← Back to SOC feed Coverage →

CORESHELL/SOURFACE Implant by APT28

yara CRITICAL Yara-Rules
aptcommunity
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at Yara-Rules →
Retrieved: 2026-05-25T11:00:00Z · Confidence: medium

Hunt Hypothesis

The hypothesis is that the detection identifies potential APT28 activity involving the CORESHELL/SOURFACE implant, which is used for long-term persistence and command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats before they exfiltrate data or escalate within the network.

YARA Rule

rule IMPLANT_2_v16 {
   meta:
      description = "CORESHELL/SOURFACE Implant by APT28"
      author = "US CERT"
      reference = "https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE"
      date = "2017-02-10"
      score = 85
   strings:
      $OBF_FUNCT = { 0F B6 1C 0B 8D 34 08 8D 04 0A 0F AF D8 33 D2 8D 41 FF F7
         75 F8 8B 45 0C C1 EB 07 8D 79 01 32 1C 02 33 D2 8B C7 89 5D E4 BB 06
         00 00 00 F7 F3 8B 45 0C 8D 59 FE 02 5D FF 32 1C 02 8B C1 33 D2 B9 06
         00 00 00 F7 F1 8B 45 0C 8B CF 22 1C 02 8B 45 E4 8B 55 E0 02 C3 30 06
         8B 5D F0 8D 41 FE 83 F8 06 8B 45 DC 72 9A }
   condition:
      (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or
      uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and $OBF_FUNCT
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

This rule contains 1 string patterns in its detection logic.

References

False Positive Guidance

Original source: https://github.com/Yara-Rules/rules/blob/main/malware/APT_Grizzlybear_uscert.yar