        author = "Sekoia.io"
+        creation_date = "2022-02-25"
+        description = "Detect samples of the Android banking trojan Xenomorph"
+        version = "1.0"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ass0 = "assets/shadows/knife_shadow_"
+        $ass1 = "assets/knife_"
+        $ass2 = "okhttp3"
+        
+    condition:
+        uint32be(0) == 0x504B0304
+        and filesize > 1MB
+        and filesize < 4MB
+        and #ass0 > 10 and #ass1 > 10 and $ass2
+}
+        
\ No newline at end of file
diff --git a/yara_rules/trojan_win_bbtok_dll1_sep23.yar b/yara_rules/trojan_win_bbtok_dll1_sep23.yar
new file mode 100644
index 0000000..2b7d250
--- /dev/null
+++ b/yara_rules/trojan_win_bbtok_dll1_sep23.yar
@@ -0,0 +1,29 @@
+rule trojan_win_bbtok_dll1_sep23 {
+    meta:
+        id = "eebed24b-24ec-4a85-852c-52d0acc9a698"
+        version = "1.0"
+        description = "Finds BBTok installation DLL file"
+        author = "Sekoia.io"
+        reference = "https://research.checkpoint.com/2023/behind-the-scenes-of-bbtok-analyzing-a-bankers-server-side-components/"
+        creation_date = "2023-09-26"
+        classification = "TLP:CLEAR"
+        hash = "5353956345206982af9bde55300fc405ba6e40722e8f51e8717c30ad32bc8f91"
+        
+    strings:
+        $str01 = "C:\\Windows\\System32\\rundll32.exe" wide
+        $str02 = "C:\\ProgramData\\mmd.exe" wide
+        $str03 = "REG ADD HKCU\\Software\\Classes\\.pwn\\Shell\\Open\\command -ve /d" wide
+        $str04 = "C:\\ProgramData\\mmd.exe \\\\" wide
+        $str05 = "\\file\\Trammy.dll" wide
+        $str06 = "Dacl & REG DELETE HKCU\\Software\\Classes\\ms-settings /f" wide
+        $str07 = "REG DELETE  HKCU\\Software\\Classes\\.pwn /f" wide
+        $str08 = "REG ADD HKCU\\Software\\Classes\\ms-settings\\CurVer -ve /d \".pwn\" /f" wide
+        $str09 = "timeout /t 3 >nul & start /MIN computerdefaults.exe" wide
+        $str10 = "set_StartInfo" ascii
+        $str11 = "set_WindowStyle" ascii
+        
+    condition:
+        uint16(0)==0x5a4d and 7 of them
+        and filesize < 50KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/trojan_win_bbtok_iso_sep23.yar b/yara_rules/trojan_win_bbtok_iso_sep23.yar
new file mode 100644
index 0000000..4567ced
--- /dev/null
+++ b/yara_rules/trojan_win_bbtok_iso_sep23.yar
@@ -0,0 +1,23 @@
+rule trojan_win_bbtok_iso_sep23 {
+    meta:
+        id = "6032853d-b872-4b2e-913d-366e7f3d0f32"
+        version = "1.0"
+        description = "Finds BBTok installation ISO file"
+        author = "Sekoia.io"
+        reference = "https://research.checkpoint.com/2023/behind-the-scenes-of-bbtok-analyzing-a-bankers-server-side-components/"
+        creation_date = "2023-09-26"
+        classification = "TLP:CLEAR"
+        hash = "140e83d2e0d012cdd5625ea89c3b3af05a80877cfc8215bbe20823e7e88c80b1"
+        
+    strings:
+        $iso = {43 44 30 30 31} //iso magic number
+        
+        $str01 = "POWERISO" ascii
+        $str02 = "%ProgramFiles(x86)%\\Microsoft\\Edge\\Application\\msedge.exe" ascii wide
+        $str03 = ".pdf /Y & start" wide
+        $str04 = "\\MSBuild.exe -nologo \\\\" ascii wide
+        
+    condition:
+        all of them and filesize < 500KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/trojan_win_bbtok_lnk_sep23.yar b/yara_rules/trojan_win_bbtok_lnk_sep23.yar
new file mode 100644
index 0000000..5d84b8e
--- /dev/null
+++ b/yara_rules/trojan_win_bbtok_lnk_sep23.yar
@@ -0,0 +1,22 @@
+rule trojan_win_bbtok_lnk_sep23 {
+    meta:
+        id = "b1d5dae6-d92f-4a4a-ae90-528cdb3e9e4c"
+        version = "1.0"
+        description = "Finds BBTok installation LNK file"
+        author = "Sekoia.io"
+        reference = "https://research.checkpoint.com/2023/behind-the-scenes-of-bbtok-analyzing-a-bankers-server-side-components/"
+        creation_date = "2023-09-26"
+        classification = "TLP:CLEAR"
+        hash = "32bf07e3740399105359b62d8a612dfa731b024e06c9104b71b496919b5efe9e"
+        
+    strings:
+        $lnk = {4C 00 00 00} //lnk magic number
+        
+        $str01 = "%ProgramFiles(x86)%\\Microsoft\\Edge\\Application\\msedge.exe" ascii wide
+        $str02 = ".pdf /Y & start" wide
+        $str03 = "\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe -nologo" wide
+        
+    condition:
+        all of them and filesize < 10KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/trojan_win_grandoreiro.yar b/yara_rules/trojan_win_grandoreiro.yar
new file mode 100644
index 0000000..e0c80a3
--- /dev/null
+++ b/yara_rules/trojan_win_grandoreiro.yar
@@ -0,0 +1,27 @@
+rule trojan_win_grandoreiro {
+    meta:
+        version = "1.0"
+        description = "Finds Grandorerio samples based on the specific strings"
+        author = "Sekoia.io"
+        creation_date = "2022-08-24"
+        id = "e48c86a1-e34f-4945-817a-9c85198a77bb"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $mut = "ZTP@11" wide
+        
+        $reg01 = "Software\\Embarcadero\\Locales" wide
+        $reg02 = "Software\\CodeGear\\Locales" wide
+        $reg03 = "Software\\Borland\\Locales" wide
+        $reg04 = "Software\\Borland\\Delphi\\Locale" wide
+        $reg05 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes" wide
+        
+        $str01 = "SELECT * FROM AntiVirusProduct" wide
+        $str02 = "GetTickCount64" wide
+        $str03 = "C:\\Program Files (x86)\\Embarcadero\\Studio\\20.0\\lib\\Clever Internet Suite" wide
+        $str04 = "{43826D1E-E718-42EE-BC55-A1E261C37BFE}" wide
+        
+    condition:
+        uint16(0)==0x5A4D and all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/truesightkiller_avkiller_strings.yar b/yara_rules/truesightkiller_avkiller_strings.yar
new file mode 100644
index 0000000..19046dc
--- /dev/null
+++ b/yara_rules/truesightkiller_avkiller_strings.yar
@@ -0,0 +1,46 @@
+rule truesightkiller_avkiller_strings {
+    meta:
+        id = "8f249ac4-5181-4169-9eb2-7d73ec4fd68d"
+        version = "1.0"
+        description = "TrueSightKiller based on string"
+        author = "Sekoia.io"
+        creation_date = "2024-10-29"
+        classification = "TLP:CLEAR"
+        hash = "891202963430a4b1dea2dc5b9af01dc5"
+        hash = "367af202029bf51fc347a8f414fa2a5c"
+        hash = "64439836d69084b129c2dc4264176149"
+        hash = "6e69b890b1c228fa4225776b185b5af7"
+        hash = "daaf7bdf1e7fd882c0bfb89450ec0ab2"
+        hash = "dcf36765ed9386c169eb2695d26f6a6f"
+        
+    strings:
+        $ = "[+] Process PID: " wide
+        $ = "[-] OpenSCManager failed" wide
+        $ = "[+] Creating service: truesight" wide
+        $ = "[+] Full path: " wide
+        $ = "[-] Error getting current directory." wide
+        $ = "[-] CreateService failed" wide
+        $ = "[!] Service is already running" wide
+        $ = "[-] QueryServiceStatus failed" wide
+        $ = "[-] StartService failed" wide
+        $ = "[+] Driver loaded successfully!" wide
+        $ = "[-] OpenService failed" wide
+        $ = "[-] ControlService failed" wide
+        $ = "[-] DeleteService failed" wide
+        $ = "Welcome to EDR/AV Killer using truesight driver!" wide
+        $ = "This is a PoC, use it at your own risk!" wide
+        $ = "[-] Failed to set CTRL+C handler. Exiting..." wide
+        $ = "ntdll.dll" wide
+        $ = "\\\\.\\TrueSight" wide
+        $ = "[-] CreateFileA failed" wide
+        $ = " not running" wide
+        $ = "[-] Process name: " wide
+        $ = "[+] Terminating PID: " wide
+        $ = "[-] DevicesIoControl failed" wide
+        $ = "[!] Stoping and Deleting trueSight Service!" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and filesize < 1MB and filesize > 20KB and 
+        20 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/typhon_reborn_stealer.yar b/yara_rules/typhon_reborn_stealer.yar
new file mode 100644
index 0000000..c4e1473
--- /dev/null
+++ b/yara_rules/typhon_reborn_stealer.yar
@@ -0,0 +1,19 @@
+import "pe"
+        
+rule typhon_reborn_stealer {
+    meta:
+        id = "aab7279b-b651-4092-b988-d186d0a433de"
+        version = "1.0"
+        description = "Typhon Reborn v2 string based detection"
+        author = "Sekoia.io"
+        creation_date = "2023-05-15"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "api.telegram.org/bot" wide
+        $s2 = "TyphonReborn Stealer v2 log!" wide
+        
+    condition:
+        all of them and pe.is_pe
+}
+        
\ No newline at end of file
diff --git a/yara_rules/unk_quad7_fsynet_strings.yar b/yara_rules/unk_quad7_fsynet_strings.yar
new file mode 100644
index 0000000..78cad95
--- /dev/null
+++ b/yara_rules/unk_quad7_fsynet_strings.yar
@@ -0,0 +1,34 @@
+rule unk_quad7_fsynet_strings {
+    meta:
+        id = "897b2421-c177-48c0-8f5b-82d8434208cb"
+        version = "1.0"
+        description = "Matches node-r-control, asr_node, node-relay"
+        author = "Sekoia.io"
+        creation_date = "2024-08-20"
+        classification = "TLP:CLEAR"
+        hash = "f42849076e24b7827218f7a25bc11ccc"
+        hash = "b3b09819f820a4ecd31f82f369000af2"
+        hash = "92093dd7ba6ae8fe34a215c4c4bd1cd4"
+        hash = "e6f6a6de285d7c2361c32b1f29a6c3f6"
+        hash = "408152285671bbd0e6e63bd71d6abaaf"
+        hash = "5efc7d824851be9ec90a97d889a40d23"
+        
+    strings:
+        $ = "prev_hop_port"
+        $ = "next_hop_port"
+        $ = "back_hop_port"
+        $ = "next_tsn_port"
+        $ = "prev_hop_ip"
+        $ = "next_hop_ip"
+        $ = "back_hop_ip"
+        $ = "next_tsn_ip"
+        $ = "ikcp_"
+        $ = "/tmp/log_r"
+        $ = "total_hop"
+        
+    condition:
+        uint32be(0) == 0x7f454c46
+        and filesize < 5MB
+        and 6 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/unk_quad7_netd_strings.yar b/yara_rules/unk_quad7_netd_strings.yar
new file mode 100644
index 0000000..2060d8d
--- /dev/null
+++ b/yara_rules/unk_quad7_netd_strings.yar
@@ -0,0 +1,24 @@
+rule unk_quad7_netd_strings {
+    meta:
+        id = "3f527f0e-c101-4356-9024-fc61aea644d1"
+        version = "1.0"
+        description = "Matches netd binary"
+        author = "Sekoia.io"
+        creation_date = "2024-08-23"
+        classification = "TLP:CLEAR"
+        hash = "cdb37db4543dde5ca2bd98a43699828f"
+        
+    strings:
+        $ = "./netd.dat"
+        $ = "./sys.dat"
+        $ = "--conf"
+        $ = "--init"
+        $ = "--nobg"
+        $ = "Url is NULL."
+        
+    condition:
+        uint32be(0) == 0x7f454c46 and
+        filesize < 1MB and
+        4 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/unk_quad7_updtae_reverse_shell_strings.yar b/yara_rules/unk_quad7_updtae_reverse_shell_strings.yar
new file mode 100644
index 0000000..12f99a7
--- /dev/null
+++ b/yara_rules/unk_quad7_updtae_reverse_shell_strings.yar
@@ -0,0 +1,26 @@
+rule unk_quad7_updtae_reverse_shell_strings {
+    meta:
+        id = "02d5394e-734c-4744-b293-1bf96bf1518c"
+        version = "1.0"
+        description = "Reverse shell used by Quad7 operators"
+        author = "Sekoia.io"
+        creation_date = "2024-08-19"
+        classification = "TLP:CLEAR"
+        hash = "40b5ac87ff87634c48fdd2cf64ccb66b"
+        hash = "4b8e97260d9ef6ca774675be682d9c8c"
+        
+    strings:
+        $ = "User-Agent: IOT"
+        $ = "/iot/post"
+        $ = "vender"
+        $ = "Response:  %s"
+        $ = "cmdNum"
+        $ = "UPDTAE"
+        $ = "cmdResult"
+        
+    condition:
+        uint32be(0) == 0x7f454c46 and
+        filesize < 5MB and
+        4 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/unknown_7777_xlogin.yar b/yara_rules/unknown_7777_xlogin.yar
new file mode 100644
index 0000000..2dafc32
--- /dev/null
+++ b/yara_rules/unknown_7777_xlogin.yar
@@ -0,0 +1,25 @@
+rule unknown_7777_xlogin {
+    meta:
+        id = "ce0beffc-f957-43ef-a739-f4a1099a7a67"
+        version = "1.0"
+        description = "Detects the xlogin bind shell and its variants"
+        author = "Sekoia.io"
+        creation_date = "2024-07-18"
+        classification = "TLP:CLEAR"
+        hash = "4d9067e7cf517158337123a30a9bd0e3"
+        hash = "43ea387b8294cc4d0baaef6d26ff7c72"
+        hash = "777d6f907da38365924a0c2a12e973c5"
+        hash = "8542a3cbe232fe78baa0882736c61926"
+        
+    strings:
+        $string1 = { 2f 62 69 6e 2f 73 68 00 2f 74 6d 70 2f 6c 6f 67 69 6e }
+        $string2 = { 2F 64 65 76 2F 6E 75 6C 6C [1-3] 2F 62 69 6E 2F 73 68 00 2D 63 }
+        
+    condition:
+        uint32be(0) == 0x7f454c46 and
+        filesize < 180KB and
+        (
+            (@string2 - @string1 < 3400)
+        )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/unknown_quad7_wildcard_login.yar b/yara_rules/unknown_quad7_wildcard_login.yar
new file mode 100644
index 0000000..413706a
--- /dev/null
+++ b/yara_rules/unknown_quad7_wildcard_login.yar
@@ -0,0 +1,24 @@
+rule unknown_quad7_wildcard_login {
+    meta:
+        id = "01510244-0795-4299-aa66-056a2b4682e7"
+        version = "1.0"
+        description = "Detects the (x|r|a)login bind shells"
+        author = "Sekoia.io"
+        creation_date = "2024-07-18"
+        classification = "TLP:CLEAR"
+        hash = "4d9067e7cf517158337123a30a9bd0e3"
+        hash = "43ea387b8294cc4d0baaef6d26ff7c72"
+        hash = "777d6f907da38365924a0c2a12e973c5"
+        hash = "8542a3cbe232fe78baa0882736c61926"
+        hash = "1b08725acc371f6b7d05bb72d0c2d759"
+        
+    strings:
+        $string1 = { 2f 62 69 6e 2f 73 68 00 2f 74 6d 70 2f 6c 6f 67 69 6e }
+        $string2 = { 2f 62 69 6e 2f 73 68 00 2d 63 00 65 78 69 74 20 30 }
+        
+    condition:
+        uint32be(0) == 0x7f454c46 and
+        filesize < 180KB and
+        @string2 - @string1 < 3400
+}
+        
\ No newline at end of file
diff --git a/yara_rules/ursnif.yar b/yara_rules/ursnif.yar
new file mode 100644
index 0000000..e53cfcb
--- /dev/null
+++ b/yara_rules/ursnif.yar
@@ -0,0 +1,24 @@
+rule ursnif {
+    meta:
+        description = "Ursnif Payload"
+        author = "Sekoia.io"
+        id = "ac392af3-c344-453c-9427-5bb46223e01c"
+        version = "1.0"
+        classification = "TLP:CLEAR"
+        author = "Sekoia.io"
+        
+    strings:
+        $crypto64_1 = {41 8B 02 ?? C1 [0-1] 41 33 C3 45 8B 1A 41 33 C0 D3 C8 41 89 02 49 83 C2 04 83 C2 FF 75 D?}
+        $crypto64_2 = {44 01 44 24 10 FF C1 41 8B C0 D1 64 24 10 33 C3 41 8B D8 FF 4C 24 10 41 33 C3 01 44 24 10 D3 C8 01 44 24 10 41 89 02 49 83 C2 04 83 C2 FF 75 C3}
+        $crypto64_3 = {33 C6 ?? C7 [0-1] 49 83 C2 04 33 C3 8B F1 8B CF D3 C8 89 02 48 83 C2 04 41 83 C3 FF 75 ?? 45 85 C9 75 ?? 41 83 E0 03}
+        $crypto64_4 = {41 8B 02 41 8B CB 41 83 F3 01 33 C3 41 8B 1A C1 E1 03 41 33 C0 D3 C8 41 89 02 49 83 C2 04 83 C2 FF 75 C6}
+        $decrypt_config64 = {44 8B D9 33 C0 45 33 C9 44 33 1D ?? ?? ?? 00 ?? ?? D2 ?? ?? D2 74 ?? 4C 8D 42 10 45 3B 0A 73 2? 45 39 58 F8 75 1C 41 F6 40 FC 01 74 12}
+        
+        $crypto32_1 = {01 45 FC D1 65 FC FF 4D FC 33 C1 33 45 0C 01 45 FC 43 8A CB D3 C8 8B CE 01 45 FC 89 02 83 C2 04 FF 4D 08 75 CD}
+        $crypto32_2 = {33 C1 33 44 24 10 43 8A CB D3 C8 8B CE 89 02 83 C2 04 FF 4C 24 0C 75 D9}
+        $decrypt_config32 = {8B ?? 08 5? 33 F? 3B [1-2] 74 14 A1 0? ?? ?? ?? 35 ?? ?? ?? ?? 50 8B D? E8 ?? D? 00 00 EB 02 33 C0 ?B ?? ?? ?? ?? ?? ?? ?? 74 14 8D 4D ?? ?? ?? 50 FF D? 85 C0 74 08}
+        
+    condition:
+        true and uint16(0) == 0x5A4D and (($decrypt_config64 and any of ($crypto64*)) or ($decrypt_config32 and any of ($crypto32*)))
+}
+        
\ No newline at end of file
diff --git a/yara_rules/ursnif_ldr4.yar b/yara_rules/ursnif_ldr4.yar
new file mode 100644
index 0000000..dc0e134
--- /dev/null
+++ b/yara_rules/ursnif_ldr4.yar
@@ -0,0 +1,27 @@
+rule ursnif_ldr4 {
+    meta:
+        description = "Ursnif LDR4"
+        author = "Sekoia.io"
+        id = "73e63481-8a89-4342-87f0-8dc7ad459396"
+        version = "1.0"
+        classification = "TLP:CLEAR"
+        author = "Sekoia.io"
+        
+    strings:
+        $str1 = "LOADER.dll" fullword
+        $str2 = "DllRegisterServer" fullword
+        $str3 = ".bss" fullword
+        $x64_code1 = { 3D 2E 62 73 73 74 0A 48 83 C7 28 }
+        $x64_code2 = { 8B 17 48 83 C7 04 8B CA 8b C2 23 CB 0B C3 F7 D1 23 C8 41 2B CA 44 8B D2 41 89 08 41 8B CB 49 83 C0 04 83 E1 07 FF C1 41 D3 C2 41 83 EB 04 79 }
+        $x64_code3 = { 41 0F B6 01 49 FF C1 8B C8 8B D0 83 E1 03 C1 E1 03 D3 E2 44 03 C2 41 83 C2 FF 75 }
+        $x64_code4 = { 45 8D 45 08 48 8D 8C 24 [4] BA 30 00 FE 7F E8 }
+        $x64_code5 = { 48 8D 8C 24 [4] BA 30 00 FE 7F 41 B8 08 00 00 00 E8 }
+        $x86_code1 = { 81 F9 2E 62 73 73 74 09 83 C6 28 }
+        $x86_code2 = { 8B 06 8B D0 23 55 0C 8B D8 0B 5D 0C F7 D2 23 D3 2B D1 8A 4D 08 80 E1 07 83 C6 04 89 17 83 C7 04 FE C1 D3 C0 83 6D 08 04 8B C8 79 }
+        $x86_code3 = { 8A 0E 0F B6 D1 8B CA 83 E1 03 C1 E1 03 D3 E2 46 03 C2 4F 75 }
+        $x86_code4 = { 6A 08 8D 45 F8 68 30 00 FE 7F 50 E8 }
+        
+    condition:
+        true and 5 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/vpn_mul_softether.yar b/yara_rules/vpn_mul_softether.yar
new file mode 100644
index 0000000..2ffb186
--- /dev/null
+++ b/yara_rules/vpn_mul_softether.yar
@@ -0,0 +1,30 @@
+rule vpn_mul_softether {
+    meta:
+        id = "a1fbf4fe-b934-4a66-b6b1-ebe2f83505cd"
+        version = "1.0"
+        description = "Detect the open-source SoftEther VPN"
+        author = "Sekoia.io"
+        creation_date = "2024-04-15"
+        classification = "TLP:CLEAR"
+        reference = "https://www.softether.org/"
+        
+    strings:
+        $ = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\softether_se%s"
+        $ = "GET /vgc_download_dat/ HTTP/1.1"
+        $ = "http://x%c.x%c.client.api.vpngate2.jp/api/"
+        $ = "http://x0.x0.client.api.vpngate2.jp/check/check.txt"
+        $ = "https://x%c.x%c.statistics.api.vpngate2.jp/api/statistics/"
+        $ = "Software\\SoftEther Project\\SoftEther VPN\\"
+        
+        $ = "|vpnsetup_nosign.exe" wide
+        $ = "/ISEASYINSTALLER:%u" wide
+        $ = "/CALLERSFXPATH:\"%s\"" wide
+        $ = "vpn_client.config" wide
+        $ = "vpn_bridge.config" wide
+        $ = "|backup_dir_readme.txt" wide
+        $ = "vpn_debuginfo_%04u%02u%02u_%02u%02u%02u.zip" wide
+        
+    condition:
+        8 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/water_sigbin_group.yar b/yara_rules/water_sigbin_group.yar
new file mode 100644
index 0000000..1096d42
--- /dev/null
+++ b/yara_rules/water_sigbin_group.yar
@@ -0,0 +1,19 @@
+rule water_sigbin_group {
+    meta:
+        id = "c49728e8-db7e-4d83-97d2-7d56b51f8a52"
+        version = "1.0"
+        description = "Detects IOCs related to the 8220 Mining group."
+        author = "Sekoia.io"
+        creation_date = "2024-06-11"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "Z12A3" ascii fullword
+        $s2 = "FromBase64String" ascii fullword
+        $s3 = "Start-Process" ascii fullword
+        $s4 = "WriteAllBytes" ascii fullword
+        
+    condition:
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/webshell_icesword_strings.yar b/yara_rules/webshell_icesword_strings.yar
new file mode 100644
index 0000000..568eb22
--- /dev/null
+++ b/yara_rules/webshell_icesword_strings.yar
@@ -0,0 +1,21 @@
+rule webshell_icesword_strings {
+    meta:
+        id = "2c6b3cec-4200-4386-8cd5-4004c9b5b96a"
+        version = "1.0"
+        description = "Detects icesword webshell"
+        author = "Sekoia.io"
+        creation_date = "2024-11-22"
+        classification = "TLP:CLEAR"
+        hash = "0447352827e61696304a8e3d34e1d270"
+        hash = "f49cfcda0abdefa385eda7ec7e7a5411"
+        hash = "e1518388375ba772ed20503ec6dc6c8a"
+        hash = "ecf08cd6af127e01f913354529174a23"
+        
+    strings:
+        $ = "&fsAction=rename&newName="
+        $ = "&fsAction=copyto&dstPath="
+        
+    condition:
+        2 of them and filesize < 100KB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/webshell_wso_webshell_strings.yar b/yara_rules/webshell_wso_webshell_strings.yar
new file mode 100644
index 0000000..e910c42
--- /dev/null
+++ b/yara_rules/webshell_wso_webshell_strings.yar
@@ -0,0 +1,21 @@
+rule webshell_wso_webshell_strings {
+    meta:
+        id = "84340792-73a4-4d61-9957-6cfa1f6444a7"
+        version = "1.0"
+        description = "Detects the WSO webshells"
+        author = "Sekoia.io"
+        creation_date = "2022-04-22"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "decrypt($str,$pwd){$pwd=base64_encode($pwd);"
+        $ = "prototype(md5($_SERVER['HTTP_HOST'])"
+        $ = "$_COOKIE[md5($_SERVER['HTTP_HOST'])."
+        $ = "set(a,c,p1,p2,p3,charset)"
+        $ = "(($p & 0x0008) ? (($p & 0x0400)"
+        $ = "gcc','lcc','cc','ld','make','php"
+        
+    condition:
+        3 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/weevely_webshell_payload.yar b/yara_rules/weevely_webshell_payload.yar
new file mode 100644
index 0000000..da032e3
--- /dev/null
+++ b/yara_rules/weevely_webshell_payload.yar
@@ -0,0 +1,18 @@
+rule weevely_webshell_payload {
+    meta:
+        id = "f2879c6e-3d1b-41be-8b1d-4f0503fd4b29"
+        version = "1.0"
+        description = "Detects weevely webshell"
+        author = "Sekoia.io"
+        creation_date = "2024-04-22"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "<?php include \""
+        $s2 = ".basename(__FILE__).\""
+        $s3 = ";__HALT_COMPILER(); ?>"
+        
+    condition:
+        all of them and filesize < 1MB and @s1 == 0 and @s2 < @s3
+}
+        
\ No newline at end of file
diff --git a/yara_rules/win_clipper_generic.yar b/yara_rules/win_clipper_generic.yar
new file mode 100644
index 0000000..128e68d
--- /dev/null
+++ b/yara_rules/win_clipper_generic.yar
@@ -0,0 +1,18 @@
+rule win_clipper_generic {
+    meta:
+        id = "a94b3d01-dbc7-41e4-8d45-793bf443b1d2"
+        version = "1.0"
+        description = "Clipper found during investigation: 892a9edb03db3fd88fecc1e1a2f56a7339f16f6734e8d77e6538ea2c8c9026d6"
+        author = "Sekoia.io"
+        creation_date = "2024-07-03"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        // $ranpth = if ((Get-Random) % 2) { Join-Path $env:TEMP "$ran.ps1" } else { Join-Path $env:APPDATA "$ran.ps1" }
+        $s = { 24 72 61 6e 70 74 68 20 3d 20 69 66 20 28 28 47 65 74 2d 52 61 6e 64 6f 6d 29 20 25 20 32 29 20 7b 20 4a 6f 69 6e 2d 50 61 74 68 20 24 65 6e 76 3a 54 45 4d 50 20 22 24 72 61 6e 2e 70 73 31 22 20 7d 20 65 6c 73 65 20 7b 20 4a 6f 69 6e 2d 50 61 74 68 20 24 65 6e 76 3a 41 50 50 44 41 54 41 20 22 24 72 61 6e 2e 70 73 31 22 20 7d  }
+        
+    condition:
+        filesize > 1KB and
+        all of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/win_infostealer_serpent_strings.yar b/yara_rules/win_infostealer_serpent_strings.yar
new file mode 100644
index 0000000..eb88103
--- /dev/null
+++ b/yara_rules/win_infostealer_serpent_strings.yar
@@ -0,0 +1,24 @@
+rule win_infostealer_serpent_strings {
+    meta:
+        id = "ad9e2366-c95e-4090-a0db-48f3cc325209"
+        version = "1.0"
+        description = "Serpent Stealer string"
+        author = "Sekoia.io"
+        creation_date = "2023-12-04"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "User Has SSH Dir." wide
+        $s2 = "[+] Executing Wallets" wide
+        $s3 = "'serpent' folder" wide
+        $s4 = "Buddy Kys!!!" wide
+        $s5 = "http://checkip.dyndns.org/" wide
+        $s6 = "[+] Target has discord installed" wide
+        $s7 = "Target has minecraft." wide
+        
+    condition:
+        (uint16be(0) == 0x4d5a) and
+        filesize < 100KB and
+        5 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/win_loader_astasialoader_strings.yar b/yara_rules/win_loader_astasialoader_strings.yar
new file mode 100644
index 0000000..2d85e71
--- /dev/null
+++ b/yara_rules/win_loader_astasialoader_strings.yar
@@ -0,0 +1,26 @@
+rule win_loader_astasialoader_strings {
+    meta:
+        id = "8dfabf28-4b5a-43db-87e9-5b9080541ec3"
+        version = "1.0"
+        description = "AstasiaLoader strings"
+        author = "Sekoia.io"
+        creation_date = "2023-08-16"
+        classification = "TLP:CLEAR"
+        hash = "44b6f7508a82ff6a4d65defc189303eeee393b5fd498de73d74d0a2c75c87401"
+        
+    strings:
+        $s1 = "newuploaders" wide
+        $s2 = "\\infected.exe" wide
+        $s3 = "AstasiaLoader" wide
+        $s4 = "Astasia.pdb" ascii
+        $s5 = "ip-api.com/line/?fields=hosting" wide
+        $s6 = "https://api.telegram.org/bot" wide
+        $s7 = "currentscript.txt" wide
+        $s8 = "sessionlog.txt" wide
+        
+    condition:
+        uint16be(0) == 0x4d5a and
+        filesize > 50KB and filesize < 1MB and
+        5 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/win_malware_agnianestealer.yar b/yara_rules/win_malware_agnianestealer.yar
new file mode 100644
index 0000000..67c9007
--- /dev/null
+++ b/yara_rules/win_malware_agnianestealer.yar
@@ -0,0 +1,19 @@
+rule win_malware_agnianestealer {
+    meta:
+        id = "704c85b7-8b82-4160-ae1b-fd1054cae8e2"
+        version = "1.0"
+        description = "Detect the Agniane stealer using strings"
+        author = "Sekoia.io"
+        creation_date = "2023-08-10"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "Agniane.pdb" ascii
+        $s2 = "Agniane.exe" wide ascii
+        
+    condition:
+        (uint16be(0) == 0x4d5a) and
+        filesize > 100KB and filesize < 3MB and
+        2 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/win_malware_janelarat_strings.yar b/yara_rules/win_malware_janelarat_strings.yar
new file mode 100644
index 0000000..74a5518
--- /dev/null
+++ b/yara_rules/win_malware_janelarat_strings.yar
@@ -0,0 +1,21 @@
+rule win_malware_janelarat_strings {
+    meta:
+        id = "891f182e-8a7a-4d0c-a481-62c198bb901b"
+        version = "1.0"
+        description = "Detect the JanelaRAT malware"
+        author = "Sekoia.io"
+        creation_date = "2023-08-11"
+        classification = "TLP:CLEAR"
+        hash = "00df0a1f037e24ff1528d524fb7398735e2c3e0a9995a9f95a5293b04748f06e"
+        
+    strings:
+        // E:\PROJETOS2023\CSHARP\RAT\MXNOBUGMAG\
+        $s2 = {4d 58 4e 4f 42 55 47 4d 41 47}
+        $s1 =  "block.blq" wide
+        
+    condition:
+        (uint16be(0) == 0x4d5a) and
+        filesize > 100KB and filesize < 1MB and
+        2 of them
+}
+        
\ No newline at end of file
diff --git a/yara_rules/win_malware_statc_downloader.yar b/yara_rules/win_malware_statc_downloader.yar
new file mode 100644
index 0000000..d62fea7
--- /dev/null
+++ b/yara_rules/win_malware_statc_downloader.yar
@@ -0,0 +1,29 @@
+rule win_malware_statc_downloader {
+    meta:
+        id = "4a2e9607-635b-4cd8-ba27-d70e0c76fd45"
+        version = "1.0"
+        description = "Statc Downloader powershell script. Base64 powershell"
+        author = "Sekoia.io"
+        creation_date = "2023-08-09"
+        classification = "TLP:CLEAR"
+        hash = "173ea5af2e71b6ed70abd52a5d2f4de040393a6d2ff4978bbb6e73d96742b010"
+        
+    strings:
+        $powershell = "powershell.exe"
+        // (New-Object Net.Webclient).downloadfile("https://
+        $a1 = "KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAGYAaQBsAGUAKAAiAGgAdAB0AHAAcwA6AC8A"
+        $a2 = "gATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABmAGkAbABlACgAIgBoAHQAdABwAHMAOgAvA"
+        $a3 = "oAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAZgBpAGwAZQAoACIAaAB0AHQAcABzADoALw"
+        // invoke-expression "$env:TEMP\
+        $b1 = "aQBuAHYAbwBrAGUALQBlAHgAcAByAGUAcwBzAGkAbwBuACAAIgAkAGUAbgB2ADoAVABFAE0AUABc"
+        $b2 = "kAbgB2AG8AawBlAC0AZQB4AHAAcgBlAHMAcwBpAG8AbgAgACIAJABlAG4AdgA6AFQARQBNAFAAX"
+        $b3 = "pAG4AdgBvAGsAZQAtAGUAeABwAHIAZQBzAHMAaQBvAG4AIAAiACQAZQBuAHYAOgBUAEUATQBQAF"
+        // 1 1"; "OK";
+        $c1 = "MQAgADEAIgA7ACAAIgBPAEsAIgA7"
+        $c2 = "EAIAAxACIAOwAgACIATwBLACIAO"
+        $c3 = "xACAAMQAiADsAIAAiAE8ASwAiAD"
+        
+    condition:
+        $powershell at 0 and 1 of ($a*) and 1 of ($b*) and 1 of ($c*) and filesize < 1MB
+}
+        
\ No newline at end of file
diff --git a/yara_rules/wiper_hermeticwiper_variants.yar b/yara_rules/wiper_hermeticwiper_variants.yar
new file mode 100644
index 0000000..1a1f5e2
--- /dev/null
+++ b/yara_rules/wiper_hermeticwiper_variants.yar
@@ -0,0 +1,27 @@
+import "pe"
+        
+rule wiper_hermeticwiper_variants {
+    meta:
+        id = "102ecf15-167e-49e4-932c-6334e3cdcc69"
+        version = "1.0"
+        description = "Matches HermeticWiper and possible variants"
+        author = "Sekoia.io"
+        creation_date = "2022-02-24"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "SeLoadDriverPrivilege" wide
+        $ = "\\\\.\\PhysicalDrive" wide
+        $ = "::$INDEX_ALLOCATION" wide
+        $ = "CrashDumpEnabled" wide
+        
+    condition:
+        2 of them and
+        pe.characteristics and
+        pe.number_of_signatures == 1 and
+        pe.number_of_resources > 2 and
+        for 2 i in (0..pe.number_of_resources - 1):
+        ( uint32be( pe.resources[i].offset+15 ) == 0x4D5A9000 and
+        uint16be( pe.resources[i].offset ) == 0x535A )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/wiper_win_caddywiper.yar b/yara_rules/wiper_win_caddywiper.yar
new file mode 100644
index 0000000..b39762e
--- /dev/null
+++ b/yara_rules/wiper_win_caddywiper.yar
@@ -0,0 +1,38 @@
+import "pe"
+import "hash"
+        
+rule wiper_win_caddywiper {
+    meta:
+        id = "869d44ff-79fc-403d-a45d-d33712da5bd0"
+        version = "1.0"
+        description = "Detect CaddyWiper"
+        author = "Sekoia.io"
+        creation_date = "2022-03-15"
+        classification = "TLP:CLEAR"
+        hash1_upx = "b66b179eac03afafdc69f62c207819eceecfbf994c9efa464fda0d2ba44fe2d7"
+        hash1 = "ea6a416b320f32261da8dafcf2faf088924f99a3a84f7b43b964637ea87aef72"
+        hash2 = "a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea"
+        
+    strings:
+        $ = "NETAPI32.dll" ascii
+        $ = "DsRoleGetPrimaryDomainInformation" ascii
+        
+    condition:
+        uint16(0)==0x5A4D
+        and filesize > 5KB and filesize < 20KB
+        and pe.number_of_sections == 3
+        and pe.number_of_resources == 0
+        and all of them
+        
+        // Imphash
+        or pe.imphash() == "ea8609d4dad999f73ec4b6f8e7b28e55"
+        or pe.imphash() == "bae2d138abe43164fb5e95f313de3d14" //UPX
+        
+        // PE section
+        or for any i in (0..pe.number_of_sections-1) : (
+            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "f0d4c11521fc3891965534e6c52e128b"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "6be6e878d1e8fed277c5feaf60b57a19" //UPX
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "11f22fc72c3ca7dd6b874bda37c1fe82" //UPX
+        )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/wiper_win_dnwipe.yar b/yara_rules/wiper_win_dnwipe.yar
new file mode 100644
index 0000000..3ab672a
--- /dev/null
+++ b/yara_rules/wiper_win_dnwipe.yar
@@ -0,0 +1,27 @@
+import "pe"
+import "hash"
+        
+rule wiper_win_dnwipe {
+    meta:
+        id = "522fdaa5-8fe6-4e37-aaf8-13e3a7787d21"
+        version = "1.0"
+        description = "Detect the dnWipe malware"
+        author = "Sekoia.io"
+        creation_date = "2022-11-21"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "dnWIPE"
+        $ = "dnWIPE" wide
+        $ = "C:\\Users\\Admin1\\source\\repos\\dnWIPE\\dnWIPE\\obj\\Debug\\dnWIPE.pdb"
+        
+    condition:
+        // Strings
+        uint16(0)==0x5A4D and all of them and filesize < 50KB
+
+        // Resource
+        or for any i in (0..pe.number_of_resources-1) : (
+            hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "93290ef6447b0a16b92e50a1652ac3eb8f1237cc5f8005e080750fb58c19d230"
+        )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/wiper_win_isaacwiper.yar b/yara_rules/wiper_win_isaacwiper.yar
new file mode 100644
index 0000000..0742390
--- /dev/null
+++ b/yara_rules/wiper_win_isaacwiper.yar
@@ -0,0 +1,46 @@
+import "pe"
+import "hash"
+        
+rule wiper_win_isaacwiper {
+    meta:
+        id = "b081e3a3-612e-46ae-93af-82e7ee98fcf7"
+        version = "1.0"
+        description = "Detect the IsaacWiper using multiple methods + ReversingLab rule's condition"
+        author = "Sekoia.io"
+        creation_date = "2022-03-15"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $s1 = "getting drives..." wide
+        $s2 = "physical drives:" wide
+        $s3 = "-- system physical drive" wide
+        $s4 = "-- physical drive" wide
+        $s5 = "logical drives:" wide
+        $s6 = "-- system logical drive:" wide
+        $s7 = "-- logical drive:" wide
+        $s8 = "start erasing physical drives..." wide
+        $s9 = "-- FAILED" wide
+        $s10 = "-- start erasing logical drive" wide
+        $s11 = "start erasing system physical drive..." wide
+        $s12 = "system physical drive -- FAILED" wide
+        $s13 = "start erasing system logical drive" wide
+        
+    condition:
+        // Imphash
+        pe.imphash() == "a4b162717c197e11b76a4d9bc58ea25d"
+        
+        // Section hashs
+        or for any i in (0..pe.number_of_sections-1) : (
+            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "06d63fddf89fae3948764028712c36d6"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "48f101db632bb445c21a10fd5501e343"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "5efc98798d0979e69e2a667fc20e3f24"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "9676f7c827fb9388358aaba3e4bd0cc6"
+        )
+        
+        // Rich header
+        or hash.md5(pe.rich_signature.clear_data) == "ec862d3013903478c2ff8dce2792815f"
+        
+        // Strings
+        or all of ($s*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/wiper_win_nominatus_toxicbattery.yar b/yara_rules/wiper_win_nominatus_toxicbattery.yar
new file mode 100644
index 0000000..cd76c24
--- /dev/null
+++ b/yara_rules/wiper_win_nominatus_toxicbattery.yar
@@ -0,0 +1,43 @@
+import "pe"
+import "hash"
+        
+rule wiper_win_nominatus_toxicbattery {
+    meta:
+        id = "0262378f-f509-4ea4-a3eb-cd0183c4361d"
+        version = "1.0"
+        description = "Detect the Nominatus_ToxicBattery malware"
+        author = "Sekoia.io"
+        creation_date = "2022-11-21"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "DISK"
+        $ = "FileNaME"
+        $ = "FILNAME"
+        $ = "runCommand"
+        $ = "HAHAH"
+        $ = "Damage"
+        $ = "fastInfector"
+        $ = "d:\\again\\SharpDevelop Projects\\RInjector\\Virus.win32RozbehStrike\\obj\\Debug\\Nominatus_ToxicBattery.pdb"
+        $ = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" wide
+        $ = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" wide
+        $ = "\\Antivirus.bat" wide
+        $ = "\\Antivirus3.vbs" wide
+        $ = "vssadmin Delete Shadows /all /quiet" wide
+        
+    condition:
+        // Strings
+        uint16(0)==0x5A4D and 10 of them
+
+        // Sections
+        or for any i in (0..pe.number_of_sections-1) : (
+            hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "e7f35c173c34b7080d437a90ec90a982"
+            or hash.md5(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) == "2e25c5d3baba182f008a5a15c6f06403"
+        )
+
+        //Resource
+        or for any i in (0..pe.number_of_resources-1) : (
+            hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "70b1c002e4c0c9782c7ce1ef4a13c58ec1da54a26fd06dd7821a71f29431da82"
+        )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/wiper_win_ruransom.yar b/yara_rules/wiper_win_ruransom.yar
new file mode 100644
index 0000000..d8c135f
--- /dev/null
+++ b/yara_rules/wiper_win_ruransom.yar
@@ -0,0 +1,27 @@
+import "pe"
+import "hash"
+        
+rule wiper_win_ruransom {
+    meta:
+        id = "7bf3694b-c689-482f-88cd-b1f3b86bbc36"
+        version = "1.0"
+        description = "Detect the RURansom malware"
+        author = "Sekoia.io"
+        creation_date = "2022-11-21"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $ = "RURansom"
+        $ = "AesCrypter"
+        $ = "RURansom" wide
+        
+    condition:
+        // Strings
+        uint16(0)==0x5A4D and all of them
+        
+        // Resource
+        or for any i in (0..pe.number_of_resources-1) : (
+            hash.sha256(pe.resources[i].offset, pe.resources[i].length) == "e4b6b5b2b293d497ddf373ca9f7e97458328703d2769f451890ac48771c85070"
+        )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/xworm_dotnet_injector.yar b/yara_rules/xworm_dotnet_injector.yar
new file mode 100644
index 0000000..962ea96
--- /dev/null
+++ b/yara_rules/xworm_dotnet_injector.yar
@@ -0,0 +1,22 @@
+rule xworm_dotnet_injector {
+    meta:
+        id = "50581a9d-afc3-43da-9e34-3a553cbd01b4"
+        version = "1.0"
+        description = ".NET injector used by XWorm TA"
+        author = "Sekoia.io"
+        creation_date = "2022-12-02"
+        classification = "TLP:CLEAR"
+        
+    strings:
+        $first_payload = "jBGIcSr2fKhj1ZT2YNLBTcYYeAw/vWUT98dCA/H6hpI+dY+lkoSe1ATx7XEIXKtAdTSwl1PKhNROoxstXsnsHTZbS2ikRLv6lmHd5v09DltsPeXIOA789wZC8qR1OScJFohGxuWQSQ8K2TAFUQAntIFdX+Om1QZUARdDnb4f+P8VFucU9avWD75yK1IcTDDDEYwvm/rwUYTqWitcrfIY+aFcgQwyvEzkN7Pbsah4Kts+XmK0C3TzlnDd2mz6TdsPphGbBxcbBdZGMTyzunZUEKRYea7xM6u+az9v7m6a1G6vhsSqz4C/nleDmzL2dIVnVR6Ni6+0hlExcP" wide
+        $rijndael_key1 = { e5 a0 b1 e8 89 be e8 8e 8e e4 bb a3 e5 ba b5 e9 85 8d e7 89 b9 e6 b0 8f e5 85 8b e9 9b 99 e8 89 be e5 8b 92 e6 8b 89 e6 a1 83 e9 ad 9a e6 88 91 e6 96 af e6 a1 83 e5 ba 95 e5 be b7 }
+        $rijndael_key2 = { e7 9b 9f e7 91 aa e6 a1 83 e9 87 91 e5 90 89 e9 97 95 e5 a0 b1 e9 9b 99 e9 97 95 e5 96 ac e5 ba 95 e5 a0 b1 e5 be b7 e6 8b 89 e5 92 8c e7 a0 b4 e7 88 be e9 a6 ac e6 88 91 e5 8a a0 }
+        $rijndael_key3 = { e6 9b b2 e6 b0 8f e5 ba b5 e5 a3 ab e9 97 95 e5 be b7 e6 96 af e8 9b 8b }
+        $s1 = "fullofdick"
+        $s2 = "holdmeback"
+        $s3 = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe" wide
+        
+    condition:
+        ($first_payload  and all of ($rijndael_key*)) or 2 of ($s*)
+}
+        
\ No newline at end of file
diff --git a/yara_rules/yara_runascs.yar b/yara_rules/yara_runascs.yar
new file mode 100644
index 0000000..4dce828
--- /dev/null
+++ b/yara_rules/yara_runascs.yar
@@ -0,0 +1,34 @@
+import "pe"
+        
+rule yara_runascs {
+    meta:
+        id = "1720f042-2cc6-4ef1-b66c-fe8a4214366a"
+        version = "1.0"
+        author = "Sekoia.io"
+        creation_date = "2023-08-23"
+        classification = "TLP:CLEAR"
+        author = "Sekoia.io"
+        
+    strings:
+        $s1 = "RunasCs" ascii wide
+        $s2 = "LOGON32_LOGON_INTERACTIVE" ascii wide
+        $s3 = "LOGON32_LOGON_NETWORK" ascii wide
+        $s4 = "LOGON32_LOGON_BATCH" ascii wide
+        $s5 = "LOGON32_LOGON_SERVICE" ascii wide
+        $s6 = "dwLogonProvider" ascii wide
+        $s7 = "LogonUser" ascii wide
+        $s8 = "CreateProcessAsUser" ascii wide
+        
+    condition:
+        (uint32be(0) == 0x7f454c46 or uint16be(0) == 0x4d5a) and
+        filesize < 4MB and
+        all of them and
+        not (
+            pe.version_info["OriginalFilename"] == "Atera.AgentPackages.CommonLib.dll" and
+            for any sig in pe.signatures: (
+                sig.subject contains "CN=Atera Networks Ltd" and
+                sig.issuer contains "CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1"
+            )
+        )
+}
+        
\ No newline at end of file
diff --git a/yara_rules/zip_win_abcloader.yar b/yara_rules/zip_win_abcloader.yar
new file mode 100644
index 0000000..97bf492
--- /dev/null
+++ b/yara_rules/zip_win_abcloader.yar
@@ -0,0 +1,18 @@
+rule zip_win_abcloader {
+    meta:
+        id = "0d14b34a-9095-48fa-b616-4e8239f3b547"
+        version = "1.0"
+        description = "Use the CRC32 to detect a zip containing the doc file used to drop and launch ABCloader"
+        author = "Sekoia.io"
+        creation_date = "2024-08-19"
+        classification = "TLP:CLEAR"
+        hash = "0c7d8e611781b29e15df415640858294"
+        
+    strings:
+        $crc = {32 56 27 e2}
+        $name = "iden.doc"
+        
+    condition:
+        $name at @crc[1] + 16
+}
+        
\ No newline at end of file