win.earthworm

Earthworm


According to Cisco Talos, Earthworm is a network tunneling tool that has been used extensively by Chinese-speaking threat actors in intrusions to expose internal endpoints to attacker-owned remote infrastructure.

References
2026-01-15 — Cisco Talos — Asheer Malhotra, Brandon White, Vitor Ventura
UAT-8837 targets critical infrastructure sectors in North America
Earthworm Rubeus SharpHound SharpWMI UAT-8837
Yara Rules
[TLP:WHITE] win_earthworm_auto (20260504 | Detects win.earthworm.)
rule win_earthworm_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.earthworm."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.earthworm"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* ANNOTATIONS
     * The generator's original per-line comments decoded these byte sequences
     * in 32-bit mode, so REX prefixes (41/44/45/48/4c) showed up as
     * "inc ecx" / "dec eax" and the remaining bytes were split at the wrong
     * boundaries. Every sequence below carries REX prefixes and
     * [rsp+..] / [rip+..] operands, so the matched code is x86-64; the
     * comments have been replaced with a manual 64-bit decode (Intel syntax)
     * of exactly the bytes in each hex string. Re-check against a
     * disassembler before relying on any single line.
     *
     * Only the rel32 of "e8 ????????" (call) is wildcarded. rip-relative and
     * rsp-relative displacements are matched literally, so these sequences are
     * tied to the layout of the sampled build and may not survive a
     * recompile or relink; treat a miss on a new sample as inconclusive.
     */


    strings:
        $sequence_0 = { 41b99a010000 4c8d0543500500 ba02000000 b928020000 e8???????? 488bd0 488d4c2420 }
            // n = 7, score = 100
            //   41b99a010000         | mov                 r9d, 0x19a
            //   4c8d0543500500       | lea                 r8, [rip + 0x55043]
            //   ba02000000           | mov                 edx, 2
            //   b928020000           | mov                 ecx, 0x228
            //   e8????????           | call                rel32 (target wildcarded)
            //   488bd0               | mov                 rdx, rax
            //   488d4c2420           | lea                 rcx, [rsp + 0x20]

        $sequence_1 = { 837c243800 753a 488d057c2a0c00 4889442428 488d0578980b00 4889442420 4533c9 }
            // n = 7, score = 100
            //   837c243800           | cmp                 dword ptr [rsp + 0x38], 0
            //   753a                 | jne                 rel8 +0x3a
            //   488d057c2a0c00       | lea                 rax, [rip + 0xc2a7c]
            //   4889442428           | mov                 qword ptr [rsp + 0x28], rax
            //   488d0578980b00       | lea                 rax, [rip + 0xb9878]
            //   4889442420           | mov                 qword ptr [rsp + 0x20], rax
            //   4533c9               | xor                 r9d, r9d

        $sequence_2 = { eb0f 488d05a5150a00 4889842480000000 488b842480000000 4889842488000000 48c744244800000000 48c744247800000000 }
            // n = 7, score = 100
            //   eb0f                 | jmp                 rel8 +0x0f
            //   488d05a5150a00       | lea                 rax, [rip + 0xa15a5]
            //   4889842480000000     | mov                 qword ptr [rsp + 0x80], rax
            //   488b842480000000     | mov                 rax, qword ptr [rsp + 0x80]
            //   4889842488000000     | mov                 qword ptr [rsp + 0x88], rax
            //   48c744244800000000     | mov    qword ptr [rsp + 0x48], 0
            //   48c744247800000000     | mov    qword ptr [rsp + 0x78], 0

        $sequence_3 = { eba0 488b842498010000 488b4010 448b08 488b842498010000 4c8b4008 488d942428010000 }
            // n = 7, score = 100
            //   eba0                 | jmp                 rel8 -0x60
            //   488b842498010000     | mov                 rax, qword ptr [rsp + 0x198]
            //   488b4010             | mov                 rax, qword ptr [rax + 0x10]
            //   448b08               | mov                 r9d, dword ptr [rax]
            //   488b842498010000     | mov                 rax, qword ptr [rsp + 0x198]
            //   4c8b4008             | mov                 r8, qword ptr [rax + 8]
            //   488d942428010000     | lea                 rdx, [rsp + 0x128]

        $sequence_4 = { e8???????? eb1e 488d0de2680700 e8???????? eb10 488d0ddc680700 e8???????? }
            // n = 7, score = 100
            //   e8????????           | call                rel32 (target wildcarded)
            //   eb1e                 | jmp                 rel8 +0x1e
            //   488d0de2680700       | lea                 rcx, [rip + 0x768e2]
            //   e8????????           | call                rel32 (target wildcarded)
            //   eb10                 | jmp                 rel8 +0x10
            //   488d0ddc680700       | lea                 rcx, [rip + 0x768dc]
            //   e8????????           | call                rel32 (target wildcarded)

        $sequence_5 = { e8???????? 488bd0 488d8c24e0020000 e8???????? 90 e8???????? 85c0 }
            // n = 7, score = 100
            //   e8????????           | call                rel32 (target wildcarded)
            //   488bd0               | mov                 rdx, rax
            //   488d8c24e0020000     | lea                 rcx, [rsp + 0x2e0]
            //   e8????????           | call                rel32 (target wildcarded)
            //   90                   | nop
            //   e8????????           | call                rel32 (target wildcarded)
            //   85c0                 | test                eax, eax

        $sequence_6 = { 488b942418090000 488d4c2428 e8???????? 90 8b442420 2500800000 85c0 }
            // n = 7, score = 100
            //   488b942418090000     | mov                 rdx, qword ptr [rsp + 0x918]
            //   488d4c2428           | lea                 rcx, [rsp + 0x28]
            //   e8????????           | call                rel32 (target wildcarded)
            //   90                   | nop
            //   8b442420             | mov                 eax, dword ptr [rsp + 0x20]
            //   2500800000           | and                 eax, 0x8000
            //   85c0                 | test                eax, eax

        $sequence_7 = { 488b4008 4889442430 488b442470 488b4008 488b00 488b4018 4889442428 }
            // n = 7, score = 100
            //   488b4008             | mov                 rax, qword ptr [rax + 8]
            //   4889442430           | mov                 qword ptr [rsp + 0x30], rax
            //   488b442470           | mov                 rax, qword ptr [rsp + 0x70]
            //   488b4008             | mov                 rax, qword ptr [rax + 8]
            //   488b00               | mov                 rax, qword ptr [rax]
            //   488b4018             | mov                 rax, qword ptr [rax + 0x18]
            //   4889442428           | mov                 qword ptr [rsp + 0x28], rax

        $sequence_8 = { 753a 488d057fa60900 4889442428 488d05ab910900 4889442420 4533c9 41b884060000 }
            // n = 7, score = 100
            //   753a                 | jne                 rel8 +0x3a
            //   488d057fa60900       | lea                 rax, [rip + 0x9a67f]
            //   4889442428           | mov                 qword ptr [rsp + 0x28], rax
            //   488d05ab910900       | lea                 rax, [rip + 0x991ab]
            //   4889442420           | mov                 qword ptr [rsp + 0x20], rax
            //   4533c9               | xor                 r9d, r9d
            //   41b884060000         | mov                 r8d, 0x684

        $sequence_9 = { 89442424 488b442470 8b00 39442424 7d5b 8b442478 39442424 }
            // n = 7, score = 100
            //   89442424             | mov                 dword ptr [rsp + 0x24], eax
            //   488b442470           | mov                 rax, qword ptr [rsp + 0x70]
            //   8b00                 | mov                 eax, dword ptr [rax]
            //   39442424             | cmp                 dword ptr [rsp + 0x24], eax
            //   7d5b                 | jge                 rel8 +0x5b
            //   8b442478             | mov                 eax, dword ptr [rsp + 0x78]
            //   39442424             | cmp                 dword ptr [rsp + 0x24], eax

    condition:
        // 7 of the 10 sequences must match, and the size bound keeps the
        // rule from being evaluated against large files.
        7 of them and filesize < 2659328
}