From 4b849e1fe417227b3cdf7cb47af55deb23d052a8 Mon Sep 17 00:00:00 2001
From: Arnim Rupp <46819580+ruppde@users.noreply.github.com>
Date: Mon, 4 May 2026 18:12:01 +0200
Subject: [PATCH 1/4] fix NitrogenLoader YARA
---
 data/yara/CAPE/NitrogenLoader.yar | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/data/yara/CAPE/NitrogenLoader.yar b/data/yara/CAPE/NitrogenLoader.yar
index d51906c18bf..31e21818fec 100644
--- a/data/yara/CAPE/NitrogenLoader.yar
+++ b/data/yara/CAPE/NitrogenLoader.yar
@@ -31,5 +31,6 @@ rule NitrogenLoader
 $rc4decrypt_1 = {48 89 ?? 4? 89 ?? E8 [4] 4? 8B ?? 24 [1-4] 4? 89 ?? 4? 89 ?? 4? 89 C1 [0-1] 89 ?? E8 [4] 4? 89}
 $rc4decrypt_2 = {E8 [4] 8B ?? 24 [1-4] 4? 89 ?? 48 89 ?? 4? 89 C1 E8 [3] FF}
 condition:
- (2 of ($string*) and any of ($syscall*)) or 4 of ($decrypt*) or ((3 of ($taskman_*) or 3 of ($installers*)) and all of ($rc4decrypt_*))
+ ((2 of ($string*) and any of ($syscall*)) or 4 of ($decrypt*) or ((3 of ($taskman_*) or 3 of ($installers*)) and all of ($rc4decrypt_*)))
+ and uint16(0) == 0x5a4d
 }
From 6379581ac13d1cde198a0f38207d6fc17d2636a2 Mon Sep 17 00:00:00 2001
From: Arnim Rupp <46819580+ruppde@users.noreply.github.com>
Date: Mon, 4 May 2026 19:40:20 +0200
Subject: [PATCH 2/4] Reorder condition in NitrogenLoader.yar
---
 data/yara/CAPE/NitrogenLoader.yar | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/data/yara/CAPE/NitrogenLoader.yar b/data/yara/CAPE/NitrogenLoader.yar
index 31e21818fec..62ca0ce830f 100644
--- a/data/yara/CAPE/NitrogenLoader.yar
+++ b/data/yara/CAPE/NitrogenLoader.yar
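Review bot: The `uint16(0) == 0x5a4d` test added to the condition (and kept, moved to the front, in PATCH 2/4) limits the rule to buffers that begin with an MZ header, and neither the commit message nor the rule records which false positive this fixes. If CAPE also applies this rule to memory regions or extracted payloads whose header is absent or wiped, those will stop matching even when the `$decrypt*` or `$rc4decrypt_*` patterns are present, so the scan targets are worth confirming before merging. I would add a comment above the condition recording the reason, for example `// PE files only: <reason for the restriction>`. The rule's strings and metadata start outside the hunk, so whether any string set was meant for headerless dumps cannot be checked from here.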
@@ -31,6 +31,6 @@ rule NitrogenLoader
 $rc4decrypt_1 = {48 89 ?? 4? 89 ?? E8 [4] 4? 8B ?? 24 [1-4] 4? 89 ?? 4? 89 ?? 4? 89 C1 [0-1] 89 ?? E8 [4] 4? 89}
 $rc4decrypt_2 = {E8 [4] 8B ?? 24 [1-4] 4? 89 ?? 48 89 ?? 4? 89 C1 E8 [3] FF}
 condition:
- ((2 of ($string*) and any of ($syscall*)) or 4 of ($decrypt*) or ((3 of ($taskman_*) or 3 of ($installers*)) and all of ($rc4decrypt_*)))
- and uint16(0) == 0x5a4d
+ uint16(0) == 0x5a4d and
+ ((2 of ($string*) and any of ($syscall*)) or 4 of ($decrypt*) or ((3 of ($taskman_*) or 3 of ($installers*)) and all of ($rc4decrypt_*)))
 }
From de31ada12ce03e2ef9dbb12b3a3704c8cc1a3d59 Mon Sep 17 00:00:00 2001
From: Josh Feather <142008135+josh-feather@users.noreply.github.com>
Date: Fri, 15 May 2026 16:26:38 +0000
Subject: [PATCH 3/4] Restore FA icons in guac session-ended dialog
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Extends the dialog rendering in guac-main.js so the heading shows a Font Awesome icon alongside the title, replacing the previous static 'Session Error' heading that was retained verbatim regardless of why the session ended.
- Introduce _showDialog(title, detail, icon) and thin _showError / _showWarning / _showSuccess wrappers around it. Each wrapper passes its corresponding module-level ICON_* constant.
- Route 514 (server timeout) and the default branch to _showError (red exclamation-circle), 522 (idle timeout) to _showWarning (amber exclamation-triangle), and 515 (backing VM disconnected = normal completion) to _showSuccess (green check-circle).
- Simplify the dialog markup: drop the unused .message paragraph and the dead error_msg class; give the surviving body paragraph an id (#dialog-message) to mirror #dialog-heading.
- Keep 'Session Ended' as a neutral static heading so the dialog still reads sensibly if JS fails to populate it before the dialog is shown.
- Drive-by: remove a duplicate `var apiUrl` declaration in stopTask() left over from the master merge in 1230fa0f — it was a SyntaxError under strict mode.
---
 web/guac/templates/guac/index.html | 5 ++---
 web/static/js/guac-main.js | 28 ++++++++++++++++++++++------
 2 files changed, 24 insertions(+), 9 deletions(-)
diff --git a/web/guac/templates/guac/index.html b/web/guac/templates/guac/index.html
index 41a633d663b..87ba55825e6 100644
--- a/web/guac/templates/guac/index.html
+++ b/web/guac/templates/guac/index.html
@@ -33,9 +33,8 @@
diff --git a/web/static/js/guac-main.js b/web/static/js/guac-main.js
index ec708431fd8..bd96e92b0db 100644
--- a/web/static/js/guac-main.js
+++ b/web/static/js/guac-main.js
@@ -17,6 +17,10 @@ const PASTE_DELAY_MS = 50;
 const NON_FATAL_STATUS_CODES = new Set([0, 256]);
+const ICON_ERROR = 'fas fa-exclamation-circle text-danger';
+const ICON_WARNING = 'fas fa-exclamation-triangle text-warning';
+const ICON_SUCCESS = 'fas fa-check-circle text-success';
+
 class GuacSession {
 constructor(element, config) {
 this.config = config;
@@ -153,14 +157,27 @@ class GuacSession {
 });
 }
- _showError(title, detail) {
+ _showDialog(title, detail, icon) {
 const dialog = $('#launch_error');
- dialog.find('.message').html(title);
- dialog.find('.error_msg').html(detail);
+ const iconHtml = icon ? `` : '';
+ dialog.find('#dialog-heading').html(`${iconHtml}${title}`);
+ dialog.find('#dialog-message').html(detail);
 dialog.dialog({ dialogClass: 'no-close' });
 dialog.dialog(this.dialogContainer);
 }
+ _showError(title, detail) {
+ this._showDialog(title, detail, ICON_ERROR);
+ }
+
+ _showWarning(title, detail) {
+ this._showDialog(title, detail, ICON_WARNING);
+ }
+
+ _showSuccess(title, detail) {
+ this._showDialog(title, detail, ICON_SUCCESS);
+ }
+
 _setupErrorHandler() {
 const handler = (error) => {
 console.log(`guac error ${error.code}: ${error.message}`);
@@ -174,9 +191,9 @@ class GuacSession {
 if (error.code === 514) {
 this._showError("Connection error", "Server timeout.");
 } else if (error.code === 515) {
- this._showError("Session complete", "Backing VM has disconnected.");
+ this._showSuccess("Session complete", "Backing VM has disconnected.");
 } else if (error.code === 522) {
- this._showError("Session ended", "Session timed out due to inactivity.");
+ this._showWarning("Session ended", "Session timed out due to inactivity.");
 } else {
 const _msg = `An unexpected error occurred: ${error.message}`;
 this._showError("Connection error", _msg);
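Review bot: `_showDialog` writes `title` and `detail` into the dialog with `.html()`, and the default branch of the error handler passes `An unexpected error occurred: ${error.message}` through `_showError`, so text taken from the Guacamole error object is parsed as markup in `#dialog-message`. The removed code had the same sink, but the rendering is being rewritten here, so I would build the heading from nodes and set the body as text; none of the strings visible in these hunks contain markup, so nothing visible is lost. The markup inside the `iconHtml` template literal is not visible in this rendering of the patch, so the `<i>` element below is an assumption to check against the real line. The error handler's `if`/`else` chain in the following hunk starts and ends outside that hunk.

```javascript
_showDialog(title, detail, icon) {
    const dialog = $('#launch_error');
    const heading = dialog.find('#dialog-heading').empty();
    if (icon) {
        // Icon classes come only from the module-level ICON_* constants.
        heading.append($('<i>').addClass(icon), document.createTextNode(' '));
    }
    // Text nodes and .text() keep server-supplied strings from being parsed as HTML.
    heading.append(document.createTextNode(title));
    dialog.find('#dialog-message').text(detail);
    // … unchanged: dialog.dialog(...) calls …
```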
@@ -228,7 +245,6 @@ function stopTask(taskId, onSuccess, onError) {
 const apiUrl = location.origin + "/apiv2/tasks/status/" + taskId + "/";
- var apiUrl = location.origin + "/apiv2/tasks/status/" + taskId + "/";
 fetch(apiUrl, {
 method: 'POST',
 headers: {
From 0d90954f6132182ce5ed3aa3e3a0e6725f734493 Mon Sep 17 00:00:00 2001
From: Kevin O'Reilly