ATR-2026-00225 | high | Skill Compromise | experimental
Hardcoded Suspicious IP Address in Skill Content
Detects hardcoded IP addresses in skill content that may represent command and control (C2) servers, particularly when associated with suspicious network ranges or known malware infrastructure. The analyzed skill "sakaen736jih/youtube-watcher-p" contains a reference to IP 91.92.242.30, which is identified as a known malware C2 server.
Severity
high
Category
Skill Compromise
Scan Target
skill
Author
ATR Threat Cloud Crystallization
Response Actions
alert, block_tool
References
OWASP Agentic
ASI04:2026 - Unbounded Consumption
OWASP LLM
LLM09:2025 - Overreliance
MITRE ATLAS
AML.T0048
Detection Conditions
Combinator: any
- 01 References to C2 server or malware actor with IP address (field: content, op: regex)
- 02 Explicit identification of malicious infrastructure with IP (field: content, op: regex)
- 03 IP address followed by malicious infrastructure terms (field: content, op: regex)
- 04 Known malicious IP ranges commonly used for C2 (field: content, op: regex)
- 05 Structured threat intelligence findings format (field: content, op: regex)
Attack Examples (Rule Triggers)
finding_0: Known malware actor: C2 server at 91.92.242.30
Command control server identified at 185.159.158.42
Malware actor using 194.87.95.123 for C2 communications
Known C2 infrastructure: 91.92.241.15
203.45.67.89 - detected malware server
Real-world attack payloads (sanitized). Used for regression testing.
Benign Examples (Rule Doesn't Trigger)
Connect to database at 192.168.1.100
API endpoint: https://api.youtube.com/v3/videos
Server configuration: bind to 0.0.0.0:8080
Load balancer IP: 10.0.0.50
Monitor health check to 172.16.0.1
Known False Positive Contexts
- Security research documentation describing C2 patterns
- Threat intelligence feeds in legitimate security tools
- Network monitoring tools documenting suspicious activity
Documented Evasion Techniques
- Technique: IP defanging
  Server location: 91[.]92[.]242[.]30
  Brackets used to defang IP address in security documentation
- Technique: Base64 encoding
  Base64: OTEuOTIuMjQyLjMw (decodes to suspicious IP)
  IP address encoded in Base64 to evade plain text detection
- Technique: Hexadecimal encoding
  Hex encoded: 5b.5c.f2.1e (91.92.242.30 in hex)
  IP address represented in hexadecimal notation
Publicly documented bypasses. We disclose known limitations rather than pretend they don't exist.
Full YAML Definition
title: 'Hardcoded Suspicious IP Address in Skill Content'
id: ATR-2026-00225
rule_version: 1
status: experimental
description: >
  Detects hardcoded IP addresses in skill content that may represent command and control
  (C2) servers, particularly when associated with suspicious network ranges or known
  malware infrastructure. The analyzed skill "sakaen736jih/youtube-watcher-p" contains
  reference to IP 91.92.242.30 identified as a known malware C2 server.
author: "ATR Threat Cloud Crystallization"
date: "2026/04/15"
schema_version: "0.1"
detection_tier: pattern
maturity: test
severity: high
references:
  owasp_llm:
    - "LLM09:2025 - Overreliance"
  owasp_agentic:
    - "ASI04:2026 - Unbounded Consumption"
  mitre_atlas:
    - "AML.T0048"
compliance:
  nist_ai_rmf:
    - subcategory: "GV.6.1"
      context: "Hardcoded references to known malware C2 IP addresses inside third-party skill content directly evidence supplier/third-party AI risks; GV.6.1 requires policies that screen externally sourced skill artifacts for malicious infrastructure indicators before integration."
      strength: primary
    - subcategory: "MG.3.1"
      context: "Detection of embedded C2 IPs in a third-party skill triggers the third-party risk management activities required by MG.3.1, allowing the supplier-supplied component to be quarantined or removed before execution."
      strength: secondary
    - subcategory: "MS.2.7"
      context: "Identifying hardcoded malicious infrastructure in skill content contributes to continuous security/resilience evaluation under MS.2.7 by surfacing supply-chain compromise indicators that degrade system security posture."
      strength: secondary
    - subcategory: "MG.3.2"
      context: "NIST AI RMF MANAGE 3.2 (pre-trained models monitored as part of maintenance) is supported where this rule detects the skill supply-chain compromise (Hardcoded Suspicious IP Address in Skill Content)."
      strength: secondary
  iso_42001:
    - clause: "8.1"
      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the skill supply-chain compromise (Hardcoded Suspicious IP Address in Skill Content)."
      strength: primary
    - clause: "8.3"
      context: "ISO/IEC 42001 Clause 8.3 (AI risk treatment) is supported by this rule, which implements runtime detection of the skill supply-chain compromise (Hardcoded Suspicious IP Address in Skill Content) as a treatment control."
      strength: secondary
  eu_ai_act:
    - article: "15"
      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the skill supply-chain compromise (Hardcoded Suspicious IP Address in Skill Content)."
      strength: primary
    - article: "9"
      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the skill supply-chain compromise (Hardcoded Suspicious IP Address in Skill Content)."
      strength: secondary
tags:
  category: skill-compromise
  subcategory: c2-communication
  scan_target: skill
  confidence: high
agent_source:
  type: mcp_exchange
  framework: [any]
  provider: [any]
detection:
  conditions:
    - field: content
      operator: regex
      value: '(C2\s+server|command\s+control|malware\s+actor)\s+[^\n]*\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'
      description: 'References to C2 server or malware actor with IP address'
    - field: content
      operator: regex
      value: '(known|identified|detected)\s+(malware|threat|actor|server)[^\n]*\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'
      description: 'Explicit identification of malicious infrastructure with IP'
    - field: content
      operator: regex
      value: '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}[^\n]*(C2|command|control|backdoor|malware)'
      description: 'IP address followed by malicious infrastructure terms'
    - field: content
      operator: regex
      value: '(91\.92\.24[0-9]\.|185\.159\.15[0-9]\.|194\.87\.9[0-9]\.)[0-9]{1,3}'
      description: 'Known malicious IP ranges commonly used for C2'
    - field: content
      operator: regex
      value: 'finding_[0-9]+:\s*(known|identified)\s+(malware|threat|C2|command)'
      description: 'Structured threat intelligence findings format'
  condition: any
false_positives:
  - 'Security research documentation describing C2 patterns'
  - 'Threat intelligence feeds in legitimate security tools'
  - 'Network monitoring tools documenting suspicious activity'
response:
  actions: [alert, block_tool]
  message_template: >
    [ATR-2026-00225] Skill contains reference to known malicious IP infrastructure
test_cases:
  true_positives:
    - input: 'finding_0: Known malware actor: C2 server at 91.92.242.30'
      expected: triggered
    - input: 'Command control server identified at 185.159.158.42'
      expected: triggered
    - input: 'Malware actor using 194.87.95.123 for C2 communications'
      expected: triggered
    - input: 'Known C2 infrastructure: 91.92.241.15'
      expected: triggered
    - input: '203.45.67.89 - detected malware server'
      expected: triggered
  true_negatives:
    - input: 'Connect to database at 192.168.1.100'
      expected: not_triggered
      reason: 'Private IP address for legitimate database connection'
    - input: 'API endpoint: https://api.youtube.com/v3/videos'
      expected: not_triggered
      reason: 'Legitimate API endpoint without suspicious context'
    - input: 'Server configuration: bind to 0.0.0.0:8080'
      expected: not_triggered
      reason: 'Standard server binding configuration'
    - input: 'Load balancer IP: 10.0.0.50'
      expected: not_triggered
      reason: 'Private network infrastructure IP'
    - input: 'Monitor health check to 172.16.0.1'
      expected: not_triggered
      reason: 'Private IP range for internal monitoring'
  evasion_tests:
    - input: 'Server location: 91[.]92[.]242[.]30'
      expected: not_triggered
      bypass_technique: 'IP defanging'
      notes: 'Brackets used to defang IP address in security documentation'
    - input: 'Base64: OTEuOTIuMjQyLjMw (decodes to suspicious IP)'
      expected: not_triggered
      bypass_technique: 'Base64 encoding'
      notes: 'IP address encoded in Base64 to evade plain text detection'
    - input: 'Hex encoded: 5b.5c.f2.1e (91.92.242.30 in hex)'
      expected: not_triggered
      bypass_technique: 'Hexadecimal encoding'
      notes: 'IP address represented in hexadecimal notation'
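To show how the five regex conditions combine under `condition: any`, and how the documented IP-defanging evasion can be closed, here is an added Python example that is not part of the rule set or its scanning engine. It copies the YAML's patterns verbatim, assumes case-insensitive matching (the YAML does not specify it), and adds a refang step of its own that the rule does not have.

```python
import re

# The five conditions copied verbatim from the rule's YAML (combinator: any).
CONDITIONS = [
    (r'(C2\s+server|command\s+control|malware\s+actor)\s+[^\n]*\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}',
     'References to C2 server or malware actor with IP address'),
    (r'(known|identified|detected)\s+(malware|threat|actor|server)[^\n]*\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}',
     'Explicit identification of malicious infrastructure with IP'),
    (r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}[^\n]*(C2|command|control|backdoor|malware)',
     'IP address followed by malicious infrastructure terms'),
    (r'(91\.92\.24[0-9]\.|185\.159\.15[0-9]\.|194\.87\.9[0-9]\.)[0-9]{1,3}',
     'Known malicious IP ranges commonly used for C2'),
    (r'finding_[0-9]+:\s*(known|identified)\s+(malware|threat|C2|command)',
     'Structured threat intelligence findings format'),
]

# Assumption: the engine matches case-insensitively; the YAML leaves this unspecified.
COMPILED = [(re.compile(pattern, re.IGNORECASE), desc) for pattern, desc in CONDITIONS]

# Added hardening, not in the rule: turn the "[.]" defang notation from the
# evasion tests back into a real dot before the patterns run.
DEFANGED_DOT = re.compile(r'\[\.\]')


def evaluate(content: str, refang: bool = False) -> list[str]:
    """Return the descriptions of every condition that fires on `content`.

    An empty list means the rule does not trigger. With refang=True the
    content is normalised first, which closes the IP-defanging bypass.
    """
    text = DEFANGED_DOT.sub('.', content) if refang else content
    return [desc for regex, desc in COMPILED if regex.search(text)]


def triggered(content: str, refang: bool = False) -> bool:
    """Apply the rule's `condition: any` combinator."""
    return bool(evaluate(content, refang))


if __name__ == '__main__':
    # Sample inputs taken from the rule's own test_cases section.
    for line in ['finding_0: Known malware actor: C2 server at 91.92.242.30',
                 'Load balancer IP: 10.0.0.50',
                 'Server location: 91[.]92[.]242[.]30']:
        print(f'raw={triggered(line)!s:5} refang={triggered(line, refang=True)!s:5} {line}')
```

Running the YAML's own evasion entries through this shows that the Base64 case stays undetected even after refanging, while the hexadecimal entry fires on the range pattern as written, because its text also spells out the plain IP in parentheses.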