Yara-Rules · PixelatedContinuum · Feb 14, 2026
diff --git a/malware/MALW_Arsenal237_ChromeElevator.yar b/malware/MALW_Arsenal237_ChromeElevator.yar
@@ -0,0 +1,96 @@
+/*
+   Yara Rule Set
+   Author: The Hunters Ledger
+   Date: 2026-01-26
+   Identifier: Arsenal-237 chromelevator.exe Browser Credential Theft Tool
+   Reference: https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-chromelevator-exe/
+   License: https://creativecommons.org/licenses/by-nc/4.0/
+*/
+
+rule Chromelevator_Browser_Credential_Extraction {
+    meta:
+        description = "Detects Arsenal-237 chromelevator.exe browser credential extraction tool targeting Chrome, Brave, and Edge via reflective DLL injection"
+        author = "The Hunters Ledger"
+        date = "2026-01-26"
+        reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-chromelevator-exe/"
+        family = "Arsenal-237"
+
+    strings:
+        $filename = "chromelevator.exe" nocase ascii
+        $payload = "PAYLOAD_DLL" nocase ascii
+        $chrome = "chrome.exe" nocase ascii
+        $brave = "brave.exe" nocase ascii
+        $edge = "msedge.exe" nocase ascii
+        $named_pipe = "Named pipe server created" nocase ascii
+        $reflective = "ReflectiveLoader" nocase ascii
+        $extraction = "Extracted" nocase ascii
+        $cookies = "cookies" nocase ascii
+        $passwords = "passwords" nocase ascii
+        $payments = "payments" nocase ascii
+        $verbose = "--verbose" nocase ascii
+        $fingerprint = "--fingerprint" nocase ascii
+        $output = "--output-path" nocase ascii
+        $create_pipe = "CreateNamedPipeW" nocase ascii
+        $connect_pipe = "ConnectNamedPipe" nocase ascii
+        $find_resource = "FindResourceW" nocase ascii
+        $load_resource = "LoadResource" nocase ascii
+
+    condition:
+        ($filename and $payload and ($extraction or ($cookies and $passwords))) or
+        (3 of ($chrome, $brave, $edge) and 2 of ($extraction, $cookies, $passwords)) or
+        ($reflective and $named_pipe and any of ($chrome, $brave, $edge)) or
+        (2 of ($verbose, $fingerprint, $output) and any of ($chrome, $brave, $edge))
+}
+
+rule Arsenal237_Direct_Syscall_Framework {
+    meta:
+        description = "Detects Arsenal-237 direct syscall EDR bypass framework using Zw* Native API calls to avoid EDR hooking"
+        author = "The Hunters Ledger"
+        date = "2026-01-26"
+        reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-chromelevator-exe/"
+        family = "Arsenal-237"
+
+    strings:
+        $zw_alloc = "ZwAllocateVirtualMemory" nocase ascii
+        $zw_write = "ZwWriteVirtualMemory" nocase ascii
+        $zw_read = "ZwReadVirtualMemory" nocase ascii
+        $zw_protect = "ZwProtectVirtualMemory" nocase ascii
+        $zw_create_thread = "ZwCreateThreadEx" nocase ascii
+        $zw_open_proc = "ZwOpenProcess" nocase ascii
+        $zw_query_proc = "ZwQueryInformationProcess" nocase ascii
+        $zw_context = "ZwGetContextThread" nocase ascii
+        $zw_set_context = "ZwSetContextThread" nocase ascii
+        $zw_resume = "ZwResumeThread" nocase ascii
+        $zw_pattern = /Zw[A-Z][a-zA-Z]+/
+
+    condition:
+        (5 of ($zw_alloc, $zw_write, $zw_protect, $zw_create_thread, $zw_open_proc)) or
+        (all of them and #zw_pattern >= 10)
+}
+
+rule Reflective_DLL_Injection_Framework {
+    meta:
+        description = "Detects reflective DLL injection implementation using ReflectiveLoader with direct syscall or Win32 API injection pattern"
+        author = "The Hunters Ledger"
+        date = "2026-01-26"
+        reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-chromelevator-exe/"
+        family = "Arsenal-237"
+
+    strings:
+        $dos_header = "MZ" at 0
+        $reflective_loader = "ReflectiveLoader" nocase ascii
+        $reflective_export = "reflective" nocase ascii wide
+        $alloc = "VirtualAllocEx" nocase ascii
+        $write = "WriteProcessMemory" nocase ascii
+        $protect = "VirtualProtectEx" nocase ascii
+        $create_remote = "CreateRemoteThread" nocase ascii
+        $zw_alloc = "ZwAllocateVirtualMemory" nocase ascii
+        $zw_write = "ZwWriteVirtualMemory" nocase ascii
+        $zw_protect = "ZwProtectVirtualMemory" nocase ascii
+        $zw_create = "ZwCreateThreadEx" nocase ascii
+
+    condition:
+        ($reflective_loader and $dos_header) or
+        ($reflective_loader and all of ($zw_alloc, $zw_write, $zw_protect, $zw_create)) or
+        ($reflective_loader and all of ($alloc, $write, $protect, $create_remote))
+}
diff --git a/malware/MALW_Arsenal237_dec_fixed.yar b/malware/MALW_Arsenal237_dec_fixed.yar
@@ -0,0 +1,102 @@
+/*
+   Yara Rule Set
+   Author: The Hunters Ledger
+   Date: 2026-01-26
+   Identifier: Arsenal-237 dec_fixed.exe Ransomware Decryptor
+   Reference: https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-dec_fixed-exe/
+   License: https://creativecommons.org/licenses/by-nc/4.0/
+*/
+
+rule Arsenal237_dec_fixed_FileHash {
+    meta:
+        description = "Detects Arsenal-237 dec_fixed.exe per-victim ransomware decryptor by exact cryptographic hash - recovery tool not an attack tool"
+        author = "The Hunters Ledger"
+        date = "2026-01-26"
+        reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-dec_fixed-exe/"
+        hash_sha256 = "d73c4f127c5c0a7f9bf0f398e95dd55c7e8f6f6a5783c8cb314bd99c2d1c9802"
+        hash_sha1 = "29014d4d6fc42219cd9cdc130b868382cf2c14c2"
+        hash_md5 = "7c5493a0a5df52682a5c2ba433634601"
+        family = "Arsenal-237"
+        malware_type = "Ransomware Decryptor"
+
+    condition:
+        hash.sha256(0, filesize) == "d73c4f127c5c0a7f9bf0f398e95dd55c7e8f6f6a5783c8cb314bd99c2d1c9802" or
+        hash.md5(0, filesize) == "7c5493a0a5df52682a5c2ba433634601" or
+        hash.sha1(0, filesize) == "29014d4d6fc42219cd9cdc130b868382cf2c14c2"
+}
+
+rule Arsenal237_Victim_Key_Decryptor {
+    meta:
+        description = "Detects Arsenal-237 dec_fixed.exe victim-specific hardcoded ChaCha20 decryption key matching new_enc.exe encryption key"
+        author = "The Hunters Ledger"
+        date = "2026-01-26"
+        reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-dec_fixed-exe/"
+        family = "Arsenal-237"
+        malware_type = "Ransomware Decryptor"
+
+    strings:
+        $key1 = "1e0d8597856270d1926cfcf252af1b14a776c20b3b50168df9311314202e73ba" nocase ascii
+        $key2 = "67e6096a85ae67bb72f36e3c3af54fa57f520e518c68059babd9831f19cde05b" nocase ascii
+
+    condition:
+        1 of them
+}
+
+rule Arsenal237_ChaCha20_Decryption {
+    meta:
+        description = "Detects Arsenal-237 dec_fixed.exe ChaCha20-Poly1305 AEAD decryption implementation with key validation error strings"
+        author = "The Hunters Ledger"
+        date = "2026-01-26"
+        reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-dec_fixed-exe/"
+        family = "Arsenal-237"
+        malware_type = "Ransomware Decryptor"
+
+    strings:
+        $constant1 = "expand 32-byte k" ascii nocase
+        $error1 = "Decryption failed - wrong key or corrupted file" ascii
+        $error2 = "File corrupted - encrypted size mismatch" ascii
+
+    condition:
+        $constant1 and any of ($error1, $error2)
+}
+
+rule Arsenal237_Decryptor_Tool {
+    meta:
+        description = "Detects Arsenal-237 dec_fixed.exe batch file decryptor with --folder-a parameter and characteristic error message strings"
+        author = "The Hunters Ledger"
+        date = "2026-01-26"
+        reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-dec_fixed-exe/"
+        family = "Arsenal-237"
+        malware_type = "Ransomware Decryptor"
+
+    strings:
+        $cmd1 = "--folder-a" ascii
+        $error1 = "File too small" ascii
+        $error2 = "Could not find filename" ascii
+        $error3 = "Invalid victim key hex" ascii
+        $cleanup = "readme.txt" ascii nocase
+
+    condition:
+        $cmd1 and 2 of ($error1, $error2, $error3) and $cleanup
+}
+
+rule Arsenal237_Rust_Compiled_Tools {
+    meta:
+        description = "Detects Arsenal-237 Rust-compiled ransomware tools (encryptors and decryptors) by ChaCha20-Poly1305 library strings and file size"
+        author = "The Hunters Ledger"
+        date = "2026-01-26"
+        reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-dec_fixed-exe/"
+        family = "Arsenal-237"
+        malware_type = "Ransomware"
+
+    strings:
+        $chacha20_lib = "chacha20" ascii nocase
+        $poly1305_lib = "poly1305" ascii nocase
+        $rust_constant = "expand 32-byte k" ascii
+        $rust_error = "Decryption failed" ascii nocase
+
+    condition:
+        filesize > 900KB and filesize < 1MB and
+        $chacha20_lib and $poly1305_lib and
+        $rust_constant
+}
diff --git a/malware/MALW_Arsenal237_nethost.yar b/malware/MALW_Arsenal237_nethost.yar
@@ -0,0 +1,102 @@
+/*
+   Yara Rule Set
+   Author: The Hunters Ledger
+   Date: 2026-01-26
+   Identifier: Arsenal-237 nethost.dll DLL Hijacking C2 Communication Module
+   Reference: https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-nethost-dll/
+   License: https://creativecommons.org/licenses/by-nc/4.0/
+*/
+
+rule Arsenal237_nethost_FileHash {
+    meta:
+        description = "Detects Arsenal-237 nethost.dll C2 communication module by file hash - Rust DLL hijacking persistence targeting .NET host library"
+        author = "The Hunters Ledger"
+        date = "2026-01-26"
+        reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-nethost-dll/"
+        hash_sha256 = "158f61b6d10ea2ce78769703a2ffbba9c08f0172e37013de960d9efe5e9fde14"
+        hash_sha1 = "622ddbacaf769aef383435162a203489c08c8468"
+        hash_md5 = "f91ff1bb5699524524fff0e2587af040"
+        family = "Arsenal-237"
+        malware_type = "C2 Communication Module"
+
+    condition:
+        hash.sha256(0, filesize) == "158f61b6d10ea2ce78769703a2ffbba9c08f0172e37013de960d9efe5e9fde14" or
+        hash.md5(0, filesize) == "f91ff1bb5699524524fff0e2587af040" or
+        hash.sha1(0, filesize) == "622ddbacaf769aef383435162a203489c08c8468"
+}
+
+rule Arsenal237_nethost_C2_Strings {
+    meta:
+        description = "Detects Arsenal-237 nethost.dll by hardcoded C2 target strings and environment variable discovery concatenation artifact"
+        author = "The Hunters Ledger"
+        date = "2026-01-26"
+        reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-nethost-dll/"
+        family = "Arsenal-237"
+        malware_type = "C2 Communication Module"
+
+    strings:
+        $c2_targets = "8.8.8.8:53127.0.0.1ntdll.dll" ascii
+        $env_discovery = "COMPUTERNAMEUSERNAME" ascii
+        $rust_panic = "runtime error" ascii
+        $winsock_init = "WSAStartup" ascii
+
+    condition:
+        ($c2_targets or $env_discovery) and uint16(0) == 0x5A4D
+}
+
+rule Arsenal237_nethost_PowerShell_Templates {
+    meta:
+        description = "Detects Arsenal-237 nethost.dll embedded PowerShell command templates for service enumeration, file download, and C2 response parsing"
+        author = "The Hunters Ledger"
+        date = "2026-01-26"
+        reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-nethost-dll/"
+        family = "Arsenal-237"
+        malware_type = "C2 Communication Module"
+
+    strings:
+        $ps_service = "Get-Service|?{$_.Status -eq ''}" ascii
+        $ps_download = "Invoke-WebRequest -Uri '' -OutFile ''" ascii
+        $upload_prefix = "pathB64:" ascii
+        $response_keywords = "resultmachine_idsuccess" ascii
+
+    condition:
+        3 of them and uint16(0) == 0x5A4D
+}
+
+rule Arsenal237_nethost_Winsock_Init {
+    meta:
+        description = "Detects Arsenal-237 nethost.dll Winsock 2.2 initialization pattern with WSASocket and environment variable enumeration"
+        author = "The Hunters Ledger"
+        date = "2026-01-26"
+        reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-nethost-dll/"
+        family = "Arsenal-237"
+        malware_type = "C2 Communication Module"
+
+    strings:
+        $ws_startup = { C7 ?? ?? 02 02 00 }
+        $wsa_socket = "WSASocket" ascii
+        $connect_api = "connect" ascii
+        $env_vars = "COMPUTERNAME" ascii
+
+    condition:
+        all of them and uint16(0) == 0x5A4D
+}
+
+rule Arsenal237_nethost_Rust_Indicators {
+    meta:
+        description = "Detects Arsenal-237 nethost.dll Rust compilation indicators including panic handler and standard library artifacts"
+        author = "The Hunters Ledger"
+        date = "2026-01-26"
+        reference = "https://pixelatedcontinuum.github.io/Threat-Intel-Reports/hunting-detections/arsenal-237-nethost-dll/"
+        family = "Arsenal-237"
+        malware_type = "C2 Communication Module"
+
+    strings:
+        $rust_panic = "rust_panic" ascii
+        $rustc_artifact = ".rustc_artifact" ascii
+        $rust_std = "std::panic" ascii
+        $assertion_fail = "assertion `left  right` failed" ascii
+
+    condition:
+        2 of them and uint16(0) == 0x5A4D
+}