Skip to content


Switch branches/tags

Latest commit


Git stats


Failed to load latest commit information.


This repository includes all malware indicators that were found during the course of Citizen Lab investigations. Each directory corresponds to a single Citizen Lab report as seen below.


Directory Link Published
202006_DarkBasin Dark Basin: Uncovering a Massive Hack-For-Hire Operation June 9, 2020
201909_MissingLink MISSING LINK: Tibetan Groups Targeted with Mobile Exploits Sept 24, 2019
201905_EndlessMayfly Burned After Reading: Endless Mayfly’s Ephemeral Disinformation Campaign May 14, 2019
201810_TheKingdomCameToCanada The Kingdom Came to Canada: How Saudi-Linked Digital Espionage Reached Canadian Soil Oct 1, 2018
201808_FamiliarFeeling Familiar Feeling: A Malware Campaign Targeting the Tibetan Diaspora Resurfaces Aug 8, 2018
201803_BadTraffic Bad Traffic: Sandvine’s PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads? Mar 8, 2018
201801_SpyingOnABudget Spying on a Budget: Inside a Phishing Operation with Targets in the Tibetan Community Jan 30, 2018
201712_Cyberbit Champing at the Cyberbit: Ethiopian Dissidents Targeted with New Commercial Spyware Dec 6, 2017
201707_InsiderInfo Insider Information: An intrusion campaign targeting Chinese language news sites Jul 5, 2017
201706_RecklessRedux Reckless Redux: Senior Mexican Legislators and Politicians Targeted with NSO Spyware Jun 29, 2017
201706_RecklessExploit Reckless Exploit: Mexican Journalists, Lawyers, and a Child Targeted with NSO Spyware Jun 19, 2017
201705_TaintedLeaks Tainted Leaks: Disinformation and Phishing With a Russian Nexus May 25, 2017
201702_NilePhish Nile Phish: Large-Scale Phishing Campaign Targeting Egyptian Civil Society Feb 2, 2017
201611_KeyBoy It’s Parliamentary: KeyBoy and the targeting of the Tibetan Community Nov 11, 2016
201608_NSO_Group "The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender" Aug 24, 2016
201608_Group5 "Group5: Syria and the Iranian Connection" Aug 2, 2016
201605_Stealth_Falcon "Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents" May 29, 2016
201604_UP007_SLServer Between Hong Kong and Burma: Tracking UP007 and SLServer Espionage Campaigns Apr 18, 2016
201603_Shifting_Tactics Shifting Tactics: Tracking changes in years-long espionage campaign against Tibetans Mar 10, 2016
201512_PackRAT "Packrat: Seven Years of a South American Threat Actor" Dec 8, 2015
201510_NGO_Burma Targeted Malware Attacks against NGO Linked to Attacks on Burmese Government Websites Oct 16, 2015
201411_Communities@Risk Communities @ Risk: Targeted Digital Threats Against Civil Society. Nov 11, 2014

Yara signatures can be found here


The indicators are provided in the following formats.

  • CSV - plain text comma seperated value with the following columns:
    • uuid - A unique identifier for the indicator.
    • event_id - a number that corresponds to the event.
    • category - type of broad category for indicator (ex: network activity, payload)
    • type - type of indicator (ex: ip-dst, domain, url)
    • comment - text comment or annotation
    • to_ids - whether this indicator is applicable to be included in an IDS or not
    • date - the data when the indicator was added.
  • MISP JSON - Structured format used by the Malware Information Sharing Platform
  • OpenIOC - Format for OpenIOC an open framework for sharing threat intelligence.
  • STIX XML - Format used by the STIX project


All data is provided under Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International and available in full here and summarized here