@trailofbits/vsix-audit 0.1.0

package/zoo/signatures/yara/rat_capabilities.yar

@@ -0,0 +1,243 @@
+/*
+    GlassWorm RAT Capabilities Detection
+    Detects Remote Access Trojan patterns including SOCKS proxy, VNC, and remote execution
+    Based on GlassWorm RAT capabilities for persistent access
+*/
+
+rule RAT_JS_GlassWorm_SOCKS_Proxy_Jan25 {
+  meta:
+    description = "Detects GlassWorm-style SOCKS proxy server deployment for network tunneling and pivoting"
+    severity    = "high"
+    score       = "85"
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+    reference   = "https://www.koi.security/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace"
+
+  strings:
+    // SOCKS proxy patterns
+    $socks_proxy        = "socks" nocase ascii wide
+    $socks_server       = "socksServer" ascii wide
+    $socks_proxy_server = "socksProxyServer" ascii wide
+    $socks5             = "socks5" nocase ascii wide
+    $socks4             = "socks4" nocase ascii wide
+
+    // Network server creation
+    $create_server       = "createServer" ascii wide
+    $net_create_server   = "net.createServer" ascii wide
+    $http_create_server  = "http.createServer" ascii wide
+    $https_create_server = "https.createServer" ascii wide
+
+    // Proxy configuration
+    $proxy_config = "proxyConfig" ascii wide
+    $proxy_server = "proxyServer" ascii wide
+    $proxy_port   = "proxyPort" ascii wide
+    $proxy_host   = "proxyHost" ascii wide
+
+    // Network binding
+    $listen = "listen" ascii wide
+    $bind   = "bind" ascii wide
+    $port   = "port" ascii wide
+    $host   = "host" ascii wide
+
+    // SOCKS protocol
+    $socks_auth    = "socksAuth" ascii wide
+    $socks_connect = "socksConnect" ascii wide
+    $socks_relay   = "socksRelay" ascii wide
+
+  condition:
+    // High confidence: SOCKS proxy + server creation + network binding
+    (any of ($socks_proxy, $socks_server, $socks_proxy_server, $socks5, $socks4)) and
+    (any of ($create_server, $net_create_server, $http_create_server, $https_create_server)) and
+    (any of ($listen, $bind, $port, $host, $proxy_config, $proxy_server, $proxy_port, $proxy_host, $socks_auth, $socks_connect, $socks_relay))
+}
+
+rule RAT_JS_GlassWorm_VNC_Install_Jan25 {
+  meta:
+    description = "Detects GlassWorm-style VNC or HVNC installation for remote desktop access and control"
+    severity    = "high"
+    score       = "90"
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+    reference   = "https://www.koi.security/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace"
+
+  strings:
+    // VNC patterns
+    $vnc      = "vnc" nocase ascii wide
+    $hvnc     = "hvnc" nocase ascii wide
+    $tightvnc = "tightvnc" nocase ascii wide
+    $ultravnc = "ultravnc" nocase ascii wide
+    $realvnc  = "realvnc" nocase ascii wide
+
+    // VNC installation
+    $vnc_install   = "vncInstall" ascii wide
+    $vnc_setup     = "vncSetup" ascii wide
+    $vnc_configure = "vncConfigure" ascii wide
+    $vnc_start     = "vncStart" ascii wide
+
+    // VNC server
+    $vnc_server  = "vncServer" ascii wide
+    $vnc_daemon  = "vncDaemon" ascii wide
+    $vnc_service = "vncService" ascii wide
+
+    // Remote desktop access
+    $remote_desktop  = "remoteDesktop" ascii wide
+    $desktop_sharing = "desktopSharing" ascii wide
+    $screen_sharing  = "screenSharing" ascii wide
+    $remote_access   = "remoteAccess" ascii wide
+
+    // VNC configuration
+    $vnc_password = "vncPassword" ascii wide
+    $vnc_port     = "vncPort" ascii wide
+    $vnc_display  = "vncDisplay" ascii wide
+
+  condition:
+    // High confidence: VNC installation + server setup + remote access
+    (any of ($vnc, $hvnc, $tightvnc, $ultravnc, $realvnc)) and
+    (any of ($vnc_install, $vnc_setup, $vnc_configure, $vnc_start, $vnc_server, $vnc_daemon, $vnc_service)) and
+    (any of ($remote_desktop, $desktop_sharing, $screen_sharing, $remote_access, $vnc_password, $vnc_port, $vnc_display))
+}
+
+rule RAT_JS_GlassWorm_Remote_Exec_Jan25 {
+  meta:
+    description = "Detects GlassWorm-style remote command execution infrastructure with network-triggered shell access"
+    severity    = "critical"
+    score       = "95"
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+    reference   = "https://www.koi.security/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace"
+
+  strings:
+    // Command execution patterns
+    $exec     = "exec" ascii wide
+    $spawn    = "spawn" ascii wide
+    $execFile = "execFile" ascii wide
+    $execSync = "execSync" ascii wide
+
+    // Child process creation
+    $child_process = "child_process" ascii wide
+    $fork          = "fork" ascii wide
+    $spawn_process = "spawnProcess" ascii wide
+
+    // Remote command execution
+    $remote_exec    = "remoteExec" ascii wide
+    $remote_command = "remoteCommand" ascii wide
+    $remote_shell   = "remoteShell" ascii wide
+    $remote_cmd     = "remoteCmd" ascii wide
+
+    // Command and control
+    $command_control = "commandControl" ascii wide
+    $cmd_control     = "cmdControl" ascii wide
+    $shell_control   = "shellControl" ascii wide
+
+    // Network command execution
+    $net_exec    = "netExec" ascii wide
+    $socket_exec = "socketExec" ascii wide
+    $tcp_exec    = "tcpExec" ascii wide
+
+    // Command parsing
+    $parse_command   = "parseCommand" ascii wide
+    $execute_command = "executeCommand" ascii wide
+    $run_command     = "runCommand" ascii wide
+
+  condition:
+    // Critical: Command execution + remote capabilities + network communication
+    (any of ($exec, $spawn, $execFile, $execSync, $child_process, $fork, $spawn_process)) and
+    (any of ($remote_exec, $remote_command, $remote_shell, $remote_cmd, $command_control, $cmd_control, $shell_control)) and
+    (any of ($net_exec, $socket_exec, $tcp_exec, $parse_command, $execute_command, $run_command))
+}
+
+rule RAT_JS_GlassWorm_Persistent_Backdoor_Jan25 {
+  meta:
+    description = "Detects GlassWorm-style persistent backdoor using registry, services, or scheduled tasks"
+    severity    = "high"
+    score       = "90"
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+    reference   = "https://www.koi.security/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace"
+
+  strings:
+    // Persistence mechanisms
+    $persistence    = "persistence" ascii wide
+    $backdoor       = "backdoor" ascii wide
+    $persistent     = "persistent" ascii wide
+    $survive_reboot = "surviveReboot" ascii wide
+
+    // Registry persistence (Windows)
+    $reg_run      = "regRun" ascii wide
+    $registry_run = "registryRun" ascii wide
+    $startup_key  = "startupKey" ascii wide
+    $auto_start   = "autoStart" ascii wide
+
+    // Service installation
+    $service_install = "serviceInstall" ascii wide
+    $service_create  = "serviceCreate" ascii wide
+    $service_start   = "serviceStart" ascii wide
+    $service_auto    = "serviceAuto" ascii wide
+
+    // Scheduled tasks
+    $scheduled_task = "scheduledTask" ascii wide
+    $cron_job       = "cronJob" ascii wide
+    $task_scheduler = "taskScheduler" ascii wide
+
+    // Startup folder
+    $startup_folder   = "startupFolder" ascii wide
+    $startup_shortcut = "startupShortcut" ascii wide
+    $startup_link     = "startupLink" ascii wide
+
+    // Hidden files
+    $hidden_file = "hiddenFile" ascii wide
+    $system_file = "systemFile" ascii wide
+    $temp_file   = "tempFile" ascii wide
+
+  condition:
+    // High confidence: Persistence + registry/service manipulation + hidden files
+    (any of ($persistence, $backdoor, $persistent, $survive_reboot)) and
+    (any of ($reg_run, $registry_run, $startup_key, $auto_start, $service_install, $service_create, $service_start, $service_auto, $scheduled_task, $cron_job, $task_scheduler)) and
+    (any of ($startup_folder, $startup_shortcut, $startup_link, $hidden_file, $system_file, $temp_file))
+}
+
+rule RAT_JS_GlassWorm_Network_Recon_Jan25 {
+  meta:
+    description = "Detects GlassWorm-style network reconnaissance with port scanning and lateral movement capabilities"
+    severity    = "medium"
+    score       = "75"
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+    reference   = "https://www.koi.security/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace"
+
+  strings:
+    // Network scanning
+    $network_scan      = "networkScan" ascii wide
+    $port_scan         = "portScan" ascii wide
+    $host_scan         = "hostScan" ascii wide
+    $network_discovery = "networkDiscovery" ascii wide
+
+    // Network enumeration
+    $enumerate_hosts = "enumerateHosts" ascii wide
+    $discover_hosts  = "discoverHosts" ascii wide
+    $scan_network    = "scanNetwork" ascii wide
+    $map_network     = "mapNetwork" ascii wide
+
+    // Lateral movement
+    $lateral_movement = "lateralMovement" ascii wide
+    $pivot            = "pivot" ascii wide
+    $jump_host        = "jumpHost" ascii wide
+    $relay            = "relay" ascii wide
+
+    // Network tools
+    $nmap       = "nmap" ascii wide
+    $ping       = "ping" ascii wide
+    $traceroute = "traceroute" ascii wide
+    $netstat    = "netstat" ascii wide
+
+    // Network protocols
+    $tcp_scan  = "tcpScan" ascii wide
+    $udp_scan  = "udpScan" ascii wide
+    $icmp_scan = "icmpScan" ascii wide
+
+  condition:
+    // Detect network reconnaissance with scanning tools
+    (any of ($network_scan, $port_scan, $host_scan, $network_discovery, $enumerate_hosts, $discover_hosts, $scan_network, $map_network)) and
+    (any of ($lateral_movement, $pivot, $jump_host, $relay, $nmap, $ping, $traceroute, $netstat)) and
+    (any of ($tcp_scan, $udp_scan, $icmp_scan))
+}

package/zoo/signatures/yara/self_propagation.yar

@@ -0,0 +1,239 @@
+/*
+    GlassWorm Self-Propagation Detection
+    Detects worm self-propagation patterns including automated publishing and credential reuse
+    Based on GlassWorm worm behavior for autonomous spread
+*/
+
+rule MAL_JS_GlassWorm_Auto_Publish_Jan25 {
+  meta:
+    description = "Detects GlassWorm-style automated package publishing using stolen credentials for worm propagation"
+    severity    = "high"
+    score       = "85"
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+    reference   = "https://www.koi.security/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace"
+
+  strings:
+    // Package publishing
+    $npm_publish     = "npm publish" ascii wide
+    $yarn_publish    = "yarn publish" ascii wide
+    $publish_package = "publishPackage" ascii wide
+    $auto_publish    = "autoPublish" ascii wide
+
+    // Extension publishing
+    $vsce_publish        = "vsce publish" ascii wide
+    $extension_publish   = "extensionPublish" ascii wide
+    $marketplace_publish = "marketplacePublish" ascii wide
+    $openvsx_publish     = "openvsxPublish" ascii wide
+
+    // Automated publishing
+    $automated_publish = "automatedPublish" ascii wide
+    $auto_upload       = "autoUpload" ascii wide
+    $batch_publish     = "batchPublish" ascii wide
+    $mass_publish      = "massPublish" ascii wide
+
+    // Credential usage
+    $use_credentials    = "useCredentials" ascii wide
+    $auth_publish       = "authPublish" ascii wide
+    $token_publish      = "tokenPublish" ascii wide
+    $credential_publish = "credentialPublish" ascii wide
+
+    // Publishing APIs
+    $npm_api         = "npmApi" ascii wide
+    $github_api      = "githubApi" ascii wide
+    $openvsx_api     = "openvsxApi" ascii wide
+    $marketplace_api = "marketplaceApi" ascii wide
+
+  condition:
+    // High confidence: Automated publishing + credential usage + API access
+    (any of ($npm_publish, $yarn_publish, $publish_package, $auto_publish, $vsce_publish, $extension_publish, $marketplace_publish, $openvsx_publish)) and
+    (any of ($automated_publish, $auto_upload, $batch_publish, $mass_publish)) and
+    (any of ($use_credentials, $auth_publish, $token_publish, $credential_publish, $npm_api, $github_api, $openvsx_api, $marketplace_api))
+}
+
+rule MAL_JS_GlassWorm_Credential_Reuse_Jan25 {
+  meta:
+    description = "Detects GlassWorm-style credential reuse pattern for compromising multiple accounts"
+    severity    = "high"
+    score       = "80"
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+    reference   = "https://www.koi.security/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace"
+
+  strings:
+    // Credential validation
+    $validate_credentials = "validateCredentials" ascii wide
+    $test_credentials     = "testCredentials" ascii wide
+    $check_credentials    = "checkCredentials" ascii wide
+    $verify_credentials   = "verifyCredentials" ascii wide
+
+    // Credential reuse
+    $reuse_credentials = "reuseCredentials" ascii wide
+    $credential_reuse  = "credentialReuse" ascii wide
+    $reuse_auth        = "reuseAuth" ascii wide
+    $reuse_token       = "reuseToken" ascii wide
+
+    // Multiple account access
+    $multi_account = "multiAccount" ascii wide
+    $batch_account = "batchAccount" ascii wide
+    $bulk_account  = "bulkAccount" ascii wide
+    $mass_account  = "massAccount" ascii wide
+
+    // Account enumeration
+    $enumerate_accounts = "enumerateAccounts" ascii wide
+    $list_accounts      = "listAccounts" ascii wide
+    $scan_accounts      = "scanAccounts" ascii wide
+    $discover_accounts  = "discoverAccounts" ascii wide
+
+    // Credential rotation
+    $rotate_credentials  = "rotateCredentials" ascii wide
+    $credential_rotation = "credentialRotation" ascii wide
+    $auth_rotation       = "authRotation" ascii wide
+
+  condition:
+    // Detect credential validation with reuse patterns
+    (any of ($validate_credentials, $test_credentials, $check_credentials, $verify_credentials)) and
+    (any of ($reuse_credentials, $credential_reuse, $reuse_auth, $reuse_token)) and
+    (any of ($multi_account, $batch_account, $bulk_account, $mass_account, $enumerate_accounts, $list_accounts, $scan_accounts, $discover_accounts, $rotate_credentials, $credential_rotation, $auth_rotation))
+}
+
+rule MAL_JS_GlassWorm_Git_Automation_Jan25 {
+  meta:
+    description = "Detects GlassWorm-style automated git operations for spreading malicious code to repositories"
+    severity    = "high"
+    score       = "85"
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+    reference   = "https://www.koi.security/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace"
+
+  strings:
+    // Git automation
+    $git_automation = "gitAutomation" ascii wide
+    $auto_git       = "autoGit" ascii wide
+    $git_bot        = "gitBot" ascii wide
+    $automated_git  = "automatedGit" ascii wide
+
+    // Git operations
+    $git_commit = "git commit" ascii wide
+    $git_push   = "git push" ascii wide
+    $git_pull   = "git pull" ascii wide
+    $git_clone  = "git clone" ascii wide
+
+    // Automated git workflow
+    $git_workflow = "gitWorkflow" ascii wide
+    $auto_commit  = "autoCommit" ascii wide
+    $auto_push    = "autoPush" ascii wide
+    $batch_git    = "batchGit" ascii wide
+
+    // Repository manipulation
+    $repo_manipulate  = "repoManipulate" ascii wide
+    $repo_inject      = "repoInject" ascii wide
+    $repo_contaminate = "repoContaminate" ascii wide
+    $repo_infect      = "repoInfect" ascii wide
+
+    // Git hooks
+    $git_hooks   = "gitHooks" ascii wide
+    $pre_commit  = "preCommit" ascii wide
+    $post_commit = "postCommit" ascii wide
+    $pre_push    = "prePush" ascii wide
+
+  condition:
+    // Detect git automation with repository manipulation
+    (any of ($git_automation, $auto_git, $git_bot, $automated_git, $git_commit, $git_push, $git_pull, $git_clone)) and
+    (any of ($git_workflow, $auto_commit, $auto_push, $batch_git)) and
+    (any of ($repo_manipulate, $repo_inject, $repo_contaminate, $repo_infect, $git_hooks, $pre_commit, $post_commit, $pre_push))
+}
+
+rule MAL_JS_GlassWorm_Worm_Propagation_Jan25 {
+  meta:
+    description = "Detects GlassWorm-style worm self-replication and autonomous propagation mechanisms"
+    severity    = "critical"
+    score       = "95"
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+    reference   = "https://www.koi.security/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace"
+
+  strings:
+    // Worm patterns
+    $worm      = "worm" ascii wide
+    $propagate = "propagate" ascii wide
+    $spread    = "spread" ascii wide
+    $infect    = "infect" ascii wide
+
+    // Self-replication
+    $self_replicate = "selfReplicate" ascii wide
+    $self_copy      = "selfCopy" ascii wide
+    $self_propagate = "selfPropagate" ascii wide
+    $auto_replicate = "autoReplicate" ascii wide
+
+    // Propagation vectors
+    $propagation_vector = "propagationVector" ascii wide
+    $spread_vector      = "spreadVector" ascii wide
+    $infection_vector   = "infectionVector" ascii wide
+    $attack_vector      = "attackVector" ascii wide
+
+    // Autonomous behavior
+    $autonomous      = "autonomous" ascii wide
+    $self_sustaining = "selfSustaining" ascii wide
+    $self_contained  = "selfContained" ascii wide
+    $independent     = "independent" ascii wide
+
+    // Worm lifecycle
+    $worm_lifecycle    = "wormLifecycle" ascii wide
+    $infection_cycle   = "infectionCycle" ascii wide
+    $propagation_cycle = "propagationCycle" ascii wide
+    $spread_cycle      = "spreadCycle" ascii wide
+
+  condition:
+    // Critical: Worm behavior + self-replication + autonomous operation
+    (any of ($worm, $propagate, $spread, $infect)) and
+    (any of ($self_replicate, $self_copy, $self_propagate, $auto_replicate)) and
+    (any of ($propagation_vector, $spread_vector, $infection_vector, $attack_vector, $autonomous, $self_sustaining, $self_contained, $independent, $worm_lifecycle, $infection_cycle, $propagation_cycle, $spread_cycle))
+}
+
+rule MAL_JS_GlassWorm_Supply_Chain_Abuse_Jan25 {
+  meta:
+    description = "Detects GlassWorm-style supply chain abuse through package ecosystem and dependency injection"
+    severity    = "high"
+    score       = "90"
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+    reference   = "https://www.koi.security/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace"
+
+  strings:
+    // Supply chain patterns
+    $supply_chain     = "supplyChain" ascii wide
+    $package_chain    = "packageChain" ascii wide
+    $dependency_chain = "dependencyChain" ascii wide
+    $repo_chain       = "repoChain" ascii wide
+
+    // Package ecosystem abuse
+    $ecosystem_abuse   = "ecosystemAbuse" ascii wide
+    $package_abuse     = "packageAbuse" ascii wide
+    $registry_abuse    = "registryAbuse" ascii wide
+    $marketplace_abuse = "marketplaceAbuse" ascii wide
+
+    // Dependency injection
+    $dependency_inject = "dependencyInject" ascii wide
+    $package_inject    = "packageInject" ascii wide
+    $repo_inject       = "repoInject" ascii wide
+    $chain_inject      = "chainInject" ascii wide
+
+    // Automated compromise
+    $auto_compromise  = "autoCompromise" ascii wide
+    $batch_compromise = "batchCompromise" ascii wide
+    $mass_compromise  = "massCompromise" ascii wide
+    $bulk_compromise  = "bulkCompromise" ascii wide
+
+    // Trust exploitation
+    $trust_exploit    = "trustExploit" ascii wide
+    $trust_abuse      = "trustAbuse" ascii wide
+    $reputation_abuse = "reputationAbuse" ascii wide
+    $legitimacy_abuse = "legitimacyAbuse" ascii wide
+
+  condition:
+    // Detect supply chain abuse with automated compromise
+    (any of ($supply_chain, $package_chain, $dependency_chain, $repo_chain)) and
+    (any of ($ecosystem_abuse, $package_abuse, $registry_abuse, $marketplace_abuse)) and
+    (any of ($dependency_inject, $package_inject, $repo_inject, $chain_inject, $auto_compromise, $batch_compromise, $mass_compromise, $bulk_compromise, $trust_exploit, $trust_abuse, $reputation_abuse, $legitimacy_abuse))
+}

package/zoo/signatures/yara/unicode_stealth.yar

@@ -0,0 +1,48 @@
+/*
+    GlassWorm Unicode Stealth Detection
+    Detects invisible Unicode variation selectors used to hide malicious code
+
+    IMPORTANT: This rule requires MANY variation selectors plus eval/Function.
+    A few zero-width characters are normal in i18n bundles.
+*/
+
+rule MAL_JS_GlassWorm_Unicode_Stealth_Jan25 {
+  meta:
+    description = "Detects GlassWorm-style invisible Unicode variation selectors used to hide malicious code"
+    severity    = "critical"
+    score       = "95"
+    author      = "vsix-audit"
+    date        = "2025-01-29"
+    reference   = "https://www.koi.security/blog/glassworm-first-self-propagating-worm-using-invisible-code-hits-openvsx-marketplace"
+
+  strings:
+    // UTF-8 encoded variation selectors (U+FE00-U+FE0F)
+    // Note: These are 3-byte UTF-8 sequences EF B8 80 through EF B8 8F
+    $vs_utf8 = { EF B8 (80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 8A | 8B | 8C | 8D | 8E | 8F) }
+
+    // Code execution patterns - must have eval or Function
+    $eval     = "eval(" ascii wide
+    $function = "new Function(" ascii wide
+
+    // Decode patterns that are used to extract the hidden code
+    $decode1 = "String.fromCharCode" ascii wide
+    $decode2 = "charCodeAt" ascii wide
+
+    // Zero-width space (U+200B) - used in obfuscation
+    $zws = { E2 80 8B }
+
+    // Zero-width non-joiner (U+200C) and joiner (U+200D)
+    $zwc = { E2 80 (8C | 8D) }
+
+  condition:
+    // Require VERY MANY variation selectors (50+) for standalone detection
+    // Normal i18n/emoji bundles have < 30, malware has hundreds
+    (#vs_utf8 > 50 and any of ($eval, $function)) or
+    // Or: moderate VS count + both eval AND decode (full chain)
+    (#vs_utf8 > 20 and any of ($eval, $function) and any of ($decode*)) or
+    // Or: many zero-width chars + eval (different obfuscation style)
+    ((#zws + #zwc) > 30 and any of ($eval, $function))
+}
+
+// REMOVED: GlassWorm_Suspicious_Code_Gaps
+// This rule was removed earlier - it matched any code with whitespace.

package/zoo/signatures/yara/websocket_c2.yar

@@ -0,0 +1,83 @@
+/*
+    WebSocket C2 Detection
+    Detects WebSocket-based command and control patterns
+*/
+
+rule C2_JS_WebSocket_Command_Exec_Jan25 {
+  meta:
+    description = "Detects WebSocket C2 pattern with message handler triggering child_process command execution"
+    severity    = "high"
+    score       = 80
+    author      = "vsix-audit"
+    date        = "2025-01-30"
+
+  strings:
+    // WebSocket creation
+    $ws1 = "new WebSocket(" ascii wide
+    $ws2 = "WebSocket(" ascii wide
+    $ws3 = "ws://" ascii wide
+    $ws4 = "wss://" ascii wide
+
+    // Message handling (specific patterns)
+    $msg1 = ".onmessage" ascii wide
+    $msg2 = ".on('message'" ascii wide
+    $msg3 = ".on(\"message\"" ascii wide
+
+    // Command execution via child_process (not just setTimeout)
+    $exec_cp      = "child_process" ascii wide
+    $exec_method1 = ".exec(" ascii wide
+    $exec_method2 = ".spawn(" ascii wide
+    $exec_sync1   = "execSync" ascii wide
+    $exec_sync2   = "spawnSync" ascii wide
+
+    // Eval from message (dangerous pattern)
+    $eval_msg = "eval(" ascii wide
+
+    // C2-specific patterns
+    $c2_cmd   = "command" ascii wide
+    $c2_shell = "shell" ascii wide nocase
+    $c2_run   = "runCommand" ascii wide
+
+  condition:
+    // WebSocket + message handler + child_process execution
+    any of ($ws*) and any of ($msg*) and
+    (
+      // Direct child_process usage with exec/spawn method
+      ($exec_cp and any of ($exec_method*, $exec_sync*)) or
+      // Eval from WebSocket (rare in legit code)
+      ($eval_msg and any of ($c2_cmd, $c2_shell, $c2_run))
+    )
+}
+
+rule RAT_JS_WebSocket_Reverse_Shell_Jan25 {
+  meta:
+    description = "Detects WebSocket reverse shell with shell process stdin/stdout piped through socket"
+    severity    = "critical"
+    score       = 95
+    author      = "vsix-audit"
+    date        = "2025-01-30"
+
+  strings:
+    // WebSocket creation
+    $ws1 = "new WebSocket(" ascii wide
+    $ws2 = "WebSocket(" ascii wide
+    $ws3 = "ws://" ascii wide
+    $ws4 = "wss://" ascii wide
+
+    // Shell paths
+    $shell1 = "/bin/sh" ascii wide
+    $shell2 = "/bin/bash" ascii wide
+    $shell3 = "/bin/zsh" ascii wide
+    $shell4 = "cmd.exe" ascii wide
+    $shell5 = "powershell" ascii wide nocase
+
+    // Stream piping (connecting shell to socket)
+    $pipe1 = ".pipe(" ascii wide
+    $pipe2 = "stdin" ascii wide
+    $pipe3 = "stdout" ascii wide
+    $pipe4 = "stderr" ascii wide
+    $pipe5 = ".send(" ascii wide
+
+  condition:
+    any of ($ws*) and any of ($shell*) and 2 of ($pipe*)
+}