{
	"id": "8a42ecaa-5409-4fde-bbc2-cdea81cbb36c",
	"created_at": "2026-04-06T01:29:38.413889Z",
	"updated_at": "2026-04-10T03:35:28.823717Z",
	"deleted_at": null,
	"sha1_hash": "6975e2a8602c2a13f6884d2d52255f48e8e5f3b7",
	"title": "Tracking StrongPity with Yara",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5555761,
	"plain_text": "Tracking StrongPity with Yara\r\nBy RJM\r\nPublished: 2022-02-12 · Archived: 2026-04-06 00:26:32 UTC\r\nDisclaimer: The views, methods, and opinions expressed at Anchored Narratives are those of the author and do not necessarily reflect the official policy or position of my employer.\r\nhttps://anchorednarratives.substack.com/p/tracking-strongpity-with-yara\r\nPage 1 of 8\n\nCover: Turkish delight\r\nHere’s the latest Anchored Narrative with a follow-up story on the alleged Turkish nation-state actor StrongPity. Thanks for being a subscriber, and welcome to the new subscribers. As always, if you have any tips, comments, or great examples of disputed threat intelligence narratives for me, send them to robertjanm@anchorednarratives.com. Anchored Narratives is now also on Twitter @AnchoredNarrat1.\r\nIn the previous article about StrongPity, their history of used malware and their preferred malware infection method were covered. This article will outline how you can track a nation-state actor by leveraging the power of Yara. Yara is called the pattern-matching Swiss army knife for malware researchers and is under constant development, providing new features. After the last article in April 2021 on StrongPity, I developed a custom Yara signature (rule) to determine if it could track new campaigns or activity used by this nation-state actor. In this article, I will cover the creation of custom Yara rules with the well-known IDA disassembler, test them, implement them on VirusTotal Intelligence or Malpedia and perform a retrohunt. I will not cover the basics of Yara or how basic rules are constructed. Let’s go!\r\nAs explained in one of the first articles on Anchored Narratives, you can implement threat intelligence on many different sources.
One of these sources is newly submitted malware samples on VirusTotal or Malpedia that are matched against custom Yara rules implemented by malware or threat analysts who track ransomware or nation-state actors. VirusTotal Intelligence (hereafter: VTI) is a paid service. The platform provides access to a large corpus of malware samples submitted by users or companies, and the samples are stored for a longer period of time. VTI is used by security researchers for threat hunting or for finding similar files or known exploits. Researchers can basically implement alarms with Yara rules on known exploits, ransomware, or malware used by nation-state actors.\r\nSo after a period of StrongPity silence since the end of April 2021, last week I received an alert on a new sample that matched my custom Yara rule. The details of the malware sample can be seen in the figure below.\r\nFigure 1: Screenshot VirusTotal Intelligence on StrongPity\r\nSHA256: debf8937623397e35359cd8e758283857eb0e161a5038f3637f496838ddeadd0\r\nC2: https://informationserviceslab.com/parse_ini_file.php IP: 45.153.243.141\r\nThis time the malware sample reached out to the command and control server “https://informationserviceslab.com”, which was not yet known to me. But what triggered the Yara rule, and how was the rule built? VirusTotal provides functionality that highlights the matched context of the Yara rule. As you might recall from the last article, the StrongPity malware has quite some interesting ‘strings’ that could be leveraged in a Yara rule, and XOR routines to decrypt the encoded domain name, etc. Figure 2 highlights a specific hex pattern below that starts with “66 31 BC 45”, reflecting such a routine.
Figure 2: Screenshot of the matched context with the XOR-routine 66 31 BC 45\r\nThe Yara rule was triggered because of the three matching elements in the rule. But how was this high-fidelity Yara rule built? Let’s dive into that.\r\nAs mentioned earlier, VirusTotal Intelligence provides powerful functionality to search for similar samples. Based on earlier StrongPity reporting by ESET and Citizen Lab, multiple samples were downloaded with the intent to track StrongPity.\r\nIn an in-company Yara training delivered by well-known security researcher Andreas Schuster many years ago, his advice was to focus on custom implementations of algorithms or routines by actors as a way to track adversaries. He demonstrated great examples back then of tracking specific Chinese nation-state actors. With that advice in mind, I started building the Yara rule to see if there was an additional way to track them. One way to assess these discriminating artifacts is by leveraging IDA, as in this example. Before we start, make sure you have increased the number of opcode bytes (machine code) displayed in IDA 7 (free). This is a way to highlight repetitive or unique byte sequences in relevant malware samples.\r\nFigure 3: Screenshot of the Options tab in IDA\r\nIn this article, only several of the many StrongPity samples are covered and explained below.\r\nStrongPity: b9f9fb303bc605410bc1a7095da6f77d5880a1a233f849375c1aa652f9d52e1a\r\nStrongPity usually holds several XOR routines with different XOR values to decode different information stored in each sample. This was covered in the earlier piece on StrongPity.
So open the malware sample in IDA and determine if you can distinguish a unique routine from the actor. One of the XOR decoding routines is highlighted below.\r\nFigure 4: Screenshot XOR decoding routine\r\nCould we make a Yara pattern of this routine? In the screenshot above, you can see an opcode byte pattern that starts with “66 83 B4 45 FC FE” and ends with the bytes “72 F1”. Let’s examine the next sample.\r\nStrongPity: 8a7c9c4e80292bed56980d0d0fdf7c0e9693e05e3051392d5820f5037fd8f02c\r\nFigure 5: Screenshot another XOR decoding routine\r\nIn this different sample, you notice a similar sequence of opcode byte patterns. After this, I examined some other samples and came up with the following Yara patterns to match StrongPity samples.\r\n$opcodexor1 = {66 31 ?? ?5 ?? F? FF FF 4? 83 F? ?? 72 F?}\r\n$opcodexor2 = {66 83 B4 ?5 ?? F? FF FF [2-5] 72 F?}\r\nWithin Yara, you can match on text strings or on byte patterns in hexadecimal form. So with the above instructions, Yara will match against the routine found in the StrongPity malware samples. The “??” values are a wildcard and match any value. The values between the square brackets separated by a hyphen [-] are seen as a jump and match an arbitrary sequence from 4 to 5 bytes. By themselves, only those XOR patterns would trigger too many false positives. So normally you would also leverage some telling strings found in malware samples to strengthen the Yara rule and really zoom in on a certain actor. This will reduce the number of false positives or false negatives. The StrongPity samples that I analyzed hold many of those telling strings. A very nice tool developed by Florian Roth called yarGen was leveraged to find those patterns automatically.
After a bit of testing, the following StrongPity Yara rule was created, listed below, and implemented on VTI.\r\nrule log_strongpity {\r\n    meta:\r\n        description = \"Strongpity - xor routine.txt\"\r\n        author = \"RJM\"\r\n        date = \"2021-04-20\"\r\n    strings:\r\n        $s1 = \"Content-Disposition: form-data; name=\\\"file\\\"; \" fullword ascii\r\n        $s2 = \"Content-Type: multipart/form-data; boundary=----Boundary%08X\" fullword wide\r\n        $s3 = \"SecurityHost.exe\" fullword wide\r\n        $s4 = \"-CreateMutexW\" fullword ascii\r\n        $s5 = \"name=%ls\u0026delete=WinHttpWriteDataWinHttpQueryHeadWinHttpCloseHandWinHttpReceiveReWinHttpO\r\n        $s6 = \"Windows Security Host\" fullword wide\r\n        $opcodexor1 = {66 31 ?? ?5 ?? F? FF FF 4? 83 F? ?? 72 F?}\r\n        $opcodexor2 = {66 83 B4 ?5 ?? F? FF FF [2-5] 72 F?}\r\n    condition:\r\n        ( uint16(0) == 0x5a4d and filesize \u003c 200KB and ( 3 of them ) ) or ( all of them )\r\n}\r\nAs I wrote earlier, I previously downloaded 29 StrongPity samples via the similarity search functionality in VirusTotal Intelligence. So let’s test if the rule is reliable enough to detect the samples. All the samples are stored in different directories underneath the “apt/Turkey/Strongpity” folder.\r\nFigure 5: Screenshot of matching opcodes in StrongPity samples\r\nFigure 5 highlights Yara matches on the decoding routines found in the IDA disassembler. Now let’s see how many samples are detected with the manually created Yara rule.\r\nFigure 6: Screenshot all the malware samples\r\nThe StrongPity Yara rule matched exactly 29 samples. After testing it on other malware samples, the rule seems solid and did not produce any false positives. So basically, the next step is to implement the Yara rule as a live hunt rule in VirusTotal Intelligence.
This resulted in the match of a brand new StrongPity sample covered in the introduction of this article. The reason for implementing it first as a live hunt rule is to assess if it generates false positives or false negatives on that platform. I have made many mistakes in the past where I deployed a too generic rule. So testing and validating are very important.\r\nFor paid subscribers or researchers, VirusTotal Intelligence provides a capability to search across multiple samples. For regular users, the corpus of malware samples that is searched covers 3 months. If you are a pro user, you can search the entire corpus for the past 12 months. Retrohunts are usually limited and expensive searches. Similar searches can be conducted on Malpedia or other platforms that support Yara rules and store historical malware samples.\r\nSo after I verified the rule, the StrongPity retrohunt was executed. After a while, the rule matched 127 StrongPity samples in the past 12 months, and only 9 in the past 3 months.\r\nFigure 7: Screenshot of the StrongPity Retrohunt and hits\r\nUpon inspection, none of the 9 samples that matched were false positives. Maybe someone with VTI pro access can run the StrongPity retrohunt to obtain the full results for further assessment? Reach out if you were able to obtain all samples and if there were any false positives.\r\nYara is a good way to distinguish between malware of a given family and other files based on known patterns, and to obtain intelligence on relevant nation-state actors or ransomware actors. In this article, I outlined a method to build a discriminating Yara rule that was leveraged to track a known nation-state adversary, in this case the alleged Turkish actor group StrongPity. The rule was also used to perform a successful retrohunt.
With the StrongPity Yara rule, we can track new malware samples of the actor and collect many historical samples for the past year(s). There could also be other routines leveraged by StrongPity that discriminate and provide even better insights into how big their spyware campaigns are. That said, finding 127 malware samples submitted to VirusTotal in the past 12 months with a custom-built Yara rule indicates the rule has high fidelity and that the actors behind StrongPity must be collecting massive amounts of personal data. I’m curious about how this data collected from different victims in countries around the globe is processed.\r\nThe StrongPity actor remains very active and obtains new infrastructure per campaign, it seems. The next threat actor that will be covered as an Anchored Narrative is from the Asia-Pacific region. Until next time, and reach out if you want to share different or additional insights or feedback.\r\nSource: https://anchorednarratives.substack.com/p/tracking-strongpity-with-yara",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://anchorednarratives.substack.com/p/tracking-strongpity-with-yara"
	],
	"report_names": [
		"tracking-strongpity-with-yara"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "67fbc7d7-ba8e-4258-b53c-9a5d755e1960",
			"created_at": "2022-10-25T16:07:24.077859Z",
			"updated_at": "2026-04-10T02:00:04.860725Z",
			"deleted_at": null,
			"main_name": "Promethium",
			"aliases": [
				"APT-C-41",
				"G0056",
				"Magenta Dust",
				"Promethium",
				"StrongPity"
			],
			"source_name": "ETDA:Promethium",
			"tools": [
				"StrongPity",
				"StrongPity2",
				"StrongPity3",
				"Truvasys"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cbede712-4cc3-47c6-bf78-92fd9f1beac6",
			"created_at": "2022-10-25T15:50:23.777222Z",
			"updated_at": "2026-04-10T02:00:05.399303Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"PROMETHIUM",
				"StrongPity"
			],
			"source_name": "MITRE:PROMETHIUM",
			"tools": [
				"Truvasys",
				"StrongPity"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4660477f-333f-4a18-b49b-0b4d7c66d482",
			"created_at": "2023-01-06T13:46:38.511962Z",
			"updated_at": "2026-04-10T02:00:03.007466Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"StrongPity",
				"G0056"
			],
			"source_name": "MISPGALAXY:PROMETHIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438978,
	"ts_updated_at": 1775792128,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6975e2a8602c2a13f6884d2d52255f48e8e5f3b7.pdf",
		"text": "https://archive.orkl.eu/6975e2a8602c2a13f6884d2d52255f48e8e5f3b7.txt",
		"img": "https://archive.orkl.eu/6975e2a8602c2a13f6884d2d52255f48e8e5f3b7.jpg"
	}
}