Yara-Rules · PixelatedContinuum · Feb 14, 2026
diff --git a/malware/MALW_Arsenal237_BdApiUtil64.yar b/malware/MALW_Arsenal237_BdApiUtil64.yar
@@ -0,0 +1,116 @@
+/*
+   Yara Rule Set
+   Author: The Hunters Ledger
+   Date: 2026-01-26
+   Identifier: Arsenal-237 BdApiUtil64.sys BYOVD Component
+   Reference: https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-BdApiUtil64-sys/
+   License: https://creativecommons.org/licenses/by-nc/4.0/
+*/
+
+rule Arsenal237_BdApiUtil64_Hash {
+    meta:
+        description = "Detects Arsenal-237 BdApiUtil64.sys by file hash - BYOVD weaponized Baidu Antivirus kernel driver"
+        author = "The Hunters Ledger"
+        date = "2026-01-26"
+        reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-BdApiUtil64-sys/"
+        hash_sha256 = "47ec51b5f0ede1e70bd66f3f0152f9eb536d534565dbb7fcc3a05f542dbe4428"
+        hash_md5 = "ced47b89212f3260ebeb41682a4b95ec"
+        hash_sha1 = "148c0cde4f2ef807aea77d7368f00f4c519f47ef"
+        family = "Arsenal-237"
+
+    condition:
+        hash.sha256(0, filesize) == "47ec51b5f0ede1e70bd66f3f0152f9eb536d534565dbb7fcc3a05f542dbe4428" or
+        hash.md5(0, filesize) == "ced47b89212f3260ebeb41682a4b95ec" or
+        hash.sha1(0, filesize) == "148c0cde4f2ef807aea77d7368f00f4c519f47ef"
+}
+
+rule Arsenal237_BdApiUtil_Signature {
+    meta:
+        description = "Detects BdApiUtil64.sys by Baidu signature strings and PDB path - BYOVD with legitimate expired certificate"
+        author = "The Hunters Ledger"
+        date = "2026-01-26"
+        reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-BdApiUtil64-sys/"
+        family = "Arsenal-237"
+
+    strings:
+        $pdb = "D:\\jenkins\\workspace\\bav_5.0_workspace\\BavOutput\\Pdb\\Release\\BdApiUtil64.pdb" ascii wide
+        $signer = "Baidu Online Network Technology" ascii wide
+        $product = "Baidu Antivirus" ascii wide
+        $device = "\\Device\\BdApiUtil" ascii wide
+        $service = "Bprotect" ascii wide
+        $callback = "bdProtectExpCallBack" ascii wide
+
+    condition:
+        uint16(0) == 0x5A4D and
+        uint32(uint32(0x3C)) == 0x00004550 and
+        (2 of ($*))
+}
+
+rule Arsenal237_BdApiUtil_IOCTL_Abuse {
+    meta:
+        description = "Detects malware using BdApiUtil64.sys IOCTL codes for process termination and SSDT bypass"
+        author = "The Hunters Ledger"
+        date = "2026-01-26"
+        reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-BdApiUtil64-sys/"
+        family = "Arsenal-237"
+
+    strings:
+        $ioctl1 = { B4 24 00 80 }
+        $ioctl2 = { B8 24 00 80 }
+        $ioctl3 = { 24 23 00 80 }
+        $ioctl4 = { 48 26 00 80 }
+        $ioctl5 = { 4C 26 00 80 }
+        $api = "DeviceIoControl" ascii wide
+        $device = "\\\\.\\BdApiUtil" ascii wide
+
+    condition:
+        uint16(0) == 0x5A4D and
+        $api and $device and
+        2 of ($ioctl*)
+}
+
+rule Arsenal237_BdApiUtil_SSDT_Bypass {
+    meta:
+        description = "Detects SSDT bypass implementation using KeServiceDescriptorTable resolution via BdApiUtil64.sys"
+        author = "The Hunters Ledger"
+        date = "2026-01-26"
+        reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-BdApiUtil64-sys/"
+        family = "Arsenal-237"
+
+    strings:
+        $ssdt_string = "KeServiceDescriptorTable" ascii wide
+        $api1 = "MmGetSystemRoutineAddress" ascii wide
+        $api2 = "RtlInitUnicodeString" ascii wide
+        $hook_check = { 80 3? B8 }
+        $ssdt_lookup = { 8B ?? ?? C1 E? 02 }
+
+    condition:
+        uint16(0) == 0x5A4D and
+        $ssdt_string and
+        all of ($api*) and
+        1 of ($hook_check, $ssdt_lookup)
+}
+
+rule Arsenal237_BdApiUtil_Kernel_Termination {
+    meta:
+        description = "Detects kernel-mode process termination targeting security products via BdApiUtil64.sys"
+        author = "The Hunters Ledger"
+        date = "2026-01-26"
+        reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-BdApiUtil64-sys/"
+        family = "Arsenal-237"
+
+    strings:
+        $api1 = "PsLookupProcessByProcessId" ascii
+        $api2 = "ZwTerminateProcess" ascii
+        $api3 = "ObOpenObjectByPointer" ascii
+        $api4 = "ObDereferenceObject" ascii
+        $target1 = "MsMpEng.exe" ascii wide nocase
+        $target2 = "CSFalconService.exe" ascii wide nocase
+        $target3 = "ekrn.exe" ascii wide nocase
+        $target4 = "avp.exe" ascii wide nocase
+
+    condition:
+        uint16(0) == 0x5A4D and
+        3 of ($api*) and
+        2 of ($target*)
+}
diff --git a/malware/MALW_Arsenal237_KillerDLL.yar b/malware/MALW_Arsenal237_KillerDLL.yar
@@ -0,0 +1,120 @@
+/*
+   Yara Rule Set
+   Author: The Hunters Ledger
+   Date: 2026-01-25
+   Identifier: Arsenal-237 killer.dll BYOVD Defense Evasion Module
+   Reference: https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-killer-dll/
+   License: https://creativecommons.org/licenses/by-nc/4.0/
+*/
+
+rule Arsenal237_Killer_DLL_BYOVD_Comprehensive {
+    meta:
+        description = "Detects Arsenal-237 killer.dll BYOVD defense evasion module with embedded BdApiUtil64.sys and ProcExpDriver.sys for security product termination"
+        author = "The Hunters Ledger"
+        date = "2026-01-25"
+        reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-killer-dll/"
+        hash_sha256 = "10eb1fbb2be3a09eefb3d97112e42bb06cf029e6cac2a9fb891b8b89a25c788d"
+        family = "Arsenal-237"
+
+    strings:
+        $baidu_driver1 = "BdApiUtil64.sys" ascii wide nocase
+        $baidu_driver2 = "Baidu Antivirus BdApi Driver" ascii wide
+        $baidu_company = "Baidu, Inc." ascii wide
+        $baidu_device = "\\\\.\\BdApiUtil" ascii wide
+        $procexp_driver1 = "ProcExpDriver.sys" ascii wide nocase
+        $procexp_driver2 = "PROCEXP152" ascii wide
+        $procexp_company = "Sysinternals - www.sysinternals.com" ascii wide
+        $procexp_device = "\\\\.\\PROCEXP152" ascii wide
+        $ioctl_baidu = { B4 24 00 80 }
+        $ioctl_procexp = { 3C 00 35 83 }
+        $target1 = "MsMpEng.exe" ascii wide nocase
+        $target2 = "ekrn.exe" ascii wide nocase
+        $target3 = "avp.exe" ascii wide nocase
+        $target4 = "MBAMService.exe" ascii wide nocase
+        $target5 = "bdservicehost.exe" ascii wide nocase
+        $svc1 = "CreateServiceW" ascii wide
+        $svc2 = "StartServiceW" ascii wide
+        $svc3 = "DeleteService" ascii wide
+        $svc4 = "NtUnloadDriver" ascii wide
+        $rust1 = "rustc" ascii
+        $rust2 = "/rustc/" ascii
+        $c2_ip = "109.230.231.37" ascii wide
+        $export_func = "get_hostfxr_path" ascii
+
+    condition:
+        uint16(0) == 0x5A4D and
+        (
+            hash.sha256(0, filesize) == "10eb1fbb2be3a09eefb3d97112e42bb06cf029e6cac2a9fb891b8b89a25c788d" or
+            (
+                (#mz >= 2) and
+                (2 of ($baidu_*)) and
+                (2 of ($procexp_*)) and
+                (1 of ($ioctl_*))
+            ) or
+            (
+                (3 of ($target*)) and
+                (2 of ($svc*)) and
+                (1 of ($ioctl_*)) and
+                (1 of ($baidu_*, $procexp_*))
+            ) or
+            (
+                ($c2_ip) and
+                ($export_func) and
+                (1 of ($rust*)) and
+                (2 of ($target*))
+            )
+        )
+}
+
+rule Arsenal237_Embedded_Vulnerable_Driver {
+    meta:
+        description = "Detects embedded BdApiUtil64.sys or ProcExpDriver.sys within files indicating BYOVD payload staging"
+        author = "The Hunters Ledger"
+        date = "2026-01-25"
+        reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-killer-dll/"
+        family = "Arsenal-237"
+
+    strings:
+        $baidu_full1 = "\\SystemRoot\\System32\\Drivers\\BdApiUtil64.sys" ascii wide nocase
+        $baidu_full2 = "Baidu Antivirus BdApi Driver" ascii wide
+        $baidu_version = "5.0.3.84333" ascii wide
+        $procexp_full1 = "\\SystemRoot\\System32\\Drivers\\PROCEXP152.SYS" ascii wide nocase
+        $procexp_full2 = "Process Explorer" ascii wide
+        $procexp_version = "17.0.7" ascii wide
+        $device_baidu = "\\\\.\\BdApiUtil" ascii wide
+        $device_procexp = "\\\\.\\PROCEXP152" ascii wide
+
+    condition:
+        #mz >= 2 and
+        (
+            (2 of ($baidu_*)) or
+            (2 of ($procexp_*)) or
+            (1 of ($device_*) and #mz >= 2)
+        )
+}
+
+rule Arsenal237_BYOVD_Service_Creation {
+    meta:
+        description = "Detects BYOVD service creation patterns for kernel driver deployment (memory scanning use case)"
+        author = "The Hunters Ledger"
+        date = "2026-01-25"
+        reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-killer-dll/"
+        family = "Arsenal-237"
+
+    strings:
+        $api1 = "OpenSCManagerW" ascii wide
+        $api2 = "CreateServiceW" ascii wide
+        $api3 = "StartServiceW" ascii wide
+        $api4 = "ControlService" ascii wide
+        $api5 = "DeleteService" ascii wide
+        $kernel_driver = "SERVICE_KERNEL_DRIVER" ascii wide
+        $driver_ext = ".sys" ascii wide nocase
+        $temp1 = "\\AppData\\Local\\Temp\\" ascii wide nocase
+        $temp2 = "\\Windows\\Temp\\" ascii wide nocase
+
+    condition:
+        uint16(0) == 0x5A4D and
+        4 of ($api*) and
+        $kernel_driver and
+        1 of ($temp*)
+}
diff --git a/malware/MALW_Arsenal237_LPE.yar b/malware/MALW_Arsenal237_LPE.yar
@@ -0,0 +1,111 @@
+/*
+   Yara Rule Set
+   Author: The Hunters Ledger
+   Date: 2026-01-25
+   Identifier: Arsenal-237 lpe.exe Privilege Escalation Module
+   Reference: https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-lpe-exe/
+   License: https://creativecommons.org/licenses/by-nc/4.0/
+*/
+
+rule Arsenal237_LPE_EXE_Hash {
+    meta:
+        description = "Detects Arsenal-237 lpe.exe by file hash - local privilege escalation wrapper with 5 independent escalation techniques"
+        author = "The Hunters Ledger"
+        date = "2026-01-25"
+        reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-lpe-exe/"
+        hash_sha256 = "c4dda7b5c5f6eab49efc86091377ab08275aa951d956a5485665954830d1267e"
+        hash_md5 = "47400a6b7c84847db0513e6dbc04e469"
+        family = "Arsenal-237"
+
+    condition:
+        hash.sha256(0, filesize) == "c4dda7b5c5f6eab49efc86091377ab08275aa951d956a5485665954830d1267e" or
+        hash.md5(0, filesize) == "47400a6b7c84847db0513e6dbc04e469"
+}
+
+rule Arsenal237_LPE_Token_Manipulation {
+    meta:
+        description = "Detects Arsenal-237 lpe.exe token impersonation API pattern targeting SYSTEM-level processes"
+        author = "The Hunters Ledger"
+        date = "2026-01-25"
+        reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-lpe-exe/"
+        family = "Arsenal-237"
+
+    strings:
+        $api1 = "CreateToolhelp32Snapshot" ascii wide
+        $api2 = "OpenProcessToken" ascii wide
+        $api3 = "DuplicateTokenEx" ascii wide
+        $api4 = "ImpersonateLoggedOnUser" ascii wide
+        $api5 = "Process32FirstW" ascii wide
+        $api6 = "Process32NextW" ascii wide
+        $process1 = "winlogon.exe" ascii wide nocase
+        $process2 = "lsass.exe" ascii wide nocase
+        $process3 = "services.exe" ascii wide nocase
+        $process4 = "csrss.exe" ascii wide nocase
+
+    condition:
+        uint16(0) == 0x5A4D and
+        all of ($api*) and
+        2 of ($process*)
+}
+
+rule Arsenal237_LPE_UAC_Bypass {
+    meta:
+        description = "Detects Arsenal-237 lpe.exe UAC bypass via fodhelper.exe registry hijack"
+        author = "The Hunters Ledger"
+        date = "2026-01-25"
+        reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-lpe-exe/"
+        family = "Arsenal-237"
+
+    strings:
+        $reg1 = "HKCU\\\\Software\\\\Classes\\\\ms-settings\\\\Shell\\\\Open\\\\command" ascii wide nocase
+        $reg2 = "DelegateExecute" ascii wide
+        $reg3 = "reg add" ascii wide nocase
+        $reg4 = "fodhelper.exe" ascii wide nocase
+        $reg5 = "reg delete" ascii wide nocase
+
+    condition:
+        uint16(0) == 0x5A4D and
+        all of ($reg*)
+}
+
+rule Arsenal237_LPE_Named_Pipe {
+    meta:
+        description = "Detects Arsenal-237 lpe.exe named pipe impersonation via Print Spooler exploitation"
+        author = "The Hunters Ledger"
+        date = "2026-01-25"
+        reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-lpe-exe/"
+        family = "Arsenal-237"
+
+    strings:
+        $pipe1 = "CreateNamedPipeW" ascii wide
+        $pipe2 = "ImpersonateNamedPipeClient" ascii wide
+        $pipe3 = "ConnectNamedPipe" ascii wide
+        $pipe4 = "\\\\\\\\.\\\\pipe\\\\" ascii wide
+        $pipe5 = "spoolss" ascii wide nocase
+        $ps = "powershell" ascii wide nocase
+        $ps_pipe = "NamedPipeClientStream" ascii wide
+
+    condition:
+        uint16(0) == 0x5A4D and
+        (all of ($pipe*) or ($ps and $ps_pipe))
+}
+
+rule Arsenal237_LPE_Schtasks {
+    meta:
+        description = "Detects Arsenal-237 lpe.exe scheduled task escalation using schtasks.exe with SYSTEM context"
+        author = "The Hunters Ledger"
+        date = "2026-01-25"
+        reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-lpe-exe/"
+        family = "Arsenal-237"
+
+    strings:
+        $schtasks1 = "schtasks" ascii wide nocase
+        $schtasks2 = "/create" ascii wide nocase
+        $schtasks3 = "/tn" ascii wide nocase
+        $schtasks4 = "/ru SYSTEM" ascii wide nocase
+        $schtasks5 = "/delete" ascii wide nocase
+
+    condition:
+        uint16(0) == 0x5A4D and
+        all of ($schtasks*)
+}