Important
This repository intentionally contains only this README. The actual Sigurd sample is not published here. Sigurd is a research/forensics artifact with capabilities that could be harmful if misused. Access is restricted and provided only to vetted researchers, instructors, incident responders, and authorized learners under formal agreements.
Sigurd is a research-oriented malware sample, specifically a Remote Access Trojan (RAT), used to support digital forensics, incident response training, and CTF-style forensic challenges. It appeared in the ITSEC Asia Cyber Security SUMMIT CTF event. The first known sample of Sigurd was submitted to VirusTotal by CTF participants, which may be relevant to analysts studying its behavior.
For defensive analysts and instructors, the artifact demonstrates patterns commonly seen in threats and red-team tooling, including (descriptive only):
- Discord-based command-and-control style communications.
- Remote command execution capability guarded by an authorization check.
- A file transformation/encryption pipeline that marks modified files.
- Clipboard capture and remote exfiltration of clipboard contents.
- Keystroke capture (keylogger) with local and remote logging.
- Windows persistence via Registry-key modification.
- Cleanup routines and multiple stealth measures.
Tip
This list is intentionally high-level and non-actionable: it does not provide build/run instructions, configuration values, or operational guidance.
Access is intended for legitimate defenders and educators: university instructors running isolated labs, DFIR teams performing analysis, security researchers validating detections, and CTF/competition organizers who need controlled challenge artifacts. Requests from individuals or groups without a verifiable institutional affiliation will be subject to stricter vetting or denied.
Approved recipients will get a secure, logged transfer of materials tailored to their needs. Typical deliverables include:
- An encrypted sample archive (delivered only after vetting and signed agreements).
- A DFIR lab package (VM snapshot or disk image) that contains the artifact in a contained environment suitable for hands-on analysis.
- A sanitized forensic guide and IOCs to support teaching and detection work.
- Used in: ITSEC CTF Competition 2025 (forensics final round).
- Public trace: The first version of Sigurd was submitted to VirusTotal by CTF participants.
Sigurd is an active research artifact and may be enhanced over time for defensive research and teaching. Distribution policy and access controls will remain governed by the maintainers.
E-mail baycorp22@gmail.com with:
- Full name, affiliation, and role.
- Intended use (training / research / CTF).
- Short containment plan (VM provider or snapshot/rollback).
After an initial review period of 2 weeks, we'll provide details about agreements and secure transfer.