This repository includes all malware indicators that were found during the course of Citizen Lab investigations. Each directory corresponds to a single Citizen Lab report as seen below.
Yara signatures can be found here
The indicators are provided in the following formats.
- CSV - plain text comma seperated value with the following columns:
- uuid - A unique identifier for the indicator.
- event_id - a number that corresponds to the event.
- category - type of broad category for indicator (ex: network activity, payload)
- type - type of indicator (ex: ip-dst, domain, url)
- comment - text comment or annotation
- to_ids - whether this indicator is applicable to be included in an IDS or not
- date - the data when the indicator was added.
- MISP JSON - Structured format used by the Malware Information Sharing Platform
- OpenIOC - Format for OpenIOC an open framework for sharing threat intelligence.
- STIX XML - Format used by the STIX project