PwC describes this malware as a backdoor capable of file management, file upload and download, and command execution.
rule win_cameleon_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.cameleon."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /*
     * How this rule was produced, and what that means for confidence:
     *
     * Every byte pattern below was selected automatically by YARA-Signator
     * (https://github.com/fxb-cocacoding/yara-signator) from the disassembly
     * of memory dumps and unpacked samples. Malpedia is the data source, and
     * for a number of families it documents only a single sample, so these
     * patterns may generalize poorly to other builds of the same family.
     * Factor the generation method into the confidence you assign to a hit.
     *
     * NOTE(review): several sequences carry absolute 32-bit operands copied
     * from the sampled image (e.g. 0x10054cac, 0x1005d410, 0x1005d650). Those
     * bytes are tied to that build and its image base, so a recompiled or
     * differently based module would not match them; treat a miss as weak
     * evidence. Sequences 2, 4, 6 and 7 also resemble generic runtime-library
     * code rather than family-specific logic (confirm against the sample
     * before weighting a match highly on them alone).
     */

    strings:
        // 4 instructions, score 100
        //   mov eax, dword ptr [eax + 4]
        //   mov dword ptr [eax + ecx - 0x20], 0x10054bbc
        //   mov eax, dword ptr [ecx - 0x20]
        //   mov edx, dword ptr [eax + 4]
        $sequence_0 = { 8b4004 c74408e0bc4b0510 8b41e0 8b5004 }

        // 7 instructions, score 100
        //   push esi
        //   call rel32 (target wildcarded)
        //   jmp 0x67
        //   mov ecx, dword ptr [ebp - 0x48]
        //   cmp ecx, 0x10
        //   jae 0xda
        //   or eax, 0xffffffff
        $sequence_1 = { 56 e8???????? eb65 8b4db8 83f910 0f83d4000000 83c8ff }

        // 7 instructions, score 100
        //   lea eax, [ecx - 0x20]
        //   cmp al, 0x5a
        //   ja 0x11
        //   movsx eax, cl
        //   movzx eax, byte ptr [eax + 0x1004fb18]
        //   and eax, 0xf
        //   jmp 4
        $sequence_2 = { 8d41e0 3c5a 770f 0fbec1 0fb68018fb0410 83e00f eb02 }

        // 7 instructions, score 100
        //   mov ecx, dword ptr [eax]
        //   mov ecx, dword ptr [ecx + 4]
        //   test byte ptr [ecx + eax + 0xc], 6
        //   jne 0x3b
        //   nop dword ptr [eax]
        //   lea eax, [ebp - 0xfc]
        //   push eax
        $sequence_3 = { 8b08 8b4904 f644010c06 7539 0f1f00 8d8504ffffff 50 }

        // 7 instructions, score 100
        //   push edi
        //   lea ebx, [eax*4 + 0x1005d410]
        //   xor eax, eax
        //   lock cmpxchg dword ptr [ebx], ecx
        //   mov edx, dword ptr [disp32] (absolute operand wildcarded)
        //   or edi, 0xffffffff
        //   mov ecx, edx
        $sequence_4 = { 57 8d1c8510d40510 33c0 f00fb10b 8b15???????? 83cfff 8bca }

        // 6 instructions, score 100
        //   mov dl, byte ptr [eax + 0x10054cac]
        //   call rel32 (target wildcarded)
        //   movsx eax, byte ptr [esi]
        //   and eax, 0xf
        //   mov dl, byte ptr [eax + 0x10054cac]
        //   lea ecx, [ebp - 0x134]
        $sequence_5 = { 8a90ac4c0510 e8???????? 0fbe06 83e00f 8a90ac4c0510 8d8dccfeffff }

        // 7 instructions, score 100
        //   mov eax, edx
        //   mov ecx, edx
        //   and eax, 0x3f
        //   sar ecx, 6
        //   imul eax, eax, 0x30
        //   add eax, dword ptr [ecx*4 + 0x1005d650]
        //   jmp 7
        $sequence_6 = { 8bc2 8bca 83e03f c1f906 6bc030 03048d50d60510 eb05 }

        // 5 instructions, score 100
        //   and dword ptr [ebp - 4], 0
        //   mov eax, dword ptr [ebp - 0x1c]
        //   mov eax, dword ptr [eax*4 + 0x1005d650]
        //   mov ecx, dword ptr [ebp - 0x20]
        //   test byte ptr [eax + ecx + 0x28], 1
        $sequence_7 = { 8365fc00 8b45e4 8b048550d60510 8b4de0 f644082801 }

        // 4 instructions, score 100
        //   cmovae edx, dword ptr [ebp - 0x64]
        //   cmp word ptr [edx], 0
        //   jne 6
        //   xor ecx, ecx
        $sequence_8 = { 0f43559c 66833a00 7504 33c9 }

        // 7 instructions, score 100
        //   je 0x49d
        //   mov esi, dword ptr [ebp - 0x5c]
        //   cmp esi, dword ptr [ebp - 0x58]
        //   je 0x491
        //   nop word ptr [eax + eax]
        //   lea ecx, [ebp - 0x14c]
        //   call rel32 (target wildcarded)
        $sequence_9 = { 0f8497040000 8b75a4 3b75a8 0f848b040000 660f1f840000000000 8d8db4feffff e8???????? }

    condition:
        // At least 7 of the 10 sequences must be present; the size cap keeps
        // the rule off large containers and installers.
        7 of ($sequence_*)
        and filesize < 824320
}