Kalambur Backdoor Curl TOR SOCKS Proxy Execution
Detects the execution of the "curl.exe" command, referencing "SOCKS" and ".onion" domains, which could be indicative of Kalambur backdoor activity.
Sigma rule
```yaml
title: Kalambur Backdoor Curl TOR SOCKS Proxy Execution
id: e99375eb-3ee0-407a-9f90-79569cc6a01c
status: experimental
description: Detects the execution of the "curl.exe" command, referencing "SOCKS" and ".onion" domains, which could be indicative of Kalambur backdoor activity.
references:
    - https://blog.eclecticiq.com/sandworm-apt-targets-ukrainian-users-with-trojanized-microsoft-kms-activation-tools-in-cyber-espionage-campaigns
author: Arda Buyukkaya (EclecticIQ)
date: 2025-02-11
tags:
    - attack.command-and-control
    - attack.t1090
    - attack.t1573
    - attack.t1071.001
    - attack.t1059.001
    - attack.s0183
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\curl.exe'
    selection_socks:
        CommandLine|contains:
            - 'socks5h://'
            - 'socks5://'
            - 'socks4a://'
    selection_onion:
        CommandLine|contains: '.onion'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
```
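The detection block above as an added Python example (not part of the Sigma project or of this rule, which Sigma backends would instead compile into a SIEM query), evaluated over constructed process-creation events: it applies the `endswith`/`contains` modifiers case-insensitively, as Sigma does by default, and combines the three selections with the `all of selection_*` condition.

```python
# Added example: a minimal evaluator for the Kalambur curl/Tor SOCKS rule,
# run over constructed Windows process_creation events. Not Sigma project code.
# Sigma string modifiers (endswith/contains) match case-insensitively by default,
# so both sides are lower-cased before comparison.

SOCKS_SCHEMES = ("socks5h://", "socks5://", "socks4a://")


def matches_kalambur_curl_tor(event: dict) -> bool:
    """Return True when the event satisfies 'all of selection_*'."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    # selection_img: Image|endswith '\curl.exe'
    sel_img = image.endswith("\\curl.exe")
    # selection_socks: CommandLine|contains any listed SOCKS scheme
    sel_socks = any(scheme in cmdline for scheme in SOCKS_SCHEMES)
    # selection_onion: CommandLine|contains '.onion'
    sel_onion = ".onion" in cmdline
    # condition: all of selection_*
    return sel_img and sel_socks and sel_onion


# Constructed sample events (not real telemetry); hostnames are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe --proxy socks5h://127.0.0.1:9050 http://placeholder.onion/"},
    # Upper-case scheme still matches because Sigma matching is case-insensitive
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe -x SOCKS5://127.0.0.1:9050 https://placeholder.onion/"},
    # Plain curl to a clearnet host: no SOCKS scheme, no .onion -> no alert
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe https://example.com/"},
    # Same proxy/onion strings but a different image -> selection_img fails
    {"Image": r"C:\Tools\wget.exe",
     "CommandLine": r"wget.exe socks5://127.0.0.1:9050 http://placeholder.onion/"},
]


def alerts(events) -> list:
    """Indices of events that fire the rule."""
    return [i for i, e in enumerate(events) if matches_kalambur_curl_tor(e)]


if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))  # [0, 1]
```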
Related rules
- Potential Pikabot C2 Activity
- Greenbug Espionage Group Indicators
- Potential BlackByte Ransomware Activity
- Potential CSharp Streamer RAT Loading .NET Executable Image
- Exploit Framework User Agent