From 3837aeaf783cec5c2b2d85347556835992e31071 Mon Sep 17 00:00:00 2001
From: enzok <7831008+enzok@users.noreply.github.com>
Date: Tue, 28 Oct 2025 09:49:02 -0400
Subject: [PATCH 1/7] Update AdaptixBeacon yara and add NitrogenBunnyDownloader yara
---
 data/yara/CAPE/AdaptixBeacon.yar | 1 -
 data/yara/CAPE/NitroBunnyDownloader.yar | 17 +++++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)
 create mode 100644 data/yara/CAPE/NitroBunnyDownloader.yar
diff --git a/data/yara/CAPE/AdaptixBeacon.yar b/data/yara/CAPE/AdaptixBeacon.yar
index efa3c297850..b6f0ada26b0 100644
--- a/data/yara/CAPE/AdaptixBeacon.yar
+++ b/data/yara/CAPE/AdaptixBeacon.yar
@@ -4,7 +4,6 @@ rule AdaptixBeacon
         author = "enzok"
         description = "AdaptixBeacon Payload"
         cape_type = "AdaptixBeacon Payload"
-        hash = "f78f5803be5704420cbb2e0ac3c57fcb3d9cdf443fbf1233c069760bee115b5d"
     strings:
         $conf_1 = {8D ?? ?? E8 [3] 00 4? 89 [1-2] 4? 8B 4C 24 ?? E8 [3] 00 4? 8B 53 48 66 [0-1] 89 04}
         $conf_2 = {E8 [3] 00 48 8B 4C 24 ?? 48 89 43 78 E8 [3] 00 48 8B 4C 24 ?? 89 83 80 00 00 00 E8 [3] 00 03 83 80 00 00 00 48 8B 4C 24}
diff --git a/data/yara/CAPE/NitroBunnyDownloader.yar b/data/yara/CAPE/NitroBunnyDownloader.yar
new file mode 100644
index 00000000000..c878bc3fb81
--- /dev/null
+++ b/data/yara/CAPE/NitroBunnyDownloader.yar
@@ -0,0 +1,17 @@
+rule NitroBunnyDownloader
+{
+    meta:
+        author = "enzok"
+        description = "NitroBunnyDownloader"
+        cape_type = "NitroBunnyDownloader Payload"
+        hash = "960e59200ec0a4b5fb3b44e6da763f5fec4092997975140797d4eec491de411b"
+    strings:
+        $config = {E8 [3] 00 41 B8 ?? ?? 00 00 48 8D 15 [3] 00 48 89 C1 48 89 ?? E8 [3] 00}
+        $string1 = "X-Amz-User-Agent:" wide
+        $string2 = "Amz-Security-Flag:" wide
+        $string3 = "/cart" wide
+        $string4 = "Cookie: " wide
+        $string5 = "wishlist" wide
+    condition:
+        uint16(0) == 0x5A4D and $config and 2 of ($string*)
+}
\ No newline at end of file
From 378edda14f9a7b02e340fcc9ffe73939b10e6761 Mon Sep 17 00:00:00 2001
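Review bot: Three of the five `$string*` entries in the new rule (`/cart`, `Cookie: `, `wishlist`) are generic enough to occur in unrelated binaries, so the `2 of ($string*)` clause can be satisfied without either of the two header names that actually characterise this family. `$config` is mandatory anyway, so the practical false-positive risk is low, but the string clause adds little as written; requiring one of the distinctive headers keeps the intent, e.g. `uint16(0) == 0x5A4D and $config and ($string1 or $string2) and 2 of ($string*)`. The strings are declared `wide` only; if the sample also carries them as ASCII, `ascii wide` would widen coverage, which I cannot tell from the hunk.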
From: enzok <7831008+enzok@users.noreply.github.com>
Date: Tue, 28 Oct 2025 10:13:30 -0400
Subject: [PATCH 2/7] add missing hash
---
 data/yara/CAPE/AdaptixBeacon.yar | 1 +
 1 file changed, 1 insertion(+)
diff --git a/data/yara/CAPE/AdaptixBeacon.yar b/data/yara/CAPE/AdaptixBeacon.yar
index b6f0ada26b0..efa3c297850 100644
--- a/data/yara/CAPE/AdaptixBeacon.yar
+++ b/data/yara/CAPE/AdaptixBeacon.yar
@@ -4,6 +4,7 @@ rule AdaptixBeacon
         author = "enzok"
         description = "AdaptixBeacon Payload"
         cape_type = "AdaptixBeacon Payload"
+        hash = "f78f5803be5704420cbb2e0ac3c57fcb3d9cdf443fbf1233c069760bee115b5d"
     strings:
         $conf_1 = {8D ?? ?? E8 [3] 00 4? 89 [1-2] 4? 8B 4C 24 ?? E8 [3] 00 4? 8B 53 48 66 [0-1] 89 04}
         $conf_2 = {E8 [3] 00 48 8B 4C 24 ?? 48 89 43 78 E8 [3] 00 48 8B 4C 24 ?? 89 83 80 00 00 00 E8 [3] 00 03 83 80 00 00 00 48 8B 4C 24}
From 26d76a53b8c6601202ed596f6fafe2ac65780cd3 Mon Sep 17 00:00:00 2001
From: enzok <7831008+enzok@users.noreply.github.com>
Date: Tue, 28 Oct 2025 10:20:28 -0400
Subject: [PATCH 3/7] add missing update
---
 data/yara/CAPE/AdaptixBeacon.yar | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/data/yara/CAPE/AdaptixBeacon.yar b/data/yara/CAPE/AdaptixBeacon.yar
index efa3c297850..0d507f3f0b2 100644
--- a/data/yara/CAPE/AdaptixBeacon.yar
+++ b/data/yara/CAPE/AdaptixBeacon.yar
@@ -6,11 +6,13 @@ rule AdaptixBeacon
         cape_type = "AdaptixBeacon Payload"
         hash = "f78f5803be5704420cbb2e0ac3c57fcb3d9cdf443fbf1233c069760bee115b5d"
     strings:
-        $conf_1 = {8D ?? ?? E8 [3] 00 4? 89 [1-2] 4? 8B 4C 24 ?? E8 [3] 00 4? 8B 53 48 66 [0-1] 89 04}
+        $conf_1 = {8D ?? ?? E8 [3] 00 4? 89 [1-2] 4? 8B 4C 24 ?? E8 [3] 00 4? 8B 53 48 66 [0-1] 89 04 ?? E8}
         $conf_2 = {E8 [3] 00 48 8B 4C 24 ?? 48 89 43 78 E8 [3] 00 48 8B 4C 24 ?? 89 83 80 00 00 00 E8 [3] 00 03 83 80 00 00 00 48 8B 4C 24}
         $conf_3 = {E8 [3] 00 4? 8B 4C 24 ?? 4? 89 ?? 4? 89 43 58 E8 [3] 00 4? 8B 4C 24 ?? 4? 89 ?? 4? 89 43 60 E8 [3] 00 4? 8B 4C 24 ?? 4? 89 ?? 4? 89 43 68}
-        $wininet_1 = {B9 77 00 00 00 4? 89 50 28 E8 [4] B9 69 00 00 00 88 44 24 ?? E8 [4] B9 6E 00 00 00 88 44 24}
-        $wininet_2 = {B9 69 00 00 00 88 44 24 ?? E8 [4] B9 6E 00 00 00 88 44 24 ?? E8 [4] B9 65 00 00 00 88 44 24}
+        $conf_4 = {8D ?? ?? 4? 89 ?? FF ?? 4? 89 ?? 4? 89 ?? 4? 8B ?? FF ?? ?? 4? 8B ?? 48 66 ?? 89 ?? ?? EB}
+        $conf_5 = {48 89 ?? 4? 89 ?? FF ?? 4? 89 ?? 4? 89 D9 4? 89 ?? ?? 4? 8B 03 FF ?? ?? 4? 89 ?? 4? 89 ?? 4? 89 ?? ?? 4? 8B 03 FF ?? ?? 4? 89}
+        $wininet_1 = {B9 77 00 00 00 [0-4] E8 [4] B9 69 00 00 00 88 ?4 24 [0-4] E8 [4] B9 6E 00 00 00 88 ?4 24}
+        $wininet_2 = {B9 69 00 00 00 88 ?4 24 [0-4] E8 [4] B9 6E 00 00 00 88 ?4 24 [0-4] E8 [4] B9 65 00 00 00 88 ?4 24}
     condition:
         1 of ($conf_*) and 1 of ($wininet_*)
 }
\ No newline at end of file
From 3b89448abbb2516a14ced36a0f94e2ffb6991b81 Mon Sep 17 00:00:00 2001
From: enzok <7831008+enzok@users.noreply.github.com>
Date: Tue, 28 Oct 2025 10:30:13 -0400
Subject: [PATCH 4/7] Gemini nags
---
 data/yara/CAPE/AdaptixBeacon.yar | 2 +-
 data/yara/CAPE/NitroBunnyDownloader.yar | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/data/yara/CAPE/AdaptixBeacon.yar b/data/yara/CAPE/AdaptixBeacon.yar
index 0d507f3f0b2..4e68fcc7a8a 100644
--- a/data/yara/CAPE/AdaptixBeacon.yar
+++ b/data/yara/CAPE/AdaptixBeacon.yar
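Review bot: The `?4` nibble wildcard in the rewritten `$wininet_1`/`$wininet_2` matches any ModRM byte whose low nibble is 4, not only `04`/`44` (AL into `[rsp]`/`[rsp+disp8]`, which the SIB byte `24` that follows suggests is the intent) but also other source registers such as `14` (DL) and register-direct forms such as `C4`; if only those two encodings are meant, the alternative `88 (04|44) 24` is tighter. `$conf_4` and `$conf_5` are largely wildcards as well, which the mandatory `1 of ($wininet_*)` clause mitigates but does not remove. The rule still records a single `hash` while the new `$conf_4`/`$conf_5` and the loosened `$wininet_*` were presumably derived from further samples; adding a `hash = "<sha256 of the new variant>"` line per sample would make the patterns reproducible when they need revisiting.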
@@ -15,4 +15,4 @@ rule AdaptixBeacon
         $wininet_2 = {B9 69 00 00 00 88 ?4 24 [0-4] E8 [4] B9 6E 00 00 00 88 ?4 24 [0-4] E8 [4] B9 65 00 00 00 88 ?4 24}
     condition:
         1 of ($conf_*) and 1 of ($wininet_*)
-}
\ No newline at end of file
+}
diff --git a/data/yara/CAPE/NitroBunnyDownloader.yar b/data/yara/CAPE/NitroBunnyDownloader.yar
index c878bc3fb81..733efe3a41a 100644
--- a/data/yara/CAPE/NitroBunnyDownloader.yar
+++ b/data/yara/CAPE/NitroBunnyDownloader.yar
@@ -14,4 +14,4 @@ rule NitroBunnyDownloader
         $string5 = "wishlist" wide
     condition:
         uint16(0) == 0x5A4D and $config and 2 of ($string*)
-}
\ No newline at end of file
+}
From 281a70415a75ddbbcc00bee7d8946776b4b4525c Mon Sep 17 00:00:00 2001
From: Yung Binary <93540406+YungBinary@users.noreply.github.com>
Date: Fri, 31 Oct 2025 12:45:06 -0600
Subject: [PATCH 5/7] Additional Rhadamanthys patterns
---
 data/yara/CAPE/Rhadamanthys.yar | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/data/yara/CAPE/Rhadamanthys.yar b/data/yara/CAPE/Rhadamanthys.yar
index c5ca2677238..6b6a1b16940 100644
--- a/data/yara/CAPE/Rhadamanthys.yar
+++ b/data/yara/CAPE/Rhadamanthys.yar
@@ -1,13 +1,15 @@
 rule Rhadamanthys
 {
     meta:
-        author = "kevoreilly"
+        author = "kevoreilly, YungBinary"
         description = "Rhadamanthys Loader"
         cape_type = "Rhadamanthys Loader"
     strings:
         $rc4 = {88 4C 01 08 41 81 F9 00 01 00 00 7C F3 89 75 08 33 FF 8B 4D 08 3B 4D 10 72 04 83 65 08 00}
         $code = {8B 4D FC 3B CF 8B C1 74 0D 83 78 04 02 74 1C 8B 40 1C 3B C7 75 F3 3B CF 8B C1 74 57 83 78 04 17 74 09 8B 40 1C 3B C7 75 F3 EB}
         $conf = {46 BB FF 00 00 00 23 F3 0F B6 44 31 08 03 F8 23 FB 0F B6 5C 39 08 88 5C 31 08 88 44 39 08 02 C3 8B 5D 08 0F B6 C0 8A 44 08 08}
+        $beef = { 57 8D 44 33 FC 53 83 C6 FC 50 56 E8 ?? ?? ?? ?? 83 C4 10 66 81 3F EF BE 0F 85 E6 02 00 00 }
+        $config_2 = { 0F B6 4F 2A 8D 77 2A 33 C0 6A 03 89 ?? ?? 89 ?? ?? 89 ?? ?? 8B C1 }
         $cape_string = "cape_options"
     condition:
         2 of them and not $cape_string
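Review bot: The Rhadamanthys meta block gains a second author but still carries no `hash` entry, so nothing records which sample the new `$beef` and `$config_2` patterns were taken from; the sibling rules touched in this series (AdaptixBeacon, NitroBunnyDownloader) each keep one. Adding `hash = "<sha256 of the Rhadamanthys sample used>"` after `cape_type` would make the patterns reproducible when they need revisiting. The closing `}` of the rule lies outside the hunk.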
From c462d0be55446583e4e7bd2148a93a7bd6ea90eb Mon Sep 17 00:00:00 2001
From: Kevin O'Reilly
Date: Mon, 3 Nov 2025 09:56:10 +0000
Subject: [PATCH 6/7] Remove test_handle_process_invalid_data() from tests/test_analyzer.py
---
 analyzer/windows/tests/test_analyzer.py | 20 --------------------
 1 file changed, 20 deletions(-)
diff --git a/analyzer/windows/tests/test_analyzer.py b/analyzer/windows/tests/test_analyzer.py
index bbe274844c4..783e21dd505 100644
--- a/analyzer/windows/tests/test_analyzer.py
+++ b/analyzer/windows/tests/test_analyzer.py
@@ -986,23 +986,3 @@ def test_handle_process(self, mock_process):
         self.assertIsNotNone(ana.LASTINJECT_TIME)
         mock_process.assert_called_once()
         self.assertEqual(1, ana.NUM_INJECTED)
-
-    @patch("analyzer.Process")
-    def test_handle_process_invalid_data(self, mock_process):
-        ana = self.analyzer
-        with self.assertRaises(ValueError):
-            data = bytes("does not have a colon".encode())
-            self.pipe_handler._handle_process(data=data)
-        with self.assertRaises(ValueError):
-            data = bytes("has:too:many:colons".encode())
-            self.pipe_handler._handle_process(data=data)
-
-        data = bytes("no_comma:non_digits".encode())
-        self.pipe_handler._handle_process(data=data)
-        self.assertIsNone(ana.LASTINJECT_TIME)
-        mock_process.assert_not_called()
-
-        data = bytes("with_comma:non_digits,non_digits".encode())
-        self.pipe_handler._handle_process(data=data)
-        self.assertIsNone(ana.LASTINJECT_TIME)
-        mock_process.assert_not_called()
From 6ea9ccaca59bde6b182ae0aa85ff6bba9f364b3f Mon Sep 17 00:00:00 2001
From: Kevin O'Reilly
Date: Mon, 3 Nov 2025 13:16:31 +0000
Subject: [PATCH 7/7] Tweak Rhadamanthys patterns
- removed highly variable jump size in conditional jump (0x2e6 bytes code, size highly brittle)
- replaced eax register in nice characteristic pattern as it can only be eax, since pattern contains the xor eax, eax instruction by which the code zeroes)
---
 data/yara/CAPE/Rhadamanthys.yar | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/data/yara/CAPE/Rhadamanthys.yar b/data/yara/CAPE/Rhadamanthys.yar
index 6b6a1b16940..367d73f8b4c 100644
--- a/data/yara/CAPE/Rhadamanthys.yar
+++ b/data/yara/CAPE/Rhadamanthys.yar
@@ -8,8 +8,8 @@ rule Rhadamanthys
         $rc4 = {88 4C 01 08 41 81 F9 00 01 00 00 7C F3 89 75 08 33 FF 8B 4D 08 3B 4D 10 72 04 83 65 08 00}
         $code = {8B 4D FC 3B CF 8B C1 74 0D 83 78 04 02 74 1C 8B 40 1C 3B C7 75 F3 3B CF 8B C1 74 57 83 78 04 17 74 09 8B 40 1C 3B C7 75 F3 EB}
         $conf = {46 BB FF 00 00 00 23 F3 0F B6 44 31 08 03 F8 23 FB 0F B6 5C 39 08 88 5C 31 08 88 44 39 08 02 C3 8B 5D 08 0F B6 C0 8A 44 08 08}
-        $beef = { 57 8D 44 33 FC 53 83 C6 FC 50 56 E8 ?? ?? ?? ?? 83 C4 10 66 81 3F EF BE 0F 85 E6 02 00 00 }
-        $config_2 = { 0F B6 4F 2A 8D 77 2A 33 C0 6A 03 89 ?? ?? 89 ?? ?? 89 ?? ?? 8B C1 }
+        $beef = {57 8D 44 33 FC 53 83 C6 FC 50 56 E8 [4] 83 C4 10 66 81 3F EF BE 0F 85}
+        $config_2 = {0F B6 4F 2A 8D 77 2A 33 C0 6A 03 89 45 F8 89 45 FC 89 45 08 8B C1}
         $cape_string = "cape_options"
     condition:
         2 of them and not $cape_string
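Review bot: The new `$config_2` pins more than the register the commit message describes: in `89 45 F8` the ModRM byte `45` encodes EAX as source and `[ebp+disp8]` as destination, and the bytes `F8`, `FC`, `08` that follow each store are three stack-frame offsets. Those offsets depend on the compiler's frame layout in the same way the `0x2E6` jump displacement dropped from `$beef` did, so if the intent is only to fix the register, `$config_2 = {0F B6 4F 2A 8D 77 2A 33 C0 6A 03 89 45 ?? 89 45 ?? 89 45 ?? 8B C1}` keeps that while leaving the displacements free. If the offsets were verified stable across the samples checked, the tighter form is fine, but recording that sample in the rule's meta (there is still no `hash` entry) would help the next revision.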