From a6b13c208db2a78d3c65b44e0fe813e4a38bd44c Mon Sep 17 00:00:00 2001
From: nyuuzyou <130591045+nyuuzyou@users.noreply.github.com>
Date: Mon, 20 May 2024 13:28:36 +0300
Subject: [PATCH] =?UTF-8?q?=F0=9F=9A=80=20Create=20IOK:=20steam-tu2yq4ic?=
 =?UTF-8?q?=20(#255)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* 🚀 Create IOK: steam-tu2yq4ic

* Update steam-tu2yq4ic.yml

Detection logic improvement

---------

Co-authored-by: IlluminatiFish <45714340+IlluminatiFish@users.noreply.github.com>
---
 indicators/steam-tu2yq4ic.yml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 indicators/steam-tu2yq4ic.yml

diff --git a/indicators/steam-tu2yq4ic.yml b/indicators/steam-tu2yq4ic.yml
new file mode 100644
index 00000000..ca2b548e
--- /dev/null
+++ b/indicators/steam-tu2yq4ic.yml
@@ -0,0 +1,27 @@
+title: Steam Phishing Kit tu2yq4ic
+description: Steam Phishing Kit that uses a fake Steam login window to steal user credentials.
+
+references:
+  - https://urlscan.io/result/21e56cd4-f042-4856-86cb-192372b403b7
+  - https://urlscan.io/result/f77fb88a-d6cc-4355-92e5-0527ddd5cf00
+  - https://urlscan.io/result/0a4bd282-305a-47cc-b239-c251d53f7382
+
+detection:
+
+  warning:
+    html|contains: 
+      - '<div id="NotLoggedInWarning" class="modal_frame">'
+
+  breadcrumbs:
+    js|contains|all:
+      - 'vgywykkm.uq'
+      - 'lppfocvr.fo'
+      - '.oxisae'
+      - '.zooms'
+      - '#groobly'
+      
+  condition: warning and breadcrumbs
+
+tags:
+  - kit
+  - target.steam