
MINIBIKE


According to Mandiant, this is a custom backdoor. NOTE: the remainder of the original description ("provides a more flexible code-execution interface and enhanced reconnaissance features compared to MINIBIKE") compares the family with itself, so it cannot be describing MINIBIKE; it appears to have been copied from the description of a related UNC1549 family (see MINIBUS, listed alongside MINIBIKE in the 2024-02-27 Mandiant reference below). Do not read that sentence as a statement of MINIBIKE's own capabilities; consult the referenced reports for the family's actual feature set.

References
2025-09-22Check Point ResearchCheck Point Research
Iranian Threat Actor Nimbus Manticore Expands Campaigns into Europe with Advanced Malware and Fake Job Lures
MINIBIKE MiniJunk UNC1549
2025-09-22Check Point ResearchCheck Point Research
Nimbus Manticore Deploys New Malware Targeting Europe
MINIBIKE MiniJunk UNC1549
2025-09-17PRODAFTPRODAFT
Modus Operandi of Subtle Snail
MINIBIKE
2024-02-27MandiantChen Evgi, Jonathan Leathery, Ofir Rozmann
When Cats Fly: Suspected Iranian Threat Actor UNC1549 Targets Israeli and Middle East Aerospace and Defense Sectors
LIGHTRAIL MINIBIKE MINIBUS UNC1549
Yara Rules
[TLP:WHITE] win_minibike_auto (20260504 | Detects win.minibike.)
rule win_minibike_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.minibike."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.minibike"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Deployment notes (reviewer):
     * - The sequences below are x86 (32-bit) instruction byte patterns lifted
     *   from unpacked / memory-dumped samples (see disclaimer). Run the rule
     *   against unpacked binaries or dumped process memory; a packed or
     *   encrypted on-disk sample is unlikely to expose these bytes.
     * - Tokens such as `e8????????` and `0f2805????????` wildcard the 4-byte
     *   operand of a call / data reference, because the generator
     *   (signator_config = callsandjumps;datarefs) expects those addresses to
     *   vary between builds. Everything else is matched byte-exact.
     * - The condition needs 7 of the 10 sequences AND filesize < 574464 bytes.
     *   The size cap reflects the documented sample(s); larger variants, or
     *   dumps written out as files above that size, will not match.
     *   NOTE(review): YARA's `filesize` is not defined when scanning a running
     *   process, which would make the whole condition evaluate false there —
     *   confirm against your YARA version and drop the size clause for
     *   memory scanning if so.
     * - A hit is family-level evidence derived from very few samples; assign
     *   confidence accordingly and corroborate with the referenced reports.
     */

    strings:
        $sequence_0 = { c645fc03 8bd8 83781408 7202 8b18 8b5010 8b45d4 }
            // n = 7, score = 100
            //   c645fc03             | mov                 byte ptr [ebp - 4], 3
            //   8bd8                 | mov                 ebx, eax
            //   83781408             | cmp                 dword ptr [eax + 0x14], 8
            //   7202                 | jb                  4
            //   8b18                 | mov                 ebx, dword ptr [eax]
            //   8b5010               | mov                 edx, dword ptr [eax + 0x10]
            //   8b45d4               | mov                 eax, dword ptr [ebp - 0x2c]

        $sequence_1 = { 72dc 8b75e4 85ff 7437 8b45e0 2bc7 c1f802 }
            // n = 7, score = 100
            //   72dc                 | jb                  0xffffffde
            //   8b75e4               | mov                 esi, dword ptr [ebp - 0x1c]
            //   85ff                 | test                edi, edi
            //   7437                 | je                  0x39
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   2bc7                 | sub                 eax, edi
            //   c1f802               | sar                 eax, 2

        $sequence_2 = { 83c123 2bc7 83c0fc 83f81f 0f87a6130000 51 57 }
            // n = 7, score = 100
            //   83c123               | add                 ecx, 0x23
            //   2bc7                 | sub                 eax, edi
            //   83c0fc               | add                 eax, -4
            //   83f81f               | cmp                 eax, 0x1f
            //   0f87a6130000         | ja                  0x13ac
            //   51                   | push                ecx
            //   57                   | push                edi

        $sequence_3 = { b8abaaaa2a c7858cfeffff00000000 f7e9 c78584feffff00000000 c1fa02 8bc2 c78588feffff00000000 }
            // n = 7, score = 100
            //   b8abaaaa2a           | mov                 eax, 0x2aaaaaab
            //   c7858cfeffff00000000     | mov    dword ptr [ebp - 0x174], 0
            //   f7e9                 | imul                ecx
            //   c78584feffff00000000     | mov    dword ptr [ebp - 0x17c], 0
            //   c1fa02               | sar                 edx, 2
            //   8bc2                 | mov                 eax, edx
            //   c78588feffff00000000     | mov    dword ptr [ebp - 0x178], 0

        $sequence_4 = { 8d4da8 c745bc07000000 668945a8 e8???????? c645fc11 807ef800 }
            // n = 6, score = 100
            //   8d4da8               | lea                 ecx, [ebp - 0x58]
            //   c745bc07000000       | mov                 dword ptr [ebp - 0x44], 7
            //   668945a8             | mov                 word ptr [ebp - 0x58], ax
            //   e8????????           |                     
            //   c645fc11             | mov                 byte ptr [ebp - 4], 0x11
            //   807ef800             | cmp                 byte ptr [esi - 8], 0

        $sequence_5 = { 57 ff95d8fdffff 83bdd4fdffff00 8bb508feffff 0f85d8fdffff 53 e8???????? }
            // n = 7, score = 100
            //   57                   | push                edi
            //   ff95d8fdffff         | call                dword ptr [ebp - 0x228]
            //   83bdd4fdffff00       | cmp                 dword ptr [ebp - 0x22c], 0
            //   8bb508feffff         | mov                 esi, dword ptr [ebp - 0x1f8]
            //   0f85d8fdffff         | jne                 0xfffffdde
            //   53                   | push                ebx
            //   e8????????           |                     

        $sequence_6 = { 83c123 2bc3 83c0fc 83f81f 0f874c010000 51 }
            // n = 6, score = 100
            //   83c123               | add                 ecx, 0x23
            //   2bc3                 | sub                 eax, ebx
            //   83c0fc               | add                 eax, -4
            //   83f81f               | cmp                 eax, 0x1f
            //   0f874c010000         | ja                  0x152
            //   51                   | push                ecx

        $sequence_7 = { 83f81f 0f877e080000 51 56 e8???????? 83c408 }
            // n = 6, score = 100
            //   83f81f               | cmp                 eax, 0x1f
            //   0f877e080000         | ja                  0x884
            //   51                   | push                ecx
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c408               | add                 esp, 8

        $sequence_8 = { 50 51 8d8dc4fdffff 0f1185b4fcffff }
            // n = 4, score = 100
            //   50                   | push                eax
            //   51                   | push                ecx
            //   8d8dc4fdffff         | lea                 ecx, [ebp - 0x23c]
            //   0f1185b4fcffff       | movups              xmmword ptr [ebp - 0x34c], xmm0

        $sequence_9 = { 0f2805???????? 50 51 8d8df4f3ffff c78568f3ffff05000000 0f118558f3ffff e8???????? }
            // n = 7, score = 100
            //   0f2805????????       |                     
            //   50                   | push                eax
            //   51                   | push                ecx
            //   8d8df4f3ffff         | lea                 ecx, [ebp - 0xc0c]
            //   c78568f3ffff05000000     | mov    dword ptr [ebp - 0xc98], 5
            //   0f118558f3ffff       | movups              xmmword ptr [ebp - 0xca8], xmm0
            //   e8????????           |                     

    condition:
        // 7 of the 10 sequences must be present; the filesize cap is sample-derived
        // (see deployment notes above before using this on memory scans).
        7 of them and filesize < 574464
}