| name | yara-malware-hunter |
| description | Scan target/ (source AND binaries/assets) with YARA / YARA-X against curated rulesets (Yara-Rules community + Neo23x0 signature-base) plus project-specific rules in rules/yara/. Also handles capa for binary capability extraction. |
| license | MIT (ZONOVA RESEARCH — coldvault.dev) |
| source_inspiration | trailofbits/skills/yara-authoring |
yara-malware-hunter
Inputs
target/ — full tree including any shipped binaries, node_modules/.bin/*,
pre-built wheels, vendored .jar, .dll, .so, .exe, .apk, .deb…
- Ruleset roots:
$YARA_RULES_DIR/yara-rules (community)
$YARA_RULES_DIR/signature-base (Neo23x0, APT/malware families)
rules/yara/ (project-specific)
Run
find target -type f \( \
-name '*.exe' -o -name '*.dll' -o -name '*.so' -o -name '*.dylib' \
-o -name '*.apk' -o -name '*.jar' -o -name '*.wasm' -o -name '*.bin' \
-o -name '*.deb' -o -name '*.rpm' -o -name '*.pyz' \
\) > reports/binary-inventory.txt
yara -r -w \
$YARA_RULES_DIR/yara-rules \
$YARA_RULES_DIR/signature-base \
rules/yara/ \
target/ 2> reports/yara-errors.log \
> reports/yara-matches.txt
while read -r bin; do
capa "$bin" --json > "reports/capa-$(basename "$bin").json" 2>/dev/null || true
done < reports/binary-inventory.txt
clamscan -r -i --detect-pua=yes --max-filesize=100M \
--log=reports/clamav.log target/
find target -type f \( -name '*.doc*' -o -name '*.xls*' -o -name '*.ppt*' \
-o -name '*.rtf' \) -exec olevba -j {} \; > reports/oletools.json 2>/dev/null || true
Triage
yara match on a file → read the matching rule's metadata, classify as
LOW/MEDIUM/HIGH based on the rule family (APT_*, RAT_*, Miner_* →
HIGH).
capa capabilities that include launch process, encode data using base64,
exfiltrate data, persistence → HIGH attention.
- ClamAV detections → treat as HIGH; verify not a false positive (hash check
against VirusTotal — do this manually from the analyst laptop, not the
Codespace).
Writing a custom YARA rule
// rules/yara/zonova-node-ipc-sabotage.yar
rule zonova_node_ipc_sabotage {
meta:
author = "ZONOVA RESEARCH"
date = "2026-04-20"
description = "node-ipc sabotage pattern (peacenotwar, 2022)"
reference = "https://github.com/advisories/GHSA-97m3-w2cp-4xx6"
severity = "HIGH"
strings:
$a = "./ssl-geospec.js" ascii
$b = "PEACE!=WAR" ascii wide
$c = { 68 65 61 72 74 73 } // "hearts"
condition:
2 of them
}
Output
Convert YARA hits into the finding schema:
{
"file": "target/.../suspicious.js",
"line": 1,
"severity": "HIGH",
"category": "malware_signature",
"description": "YARA rule zonova_node_ipc_sabotage matched (2/3 strings)",
"exploit_scenario": "Known node-ipc sabotage payload (peacenotwar).",
"recommendation": "Remove the dependency; pin to the last safe version.",
"confidence": 0.95,
"source_tool": "yara"
}