@elizaos/skills 2.0.0-alpha.3

package/skills/yara-authoring/skills/yara-rule-authoring/examples/MAL_Mac_ProtonRAT_Jan25.yar

@@ -0,0 +1,99 @@
+/*
+    Real YARA Rule: macOS Proton RAT Detection
+
+    This rule is adapted from Airbnb's BinaryAlert open-source YARA rules.
+    It demonstrates best practices for macOS malware detection:
+    - Mach-O magic bytes validation (including universal binaries)
+    - Multi-category string grouping ($a* for libraries, $b* for behaviors)
+    - Cross-category matching requirement
+
+    Original source: https://github.com/airbnb/binaryalert
+    Attribution: @mimeframe / Airbnb Security
+    Reference: https://objective-see.org/blog/blog_0x1D.html
+*/
+
+private rule MachO
+{
+    meta:
+        description = "Detects all Mach-O binary formats including 32-bit, 64-bit, and universal binaries"
+        author = "Airbnb BinaryAlert"
+        reference = "https://github.com/airbnb/binaryalert"
+        date = "2017-01-01"
+
+    condition:
+        // 32-bit Mach-O (little/big endian)
+        uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or
+        // 64-bit Mach-O (little/big endian)
+        uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or
+        // Universal binary / fat binary (little/big endian)
+        uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca
+}
+
+rule MAL_Mac_ProtonRAT_Generic
+{
+    meta:
+        description = "Detects macOS Proton RAT via WebSocket library and SSH tunnel strings"
+        author = "@mimeframe (Airbnb Security, adapted)"
+        reference = "https://objective-see.org/blog/blog_0x1D.html"
+        date = "2017-05-04"
+        modified = "2025-01-30"
+        score = 80
+
+    strings:
+        // Category A: Library indicators
+        // SocketRocket is a WebSocket library - legitimate but rare in malware context
+        $a1 = "SRWebSocket" nocase ascii wide
+        $a2 = "SocketRocket" nocase ascii wide
+
+        // Category B: SSH tunnel behavioral indicators
+        // From joeroback/SSHTunnel - distinctive error/status messages
+        $b1 = "SSH tunnel not launched" nocase ascii wide
+        $b2 = "SSH tunnel still running" nocase ascii wide
+        $b3 = "SSH tunnel already launched" nocase ascii wide
+        $b4 = "Entering interactive session." nocase ascii wide
+
+    condition:
+        // File type validation
+        MachO and
+        filesize < 20MB and
+
+        // Require indicators from BOTH categories
+        // This reduces FPs: SocketRocket alone is legitimate
+        // SSH tunneling alone is legitimate
+        // BOTH together is suspicious for a GUI app
+        any of ($a*) and any of ($b*)
+}
+
+rule MAL_Mac_ProtonRAT_Keylogger
+{
+    meta:
+        description = "Detects macOS Proton RAT keylogger functionality via CoreGraphics event tap APIs"
+        author = "Trail of Bits (based on Objective-See research)"
+        reference = "https://objective-see.org/blog/blog_0x1D.html"
+        date = "2025-01-30"
+        score = 85
+
+    strings:
+        // Keylogger API usage (CoreGraphics event tap)
+        $key1 = "CGEventTapCreate" ascii
+        $key2 = "kCGEventKeyDown" ascii
+        $key3 = "kCGEventKeyUp" ascii
+
+        // Credential theft indicators
+        $cred1 = "security find-generic-password" ascii
+        $cred2 = "keychain" ascii nocase
+
+        // Persistence paths
+        $persist1 = "Library/LaunchAgents" ascii
+        $persist2 = "com.apple" ascii  // Masquerading as Apple
+
+    condition:
+        MachO and
+        filesize < 20MB and
+
+        // Need keylogger functionality
+        2 of ($key*) and
+
+        // Plus credential or persistence indicators
+        (any of ($cred*) or any of ($persist*))
+}

package/skills/yara-authoring/skills/yara-rule-authoring/examples/MAL_NPM_SupplyChain_Jan25.yar

@@ -0,0 +1,170 @@
+/*
+    Real YARA Rules: npm Supply Chain Attack Detection
+
+    These rules detect patterns from documented npm supply chain attacks.
+    They demonstrate best practices for JavaScript/package detection:
+    - No magic bytes (text files)
+    - Combining behavioral patterns to reduce false positives
+    - Targeting specific attack artifacts, not generic JavaScript
+
+    Sources:
+    - chalk/debug compromise (Sept 2025): Stairwell Threat Research
+    - os-info-checker-es6: Veracode Security Research
+    - event-stream/flatmap-stream: npm security advisory
+
+    Attribution: Stairwell Threat Research, Veracode, npm Security
+*/
+
+rule MAL_NPM_ChalkDebug_Sept25
+{
+    meta:
+        description = "Detects malicious wallet-drainer code from chalk/debug npm supply-chain compromise"
+        author = "Stairwell Threat Research (adapted)"
+        reference = "https://stairwell.com/resources/how-to-detect-npm-package-manager-supply-chain-attacks-with-yara/"
+        date = "2025-09-11"
+        modified = "2025-01-30"
+        score = 95
+
+    strings:
+        // Unique function names from the malicious payload
+        $s1 = "runmask" ascii
+        $s2 = "checkethereumw" ascii
+
+        // Ethereum function selector for approve(address,uint256)
+        // This ERC-20 method grants token spending permission
+        $function_selector = "0x095ea7b3" ascii
+
+    condition:
+        filesize < 5MB and
+        all of them
+}
+
+rule MAL_NPM_ChalkDebug_ERC20Selectors
+{
+    meta:
+        description = "Detects malicious npm packages targeting ERC-20 token operations"
+        author = "Trail of Bits (based on Stairwell research)"
+        reference = "https://github.com/chalk/chalk/issues/656"
+        date = "2025-01-30"
+        score = 80
+
+    strings:
+        // ERC-20 function selectors (4-byte Keccak hashes)
+        // These appear in wallet-draining malware
+        $erc20_transfer = { 70 a0 82 31 }   // transfer(address,uint256)
+        $erc20_approve = { 09 5e a7 b3 }    // approve(address,uint256)
+        $erc20_transferFrom = { 23 b8 72 dd } // transferFrom(address,address,uint256)
+
+        // Context: must be in a JavaScript/npm context
+        $npm_context1 = "package.json" ascii
+        $npm_context2 = "node_modules" ascii
+        $js_context = "module.exports" ascii
+
+    condition:
+        filesize < 2MB and
+        // Need multiple ERC-20 selectors (legitimate code rarely has multiple)
+        2 of ($erc20_*) and
+        // Confirm npm/JS context
+        any of ($npm_context*, $js_context)
+}
+
+rule MAL_NPM_ZeroWidthSteganography
+{
+    meta:
+        description = "Detects hidden code using zero-width Unicode characters (os-info-checker-es6 technique)"
+        author = "Trail of Bits (based on Veracode research)"
+        reference = "https://www.veracode.com/blog/security-news/npm-package-uses-unicode-invisible-characters-hide-backdoor-code"
+        date = "2025-01-30"
+        score = 75
+
+    strings:
+        // Zero-width characters used to hide payloads
+        // These encode binary data as invisible Unicode
+        $zw_sequence = { E2 80 8B E2 80 8C E2 80 8D }  // ZWSP + ZWNJ + ZWJ
+        $zw_double = { E2 80 8B E2 80 8B }   // Double zero-width space
+        $zw_mixed = { E2 80 8C E2 80 8D }    // ZWNJ + ZWJ pair
+
+        // Typical decoding pattern
+        $eval_atob = /eval\s*\(\s*atob\s*\(/
+
+    condition:
+        filesize < 1MB and
+        // Need significant zero-width char density
+        (#zw_sequence > 3 or #zw_double > 5 or #zw_mixed > 5) and
+        // Plus execution mechanism
+        $eval_atob
+}
+
+rule MAL_NPM_EventStream_Pattern
+{
+    meta:
+        description = "Detects patterns similar to event-stream/flatmap-stream backdoor"
+        author = "Trail of Bits (based on npm security advisory)"
+        reference = "https://github.com/dominictarr/event-stream/issues/116"
+        date = "2025-01-30"
+        score = 70
+
+    strings:
+        // The attack targeted Copay Bitcoin wallet
+        $target1 = "copay" ascii nocase
+        $target2 = "bitpay" ascii nocase
+        $target3 = "bitcoin" ascii nocase
+
+        // Malicious dependency injection
+        $flatmap = "flatmap-stream" ascii
+        $pump = "pump" ascii
+
+        // Encrypted payload indicators
+        $aes = "createDecipher" ascii
+        $buffer_from = /Buffer\.from\s*\([^)]+,\s*['"]hex['"]\)/
+
+    condition:
+        filesize < 500KB and
+        // Bitcoin wallet targeting
+        any of ($target*) and
+        // Crypto/decode patterns
+        ($aes or $buffer_from) and
+        // One of the attack-specific patterns
+        ($flatmap or #pump > 2)
+}
+
+rule SUSP_NPM_PostinstallExfil
+{
+    meta:
+        description = "Detects suspicious npm packages with postinstall hooks accessing credentials and network"
+        author = "Trail of Bits"
+        reference = "https://blog.phylum.io/npm-supply-chain-attack-patterns/"
+        date = "2025-01-30"
+        score = 60
+
+    strings:
+        // Package.json install hooks
+        $hook1 = /"postinstall"\s*:\s*"[^"]+"/
+        $hook2 = /"preinstall"\s*:\s*"[^"]+"/
+
+        // Credential access patterns
+        $cred1 = /process\.env\.NPM_TOKEN/i
+        $cred2 = /process\.env\.GITHUB_TOKEN/i
+        $cred3 = /process\.env\.AWS_/
+
+        // Network exfiltration
+        $net1 = /fetch\s*\(\s*['"`]https?:\/\//
+        $net2 = /axios\.(post|put)\s*\(/
+        $net3 = /webhook/i
+
+        // False positive exclusions
+        $fp1 = "webpack" ascii
+        $fp2 = "electron-builder" ascii
+        $fp3 = "typescript" ascii
+
+    condition:
+        filesize < 5MB and
+        // Has install hook
+        any of ($hook*) and
+        // Accesses credentials
+        any of ($cred*) and
+        // Has network capability
+        any of ($net*) and
+        // Not a known build tool
+        not 2 of ($fp*)
+}

package/skills/yara-authoring/skills/yara-rule-authoring/examples/MAL_Win_Remcos_Jan25.yar

@@ -0,0 +1,103 @@
+/*
+    Real YARA Rule: Windows Remcos RAT Detection
+
+    This rule is adapted from Elastic Security's production rules for
+    detecting Remcos RAT. It demonstrates best practices for PE malware:
+    - Multiple rule versions targeting different indicators
+    - Proper metadata with attribution and references
+    - String selection based on unique behavioral markers
+    - Graduated string requirements (2 of, 3 of, 4 of)
+
+    Original source: https://github.com/elastic/protections-artifacts
+    License: Elastic License v2
+    Attribution: Elastic Security
+*/
+
+rule MAL_Win_Remcos_Watchdog
+{
+    meta:
+        description = "Detects Remcos RAT via unique watchdog mutex name and restart status strings"
+        author = "Elastic Security (adapted)"
+        reference = "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set"
+        date = "2021-06-10"
+        modified = "2025-01-30"
+        score = 90
+
+    strings:
+        // Unique watchdog-related strings
+        $a1 = "Remcos restarted by watchdog!" ascii fullword
+        $a2 = "Mutex_RemWatchdog" ascii fullword
+
+        // Version/logging format strings
+        $a3 = "%02i:%02i:%02i:%03i" ascii
+        $a4 = "* Remcos v" ascii fullword
+
+    condition:
+        // Filesize and magic bytes first (instant checks)
+        filesize < 5MB and
+        uint16(0) == 0x5A4D and
+
+        // Require 2 of these unique markers
+        2 of them
+}
+
+rule MAL_Win_Remcos_Features
+{
+    meta:
+        description = "Detects Remcos RAT via unique feature directory names and configuration file artifacts"
+        author = "Elastic Security (adapted)"
+        reference = "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set"
+        date = "2023-06-23"
+        modified = "2025-01-30"
+        score = 85
+
+    strings:
+        // Service/feature identifiers
+        $a1 = "ServRem" ascii fullword
+        $a2 = "Screenshots" ascii fullword
+        $a3 = "MicRecords" ascii fullword
+
+        // Binary/config names
+        $a4 = "remcos.exe" wide nocase fullword
+        $a5 = "Remcos" wide fullword
+        $a6 = "logs.dat" wide fullword
+
+    condition:
+        filesize < 5MB and
+        uint16(0) == 0x5A4D and
+
+        // Need 3 because individual strings are more common
+        3 of them
+}
+
+rule MAL_Win_Remcos_Agent
+{
+    meta:
+        description = "Detects Remcos RAT agent initialization messages and credential theft status strings"
+        author = "Elastic Security (adapted)"
+        reference = "https://github.com/elastic/protections-artifacts"
+        date = "2025-01-30"
+        score = 95
+
+    strings:
+        // Agent initialization and C2 communication
+        $a1 = "Remcos Agent initialized (" ascii fullword
+        $a2 = "Remcos v" ascii fullword
+        $a3 = "Uploading file to Controller: " ascii fullword
+
+        // Notification and logging artifacts
+        $a4 = "alarm.wav" ascii fullword
+        $a5 = "[%04i/%02i/%02i %02i:%02i:%02i " wide fullword
+        $a6 = "time_%04i%02i%02i_%02i%02i%02i" wide fullword
+
+        // Browser credential theft indicators
+        $a7 = "[Cleared browsers logins and cookies.]" ascii fullword
+        $a8 = "[Chrome StoredLogins found, cleared!]" ascii fullword
+
+    condition:
+        filesize < 10MB and
+        uint16(0) == 0x5A4D and
+
+        // Require 4 because some strings could appear elsewhere
+        4 of them
+}

package/skills/yara-authoring/skills/yara-rule-authoring/examples/SUSP_CRX_SuspiciousPermissions.yar

@@ -0,0 +1,134 @@
+/*
+    Example YARA-X Rule: Chrome Extension Analysis
+
+    This rule demonstrates the YARA-X crx module for detecting suspicious
+    Chrome extensions. Key features shown:
+    - `import "crx"` for module access
+    - `crx.is_crx` for file type validation
+    - Permission iteration with `for any perm in crx.permissions`
+    - `crx.permhash()` for threat hunting
+    - Red flag permission combinations
+
+    Requires YARA-X v1.5.0+ (crx module), v1.11.0+ (permhash)
+
+    Note: This is an educational example. Real rules should be tuned
+    based on your specific threat model and false positive tolerance.
+*/
+
+import "crx"
+
+rule SUSP_CRX_HighRiskPermissionCombo
+{
+    meta:
+        description = "Detects Chrome extensions with dangerous permission combinations that enable data exfiltration"
+        author = "YARA Skill Example <yara-authoring@example.com>"
+        reference = "https://developer.chrome.com/docs/extensions/reference/permissions-list"
+        date = "2025-01-29"
+        score = 70
+
+    condition:
+        // Validate file type first - crx module only works on CRX files
+        crx.is_crx and
+
+        // Red flag combination: native messaging + broad host access
+        // Allows extension to communicate with local executables
+        // while accessing data from many websites
+        (
+            for any perm in crx.permissions : (
+                perm == "nativeMessaging"
+            )
+        ) and
+        (
+            for any perm in crx.permissions : (
+                perm == "<all_urls>" or
+                perm == "*://*/*" or
+                perm == "http://*/*" or
+                perm == "https://*/*"
+            )
+        )
+}
+
+rule SUSP_CRX_DebuggerPermission
+{
+    meta:
+        description = "Detects Chrome extensions requesting debugger permission - can modify any page and intercept traffic"
+        author = "YARA Skill Example <yara-authoring@example.com>"
+        reference = "https://developer.chrome.com/docs/extensions/reference/api/debugger"
+        date = "2025-01-29"
+        score = 80
+
+    condition:
+        crx.is_crx and
+
+        // The debugger permission is extremely powerful:
+        // - Attach to any tab
+        // - Intercept/modify network requests
+        // - Execute scripts in page context
+        // - Access cookies and storage
+        // Legitimate uses exist (DevTools extensions) but rare
+        for any perm in crx.permissions : (
+            perm == "debugger"
+        )
+}
+
+rule SUSP_CRX_DataExfilPotential
+{
+    meta:
+        description = "Detects Chrome extensions with permissions enabling credential/data theft"
+        author = "YARA Skill Example <yara-authoring@example.com>"
+        reference = "https://example.com/crx-threat-research"
+        date = "2025-01-29"
+        score = 60
+
+    strings:
+        // Look for exfiltration patterns in extension code
+        // These appear in background scripts or content scripts
+        $fetch_post = /fetch\s*\([^)]+method\s*:\s*['"]POST['"]/
+        $xhr_send = /\.send\s*\(\s*JSON\.stringify/
+        $ws_send = /WebSocket[^;]+\.send\s*\(/
+
+        // Credential access patterns
+        $password_field = /document\.querySelector[^)]+type\s*=\s*['"]password['"]/
+        $form_data = /new\s+FormData\s*\(\s*document\./
+
+    condition:
+        crx.is_crx and
+
+        // Has storage access (for caching stolen data)
+        for any perm in crx.permissions : (
+            perm == "storage" or
+            perm == "unlimitedStorage"
+        ) and
+
+        // Has broad page access
+        for any perm in crx.permissions : (
+            perm == "<all_urls>" or
+            perm == "activeTab" or
+            perm == "tabs"
+        ) and
+
+        // Shows data collection + exfiltration behavior
+        (1 of ($fetch_post, $xhr_send, $ws_send)) and
+        (1 of ($password_field, $form_data))
+}
+
+rule SUSP_CRX_PermhashCluster
+{
+    meta:
+        description = "Detects extensions matching known malicious permission profile hash cluster"
+        author = "YARA Skill Example <yara-authoring@example.com>"
+        reference = "https://example.com/crx-permhash-research"
+        date = "2025-01-29"
+        score = 50
+
+    condition:
+        crx.is_crx and
+
+        // permhash() generates a hash of the extension's permissions
+        // Useful for clustering extensions with identical capability profiles
+        // These are fictional hashes for demonstration
+        (
+            crx.permhash() == "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4" or
+            crx.permhash() == "f6e5d4c3b2a1f6e5d4c3b2a1f6e5d4c3"
+        )
+}

package/skills/yara-authoring/skills/yara-rule-authoring/examples/SUSP_JS_Obfuscation_Jan25.yar

@@ -0,0 +1,185 @@
+/*
+    Real YARA Rules: JavaScript Obfuscation Detection
+
+    These rules detect common JavaScript obfuscation patterns used by malware.
+    They demonstrate best practices for JavaScript/browser malware:
+    - Targeting obfuscator-specific signatures
+    - Using occurrence counts for density-based detection
+    - Combining multiple weak indicators into strong detection
+
+    Sources:
+    - imp0rtp3/js-yara-rules: obfuscator.io patterns
+    - Nils Kuhnert: SocGholish patterns
+    - Josh Trombley: SocGholish inject patterns
+
+    Attribution: @imp0rtp3, Nils Kuhnert, Josh Trombley
+*/
+
+rule SUSP_JS_Obfuscator_IO
+{
+    meta:
+        description = "Detects JavaScript obfuscated by obfuscator.io (common in malware)"
+        author = "@imp0rtp3 (adapted)"
+        reference = "https://github.com/imp0rtp3/js-yara-rules"
+        date = "2021-01-01"
+        modified = "2025-01-30"
+        score = 60
+
+    strings:
+        // Beginning of obfuscated script - variable naming pattern
+        $start1 = "var a0_0x" ascii
+        $start2 = /var _0x[a-f0-9]{4}/ ascii
+
+        // Obfuscator.io specific function call patterns
+        $pattern1 = /a0_0x([a-f0-9]{2}){2,4}\('?0x[0-9a-f]{1,3}'?\)/
+        $pattern2 = /_0x([a-f0-9]{2}){2,4}\('?0x[0-9a-f]{1,3}'?\)/
+        $pattern3 = /_0x([a-f0-9]{2}){2,4}\['push'\]\(_0x([a-f0-9]{2}){2,4}\['shift'\]\(\)\)/
+
+        // Common obfuscator.io code patterns
+        $code1 = "))),function(){try{var _0x" ascii
+        $code2 = "['atob']=function(" ascii
+        $code3 = ")['replace'](/=+$/,'');var" ascii
+        $code4 = "return!![]" ascii
+        $code5 = "while(!![])" ascii
+
+    condition:
+        filesize < 1MB and
+        (
+            // Script starts with obfuscator pattern
+            $start1 at 0 or
+            $start2 at 0 or
+
+            // High density of obfuscated function calls
+            (#pattern1 + #pattern2) > (filesize \ 200) or
+            #pattern3 > 1 or
+
+            // Multiple obfuscator code patterns
+            3 of ($code*)
+        )
+}
+
+rule MAL_JS_SocGholish_Dropper
+{
+    meta:
+        description = "Detects SocGholish fake update JavaScript dropper via ActiveX and bracket notation patterns"
+        author = "Nils Kuhnert (adapted)"
+        reference = "https://github.com/imp0rtp3/js-yara-rules"
+        date = "2021-03-29"
+        modified = "2025-01-30"
+        hash1 = "7ccbdcde5a9b30f8b2b866a5ca173063dec7bc92034e7cf10e3eebff017f3c23"
+        score = 85
+
+    strings:
+        // Must start with try block (SocGholish signature)
+        // Note: Short string, but position-anchored in condition
+        $try_block = "try{" ascii
+
+        // ActiveX object creation (Windows-specific)
+        $ax1 = "new ActiveXObject('Scripting.FileSystemObject');" ascii
+        $ax2 = "new ActiveXObject('MSXML2.XMLHTTP')" ascii
+
+        // Bracket notation to evade detection
+        $brack1 = "['DeleteFile']" ascii
+        $brack2 = "['WScript']['ScriptFullName']" ascii
+        $brack3 = "['WScript']['Sleep'](1000)" ascii
+        $brack4 = "this['eval']" ascii
+        $brack5 = "String['fromCharCode']" ascii
+
+        // Magic numbers used in decoding
+        $magic1 = "2), 16)," ascii
+        $magic2 = "= 103," ascii
+        $magic3 = "'00000000'" ascii
+
+    condition:
+        // SocGholish starts with "try{" block
+        $try_block in (0..10) and
+
+        // Typical size range for SocGholish dropper
+        filesize > 3KB and filesize < 5KB and
+
+        // Need most of these patterns
+        8 of ($ax*, $brack*, $magic*)
+}
+
+rule SUSP_JS_Inject_ScriptLoader
+{
+    meta:
+        description = "Detects JavaScript injection patterns that load external scripts"
+        author = "Josh Trombley (adapted)"
+        reference = "https://github.com/imp0rtp3/js-yara-rules"
+        date = "2021-09-02"
+        modified = "2025-01-30"
+        score = 55
+
+    strings:
+        // Dynamic script element creation
+        $create = "document.createElement('script')" ascii
+        $type = "type = 'text/javascript'" ascii nocase
+
+        // DOM injection
+        $get_scripts = "document.getElementsByTagName('script')" ascii
+        $insert = ".parentNode.insertBefore(" ascii
+
+        // Decoding patterns
+        $atob = "=window.atob(" ascii
+        $regex = "new RegExp(" ascii
+
+    condition:
+        filesize < 500KB and
+        all of them
+}
+
+rule SUSP_JS_Base64Encoded_Payload
+{
+    meta:
+        description = "Detects JavaScript with base64-encoded payloads commonly used in injection attacks"
+        author = "Josh Trombley (adapted)"
+        reference = "https://github.com/imp0rtp3/js-yara-rules"
+        date = "2021-09-02"
+        modified = "2025-01-30"
+        score = 50
+
+    strings:
+        // Base64 strings commonly found in SocGholish injections
+        // These decode to browser detection/injection strings
+        $b64_referrer = "cmVmZXJyZXI=" ascii          // "referrer"
+        $b64_useragent = "dXNlckFnZW50" ascii         // "userAgent"
+        $b64_localStorage = "bG9jYWxTdG9yYWdl" ascii  // "localStorage"
+        $b64_windows = "V2luZG93cw==" ascii           // "Windows"
+        $b64_href = "aHJlZg==" ascii                  // "href"
+        $b64_android = "QW5kcm9pZA==" ascii           // "Android"
+
+    condition:
+        filesize < 500KB and
+        4 of them
+}
+
+rule SUSP_JS_EvalDecode_Chain
+{
+    meta:
+        description = "Detects eval + decode chains commonly used in JavaScript malware"
+        author = "Trail of Bits"
+        reference = "https://blog.malwarebytes.com/threat-analysis/2020/10/kraken-attack-uses-eval-to-execute-javascript/"
+        date = "2025-01-30"
+        score = 65
+
+    strings:
+        // eval + atob (base64 decode)
+        $eval_atob = /eval\s*\(\s*atob\s*\(/ nocase
+
+        // eval + fromCharCode
+        $eval_charcode = /eval\s*\(\s*String\.fromCharCode/ nocase
+
+        // eval + unescape
+        $eval_unescape = /eval\s*\(\s*unescape\s*\(/ nocase
+
+        // Function constructor (alternative to eval)
+        $func_constructor = /Function\s*\(\s*['"]return/ nocase
+
+        // Multiple decode stages
+        $multi_decode = /atob\s*\([^)]+atob\s*\(/ nocase
+
+    condition:
+        filesize < 1MB and
+        2 of them
+}