This repository includes all malware indicators that were found during the course of Citizen Lab investigations. Each directory corresponds to a single Citizen Lab report as seen below.
| Directory | Link | Published |
|---|
| 202006_DarkBasin | Dark Basin: Uncovering a Massive Hack-For-Hire Operation | June 9, 2020 |
| 201909_MissingLink | MISSING LINK: Tibetan Groups Targeted with Mobile Exploits | Sept 24, 2019 |
| 201905_EndlessMayfly | Burned After Reading: Endless Mayfly’s Ephemeral Disinformation Campaign | May 14, 2019 |
| 201810_TheKingdomCameToCanada | The Kingdom Came to Canada: How Saudi-Linked Digital Espionage Reached Canadian Soil | Oct 1, 2018 |
| 201808_FamiliarFeeling | Familiar Feeling: A Malware Campaign Targeting the Tibetan Diaspora Resurfaces | Aug 8, 2018 |
| 201803_BadTraffic | Bad Traffic: Sandvine’s PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads? | Mar 8, 2018 |
| 201801_SpyingOnABudget | Spying on a Budget: Inside a Phishing Operation with Targets in the Tibetan Community | Jan 30, 2018 |
| 201712_Cyberbit | Champing at the Cyberbit: Ethiopian Dissidents Targeted with New Commercial Spyware | Dec 6, 2017 |
| 201707_InsiderInfo | Insider Information: An intrusion campaign targeting Chinese language news sites | Jul 5, 2017 |
| 201706_RecklessRedux | Reckless Redux: Senior Mexican Legislators and Politicians Targeted with NSO Spyware | Jun 29, 2017 |
| 201706_RecklessExploit | Reckless Exploit: Mexican Journalists, Lawyers, and a Child Targeted with NSO Spyware | Jun 19, 2017 |
| 201705_TaintedLeaks | Tainted Leaks: Disinformation and Phishing With a Russian Nexus | May 25, 2017 |
| 201702_NilePhish | Nile Phish: Large-Scale Phishing Campaign Targeting Egyptian Civil Society | Feb 2, 2017 |
| 201611_KeyBoy | It’s Parliamentary: KeyBoy and the targeting of the Tibetan Community | Nov 11, 2016 |
| 201608_NSO_Group | "The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender" | Aug 24, 2016 |
| 201608_Group5 | "Group5: Syria and the Iranian Connection" | Aug 2, 2016 |
| 201605_Stealth_Falcon | "Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents" | May 29, 2016 |
| 201604_UP007_SLServer | Between Hong Kong and Burma: Tracking UP007 and SLServer Espionage Campaigns | Apr 18, 2016 |
| 201603_Shifting_Tactics | Shifting Tactics: Tracking changes in years-long espionage campaign against Tibetans | Mar 10, 2016 |
| 201512_PackRAT | "Packrat: Seven Years of a South American Threat Actor" | Dec 8, 2015 |
| 201510_NGO_Burma | Targeted Malware Attacks against NGO Linked to Attacks on Burmese Government Websites | Oct 16, 2015 |
| 201411_Communities@Risk | Communities @ Risk: Targeted Digital Threats Against Civil Society. | Nov 11, 2014 |
Yara signatures can be found here
The indicators are provided in the following formats.
- CSV - plain text comma seperated value with the following columns:
- uuid - A unique identifier for the indicator.
- event_id - a number that corresponds to the event.
- category - type of broad category for indicator (ex: network activity, payload)
- type - type of indicator (ex: ip-dst, domain, url)
- comment - text comment or annotation
- to_ids - whether this indicator is applicable to be included in an IDS or not
- date - the data when the indicator was added.
- MISP JSON - Structured format used by the Malware Information Sharing Platform
- OpenIOC - Format for OpenIOC an open framework for sharing threat intelligence.
- STIX XML - Format used by the STIX project
All data is provided under Creative Commons
Attribution-NonCommercial-ShareAlike 4.0 International and available in full
here and summarized
here