From c6bd5184f347552f2d473b3813cc5e8acb4ae387 Mon Sep 17 00:00:00 2001
From: Pierre-Henri Pezier <pierre-henri.pezier@nextron-systems.com>
Date: Fri, 20 Mar 2026 12:29:16 +0100
Subject: [PATCH] new: RegPhantom rule

---
 yara/mal_kernel_regphantom_mar26.yar | 31 ++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 yara/mal_kernel_regphantom_mar26.yar

diff --git a/yara/mal_kernel_regphantom_mar26.yar b/yara/mal_kernel_regphantom_mar26.yar
new file mode 100644
index 00000000..43ea952f
--- /dev/null
+++ b/yara/mal_kernel_regphantom_mar26.yar
@@ -0,0 +1,31 @@
+rule MAL_Kernel_RegPhantom_Mar26 {
+   meta:
+      description = "Detects RegPhantom, a kernel-mode rootkit that allow attacker to inject arbitrary code from unprivileged user-mode into kernel-mode and execute it."
+      author = "Pezier Pierre-Henri (Nextron Systems)"
+      date = "2026-03-19"
+      reference = "Internal Research"
+      hash = "006e08f1b8cad821f7849c282dc11d317e76ce66a5bcd84053dd5e7752e0606f"
+      score = 80
+   strings:
+      $s1 = "CmRegisterCallback" fullword
+      $s2 = "PsSetCreateThreadNotifyRoutine" fullword
+
+      $o1 = {
+         // xor decrypt
+         48 8b 09     // mov     rcx, [rcx]
+         0f b6 14 08  // movzx   edx, byte ptr [rax+rcx]
+         4c 31 c2     // xor     rdx, r8
+         88 14 08     // mov     [rax+rcx], dl
+      }
+      $o2 = {
+         // Command selector
+         c6 01 01     // mov     byte ptr [rcx], 1
+         48 83 38 77  // cmp     qword ptr [rax], 77h
+         0f 94 c0     // setz    al
+         24 01        // and     al, 1
+      }
+   condition:
+      uint16(0) == 0x5a4d
+      and all of them
+}
+