threatcode · pull · Nov 19, 2025 · Nov 3, 2025 · Nov 19, 2025 · Nov 19, 2025
diff --git a/.github/workflows/auto_answer.yml b/.github/workflows/auto_answer.yml
@@ -22,14 +22,15 @@ jobs:
         with:
           enable-cache: true
 
-      - name: Install the project
-        run: uv run pip install -r requirements.txt
-
       - name: Run the answer bot with uv run
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
           ISSUE_NUMBER: ${{ github.event.issue.number }}
           REPO_NAME: ${{ github.repository }}
-        # This single step installs dependencies (if needed) and runs the script
-        run: cd KnowledgeBaseBot && uv run python auto_answer_bot.py
+        run: |
+          cd KnowledgeBaseBot && \
+          uv run \
+          --with-requirements ../requirements.txt \
+          --with-requirements requirements.txt \
+          python auto_answer_bot.py
diff --git a/analyzer/windows/data/yara/SmokeLoader.yar b/analyzer/windows/data/yara/SmokeLoader.yar
@@ -1,11 +1,11 @@
-rule SmokeLoader
+rule SmokeInjector
 {
     meta:
         author = "kevoreilly"
-        description = "SmokeLoader Payload"
-        cape_options = "bp0=$gate+19,action0=DumpSectionViews,count=1"
+        cape_options = "monitor=explorer"
+        packed = "d38f9ab81a054203e5b5940e6d34f3c8766f4f4104b14840e4695df511feaa30"
     strings:
-        $gate = {68 [2] 00 00 50 E8 [4] 8B 45 ?? 89 F1 8B 55 ?? 9A [2] 40 00 33 00 89 F9 89 FA 81 C1 [2] 00 00 81 C2 [2] 00 00 89 0A 8B 46 ?? 03 45 ?? 8B 4D ?? 8B 55 ?? 9A [2] 40 00 33 00}
+        $dec1 = {80 04 08 [0-7] (49|83 E9 01) [0-7] 41 [0-7] 81 F1 [2] 00 00 [0-7] 01 D9 [0-7] FF E1}
     condition:
         uint16(0) == 0x5A4D and any of them
 }
diff --git a/data/yara/CAPE/NitroBunnyDownloader.yar b/data/yara/CAPE/NitroBunnyDownloader.yar
@@ -6,12 +6,13 @@ rule NitroBunnyDownloader
         cape_type = "NitroBunnyDownloader Payload"
         hash = "960e59200ec0a4b5fb3b44e6da763f5fec4092997975140797d4eec491de411b"
     strings:
-        $config = {E8 [3] 00 41 B8 ?? ?? 00 00 48 8D 15 [3] 00 48 89 C1 48 89 ?? E8 [3] 00}
+        $config1 = {E8 [3] 00 41 B8 ?? ?? 00 00 48 8D 15 [3] 00 48 89 C1 48 89 ?? E8 [3] 00}
+        $config2 = {E8 [3] 00 48 8D 15 [3] 00 41 B8 ?? ?? 00 00 48 89 C1 48 89 ?? E8 [3] 00}
         $string1 = "X-Amz-User-Agent:" wide
         $string2 = "Amz-Security-Flag:" wide
         $string3 = "/cart" wide
         $string4 = "Cookie: " wide
         $string5 = "wishlist" wide
     condition:
-        uint16(0) == 0x5A4D and $config and 2 of ($string*)
+        uint16(0) == 0x5A4D and 1 of ($config*) and 2 of ($string*)
 }
diff --git a/data/yara/CAPE/SmokeLoader.yar b/data/yara/CAPE/SmokeLoader.yar
@@ -5,10 +5,12 @@ rule SmokeLoader
         description = "SmokeLoader Payload"
         cape_type = "SmokeLoader Payload"
     strings:
-        $rc4_decrypt64 = {41 8D 41 01 44 0F B6 C8 42 0F B6 [2] 41 8D 04 12 44 0F B6 D0 42 8A [2] 42 88 [2] 42 88 [2] 42 0F B6 [2] 03 CA 0F B6 C1 8A [2] 30 0F 48 FF C7 49 FF CB 75}
+        $rc4_decrypt64_1 = {41 8D 41 01 44 0F B6 C8 42 0F B6 [2] 41 8D 04 12 44 0F B6 D0 42 8A [2] 42 88 [2] 42 88 [2] 42 0F B6 [2] 03 CA 0F B6 C1 8A [2] 30 0F 48 FF C7 49 FF CB 75}
+        $rc4_decrypt64_2 = {03 C8 8B C1 89 44 [2] 0F B6 8C [2] 01 00 00 33 D2 8B 04 24 F7 F1 8B C2 8B C0 48 8B 8C [2] 01 00 00 0F B6 04 01 8B 4C [2] 03 C8 8B C1 25 FF 00 00 00}
+        $rc4_decrypt64_3 = {8B 04 ?? FF C0 25 FF 00 00 00 89 04 ?? 8B 04 ?? 0F B6 44 [2] 8B 4C [2] 03 C8 8B C1 25 FF 00 00 00}
         $rc4_decrypt32 = {47 B9 FF 00 00 00 23 F9 8A 54 [2] 0F B6 C2 03 F0 23 F1 8A 44 [2] 88 44 [2] 88 54 [2] 0F B6 4C [2] 0F B6 C2 03 C8 81 E1 FF 00 00 00 8A 44 [2] 30 04 2B 43 3B 9C 24 [4] 72 C0}
-        $fetch_c2_64 = {74 ?? B? E8 03 00 00 B9 58 02 00 00 FF [5] 48 FF C? 75 F0 [6-10] 48 8D 05}
+        $fetch_c2_64 = {74 ?? B? E8 03 00 00 B9 58 02 00 00 FF [5] 48 (FF C?|83 EF 01) 75 (F0|EF)}
         $fetch_c2_32 = {8B 96 [2] (00|01) 00 8B CE 5E 8B 14 95 [4] E9}
     condition:
-        2  of them
+        2 of them
 }
diff --git a/poetry.lock b/poetry.lock
diff --git a/requirements.txt b/requirements.txt
@@ -1908,15 +1908,18 @@ stpyv8==13.1.201.22 ; python_version >= "3.10" and python_version < "4.0" \
     --hash=sha256:4d737935167c52ed72e5a78264d9adfeaf089bf54693b88f12cbdb439a36a102 \
     --hash=sha256:6cb5e8751aee2487cc3b5f21eac6d459041a7180a779941b64db5736e27276ee \
     --hash=sha256:6dc40b656cea7fe541f6bdbad83b6b4ed51e5ead985b54c139319a731253a55e \
+    --hash=sha256:6fdbc3a8b1aa941064ec0976a5a85761f50e9090468ce275c22d0774293d2668 \
     --hash=sha256:8019f19b29621ccde85125d86f60f5814175b17670f5949d2671cf22cf453ea6 \
     --hash=sha256:834b9761bb7f49da8b887847c7647495a2cf6c45f69e2124ae0e3f024493bc15 \
     --hash=sha256:90568ff08dfaf0ebd3bf1c79f7d21db06d82eada412a6e914b995bead7c78666 \
     --hash=sha256:b2a660a331e82fa89d5938ec8418743ebfb544733269f24cd8461a18472701c2 \
     --hash=sha256:b53df6114a88698ee6f3820cf46476e83ee09c9a67dd9f7cf58ca6a2928238b0 \
     --hash=sha256:b9d9499ed2007cc097a5d2ae0cb18226b2bf3ca429301811b2e12a787a8f137e \
     --hash=sha256:bf51578ec84dba6519d75ca81a154a070910e638da0ec384f4bf6d535f9b5218 \
+    --hash=sha256:c0b258c7c5a79c5f19e636b93eece90d3cf9109af9a11c5394bdb807ed68e04a \
     --hash=sha256:c24aa4215c64db7d67fc6c42c0d7731cabcf300596bf9c826ae74f426fe3b771 \
     --hash=sha256:c4292843c8133fc99833aceef25925a97edf01031e186335582deb077b99d2bf \
+    --hash=sha256:c4bf3048c96a6a1561861da0c74be842c79a71373d3bec0d53c4e8f6eaa7b6e8 \
     --hash=sha256:c8189b8c4d87579f353705441757f11e2f2260578b82000925dadf0ed59a47e3 \
     --hash=sha256:d00a220268d63d68490682b571d082d5b197de1f19d6f478a88357c61da94f7a \
     --hash=sha256:da6d8f2945bd057057c64bc93ea3c064cc848b75f55d6d651120ee5d115e0761 \