frknaykc/Dragon-ThreatResearchHQ
A comprehensive threat intelligence repository providing structured IOCs, YARA rules, APT group profiles and malware analysis, so that security teams can deploy detection capabilities quickly.
Stars: 15 | Forks: 2
Dragon Threat Research HQ
Comprehensive Threat Intelligence Repository
Malware Analysis • IOC Feeds • YARA Rules • Hunting Queries • STIX Bundles • MITRE ATT&CK Mapping
## Repository Structure
```
Dragon-ThreatResearchHQ/
│
├── APT-Groups/ # State-sponsored threat actor profiles & campaigns
│ ├── APT29-CozyBear/ # Russia — 5,407 IOCs
│ ├── APT39/ # Iran — 51 IOCs
│ ├── BitterAPT/ # South Asia — 19 IOCs
│ ├── DroppingElephant/ # India — 9 IOCs
│ ├── EquationGroup/ # USA — 422 IOCs
│ ├── FIN7/ # Russia — 3,272 IOCs
│ ├── Kimsuky-APT43/ # North Korea — 11 IOCs
│ ├── MuddyWater/ # Iran (MOIS) — 307 IOCs, 6 campaigns
│ ├── RedDelta/ # China — 287 IOCs
│ ├── ScatteredSpider/ # Multi — 214 IOCs
│ ├── SideWinder/ # India — 364 IOCs
│ ├── Storm-1811/ # Unknown — 15 IOCs
│ ├── DragonFly-GhostBlizzard/ # Russia (FSB) — 8 IOCs, 2 YARA (DynoWiper)
│ ├── PrinceOfPersia/ # Iran — 95 IOCs (Tornado, Foudre, Tonnerre)
│ ├── UNC5221/ # China
│ ├── VoidArachne-SilverFox/ # China — 6 IOCs (ValleyRAT/Winos 4.0)
│ └── VoltTyphoon/ # China — 194 IOCs
│
├── Malware/ # Malware families by category
│ ├── RATs/ # EtherRAT (92), MoonriseRAT
│ ├── Stealers/ # LummaStealer (817), OdysseyStealer (51), ...
│ ├── Backdoors/ # Brickstorm (35)
│ ├── Loaders/ # AeternumLoader (63), Phoenix
│ ├── Miners/ # XMRig-BYOVD (cryptojacking)
│ └── Wipers/ # DynoWiper + RTU Wiper (ICS/OT)
│
├── C2-Frameworks/ # C2 framework analysis
│ ├── CobaltStrike/ # 1,235 IOCs, beacon configs, YARA
│ └── VenusC2/ # 5 IOCs
│
├── Campaigns/ # Standalone campaigns (not actor-specific)
│ ├── 2024-06_RegreSSHion_CVE-2024-6387/
│ └── 2024-08_GhostTap-NFC/ # Chinese NFC payment relay fraud
│
├── Detection-Rules/ # Generic detection rules
│ └── Yara/ # xor_hunter.yar, office_startup_anomaly.yar
│
├── feeds/ # Aggregated IOC feeds (SIEM-ready)
│ ├── all_iocs.csv # 12,459 IOCs — master CSV
│ ├── domains.txt # 2,398 domains
│ ├── ips.txt # 2,679 IPs
│ ├── hashes.txt # 6,608 hashes (SHA256/SHA1/MD5)
│ ├── urls.txt # 413 URLs
│ └── cves.txt # 119 CVEs
│
├── scripts/ # Automation
│ └── aggregate_iocs.py # IOC aggregation & feed generation
│
├── Templates/ # Standardized templates for new entries
├── Resources/ # Reference material
├── index.json # Machine-readable threat index
├── CONTRIBUTING.md # Contribution guidelines
├── CODE_OF_CONDUCT.md # Code of conduct
└── LICENSE # MIT License
```
## Threat Index
### APT Groups (17)
| Group | Origin | IOCs | Campaigns | YARA | Report |
|-------|--------|-----:|:---------:|:----:|--------|
| [MuddyWater](APT-Groups/MuddyWater/) | Iran | 307 | 6 | — | [Profile](APT-Groups/MuddyWater/README.md) |
| [APT29 / Cozy Bear](APT-Groups/APT29-CozyBear/) | Russia | 5,407 | — | — | — |
| [FIN7](APT-Groups/FIN7/) | Russia | 3,272 | — | — | — |
| [Equation Group](APT-Groups/EquationGroup/) | USA | 422 | — | — | — |
| [SideWinder](APT-Groups/SideWinder/) | India | 364 | — | — | — |
| [Red Delta](APT-Groups/RedDelta/) | China | 287 | — | — | — |
| [Scattered Spider](APT-Groups/ScatteredSpider/) | Multiple | 214 | — | — | — |
| [Volt Typhoon](APT-Groups/VoltTyphoon/) | China | 194 | — | — | — |
| [APT39](APT-Groups/APT39/) | Iran | 51 | — | — | — |
| [Bitter APT](APT-Groups/BitterAPT/) | South Asia | 19 | 1 | — | [Profile](APT-Groups/BitterAPT/README.md) |
| [Storm-1811](APT-Groups/Storm-1811/) | Unknown | 15 | — | — | — |
| [Kimsuky / APT43](APT-Groups/Kimsuky-APT43/) | North Korea | 11 | 1 | — | [Profile](APT-Groups/Kimsuky-APT43/README.md) |
| [DragonFly / Ghost Blizzard](APT-Groups/DragonFly-GhostBlizzard/) | Russia | 8 | 1 | [2 rules](APT-Groups/DragonFly-GhostBlizzard/Campaigns/2025-12_PolishGrid/yara/) | [Profile](APT-Groups/DragonFly-GhostBlizzard/README.md) |
| [Dropping Elephant](APT-Groups/DroppingElephant/) | India | 9 | — | — | [Profile](APT-Groups/DroppingElephant/README.md) |
| [Prince of Persia](APT-Groups/PrinceOfPersia/) | Iran | 95 | 1 | — | [Profile](APT-Groups/PrinceOfPersia/README.md) |
| [Void Arachne / Silver Fox](APT-Groups/VoidArachne-SilverFox/) | China | 6 | — | — | [Profile](APT-Groups/VoidArachne-SilverFox/README.md) |
| [UNC5221](APT-Groups/UNC5221/) | China | — | — | — | [Profile](APT-Groups/UNC5221/README.md) |
### MuddyWater Campaigns (in-depth analysis)
| Campaign | Period | Tooling | IOCs | Report |
|----------|--------|---------|-----:|--------|
| [MuddyViper / Snakes by the Riverbank](APT-Groups/MuddyWater/Campaigns/2024-09_MuddyViper/) | Sep 2024 – Mar 2025 | Fooder, MuddyViper, CE-Notes, LP-Notes, Blub, go-socks5 | 75 | [README](APT-Groups/MuddyWater/Campaigns/2024-09_MuddyViper/README.md) |
| [Operation Olalampo](APT-Groups/MuddyWater/Campaigns/2026-01_Olalampo/) | Jan – Feb 2026 | CHAR, GhostFetch, GhostBackDoor, HTTP_VIP | 58 | [README](APT-Groups/MuddyWater/Campaigns/2026-01_Olalampo/README.md) |
| [RustyWater](APT-Groups/MuddyWater/Campaigns/2026-01_RustyWater/) | Jan 2026 – | RUSTRIC / Archer RAT | 1 | [README](APT-Groups/MuddyWater/Campaigns/2026-01_RustyWater/README.md) |
| [DHCSpy](APT-Groups/MuddyWater/Campaigns/2023-07_DHCSpy/) | Jul 2023 | DHCSpy Android spyware | 19 | [README](APT-Groups/MuddyWater/Campaigns/2023-07_DHCSpy/README.md) |
| [September 2024 Campaign](APT-Groups/MuddyWater/Campaigns/2024-09_Campaign/) | Sep 2024 | Various | 75 | — |
| [2025 Campaign](APT-Groups/MuddyWater/Campaigns/2025_MuddyWater/) | 2025 | Various | 8 | — |
### Malware Families (13)
| Malware | Type | IOCs | YARA | Report |
|---------|------|-----:|:----:|--------|
| [Lumma Stealer](Malware/Stealers/LummaStealer/) | Stealer | 817 | [1 rule](Malware/Stealers/LummaStealer/yara/) | — |
| [EtherRAT](Malware/RATs/EtherRAT/) | RAT | 92 | — | [README](Malware/RATs/EtherRAT/README.md) |
| [Aeternum Loader](Malware/Loaders/AeternumLoader/) | Loader | 63 | [1 rule](Malware/Loaders/AeternumLoader/yara/) | [README](Malware/Loaders/AeternumLoader/README.md) |
| [Odyssey Stealer](Malware/Stealers/OdysseyStealer/) | Stealer / RAT | 51 | — | [README](Malware/Stealers/OdysseyStealer/README.md) |
| [Brickstorm](Malware/Backdoors/Brickstorm/) | Backdoor | 35 | [9 rules](Malware/Backdoors/Brickstorm/yara/) | — |
| [Snake Keylogger](Malware/Stealers/SnakeKeylogger/) | Keylogger | 19 | — | — |
| [Meduza Stealer](Malware/Stealers/MeduzaStealer/) | Stealer | 13 | — | — |
| [BLX Stealer](Malware/Stealers/BLXStealer/) | Stealer | 2 | — | — |
| [Moonrise RAT](Malware/RATs/MoonriseRAT/) | RAT | — | — | — |
| [Phoenix](Malware/Loaders/Phoenix/) | Loader / Backdoor | — | — | [README](Malware/Loaders/Phoenix/README.md) |
| [XMRig BYOVD](Malware/Miners/XMRig-BYOVD/) | Miner | 4 | — | [README](Malware/Miners/XMRig-BYOVD/README.md) |
| [DynoWiper](Malware/Wipers/DynoWiper/) | Wiper (ICS) | 4 | [2 rules](Malware/Wipers/DynoWiper/yara/) | [README](Malware/Wipers/DynoWiper/README.md) |
### C2 Frameworks (2)
| Framework | IOCs | Beacon Configs | YARA | C2 List |
|-----------|-----:|:--------------:|:----:|---------|
| [Cobalt Strike](C2-Frameworks/CobaltStrike/) | 1,235 | [configs/](C2-Frameworks/CobaltStrike/Beacon-Configs/) | [3 rules](C2-Frameworks/CobaltStrike/yara/) | [c2_list.md](C2-Frameworks/CobaltStrike/c2_list.md) |
| [Venus C2](C2-Frameworks/VenusC2/) | 5 | — | — | [README](C2-Frameworks/VenusC2/README.md) |
### Standalone Campaigns (2)
| Campaign | Date | IOCs | Description |
|----------|------|-----:|-------------|
| [RegreSSHion CVE-2024-6387](Campaigns/2024-06_RegreSSHion_CVE-2024-6387/) | Jun 2024 | 31 | OpenSSH RCE exploitation |
| [Ghost Tap NFC](Campaigns/2024-08_GhostTap-NFC/) | Aug 2024 – | 167 | Chinese NFC payment relay fraud: 54 APKs, 5 C2 domains, losses over US$355,000 |
### Detection Rules (YARA)
| Rule | Target | Path |
|------|--------|------|
| XOR Hunter | XOR-encoded payloads | [xor_hunter.yar](Detection-Rules/Yara/xor_hunter.yar) |
| Office Startup Anomaly | Suspicious Office startup files | [office_startup_anomaly.yar](Detection-Rules/Yara/office_startup_anomaly.yar) |
| Cobalt Strike (3 rules) | CS beacon, syscalls, obfuscation | [yara/](C2-Frameworks/CobaltStrike/yara/) |
| Brickstorm (9 rules) | Brickstorm + Mandiant hunting | [yara/](Malware/Backdoors/Brickstorm/yara/) |
| Lumma Stealer | Lumma variants | [yara/](Malware/Stealers/LummaStealer/yara/) |
| Aeternum Loader | Aeternum panel / loader | [yara/](Malware/Loaders/AeternumLoader/yara/) |
| DynoWiper Mersenne | Mersenne Twister PRNG-based wiper (HMI) | [yara/](APT-Groups/DragonFly-GhostBlizzard/Campaigns/2025-12_PolishGrid/yara/) |
| RTU Firmware Wiper | ELF files with a 0xFF entry point (firmware wiper) | [yara/](APT-Groups/DragonFly-GhostBlizzard/Campaigns/2025-12_PolishGrid/yara/) |
## IOC Feeds (SIEM-ready)
All IOCs in the repository are aggregated into flat files that can be imported directly into a SIEM, TIP, firewall or DNS sinkhole.
| Feed | Entries | Format | Description |
|------|--------:|--------|-------------|
| [`feeds/all_iocs.csv`](feeds/all_iocs.csv) | 12,459 | CSV | Master file: all IOCs with metadata |
| [`feeds/domains.txt`](feeds/domains.txt) | 2,398 | Flat | One domain per line |
| [`feeds/ips.txt`](feeds/ips.txt) | 2,679 | Flat | One IP per line |
| [`feeds/hashes.txt`](feeds/hashes.txt) | 6,608 | Flat | SHA256 / SHA1 / MD5 |
| [`feeds/urls.txt`](feeds/urls.txt) | 413 | Flat | Malicious URLs |
| [`feeds/cves.txt`](feeds/cves.txt) | 119 | Flat | CVE identifiers |
| [`index.json`](index.json) | 23 | JSON | Machine-readable threat index |
Each APT group and malware family also has its own `iocs_all.csv`, which merges the IOCs from all of its campaigns.
### Usage
```
# Import domains into a DNS sinkhole
curl -sL https://raw.githubusercontent.com/frknaykc/Dragon-ThreatResearchHQ/main/feeds/domains.txt
# Import IPs into a firewall blocklist
curl -sL https://raw.githubusercontent.com/frknaykc/Dragon-ThreatResearchHQ/main/feeds/ips.txt
# Regenerate all feeds after adding new IOCs
python3 scripts/aggregate_iocs.py
```
## How Each Threat Is Organized
Every threat directory follows the same structure:
```
ThreatName/
├── README.md # Threat card — metadata, summary, quick links
├── report.md # Detailed analysis report
├── iocs.csv # IOCs (type, value, description, threat_actor, campaign, confidence, source, tags)
├── iocs.stix.json # STIX 2.1 bundle
├── mitre_attack.md # MITRE ATT&CK technique mapping
├── fingerprints.txt # Shodan / Censys / FOFA / Google Dork / SIEM queries
├── yara/ # Threat-specific YARA rules
└── screenshots/ # Panel, sandbox, phishing page screenshots
```
## Workflow: Adding a New Threat
```
1. Copy Templates/THREAT_TEMPLATE/ → appropriate category directory
2. Fill in README.md, report.md, iocs.csv, mitre_attack.md
3. Run: python3 scripts/aggregate_iocs.py
4. Feeds, iocs_all.csv, and index.json are auto-updated
```
See [CONTRIBUTING.md](CONTRIBUTING.md) for the full guide.
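Step 3 of the workflow above is the aggregation pass that turns every per-threat `iocs.csv` into the flat feeds listed under "IOC Feeds". The script below is an added example of how such a pass can be written defensively; it is not the repository's own `scripts/aggregate_iocs.py`. The only thing it takes from the page is the `iocs.csv` column layout (`type, value, description, threat_actor, campaign, confidence, source, tags`) and the feed file names; the `type` vocabulary and its aliases, the syntax checks, the refanging, the reject-rather-than-guess policy and the constructed sample rows (RFC 5737 address, `.invalid` domains, made-up hex) are this example's assumptions.

```python
# Added example for this page, not the repository's own scripts/aggregate_iocs.py.
# Only the iocs.csv column layout given in the README is taken as fact; the `type`
# vocabulary, validation rules, feed file names and sample rows are assumptions.
import csv
import ipaddress
import re
import tempfile
from collections import defaultdict
from pathlib import Path
from typing import Dict, List, Optional, Set, Tuple

FEED_FILES = {"domain": "domains.txt", "ip": "ips.txt", "hash": "hashes.txt",
              "url": "urls.txt", "cve": "cves.txt"}  # mirrors the feeds/ layout on the page
# Assumed aliases for the `type` column, folded onto the five feed names.
TYPE_ALIASES = {"md5": "hash", "sha1": "hash", "sha256": "hash", "ipv4": "ip", "ipv6": "ip", "fqdn": "domain"}
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")  # MD5 / SHA1 / SHA256
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
URL_RE = re.compile(r"^https?://\S+$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def refang(value: str) -> str:
    """Undo common defanging (hxxp://, [.], [:]) so the same IOC normalizes identically."""
    v = value.strip()
    v = re.sub(r"^hxxps?://", lambda m: m.group(0).lower().replace("xx", "tt"), v, flags=re.I)
    return v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")

def classify(value: str) -> Optional[str]:
    """Feed a value belongs to, judged by syntax alone; None if it matches no IOC type."""
    v = refang(value)
    low = v.lower()
    if HASH_RE.match(low):
        return "hash"
    if CVE_RE.match(v.upper()):
        return "cve"
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass
    if URL_RE.match(low):
        return "url"
    return "domain" if DOMAIN_RE.match(low) else None

def normalize(kind: str, value: str) -> str:
    v = refang(value)  # canonical form per feed so duplicates across threats collapse
    return v.upper() if kind == "cve" else v.lower() if kind in ("hash", "domain") else v

def aggregate(root: Path) -> Tuple[Dict[str, Set[str]], List[str]]:
    """Walk `root` for iocs.csv files; return per-feed value sets and the rejected rows."""
    feeds: Dict[str, Set[str]] = defaultdict(set)
    rejected: List[str] = []
    for csv_path in sorted(root.rglob("iocs.csv")):
        with csv_path.open(newline="", encoding="utf-8") as fh:
            for row in csv.DictReader(fh):
                value = (row.get("value") or "").strip()
                declared = (row.get("type") or "").strip().lower()
                declared = TYPE_ALIASES.get(declared, declared)
                kind = classify(value)
                # Reject rather than guess: an unparseable or mistyped value must not reach a blocklist.
                if kind is None or (declared and declared != kind):
                    rejected.append(f"{csv_path.relative_to(root)}: type={declared!r} value={value!r}")
                    continue
                feeds[kind].add(normalize(kind, value))
    return feeds, rejected

def write_feeds(feeds: Dict[str, Set[str]], out_dir: Path) -> Dict[str, int]:
    out_dir.mkdir(parents=True, exist_ok=True)  # one sorted, deduplicated flat file per feed
    counts = {}
    for kind, filename in FEED_FILES.items():
        values = sorted(feeds.get(kind, set()))
        (out_dir / filename).write_text("".join(v + "\n" for v in values), encoding="utf-8")
        counts[kind] = len(values)
    return counts

HEADER = ["type", "value", "description", "threat_actor", "campaign", "confidence", "source", "tags"]
SAMPLE_TREE = {  # constructed rows: RFC 5737 address, .invalid TLD, made-up hex; not real indicators
    "APT-Groups/ExampleActor/iocs.csv": [
        ("domain", "example-c2[.]invalid", "defanged C2 domain"),
        ("ip", "192.0.2.10", "C2 address"),
        ("md5", "0123456789abcdef0123456789abcdef", "dropper hash with aliased type"),
        ("url", "hxxp://example-c2[.]invalid/update", "defanged payload URL")],
    "Malware/Stealers/ExampleStealer/iocs.csv": [
        ("domain", "EXAMPLE-C2.invalid", "same domain, different case: deduplicated"),
        ("cve", "cve-2024-6387", "CVE listed on this page, normalized to upper case"),
        ("hash", "deadbeef", "truncated hash: rejected"),
        ("ip", "192.0.2.300", "out-of-range octet: rejected")]}

def run_demo() -> Tuple[Dict[str, int], Dict[str, List[str]], List[str]]:
    """Write SAMPLE_TREE into a temp dir, aggregate it and emit feeds/; return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, rows in SAMPLE_TREE.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            with (root / rel).open("w", newline="", encoding="utf-8") as fh:
                writer = csv.writer(fh)
                writer.writerow(HEADER)
                writer.writerows([k, v, d, "ExampleActor", "2024-01_Demo", "high", "constructed", "demo"]
                                 for k, v, d in rows)
        feeds, rejected = aggregate(root)
        return write_feeds(feeds, root / "feeds"), {k: sorted(v) for k, v in feeds.items()}, rejected
```

Running `run_demo()` on the constructed tree yields one line per feed, the two case-variant domains collapsed to a single entry, and the two malformed rows reported as rejects instead of written out. The point of validating the `value` against the declared `type` is that a flat feed is consumed blindly by firewalls and sinkholes, so a single mistyped or truncated row would otherwise ship straight into a blocklist.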
## Purpose
| Goal | Description |
|------|-------------|
| **Threat intelligence** | Structured IOCs, STIX bundles and hunting queries for rapid detection |
| **SOC integration** | CSV and flat-file feeds that import directly into a SIEM / TIP / firewall |
| **Research & education** | Detailed reports and ATT&CK mappings for understanding threat actors |
| **Community** | Standardized templates that make contributing straightforward |
## Disclaimer
This repository is for **educational and research purposes** only. Any misuse of the information it contains for malicious purposes is strictly prohibited. Always follow legal and ethical guidelines when handling threat intelligence data.
## License
This project is licensed under the [MIT License](LICENSE).