Antivirus - APT Malware Signature

Original Source: [Sigma source]
Title: Antivirus - APT Malware Signature
Status: experimental
Description: Detects a highly relevant antivirus alert that reports APT malware. This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.
References:
  - https://www.nextron-systems.com/?s=antivirus
Author: Arnim Rupp (Nextron Systems)
Date: 2026-06-15
Modified: None
Tags:
  - attack.execution
  - attack.t1203
  - attack.command-and-control
  - attack.t1219.002
Logsource:
  category: antivirus
Detection:
  selection:
    - Signature|re:
      - 'APT\d'
      - 'ATK\d'
      - 'UNC\d'
      - 'UAC\d'
    - Signature|contains:
      - '[APT]'
      - 'APT_'
      - 'APT-'
      - 'BackOrder'
      - 'BlindingCan'
      - 'Blizzard'
      - 'Chollima'
      - 'Cleaver'
      - 'Cobra'
      - 'DarkHotel'
      - 'Dragon'
      - 'DTrack'
      - 'Equation'
      - 'GiftedCrook'
      - 'GraphSteel'
      - 'GreyEnergy'
      - 'GEnergy'
      - 'GrimPlant'
      - 'Hydra'
      - 'Jackal'
      - 'Kitten'
      - 'Kimsuky'
      - 'Lazar'
      - 'LightRail'
      - 'Lotus'
      - 'Luminous'
      - 'LumiMoth'
      - 'Nimbus'
      - 'Manticore'
      - 'MiniBike'
      - 'MiniBrowse'
      - 'MiniBus'
      - 'MiniFast'
      - 'MiniJuke'
      - 'MiniUpdate'
      - 'MuddyWater'
      - 'NukeSped'
      - 'OilRig'
      - 'Panda'
      - 'Sandstorm'
      - 'SandWorm'
      - 'Seamonkey'
      - 'Sleet'
      - 'SlugResin'
      - 'SnailResin'
      - 'Snake'
      - 'Tempest'
      - 'Tsunami'
      - 'Turla'
      - 'Typhoon'
      - 'UAC_'
      - 'UAC-'
      - 'UNC_'
      - 'UNC-'
      - 'VinoSiren'
      - 'Winnti'
  condition: selection
Falsepositives:
  - Unlikely
Level: critical
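The selection above is a list of two maps, which Sigma evaluates as an OR: an event matches when its Signature field either satisfies one of the unanchored regular expressions or contains one of the listed substrings. The following Python is an added example, not code from the Sigma project or from Nextron Systems, that implements that selection logic and runs it over a handful of constructed antivirus events (no real vendor output). It assumes the documented Sigma semantics that plain string matching with `contains` is case-insensitive while the `re` modifier is a case-sensitive search; the event field names other than Signature are invented for the sample.

```python
import re

# Patterns copied verbatim from the rule's "Signature|re" list.
# Sigma "re" is an unanchored search; assumed case-sensitive (Sigma default for re).
SIGNATURE_REGEXES = [re.compile(p) for p in (r"APT\d", r"ATK\d", r"UNC\d", r"UAC\d")]

# Substrings copied verbatim from the rule's "Signature|contains" list.
SIGNATURE_SUBSTRINGS = [
    "[APT]", "APT_", "APT-", "BackOrder", "BlindingCan", "Blizzard", "Chollima",
    "Cleaver", "Cobra", "DarkHotel", "Dragon", "DTrack", "Equation", "GiftedCrook",
    "GraphSteel", "GreyEnergy", "GEnergy", "GrimPlant", "Hydra", "Jackal", "Kitten",
    "Kimsuky", "Lazar", "LightRail", "Lotus", "Luminous", "LumiMoth", "Nimbus",
    "Manticore", "MiniBike", "MiniBrowse", "MiniBus", "MiniFast", "MiniJuke",
    "MiniUpdate", "MuddyWater", "NukeSped", "OilRig", "Panda", "Sandstorm",
    "SandWorm", "Seamonkey", "Sleet", "SlugResin", "SnailResin", "Snake", "Tempest",
    "Tsunami", "Turla", "Typhoon", "UAC_", "UAC-", "UNC_", "UNC-", "VinoSiren", "Winnti",
]


def matches_apt_signature(signature: str) -> bool:
    """Return True when the AV signature name satisfies the rule's selection.

    The two maps inside "selection" are OR'ed, as are the entries inside each
    list, so any single regex hit or any single substring hit is enough.
    Sigma string matching ("contains") is case-insensitive, so both sides are
    lower-cased; the regex branch is left case-sensitive (assumed Sigma default).
    """
    if any(rx.search(signature) for rx in SIGNATURE_REGEXES):
        return True
    lowered = signature.lower()
    return any(needle.lower() in lowered for needle in SIGNATURE_SUBSTRINGS)


# Constructed sample events; signature strings are made up for illustration and
# are not real detections. "Computer" is an assumed field name.
SAMPLE_EVENTS = [
    {"Computer": "ws-0042", "Signature": "Backdoor.Win32.APT28.Gen"},      # regex APT\d
    {"Computer": "ws-0042", "Signature": "Trojan.Turla.Agent"},            # contains Turla
    {"Computer": "srv-db1", "Signature": "HackTool.UNC2452.Downloader"},   # regex UNC\d
    {"Computer": "ws-0107", "Signature": "trojan.kimsuky.dropper"},        # case-insensitive contains
    {"Computer": "ws-0107", "Signature": "Trojan:Win32/Kryptik.X"},        # generic name, no hit
    {"Computer": "ws-0201", "Signature": "EICAR-Test-File"},               # test file, no hit
]


def apt_alerts(events):
    """Return the events that would raise this rule's critical-level alert."""
    return [e for e in events if matches_apt_signature(e.get("Signature", ""))]


if __name__ == "__main__":
    for event in apt_alerts(SAMPLE_EVENTS):
        print(f"{event['Computer']}: {event['Signature']}")
```

Note that a lower-cased signature such as `apt1` does not fire: the `re` branch is case-sensitive and none of the `contains` strings cover a bare `apt` followed by a digit, so a backend that lower-cases signature names before logging would need the regexes given a case-insensitive flag. Short substrings like `Panda`, `Dragon` or `Snake` deliberately match any signature family that embeds them, which is why the rule lists false positives as unlikely but not impossible; triage the alert rather than suppressing it.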