EXPLORE
← Back to Explore
sigmacriticalHunting

Antivirus - APT Malware Signature

Detects a highly relevant Antivirus alert that reports APT malware. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.

MITRE ATT&CK

executioncommand-and-control

Detection Query

selection:
  - Signature|re:
      - APT\d
      - ATK\d
      - UNC\d
      - UAC\d
  - Signature|contains:
      - "[APT]"
      - APT_
      - APT-
      - BackOrder
      - BlindingCan
      - Blizzard
      - Chollima
      - Cleaver
      - Cobra
      - DarkHotel
      - Dragon
      - DTrack
      - Equation
      - GiftedCrook
      - GraphSteel
      - GreyEnergy
      - GEnergy
      - GrimPlant
      - Hydra
      - Jackal
      - Kitten
      - Kimsuky
      - Lazar
      - LightRail
      - Lotus
      - Luminous
      - LumiMoth
      - Nimbus
      - Manticore
      - MiniBike
      - MiniBrowse
      - MiniBus
      - MiniFast
      - MiniJuke
      - MiniUpdate
      - MuddyWater
      - NukeSped
      - OilRig
      - Panda
      - Sandstorm
      - SandWorm
      - Seamonkey
      - Sleet
      - SlugResin
      - SnailResin
      - Snake
      - Tempest
      - Tsunami
      - Turla
      - Typhoon
      - UAC_
      - UAC-
      - UNC_
      - UNC-
      - VinoSiren
      - Winnti
condition: selection

Author

Arnim Rupp (Nextron Systems)

Created

2026-06-15

Data Sources

antivirus

Tags

attack.executionattack.t1203attack.command-and-controlattack.t1219.002
Raw Content
title: Antivirus - APT Malware Signature
id: 101a1877-2cf4-474d-abfd-7f6ac4788d1a
status: experimental
description: |
    Detects a highly relevant Antivirus alert that reports APT malware.
    This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
    - https://www.nextron-systems.com/?s=antivirus
author: Arnim Rupp (Nextron Systems)
date: 2026-06-15
tags:
    - attack.execution
    - attack.t1203
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: antivirus
detection:
    selection:
        - Signature|re:
              - 'APT\d'
              - 'ATK\d'
              - 'UNC\d'
              - 'UAC\d'
        - Signature|contains:
              - "[APT]"
              - 'APT_'
              - 'APT-'
              - 'BackOrder'
              - 'BlindingCan'
              - 'Blizzard'
              - 'Chollima'
              - 'Cleaver'
              - 'Cobra'
              - 'DarkHotel'
              - 'Dragon'
              - 'DTrack'
              - 'Equation'
              - 'GiftedCrook'
              - 'GraphSteel'
              - 'GreyEnergy'
              - 'GEnergy'
              - 'GrimPlant'
              - 'Hydra'
              - 'Jackal'
              - 'Kitten'
              - 'Kimsuky'
              - 'Lazar'  # Lazarus
              - 'LightRail'
              - 'Lotus'
              - 'Luminous'
              - 'LumiMoth'
              - 'Nimbus'
              - 'Manticore'
              - 'MiniBike'
              - 'MiniBrowse'
              - 'MiniBus'
              - 'MiniFast'
              - 'MiniJuke'
              - 'MiniUpdate'
              - 'MuddyWater'
              - 'NukeSped'
              - 'OilRig'
              - 'Panda'
              - 'Sandstorm'
              - 'SandWorm'
              - 'Seamonkey'
              - 'Sleet'
              - 'SlugResin'
              - 'SnailResin'
              - 'Snake'
              - 'Tempest'
              - 'Tsunami'
              - 'Turla'
              - 'Typhoon'
              - 'UAC_'
              - 'UAC-'
              - 'UNC_'
              - 'UNC-'
              - 'VinoSiren'
              - 'Winnti'
    condition: selection
falsepositives:
    - Unlikely
level: critical