currently serving 23091 YARA rules and 4263 Sigma rules

New Rules per Day

Newest YARA Rules

This table shows the newest additions to the YARA rule set

Rule | Description | Date
HKTL_MFTool_Oct25 | Detects MFTool, a tool for direct access to NTFS volumes written in Rust | 13.10.2025
HKTL_Windows_Kernel_Tools_Oct25 | Detects WKTools, Windows Kernel Tools, which can be used to stop EDRs | 13.10.2025
HKTL_PhantomPipe_C2_Oct25 | Detects PhantomPipe C2, a command-and-control framework that uses MCP (Model Context Protocol) and SSE (Server-Sent Events) for communication | 10.10.2025
APT_RANSOM_Forensic_Artefacts_Oct25 | Detects forensic artefacts related to Velociraptor abuse in ransomware attacks | 10.10.2025
APT_RANSOM_PS1_Exfiltration_Oct25 | Detects PowerShell scripts related to data exfiltration in ransomware attacks | 10.10.2025
SUSP_PS1_Encryption_Indicators_Oct25 | Detects suspicious PowerShell scripts with encryption routines | 10.10.2025
MAL_AdaptixC2_Agent_Oct25 | Detects AdaptixC2 agent payloads | 10.10.2025
PUA_RMM_Nezha_Agent_Oct25 | Detects the Nezha agent, a remote management tool | 10.10.2025
APT_CN_Nezha_Campaigns_Oct25 | Detects forensic artifacts related to Nezha campaigns as described by Huntress | 10.10.2025
MAL_Thumtais_Shellcode_Loader_Oct25 | Detects Thumtais DLLs with embedded or loaded shellcode components | 08.10.2025
MAL_AsmLoader_Shellcode_Oct25 | Detects AsmLdr, an x64 assembly shellcode loader that performs module stomping, in-memory decryption, stack-spoofed indirect syscalls, and ETW/anti-debug evasion | 07.10.2025
APT_MAL_CANONSTAGER_Downloader_Oct25 | Detects the CANONSTAGER downloader, used to retrieve secondary payloads while evading detection through abuse of valid certificates; seen in use by the UNC6384 APT group | 06.10.2025
MAL_Plugx_DLL_Oct25 | Detects a PlugX DLL seen in use by the UNC6384 APT group | 06.10.2025
MAL_NET_Keylogger_Indicators_Oct25 | Detects .NET keylogger implementations found in various malware families such as StormKitty and TelegramRAT | 06.10.2025
MAL_Privilege_Escalation_Tool_Oct25 | Detects a custom privilege escalation tool | 05.10.2025
MAL_ReadNimeLoader_Oct25 | Detects ReadNimeLoader, a loader for Cobalt Strike | 05.10.2025
EXPL_CVE_2025_30727_Oracle_Oct25 | Detects traces of PoC exploit code allegedly targeting CVE-2025-30727 in Oracle E-Business Suite | 03.10.2025
APT_MAL_MacOS_Clipboard_Logger_Oct25 | Detects a clipboard logger seen in use by the Lazarus APT group | 03.10.2025
MAL_DPAPILoader_Oct25 | Detects DPAPILoader, which uses Windows DPAPI to decrypt and load the RemotePE RAT; seen in use by the Lazarus APT group | 03.10.2025
MAL_PerfhLoader_Oct25 | Detects PerfhLoader, which uses phantom DLL hijacking via the SessionEnv/IKEEXT services to load encrypted payloads; seen in use by the Lazarus APT group | 03.10.2025
HKTL_Proxymini_Oct25 | Detects Proxymini, an open-source SOCKS proxy tool often abused by threat actors to tunnel traffic and maintain covert access | 03.10.2025
APT_MAL_Keylogger_Oct25 | Detects a Windows keylogger used by the Lazarus APT group | 02.10.2025
APT_MAL_Screenshotter_Oct25 | Detects a Windows screenshotter used by the Lazarus APT group against DeFi organizations | 02.10.2025
APT_MAL_MacOS_ThemeForestRAT_Oct25 | Detects ThemeForestRAT, a RAT used by Lazarus APT that runs exclusively in memory and features 20+ commands, including file operations, shellcode injection, and RDP session monitoring | 02.10.2025
APT_MAL_MacOS_Keylogger_Oct25 | Detects a keylogger that logs keystrokes, seen in use by the Lazarus APT group | 02.10.2025
APT_MAL_MacOS_Screenshotter_Oct25 | Detects a screenshotter that stores screenshots, seen in use by the Lazarus APT group | 02.10.2025
MAL_RANSOM_Crypto24_Oct25 | Detects Crypto24 ransomware | 02.10.2025
MAL_Keylogger_Oct25 | Detects a keylogger seen used by Crypto24 ransomware | 02.10.2025
MAL_RDP_Patcher_Oct25 | Detects a script that patches termsrv.dll, which manages RDP sessions. The modification enables multiple simultaneous RDP connections, further aiding lateral movement and remote administration | 02.10.2025
SUSP_BAT_Persistence_Oct25 | Detects a BAT file that mainly tries to persist its payload | 02.10.2025

Successful YARA Rules in Set

This table shows statistics for the best-performing rules, i.e. those whose matched samples have the lowest average AV detection rates (rules created in the last 12 months, matches from the last 14 days)

Rule | Average AV Detection Rate | Sample Count
MAL_GuLoader_Shellcode_Oct22_3 | 0.0 | 20
SUSP_MAL_EXFIL_Stealer_Output_Characteristics_Sep22_1 | 0.04 | 180
SUSP_PY_OBFUSC_Berserker_Indicators_Dec22_1 | 0.21 | 14
SUSP_BAT_OBFUSC_Apr23_2 | 0.59 | 64
SUSP_Encrypted_ZIP_Suspicious_Contents_Jul23_1_File | 0.64 | 11
SUSP_PUA_RustDesk_Apr23_1 | 0.68 | 22
SUSP_BAT_PS1_Combo_Jan23_2 | 0.71 | 45
SUSP_JS_OBFUSC_Feb23_2 | 1.04 | 1736
SUSP_WEvtUtil_ClearLogs_Sep22_1 | 1.12 | 43
SUSP_CryptBase_PE_Info_NOT_Cryptbase_Feb23 | 1.19 | 21
SUSP_OBFUSC_PY_Loader_Jun23_1 | 1.48 | 21
SUSP_Webshell_OBFUSC_Indicators_Aug22_1 | 2.07 | 14
SUSP_URL_Split_Jun23 | 2.5 | 18
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23 | 2.69 | 13
PUA_RuskDesk_Remote_Desktop_Jun23_1 | 2.78 | 18
SUSP_JS_Redirector_Mar23 | 2.81 | 108
SUSP_JS_Executing_Powershell_Apr23 | 3.14 | 274
SUSP_PY_Reverse_Shell_Indicators_Jan23_1 | 3.25 | 16
SUSP_OBFUSC_JS_Execute_Base64_Mar23 | 3.26 | 34
SUSP_Encoded_Registry_Key_Paths_Sep22_1 | 3.39 | 64
SUSP_PE_OK_RU_URL_Jun23 | 3.59 | 17
HKTL_Clash_Tunneling_Tool_Aug22_2 | 3.75 | 16
SUSP_PY_OBFUSC_Hyperion_Aug22_1 | 4.0 | 13
SUSP_BAT_OBFUSC_Apr23_1 | 4.0 | 16
SUSP_RANSOM_Note_Aug22 | 4.01 | 171
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23_2 | 4.52 | 67
SUSP_BAT_PS1_Contents_Jan23_1 | 5.11 | 18
SUSP_OBFUSC_PS1_FormatStrings_Dec22_1 | 5.33 | 12
SUSP_BAT_OBFUSC_Apr23_4 | 5.35 | 26
SUSP_OBFUSC_BAT_Dec22_1 | 5.84 | 31

Latest YARA Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule | AVs | Hash (SHA-256)
Cobaltbaltstrike_Beacon_XORed_x64 | 12 | e0876b779e3d53ad07898e52498bca6b67c72076ab49b84645d6067393e2c075
HKTL_DirtyClr_Injector_Jun24 | 2 | da32ab27089d934259278cc243dd78220795e954fec47b816b945bec02d5b814
Empire_dumpCredStore | 13 | 8f4621c50e89dde90d4e6764c2846076e729f3bc58cc172de6939ded7d8bb427
WEBSHELL_PHP_Gzinflated | 6 | 0e8e6b754f1a8e5ba5cecb93a01c6d93c0688ded5f6d0db4bb367e683cc54cb6
WEBSHELL_PHP_Base64_Encoded_Payloads | 6 | 0e8e6b754f1a8e5ba5cecb93a01c6d93c0688ded5f6d0db4bb367e683cc54cb6
SUSP_EXPL_ShellCode_Loader_Nov22_1 | 7 | daed171e2e8200d983dcc9c5ac26de0cd59eef42c90d40f6466dd491f6133fbd
SUSP_EXPL_ShellCode_Loader_Nov22_1 | 4 | 33d2211a2b47e168643549c00325dd75ae660555698411dcfd42ad298b82ac9d
WEBSHELL_PHP_Dynamic | 4 | f7673572083c325faf98180b6d0063e72351dd97d0de1965708b628b39cbc456
Webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php | 4 | 01a7ec395672794f75447a71821af5a3a14e81ba47099625d3465673d87af722
WEBSHELL_PHP_Generic | 4 | 01a7ec395672794f75447a71821af5a3a14e81ba47099625d3465673d87af722
WEBSHELL_PHP_Generic_Eval | 4 | 01a7ec395672794f75447a71821af5a3a14e81ba47099625d3465673d87af722
WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_2 | 4 | 01a7ec395672794f75447a71821af5a3a14e81ba47099625d3465673d87af722
WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit | 4 | 01a7ec395672794f75447a71821af5a3a14e81ba47099625d3465673d87af722
Webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit | 4 | 01a7ec395672794f75447a71821af5a3a14e81ba47099625d3465673d87af722
Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit | 4 | 01a7ec395672794f75447a71821af5a3a14e81ba47099625d3465673d87af722
SUSP_EXPL_ShellCode_Loader_Nov22_1 | 6 | 45c2018b07708de08fc4afa46f0540c6174c23dcd36b7a56aa46ff6ed9a9bdbb
SUSP_EXPL_ShellCode_Loader_Nov22_1 | 6 | f4d92666bb473093823c8d2fa26c1775688ea66332785e91d35ceaf8f2714eaf
SUSP_EXPL_ShellCode_Loader_Nov22_1 | 6 | a0aaaa3bc9ab7a05d2c8bdefd172f2ecc2bd7c3528a58a72193b2b903e02aaae
WEBSHELL_PHP_Generic | 1 | 9c33a290ac07af3b438365db351d0d5384eaacfce7056959bfbf671b832b5771
SUSP_EXPL_ShellCode_Loader_Nov22_1 | 6 | 588b88326bf9234731a21235a85c6a496235aee2d6f868919cfde07f4d15ef6f

YARA Rules Per Category

This list shows the number of YARA rules in the subscribable categories (the counts overlap, since a rule can belong to more than one category)

Tag | Count
Malware | 7150
Threat Hunting (not subscribable, only in THOR scanner) | 5615
APT | 5027
Hacktools | 4749
Webshells | 2392
Exploits | 694

Newest Sigma Rules

This table shows the newest additions to the Sigma rule set

Rule | Description | Date
PowerShell File Discovery Activity in User Directories | Detects PowerShell scripts that enumerate specific files and directories in common user document folders, which may indicate data discovery for exfiltration | 25.09.2025
Suspicious Process Suspension via WERFaultSecure through EDR-Freeze | Detects attempts to freeze a process, likely an EDR or anti-malware service process, via EDR-Freeze, which abuses WerFaultSecure.exe to suspend security software | 23.09.2025
Service Permissions Change via SC.EXE | Detects attempts to modify service permissions using the sc.exe command with the privs parameter | 17.09.2025
MacOS FileGrabber Infostealer | Detects execution of FileGrabber on macOS, which is associated with Amos infostealer campaigns targeting sensitive user files | 12.09.2025
TXT File Association Hijacking | Detects registry modifications that hijack the default handler for .txt files. Attackers use this technique to establish persistence by executing malicious code whenever a user opens a text file | 08.09.2025
Suspicious Registry Modification by Python | Detects suspicious modification by Python of Windows registry keys commonly used for persistence, which may indicate an attempt to establish persistence through malicious Python scripts | 04.09.2025
Registry Modification via Python | Detects attempts to modify the Windows registry using Python scripts, which could indicate a persistence mechanism | 04.09.2025
Suspicious Python Oneliner Execution | Detects execution of Python with suspicious one-liners that may indicate code execution, data exfiltration or other malicious activity | 04.09.2025
Suspicious Python Base64 One-liner Execution | Detects execution of a Python one-liner that invokes the base64 module, potentially for obfuscation or evasion purposes | 03.09.2025
IIS WebServer Log Deletion via CommandLine Utilities | Detects attempts to delete Internet Information Services (IIS) log files via command-line utilities, a common defense evasion technique used by attackers to cover their tracks. Threat actors often exploit vulnerabilities in web applications hosted on IIS servers to gain initial access and later delete the IIS logs to evade detection | 02.09.2025
Suspicious Velociraptor Child Process | Detects suspicious use of the Velociraptor DFIR tool to execute other tools or download additional payloads, as seen in a campaign where it was abused for remote access and to stage further attacks | 29.08.2025
Suspicious Services Execution Pattern | Detects suspicious service execution patterns, which could be a sign of persistence or lateral movement. Attackers may create services or abuse existing ones to execute malicious payloads or scripts with such patterns | 29.08.2025
SC.EXE Query of Security Services | Detects use of the 'sc.exe' command to query information about registered security services on the system. Threat actors may use this technique to gather information about the status of security services as part of their reconnaissance | 28.08.2025
Suspicious Uninstall of Windows Defender Feature via PowerShell | Detects use of PowerShell with the Uninstall-WindowsFeature or Remove-WindowsFeature cmdlets to disable or remove the Windows Defender GUI feature, a common technique used by adversaries to evade defenses | 22.08.2025
PowerShell Creating Hidden File | Detects PowerShell commands that create hidden files on the Windows file system, which may indicate malicious activity or an attempt to hide persistence mechanisms. Threat actors may use PowerShell to create hidden files, often containing malicious scripts or payloads, by setting the 'Hidden' attribute | 13.08.2025
PowerShell Executing Base64 Code From Registry | Detects PowerShell command lines that retrieve base64-encoded content from the registry and execute it. Threat actors often stage payloads in the registry in fileless attacks, using PowerShell to decode and execute the malicious code | 13.08.2025
Suspicious Hex-Encoded Values in Registry Keys | Detects suspicious registry modifications where LOLBins (Living Off The Land Binaries) write long hexadecimal-encoded strings to user-writable registry keys. This pattern is commonly observed in fileless malware attacks, where threat actors store encoded payloads (shellcode, scripts or commands) in the registry to evade detection and maintain persistence. The rule specifically monitors PowerShell, reg.exe, script engines and other commonly abused Windows binaries that adversaries leverage for registry manipulation | 13.08.2025
FunkLocker Ransomware File Creation | Detects the creation of files with the ".funksec" extension, which the FunkLocker ransomware appends to encrypted files | 08.08.2025
Potential Hello-World Scraper Botnet Activity | Detects network traffic potentially associated with a scraper botnet variant that uses the "Hello-World/1.0" user-agent string | 02.08.2025
Windows MFA Tool Uninstallation via WMI | Detects the uninstallation of a Windows multi-factor authentication (MFA) tool, such as Duo Authentication for Windows Logon, through Windows Management Instrumentation (WMI). These tools enhance security by requiring additional verification during login, so threat actors may attempt to uninstall them to bypass MFA | 01.08.2025
Copy of Webshell Files to Suspicious Directories | Detects copying of webshell files to suspicious directories that are common locations for webshell placement, which threat actors can reach easily through a web browser to execute malicious code. Threat actors may use this technique to establish persistence and maintain access to the compromised server | 01.08.2025
Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309) | Detects suspicious child processes created by CrushFTP, which could indicate exploitation of an RCE vulnerability such as CVE-2025-54309 | 01.08.2025
Windows Recovery Environment Disabled Via Reagentc | Detects attempts to disable the Windows Recovery Environment using Reagentc. ReAgentc.exe is a Windows command-line tool for managing the Windows Recovery Environment (WinRE); it allows users to enable, disable and configure WinRE, which is used for troubleshooting and repairing common boot issues | 31.07.2025
Password Set to Never Expire via WMI | Detects the use of wmic.exe to modify user account settings and explicitly disable password expiration | 30.07.2025
Registry Manipulation via WMI Stdregprov | Detects the use of wmic.exe to manipulate the Windows registry via the WMI StdRegProv class. This behaviour is potentially suspicious because it modifies registry keys through an alternative method instead of the usual registry tools such as reg.exe or regedit.exe. Attackers choose this technique specifically to evade detection and bypass security monitoring focused on traditional registry modification commands | 30.07.2025
Potential JLI.dll Side-Loading | Detects potential DLL side-loading of jli.dll. Various threat actors, including APT41, XWorm and others, have been observed side-loading jli.dll via Java processes in order to load malicious payloads in the context of legitimate Java processes | 25.07.2025
Suspicious File Write to SharePoint Layouts Directory | Detects suspicious file writes to the SharePoint layouts directory, which could indicate webshell activity or post-exploitation. This behavior has been observed in the exploitation of SharePoint vulnerabilities such as CVE-2025-49704, CVE-2025-49706 or CVE-2025-53770 | 24.07.2025
SharePoint CVE-2025-53770 ToolShell Exploitation Commandline | Detects potential SharePoint exploitation (CVE-2025-53770) using ToolShell. The rule looks for suspicious command lines that may indicate use of ToolShell to exploit SharePoint vulnerabilities; detection is based on known exploitation patterns, such as specific paths and commands related to SharePoint installations | 24.07.2025
Suspicious File Created in Outlook Temporary Directory | Detects the creation of files with suspicious extensions in the temporary directory that Outlook uses when opening attachments. This can be used to detect spear-phishing campaigns that deliver suspicious attachments, which may contain malicious code | 22.07.2025
Potential SharePoint ToolShell CVE-2025-53770 Exploitation Indicators | Detects potential exploitation of CVE-2025-53770 by identifying indicators such as suspicious command lines discovered in post-exploitation activities. CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution | 21.07.2025

YARA/SIGMA Rule Count

Rule Type | Community Feed | Nextron Private Feed
Yara | 2705 | 20386
Sigma | 3447 | 816

Sigma Rules Per Category (Community)

Type | Count
windows / process_creation | 1295
windows / registry_set | 205
windows / file_event | 202
windows / ps_script | 165
windows / security | 158
linux / process_creation | 121
windows / image_load | 112
webserver | 82
windows / system | 73
macos / process_creation | 68
proxy | 53
linux / auditd | 53
windows / network_connection | 52
aws / cloudtrail | 46
azure / activitylogs | 43
windows / registry_event | 39
azure / auditlogs | 38
windows / ps_module | 33
windows / application | 30
windows / dns_query | 25
azure / signinlogs | 24
windows / process_access | 23
okta / okta | 22
azure / riskdetection | 19
windows / pipe_created | 18
opencanary / application | 18
linux | 17
rpc_firewall / application | 17
windows / windefend | 16
gcp / gcp.audit | 16
bitbucket / audit | 14
github / audit | 13
m365 / threat_management | 13
windows / file_delete | 13
cisco / aaa | 12
windows / create_remote_thread | 12
linux / file_event | 10
windows / codeintegrity-operational | 10
kubernetes / application / audit | 10
windows / driver_load | 10
windows / ps_classic_start | 9
dns | 9
windows / create_stream_hash | 9
windows / registry_add | 9
windows / registry_delete | 8
windows / firewall-as | 8
windows / msexchange-management | 8
zeek / smb_files | 7
antivirus | 7
azure / pim | 7
windows / appxdeployment-server | 7
windows / file_access | 7
gcp / google_workspace.admin | 7
windows / bits-client | 7
windows / dns-client | 6
zeek / dns | 5
zeek / http | 5
linux / network_connection | 5
jvm / application | 5
kubernetes / audit | 5
windows / sysmon | 4
windows / taskscheduler | 4
windows / iis-configuration | 4
zeek / dce_rpc | 4
m365 / audit | 3
windows / wmi_event | 3
windows / powershell-classic | 3
windows / ntlm | 3
linux / sshd | 3
spring / application | 2
linux / syslog | 2
apache | 2
windows / dns-server | 2
onelogin / onelogin.events | 2
macos / file_event | 2
qualys | 2
firewall | 2
windows / security-mitigations | 2
windows / file_change | 2
ruby_on_rails / application | 1
windows / capi2 | 1
windows / shell-core | 1
zeek / x509 | 1
windows / certificateservicesclient-lifecycle-system | 1
windows / microsoft-servicebus-client | 1
velocity / application | 1
m365 / exchange | 1
linux / vsftpd | 1
windows / file_executable_detected | 1
sql / application | 1
linux / sudo | 1
windows / diagnosis-scripted | 1
windows / smbclient-security | 1
windows / file_rename | 1
m365 / threat_detection | 1
zeek / rdp | 1
windows / terminalservices-localsessionmanager | 1
windows / sysmon_status | 1
database | 1
windows / sysmon_error | 1
zeek / kerberos | 1
windows / dns-server-analytic | 1
windows / driver-framework | 1
windows | 1
windows / printservice-operational | 1
nginx | 1
windows / printservice-admin | 1
netflow | 1
cisco / bgp | 1
windows / lsa-server | 1
windows / wmi | 1
windows / ps_classic_provider_start | 1
fortios / sslvpnd | 1
linux / auth | 1
windows / ldap | 1
django / application | 1
cisco / syslog | 1
linux / clamav | 1
cisco / ldp | 1
windows / smbclient-connectivity | 1
linux / cron | 1
huawei / bgp | 1
windows / appmodel-runtime | 1
nodejs / application | 1
paloalto / file_event / globalprotect | 1
linux / guacamole | 1
juniper / bgp | 1
windows / applocker | 1
windows / openssh | 1
windows / process_tampering | 1
python / application | 1
paloalto / appliance / globalprotect | 1
cisco / duo | 1
windows / appxpackaging-om | 1
windows / raw_access_thread | 1

Sigma Rules Per Category (Nextron Private Feed)

Type | Count
windows / process_creation | 385
windows / registry_set | 78
windows / ps_script | 75
windows / image_load | 43
windows / file_event | 38
linux / process_creation | 33
windows / wmi | 29
windows / security | 22
proxy | 12
windows / system | 9
windows / network_connection | 8
windows / registry_event | 8
windows / kernel-event-tracing | 6
windows / ntfs | 5
windows / ps_module | 5
windows / sense | 4
windows / pipe_created | 4
windows / taskscheduler | 4
windows / create_remote_thread | 4
windows / registry_delete | 4
windows / driver_load | 3
windows / hyper-v-worker | 3
windows / ps_classic_script | 3
windows / vhd | 3
webserver | 3
windows / application-experience | 3
windows / codeintegrity-operational | 2
windows / kernel-shimengine | 2
windows / windefend | 2
windows / process_access | 2
windows / bits-client | 2
windows / audit-cve | 1
windows / file_access | 1
windows / registry-setinformation | 1
windows / file_delete | 1
linux / file_event | 1
windows / file_rename | 1
macos / process_creation | 1
windows / application | 1
windows / amsi | 1
windows / firewall-as | 1
windows / process-creation | 1
windows / dns_query | 1

Tenable Nessus

Requirement: Privileged Scan

  • YARA scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • Only a single .yar file can be uploaded
  • The filesystem scan has to be activated
  • The target locations have to be defined
  • The Nessus plugin ID is 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html