SHELBY
backdoor | 1 mutex signature
[BASIC_INFORMATION]
FAMILY_NAME:
SHELBY
CATEGORY:
BACKDOOR
DESCRIPTION:
SHELBY is a sophisticated backdoor malware family that abuses GitHub for command-and-control operations. It consists of two main components: SHELBYLOADER and SHELBYC2. The malware employs advanced sandbox detection techniques, uses obfuscation with Obfuscar, and establishes persistence through the Windows Registry. It targets telecommunications companies and airports, particularly in Iraq and the UAE.
ALIASES:
SHELBYLOADER
SHELBYC2
TAGS:
github_c2
sandbox_evasion
obfuscation
persistence
reflective_loading
targeted_attack
[MUTEX_SIGNATURES] (1)
[MUTEX_01]
Global\GHS<UniqueID>
ANALYST: @adhikara13 DATE: 2025-01-15
[THREAT_INTELLIGENCE]
ATTRIBUTION:
REF8685
FIRST_OBSERVED:
2025
[STATISTICS]
MUTEX_COUNT:1
THREAT_ACTORS:1
ALIASES:2
TAGS:6
CATEGORY:BACKDOOR