[ { "id": 4329189147, "indicator": "01e294c52ddfdf020f27bc8087cd0cba195c086b5c813ee6cd56dde3ba04c0ef", "type": "FileHash-SHA256", "created": "2026-04-26T14:21:07", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 4329189148, "indicator": "41f5cf259dcbd2f11f9e3ba7e69aa9321f779bdbec565f1c5a0ede228c6fa793", "type": "FileHash-SHA256", "created": "2026-04-26T14:21:07", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 4329189149, "indicator": "47e0b431759b881b2928d6944990107dfce28db982b1641eb410e75c0b0a3003", "type": "FileHash-SHA256", "created": "2026-04-26T14:21:07", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 4329189150, "indicator": "cd211c0f3bea9f37bea80d2cf0574348b3ae37b8008967e2d30bd0f9cabbd540", "type": "FileHash-SHA256", "created": "2026-04-26T14:21:07", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 4329189151, "indicator": "ff78ce69e42cdd4f4afe1b1e28eab1edf794473de3fc53fa92cf269e2b790c12", "type": "FileHash-SHA256", "created": "2026-04-26T14:21:07", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 4329189152, "indicator": "ff9dfa375086a0aa129ceda98f6cdefb4eef56ee044c013e6f8119c29ff56eaa", "type": "FileHash-SHA256", "created": "2026-04-26T14:21:07", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 4329189157, "indicator": "http://118.107.6.148:8081", "type": "URL", "created": "2026-04-26T14:21:07", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 4320904332, "indicator": "http://121.127.246.86:8081", "type": "URL", "created": "2026-04-26T14:21:07", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 4329189158, "indicator": "http://151.242.152.198/0.p.txt", "type": "URL", "created": "2026-04-26T14:21:07", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 4168107101, "indicator": "http://45.64.52.170:5000", "type": "URL", "created": "2026-04-26T14:21:07", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 4329189159, "indicator": "http://laohe1.myvnc.com:5000", "type": "URL", "created": "2026-04-26T14:21:07", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 4329189160, "indicator": "0f5be50e0152c25fa45c05a5489015ee1d9a3ad6", "type": "YARA", "created": "2026-04-26T14:21:07", "content": "rule GoLoader_VBS_Polymorphic_Dropper \n { \n meta: \n author = \"Breakglass Intelligence\" \n description = \"Detects polymorphic VBS droppers generated by GoLoader panels (behavioral pattern, not hash-based)\" \n date = \"2026-04-20\" \n reference = \"https://intel.breakglass.tech\" \n tlp = \"WHITE\" \n \n strings: \n // WMI process creation via VBS \n $wmi1 = \"winmgmts\" ascii wide nocase \n $wmi2 = \"Win32_Process\" ascii wide nocase \n \n // APPDATA persistence \n $appdata = \"APPDATA\" ascii wide nocase \n \n // Scheduled task creation \n $schtask1 = \"Schedule.Service\" ascii wide nocase \n $schtask2 = \"schtasks\" ascii wide nocase \n \n // PowerShell invocation patterns \n $ps1 = \"powershell\" ascii wide nocase \n $ps2 = \"-windowstyle hidden\" ascii wide nocase \n $ps3 = \"IEX\" ascii wide nocase \n \n // OSS bucket or custom domain references \n $oss1 = \"fi3.me\" ascii wide nocase \n $oss2 = \"oss-cn-hongkong\" ascii wide nocase \n $oss3 = \"jpginfo\" ascii wide nocase \n $oss4 = \"444444.png\" ascii wide nocase \n \n condition: \n ($wmi1 and $wmi2) and \n $appdata and \n ($schtask1 or $schtask2) and \n ($ps1 or $ps2 or $ps3) and \n any of ($oss*) \n }", "title": "", "description": "Detects polymorphic VBS droppers generated by GoLoader panels (behavioral pattern, not hash-based)", "expiration": null, "is_active": 1 }, { "id": 4329189161, "indicator": "42a08fda0b79c61b60df44983eb6c1a6eeb83efc", "type": "YARA", "created": "2026-04-26T14:21:07", "content": "rule GoLoader_Panel_HTML \n { \n meta: \n author = \"Breakglass Intelligence\" \n description = \"Detects GoLoader builder panel HTML served on port 8081\" \n date = \"2026-04-20\" \n reference = \"https://intel.breakglass.tech\" \n tlp = \"WHITE\" \n \n strings: \n $api1 = \"/api/oss/get\" ascii wide \n $api2 = \"/api/tasks/list\" ascii wide \n $api3 = \"/api/tasks/add\" ascii wide \n $api4 = \"/api/tasks/start\" ascii wide \n $api5 = \"/api/tasks/stop\" ascii wide \n $api6 = \"/api/tasks/delete\" ascii wide \n $font = \"Microsoft YaHei\" ascii wide \n $ver = \"v2.1\" ascii wide \n \n condition: \n 3 of ($api*) and ($font or $ver) \n }", "title": "", "description": "Detects GoLoader builder panel HTML served on port 8081", "expiration": null, "is_active": 1 }, { "id": 4329189162, "indicator": "e1f4221779b156b608d7f46bceafd5d58133ba69", "type": "YARA", "created": "2026-04-26T14:21:07", "content": "rule GoLoader_LNK_DeflateStream_Dropper \n { \n meta: \n author = \"Breakglass Intelligence\" \n description = \"Detects LNK files using PowerShell DeflateStream with ZZZ delimiter for payload delivery\" \n date = \"2026-04-20\" \n reference = \"https://intel.breakglass.tech\" \n tlp = \"WHITE\" \n \n strings: \n $lnk_magic = { 4C 00 00 00 01 14 02 00 } // LNK file header \n $deflate = \"DeflateStream\" ascii wide \n $zzz_delim = \"ZZZ\" ascii wide \n $ps_encoded = \"-e \" ascii wide \n $frombase64 = \"FromBase64String\" ascii wide \n \n condition: \n $lnk_magic at 0 and \n 2 of ($deflate, $zzz_delim, $ps_encoded, $frombase64) \n }", "title": "", "description": "Detects LNK files using PowerShell DeflateStream with ZZZ delimiter for payload delivery", "expiration": null, "is_active": 1 }, { "id": 363079, "indicator": "http.host", "type": "domain", "created": "2026-04-26T14:21:07", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 4143182315, "indicator": "c.fi3.me", "type": "hostname", "created": "2026-04-26T14:21:07", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 4329189163, "indicator": "laohe.myvnc.com", "type": "hostname", "created": "2026-04-26T14:21:07", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 4329189164, "indicator": "laohe1.myvnc.com", "type": "hostname", "created": "2026-04-26T14:21:07", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 4329189165, "indicator": "laohe2.myvnc.com", "type": "hostname", "created": "2026-04-26T14:21:07", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 4329189166, "indicator": "laohe3.myvnc.com", "type": "hostname", "created": "2026-04-26T14:21:07", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 4329189167, "indicator": "laohe4.myvnc.com", "type": "hostname", "created": "2026-04-26T14:21:07", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 }, { "id": 4329189168, "indicator": "laohe5.myvnc.com", "type": "hostname", "created": "2026-04-26T14:21:07", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1 } ]