Skip to content
Go to file


This repository includes all malware indicators that were found during the course of Citizen Lab investigations. Each directory corresponds to a single Citizen Lab report as seen below.


Directory Link Published
202006_DarkBasin Dark Basin: Uncovering a Massive Hack-For-Hire Operation June 9, 2020
201909_MissingLink MISSING LINK: Tibetan Groups Targeted with Mobile Exploits Sept 24, 2019
201905_EndlessMayfly Burned After Reading: Endless Mayfly’s Ephemeral Disinformation Campaign May 14, 2019
201810_TheKingdomCameToCanada The Kingdom Came to Canada: How Saudi-Linked Digital Espionage Reached Canadian Soil Oct 1, 2018
201808_FamiliarFeeling Familiar Feeling: A Malware Campaign Targeting the Tibetan Diaspora Resurfaces Aug 8, 2018
201803_BadTraffic Bad Traffic: Sandvine’s PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads? Mar 8, 2018
201801_SpyingOnABudget Spying on a Budget: Inside a Phishing Operation with Targets in the Tibetan Community Jan 30, 2018
201712_Cyberbit Champing at the Cyberbit: Ethiopian Dissidents Targeted with New Commercial Spyware Dec 6, 2017
201707_InsiderInfo Insider Information: An intrusion campaign targeting Chinese language news sites Jul 5, 2017
201706_RecklessRedux Reckless Redux: Senior Mexican Legislators and Politicians Targeted with NSO Spyware Jun 29, 2017
201706_RecklessExploit Reckless Exploit: Mexican Journalists, Lawyers, and a Child Targeted with NSO Spyware Jun 19, 2017
201705_TaintedLeaks Tainted Leaks: Disinformation and Phishing With a Russian Nexus May 25, 2017
201702_NilePhish Nile Phish: Large-Scale Phishing Campaign Targeting Egyptian Civil Society Feb 2, 2017
201611_KeyBoy It’s Parliamentary: KeyBoy and the targeting of the Tibetan Community Nov 11, 2016
201608_NSO_Group "The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender" Aug 24, 2016
201608_Group5 "Group5: Syria and the Iranian Connection" Aug 2, 2016
201605_Stealth_Falcon "Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents" May 29, 2016
201604_UP007_SLServer Between Hong Kong and Burma: Tracking UP007 and SLServer Espionage Campaigns Apr 18, 2016
201603_Shifting_Tactics Shifting Tactics: Tracking changes in years-long espionage campaign against Tibetans Mar 10, 2016
201512_PackRAT "Packrat: Seven Years of a South American Threat Actor" Dec 8, 2015
201510_NGO_Burma Targeted Malware Attacks against NGO Linked to Attacks on Burmese Government Websites Oct 16, 2015
201411_Communities@Risk Communities @ Risk: Targeted Digital Threats Against Civil Society. Nov 11, 2014

Yara signatures can be found here


The indicators are provided in the following formats.

  • CSV - plain text comma seperated value with the following columns:
    • uuid - A unique identifier for the indicator.
    • event_id - a number that corresponds to the event.
    • category - type of broad category for indicator (ex: network activity, payload)
    • type - type of indicator (ex: ip-dst, domain, url)
    • comment - text comment or annotation
    • to_ids - whether this indicator is applicable to be included in an IDS or not
    • date - the data when the indicator was added.
  • MISP JSON - Structured format used by the Malware Information Sharing Platform
  • OpenIOC - Format for OpenIOC an open framework for sharing threat intelligence.
  • STIX XML - Format used by the STIX project


All data is provided under Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International and available in full here and summarized here

You can’t perform that action at this time.