Download bundle index for the Destover (Sony-Signed Backdoor) write-up.

Primary public artefact repository:

• taogoldi/analysis_data/destover_apr_2026

Direct folders:

• scripts/ destover_config_extractor.py (pulls C2 IPs, decoded API list, version-info masquerade, and Authenticode signer in one static pass)
• detection/ two paired YARA rules: a behavior-and-fingerprint match on the binary and a stolen-certificate match on any PE still carrying the revoked SPE Authenticode chain. Also mirrored at YARA/backdoors/destover/.
• reports/json/ structured static + cross-reference report
• images/ Mermaid sources and rendered diagrams (kill chain, dot-space API obfuscation, C2 state machine)
• docs/ blog source markdown

Key external references:

• Securelist: Destover malware now digitally signed by Sony certificates
• Securelist: Sony/Destover, mystery North Korean actor’s destructive and past network activity
• SecurityAffairs: Damballa revealed the secrets behind the Destover malware
• ThreatPost: Details Emerge on Sony Wiper Malware Destover
• APTnotes: From Seoul to Sony

The Destover binary itself (SHA-256 4c2efe2f1253b94f16a1cab032f36c7883e4f6c8d9fc17d0ee553b5afb16330c) is not redistributed in this bundle. Analysts who want it can pull it from MalwareBazaar or VirusTotal.