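import "hash"

rule DockerPwn_v2_Universal_Persistence_Script
{
    meta:
        description = "Universal Docker Pwn Script v2 - SSH-key implant + 2375/2376 closure (both builds)"
        author = "Cyfar / boredchilada"
        date = "2026-05-28"
        ref = "Engagement 45.92.1[.]231 against Docker Engine API"
        sha256_v1 = "ae93e852a0a7aba60258582806c4f36885609016954a31ff6ce4fefcbbb14e17"
        sha256_v2 = "a6e8eca1a19d804836968dea1e4e30f9abbc455be7751d10e2b066fc146c7e39"

    strings:
        // Presumably the script's banner / attribution text; low fidelity on their own.
        $marker1 = "Universal Docker Pwn Script v2"
        $marker2 = "by Polly for"
        // Delimiter text, presumably written around the script's managed SSH entry.
        $marker3 = "BEGIN dockerpwn managed ssh"
        // Fragment of an ed25519 public key ("AAAAC3NzaC1lZDI1NTE5" is the base64
        // ssh-ed25519 key-type header); the most specific marker in the set.
        $marker4 = "AAAAC3NzaC1lZDI1NTE5AAAAIMhfiGeykxXnvdARJXQSCouFsIHeG"
        // Artefacts that look tied to the 2375/2376 closure: a renamed daemon config
        // and a helper function name.
        $marker5 = "daemon.json.disabled-by-dockerpwn"
        $marker6 = "strip_tcp_2375_hosts"
        // Text referencing a secondary agent install step.
        $marker7 = "Install VoidLink botnet agent"

    condition:
        // Cheap branch first: any two corpus markers (the script may be re-tagged, so no
        // single string is required). These are plain strings, so this branch also fires
        // on files that merely quote them, including this rule file itself.
        2 of ($marker*)
        // Exact-file match on either known build. Hashing the whole object on every scan
        // is the expensive part of this rule, so the hash branch is bounded by size.
        // 1MB is a constructed ceiling, far above any shell script; tune it once the
        // sizes of both builds are confirmed. A copy padded past the limit still hits
        // via the marker branch.
        or (
            filesize < 1MB
            and (
                hash.sha256(0, filesize) == "ae93e852a0a7aba60258582806c4f36885609016954a31ff6ce4fefcbbb14e17"
                or hash.sha256(0, filesize) == "a6e8eca1a19d804836968dea1e4e30f9abbc455be7751d10e2b066fc146c7e39"
            )
        )
}
Host / EDR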
YARA rule for the persistence-script body, suitable for endpoint EDR rule packs and dropped-file inspection. Matches either exact build by SHA-256, or any two corpus markers (the script may be re-tagged). Because the markers are plain strings, the two-marker branch will also fire on anything that quotes them — reports, tickets, or the rule file itself — so a hit outside a script or dropped-file context needs a quick triage before it is treated as an implant.