{
  "Event": {
    "analysis": "1",
    "date": "2026-03-19",
    "extends_uuid": "",
    "info": "[Threat Intel] The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors",
    "protected": false,
    "publish_timestamp": "1774245900",
    "published": true,
    "threat_level_id": "1",
    "timestamp": "1774245900",
    "uuid": "d5edae47-6ecd-4d6d-b218-73ffcdb26740",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#6e57da",
        "local": false,
        "name": "misp-galaxy:producer=\"Mandiant\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#f8140a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Management Instrumentation - T1047\"",
        "relationship_type": ""
      },
      {
        "colour": "#8ee8d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\"",
        "relationship_type": ""
      },
      {
        "colour": "#e7d48a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Owner/User Discovery - T1033\"",
        "relationship_type": ""
      },
      {
        "colour": "#72ee33",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#d3f567",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"JavaScript - T1059.007\"",
        "relationship_type": ""
      },
      {
        "colour": "#8b05c0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Audio Capture - T1123\"",
        "relationship_type": ""
      },
      {
        "colour": "#0ec9f4",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Peripheral Device Discovery - T1120\"",
        "relationship_type": ""
      },
      {
        "colour": "#029dd6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Software Extensions - T1176\"",
        "relationship_type": ""
      },
      {
        "colour": "#68f2ff",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"",
        "relationship_type": ""
      },
      {
        "colour": "#9feaf0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"",
        "relationship_type": ""
      },
      {
        "colour": "#423494",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify System Firewall - T1562.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c0051",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#62f4c1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"",
        "relationship_type": ""
      },
      {
        "colour": "#6d779a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exploitation for Privilege Escalation - T1068\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#0aebeb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exploitation for Client Execution - T1203\"",
        "relationship_type": ""
      },
      {
        "colour": "#e12cbc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Non-Application Layer Protocol - T1095\"",
        "relationship_type": ""
      },
      {
        "colour": "#3c0f50",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Software Packing - T1027.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#5884a7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious Link - T1204.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Malaysia\"",
        "relationship_type": ""
      },
      {
        "colour": "#3b9849",
        "local": false,
        "name": "misp-galaxy:target-information=\"Saudi Arabia\"",
        "relationship_type": ""
      },
      {
        "colour": "#e4d611",
        "local": false,
        "name": "misp-galaxy:target-information=\"Ukraine\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"vulnerability\"",
        "relationship_type": ""
      },
      {
        "colour": "#150052",
        "local": false,
        "name": "rectifyq:sub-category=\"zero-day\"",
        "relationship_type": ""
      },
      {
        "colour": "#170059",
        "local": false,
        "name": "rectifyq:topic=\"mobile-attack\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"State-Sponsored\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#dd2e44",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Turkey\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:country=\"russia\"",
        "relationship_type": ""
      },
      {
        "colour": "#3500ca",
        "local": false,
        "name": "rectifyq:detection-rules=\"yara-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3a00dd",
        "local": false,
        "name": "rectifyq:action-taken=\"diamond-model\"",
        "relationship_type": ""
      },
      {
        "colour": "#3a00e0",
        "local": false,
        "name": "rectifyq:action-taken=\"x\"",
        "relationship_type": ""
      },
      {
        "colour": "#3b00e2",
        "local": false,
        "name": "rectifyq:action-taken=\"linkedin\"",
        "relationship_type": ""
      },
      {
        "colour": "#3b00e5",
        "local": false,
        "name": "rectifyq:action-taken=\"tiktok\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773889215",
        "to_ids": false,
        "type": "link",
        "uuid": "12265108-c0b3-46a3-8141-6c2bfdf18535",
        "value": "https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773889215",
        "to_ids": false,
        "type": "text",
        "uuid": "9f358ac1-0956-4256-9536-afd1038224e8",
        "value": "Google Threat Intelligence Group has identified a new iOS full-chain exploit called DarkSword, which leverages multiple zero-day vulnerabilities to compromise devices running iOS 18.4 through 18.7. Since November 2025, multiple commercial surveillance vendors and suspected state-sponsored actors have been observed using DarkSword in campaigns targeting users in Saudi Arabia, Turkey, Malaysia, and Ukraine. The exploit chain utilizes six different vulnerabilities to deploy final-stage payloads, including three distinct malware families: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. The proliferation of DarkSword across various threat actors mirrors the previously discovered Coruna iOS exploit kit. Notable users include UNC6353, a suspected Russian espionage group, which has incorporated DarkSword into their watering hole campaigns targeting Ukrainian websites."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773889215",
        "to_ids": false,
        "type": "text",
        "uuid": "1e510a0f-5355-4019-b9c9-796fa8730aec",
        "value": "Name: The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors\nAuthor: AlienVault\nAdversary: \nTags: [\"cve-2025-43510\", \"state-sponsored\", \"coruna\", \"ghostsaber\", \"ios\", \"commercial surveillance\", \"cve-2025-43520\", \"cve-2026-20700\", \"ghostblade\", \"zero-day\", \"darksword\", \"cve-2025-31277\", \"watering hole\", \"exploit chain\", \"cve-2025-43529\", \"cve-2025-14174\", \"ghostknife\"]\nTgtd countries: [\"Malaysia\", \"Saudi Arabia\", \"Ukraine\"]\nMlwr families: [\"GHOSTBLADE\", \"GHOSTKNIFE\", \"GHOSTSABER\"]\nAttack_ids: [\"T1047\", \"T1113\", \"T1033\", \"T1056.001\", \"T1059.007\", \"T1123\", \"T1120\", \"T1176\", \"T1005\", \"T1190\", \"T1562.004\", \"T1083\", \"T1057\", \"T1068\", \"T1027\", \"T1203\", \"T1095\", \"T1027.002\", \"T1204.001\"]\nIndustries: [\"Government\"]"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773889215",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "4d010aee-b4e1-4ab4-ab4d-7560d8d2102d",
        "value": "CVE-2025-14174"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773889215",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "b312a4f5-8f71-4f4a-bb66-69c7ece7b4f9",
        "value": "CVE-2025-31277"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773889215",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "b35abc83-67cf-46c2-befa-94afdc903729",
        "value": "CVE-2025-43510"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773889215",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "2d73e57e-5a8c-4c1f-9399-bd053b607455",
        "value": "CVE-2025-43520"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773889215",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "fb915b2c-02ec-4822-b9ac-2b8dd0510e27",
        "value": "CVE-2025-43529"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773889215",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "9d1c5155-8560-4f72-91e5-4f29fd18d261",
        "value": "CVE-2026-20700"
      },
      {
        "category": "Network activity",
        "comment": "DarkSword delivery used in Saudi Arabia",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774240327",
        "to_ids": true,
        "type": "url",
        "uuid": "55d7d39d-40af-47e0-b52c-f03817ff9cf8",
        "value": "https://snapshare.chat/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Path on static.cdncounter.net, the DarkSword delivery host used in the Ukraine watering-hole campaign",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774240349",
        "to_ids": true,
        "type": "url",
        "uuid": "54e50fc6-3da6-4fb9-86ee-a065f4aa2783",
        "value": "https://static.cdncounter.net/assets/index.html",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Malicious script tag used by UNC6353 (March 2026)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774240371",
        "to_ids": true,
        "type": "url",
        "uuid": "d52bb119-c346-4e84-81d3-b835b736d5a7",
        "value": "https://static.cdncounter.net/widgets.js?uhfiu27fajf2948fjfefaa42",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:23/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774235077",
        "to_ids": true,
        "type": "sha1",
        "uuid": "846ed9de-89cb-4752-9553-432a266bd96f",
        "value": "0afa88a4dde47b4ad21dc1de87293814fc51499c",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:23/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774235079",
        "to_ids": true,
        "type": "sha1",
        "uuid": "62e898ff-8930-4be0-bb90-dedf1e36b491",
        "value": "bac0e0ef16c3c657967bd2155ba6d8a6ef1df6a7",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:23/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774235081",
        "to_ids": true,
        "type": "sha1",
        "uuid": "ae33838b-a0da-4b7d-9192-b9dfe0b56027",
        "value": "d2f1ea6229a205b693508c39f654dd8e3475763c",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:23/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774235082",
        "to_ids": true,
        "type": "sha1",
        "uuid": "7cfc524e-2430-4e89-b532-bace73c79258",
        "value": "f4bc68581c02d6f390a8a56ff1c5d04e002afb39",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "DarkSword delivery used in Turkey",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774240393",
        "to_ids": true,
        "type": "domain",
        "uuid": "199ad6ea-9d0a-42a5-8a06-9b7823f47413",
        "value": "sahibndn.io",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "DarkSword delivery used in Saudi Arabia",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774240415",
        "to_ids": true,
        "type": "domain",
        "uuid": "4e9b772f-0d9b-4009-9d82-b59f06f1ce3d",
        "value": "snapshare.chat",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "DarkSword delivery used in Malaysia",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774240436",
        "to_ids": true,
        "type": "hostname",
        "uuid": "31e65141-8a51-4597-9568-be584de13138",
        "value": "e5.malaymoil.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "GHOSTBLADE exfiltration server",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774240458",
        "to_ids": true,
        "type": "hostname",
        "uuid": "d1a3cd12-ac01-4a05-9419-d017aa59b1c6",
        "value": "sqwas.shapelie.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "DarkSword delivery via watering holes in Ukraine",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774240480",
        "to_ids": true,
        "type": "hostname",
        "uuid": "562ccfb2-16b4-4699-ab35-d8b5c6a1de16",
        "value": "static.cdncounter.net",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Attribution",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774230794",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "0e1e864c-3c47-4565-863f-3654e8704299",
        "value": "UNC6353"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774230998",
        "to_ids": false,
        "type": "link",
        "uuid": "9c94ef54-b8bc-4deb-8687-76884df0e1fb",
        "value": "https://www.lookout.com/threat-intelligence/article/darksword"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774231022",
        "to_ids": false,
        "type": "link",
        "uuid": "62f81844-a97f-4a59-814e-5bdcb075bf85",
        "value": "https://iverify.io/blog/darksword-ios-exploit-kit-explained"
      },
      {
        "category": "Network activity",
        "comment": "GHOSTKNIFE C2 server (November 2025)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774240505",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "0e2c4b25-f0db-4ea7-918a-0b8c55bb03ba",
        "value": "62.72.21.10",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "GHOSTKNIFE C2 server (November 2025)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774240528",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "4d50de2a-ca2c-4a2b-b234-27f3083151c1",
        "value": "72.60.98.48",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Watering hole - legitimate Ukrainian site compromised by UNC6353 for DarkSword delivery. Victim infrastructure: hunt for visits from managed iOS devices rather than blocking the site outright",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774240551",
        "to_ids": true,
        "type": "hostname",
        "uuid": "c00ea33b-33e6-4f83-9f70-986560f74769",
        "value": "7aac.gov.ua",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Watering hole - legitimate Ukrainian site compromised by UNC6353 for DarkSword delivery. Victim infrastructure: hunt for visits from managed iOS devices rather than blocking the site outright",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774240572",
        "to_ids": true,
        "type": "hostname",
        "uuid": "dd738972-d28f-47da-a216-98d8bdcc4b08",
        "value": "novosti.dn.ua",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Parent domain of static.cdncounter.net (DarkSword delivery host, UNC6353 Ukraine watering-hole campaign)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774240594",
        "to_ids": true,
        "type": "domain",
        "uuid": "0ae2f3e7-3b05-4d16-a222-009744db714c",
        "value": "cdncounter.net",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774240616",
        "to_ids": true,
        "type": "hostname",
        "uuid": "042bf04a-1ea7-46e3-8641-849246046196",
        "value": "cdn.cdncounter.net",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774240638",
        "to_ids": true,
        "type": "hostname",
        "uuid": "447a94d5-00c1-462d-a8c5-585b308cd702",
        "value": "count.cdncounter.net",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774240661",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "01028381-db9c-4e49-ad7b-58898f331aae",
        "value": "141.105.130.237",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Netblock containing the GHOSTKNIFE C2 IP 62.72.21.10 (62.72.0.0-62.72.31.255, 8192 addresses). Too broad for blocking or IDS matching - to_ids=true on this range will cause false positives; enrichment also failed (NotFoundError). Keep for pivoting/enrichment only",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774240682",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "f41aefee-3b89-4344-861d-ab1c41feec8d",
        "value": "62.72.0.0/19",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Netblock containing the GHOSTKNIFE C2 IP 72.60.98.48 (72.60.0.0-72.61.255.255, 131072 addresses). Far too broad for blocking or IDS matching - to_ids=true on this range will cause false positives; enrichment also failed (NotFoundError). Keep for pivoting/enrichment only",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774240704",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "ddc7b913-43eb-4c90-ab14-361125120624",
        "value": "72.60.0.0/15",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "diamond-model",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774240927",
        "to_ids": false,
        "type": "comment",
        "uuid": "d817e2ea-9a52-4046-8cc5-e513b7c1eafc",
        "value": "https://raw.githubusercontent.com/rectifyq/Collections/refs/heads/main/Diamond-Models/2026/260319-DarkSword/9.png"
      },
      {
        "category": "Other",
        "comment": "diamond-model",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774240927",
        "to_ids": false,
        "type": "comment",
        "uuid": "7861738f-7984-4be2-86c0-61c81422b920",
        "value": "https://raw.githubusercontent.com/rectifyq/Collections/refs/heads/main/Diamond-Models/2026/260319-DarkSword/10.png"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1774231537",
        "uuid": "824b495d-56cc-4a86-ab30-57d6f2040705",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1774231537",
            "to_ids": false,
            "type": "text",
            "uuid": "fc701f5e-a4d2-41a6-8042-8f858c36647d",
            "value": "G_Backdoor_GHOSTKNIFE_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1774231537",
            "to_ids": false,
            "type": "comment",
            "uuid": "126668c2-bf26-433d-ac9d-599cd267b4fe",
            "value": "G_Backdoor_GHOSTKNIFE_1"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1774231537",
            "to_ids": true,
            "type": "yara",
            "uuid": "2d4520fb-7251-4344-9bba-059d283b9094",
            "value": "rule G_Backdoor_GHOSTKNIFE_1 {\r\n\tmeta:\r\n\t\tauthor = \"Google Threat Intelligence Group (GTIG)\"\r\n\tstrings:\r\n\t\t$ = \"server_pub_ex\"\r\n\t\t$ = \"client_pri_ds\"\r\n\t\t$ = \"getfilebyExtention\"\r\n\t\t$ = \"getContOfFilesForModule\"\r\n\t\t$ = \"carPlayConnectionState\"\r\n\t\t$ = \"saveRecordingApp\"\r\n\t\t$ = \"getLastItemBack\"\r\n\t\t$ = \"the inherted class\"\r\n\t\t$ = \"passExtetion\"\r\n\tcondition:\r\n\t\tfilesize < 10MB and not (uint16be(0) == 0x504b or uint32be(0) == 0x6465780a or uint16be(0) == 0x4d5a or uint32be(0) == 0x377abcaf) and 4 of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1774231553",
        "uuid": "b4f6f464-006e-46a9-bdcf-603cfbd6490e",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1774231553",
            "to_ids": false,
            "type": "text",
            "uuid": "eb06e1da-90bf-4aad-83b6-5017561afdc0",
            "value": "G_Backdoor_GHOSTSABER_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1774231553",
            "to_ids": false,
            "type": "comment",
            "uuid": "9c492f51-9c48-4009-bfa2-cc357e521e00",
            "value": "G_Backdoor_GHOSTSABER_1"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1774231553",
            "to_ids": true,
            "type": "yara",
            "uuid": "d222674b-5e8b-47e6-920b-ea82caff728e",
            "value": "rule G_Backdoor_GHOSTSABER_1 {\r\n\tmeta:\r\n\t\tauthor = \"Google Threat Intelligence Group (GTIG)\"\r\n\tstrings:\r\n\t\t$ = \"sendDeviceInfoJson\"\r\n\t\t$ = \"merge2AppLists\"\r\n\t\t$ = \"send_command_to_upper_process\"\r\n\t\t$ = \"ChangeStatusCheckSleepInterval\"\r\n\t\t$ = \"SendRegEx\"\r\n\t\t$ = \"evalJsResponse.json\"\r\n\t\t$ = \"sendSimpleUploadJsonObject\"\r\n\t\t$ = \"device_info_all\"\r\n\t\t$ = \"getPayloadForSimpleStatusRequest\"\r\n\tcondition:\r\n\t\tfilesize < 10MB and not (uint16be(0) == 0x504b or uint32be(0) == 0x6465780a or uint16be(0) == 0x4d5a or uint32be(0) == 0x377abcaf) and 4 of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1774231568",
        "uuid": "7cc94be9-af62-4a58-b072-c5f11bd40921",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1774231568",
            "to_ids": false,
            "type": "text",
            "uuid": "ec671a47-f8c1-4bcb-9b4e-199ae7ad50eb",
            "value": "G_Datamine_GHOSTBLADE_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1774231568",
            "to_ids": false,
            "type": "comment",
            "uuid": "f267566e-1d10-4620-8b5d-12902913d532",
            "value": "G_Datamine_GHOSTBLADE_1"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1774231568",
            "to_ids": true,
            "type": "yara",
            "uuid": "49da45ff-645b-4e5c-8d82-db42f6ccc507",
            "value": "rule G_Datamine_GHOSTBLADE_1 {\r\n\tmeta:\r\n\t\tauthor = \"Google Threat Intelligence Group (GTIG)\"\r\n\tstrings:\r\n\t\t$ = \"/private/var/tmp/wifi_passwords.txt\"\r\n\t\t$ = \"/private/var/tmp/wifi_passwords_securityd.txt\"\r\n\t\t$ = \"/.com.apple.mobile_container_manager.metadata.plist\" fullword\r\n\t\t$ = \"X-Device-UUID: ${\"\r\n\t\t$ = \"/installed_apps.txt\" fullword\r\n\t\t$ = \"icloud_dump_\" fullword\r\n\tcondition:\r\n\t\tfilesize < 10MB and not (uint16be(0) == 0x504b or uint32be(0) == 0x6465780a or uint16be(0) == 0x4d5a or uint32be(0) == 0x377abcaf) and 3 of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1774231585",
        "uuid": "1bafca84-385a-464a-873c-a002f719888c",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1774231585",
            "to_ids": false,
            "type": "text",
            "uuid": "861fcb5a-6d16-45e4-90df-5e5bf5056e22",
            "value": "G_Hunting_DarkSwordExploitChain_ImplantLib_FilePaths_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1774231585",
            "to_ids": false,
            "type": "comment",
            "uuid": "cc73f0fa-0746-4f06-bf31-c1661e9bd4a4",
            "value": "G_Hunting_DarkSwordExploitChain_ImplantLib_FilePaths_1"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1774231585",
            "to_ids": true,
            "type": "yara",
            "uuid": "e66698d1-feca-45a5-9ea3-d2909f086748",
            "value": "rule G_Hunting_DarkSwordExploitChain_ImplantLib_FilePaths_1 {\r\n\tmeta:\r\n\t\tauthor = \"Google Threat Intelligence Group (GTIG)\"\r\n\tstrings:\r\n\t\t$ = \"src/InjectJS.js\"\r\n\t\t$ = \"src/libs/Chain/Chain.js\"\r\n\t\t$ = \"src/libs/Chain/Native.js\"\r\n\t\t$ = \"src/libs/Chain/OffsetsStruct.js\"\r\n\t\t$ = \"src/libs/Driver/Driver.js\"\r\n\t\t$ = \"src/libs/Driver/DriverNewThread.js\"\r\n\t\t$ = \"src/libs/Driver/Offsets.js\"\r\n\t\t$ = \"src/libs/Driver/OffsetsTable.js\"\r\n\t\t$ = \"src/libs/JSUtils/FileUtils.js\"\r\n\t\t$ = \"src/libs/JSUtils/Logger.js\"\r\n\t\t$ = \"src/libs/JSUtils/Utils.js\"\r\n\t\t$ = \"src/libs/TaskRop/Exception.js\"\r\n\t\t$ = \"src/libs/TaskRop/ExceptionMessageStruct.js\"\r\n\t\t$ = \"src/libs/TaskRop/ExceptionReplyStruct.js\"\r\n\t\t$ = \"src/libs/TaskRop/MachMsgHeaderStruct.js\"\r\n\t\t$ = \"src/libs/TaskRop/PAC.js\"\r\n\t\t$ = \"src/libs/TaskRop/PortRightInserter.js\"\r\n\t\t$ = \"src/libs/TaskRop/RegistersStruct.js\"\r\n\t\t$ = \"src/libs/TaskRop/RemoteCall.js\"\r\n\t\t$ = \"src/libs/TaskRop/Sandbox.js\"\r\n\t\t$ = \"src/libs/TaskRop/SelfTaskStruct.js\"\r\n\t\t$ = \"src/libs/TaskRop/Task.js\"\r\n\t\t$ = \"src/libs/TaskRop/TaskRop.js\"\r\n\t\t$ = \"src/libs/TaskRop/Thread.js\"\r\n\t\t$ = \"src/libs/TaskRop/ThreadState.js\"\r\n\t\t$ = \"src/libs/TaskRop/VM.js\"\r\n\t\t$ = \"src/libs/TaskRop/VmMapEntry.js\"\r\n\t\t$ = \"src/libs/TaskRop/VMObject.js\"\r\n\t\t$ = \"src/libs/TaskRop/VmPackingParams.js\"\r\n\t\t$ = \"src/libs/TaskRop/VMShmem.js\"\r\n\t\t$ = \"src/MigFilterBypassThread.js\"\r\n\tcondition:\r\n\t\tany of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1774240726",
        "uuid": "714e8f53-fe8b-4fda-8b13-5dcb1013c450",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Extracted GHOSTBLADE sample",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1774240726",
            "to_ids": true,
            "type": "md5",
            "uuid": "24350d2a-4311-4658-8fd7-adaf04abc53a",
            "value": "c0dc67a629b840bdccc821ff79b88c2c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Extracted GHOSTBLADE sample",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1774235075",
            "to_ids": true,
            "type": "sha1",
            "uuid": "a609877f-5537-4604-b033-4a3f1cb52d7a",
            "value": "69cc60a53b6d1f3c726918777fe7f2c5696f3ef6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Extracted GHOSTBLADE sample",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1774235075",
            "to_ids": true,
            "type": "sha256",
            "uuid": "afafd392-ec5f-4099-9791-c56f2828f206",
            "value": "2e5a56beb63f21d9347310412ae6efb29fd3db2d3a3fc0798865a29a3c578d35",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1774233319",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "a4b93959-d206-4997-b709-e9d049369b94",
            "value": "3072:SzkhdX0lVOwOjZbFkAmgH2lR9rGidRWiFU8MfsYutcSTwXtlaEnUxsX7XztXOnYA:Sg0GidRI07GSTwdwEnNm1Znf00VNzwTK"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1774233319",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "f4d37175-b2b6-4608-859e-318df1fc478e",
            "value": "562332"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1774233319",
            "to_ids": true,
            "type": "vhash",
            "uuid": "2aafe69c-4ddd-4b8a-9b28-d13d93fd6d48",
            "value": "51baf2e12fbf6c86c9bb705a99dfa55b"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1774233319",
            "to_ids": true,
            "type": "filename",
            "uuid": "2b2cd901-868a-4186-b87c-a9aaa3d05c31",
            "value": "ghostblade.js"
          },
          {
            "category": "Other",
            "comment": "Checked: 23/03/2026\nLast scan: 22/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1774233319",
            "to_ids": false,
            "type": "text",
            "uuid": "3cd2f44c-8b22-4e1d-9fc5-fcc440348fd7",
            "value": "Extracted GHOSTBLADE sample\nType Description: JavaScript\nMicrosoft: Trojan:Win32/Ravartar!rfn\nVT Total Detection: 21/62\nFirst Submission: 2026-03-18T13:52:19.000000+00:00\nLast Submission: 2026-03-22T15:08:07.000000+00:00"
          }
        ]
      }
    ]
  }
}