rule SetupCheck_AppDomainManager_Loader {
    meta:
        description  = ".NET AppDomainManager CLR hijack loader (SetupCheck.dll)"
        date         = "2026-06-03"
        hash_md5     = "9394ce05097730d25958f19731582d76"
        hash_sha1    = "6a2e051d96b5b51db1ba0b44620896023ca54423"
        hash_sha256  = "8b089163edb36e7a65baccb8ab317895162057a1acb2a5dc59dffd3d03c7cdb5"
        threat       = "Loader/AppDomainHijack"
        mitre        = "T1574.014"

    strings:
        $mvid        = { 1E D5 7D D9 CA 92 EE 41 BC 7B A0 4B 8D 1A 32 EA }
        $payload_w   = { 53 00 65 00 74 00 75 00 70 00 43 00 68 00 6B 00 2E 00 65 00 78 00 65 00 }
        $classname   = "DetachedChecker"
        $setuputils  = "SetupUtils"
        $copyright   = "2025,JSC Infotecs"
        $il_wait     = { 20 30 75 00 00 6F }
        $il_exit     = { 16 28 10 00 00 0A }

    condition:
        uint16(0) == 0x5A4D and
        filesize < 10KB and
        $mvid and $payload_w and
        ($classname or $setuputils or $copyright) and
        ($il_wait or $il_exit)
}

rule SetupChk_VipNet_Stealer {
    meta:
        description  = "Credential stealer with ITCS exfil (SetupChk.exe)"
        date         = "2026-06-03"
        hash_sha256  = "7d0e3efe656a28251e6460af1baa489ea6a07053a4bc6578edba659ab28afd5d"
        threat       = "Trojan/VipNetStealer"
        mitre        = "T1552.002,T1005,T1041"

    strings:
        $enc_blk_A   = { 17 17 B0 B4 A7 25 9D 5F D2 94 DD C4 76 19 39 31 }
        $enc_blk_D   = { 16 1E B4 B7 A7 25 9D 2C E2 A4 ED F6 76 19 39 31 }
        $itcs_magic  = { C7 ?? 49 54 43 53 }
        $itcs_ver    = { 66 C7 ?? 04 03 01 }
        $ipc_path    = "\\tmp\\processing"
        $lock_file   = "C:\\Windows\\Temp\\sfaere.lock"
        $mftp_db     = "mftpenv.db"
        $auth_reg    = "ITCSShared\\AuthInfo"

    condition:
        uint16(0) == 0x5A4D and
        ($enc_blk_A or $enc_blk_D) and
        (($itcs_magic and $itcs_ver) or $ipc_path) and
        ($auth_reg or $lock_file or $mftp_db)
}

rule SetupChk_ITCS_Protocol_HUNT {
    meta:
        description  = "ITCS v1.3 exfil packet builder (SetupChk.exe)"
        date         = "2026-06-03"
        hash_sha256  = "7d0e3efe656a28251e6460af1baa489ea6a07053a4bc6578edba659ab28afd5d"
        threat       = "Trojan/VipNetExfil"
        mitre        = "T1041"

    strings:
        $magic       = { C7 ?? 49 54 43 53 }
        $ver         = { 66 C7 ?? 04 03 01 }
        $pkt_type    = { 66 C7 ?? 0F 13 00 }
        $build_id    = { C7 ?? 11 00 03 4D 00 }
        $port_field  = { 66 C7 ?? 15 10 DC }

    condition:
        uint16(0) == 0x5A4D and
        $magic and $ver and
        ($pkt_type or $build_id or $port_field)
}

rule Rngsdkcfg_Packed_UPX {
    meta:
        description  = "Rust WSS backdoor UPX-packed (Rngsdkcfg.Exe)"
        date         = "2026-06-03"
        hash_md5     = "1bfe2b9493128574907a8279256a8bcc"
        hash_sha1    = "c1f6ca815b6395ee1ec8d749065c7e9018a9fc9a"
        hash_sha256  = "68b4c76a2280e3c31130d4de12b12dfd479a476f347f5b4a58cb2483d74aba7e"
        threat       = "Backdoor/RustWSS"
        mitre        = "T1571,T1573,T1070.004"

    strings:
        $upx0        = "UPX0"
        $upx1        = "UPX1"
        $cargo_frag  = ".cargo\\registry\\src\\"
        $tokio_ver   = "tokio-1.50.0"

    condition:
        uint16(0) == 0x5A4D and
        $upx0 and $upx1 and
        ($cargo_frag or $tokio_ver) and
        filesize > 1130000
}

rule Rngsdkcfg_Unpacked_Strings {
    meta:
        description  = "Rust WSS backdoor unpacked strings (Rngsdkcfg.Exe)"
        date         = "2026-06-03"
        hash_sha256  = "cb765f1eeac9a7e0bbf49137af26e74d5ea8dd1f6d4dfd4c0cfece20517483ed"
        threat       = "Backdoor/RustWSS"

    strings:
        $token       = "47c6235b4d2611184"
        $checked     = "Checked!"
        $ports443    = "0.0.0.0:443"
        $ports5003   = "0.0.0.0:5003"
        $iplir_stop  = "sc stop iplircontrol"
        $cert_rcgen  = "rcgen self signed cert"
        $batcmd_ext  = ".batcmd.exe"
        $san_cert    = "hello.world.example"
        $surv_timer  = "Survival Time: "
        $addlife_err = "Must Less than 30"
        $ustc_mirror = "mirrors.ustc.edu.cn"

    condition:
        uint16(0) == 0x5A4D and
        5 of them
}

rule Rngsdkcfg_SelfDestruct {
    meta:
        description  = "Rngsdkcfg self-destruct BAT + VipNet service restart"
        date         = "2026-06-03"
        threat       = "Backdoor/RustWSS"
        mitre        = "T1070.004,T1543.003"

    strings:
        $bat1        = "sc stop iplircontrol >nul"
        $bat2        = "sc start iplircontrol > nul"
        $bat3        = "(goto) 2>nul & del /F /Q %0"
        $bat4        = ".batcmd.exe"

    condition:
        uint16(0) == 0x5A4D and
        ($bat1 or $bat2) and
        ($bat3 or $bat4)
}

rule Campaign_Rust_USTC_Mirror_HUNT {
    meta:
        description  = "Chinese USTC cargo mirror artifact in Rust binary"
        date         = "2026-06-03"
        threat       = "Campaign/m1x6"

    strings:
        $ustc        = "mirrors.ustc.edu.cn"
        $cargo_path  = ".cargo\\registry\\src"
        $tokio       = "tokio-"
        $tungstenite = "tungstenite"

    condition:
        uint16(0) == 0x5A4D and
        $ustc and
        ($cargo_path or $tokio or $tungstenite)
}

rule VipNet_Trojanized_Config_HUNT {
    meta:
        description  = "Setup.exe.config with AppDomainManager hijack"
        date         = "2026-06-03"
        threat       = "Config/AppDomainHijack"
        mitre        = "T1574.014"

    strings:
        $apdomain_t  = "SetupCheck.DetachedChecker"
        $apdomain_a  = "appDomainManagerAssembly"
        $clr_key     = "appDomainManagerType"

    condition:
        filesize < 5KB and
        all of them
}