Using Phishing-Kit-Yara-Rules project for phishing kits detection and triage

No comments

Since some months now, we maintain specific Yara rules to detect phishing kit sources (.zip files). Phishing kits sources are sometimes left on the host serving phishing pages.

Using the StalkPhish project (see we used to collect phishing kits in order to extract e-mails addresses, Telegram channels (see, and so on.

In order to sort our zip files collection we use our phishing kit Yara rules (see

About these Yara rules

Today the repository count 211 Yara rules for several threats and brands, all these rules are free of use and are published under the GNU GPLv3 licence.

You can find these rules on GitHub:

For rule analysis we use the VirusTotal YARA-CI plugin on the GitHub repository, this permit to control if rules are correct and don’t contain mistakes before being used.

These rules are created using phishing kit sources we grab every day and are named with the brand name and a actor/team name we can obtain from the sources:

A phishing kit Yara rules

These rules go to parse the Zip file to find specific names of files and directories, in the example above, all specified files and directories must exist for the file to be considered as matching the Yara rule.

Of course you can participate to the project, creating your own Yara rule and making a pull request on the repository. Please try to respect the contribution rules, you can find here:

Using phishing kit Yara rules

Using official yara binary (apt install yara, for example), you can use each phishing kit Yara rule on your file/directory, like this:

$ yara PK_impots_gouv_fr_azubi.yar /data/dl
PK_impots_gouv_fr_azubi /data/dl/
PK_impots_gouv_fr_azubi /data/dl/
PK_impots_gouv_fr_azubi /data/dl/

You can create a unique .yar file with all phishing kit Yara rules inside and use it in the same command. By default Yara can’t use a directory containing .yar files as an argument.

Also you can use the python tool we called PhishingKit-Yara-Search made to use a directory containing all the rules as a argument:

You can use it to scan 1 file with all yourYara rules:

$ /data/tools/yara-phishing/ -f /tmp/ -r /data/tools/yara-phishing/rules/

Scan 1 file with all your Yara rules

Or use all your Yara rules to fully scan a directory:

$ /data/tools/yara-phishing/ -D /tmp/ -r /data/tools/yara-phishing/rules/

Scan all files of a directory with all your Yara rules


Since some months now these Yara rules from our project are implemented in VirusTotal‘s analysis. Dropping a file to VT for analysis will, if a PhishingKit Yara rule exists, give you this information as crowdsourced YARA Rules into the detection section (you have to be logged in to see this part):

VirusTotal using Phishing-Kit-Yara-Rules project for analysis

You can check the matching rule for further details:

Yara rule details

Keep in touch

For all our news about these rules our other projects you can follow us on Twitter or our blog! As we told you above: don’t hesitate to particpate to this open source project, you know, to make Internet a safer place 🙂