PhishingKit-Yara-Rules

PhishingKit-Yara-Rules – Open Source project

Clone Me

YARA repository for Phishing Kits zip files triage

Overview

This comprehensive repository is dedicated to providing YARA rules specifically designed for detecting phishing kit zip files. The detection methodology is based on raw zip format analysis, focusing on identifying characteristic directory structures and file names within compressed phishing kits. Notably, these rules do not require yara-extend, as they operate directly on the raw zip file format to examine internal file and directory naming patterns.

The repository embraces open-source collaboration and welcomes contributions from the cybersecurity community. We encourage security researchers, threat analysts, and cybersecurity professionals to submit pull requests with their own rule sets. By sharing knowledge and detection techniques, we collectively strengthen our defense capabilities against evolving phishing threats.

Project Origins and Development

The initial rule set was developed specifically for the PhishingKit-Yara-Search project, which provides a comprehensive framework for analyzing phishing kit zip files. This foundation has grown into one of the most extensive collections of phishing kit detection rules available to the security community.

For those interested in contributing to the project or developing custom rules, we recommend consulting the official YARA documentation for detailed guidance on rule syntax and best practices.

Current Statistics and Coverage

🔥 Major Milestone Achieved: As of June 2025, our repository has reached an impressive 8️⃣5️⃣0️⃣ YARA rules, representing significant growth from our previous milestone of 750 rules in September 2024.

These comprehensive detection rules provide coverage for phishing kits targeting over 3️⃣0️⃣0️⃣ of the world’s most recognizable brands and commercial entities. This extensive coverage includes major technology companies, financial institutions, social media platforms, e-commerce sites, and government organizations that are frequently targeted by phishing campaigns.

Technical Requirements and Implementation

Prerequisites

  • YARA Engine: The rules require a functional YARA installation for proper operation
  • Compatible Tools: Any tool capable of handling YARA rules can be used with this rule set. The PhishingKit-Yara-Search project was originally developed alongside these rules for phishing kit zip file analysis, but the rules are designed to work with any YARA-compatible platform
  • No Extended Dependencies: Unlike many YARA implementations, these rules do not require yara-extend, as they are designed to work directly with YARA’s native capability to analyze raw zip file formats and examine directory and file naming structures

Detection Methodology

The rules employ a straightforward yet effective approach to phishing kit identification by analyzing the internal structure of zip archives without requiring decompression. This method focuses on:

  • Directory naming conventions commonly used by phishing kit developers
  • File naming patterns that indicate specific phishing kit families
  • Structural characteristics unique to particular threat actor groups
  • Brand-specific artifacts embedded within phishing kit architectures

Community Contributions and Collaboration

We actively encourage participation from the global cybersecurity community. Contributing to this project helps strengthen collective defense capabilities against phishing threats. Here’s how you can get involved:

How to Contribute

  • Rule Submissions: Submit new YARA rules targeting previously undetected phishing kits
  • Rule Improvements: Enhance existing rules for better accuracy and reduced false positives
  • Documentation: Help improve rule documentation and usage examples
  • Testing and Validation: Assist with testing rules against known phishing kit samples

Contribution Guidelines

All contributions should follow our established guidelines outlined in CONTRIBUTING.md. We maintain high standards for rule quality, documentation, and testing to ensure the repository remains a reliable resource for the security community.

Industry Recognition and Adoption

Integration with VirusTotal

These rules have been integrated into VirusTotal’s threat detection engine, where they contribute to enhanced threat triage and detection capabilities. This integration demonstrates the rules’ effectiveness and reliability in production environments, as VirusTotal processes millions of samples daily from security researchers and organizations worldwide.

Powered by StalkPhish.io

The PhishingKit-Yara-Rules are also seamlessly integrated into StalkPhish.io, our comprehensive phishing threat intelligence platform. This integration enables security teams to automatically qualify and categorize phishing threats with unprecedented precision. When StalkPhish.io detects a phishing kit in the wild, these YARA rules provide instant attribution and classification, helping analysts quickly understand the threat’s origin, target brands, and potential impact. This automated threat qualification significantly reduces analysis time and enables faster response to emerging phishing campaigns, making StalkPhish.io an essential tool for proactive phishing defense and threat hunting operations.

Community Impact

The repository has become an essential resource for:

  • Security operations centers implementing proactive threat detection
  • Malware researchers conducting phishing campaign analysis
  • Threat intelligence teams tracking phishing trends and actor behaviors
  • Educational institutions teaching practical cybersecurity skills

Repository Access and Resources

🔗 GitHub Repository: https://github.com/t4d/PhishingKit-Yara-Rules

The repository is freely available under an open-source license, enabling widespread adoption and community collaboration. Regular updates ensure that the rule set evolves alongside emerging phishing threats and techniques.