Comprehensive Threat Intelligence Repository
Malware Analysis • IOC Feeds • YARA Rules • Hunting Queries • STIX Bundles • MITRE ATT&CK Mappings
```text
Dragon-ThreatResearchHQ/
│
├── APT-Groups/                      # State-sponsored threat actor profiles & campaigns
│   ├── APT29-CozyBear/              # Russia — 5,407 IOCs
│   ├── APT39/                       # Iran — 51 IOCs
│   ├── BitterAPT/                   # South Asia — 19 IOCs
│   ├── DroppingElephant/            # India — 9 IOCs
│   ├── EquationGroup/               # USA — 422 IOCs
│   ├── FIN7/                        # Russia — 3,272 IOCs
│   ├── Kimsuky-APT43/               # North Korea — 11 IOCs
│   ├── MuddyWater/                  # Iran (MOIS) — 307 IOCs, 6 campaigns
│   ├── RedDelta/                    # China — 287 IOCs
│   ├── ScatteredSpider/             # Multi — 214 IOCs
│   ├── SideWinder/                  # India — 364 IOCs
│   ├── Storm-1811/                  # Unknown — 15 IOCs
│   ├── DragonFly-GhostBlizzard/     # Russia (FSB) — 8 IOCs, 2 YARA (DynoWiper)
│   ├── PrinceOfPersia/              # Iran — 95 IOCs (Tornado, Foudre, Tonnerre)
│   ├── UNC5221/                     # China
│   ├── VoidArachne-SilverFox/       # China — 6 IOCs (ValleyRAT/Winos 4.0)
│   └── VoltTyphoon/                 # China — 194 IOCs
│
├── Malware/                         # Malware families by category
│   ├── RATs/                        # EtherRAT (92), MoonriseRAT
│   ├── Stealers/                    # LummaStealer (817), OdysseyStealer (51), ...
│   ├── Backdoors/                   # Brickstorm (35)
│   ├── Loaders/                     # AeternumLoader (63), Phoenix
│   ├── Miners/                      # XMRig-BYOVD (cryptojacking)
│   └── Wipers/                      # DynoWiper + RTU Wiper (ICS/OT)
│
├── C2-Frameworks/                   # C2 framework analysis
│   ├── CobaltStrike/                # 1,235 IOCs, beacon configs, YARA
│   └── VenusC2/                     # 5 IOCs
│
├── Campaigns/                       # Standalone campaigns (not actor-specific)
│   ├── 2024-06_RegreSSHion_CVE-2024-6387/
│   └── 2024-08_GhostTap-NFC/        # Chinese NFC payment relay fraud
│
├── Detection-Rules/                 # Generic detection rules
│   └── Yara/                        # xor_hunter.yar, office_startup_anomaly.yar
│
├── feeds/                           # Aggregated IOC feeds (SIEM-ready)
│   ├── all_iocs.csv                 # 12,459 IOCs — master CSV
│   ├── domains.txt                  # 2,398 domains
│   ├── ips.txt                      # 2,679 IPs
│   ├── hashes.txt                   # 6,608 hashes (SHA256/SHA1/MD5)
│   ├── urls.txt                     # 413 URLs
│   └── cves.txt                     # 119 CVEs
│
├── scripts/                         # Automation
│   └── aggregate_iocs.py            # IOC aggregation & feed generation
│
├── Templates/                       # Standardized templates for new entries
├── Resources/                       # Reference material
├── index.json                       # Machine-readable threat index
├── CONTRIBUTING.md                  # Contribution guidelines
├── CODE_OF_CONDUCT.md               # Code of conduct
└── LICENSE                          # MIT License
```

| Group | Origin | IOCs | Campaigns | YARA | Report |
|---|---|---|---|---|---|
| MuddyWater | Iran | 307 | 6 | — | Profile |
| APT29 / Cozy Bear | Russia | 5,407 | — | — | — |
| FIN7 | Russia | 3,272 | — | — | — |
| Equation Group | USA | 422 | — | — | — |
| SideWinder | India | 364 | — | — | — |
| Red Delta | China | 287 | — | — | — |
| Scattered Spider | Multi | 214 | — | — | — |
| Volt Typhoon | China | 194 | — | — | — |
| APT39 | Iran | 51 | — | — | — |
| Bitter APT | South Asia | 19 | 1 | — | Profile |
| Storm-1811 | Unknown | 15 | — | — | — |
| Kimsuky / APT43 | N. Korea | 11 | 1 | — | Profile |
| DragonFly / Ghost Blizzard | Russia | 8 | 1 | 2 rules | Profile |
| Dropping Elephant | India | 9 | — | — | Profile |
| Prince of Persia | Iran | 95 | 1 | — | Profile |
| Void Arachne / Silver Fox | China | 6 | — | — | Profile |
| Silver Dragon | China (APT41) | 44 | 1 | — | Profile |
| UNC5221 | China | — | — | — | Profile |

| Campaign | Period | Tooling | IOCs | Report |
|---|---|---|---|---|
| MuddyViper / Snakes by the Riverbank | Sep 2024 – Mar 2025 | Fooder, MuddyViper, CE-Notes, LP-Notes, Blub, go-socks5 | 75 | README |
| Operation Olalampo | Jan – Feb 2026 | CHAR, GhostFetch, GhostBackDoor, HTTP_VIP | 58 | README |
| RustyWater | Jan 2026 – | RUSTRIC / Archer RAT | 1 | README |
| DHCSpy | Jul 2023 | DHCSpy Android Spyware | 19 | README |
| Sep 2024 Campaign | Sep 2024 | Various | 75 | — |
| 2025 Campaign | 2025 | Various | 8 | — |

| Malware | Type | IOCs | YARA | Report |
|---|---|---|---|---|
| Lumma Stealer | Stealer | 817 | 1 rule | — |
| EtherRAT | RAT | 92 | — | README |
| Aeternum Loader | Loader | 63 | 1 rule | README |
| Odyssey Stealer | Stealer/RAT | 51 | — | README |
| Brickstorm | Backdoor | 35 | 9 rules | — |
| Snake Keylogger | Keylogger | 19 | — | — |
| Meduza Stealer | Stealer | 13 | — | — |
| AMOS / Atomic Stealer | Stealer (macOS) | 9 | — | README |
| BLX Stealer | Stealer | 2 | — | — |
| Moonrise RAT | RAT | — | — | — |
| Phoenix | Loader/Backdoor | — | — | README |
| XMRig BYOVD | Miner | 4 | — | README |
| DynoWiper | Wiper (ICS) | 4 | 2 rules | README |

| Framework | IOCs | Beacon Configs | YARA | C2 List |
|---|---|---|---|---|
| Cobalt Strike | 1,235 | configs/ | 3 rules | c2_list.md |
| Venus C2 | 5 | — | — | README |

| Campaign | Date | IOCs | Description |
|---|---|---|---|
| RegreSSHion CVE-2024-6387 | Jun 2024 | 31 | OpenSSH RCE vulnerability exploitation |
| Ghost Tap NFC | Aug 2024 – | 167 | Chinese NFC payment relay fraud — 54 APKs, 5 C2 domains, $355K+ losses |

| Rule | Target | Path |
|---|---|---|
| XOR Hunter | XOR-encoded payloads | xor_hunter.yar |
| Office Startup Anomaly | Suspicious Office startup files | office_startup_anomaly.yar |
| Cobalt Strike (3 rules) | CS beacons, syscalls, obfuscation | yara/ |
| Brickstorm (9 rules) | Brickstorm + Mandiant hunting | yara/ |
| Lumma Stealer | Lumma variants | yara/ |
| Aeternum Loader | Aeternum panel/loader | yara/ |
| DynoWiper Mersenne | Mersenne Twister PRNG-based wiper (HMI) | yara/ |
| RTU Firmware Wiper | ELF with 0xFF entry point (firmware wiper) | yara/ |
All IOCs across the repository are aggregated into flat files for direct import into SIEM, TIP, firewall, or DNS sinkhole systems.

| Feed | Entries | Format | Description |
|---|---|---|---|
| feeds/all_iocs.csv | 12,459 | CSV | Master file — all IOCs with metadata |
| feeds/domains.txt | 2,398 | Flat | One domain per line |
| feeds/ips.txt | 2,679 | Flat | One IP per line |
| feeds/hashes.txt | 6,608 | Flat | SHA256 / SHA1 / MD5 |
| feeds/urls.txt | 413 | Flat | Malicious URLs |
| feeds/cves.txt | 119 | Flat | CVE identifiers |
| index.json | 23 | JSON | Machine-readable threat index |

Each APT group and malware family also has its own iocs_all.csv that merges all campaign IOCs.
```bash
# Import domains into DNS sinkhole
curl -sL https://raw.githubusercontent.com/<org>/Dragon-ThreatResearchHQ/main/feeds/domains.txt

# Import IPs into firewall blocklist
curl -sL https://raw.githubusercontent.com/<org>/Dragon-ThreatResearchHQ/main/feeds/ips.txt

# Regenerate all feeds after adding new IOCs
python3 scripts/aggregate_iocs.py
```

Every threat directory follows a consistent structure:

```text
ThreatName/
├── README.md            # Threat card — metadata, summary, quick links
├── report.md            # Detailed analysis report
├── iocs.csv             # IOCs (type, value, description, threat_actor, campaign, confidence, source, tags)
├── iocs.stix.json       # STIX 2.1 bundle
├── mitre_attack.md      # MITRE ATT&CK technique mapping
├── fingerprints.txt     # Shodan / Censys / FOFA / Google Dork / SIEM queries
├── yara/                # Threat-specific YARA rules
└── screenshots/         # Panel, sandbox, phishing page screenshots
```

See Templates/THREAT_TEMPLATE/ for ready-to-use templates. See Templates/IOC_CSV_HEADER.md for IOC CSV column definitions.
1. Copy Templates/THREAT_TEMPLATE/ → appropriate category directory
2. Fill in README.md, report.md, iocs.csv, mitre_attack.md
3. Run: python3 scripts/aggregate_iocs.py
4. Feeds, iocs_all.csv, and index.json are auto-updated
See CONTRIBUTING.md for full guidelines.
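The feed aggregation described above, as an added example that is not the repository's own `scripts/aggregate_iocs.py`: it reads `iocs.csv` records in the column layout the README defines, refangs and normalizes each value, rejects any record whose value does not match its declared `type` (so a typo or a mis-typed hash never lands in a firewall blocklist), dedupes across threat directories, and returns one sorted list per feed type. Column names follow the README; the records, actor name and domain are constructed.

```python
import csv
import io
import re
from collections import defaultdict

# Value shape per IOC type: a record whose value does not match its declared
# type is rejected rather than silently written into a blocklist.
PATTERNS = {
    "domain": re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$"),
    "ip": re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$"),
    "hash": re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$"),  # MD5 / SHA1 / SHA256
    "url": re.compile(r"^https?://\S+$"),
    "cve": re.compile(r"^CVE-\d{4}-\d{4,}$"),
}

def normalize(ioc_type, value):
    """Refang [.] / [:] / hxxp notation and canonicalize case so duplicates collapse."""
    v = value.strip().replace("[.]", ".").replace("[:]", ":")
    if ioc_type == "url":
        v = re.sub(r"^hxxp", "http", v, flags=re.I)
    if ioc_type == "cve":
        return v.upper()
    return v.lower() if ioc_type in ("domain", "ip", "hash") else v

def aggregate(csv_texts):
    """Merge iocs.csv bodies into {type: sorted unique values}; return (feeds, rejects)."""
    feeds, rejects = defaultdict(set), []
    for text in csv_texts:
        for row in csv.DictReader(io.StringIO(text)):
            t = (row.get("type") or "").strip().lower()
            raw = (row.get("value") or "").strip()
            v = normalize(t, raw) if t in PATTERNS else raw
            if t not in PATTERNS or not PATTERNS[t].match(v):
                rejects.append((raw, "not a valid %s" % (t or "record")))
                continue
            feeds[t].add(v)
    return {t: sorted(vals) for t, vals in feeds.items()}, rejects

# Constructed sample records in the README's iocs.csv column layout (not real IOCs).
HEADER = "type,value,description,threat_actor,campaign,confidence,source,tags\n"
SAMPLE_CSVS = [
    HEADER + "domain,Update-Check[.]example,staging,ExampleActor,Camp-A,high,constructed,c2\n"
    "ip,203.0.113.7,beacon,ExampleActor,Camp-A,high,constructed,c2\n"
    "hash,D41D8CD98F00B204E9800998ECF8427E,empty-file md5,ExampleActor,Camp-A,low,constructed,\n",
    HEADER + "domain,update-check.example,same server,ExampleActor,Camp-B,high,constructed,c2\n"
    "ip,203.0.113.999,typo,ExampleActor,Camp-B,medium,constructed,c2\n"
    "url,hxxp://update-check[.]example/gate.php,C2 gate,ExampleActor,Camp-B,high,constructed,c2\n"
    "cve,cve-2024-6387,RegreSSHion,ExampleActor,Camp-B,high,constructed,exploit\n",
]
```

Calling `aggregate(SAMPLE_CSVS)` yields one deduplicated list per feed type plus the rejected `203.0.113.999` record, which is what a review step before regenerating `feeds/` should surface.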

| Goal | Description |
|---|---|
| Threat Intelligence | Structured IOCs, STIX bundles, and hunting queries for rapid detection |
| SOC Integration | CSV and flat-file feeds ready for SIEM / TIP / firewall import |
| Research & Education | Detailed reports and ATT&CK mappings for understanding threat actors |
| Community | Standardized templates make contribution straightforward |
This repository is maintained for educational and research purposes only. The misuse of any information contained herein for malicious purposes is strictly prohibited. Always follow legal and ethical guidelines when handling threat intelligence data.
This project is licensed under the MIT License.
