Snap convert 1 by RavenTait · Pull Request #4015 · splunk/security_content

RavenTait · 2026-04-15T12:40:09Z

First Big chunk of detections from SnapAttack

Contains 109 new detections and some new malicious powershell strings.

nasbench · 2026-04-15T12:53:33Z

patel-bhavin · 2026-04-21T16:25:36Z

+
+    PowGoop is the primary loader used by MuddyWater (also tracked as SeedWorm, Static Kitten, and MERCURY) and has been their main initial access loader since at least 2020. It abuses DLL side-loading against a fake GoogleUpdate.exe to execute a multi-stage decoding chain, a fully functional PowerShell backdoor disguised with a benign extension. The config.txt contains a hardcoded C2 address and victim GUID, beacons via modified base64-encoded HTTP, and runs C2 traffic under the legitimate Google Update process to evade network detection.
+
+'


Can we update the script to remove this extra line from the description?

RavenTait added 11 commits April 15, 2026 08:33

Batch 1

db52f6a

Batch 2

571de20

Batch 3

6fc18ba

Batch 4

ac1429e

Batch 5

5de56b5

Batch 6

34b2073

Batch 7

20eb6fb

Batch 8

6ccfcb8

Batch 9

2bdfc11

Batch 10

6521d3a

Batch 11

78ab785

RavenTait requested review from ljstella, nasbench and patel-bhavin as code owners April 15, 2026 12:40

github-actions Bot added Detections Lookups labels Apr 15, 2026

patel-bhavin added this to the v5.27.0 milestone Apr 15, 2026

Merge branch 'develop' into snap_convert_1

e507e17

patel-bhavin reviewed Apr 21, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Snap convert 1#4015

Snap convert 1#4015
RavenTait wants to merge 12 commits intodevelopfrom
snap_convert_1

RavenTait commented Apr 15, 2026

Uh oh!

nasbench commented Apr 15, 2026

Uh oh!

patel-bhavin Apr 21, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants


		PowGoop is the primary loader used by MuddyWater (also tracked as SeedWorm, Static Kitten, and MERCURY) and has been their main initial access loader since at least 2020. It abuses DLL side-loading against a fake GoogleUpdate.exe to execute a multi-stage decoding chain, a fully functional PowerShell backdoor disguised with a benign extension. The config.txt contains a hardcoded C2 address and victim GUID, beacons via modified base64-encoded HTTP, and runs C2 traffic under the legitimate Google Update process to evade network detection.

		'

Conversation

RavenTait commented Apr 15, 2026

Uh oh!

nasbench commented Apr 15, 2026

Uh oh!

patel-bhavin Apr 21, 2026

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants