From 004da597ebb742ed84d58937ca5e62f0c96ce30a Mon Sep 17 00:00:00 2001
From: Anurag
Date: Thu, 25 Dec 2025 00:36:34 +0530
Subject: [PATCH] :rocket: Stable Genesis Airdrop Scam site
---
.../crypto-stable-genesis-airdrop-drainer.yml | 22 +++++++++++++++++++
1 file changed, 22 insertions(+)
create mode 100644 indicators/crypto-stable-genesis-airdrop-drainer.yml
diff --git a/indicators/crypto-stable-genesis-airdrop-drainer.yml b/indicators/crypto-stable-genesis-airdrop-drainer.yml
new file mode 100644
index 00000000..ee1650fa
--- /dev/null
+++ b/indicators/crypto-stable-genesis-airdrop-drainer.yml
@@ -0,0 +1,22 @@
+ title: Fake Stable Genesis Airdrop
+ description: |
+ Fake Stable Genesis Airdrop Site, cryptocurrency phishing
+ The Phishing site is behing Cloudflare Captcha
+ references:
+ - "https://x.com/Malwarehunterr/status/2003517025071824925?s=20"
+ level: potentially_malicious
+
+ detection:
+ StableGenesisAirdrophtml:
+ html|contains|all:
+ - "airdrop.stablereward.claims"
+ - "Verify you are human by completing the action below"
+ - "airdrop.stablereward.claims needs to review the security of your connection before proceeding."
+ mySubdomain:
+ hostname|endswith: ".stablereward.claims"
+ hotlinkAsset:
+ requests|startswith: "https://airdrop.stablereward.claims/"
+
+ condition: StableGenesisAirdrophtml and mySubdomain and hotlinkAsset
+ tag: |
+ - "crypto wallet drainer", "test"
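Review bot: `tag: |` at the end of the rule turns the tag list into one literal string (`- "crypto wallet drainer", "test"`), so a consumer that filters on tags would likely never see a `crypto wallet drainer` entry, and `"test"` looks like a leftover. A plain sequence would fix both, e.g. `tag:` followed by `  - "crypto wallet drainer"` (check whether the rule schema spells the key `tags`). Separately, the condition ANDs three selectors that are all tied to `stablereward.claims`, and the `html` strings are Cloudflare challenge text rather than kit content, so the rule behaves as a single-domain IOC and stops matching once the site moves or the challenge wording changes; consider saying so in `description` or adding a selector for the page served after the challenge. Indentation was lost in this view, so the nesting of `condition` under `detection` could not be checked.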