decoderloop/rust-malware-gallery
A systematically organized gallery of malware written in Rust, providing reverse engineers with practice samples and an index of technical articles.
# 🦀💮 Rust Malware Gallery

_[Hokusai - Crab and Flowers](https://harvardartmuseums.org/collections/object/100101)_
## About
This page is intended to collect and showcase malware written in the Rust programming language, providing malware reverse engineers with a set of samples for practising reverse engineering of Rust binaries. With the emergence of high-impact ransomware families such as BlackCat, malware written in Rust is rapidly becoming a serious problem. However, knowledge within the malware reverse engineering community about how to reverse Rust binaries is still very scarce.
I have collected at least one publicly available sample for each family. Exact identification of malware families is difficult, and I am not personally familiar with every malware family listed here, so I have tried to stick to the sample hashes mentioned directly in the linked reports. For every sample mentioned, a download link to [Malware Bazaar](https://bazaar.abuse.ch) or [MalShare](https://malshare.com/) is provided; neither site requires an account to download samples.
This page is not intended to comprehensively track the evolution of these malware families, or to collect every article about a given family. What I have tried to collect are articles that are technical, or that highlight something novel or interesting about the family. The focus is also on malware observed in the wild, so red team tools written in Rust are not listed here unless an independent party has found them being used in the wild.
This repository is maintained by Cindy Xiao @ [Decoder Loop](https://decoderloop.com). (Before 2025-12-15, this repository lived at `github.com/cxiao/decoderloop`.)
If you would like to contribute, or find something that should be changed, please submit a Pull Request to [this GitHub repository](https://github.com/decoderloop/rust-malware-gallery/pulls). Alternatively, you can [contact](https://decoderloop.com/contact/) me directly.
_Interested in learning how to analyze Rust malware? At Decoder Loop, we offer professional training on reverse engineering Rust binaries. You can find out more about our upcoming training at [decoderloop.com](https://decoderloop.com)._
## 01flip
### Articles
- [2025-12-10 - Palo Alto Networks - 01flip: Multi-Platform Ransomware Written in Rust](https://unit42.paloaltonetworks.com/new-ransomware-01flip-written-in-rust/)
### Samples
| SHA-256 Hash | Download Link |
| --- | --- |
| `e5834b7bdd70ec904470d541713e38fe933e96a4e49f80dbfb25148d9674f957` | [MalwareBazaar](https://bazaar.abuse.ch/sample/e5834b7bdd70ec904470d541713e38fe933e96a4e49f80dbfb25148d9674f957/) |
## Agenda Ransomware
### Aliases
Qilin, AgendaCrypt
### Articles
- [2022-12-16 - Trend Micro - Agenda Ransomware Uses Rust to Target More Vital Industries](https://www.trendmicro.com/en_us/research/22/l/agenda-ransomware-uses-rust-to-target-more-vital-industries.html)
### Malpedia
- [win.agendacrypt](https://malpedia.caad.fkie.fraunhofer.de/details/win.agendacrypt)
### Samples
| SHA-256 Hash | Download Link |
| --- | --- |
| `e90bdaaf5f9ca900133b699f18e4062562148169b29cb4eb37a0577388c22527` | [MalwareBazaar](https://bazaar.abuse.ch/sample/e90bdaaf5f9ca900133b699f18e4062562148169b29cb4eb37a0577388c22527/) |
## Akira Ransomware (Rust "Akira v2" variant)
### Articles
- [2024-10-21 - Cisco - Akira ransomware continues to evolve](https://blog.talosintelligence.com/akira-ransomware-continues-to-evolve/)
- [2024-12-03 - Check Point - Inside Akira Ransomware's Rust Experiment](https://research.checkpoint.com/2024/inside-akira-ransomwares-rust-experiment/)
### Malpedia
- [elf.akira](https://malpedia.caad.fkie.fraunhofer.de/details/elf.akira)
### Samples
| SHA-256 Hash | Download Link |
| --- | --- |
| `0ee1d284ed663073872012c7bde7fac5ca1121403f1a5d2d5411317df282796c` | [MalwareBazaar](https://bazaar.abuse.ch/sample/0ee1d284ed663073872012c7bde7fac5ca1121403f1a5d2d5411317df282796c/) |
## Akira Ransomware (Rust "Megazord" variant)
### Articles
- [2024-10-21 - Cisco - Akira ransomware continues to evolve](https://blog.talosintelligence.com/akira-ransomware-continues-to-evolve/)
- [2024-12-02 - Palo Alto - Threat Assessment: Howling Scorpius (Akira Ransomware)](https://unit42.paloaltonetworks.com/threat-assessment-howling-scorpius-akira-ransomware/)
### Malpedia
### Samples
| SHA-256 Hash | Download Link |
| --- | --- |
| `28cea00267fa30fb63e80a3c3b193bd9cd2a3d46dd9ae6cede5f932ac15c7e2e` | [MalwareBazaar](https://bazaar.abuse.ch/sample/28cea00267fa30fb63e80a3c3b193bd9cd2a3d46dd9ae6cede5f932ac15c7e2e/) |
| `131da83b521f610819141d5c740313ce46578374abb22ef504a7593955a65f07` | [MalwareBazaar](https://bazaar.abuse.ch/sample/131da83b521f610819141d5c740313ce46578374abb22ef504a7593955a65f07/) |
## AsyncRAT (Rust variant)
### Articles
- [2025-05-26 - G DATA - Reborn in Rust: AsyncRAT](https://www.gdatasoftware.com/blog/2025/05/38207-asyncrat-rust)
### Samples
| SHA-256 Hash | Download Link |
| --- | --- |
| `eb12c198fc1b6ec79ea4b457988db4478ee6bc9aca128aa24a85b76a57add459` | [MalwareBazaar](https://bazaar.abuse.ch/sample/eb12c198fc1b6ec79ea4b457988db4478ee6bc9aca128aa24a85b76a57add459/) |
### Notes
Note that there is an open-source project named "Async Rust RAT"; however, its source code does not match the strings and panic metadata inside the sample `eb12c198fc1b6ec79ea4b457988db4478ee6bc9aca128aa24a85b76a57add459` described in the G DATA report.
## Banshee (Rust variant)
### Articles
- [2025-01-31 - Kandji - Banshee Rust Rewrite?](https://the-sequence.com/banshee-rust-rewrite)
### Samples
| SHA-256 Hash | Download Link |
| --- | --- |
| `dea72cdd7c9dfc49f0a19581086c8e6e99b000dc33f461ece8b9f37c1bd7068d` | [MalwareBazaar](https://bazaar.abuse.ch/sample/dea72cdd7c9dfc49f0a19581086c8e6e99b000dc33f461ece8b9f37c1bd7068d/) |
## BlackCat Ransomware
### Aliases
ALPHV, Noberus
### Articles
- [2022-01-26 - Varonis - BlackCat Ransomware (ALPHV)](https://www.varonis.com/blog/blackcat-ransomware)
### Malpedia
- [win.blackcat](https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcat)
- [elf.blackcat](https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackcat)
### Samples
| SHA-256 Hash | Download Link |
| --- | --- |
| `3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83` | [MalwareBazaar](https://bazaar.abuse.ch/sample/3d7cf20ca6476e14e0a026f9bdd8ff1f26995cdc5854c3adb41a6135ef11ba83/) |
## BlackCat Ransomware
### Aliases
ALPHV Sphynx
### Articles
- [2023-05-30 - IBM X-Force - BlackCat (ALPHV) ransomware levels up for stealth, speed and exfiltration](https://securityintelligence.com/x-force/blackcat-ransomware-levels-up-stealth-speed-exfiltration/)
### Malpedia
- [win.blackcat](https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcat)
- [elf.blackcat](https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackcat)
### Samples
| SHA-256 Hash | Download Link |
| --- | --- |
| `c0e70e69d8f7432383fa37528cd42db764b73dd08eb75d72229c2a0d02e538cc` | [MalwareBazaar](https://bazaar.abuse.ch/sample/c0e70e69d8f7432383fa37528cd42db764b73dd08eb75d72229c2a0d02e538cc/) |
## CargoBay
### Articles
- [2022-11-29 - IBM X-Force - CargoBay BlackHat Backdoor Analysis Report (IRIS-14738)](https://exchange.xforce.ibmcloud.com/malware-analysis/guid:87abff769352d8208e403331c86eb95f) (mostly paywalled)
- 2023-02-17 - BushidoToken - Tweet thread on Rust malware tentatively identified as CargoBay [1](https://twitter.com/BushidoToken/status/1626538453989990402) [2](https://twitter.com/BushidoToken/status/1626538456859004928) [3](https://twitter.com/BushidoToken/status/1626538458427670529) [4](https://twitter.com/BushidoToken/status/1626538460243808256) [5](https://twitter.com/BushidoToken/status/1626538461908897793)
### Malpedia
- [win.cargobay](https://malpedia.caad.fkie.fraunhofer.de/details/win.cargobay)
### Samples
| SHA-256 Hash | Download Link |
| --- | --- |
| `a963a8a8e1583081daa43638744eef6c410d1a410c11eb9413da15a26e802de5` | [MalwareBazaar](https://bazaar.abuse.ch/sample/a963a8a8e1583081daa43638744eef6c410d1a410c11eb9413da15a26e802de5/) |
### Notes
It is difficult to identify _CargoBay_ samples with certainty, as public information about it is limited. According to the public portion of the 2022-11-29 IBM X-Force report, the source code of _CargoBay_ is based on the source code of the book _Black Hat Rust_: https://github.com/skerkour/black-hat-rust
## ChaosBot
### Articles
- [2025-10-09 - eSentire - New Rust Malware "ChaosBot" Uses Discord for Command and Control](https://www.esentire.com/blog/new-rust-malware-chaosbot-uses-discord-for-command-and-control)
### Samples
| SHA-256 Hash | Download Link |
| --- | --- |
| `4d5f3690cdff840ceba70c1b1630ceadd0d3dcf23c8e0add0257cba2f166f5e6` | [MalwareBazaar](https://bazaar.abuse.ch/sample/4d5f3690cdff840ceba70c1b1630ceadd0d3dcf23c8e0add0257cba2f166f5e6/) |
| `cdc73afb92617d9e2e0b6f2f22587f5f57316250a25b7bb8477a80628703e7b7` | [MalwareBazaar](https://bazaar.abuse.ch/sample/cdc73afb92617d9e2e0b6f2f22587f5f57316250a25b7bb8477a80628703e7b7/) |
## Cicada3301 Ransomware
### Articles
- [2024-08-30 - TrueSec - Dissecting the Cicada](https://www.truesec.com/hub/blog/dissecting-the-cicada)
- [2024-09-03 - MorphiSec - Cicada3301 Ransomware (archived version)](https://cyberscoop.com/wp-content/uploads/sites/3/2024/08/20240829-morphisec-cicada3301-ransomware-final__doc.pdf)
- [2024-10-18 - Group-IB - Encrypted Symphony: Infiltrating the Cicada3301 Ransomware-as-a-Service Group](https://www.group-ib.com/blog/cicada3301/)
### Samples
| SHA-256 Hash | Download Link |
| --- | --- |
| `7b3022437b637c44f42741a92c7f7ed251845fd02dda642c0a47fde179bd984e` | [MalwareBazaar](https://bazaar.abuse.ch/sample/7b3022437b637c44f42741a92c7f7ed251845fd02dda642c0a47fde179bd984e/) |
| `56e1d092c07322d9dad7d85d773953573cc3294b9e428b3bbbaf935ca4d2f7e7` | [MalwareBazaar](https://bazaar.abuse.ch/sample/56e1d092c07322d9dad7d85d773953573cc3294b9e428b3bbbaf935ca4d2f7e7/) |
## Convuster
### Articles
- [2021-03-18 - Kaspersky - Convuster: macOS adware now in Rust](https://securelist.com/convuster-macos-adware-in-rust/101258/)
### Malpedia
- [osx.convuster](https://malpedia.caad.fkie.fraunhofer.de/details/osx.convuster)
### Samples
| SHA-256 Hash | Download Link |
| --- | --- |
| `947ae8f075fd0d1e5be0341b922c0173f0c5cfd771314ebe220207f3ed53466a` | [MalShare](https://malshare.com/sample.php?action=detail&hash=947ae8f075fd0d1e5be0341b922c0173f0c5cfd771314ebe220207f3ed53466a) |
### Notes
Strictly speaking, this is not malware; it is adware.
## CosmicRust
### Articles
- [2024-01-04 - Greg Lesnewich - 100DaysofYARA - CosmicRust](https://g-les.github.io/yara/2024/01/04/100DaysofYARA-CosmicRust.html)
### Samples
| SHA-256 Hash | Download Link |
| --- | --- |
| `3315e5a4590e430550a4d85d0caf5f521d421a2966b23416fcfc275a5fd2629a` | [MalShare](https://malshare.com/sample.php?action=detail&hash=3315e5a4590e430550a4d85d0caf5f521d421a2966b23416fcfc275a5fd2629a) |
## DeltaStealer
### Articles
- [2023-05-19 - Trend Micro - Rust-Based Info Stealers Abuse GitHub Codespaces](https://www.trendmicro.com/en_us/research/23/e/rust-based-info-stealers-abuse-github-codespaces.html)
### Malpedia
- [win.deltastealer](https://malpedia.caad.fkie.fraunhofer.de/details/win.deltastealer)
### Samples
| SHA-256 Hash | Download Link |
| --- | --- |
| `c92a7425959121ff49970c53b78e714b9e450e4b214ac85deb878d0bedf82a70` | [MalwareBazaar](https://bazaar.abuse.ch/sample/c92a7425959121ff49970c53b78e714b9e450e4b214ac85deb878d0bedf82a70/) |
## EDDIESTEALER
### Articles
- [2025-05-29 - Elastic - Chasing Eddies: New Rust- based InfoStealer used in CAPTCHA campaigns](https://www.elastic.co/security-labs/eddiestealer)
### Samples
| SHA-256 Hash | Download Link |
| --- | --- |
| `5330cf6a8f4f297b9726f37f47cffac38070560cbac37a8e561e00c19e995f42` | [MalwareBazaar](https://bazaar.abuse.ch/sample/5330cf6a8f4f297b9726f37f47cffac38070560cbac37a8e561e00c19e995f42/) |
## Embargo Ransomware
### Articles
- [2024-05-24 - Cyble - The Rust Revolution: New Embargo Ransomware Steps In](https://cyble.com/blog/the-rust-revolution-new-embargo-ransomware-steps-in/)
- [2024-10-23 - ESET - Embargo ransomware: Rock'n'Rust](https://www.welivesecurity.com/en/eset-research/embargo-ransomware-rocknrust/)
### Samples
| SHA-256 Hash | Download Link |
| --- | --- |
| `ebffc9ced2dba66db9aae02c7ccd2759a36c5167df5cd4adb151b20e7eab173c` | [MalwareBazaar](https://bazaar.abuse.ch/sample/ebffc9ced2dba66db9aae02c7ccd2759a36c5167df5cd4adb151b20e7eab173c/) |
## evm-units
### Articles
- [2025-12-02 - Socket - Malicious Rust Crate evm-units Serves Cross-Platform Payloads for Silent Execution](https://socket.dev/blog/malicious-rust-crate-evm-units-serves-cross-platform-payloads)
### Samples
This is malicious Rust code inside a Rust crate: it is compiled if a Rust developer uses the crate as part of their project, and executed if the developer calls the malicious code. An archived version of the malicious code can be found in the [Socket.dev package archive](https://socket.dev/cargo/package/evm-units/files/1.3.0/evm-units-1.3.0/src/lib.rs#L210).
## ExeWho2
### Articles
- [2023-12-04 - Alex Perotti - ExeWho2 - A Tool from the Wild](https://cyb3rkitties.github.io/posts/exewho2-download-execution-payload-red-teaming/)
### Samples
| SHA-256 Hash | Download Link |
| --- | --- |
| `a36967a40dcff74c04b5dd80f1aa685925912df8ff6cb63c14059439e08d5f8d` | [MalwareBazaar](https://bazaar.abuse.ch/sample/a36967a40dcff74c04b5dd80f1aa685925912df8ff6cb63c14059439e08d5f8d/) |
### Notes
The _ExeWho2_ binary comes with its source code, which is available at https://github.com/cyb3rkitties/exewho2
## FickerStealer
### Articles
- [2020-10-27 - 3xp0rtblog - Tweet on FickerStealer](https://twitter.com/3xp0rtblog/status/1321209656774135810)
- [2021-07-19 - CyberArk - FickerStealer: A New Rust Player in the Market](https://www.cyberark.com/resources/threat-research-blog/fickerstealer-a-new-rust-player-in-the-market)
### Malpedia
- [win.fickerstealer](https://malpedia.caad.fkie.fraunhofer.de/details/win.fickerstealer)
### Samples
| SHA-256 Hash | Download Link |
| --- | --- |
| `dc021a0ca0bb3f66d54d15d2b236422c0b90399ea762c7d7aa6d727b9bd5b46c` | [MalwareBazaar](https://bazaar.abuse.ch/sample/dc021a0ca0bb3f66d54d15d2b236422c0b90399ea762c7d7aa6d727b9bd5b46c/) |
See also all samples [tagged with the `FickerStealer` signature on Malware Bazaar](https://bazaar.abuse.ch/browse/signature/FickerStealer/).
## Fickle Stealer
### Articles
- [2024-06-19 - Fortinet - Fickle Stealer Distributed via Multiple Attack Chain](https://www.fortinet.com/blog/threat-research/fickle-stealer-distributed-via-multiple-attack-chain)
### Samples
| SHA-256 Hash | Download Link |
| --- | --- |
| `e9bc44cf548a70e7285499209973faf44b7374dece1413dfcdc03bf25a6c599c` | [MalwareBazaar](https://bazaar.abuse.ch/sample/e9bc44cf548a70e7285499209973faf44b7374dece1413dfcdc03bf25a6c599c/) |
## Freeze.rs
### Articles
- [2023-08-09 - Fortinet - Attackers Distribute Malware via Freeze.rs And SYK Crypter](https://www.fortinet.com/blog/threat-research/malware-distributed-via-freezers-and-syk-crypter)
- [2023-09-07 - Gi7w0rm - Uncovering DDGroup — A long-time threat actor](https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4)
### Samples
| SHA-256 Hash | Download Link |
| --- | --- |
| `afd38445e5249ac5ac66addd18c20d271f41c3ffb056ca49c8c02f9fecb4afcb` | [MalShare](https://malshare.com/sample.php?action=detail&hash=afd38445e5249ac5ac66addd18c20d271f41c3ffb056ca49c8c02f9fecb4afcb) |
### Notes
The source code of the tool that generates the actual payload is available at https://github.com/optiv/Freeze.rs
## FunkSec Ransomware
### Aliases
FunkLocker
### Articles
- [2025-01-10 - Check Point - FunkSec – Alleged Top Ransomware Group Powered by AI](https://research.checkpoint.com/2025/funksec-alleged-top-ransomware-group-powered-by-ai/)
### Samples
| SHA-256 Hash | Download Link |
| ------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------- |
| `c233aec7917cf34294c19dd60ff79a6e0fac5ed6f0cb57af98013c08201a7a1c` | [MalwareBazaar](https://bazaar.abuse.ch/sample/c233aec7917cf34294c19dd60ff79a6e0fac5ed6f0cb57af98013c08201a7a1c) |
| `66dbf939c00b09d8d22c692864b68c4a602e7a59c4b925b2e2bef57b1ad047bd` | [MalwareBazaar](https://bazaar.abuse.ch/sample/66dbf939c00b09d8d22c692864b68c4a602e7a59c4b925b2e2bef57b1ad047bd) |
| `dcf536edd67a98868759f4e72bcbd1f4404c70048a2a3257e77d8af06cb036ac` | [MalwareBazaar](https://bazaar.abuse.ch/sample/dcf536edd67a98868759f4e72bcbd1f4404c70048a2a3257e77d8af06cb036ac) |
| `b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb` | [MalwareBazaar](https://bazaar.abuse.ch/sample/b1ef7b267d887e34bf0242a94b38e7dc9fd5e6f8b2c5c440ce4ec98cc74642fb) |
| `5226ea8e0f516565ba825a1bbed10020982c16414750237068b602c5b4ac6abd` | [MalwareBazaar](https://bazaar.abuse.ch/sample/5226ea8e0f516565ba825a1bbed10020982c16414750237068b602c5b4ac6abd) |
| `e622f3b743c7fc0a011b07a2e656aa2b5e50a4876721bcf1f405d582ca4cda22` | [MalwareBazaar](https://bazaar.abuse.ch/sample/e622f3b743c7fc0a011b07a2e656aa2b5e50a4876721bcf1f405d582ca4cda22) |
| `20ed21bfdb7aa970b12e7368eba8e26a711752f1cc5416b6fd6629d0e2a44e5d` | [MalwareBazaar](https://bazaar.abuse.ch/sample/20ed21bfdb7aa970b12e7368eba8e26a711752f1cc5416b6fd6629d0e2a44e5d) |
| `dd15ce869aa79884753e3baad19b0437075202be86268b84f3ec2303e1ecd966` | [MalwareBazaar](https://bazaar.abuse.ch/sample/dd15ce869aa79884753e3baad19b0437075202be86268b84f3ec2303e1ecd966) |
### Notes
The alleged source code prototype of the _FunkSec_ ransomware is available here: `7e223a685d5324491bcacf3127869f9f3ec5d5100c5e7cb5af45a227e6ab4603` ([MalwareBazaar](https://bazaar.abuse.ch/sample/7e223a685d5324491bcacf3127869f9f3ec5d5100c5e7cb5af45a227e6ab4603/))
## Rust-based payloads delivered by GlassWorm
### Articles
- [2025-11-29 - Nextron Systems - Analysis of the Rust implants found in the malicious VS Code extension](https://www.nextron-systems.com/2025/11/29/analysis-of-the-rust-implants-found-in-the-malicious-vs-code-extension/)
- [2025-12-10 - Koi - GlassWorm Goes Native: Same Infrastructure, Hardened Delivery](https://www.koi.ai/blog/glassworm-goes-native-same-infrastructure-hardened-delivery)
### Samples
| SHA-256 Hash | Download Link |
| --- | --- |
| `6ebeb188f3cc3b647c4460c0b8e41b75d057747c662f4cd7912d77deaccfd2f2` | [MalwareBazaar](https://bazaar.abuse.ch/sample/6ebeb188f3cc3b647c4460c0b8e41b75d057747c662f4cd7912d77deaccfd2f2/) |
| `fb07743d139f72fca4616b01308f1f705f02fda72988027bc68e9316655eadda` | [MalwareBazaar](https://bazaar.abuse.ch/sample/fb07743d139f72fca4616b01308f1f705f02fda72988027bc68e9316655eadda/) |
## Rust-based loader mimicking a GoToMeeting DLL
### Articles
- [2024-05-13 - G Data - GoTo Meeting loads Remcos RAT via Rust Shellcode Loader](https://blog.gdatasoftware.com/2024/05/37906-gotomeeting-loads-remcos)
### Samples
| SHA-256 Hash | Download Link |
| ------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------- |
| `93439fe9b45d7b6e9fcdc5e68fd47677ea17025e4eabb6f1468cb9ae98ee8a5b` | [MalwareBazaar](https://bazaar.abuse.ch/sample/93439fe9b45d7b6e9fcdc5e68fd47677ea17025e4eabb6f1468cb9ae98ee8a5b/) |
## Hive Ransomware (Rust variant)
### Articles
- [2022-07-05 - Microsoft - Hive ransomware gets upgrades in Rust](https://www.microsoft.com/en-us/security/blog/2022/07/05/hive-ransomware-gets-upgrades-in-rust/)
### Malpedia
- [win.hive](https://malpedia.caad.fkie.fraunhofer.de/details/win.hive)
### Samples
| SHA-256 Hash | Download Link |
| --- | --- |
| `f4a39820dbff47fa1b68f83f575bc98ed33858b02341c5c0464a49be4e6c76d3` | [MalwareBazaar](https://bazaar.abuse.ch/sample/f4a39820dbff47fa1b68f83f575bc98ed33858b02341c5c0464a49be4e6c76d3/) |
## Hunters International Ransomware
### Articles
- [2023-11-09 - Bitdefender - Hive Ransomware's Offspring: Hunters International Takes the Stage](https://www.bitdefender.com.au/blog/businessinsights/hive-ransomwares-offspring-hunters-international-takes-the-stage/)
### Samples
| SHA-256 Hash | Download Link |
| --- | --- |
| `c4d39db132b92514085fe269db90511484b7abe4620286f6b0a30aa475f64c3e` | [MalwareBazaar](https://bazaar.abuse.ch/sample/c4d39db132b92514085fe269db90511484b7abe4620286f6b0a30aa475f64c3e/) |
## JLORAT
### Articles
- [2023-04-34 - Kaspersky - Tomiris called, they want their Turla malware back > Tomiris's polyglot toolset > JLORAT](https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/#jlorat)
### Malpedia
- [win.jlorat](https://malpedia.caad.fkie.fraunhofer.de/details/win.jlorat)
### Samples
| SHA-256 Hash | Download Link |
| ------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------- |
| `69bb729ff354cd9651f99a05f74f3ea20d483dc8e6e5838e4dd48858fd500d29` | [MalwareBazaar](https://bazaar.abuse.ch/sample/69bb729ff354cd9651f99a05f74f3ea20d483dc8e6e5838e4dd48858fd500d29/) |
## KCVY OSLOCK
### Articles
- 2025-09-25 - Yogesh Londhe - [Tweet regarding KCVY OSLOCK Ransomware (archived version)](https://archive.is/IVFKD)
### Samples
| SHA-256 Hash | Download Link |
| ------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------- |
| `0ae6570d9e659ffd5efc1e3f9faca696bd12b66b8d125b1159aee9e5251a4d79` | [MalwareBazaar](https://bazaar.abuse.ch/sample/0ae6570d9e659ffd5efc1e3f9faca696bd12b66b8d125b1159aee9e5251a4d79/) |
## KrustyLoader
### Articles
- [2024-01-29 - Synacktiv - KrustyLoader - Rust malware linked to Ivanti ConnectSecure compromises](https://www.synacktiv.com/publications/krustyloader-rust-malware-linked-to-ivanti-connectsecure-compromises)
- [2024-02-10 - N0fix - KrustyLoader - About stripped Rust symbol recovery (archived version)](https://archive.is/YXkYt)
- [2024-08-03 - N0fix - KrustyLoader - Leveraging rust compilation artifacts to obtain reliable compilation timestamps and pivoting (archived version)](https://archive.is/6WGRv)
- [2025-05-13 - EclecticIQ - China-Nexus Nation State Actors Exploit SAP NetWeaver (CVE-2025-31324) to Target Critical Infrastructures](https://blog.eclecticiq.com/china-nexus-nation-state-actors-exploit-sap-netweaver-cve-2025-31324-to-target-critical-infrastructures)
### Malpedia
- [elf.krustyloader](https://malpedia.caad.fkie.fraunhofer.de/details/elf.krustyloader)
### Samples
| SHA-256 Hash | Download Link |
| ---------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------- |
| `030eb56e155fb01d7b190866aaa8b3128f935afd0b7a7b2178dc8e2eb84228b0` | [MalwareBazaar](https://bazaar.abuse.ch/sample/030eb56e155fb01d7b190866aaa8b3128f935afd0b7a7b2178dc8e2eb84228b0/) |
| `47ff0ae9220a09bfad2a2fb1e2fa2c8ffe5e9cb0466646e2a940ac2e0cf55d04` | [MalwareBazaar](https://bazaar.abuse.ch/sample/47ff0ae9220a09bfad2a2fb1e2fa2c8ffe5e9cb0466646e2a940ac2e0cf55d04/) |
## Luca Stealer
### Articles
- [2022-08-18 - BlackBerry - Luca Stealer Targets Password Managers and Cryptocurrency Wallets](https://blogs.blackberry.com/en/2022/08/luca-stealer-targets-password-managers-and-cryptocurrency-wallets)
- [Binary Defense - Digging through Rust to find Gold: Extracting Secrets from Rust Malware](https://www.binarydefense.com/resources/blog/digging-through-rust-to-find-gold-extracting-secrets-from-rust-malware/)
### Malpedia
- [win.luca_stealer](https://malpedia.caad.fkie.fraunhofer.de/details/win.luca_stealer)
### Samples
| SHA-256 Hash | Download Link |
| --- | --- |
| `99331a27afa84009e140880a8739d96f97baa1676d67ba7a3278fe61bfb79022` | [MalShare](https://malshare.com/sample.php?action=detail&hash=99331a27afa84009e140880a8739d96f97baa1676d67ba7a3278fe61bfb79022) |
### Notes
The source code is available at https://web.archive.org/web/20220725203750/https://github.com/luca364/rust-stealer/archive/refs/heads/master.zip
## Luna Ransomware
### Articles
- [2022-08-30 - Elastic - LUNA Ransomware Attack Pattern Analysis](https://www.elastic.co/security-labs/luna-ransomware-attack-pattern)
- [2023-01-13 - Nikhil "Kaido" Hegde - Getting Rusty and Stringy with Luna Ransomware](https://nikhilh-20.github.io/blog/luna_ransomware/)
### Malpedia
- [elf.luna](https://malpedia.caad.fkie.fraunhofer.de/details/elf.luna)
### Samples
| SHA-256 Hash | Download Link |
| --- | --- |
| `1cbbf108f44c8f4babde546d26425ca5340dccf878d306b90eb0fbec2f83ab51` | [MalShare](https://malshare.com/sample.php?action=detail&hash=1cbbf108f44c8f4babde546d26425ca5340dccf878d306b90eb0fbec2f83ab51) |
## Marabu Ransomware
### Articles
- [2025-12-22 - Gameel Ali - Tweet regarding Marabu Ransomware (archived version)](https://archive.is/Q1SK2)
### Samples
| SHA-256 Hash | Download Link |
| --- | --- |
| `fcfec2dc084c222e90ba7a860de6395ad819c46764fc37e0891308eff65510d5` | [MalwareBazaar](https://bazaar.abuse.ch/sample/fcfec2dc084c222e90ba7a860de6395ad819c46764fc37e0891308eff65510d5/) |
## Myth Stealer
### Articles
- [2025-06-05 - Trellix - Demystifying Myth Stealer: A Rust Based InfoStealer](https://www.trellix.com/blogs/research/demystifying-myth-stealer-a-rust-based-infostealer/)
- [2025-08-17 - cxiao.net - Reversing a (not-so-) Simple Rust Loader](https://cxiao.net/posts/2025-08-17-not-so-simple-rust-loader/)
### Samples
| SHA-256 Hash | Download Link |
| --- | --- |
| `55a418f8562684607ee0acd745595e297ab7e586d0a5d3f8328643b29c72dfa2` | [MalwareBazaar](https://bazaar.abuse.ch/sample/55a418f8562684607ee0acd745595e297ab7e586d0a5d3f8328643b29c72dfa2/) |
| `2f2b93d37d67b80b4faaf25bebe4e3cbaf7aca35328aeb66da6a1a9b44316f5b` | [MalwareBazaar](https://bazaar.abuse.ch/sample/2f2b93d37d67b80b4faaf25bebe4e3cbaf7aca35328aeb66da6a1a9b44316f5b/) |
| `66054607f38481ee7e39e002b58fe950966c4c0203df39f46acfe5c0e857c89a` | [MalwareBazaar](https://bazaar.abuse.ch/sample/66054607f38481ee7e39e002b58fe950966c4c0203df39f46acfe5c0e857c89a/) |
## Nokoyawa Ransomware (Rust variant)
### Articles
- [2022-12-20 - Zscaler - Nokoyawa Ransomware: Rust or Bust](https://www.zscaler.com/blogs/security-research/nokoyawa-ransomware-rust-or-bust)
### Malpedia
- [win.nokoyawa](https://malpedia.caad.fkie.fraunhofer.de/details/win.nokoyawa)
### Samples
| SHA-256 Hash | Download Link |
| --- | --- |
| `7095beafff5837070a89407c1bf3c6acf8221ed786e0697f6c578d4c3de0efd6` | [MalwareBazaar](https://bazaar.abuse.ch/sample/7095beafff5837070a89407c1bf3c6acf8221ed786e0697f6c578d4c3de0efd6/) |
## P2PInfect
### Articles
- [2023-07-19 - Palo Alto Networks - P2PInfect: The Rusty Peer-to-Peer Self-Replicating Worm](https://unit42.paloaltonetworks.com/peer-to-peer-worm-p2pinfect/)
- [2023-07-31 - Cado Security - Cado Security Labs Encounter Novel Malware, Redis P2Pinfect (archived version)](https://web.archive.org/web/20250527051235/https://www.cadosecurity.com/blog/redis-p2pinfect)
- [2023-09-20 - Cado Security - Cado Security Labs Researchers Witness a 600X Increase in P2Pinfect Traffic (archived version)](https://web.archive.org/web/20250812081523/https://www.cadosecurity.com/blog/cado-security-labs-researchers-witness-a-600x-increase-in-p2pinfect-traffic)
- [2023-12-04 - Cado Security - P2Pinfect - New Variant Targets MIPS Devices (archived version)](https://web.archive.org/web/20250702212318/https://www.cadosecurity.com/blog/p2pinfect-new-variant-targets-mips-devices)
- [2024-01-16 - Nozomi Networks - P2PInfect Worm Evolves to Target a New Platform](https://www.nozominetworks.com/blog/p2pinfect-worm-evolves-to-target-a-new-platform)
- [2024-06-25 - Cado Security - From Dormant to Dangerous: P2Pinfect Evolves to Deploy New Ransomware and Cryptominer (archived version)](https://web.archive.org/web/20250812064127/https://www.cadosecurity.com/blog/from-dormant-to-dangerous-p2pinfect-evolves-to-deploy-new-ransomware-and-cryptominer)
### Malpedia
- [elf.p2pinfect](https://malpedia.caad.fkie.fraunhofer.de/details/elf.p2pinfect)
### Samples
| SHA-256 Hash | Download Link |
| --- | --- |
| `3a43116d507d58f3c9717f2cb0a3d06d0c5a7dc29f601e9c2b976ee6d9c8713f` | [MalwareBazaar](https://bazaar.abuse.ch/sample/3a43116d507d58f3c9717f2cb0a3d06d0c5a7dc29f601e9c2b976ee6d9c8713f/) |
### Notes
This sample (`3a43116d507d58f3c9717f2cb0a3d06d0c5a7dc29f601e9c2b976ee6d9c8713f`) is not one of the hashes mentioned in the linked reports; however, due to the nature of this malware, a large number of unique samples exist, and after some searching I found this one.
## RALord Ransomware
### Articles
- [2025-04 - ISH Tecnologia - RALord: Novo grupo de Ransomware-as-a-Service](https://ish.com.br/wp-content/uploads/2025/04/RALord-Novo-grupo-de-Ransomware-as-a-Service-1.pdf)
### Samples
| SHA-256 Hash | Download Link |
| --- | --- |
| `456b9adaabae9f3dce2207aa71410987f0a571cd8c11f2e7b41468501a863606` | [MalwareBazaar](https://bazaar.abuse.ch/sample/456b9adaabae9f3dce2207aa71410987f0a571cd8c11f2e7b41468501a863606/) |
## RansomExx2
### Aliases
Defray, Defray777
### Articles
- [2022-11-22 - IBM X-Force - RansomExx upgrades to rust](https://securityintelligence.com/x-force/ransomexx-upgrades-rust/)
### Malpedia
- [elf.ransomexx](https://malpedia.caad.fkie.fraunhofer.de/details/elf.ransomexx)
### Samples
| SHA-256 Hash | Download Link |
| --- | --- |
| `a7ea1e33c548182b8e56e32b547afb4b384ebe257ca0672dbf72569a54408c5c` | [MalShare](https://malshare.com/sample.php?action=detail&hash=a7ea1e33c548182b8e56e32b547afb4b384ebe257ca0672dbf72569a54408c5c) |
## Realst Stealer
### Articles
- [2023-07-06 - Iamdeadlyz - Fake Blockchain Games Deliver RedLine Stealer & Realst Stealer - A New macOS Infostealer Malware](https://iamdeadlyz.gitbook.io/malware-research/july-2023/fake-blockchain-games-deliver-redline-stealer-and-realst-stealer-a-new-macos-infostealer-malware#realst-stealer-macos)
### Samples
| SHA-256 Hash | Download Link |
| --- | --- |
| `2af0e212ad70eaf8b96a645045ef2764700b5adf7b1187ae3d82240f96f613e2` | [MalwareBazaar](https://bazaar.abuse.ch/sample/2af0e212ad70eaf8b96a645045ef2764700b5adf7b1187ae3d82240f96f613e2/) |
See also all samples [tagged `RealstStealer` on Malware Bazaar](https://bazaar.abuse.ch/browse/tag/RealstStealer/).
## Rust-based loader for Rilide
### Aliases
BRAINSTORM
### Articles
- [2023-04-04 - Trustwave - Rilide: A New Malicious Browser Extension for Stealing Cryptocurrencies](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rilide-a-new-malicious-browser-extension-for-stealing-cryptocurrencies/)
- [2023-05-01 - Mandiant - A LNK Between Browsers: Hunting Methodologies and Extension Abusing Actors](https://www.mandiant.com/resources/blog/lnk-between-browsers)
### Samples
| SHA-256 Hash | Download Link |
| --- | --- |
| `0f11aeecbde1f355d26c9d406dad80cb0ae8536aea31fdddaf915d4afd434f3f` | [MalwareBazaar](https://bazaar.abuse.ch/sample/0f11aeecbde1f355d26c9d406dad80cb0ae8536aea31fdddaf915d4afd434f3f/) |
## Rust-based stealer used in the RusticWeb campaign
### Articles
- [2023-12-21 - Seqrite - Operation RusticWeb targets Indian Govt: From Rust-based malware to Web-service exfiltration](https://www.seqrite.com/blog/operation-rusticweb-targets-indian-govt-from-rust-based-malware-to-web-service-exfiltration/)
### Malpedia
- [win.unidentified_112](https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_112)
### Samples
| SHA-256 Hash | Download Link |
| --- | --- |
| `db91e23d9715464511057f2e15c9adc97d3f27fcfa308f05ac7e2de7275fdd32` | [MalShare](https://malshare.com/sample.php?action=detail&hash=db91e23d9715464511057f2e15c9adc97d3f27fcfa308f05ac7e2de7275fdd32) |
## RustBucket
### Articles
- [2023-04-21 - Jamf - BlueNoroff APT group targets macOS with ‘RustBucket’ Malware](https://www.jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/)
- [2023-07-13 - Elastic - The DPRK strikes using a new variant of RUSTBUCKET](https://www.elastic.co/security-labs/DPRK-strikes-using-a-new-variant-of-rustbucket)
### Malpedia
- [osx.rustbucket](https://malpedia.caad.fkie.fraunhofer.de/details/osx.rustbucket)
- [win.rustbucket](https://malpedia.caad.fkie.fraunhofer.de/details/win.rustbucket)
### Samples
| SHA-256 Hash | Download Link |
| --- | --- |
| `9ca914b1cfa8c0ba021b9e00bda71f36cad132f27cf16bda6d937badee66c747` | [MalShare](https://malshare.com/sample.php?action=detail&hash=9ca914b1cfa8c0ba021b9e00bda71f36cad132f27cf16bda6d937badee66c747) |
| `de81e5246978775a45f3dbda43e2716aaa1b1c4399fe7d44f918fccecc4dd500` | [MalwareBazaar](https://bazaar.abuse.ch/sample/de81e5246978775a45f3dbda43e2716aaa1b1c4399fe7d44f918fccecc4dd500/) |
## RustDoor
### Aliases
Thiefbucket
### Articles
- [2024-02-08 - Bitdefender - New macOS Backdoor Written in Rust Shows Possible Link with Windows Ransomware Group](https://www.bitdefender.com/en-us/blog/labs/new-macos-backdoor-written-in-rust-shows-possible-link-with-windows-ransomware-group)
- [2024-02-19 - S2W - RustDoor and GateDoor: A New Pair of Weapons Disguised as Legitimate Software by Suspected Cybercriminal](https://medium.com/s2wblog/rustdoor-and-gatedoor-a-new-pair-of-weapons-disguised-as-legitimate-software-by-suspected-34c94e558b40)
- [2024-09-16 - Jamf - Jamf Threat Labs observes targeted attacks amid FBI Warnings](https://www.jamf.com/blog/jamf-threat-labs-observes-targeted-attacks-amid-fbi-warnings/)
- [2025-02-26 - Palo Alto Networks - RustDoor and Koi Stealer for macOS Used by North Korea-Linked Threat Actor to Target the Cryptocurrency Sector](https://unit42.paloaltonetworks.com/macos-malware-targets-crypto-sector/)
### Samples
| SHA-256 Hash | Download Link |
| --- | --- |
| `a900ec81363358ef26bcdf7827f6091af44c3f1001bc8f52b766c9569b56faa5` | [MalwareBazaar](https://bazaar.abuse.ch/sample/a900ec81363358ef26bcdf7827f6091af44c3f1001bc8f52b766c9569b56faa5/) |
| `4a59e2fe11ed9136d96a985448b34957ee5861adc9c1a52de4ad65880875dfdb` | [MalwareBazaar](https://bazaar.abuse.ch/sample/4a59e2fe11ed9136d96a985448b34957ee5861adc9c1a52de4ad65880875dfdb/) |
| `238b546e2a1afc230f88b98dce1be6bf442b0b807e364106c0b28fe18db2ce66` | [MalwareBazaar](https://bazaar.abuse.ch/sample/238b546e2a1afc230f88b98dce1be6bf442b0b807e364106c0b28fe18db2ce66/) |
## Rustic Crypter
### Articles
- [2022-05-19 - IBM X-Force - ITG23 crypters highlight cooperation between cyber criminal groups](https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/)
### Samples
| SHA-256 Hash | Download Link |
| --- | --- |
| `45aa8efb6b1a9a0e0091040bb99a7c37d346aaf306fa4e31e9d5d9f0fef56676` | [MalwareBazaar](https://bazaar.abuse.ch/sample/45aa8efb6b1a9a0e0091040bb99a7c37d346aaf306fa4e31e9d5d9f0fef56676/) |
## RustoBot
### Articles
- [2025-04-21 - Fortinet - New Rust Botnet "RustoBot" is Routed via Routers](https://www.fortinet.com/blog/threat-research/new-rust-botnet-rustobot-is-routed-via-routers)
### Samples
| SHA-256 Hash | Download Link |
| --- | --- |
| `114b460012412411363c9a3ab0246e48a584ce86fc6c0b7855495ec531dd05a1` | [MalwareBazaar](https://bazaar.abuse.ch/sample/114b460012412411363c9a3ab0246e48a584ce86fc6c0b7855495ec531dd05a1/) |
| `1697fd5230f7f09a7b43fee1a1693013ed98beeb7a182cd3f0393d93dd1b7576` | [MalwareBazaar](https://bazaar.abuse.ch/sample/1697fd5230f7f09a7b43fee1a1693013ed98beeb7a182cd3f0393d93dd1b7576/) |
| `44a526f20c592fd95b4f7d61974c6f87701e33776b68a5d0b44ccd2fa3f48c5d` | [MalwareBazaar](https://bazaar.abuse.ch/sample/44a526f20c592fd95b4f7d61974c6f87701e33776b68a5d0b44ccd2fa3f48c5d/) |
| `5dc90cbb0f69f283ccf52a2a79b3dfe94ee8b3474cf6474cfcbe9f66f245a55d` | [MalwareBazaar](https://bazaar.abuse.ch/sample/5dc90cbb0f69f283ccf52a2a79b3dfe94ee8b3474cf6474cfcbe9f66f245a55d/) |
| `9a9b5bdeb1f23736ceffba623c8950d627a791a0b40c4d44ae2f80e02a43955d` | [MalwareBazaar](https://bazaar.abuse.ch/sample/9a9b5bdeb1f23736ceffba623c8950d627a791a0b40c4d44ae2f80e02a43955d/) |
| `9e660ce74e1bdb0a75293758200b03efd5f807e7896665addb684e0ffb53afd2` | [MalwareBazaar](https://bazaar.abuse.ch/sample/9e660ce74e1bdb0a75293758200b03efd5f807e7896665addb684e0ffb53afd2/) |
| `9f098920613bd0390d6485936256a67ae310b633124cfbf503936904e69a81bf` | [MalwareBazaar](https://bazaar.abuse.ch/sample/9f098920613bd0390d6485936256a67ae310b633124cfbf503936904e69a81bf/) |
| `b68e2d852ad157fc01da34e11aa24a5ab30845b706d7827b8119a3e648ce2cf1` | [MalwareBazaar](https://bazaar.abuse.ch/sample/b68e2d852ad157fc01da34e11aa24a5ab30845b706d7827b8119a3e648ce2cf1/) |
| `b910e77ee686d7d6769fab8cb8f9b17a4609c4e164bb4ed80d9717d9ddad364f` | [MalwareBazaar](https://bazaar.abuse.ch/sample/b910e77ee686d7d6769fab8cb8f9b17a4609c4e164bb4ed80d9717d9ddad364f/) |
| `c0abb19b3a72bd2785e8b567e82300423da672a463eefdeda6dd60872ff0e072` | [MalwareBazaar](https://bazaar.abuse.ch/sample/c0abb19b3a72bd2785e8b567e82300423da672a463eefdeda6dd60872ff0e072/) |
| `e547306d6dee4b5b2b6ce3e989b9713a5c21ebe3fefa0f5c1a1ea37cec37e20f` | [MalwareBazaar](https://bazaar.abuse.ch/sample/e547306d6dee4b5b2b6ce3e989b9713a5c21ebe3fefa0f5c1a1ea37cec37e20f/) |
| `ec9e77f1185f644462305184cf8afcf5d12c7eb524a2d3f4090a658a198c20ce` | [MalwareBazaar](https://bazaar.abuse.ch/sample/ec9e77f1185f644462305184cf8afcf5d12c7eb524a2d3f4090a658a198c20ce/) |
| `efb0153047b08aa1876e1e4e97a082f6cb05af75479e1e9069b77d98473a11f4` | [MalwareBazaar](https://bazaar.abuse.ch/sample/efb0153047b08aa1876e1e4e97a082f6cb05af75479e1e9069b77d98473a11f4/) |
## Rustonotto
### Aliases
CHILLYCHINO
### Articles
- [2025-08-07 - S2W - ScarCruft's New Language: Whispering in PubNub, Crafting Backdoor in Rust, Striking with Ransomware](https://github.com/S2W-TALON/Threat-Intelligence-Report/blob/df953af93d3634885bbfc5a0a2f2e1b2aeef58c1/250807_ScarCruft's%20New%20Language%3A%20Whispering%20in%20PubNub%2C%20Crafting%20Backdoor%20in%20Rust%2C%20Striking%20with%20Ransomware/%5BS2W%5D%20ScarCruft%E2%80%99s%20New%20Language_%20Whispering%20in%20PubNub%2C%20Crafting%20Backdoor%20in%20Rust%2C%20Striking%20with%20Ransomware.pdf)
- [2025-09-08 - Zscaler - APT37 Targets Windows with Rust Backdoor and Python Loader](https://www.zscaler.com/blogs/security-research/apt37-targets-windows-rust-backdoor-and-python-loader)
### Malpedia
- [win.rustonotto](https://malpedia.caad.fkie.fraunhofer.de/details/win.rustonotto)
### Samples
| SHA-256 Hash | Download Link |
| --- | --- |
| `67ad959e8af25a48928c28ca9a38a6f2a61ea4935fe60dfed79061214e840b15` | [MalwareBazaar](https://bazaar.abuse.ch/sample/67ad959e8af25a48928c28ca9a38a6f2a61ea4935fe60dfed79061214e840b15/) |
`738a31e7a0d96fe1b0ad6778db39425160835a80ac33ce8a84f26b71c00c26b9` | [MalwareBazaar](https://bazaar.abuse.ch/sample/738a31e7a0d96fe1b0ad6778db39425160835a80ac33ce8a84f26b71c00c26b9/) | ## RustyAttr ### 文章 - [2024-11-13 - Group-IB - Stealthy Attributes of Lazarus APT Group: Evading Detection with Extended Attributes](https://www.group-ib.com/blog/stealthy-attributes-of-apt-lazarus/) ### 样本 | SHA-256 Hash | Download Link | 备注 | | --- | --- | --- | | `9111d458d5665b1bf463859792e950fe8d8186df9a6a3241360dc11f34d018c2` | [MalwareBazaar](https://bazaar.abuse.ch/sample/9111d458d5665b1bf463859792e950fe8d8186df9a6a3241360dc11f34d018c2) | Gzip'd CPIO archive containing files and extended attributes required for payload delivery | | `176e8a5a7b6737f8d3464c18a77deef778ec2b9b42b7e7eafc888aeaf2758c2d` | [MalwareBazaar](https://bazaar.abuse.ch/sample/176e8a5a7b6737f8d3464c18a77deef778ec2b9b42b7e7eafc888aeaf2758c2d) | Rust payload, but without the required extended attribute | ## RustyBuer ### 文章 - [2021-05-03 - Proofpoint - New Variant of Buer Loader Written in Rust](https://www.proofpoint.com/us/blog/threat-insight/new-variant-buer-loader-written-rust) ### Malpedia - [win.buer](https://malpedia.caad.fkie.fraunhofer.de/details/win.buer) ### 样本 | SHA-256 Hash | Download Link | | --- | --- | | `3abed86f46c8be754239f8c878f035efaae91c33b8eb8818c5bbed98c4d9a3ac` | [MalwareBazaar](https://bazaar.abuse.ch/sample/3abed86f46c8be754239f8c878f035efaae91c33b8eb8818c5bbed98c4d9a3ac/) | ## RustyClaw ### 文章 - [2024-10-17 - Cisco - UAT-5647 targets Ukrainian and Polish entities with RomCom malware variants](https://blog.talosintelligence.com/uat-5647-romcom/) - [2025-06-30 - Proofpoint - 10 Things I Hate About Attribution: RomCom vs. 
TransferLoader](https://www.proofpoint.com/us/blog/threat-insight/10-things-i-hate-about-attribution-romcom-vs-transferloader) ### Malpedia - [win.rusty_claw](https://malpedia.caad.fkie.fraunhofer.de/details/win.rusty_claw) ### 样本 | SHA-256 Hash | Download Link | | --- | --- | | `10e1d453d4f9ca05ff6af3dcd7766a17ca1470ee89ba90feee5d52f8d2b18a4c` | [MalwareBazaar](https://bazaar.abuse.ch/sample/10e1d453d4f9ca05ff6af3dcd7766a17ca1470ee89ba90feee5d52f8d2b18a4c/) | | `7602e2c1ae27e1b36ee4aed357e505f14496f63db29fb4fcdd0d8a9db067a5c4` | [MalwareBazaar](https://bazaar.abuse.ch/sample/7602e2c1ae27e1b36ee4aed357e505f14496f63db29fb4fcdd0d8a9db067a5c4/) | | `b1fe8fbbb0b6de0f1dcd4146d674a71c511488a9eb4538689294bd782df040df` | [MalwareBazaar](https://bazaar.abuse.ch/sample/b1fe8fbbb0b6de0f1dcd4146d674a71c511488a9eb4538689294bd782df040df/) | ## RustyFlag ### 文章 - [2023-09-14 - Deep Instinct - Operation Rusty Flag – A Malicious Campaign Against Azerbaijanian Targets](https://www.deepinstinct.com/blog/operation-rusty-flag-a-malicious-campaign-against-azerbaijanian-targets) ### Malpedia - [win.unidentified_110](https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_110) ### 样本 | SHA-256 Hash | Download Link | | --- | --- | | `5327308fee51fc6bb95996c4185c4cfcbac580b747d79363c7cf66505f3ff6db` | [MalwareBazaar](https://bazaar.abuse.ch/sample/5327308fee51fc6bb95996c4185c4cfcbac580b747d79363c7cf66505f3ff6db/) | ## RustyPages ### 文章 - [2025-08-19 - Kandji - Threat Detected: RustyPages Malware - Part I](https://the-sequence.com/rustypages-malware-part-i) ### 样本 | SHA-256 Hash | Download Link | | --- | --- | | `e98756472404aeef70ba4d403339962989d9ed733fa0f6a23bdf4c2900d7e877` | [MalwareBazaar](https://bazaar.abuse.ch/sample/e98756472404aeef70ba4d403339962989d9ed733fa0f6a23bdf4c2900d7e877/) | | `7ab47b7b14f4d6848b9f4d410d1315ccc68e9a6714d94a2e870b6ba77d28e828` | [MalwareBazaar](https://bazaar.abuse.ch/sample/7ab47b7b14f4d6848b9f4d410d1315ccc68e9a6714d94a2e870b6ba77d28e828/) | | 
`5cee6368c6a9922a81a03831979947db8e5365986b4ad725c552ab6018a083b3` | [MalwareBazaar](https://bazaar.abuse.ch/sample/5cee6368c6a9922a81a03831979947db8e5365986b4ad725c552ab6018a083b3/) | | `d2c48f4fa4b0285889ef6c7667e12a1c0eda1393632ef2eac67b32777bf096f7` | [MalwareBazaar](https://bazaar.abuse.ch/sample/d2c48f4fa4b0285889ef6c7667e12a1c0eda1393632ef2eac67b32777bf096f7/) | | `f4c41111960771e0d7558ec2453b76ba9c422fcb9408e09a8de1fd611c272846` | [MalwareBazaar](https://bazaar.abuse.ch/sample/f4c41111960771e0d7558ec2453b76ba9c422fcb9408e09a8de1fd611c272846/) | ## RustyWater ### 别名 RUSTRIC, Archer RAT ### 文章 - [2025-12-22 - Seqrite - UNG0801: Tracking Threat Clusters obsessed with AV Icon Spoofing targeting Israel](https://www.seqrite.com/blog/ung0801-tracking-threat-clusters-obsessed-with-av-icon-spoofing-targeting-israel/) - [2026-01-08 - CloudSEK - Reborn in Rust: Muddy Water Evolves Tooling with RustyWater Implant](https://www.cloudsek.com/blog/reborn-in-rust-muddywater-evolves-tooling-with-rustywater-implant) ### 样本 | SHA-256 Hash | Download Link | | ------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------- | | `a2001892410e9f34ff0d02c8bc9e7c53b0bd10da58461e1e9eab26bdbf410c79` | [MalwareBazaar](https://bazaar.abuse.ch/sample/a2001892410e9f34ff0d02c8bc9e7c53b0bd10da58461e1e9eab26bdbf410c79/) | | `7523e53c979692f9eecff6ec760ac3df5b47f172114286e570b6bba3b2133f58` | [MalwareBazaar](https://bazaar.abuse.ch/sample/7523e53c979692f9eecff6ec760ac3df5b47f172114286e570b6bba3b2133f58/) | ## SloppyLemming 使用的基于 Rust 的键盘记录器 ### 文章 - [2026-03-02 - Arctic Wolf - SloppyLemming Deploys BurrowShell and Rust-Based RAT to Target Pakistan and Bangladesh](https://arcticwolf.com/resources/blog/sloppylemming-deploys-burrowshell-and-rust-based-rat-to-target-pakistan-and-bangladesh/) ### 样本 | SHA-256 Hash | Download Link | | 
------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------- | | `4f1628821c13cc27fd4134301cc93a1ad32b2a3f7066c3d90f7ba89e02180754` | [MalwareBazaar](https://bazaar.abuse.ch/sample/4f1628821c13cc27fd4134301cc93a1ad32b2a3f7066c3d90f7ba89e02180754/) | ## SnowFlake Stealer ### 文章 - [2022-02-14 - Finch4 - SnowFlake Stealer Analysis](https://github.com/Finch4/Malware-Analysis-Reports/blob/4f3baae07575e799db97ec22cb271d89c0fb0879/SnowFlake%20Stealer/SnowFlake%20Stealer%20Analysis.pdf) ### 样本 | SHA-256 Hash | Download Link | | --- | --- | | `1ae99a454f6c11e30c346ca825e2d20bc5450ddb808f25dd20a4d952604d34f0` | [MalwareBazaar](https://bazaar.abuse.ch/sample/1ae99a454f6c11e30c346ca825e2d20bc5450ddb808f25dd20a4d952604d34f0/) | | `4f10f503422560da8a332c30323401af59a914af940716d06e139ed7371be53f` | [MalwareBazaar](https://bazaar.abuse.ch/sample/4f10f503422560da8a332c30323401af59a914af940716d06e139ed7371be53f/) | | `5e1626ac3140548619efba38a154b98234080908158378ad2e7e4af9e92cfbb8` | [MalwareBazaar](https://bazaar.abuse.ch/sample/5e1626ac3140548619efba38a154b98234080908158378ad2e7e4af9e92cfbb8/) | | `674f31aed8544f2f54423de908559f3d1964ef4f3391d2bf989915766b8c42e9` | [MalwareBazaar](https://bazaar.abuse.ch/sample/674f31aed8544f2f54423de908559f3d1964ef4f3391d2bf989915766b8c42e9/) | | `8441c5d0d5ee30f94f54459ba89a3a2d20677d98313c120f32bf98015214049f` | [MalwareBazaar](https://bazaar.abuse.ch/sample/8441c5d0d5ee30f94f54459ba89a3a2d20677d98313c120f32bf98015214049f/) | | `b44db0bf0992d55c7353fe368322fe0b1e912b2a381c4bf8b7c56c9fcd2a86ff` | [MalwareBazaar](https://bazaar.abuse.ch/sample/b44db0bf0992d55c7353fe368322fe0b1e912b2a381c4bf8b7c56c9fcd2a86ff/) | ## SPICA ### 文章 - [2024-01-18 - Google TAG - Russian threat group COLDRIVER expands its targeting of Western officials to include the use of 
malware](https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/) ### 样本 | SHA-256 Hash | Download Link | | --- | --- | | `37c52481711631a5c73a634bd8bea302ad57f02199db7624b580058547fb5a9` | [MalwareBazaar](https://bazaar.abuse.ch/sample/37c52481711631a5c73a6341bd8bea302ad57f02199db7624b580058547fb5a9/) | ## SSLoad ### 文章 - [2024-04-11 - Palo Alto Networks - Contact Forms Campaign Pushes SSLoad Malware](https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-04-15-IOC-for-Contact-Forms-campaign-SSLoad-activity.txt) ### Malpedia - [win.ssload](https://malpedia.caad.fkie.fraunhofer.de/details/win.ssload) ### 样本 | SHA-256 Hash | Download Link | | --- | --- | | `09ffc4188bf11bf059b616491fcb8a09a474901581f46ec7f2c350fbda4e1e1c` | [MalwareBazaar](https://bazaar.abuse.ch/sample/09ffc4188bf11bf059b616491fcb8a09a474901581f46ec7f2c350fbda4e1e1c/) | ## SysJoker (Rust 变种) ### 别名 RustDown ### 文章 - [2023-11-23 - Check Point - Israel-Hamas War Spotlight: Shaking the Rust Off SysJoker](https://research.checkpoint.com/2023/israel-hamas-war-spotlight-shaking-the-rust-off-sysjoker/) - [2023-11-27 - Intezer - WildCard: The APT Behind SysJoker Targets Critical Sectors in Israel](https://intezer.com/blog/research/wildcard-evolution-of-sysjoker-cyber-threat/) ### Malpedia - [win.sysjoker](https://malpedia.caad.fkie.fraunhofer.de/details/win.sysjoker) ### 样本 | SHA-256 Hash | Download Link | | --- | --- | | `d4095f8b2fd0e6deb605baa1530c32336298afd026afc0f41030fa43371e3e72` | [MalShare](https://malshare.com/sample.php?action=detail&hash=d4095f8b2fd0e6deb605baa1530c32336298afd026afc0f41030fa43371e3e72) | ## Tetra Loader ### 文章 - [2025-05-22 - Cisco - UAT-6382 exploits Cityworks zero-day vulnerability to deliver malware](https://blog.talosintelligence.com/uat-6382-exploits-cityworks-vulnerability/) ### Malpedia - [win.tetra_loader](https://malpedia.caad.fkie.fraunhofer.de/details/win.tetra_loader) ### 样本 | SHA-256 Hash | Download Link | | 
--- | --- | | `14ed3878b6623c287283a8a80020f68e1cb6bfc37b236f33a95f3a64c4f4611f` | [MalwareBazaar](https://bazaar.abuse.ch/sample/14ed3878b6623c287283a8a80020f68e1cb6bfc37b236f33a95f3a64c4f4611f/) | | `1c38e3cda8ac6d79d9da40834367697a209c6b07e6b3ab93b3a4f375b161a901` | [MalwareBazaar](https://bazaar.abuse.ch/sample/1c38e3cda8ac6d79d9da40834367697a209c6b07e6b3ab93b3a4f375b161a901/) | | `4ffc33bdc8527a2e8cb87e49cdc16c3b1480dfc135e507d552f581a67d1850a9` | [MalwareBazaar](https://bazaar.abuse.ch/sample/4ffc33bdc8527a2e8cb87e49cdc16c3b1480dfc135e507d552f581a67d1850a9/) | ### 备注 据 Cisco Talos 称,_Tetra Loader_ 是使用名为 _MaLoader_ 的开源 Rust payload 构建器框架 (https://github.com/lv183037/MaLoader/) 构建的。 ## 未命名的 Rust DDoS 僵尸网络 ### 文章 - [2025-11-30 - Beelzebub - How I Reverse Engineered a Rust Botnet and Built a C2 Honeypot to Monitor Its Targets](https://beelzebub.ai/blog/rust-ddos-botnet-honeypot-c2-decoding/) ### 样本 | SHA-256 Hash | Download Link | | ------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------- | | `fd6ec293c37abd2d832659697d42c781727b0d32ba6bba3f0387b0dedaabe74e` | [MalwareBazaar](https://bazaar.abuse.ch/sample/fd6ec293c37abd2d832659697d42c781727b0d32ba6bba3f0387b0dedaabe74e/) | ## Zeon 勒索软件 (Rust 变种) ### 文章 - [2022-06-22 - SentinelOne - From the Front Lines | 3 New and Emerging Ransomware Threats Striking Businesses in 2022](https://www.sentinelone.com/blog/from-the-front-lines-3-new-and-emerging-ransomware-threats-striking-businesses-in-2022/) ### 样本 | SHA-256 Hash | Download Link | | --- | --- | | `fb57abf08a85f1d7ca0a6fdcd76b04ccf964a5b05f2f784492083994773e4590` | [MalShare](https://malshare.com/sample.php?action=detail&hash=fb57abf08a85f1d7ca0a6fdcd76b04ccf964a5b05f2f784492083994773e4590) | ### 备注 关于 _Zeon Ransomware_ 缺乏高质量的公开报告,因此我在此备注中澄清一些潜在的混淆点。 有些样本被识别为 _Zeon Ransomware_,但它们是用 Python 而非 Rust 编写的。这些样本通过 PyInstaller 打包,并使用 PyArmor 
进行混淆。例如,`c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a` ([MalShare](https://malshare.com/sample.php?action=detail&hash=c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a)) 是一个 PyInstaller 文件,它释放的勒索信与上面强调的 Rust 样本 `fb57abf08a85f1d7ca0a6fdcd76b04ccf964a5b05f2f784492083994773e4590` 几乎完全相同。两个样本的勒索信都写着 "All of your files are currently encrypted by ZEON strain",并链接到同一个 Tor 站点 (`http[:]//zeonrefpbompx6rwdqa5hxgtp2cxgfmoymlli3azoanisze33pp3x3yd[.]onion`),供受害者开始支付流程。 有报告指出 _Zeon Ransomware_ 与 _[Royal Ransomware](https://malpedia.caad.fkie.fraunhofer.de/details/win.royal_ransom)_ 有关,例如 [CISA 关于 Royal Ransomware 的公告](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a)。然而,我未能找到任何报告指出 Royal Ransomware 是用 Rust 编写的,也未找到任何 Royal Ransomware 的 Rust 样本。
------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------- | | `4f1628821c13cc27fd4134301cc93a1ad32b2a3f7066c3d90f7ba89e02180754` | [MalwareBazaar](https://bazaar.abuse.ch/sample/4f1628821c13cc27fd4134301cc93a1ad32b2a3f7066c3d90f7ba89e02180754/) | ## SnowFlake Stealer ### 文章 - [2022-02-14 - Finch4 - SnowFlake Stealer Analysis](https://github.com/Finch4/Malware-Analysis-Reports/blob/4f3baae07575e799db97ec22cb271d89c0fb0879/SnowFlake%20Stealer/SnowFlake%20Stealer%20Analysis.pdf) ### 样本 | SHA-256 Hash | Download Link | | --- | --- | | `1ae99a454f6c11e30c346ca825e2d20bc5450ddb808f25dd20a4d952604d34f0` | [MalwareBazaar](https://bazaar.abuse.ch/sample/1ae99a454f6c11e30c346ca825e2d20bc5450ddb808f25dd20a4d952604d34f0/) | | `4f10f503422560da8a332c30323401af59a914af940716d06e139ed7371be53f` | [MalwareBazaar](https://bazaar.abuse.ch/sample/4f10f503422560da8a332c30323401af59a914af940716d06e139ed7371be53f/) | | `5e1626ac3140548619efba38a154b98234080908158378ad2e7e4af9e92cfbb8` | [MalwareBazaar](https://bazaar.abuse.ch/sample/5e1626ac3140548619efba38a154b98234080908158378ad2e7e4af9e92cfbb8/) | | `674f31aed8544f2f54423de908559f3d1964ef4f3391d2bf989915766b8c42e9` | [MalwareBazaar](https://bazaar.abuse.ch/sample/674f31aed8544f2f54423de908559f3d1964ef4f3391d2bf989915766b8c42e9/) | | `8441c5d0d5ee30f94f54459ba89a3a2d20677d98313c120f32bf98015214049f` | [MalwareBazaar](https://bazaar.abuse.ch/sample/8441c5d0d5ee30f94f54459ba89a3a2d20677d98313c120f32bf98015214049f/) | | `b44db0bf0992d55c7353fe368322fe0b1e912b2a381c4bf8b7c56c9fcd2a86ff` | [MalwareBazaar](https://bazaar.abuse.ch/sample/b44db0bf0992d55c7353fe368322fe0b1e912b2a381c4bf8b7c56c9fcd2a86ff/) | ## SPICA ### 文章 - [2024-01-18 - Google TAG - Russian threat group COLDRIVER expands its targeting of Western officials to include the use of 
malware](https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/) ### 样本 | SHA-256 Hash | Download Link | | --- | --- | | `37c52481711631a5c73a634bd8bea302ad57f02199db7624b580058547fb5a9` | [MalwareBazaar](https://bazaar.abuse.ch/sample/37c52481711631a5c73a6341bd8bea302ad57f02199db7624b580058547fb5a9/) | ## SSLoad ### 文章 - [2024-04-11 - Palo Alto Networks - Contact Forms Campaign Pushes SSLoad Malware](https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-04-15-IOC-for-Contact-Forms-campaign-SSLoad-activity.txt) ### Malpedia - [win.ssload](https://malpedia.caad.fkie.fraunhofer.de/details/win.ssload) ### 样本 | SHA-256 Hash | Download Link | | --- | --- | | `09ffc4188bf11bf059b616491fcb8a09a474901581f46ec7f2c350fbda4e1e1c` | [MalwareBazaar](https://bazaar.abuse.ch/sample/09ffc4188bf11bf059b616491fcb8a09a474901581f46ec7f2c350fbda4e1e1c/) | ## SysJoker (Rust 变种) ### 别名 RustDown ### 文章 - [2023-11-23 - Check Point - Israel-Hamas War Spotlight: Shaking the Rust Off SysJoker](https://research.checkpoint.com/2023/israel-hamas-war-spotlight-shaking-the-rust-off-sysjoker/) - [2023-11-27 - Intezer - WildCard: The APT Behind SysJoker Targets Critical Sectors in Israel](https://intezer.com/blog/research/wildcard-evolution-of-sysjoker-cyber-threat/) ### Malpedia - [win.sysjoker](https://malpedia.caad.fkie.fraunhofer.de/details/win.sysjoker) ### 样本 | SHA-256 Hash | Download Link | | --- | --- | | `d4095f8b2fd0e6deb605baa1530c32336298afd026afc0f41030fa43371e3e72` | [MalShare](https://malshare.com/sample.php?action=detail&hash=d4095f8b2fd0e6deb605baa1530c32336298afd026afc0f41030fa43371e3e72) | ## Tetra Loader ### 文章 - [2025-05-22 - Cisco - UAT-6382 exploits Cityworks zero-day vulnerability to deliver malware](https://blog.talosintelligence.com/uat-6382-exploits-cityworks-vulnerability/) ### Malpedia - [win.tetra_loader](https://malpedia.caad.fkie.fraunhofer.de/details/win.tetra_loader) ### 样本 | SHA-256 Hash | Download Link | | 
--- | --- | | `14ed3878b6623c287283a8a80020f68e1cb6bfc37b236f33a95f3a64c4f4611f` | [MalwareBazaar](https://bazaar.abuse.ch/sample/14ed3878b6623c287283a8a80020f68e1cb6bfc37b236f33a95f3a64c4f4611f/) | | `1c38e3cda8ac6d79d9da40834367697a209c6b07e6b3ab93b3a4f375b161a901` | [MalwareBazaar](https://bazaar.abuse.ch/sample/1c38e3cda8ac6d79d9da40834367697a209c6b07e6b3ab93b3a4f375b161a901/) | | `4ffc33bdc8527a2e8cb87e49cdc16c3b1480dfc135e507d552f581a67d1850a9` | [MalwareBazaar](https://bazaar.abuse.ch/sample/4ffc33bdc8527a2e8cb87e49cdc16c3b1480dfc135e507d552f581a67d1850a9/) | ### 备注 据 Cisco Talos 称,_Tetra Loader_ 是使用名为 _MaLoader_ 的开源 Rust payload 构建器框架 (https://github.com/lv183037/MaLoader/) 构建的。 ## 未命名的 Rust DDoS 僵尸网络 ### 文章 - [2025-11-30 - Beelzebub - How I Reverse Engineered a Rust Botnet and Built a C2 Honeypot to Monitor Its Targets](https://beelzebub.ai/blog/rust-ddos-botnet-honeypot-c2-decoding/) ### 样本 | SHA-256 Hash | Download Link | | ------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------- | | `fd6ec293c37abd2d832659697d42c781727b0d32ba6bba3f0387b0dedaabe74e` | [MalwareBazaar](https://bazaar.abuse.ch/sample/fd6ec293c37abd2d832659697d42c781727b0d32ba6bba3f0387b0dedaabe74e/) | ## Zeon 勒索软件 (Rust 变种) ### 文章 - [2022-06-22 - SentinelOne - From the Front Lines | 3 New and Emerging Ransomware Threats Striking Businesses in 2022](https://www.sentinelone.com/blog/from-the-front-lines-3-new-and-emerging-ransomware-threats-striking-businesses-in-2022/) ### 样本 | SHA-256 Hash | Download Link | | --- | --- | | `fb57abf08a85f1d7ca0a6fdcd76b04ccf964a5b05f2f784492083994773e4590` | [MalShare](https://malshare.com/sample.php?action=detail&hash=fb57abf08a85f1d7ca0a6fdcd76b04ccf964a5b05f2f784492083994773e4590) | ### 备注 关于 _Zeon Ransomware_ 缺乏高质量的公开报告,因此我在此备注中澄清一些潜在的混淆点。 有些样本被识别为 _Zeon Ransomware_,但它们是用 Python 而非 Rust 编写的。这些样本通过 PyInstaller 打包,并使用 PyArmor 
进行混淆。例如,`c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a` ([MalShare](https://malshare.com/sample.php?action=detail&hash=c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a)) 是一个 PyInstaller 文件,它释放的勒索信与上面强调的 Rust 样本 `fb57abf08a85f1d7ca0a6fdcd76b04ccf964a5b05f2f784492083994773e4590` 几乎完全相同。两个样本的勒索信都写着 "All of your files are currently encrypted by ZEON strain",并链接到同一个 Tor 站点 (`http[:]//zeonrefpbompx6rwdqa5hxgtp2cxgfmoymlli3azoanisze33pp3x3yd[.]onion`),供受害者开始支付流程。 有报告指出 _Zeon Ransomware_ 与 _[Royal Ransomware](https://malpedia.caad.fkie.fraunhofer.de/details/win.royal_ransom)_ 有关,例如 [CISA 关于 Royal Ransomware 的公告](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a)。然而,我未能找到任何报告指出 Royal Ransomware 是用 Rust 编写的,也未找到任何 Royal Ransomware 的 Rust 样本。