From 5455ecc816bef7d01d615b2a2d9335d116483008 Mon Sep 17 00:00:00 2001
From: PCPisChill <22227370+PCPisChill@users.noreply.github.com>
Date: Sat, 29 Jul 2023 19:11:25 -0400
Subject: [PATCH 01/30] Create csgo2beta-videos.yml

---
 indicators/csgo2beta-videos.yml | 45 +++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 indicators/csgo2beta-videos.yml

diff --git a/indicators/csgo2beta-videos.yml b/indicators/csgo2beta-videos.yml
new file mode 100644
index 00000000..d281b0eb
--- /dev/null
+++ b/indicators/csgo2beta-videos.yml
@@ -0,0 +1,45 @@
+title: Steam CSGO2 Beta Phishing Kit
+
+description: |
+  Steam Phishing Kit that uses a fake Steam login window to steal user credentials and CSGO2 Beta Access as bait.
+
+references:
+  - https://urlscan.io/result/de077e20-ab89-494b-af4c-df49f72d1e8b
+  - https://urlscan.io/result/2fca4b90-38da-4880-9b09-14e3a94c68e6
+  - https://urlscan.io/result/558a4fb2-8e16-4176-9a16-ebfe2fe64d2b
+  - https://urlscan.io/result/0712a363-be77-4482-960a-886738d7f882
+  - https://urlscan.io/result/950664a4-aaf8-4d2d-8761-c0b2fa11ab7a
+  - https://urlscan.io/result/1daf0866-8168-4efe-9f37-067b89b886b4
+  - https://urlscan.io/result/6f719b9d-0ded-4f3c-ba3f-682b1afd015f
+  - https://urlscan.io/result/bd1cef80-59d3-43cb-bfb3-b71a9cc411b0
+  - https://urlscan.io/result/5c36ed3f-3efe-43a9-a669-f13f4ff0cdcb
+  - https://urlscan.io/result/ed5b5e51-109f-4dec-b886-6a49b44e8fe8
+
+detection:
+  realDomain:
+    hostname:
+      - counter-strike.net
+
+  csgo2PageTitle:
+    html|contains:
+      - '<title>Counter-Strike 2 | Limited Test</title>'
+
+  csgo2Youtube:
+    requests|contains|all:
+      - 'youtube.com/embed/_y9MpNcAitQ'
+      - 'youtube.com/embed/GqhhFl5zgA0'
+      - 'youtube.com/embed/ExZtISgOxEQ'
+
+  csgo2mp4s:
+    requests|contains|all:
+      - '/apps/csgo/videos/csgo_react/cs2/video_smokes.mp4'
+      - '/apps/csgo/videos/csgo_react/cs2/smokes_vid2.mp4'
+      - '/apps/csgo/videos/csgo_react/cs2/smokes_vid1.mp4'
+      - '/apps/csgo/videos/csgo_react/cs2/smokes_vid3.mp4'
+      - '/apps/csgo/videos/csgo_react/cs2/video_ticks.mp4'
+
+  condition: csgo2PageTitle and (csgo2Youtube or csgo2mp4s) and not realDomain
+
+tags:
+  - target.steam
+  - threat_actor_country.russia

From 0a6649fea4f9785dbd07f54ba42b14339a6790ae Mon Sep 17 00:00:00 2001
From: PCPisChill <22227370+PCPisChill@users.noreply.github.com>
Date: Sat, 29 Jul 2023 19:13:36 -0400
Subject: [PATCH 02/30] Create steam-auronplay.yml

---
 indicators/steam-auronplay.yml | 35 ++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 indicators/steam-auronplay.yml

diff --git a/indicators/steam-auronplay.yml b/indicators/steam-auronplay.yml
new file mode 100644
index 00000000..f65c141c
--- /dev/null
+++ b/indicators/steam-auronplay.yml
@@ -0,0 +1,35 @@
+title: Steam Auronplay Gift Card Phishing Kit
+
+description: |
+  Steam Phishing Kit that uses a fake Steam login window to steal user credentials and 50/100$ gift cards as bait.
+
+references:
+  - https://urlscan.io/result/732d40f3-c113-44da-bcd4-5f39ff173e83
+  - https://urlscan.io/result/ee34fa99-6cf8-4b16-8cf5-e617e238dea0
+  - https://urlscan.io/result/d09c1f36-773f-437c-b533-4dced6cecc1f
+  - https://urlscan.io/result/23b2c035-4daa-405e-98cd-0f3cdddcd5ca
+  - https://urlscan.io/result/0b26dcba-e480-4690-a856-f8b3577194ec
+  - https://urlscan.io/result/5d409d0e-4f1d-4a8f-b076-b473c9398a43
+
+detection:
+
+  giftFromAuronplay:
+    html|contains:
+      - '<p style="margin-top: 6px;">A gi<span style="display:none;">cqg</span>ft fr<span style="display:none;">ged</span>om <span style="font-weight: bold; color: white;">auronplay</span>'
+
+  steamGiftPageFooter:
+    html|contains|all:
+      - '<a href="#" target="_blank" rel="" class="showAuthWin">Privacy Policy</a>'
+      - '<a href="#" target="_blank" rel="" class="showAuthWin">Legal</a>'
+      - '<a href="#" target="_blank" rel="" class="showAuthWin">Refunds</a>'
+      - '<a href="#" target="_blank" rel="" class="showAuthWin">Cookies</a>'
+
+  showAuthWinJS:
+    js|contains:
+      - "Array.from(document.getElementsByClassName('showAuthWin')).forEach((showAuthWin)"
+
+  condition: giftFromAuronplay or steamGiftPageFooter or showAuthWinJS
+
+tags:
+  - target.steam
+  - threat_actor_country.russia

From 36a05c02e76a6055e7c4fa239c051638f408f339 Mon Sep 17 00:00:00 2001
From: PCPisChill <22227370+PCPisChill@users.noreply.github.com>
Date: Sat, 29 Jul 2023 19:14:35 -0400
Subject: [PATCH 03/30] Create steam-getsiteconfig.yml

---
 indicators/steam-getsiteconfig.yml | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 indicators/steam-getsiteconfig.yml

diff --git a/indicators/steam-getsiteconfig.yml b/indicators/steam-getsiteconfig.yml
new file mode 100644
index 00000000..3980af3c
--- /dev/null
+++ b/indicators/steam-getsiteconfig.yml
@@ -0,0 +1,29 @@
+title: Steam Phishing Kit getsiteconfig
+
+description: |
+  Steam Phishing Kit with obfuscated javascript pages that use a fake Steam login window to steal user credentials and free 50/100$ gift cards, csgo skins, csgo2 beta or discord nitro as bait.
+
+references:
+  - https://urlscan.io/result/732d40f3-c113-44da-bcd4-5f39ff173e83
+  - https://urlscan.io/result/0712a363-be77-4482-960a-886738d7f882
+  - https://urlscan.io/result/01e4685b-9001-4843-a50f-a41ad126fc8c
+  - https://urlscan.io/result/64c8c423-5e1e-4779-a4b0-66c9e0beb8d7
+  - https://urlscan.io/result/02d78cc5-5035-490d-ade3-8043a1d29d29
+  - https://urlscan.io/result/65902fde-168e-4492-a039-b678cedc23c8
+  - https://urlscan.io/result/5988575a-6cc7-4e5b-ac87-22fb5e29b6e6
+
+detection:
+
+  getSiteConfigJson:
+    requests|contains: '/api/getsiteconfig/'
+
+  viewportAndScriptElems:
+    html|contains|all:
+      - '<meta name="viewport" content="width=device-width, initial-scale=1">'
+      - '<script type="module" crossorigin src="/assets/'
+
+  condition: getSiteConfigJson and viewportAndScriptElems
+
+tags:
+  - target.steam
+  - threat_actor_country.russia

From bd9c2691aa8f9330d3af0ad6a6c23daf7a70d6cd Mon Sep 17 00:00:00 2001
From: PCPisChill <22227370+PCPisChill@users.noreply.github.com>
Date: Sat, 29 Jul 2023 19:17:18 -0400
Subject: [PATCH 04/30] Create steam-metrica.yml

---
 indicators/steam-metrica.yml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 indicators/steam-metrica.yml

diff --git a/indicators/steam-metrica.yml b/indicators/steam-metrica.yml
new file mode 100644
index 00000000..aec9f215
--- /dev/null
+++ b/indicators/steam-metrica.yml
@@ -0,0 +1,27 @@
+title: Steam Phishing Kit metrica.php
+
+description: |
+  Steam Phishing Kit that uses a fake Steam login window to steal user credentials and free 50/100$ gift cards, csgo skins, csgo2 beta or discord nitro as bait.
+
+references:
+  - https://urlscan.io/result/d7243f7d-e10a-4309-8450-869229ac286d
+  - https://urlscan.io/result/1ec85742-f31e-4d45-a37b-8c91d94996df
+  - https://urlscan.io/result/d09c1f36-773f-437c-b533-4dced6cecc1f
+  - https://urlscan.io/result/0eb7900f-dd6e-4491-ad69-e9f4b14e0e41
+  - https://urlscan.io/result/19b11718-4018-449f-8829-3365a10c812a
+  - https://urlscan.io/result/8690e751-6bb9-4bd7-a7b9-34ce3b719fef
+
+detection:
+
+  getSiteConfigJson:
+    requests|contains: 'metrica.php?method=LoadedCount'
+
+  aShowAuthWin:
+    html|contains:
+      - '<a href="#" class="showAuthWin">'
+
+
+  condition: getSiteConfigJson and aShowAuthWin
+
+tags:
+  - target.steam

From 0a28cca9008c48064c35a5e6d6a39a46d2b707bd Mon Sep 17 00:00:00 2001
From: PCPisChill <22227370+PCPisChill@users.noreply.github.com>
Date: Wed, 16 Aug 2023 12:22:26 -0400
Subject: [PATCH 05/30] Update steam-metrica.yml

Fixed detection field name
---
 indicators/steam-metrica.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/indicators/steam-metrica.yml b/indicators/steam-metrica.yml
index aec9f215..c5b8541a 100644
--- a/indicators/steam-metrica.yml
+++ b/indicators/steam-metrica.yml
@@ -13,7 +13,7 @@ references:
 
 detection:
 
-  getSiteConfigJson:
+  metricaLoadedCount:
     requests|contains: 'metrica.php?method=LoadedCount'
 
   aShowAuthWin:

From 70e1971a9a9d5ea2f5110db2e68a8cbbc780e145 Mon Sep 17 00:00:00 2001
From: IlluminatiFish <45714340+IlluminatiFish@users.noreply.github.com>
Date: Thu, 14 Sep 2023 12:27:37 +0100
Subject: [PATCH 06/30] Update steam-getsiteconfig.yml

Remove overlapping reference
---
 indicators/steam-getsiteconfig.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/indicators/steam-getsiteconfig.yml b/indicators/steam-getsiteconfig.yml
index 3980af3c..f251fad7 100644
--- a/indicators/steam-getsiteconfig.yml
+++ b/indicators/steam-getsiteconfig.yml
@@ -10,7 +10,6 @@ references:
   - https://urlscan.io/result/64c8c423-5e1e-4779-a4b0-66c9e0beb8d7
   - https://urlscan.io/result/02d78cc5-5035-490d-ade3-8043a1d29d29
   - https://urlscan.io/result/65902fde-168e-4492-a039-b678cedc23c8
-  - https://urlscan.io/result/5988575a-6cc7-4e5b-ac87-22fb5e29b6e6
 
 detection:
 

From 43060fb2a12d32ffa91364b99dd0baf75cba95f9 Mon Sep 17 00:00:00 2001
From: IlluminatiFish <45714340+IlluminatiFish@users.noreply.github.com>
Date: Tue, 19 Sep 2023 00:27:36 +0100
Subject: [PATCH 07/30] Update csgo2beta-videos.yml

Remove invalid reference
---
 indicators/csgo2beta-videos.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/indicators/csgo2beta-videos.yml b/indicators/csgo2beta-videos.yml
index d281b0eb..c525a160 100644
--- a/indicators/csgo2beta-videos.yml
+++ b/indicators/csgo2beta-videos.yml
@@ -6,7 +6,6 @@ description: |
 references:
   - https://urlscan.io/result/de077e20-ab89-494b-af4c-df49f72d1e8b
   - https://urlscan.io/result/2fca4b90-38da-4880-9b09-14e3a94c68e6
-  - https://urlscan.io/result/558a4fb2-8e16-4176-9a16-ebfe2fe64d2b
   - https://urlscan.io/result/0712a363-be77-4482-960a-886738d7f882
   - https://urlscan.io/result/950664a4-aaf8-4d2d-8761-c0b2fa11ab7a
   - https://urlscan.io/result/1daf0866-8168-4efe-9f37-067b89b886b4

From 3a6fa0dd91e439311baeba2b857a66f8a2cb85cd Mon Sep 17 00:00:00 2001
From: IlluminatiFish <45714340+IlluminatiFish@users.noreply.github.com>
Date: Tue, 19 Sep 2023 00:27:53 +0100
Subject: [PATCH 08/30] Update steam-auronplay.yml

Remove invalid reference
---
 indicators/steam-auronplay.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/indicators/steam-auronplay.yml b/indicators/steam-auronplay.yml
index f65c141c..1481858f 100644
--- a/indicators/steam-auronplay.yml
+++ b/indicators/steam-auronplay.yml
@@ -4,7 +4,6 @@ description: |
   Steam Phishing Kit that uses a fake Steam login window to steal user credentials and 50/100$ gift cards as bait.
 
 references:
-  - https://urlscan.io/result/732d40f3-c113-44da-bcd4-5f39ff173e83
   - https://urlscan.io/result/ee34fa99-6cf8-4b16-8cf5-e617e238dea0
   - https://urlscan.io/result/d09c1f36-773f-437c-b533-4dced6cecc1f
   - https://urlscan.io/result/23b2c035-4daa-405e-98cd-0f3cdddcd5ca

From d1dd5a2d20e1558f474f09529b521ebc46c20aa1 Mon Sep 17 00:00:00 2001
From: IlluminatiFish <45714340+IlluminatiFish@users.noreply.github.com>
Date: Tue, 19 Sep 2023 00:28:17 +0100
Subject: [PATCH 09/30] Update steam-metrica.yml

Remove invalid reference
---
 indicators/steam-metrica.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/indicators/steam-metrica.yml b/indicators/steam-metrica.yml
index c5b8541a..053affa9 100644
--- a/indicators/steam-metrica.yml
+++ b/indicators/steam-metrica.yml
@@ -4,7 +4,6 @@ description: |
   Steam Phishing Kit that uses a fake Steam login window to steal user credentials and free 50/100$ gift cards, csgo skins, csgo2 beta or discord nitro as bait.
 
 references:
-  - https://urlscan.io/result/d7243f7d-e10a-4309-8450-869229ac286d
   - https://urlscan.io/result/1ec85742-f31e-4d45-a37b-8c91d94996df
   - https://urlscan.io/result/d09c1f36-773f-437c-b533-4dced6cecc1f
   - https://urlscan.io/result/0eb7900f-dd6e-4491-ad69-e9f4b14e0e41

From 903ac2dec4fa7259a561fb3c719edbbeec806098 Mon Sep 17 00:00:00 2001
From: PCPisChill <22227370+PCPisChill@users.noreply.github.com>
Date: Sat, 25 Nov 2023 16:06:12 -0500
Subject: [PATCH 10/30] Update csgo2beta-videos.yml

Fix failed to match (added case insensitive title check) https://urlscan.io/result/5c36ed3f-3efe-43a9-a669-f13f4ff0cdcb
---
 indicators/csgo2beta-videos.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/indicators/csgo2beta-videos.yml b/indicators/csgo2beta-videos.yml
index c525a160..ae83e5e5 100644
--- a/indicators/csgo2beta-videos.yml
+++ b/indicators/csgo2beta-videos.yml
@@ -20,8 +20,7 @@ detection:
       - counter-strike.net
 
   csgo2PageTitle:
-    html|contains:
-      - '<title>Counter-Strike 2 | Limited Test</title>'
+    html|re: '/<title>Counter-Strike 2 \| Limited Test<\/title>/i'
 
   csgo2Youtube:
     requests|contains|all:

From 4755cc7b33caf9cf95e276dbe6016231f5fdaeb1 Mon Sep 17 00:00:00 2001
From: PCPisChill <22227370+PCPisChill@users.noreply.github.com>
Date: Sat, 25 Nov 2023 16:51:59 -0500
Subject: [PATCH 11/30] Update steam-metrica.yml

Fix metrica.php request
---
 indicators/steam-metrica.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/indicators/steam-metrica.yml b/indicators/steam-metrica.yml
index 053affa9..30922849 100644
--- a/indicators/steam-metrica.yml
+++ b/indicators/steam-metrica.yml
@@ -13,7 +13,7 @@ references:
 detection:
 
   metricaLoadedCount:
-    requests|contains: 'metrica.php?method=LoadedCount'
+    requests|contains: 'metrica.php'
 
   aShowAuthWin:
     html|contains:

From 229a9b384512aa3e5984ea1695af66e1f98496a6 Mon Sep 17 00:00:00 2001
From: PCPisChill <22227370+PCPisChill@users.noreply.github.com>
Date: Sat, 25 Nov 2023 18:00:38 -0500
Subject: [PATCH 12/30] Update csgo2beta-videos.yml

Use (?i) instead of /i
---
 indicators/csgo2beta-videos.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/indicators/csgo2beta-videos.yml b/indicators/csgo2beta-videos.yml
index ae83e5e5..dec01584 100644
--- a/indicators/csgo2beta-videos.yml
+++ b/indicators/csgo2beta-videos.yml
@@ -20,7 +20,7 @@ detection:
       - counter-strike.net
 
   csgo2PageTitle:
-    html|re: '/<title>Counter-Strike 2 \| Limited Test<\/title>/i'
+    html|re: '(?i)<title>Counter-Strike 2 \| Limited Test<\/title>'
 
   csgo2Youtube:
     requests|contains|all:

From 9f48b7fa09c3c1ced131f13d221394b494e636f7 Mon Sep 17 00:00:00 2001
From: PCPisChill <22227370+PCPisChill@users.noreply.github.com>
Date: Sun, 26 Nov 2023 03:06:46 -0500
Subject: [PATCH 13/30] Update steam-auronplay.yml

Updated 'giftFromAuronplay' to regex ignoring "<span></span>"s between string.
---
 indicators/steam-auronplay.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/indicators/steam-auronplay.yml b/indicators/steam-auronplay.yml
index 1481858f..82883112 100644
--- a/indicators/steam-auronplay.yml
+++ b/indicators/steam-auronplay.yml
@@ -13,8 +13,7 @@ references:
 detection:
 
   giftFromAuronplay:
-    html|contains:
-      - '<p style="margin-top: 6px;">A gi<span style="display:none;">cqg</span>ft fr<span style="display:none;">ged</span>om <span style="font-weight: bold; color: white;">auronplay</span>'
+    html|re: '(?i)A ((?:<([^\s]+)(\s[^>]*?)?(?<!\/)>[^>]*>)|)((?:<([^\s]+)(\s[^>]*?)?(?<!\/)>[^>]*>)|)g((?:<([^\s]+)(\s[^>]*?)?(?<!\/)>[^>]*>)|)i((?:<([^\s]+)(\s[^>]*?)?(?<!\/)>[^>]*>)|)f((?:<([^\s]+)(\s[^>]*?)?(?<!\/)>[^>]*>)|)t((?:<([^\s]+)(\s[^>]*?)?(?<!\/)>[^>]*>)|) ((?:<([^\s]+)(\s[^>]*?)?(?<!\/)>[^>]*>)|)f((?:<([^\s]+)(\s[^>]*?)?(?<!\/)>[^>]*>)|)r((?:<([^\s]+)(\s[^>]*?)?(?<!\/)>[^>]*>)|)o((?:<([^\s]+)(\s[^>]*?)?(?<!\/)>[^>]*>)|)m ((?:<([^\s]+)(\s[^>]*?)?(?<!\/)>)|)auronplay'
 
   steamGiftPageFooter:
     html|contains|all:

From 4f82b3ef46a0b723fe4e9c3779ca177270f127b0 Mon Sep 17 00:00:00 2001
From: PCPisChill <22227370+PCPisChill@users.noreply.github.com>
Date: Sun, 26 Nov 2023 03:08:08 -0500
Subject: [PATCH 14/30] Update steam-getsiteconfig.yml

Added new example
---
 indicators/steam-getsiteconfig.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/indicators/steam-getsiteconfig.yml b/indicators/steam-getsiteconfig.yml
index f251fad7..7b95bdfb 100644
--- a/indicators/steam-getsiteconfig.yml
+++ b/indicators/steam-getsiteconfig.yml
@@ -10,6 +10,7 @@ references:
   - https://urlscan.io/result/64c8c423-5e1e-4779-a4b0-66c9e0beb8d7
   - https://urlscan.io/result/02d78cc5-5035-490d-ade3-8043a1d29d29
   - https://urlscan.io/result/65902fde-168e-4492-a039-b678cedc23c8
+  - https://urlscan.io/result/2acf7249-7864-4148-aa3a-161286fce118
 
 detection:
 

From 8273e1cfc6ea4bdd9b6bc30922259c019dec5eeb Mon Sep 17 00:00:00 2001
From: IlluminatiFish <45714340+IlluminatiFish@users.noreply.github.com>
Date: Sun, 26 Nov 2023 11:51:01 +0000
Subject: [PATCH 15/30] =?UTF-8?q?=E2=9C=A8Update=20and=20rename=20steam-au?=
 =?UTF-8?q?ronplay.yml=20to=20steam-ee34fa99.yml?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Update rule detection logic & name
---
 indicators/steam-auronplay.yml | 33 ---------------------------------
 indicators/steam-ee34fa99.yml  | 29 +++++++++++++++++++++++++++++
 2 files changed, 29 insertions(+), 33 deletions(-)
 delete mode 100644 indicators/steam-auronplay.yml
 create mode 100644 indicators/steam-ee34fa99.yml

diff --git a/indicators/steam-auronplay.yml b/indicators/steam-auronplay.yml
deleted file mode 100644
index 82883112..00000000
--- a/indicators/steam-auronplay.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: Steam Auronplay Gift Card Phishing Kit
-
-description: |
-  Steam Phishing Kit that uses a fake Steam login window to steal user credentials and 50/100$ gift cards as bait.
-
-references:
-  - https://urlscan.io/result/ee34fa99-6cf8-4b16-8cf5-e617e238dea0
-  - https://urlscan.io/result/d09c1f36-773f-437c-b533-4dced6cecc1f
-  - https://urlscan.io/result/23b2c035-4daa-405e-98cd-0f3cdddcd5ca
-  - https://urlscan.io/result/0b26dcba-e480-4690-a856-f8b3577194ec
-  - https://urlscan.io/result/5d409d0e-4f1d-4a8f-b076-b473c9398a43
-
-detection:
-
-  giftFromAuronplay:
-    html|re: '(?i)A ((?:<([^\s]+)(\s[^>]*?)?(?<!\/)>[^>]*>)|)((?:<([^\s]+)(\s[^>]*?)?(?<!\/)>[^>]*>)|)g((?:<([^\s]+)(\s[^>]*?)?(?<!\/)>[^>]*>)|)i((?:<([^\s]+)(\s[^>]*?)?(?<!\/)>[^>]*>)|)f((?:<([^\s]+)(\s[^>]*?)?(?<!\/)>[^>]*>)|)t((?:<([^\s]+)(\s[^>]*?)?(?<!\/)>[^>]*>)|) ((?:<([^\s]+)(\s[^>]*?)?(?<!\/)>[^>]*>)|)f((?:<([^\s]+)(\s[^>]*?)?(?<!\/)>[^>]*>)|)r((?:<([^\s]+)(\s[^>]*?)?(?<!\/)>[^>]*>)|)o((?:<([^\s]+)(\s[^>]*?)?(?<!\/)>[^>]*>)|)m ((?:<([^\s]+)(\s[^>]*?)?(?<!\/)>)|)auronplay'
-
-  steamGiftPageFooter:
-    html|contains|all:
-      - '<a href="#" target="_blank" rel="" class="showAuthWin">Privacy Policy</a>'
-      - '<a href="#" target="_blank" rel="" class="showAuthWin">Legal</a>'
-      - '<a href="#" target="_blank" rel="" class="showAuthWin">Refunds</a>'
-      - '<a href="#" target="_blank" rel="" class="showAuthWin">Cookies</a>'
-
-  showAuthWinJS:
-    js|contains:
-      - "Array.from(document.getElementsByClassName('showAuthWin')).forEach((showAuthWin)"
-
-  condition: giftFromAuronplay or steamGiftPageFooter or showAuthWinJS
-
-tags:
-  - target.steam
-  - threat_actor_country.russia
diff --git a/indicators/steam-ee34fa99.yml b/indicators/steam-ee34fa99.yml
new file mode 100644
index 00000000..19bca10d
--- /dev/null
+++ b/indicators/steam-ee34fa99.yml
@@ -0,0 +1,29 @@
+title: Steam Phishing Kit ee34fa99
+description: |
+  A Steam phishing kit that uses a fake Steam login 
+  window to steal user credentials and 50/100$ gift 
+  cards as bait.
+
+references:
+  - https://urlscan.io/result/ee34fa99-6cf8-4b16-8cf5-e617e238dea0
+  - https://urlscan.io/result/d09c1f36-773f-437c-b533-4dced6cecc1f
+  - https://urlscan.io/result/23b2c035-4daa-405e-98cd-0f3cdddcd5ca
+  - https://urlscan.io/result/0b26dcba-e480-4690-a856-f8b3577194ec
+  - https://urlscan.io/result/5d409d0e-4f1d-4a8f-b076-b473c9398a43
+
+detection:
+
+  saleBannerGif:
+    requests|contains: 'https://s12.gifyu.com/images/SWtIF.gif'
+
+  siteMetrics:
+    requests|contains: 'metrica.php'
+
+  giftFrom:
+    html|contains: 'auronplay'
+ 
+  condition: siteMetrics and saleBannerGif and giftFrom
+
+tags:
+  - target.steam
+  - threat_actor_country.russia

From 8e2d0ea85274284c6a51fce957d76232c2eee2e3 Mon Sep 17 00:00:00 2001
From: IlluminatiFish <45714340+IlluminatiFish@users.noreply.github.com>
Date: Sun, 26 Nov 2023 11:55:55 +0000
Subject: [PATCH 16/30] =?UTF-8?q?=E2=9C=A8Update=20steam-ee34fa99?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Remove dynamic filename from sale banner GIF detection string
---
 indicators/steam-ee34fa99.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/indicators/steam-ee34fa99.yml b/indicators/steam-ee34fa99.yml
index 19bca10d..8f87d63f 100644
--- a/indicators/steam-ee34fa99.yml
+++ b/indicators/steam-ee34fa99.yml
@@ -14,7 +14,7 @@ references:
 detection:
 
   saleBannerGif:
-    requests|contains: 'https://s12.gifyu.com/images/SWtIF.gif'
+    requests|contains: 'https://s12.gifyu.com/images/'
 
   siteMetrics:
     requests|contains: 'metrica.php'

From 0d992dfd2b7ddb53e685d30214e305027f66e4eb Mon Sep 17 00:00:00 2001
From: IlluminatiFish <45714340+IlluminatiFish@users.noreply.github.com>
Date: Mon, 20 May 2024 09:57:41 +0100
Subject: [PATCH 17/30] Update and rename csgo2beta-videos.yml to
 steam-de077e20.yml

Simplify rule logic, fix rule and file name
---
 indicators/csgo2beta-videos.yml | 43 ---------------------------------
 indicators/steam-de077e20.yml   | 30 +++++++++++++++++++++++
 2 files changed, 30 insertions(+), 43 deletions(-)
 delete mode 100644 indicators/csgo2beta-videos.yml
 create mode 100644 indicators/steam-de077e20.yml

diff --git a/indicators/csgo2beta-videos.yml b/indicators/csgo2beta-videos.yml
deleted file mode 100644
index dec01584..00000000
--- a/indicators/csgo2beta-videos.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-title: Steam CSGO2 Beta Phishing Kit
-
-description: |
-  Steam Phishing Kit that uses a fake Steam login window to steal user credentials and CSGO2 Beta Access as bait.
-
-references:
-  - https://urlscan.io/result/de077e20-ab89-494b-af4c-df49f72d1e8b
-  - https://urlscan.io/result/2fca4b90-38da-4880-9b09-14e3a94c68e6
-  - https://urlscan.io/result/0712a363-be77-4482-960a-886738d7f882
-  - https://urlscan.io/result/950664a4-aaf8-4d2d-8761-c0b2fa11ab7a
-  - https://urlscan.io/result/1daf0866-8168-4efe-9f37-067b89b886b4
-  - https://urlscan.io/result/6f719b9d-0ded-4f3c-ba3f-682b1afd015f
-  - https://urlscan.io/result/bd1cef80-59d3-43cb-bfb3-b71a9cc411b0
-  - https://urlscan.io/result/5c36ed3f-3efe-43a9-a669-f13f4ff0cdcb
-  - https://urlscan.io/result/ed5b5e51-109f-4dec-b886-6a49b44e8fe8
-
-detection:
-  realDomain:
-    hostname:
-      - counter-strike.net
-
-  csgo2PageTitle:
-    html|re: '(?i)<title>Counter-Strike 2 \| Limited Test<\/title>'
-
-  csgo2Youtube:
-    requests|contains|all:
-      - 'youtube.com/embed/_y9MpNcAitQ'
-      - 'youtube.com/embed/GqhhFl5zgA0'
-      - 'youtube.com/embed/ExZtISgOxEQ'
-
-  csgo2mp4s:
-    requests|contains|all:
-      - '/apps/csgo/videos/csgo_react/cs2/video_smokes.mp4'
-      - '/apps/csgo/videos/csgo_react/cs2/smokes_vid2.mp4'
-      - '/apps/csgo/videos/csgo_react/cs2/smokes_vid1.mp4'
-      - '/apps/csgo/videos/csgo_react/cs2/smokes_vid3.mp4'
-      - '/apps/csgo/videos/csgo_react/cs2/video_ticks.mp4'
-
-  condition: csgo2PageTitle and (csgo2Youtube or csgo2mp4s) and not realDomain
-
-tags:
-  - target.steam
-  - threat_actor_country.russia
diff --git a/indicators/steam-de077e20.yml b/indicators/steam-de077e20.yml
new file mode 100644
index 00000000..594cb253
--- /dev/null
+++ b/indicators/steam-de077e20.yml
@@ -0,0 +1,30 @@
+title: Steam Phishing Kit de077e20
+description: |
+  Detects a Steam phishing kit that uses a fake Steam login window 
+  to steal user credentials and Counter Strike 2 Beta Access as bait.
+references:
+  - https://urlscan.io/result/de077e20-ab89-494b-af4c-df49f72d1e8b
+  - https://urlscan.io/result/2fca4b90-38da-4880-9b09-14e3a94c68e6
+  - https://urlscan.io/result/0712a363-be77-4482-960a-886738d7f882
+  - https://urlscan.io/result/950664a4-aaf8-4d2d-8761-c0b2fa11ab7a
+  - https://urlscan.io/result/1daf0866-8168-4efe-9f37-067b89b886b4
+  - https://urlscan.io/result/6f719b9d-0ded-4f3c-ba3f-682b1afd015f
+  - https://urlscan.io/result/bd1cef80-59d3-43cb-bfb3-b71a9cc411b0
+  - https://urlscan.io/result/5c36ed3f-3efe-43a9-a669-f13f4ff0cdcb
+  - https://urlscan.io/result/ed5b5e51-109f-4dec-b886-6a49b44e8fe8
+
+detection:
+
+  title:
+    title: "Counter-Strike 2 | Limited Test"
+
+  assets:
+    requests|endswith|all:
+      - '9d7ecea.js'
+      - 'c9d2021.js'
+
+  condition: title and assets
+
+tags:
+  - target.steam
+  - threat_actor_country.russia

From cb18c20112404d7dab519d8abd5b65648c983115 Mon Sep 17 00:00:00 2001
From: IlluminatiFish <45714340+IlluminatiFish@users.noreply.github.com>
Date: Mon, 20 May 2024 10:03:17 +0100
Subject: [PATCH 18/30] Update and rename steam-getsiteconfig.yml to
 steam-732d40f3.yml

Modify detection logic to use more robust flags
---
 indicators/steam-732d40f3.yml      | 29 +++++++++++++++++++++++++++++
 indicators/steam-getsiteconfig.yml | 29 -----------------------------
 2 files changed, 29 insertions(+), 29 deletions(-)
 create mode 100644 indicators/steam-732d40f3.yml
 delete mode 100644 indicators/steam-getsiteconfig.yml

diff --git a/indicators/steam-732d40f3.yml b/indicators/steam-732d40f3.yml
new file mode 100644
index 00000000..d13416b5
--- /dev/null
+++ b/indicators/steam-732d40f3.yml
@@ -0,0 +1,29 @@
+title: Steam Phishing Kit 732d40f3
+description: |
+    Detects Steam phishing pages that obtain their template
+    configuration from `/api/getsiteconfig` 
+references:
+  - https://urlscan.io/result/732d40f3-c113-44da-bcd4-5f39ff173e83
+  - https://urlscan.io/result/0712a363-be77-4482-960a-886738d7f882
+  - https://urlscan.io/result/01e4685b-9001-4843-a50f-a41ad126fc8c
+  - https://urlscan.io/result/64c8c423-5e1e-4779-a4b0-66c9e0beb8d7
+  - https://urlscan.io/result/02d78cc5-5035-490d-ade3-8043a1d29d29
+  - https://urlscan.io/result/65902fde-168e-4492-a039-b678cedc23c8
+  - https://urlscan.io/result/2acf7249-7864-4148-aa3a-161286fce118
+
+detection:
+
+    siteConfiguration:
+        requests|contains: "/api/getsiteconfig/"
+        
+    loadedIFrame:
+        dom|contains: '<iframe id="iframe" title="main" name="site" style="height: 0px; width: 0px; border: 0px; outline: none; z-index: 1000;"></iframe>'
+        
+    footerMessage:
+        dom|contains: '<div style="font-size: 1px; font-family: &quot;Support Assets&quot;; color: rgba(0, 0, 0, 0.01);">Hello</div>'
+
+  condition: siteConfiguration and loadedIFrame and footerMessage
+
+tags:
+  - target.steam
+  - threat_actor_country.russia
diff --git a/indicators/steam-getsiteconfig.yml b/indicators/steam-getsiteconfig.yml
deleted file mode 100644
index 7b95bdfb..00000000
--- a/indicators/steam-getsiteconfig.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: Steam Phishing Kit getsiteconfig
-
-description: |
-  Steam Phishing Kit with obfuscated javascript pages that use a fake Steam login window to steal user credentials and free 50/100$ gift cards, csgo skins, csgo2 beta or discord nitro as bait.
-
-references:
-  - https://urlscan.io/result/732d40f3-c113-44da-bcd4-5f39ff173e83
-  - https://urlscan.io/result/0712a363-be77-4482-960a-886738d7f882
-  - https://urlscan.io/result/01e4685b-9001-4843-a50f-a41ad126fc8c
-  - https://urlscan.io/result/64c8c423-5e1e-4779-a4b0-66c9e0beb8d7
-  - https://urlscan.io/result/02d78cc5-5035-490d-ade3-8043a1d29d29
-  - https://urlscan.io/result/65902fde-168e-4492-a039-b678cedc23c8
-  - https://urlscan.io/result/2acf7249-7864-4148-aa3a-161286fce118
-
-detection:
-
-  getSiteConfigJson:
-    requests|contains: '/api/getsiteconfig/'
-
-  viewportAndScriptElems:
-    html|contains|all:
-      - '<meta name="viewport" content="width=device-width, initial-scale=1">'
-      - '<script type="module" crossorigin src="/assets/'
-
-  condition: getSiteConfigJson and viewportAndScriptElems
-
-tags:
-  - target.steam
-  - threat_actor_country.russia

From 29dc4ee242ec33c1768b7cc36e256ab0cb0352f9 Mon Sep 17 00:00:00 2001
From: IlluminatiFish <45714340+IlluminatiFish@users.noreply.github.com>
Date: Mon, 20 May 2024 10:05:41 +0100
Subject: [PATCH 19/30] Delete indicators/steam-metrica.yml

Remove redundant rule
---
 indicators/steam-metrica.yml | 26 --------------------------
 1 file changed, 26 deletions(-)
 delete mode 100644 indicators/steam-metrica.yml

diff --git a/indicators/steam-metrica.yml b/indicators/steam-metrica.yml
deleted file mode 100644
index 30922849..00000000
--- a/indicators/steam-metrica.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-title: Steam Phishing Kit metrica.php
-
-description: |
-  Steam Phishing Kit that uses a fake Steam login window to steal user credentials and free 50/100$ gift cards, csgo skins, csgo2 beta or discord nitro as bait.
-
-references:
-  - https://urlscan.io/result/1ec85742-f31e-4d45-a37b-8c91d94996df
-  - https://urlscan.io/result/d09c1f36-773f-437c-b533-4dced6cecc1f
-  - https://urlscan.io/result/0eb7900f-dd6e-4491-ad69-e9f4b14e0e41
-  - https://urlscan.io/result/19b11718-4018-449f-8829-3365a10c812a
-  - https://urlscan.io/result/8690e751-6bb9-4bd7-a7b9-34ce3b719fef
-
-detection:
-
-  metricaLoadedCount:
-    requests|contains: 'metrica.php'
-
-  aShowAuthWin:
-    html|contains:
-      - '<a href="#" class="showAuthWin">'
-
-
-  condition: getSiteConfigJson and aShowAuthWin
-
-tags:
-  - target.steam

From 77cb5e0d0528cc478662bf203cbf02b9823b446e Mon Sep 17 00:00:00 2001
From: IlluminatiFish <45714340+IlluminatiFish@users.noreply.github.com>
Date: Mon, 20 May 2024 10:08:41 +0100
Subject: [PATCH 20/30] Update steam-732d40f3.yml

---
 indicators/steam-732d40f3.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/indicators/steam-732d40f3.yml b/indicators/steam-732d40f3.yml
index d13416b5..3374212e 100644
--- a/indicators/steam-732d40f3.yml
+++ b/indicators/steam-732d40f3.yml
@@ -21,7 +21,7 @@ detection:
         
     footerMessage:
         dom|contains: '<div style="font-size: 1px; font-family: &quot;Support Assets&quot;; color: rgba(0, 0, 0, 0.01);">Hello</div>'
-
+ 
   condition: siteConfiguration and loadedIFrame and footerMessage
 
 tags:

From 9899e6630763348dea90e959ae97b2c64aac2b25 Mon Sep 17 00:00:00 2001
From: IlluminatiFish <45714340+IlluminatiFish@users.noreply.github.com>
Date: Mon, 20 May 2024 10:10:12 +0100
Subject: [PATCH 21/30] Update steam-732d40f3.yml

---
 indicators/steam-732d40f3.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/indicators/steam-732d40f3.yml b/indicators/steam-732d40f3.yml
index 3374212e..d13416b5 100644
--- a/indicators/steam-732d40f3.yml
+++ b/indicators/steam-732d40f3.yml
@@ -21,7 +21,7 @@ detection:
         
     footerMessage:
         dom|contains: '<div style="font-size: 1px; font-family: &quot;Support Assets&quot;; color: rgba(0, 0, 0, 0.01);">Hello</div>'
- 
+
   condition: siteConfiguration and loadedIFrame and footerMessage
 
 tags:

From a7dce314ca01a4371d58bc4dab3509906671b8c6 Mon Sep 17 00:00:00 2001
From: IlluminatiFish <45714340+IlluminatiFish@users.noreply.github.com>
Date: Mon, 20 May 2024 10:11:34 +0100
Subject: [PATCH 22/30] Update steam-732d40f3.yml

---
 indicators/steam-732d40f3.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/indicators/steam-732d40f3.yml b/indicators/steam-732d40f3.yml
index d13416b5..eca94f12 100644
--- a/indicators/steam-732d40f3.yml
+++ b/indicators/steam-732d40f3.yml
@@ -22,7 +22,7 @@ detection:
     footerMessage:
         dom|contains: '<div style="font-size: 1px; font-family: &quot;Support Assets&quot;; color: rgba(0, 0, 0, 0.01);">Hello</div>'
 
-  condition: siteConfiguration and loadedIFrame and footerMessage
+    condition: siteConfiguration and loadedIFrame and footerMessage
 
 tags:
   - target.steam

From cdfacb5167c8747a8b765a3c14db40ed3e581354 Mon Sep 17 00:00:00 2001
From: IlluminatiFish <45714340+IlluminatiFish@users.noreply.github.com>
Date: Mon, 20 May 2024 10:14:17 +0100
Subject: [PATCH 23/30] Update steam-de077e20.yml

---
 indicators/steam-de077e20.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/indicators/steam-de077e20.yml b/indicators/steam-de077e20.yml
index 594cb253..1971c1cf 100644
--- a/indicators/steam-de077e20.yml
+++ b/indicators/steam-de077e20.yml
@@ -5,7 +5,6 @@ description: |
 references:
   - https://urlscan.io/result/de077e20-ab89-494b-af4c-df49f72d1e8b
   - https://urlscan.io/result/2fca4b90-38da-4880-9b09-14e3a94c68e6
-  - https://urlscan.io/result/0712a363-be77-4482-960a-886738d7f882
   - https://urlscan.io/result/950664a4-aaf8-4d2d-8761-c0b2fa11ab7a
   - https://urlscan.io/result/1daf0866-8168-4efe-9f37-067b89b886b4
   - https://urlscan.io/result/6f719b9d-0ded-4f3c-ba3f-682b1afd015f

From 2afe5f596f287bc37f1833573c9f73e48e36bf7e Mon Sep 17 00:00:00 2001
From: IlluminatiFish <45714340+IlluminatiFish@users.noreply.github.com>
Date: Mon, 20 May 2024 10:14:33 +0100
Subject: [PATCH 24/30] Update steam-ee34fa99.yml

---
 indicators/steam-ee34fa99.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/indicators/steam-ee34fa99.yml b/indicators/steam-ee34fa99.yml
index 8f87d63f..097c70e0 100644
--- a/indicators/steam-ee34fa99.yml
+++ b/indicators/steam-ee34fa99.yml
@@ -7,7 +7,6 @@ description: |
 references:
   - https://urlscan.io/result/ee34fa99-6cf8-4b16-8cf5-e617e238dea0
   - https://urlscan.io/result/d09c1f36-773f-437c-b533-4dced6cecc1f
-  - https://urlscan.io/result/23b2c035-4daa-405e-98cd-0f3cdddcd5ca
   - https://urlscan.io/result/0b26dcba-e480-4690-a856-f8b3577194ec
   - https://urlscan.io/result/5d409d0e-4f1d-4a8f-b076-b473c9398a43
 

From bacd1e3b98ba2e87a370c95cd0e56212cde46676 Mon Sep 17 00:00:00 2001
From: IlluminatiFish <45714340+IlluminatiFish@users.noreply.github.com>
Date: Mon, 20 May 2024 10:16:28 +0100
Subject: [PATCH 25/30] Update steam-de077e20.yml

---
 indicators/steam-de077e20.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/indicators/steam-de077e20.yml b/indicators/steam-de077e20.yml
index 1971c1cf..f5add632 100644
--- a/indicators/steam-de077e20.yml
+++ b/indicators/steam-de077e20.yml
@@ -5,7 +5,6 @@ description: |
 references:
   - https://urlscan.io/result/de077e20-ab89-494b-af4c-df49f72d1e8b
   - https://urlscan.io/result/2fca4b90-38da-4880-9b09-14e3a94c68e6
-  - https://urlscan.io/result/950664a4-aaf8-4d2d-8761-c0b2fa11ab7a
   - https://urlscan.io/result/1daf0866-8168-4efe-9f37-067b89b886b4
   - https://urlscan.io/result/6f719b9d-0ded-4f3c-ba3f-682b1afd015f
   - https://urlscan.io/result/bd1cef80-59d3-43cb-bfb3-b71a9cc411b0

From 440d5b44e6e3e8247c04b20fdc0369564489ce6d Mon Sep 17 00:00:00 2001
From: IlluminatiFish <45714340+IlluminatiFish@users.noreply.github.com>
Date: Mon, 20 May 2024 10:16:44 +0100
Subject: [PATCH 26/30] Update steam-ee34fa99.yml

---
 indicators/steam-ee34fa99.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/indicators/steam-ee34fa99.yml b/indicators/steam-ee34fa99.yml
index 097c70e0..c3c3eb0a 100644
--- a/indicators/steam-ee34fa99.yml
+++ b/indicators/steam-ee34fa99.yml
@@ -7,7 +7,6 @@ description: |
 references:
   - https://urlscan.io/result/ee34fa99-6cf8-4b16-8cf5-e617e238dea0
   - https://urlscan.io/result/d09c1f36-773f-437c-b533-4dced6cecc1f
-  - https://urlscan.io/result/0b26dcba-e480-4690-a856-f8b3577194ec
   - https://urlscan.io/result/5d409d0e-4f1d-4a8f-b076-b473c9398a43
 
 detection:

From 998ce8537e3626628584473addaf9e264a9512d1 Mon Sep 17 00:00:00 2001
From: IlluminatiFish <45714340+IlluminatiFish@users.noreply.github.com>
Date: Mon, 20 May 2024 10:18:44 +0100
Subject: [PATCH 27/30] Update steam-de077e20.yml

---
 indicators/steam-de077e20.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/indicators/steam-de077e20.yml b/indicators/steam-de077e20.yml
index f5add632..8d208571 100644
--- a/indicators/steam-de077e20.yml
+++ b/indicators/steam-de077e20.yml
@@ -6,7 +6,6 @@ references:
   - https://urlscan.io/result/de077e20-ab89-494b-af4c-df49f72d1e8b
   - https://urlscan.io/result/2fca4b90-38da-4880-9b09-14e3a94c68e6
   - https://urlscan.io/result/1daf0866-8168-4efe-9f37-067b89b886b4
-  - https://urlscan.io/result/6f719b9d-0ded-4f3c-ba3f-682b1afd015f
   - https://urlscan.io/result/bd1cef80-59d3-43cb-bfb3-b71a9cc411b0
   - https://urlscan.io/result/5c36ed3f-3efe-43a9-a669-f13f4ff0cdcb
   - https://urlscan.io/result/ed5b5e51-109f-4dec-b886-6a49b44e8fe8

From c8bc8e6dddffe31ebeac0145a99bb695dbd9d14e Mon Sep 17 00:00:00 2001
From: IlluminatiFish <45714340+IlluminatiFish@users.noreply.github.com>
Date: Mon, 20 May 2024 10:19:44 +0100
Subject: [PATCH 28/30] Update steam-ee34fa99.yml

---
 indicators/steam-ee34fa99.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/indicators/steam-ee34fa99.yml b/indicators/steam-ee34fa99.yml
index c3c3eb0a..9234e156 100644
--- a/indicators/steam-ee34fa99.yml
+++ b/indicators/steam-ee34fa99.yml
@@ -7,7 +7,6 @@ description: |
 references:
   - https://urlscan.io/result/ee34fa99-6cf8-4b16-8cf5-e617e238dea0
   - https://urlscan.io/result/d09c1f36-773f-437c-b533-4dced6cecc1f
-  - https://urlscan.io/result/5d409d0e-4f1d-4a8f-b076-b473c9398a43
 
 detection:
 

From c5807f47b4358b3575f8acebbc27b7c1a0bc1de1 Mon Sep 17 00:00:00 2001
From: IlluminatiFish <45714340+IlluminatiFish@users.noreply.github.com>
Date: Mon, 20 May 2024 10:22:34 +0100
Subject: [PATCH 29/30] Update steam-de077e20.yml

---
 indicators/steam-de077e20.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/indicators/steam-de077e20.yml b/indicators/steam-de077e20.yml
index 8d208571..e6445f1e 100644
--- a/indicators/steam-de077e20.yml
+++ b/indicators/steam-de077e20.yml
@@ -6,7 +6,6 @@ references:
   - https://urlscan.io/result/de077e20-ab89-494b-af4c-df49f72d1e8b
   - https://urlscan.io/result/2fca4b90-38da-4880-9b09-14e3a94c68e6
   - https://urlscan.io/result/1daf0866-8168-4efe-9f37-067b89b886b4
-  - https://urlscan.io/result/bd1cef80-59d3-43cb-bfb3-b71a9cc411b0
   - https://urlscan.io/result/5c36ed3f-3efe-43a9-a669-f13f4ff0cdcb
   - https://urlscan.io/result/ed5b5e51-109f-4dec-b886-6a49b44e8fe8
 

From 8369d6e7b4c178e5998ac10ace5128232ba3830b Mon Sep 17 00:00:00 2001
From: IlluminatiFish <45714340+IlluminatiFish@users.noreply.github.com>
Date: Mon, 20 May 2024 10:24:44 +0100
Subject: [PATCH 30/30] Update steam-de077e20.yml

---
 indicators/steam-de077e20.yml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/indicators/steam-de077e20.yml b/indicators/steam-de077e20.yml
index e6445f1e..cbf57a3f 100644
--- a/indicators/steam-de077e20.yml
+++ b/indicators/steam-de077e20.yml
@@ -6,8 +6,6 @@ references:
   - https://urlscan.io/result/de077e20-ab89-494b-af4c-df49f72d1e8b
   - https://urlscan.io/result/2fca4b90-38da-4880-9b09-14e3a94c68e6
   - https://urlscan.io/result/1daf0866-8168-4efe-9f37-067b89b886b4
-  - https://urlscan.io/result/5c36ed3f-3efe-43a9-a669-f13f4ff0cdcb
-  - https://urlscan.io/result/ed5b5e51-109f-4dec-b886-6a49b44e8fe8
 
 detection: