
Add rule for UniCraft Launcher Spyware#459

Open
koder-cog wants to merge 1 commit into Yara-Rules:master from koder-cog:add-unicraft-rule

Conversation

@koder-cog

Adds a rule targeting the unpacked ASAR/JS payloads of the UniCraft spyware.

Context

UniCraft acts as a functional, trojanized game launcher. The outer compressed installers (NSIS, SquashFS, DMG) successfully evade most static engines (see VT links). However, dynamic analysis of the extracted payload confirms spyware behavior.

Malicious Capabilities (ASAR/JS payload)

  • Harvests HWIDs via WMI/CIM and extracts authentication sessions (unicraft-session.enc, hwid-cache.json).
  • Modifies registry (reg delete), alters permissions (icacls), and monitors for analysis tools (cheat_process_detected, tasklist).
  • Communicates with custom endpoints (e.g., api.unicraftmc.com, 213.146.165.119), occasionally using Base64 obfuscation.

Rule Logic

To prevent false positives on legitimate game files, the rule requires a strict combination:
Identity Strings AND C2 Infrastructure AND (1+ Theft Action OR 2+ Evasion Actions)

References

Behavior (Tria.ge - Recorded Future):

Static (VirusTotal):
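As an added illustration that is not the rule submitted in this PR, the following YARA rule shows how the stated condition (Identity Strings AND C2 Infrastructure AND (1+ Theft Action OR 2+ Evasion Actions)) maps onto YARA syntax, using only the indicators quoted in the description above. The rule name and the identity string "UniCraft" are assumptions; the PR does not list its identity strings.

```yara
rule UniCraft_Launcher_Spyware_ASAR_JS_example
{
    meta:
        description = "Illustration of the condition logic described in Yara-Rules PR #459 (identity AND C2 AND (1+ theft OR 2+ evasion))"
        note        = "Added example, not the rule from the PR; identity string is assumed"
        target      = "Unpacked ASAR/JS payload of the trojanized UniCraft launcher"

    strings:
        // Identity: assumed branding string (the PR does not name its identity strings)
        $id_brand = "UniCraft" ascii wide nocase

        // C2 infrastructure quoted in the PR description
        $c2_domain = "api.unicraftmc.com" ascii wide
        $c2_ip     = "213.146.165.119" ascii wide

        // Theft actions: session and HWID artefacts named in the PR
        $theft_session = "unicraft-session.enc" ascii wide
        $theft_hwid    = "hwid-cache.json" ascii wide

        // Evasion / tampering actions named in the PR
        $evade_reg     = "reg delete" ascii wide nocase
        $evade_icacls  = "icacls" ascii wide nocase
        $evade_marker  = "cheat_process_detected" ascii wide
        $evade_tasks   = "tasklist" ascii wide nocase

    condition:
        // Identity AND C2 AND (at least one theft action OR at least two evasion actions)
        $id_brand
        and any of ($c2_*)
        and (
            any of ($theft_*)
            or 2 of ($evade_*)
        )
}
```

Each branch of the condition is a separate string family, so loosening or tightening one part of the logic (for example requiring both C2 indicators) is a one-line change to the condition rather than a rewrite of the strings section.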

