{
  "Event": {
    "analysis": "1",
    "date": "2022-04-12",
    "extends_uuid": "",
    "info": "[Threat Intel] Industroyer2: Industroyer reloaded",
    "protected": false,
    "publish_timestamp": "1772407531",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1772407527",
    "uuid": "ec5d4523-8311-46c4-aa73-a4eafd38fb02",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"ESET\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"INDUSTROYER2\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Ukraine\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-ics-groups=\"Sandworm\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"Sandworm\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"CaddyWiper\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#120044",
        "local": false,
        "name": "rectifyq:sub-category=\"intrusion-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#190061",
        "local": false,
        "name": "rectifyq:topic=\"ics-ot\"",
        "relationship_type": ""
      },
      {
        "colour": "#1c006d",
        "local": false,
        "name": "rectifyq:topic=\"geopolitical\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#f63636",
        "local": false,
        "name": "ICS-specific",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Industrial\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772335877",
        "to_ids": false,
        "type": "link",
        "uuid": "194172f0-4420-46f9-8f0e-621c0ad55578",
        "value": "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/"
      },
      {
        "category": "Payload delivery",
        "comment": "Industroyer2 - No sample in VT\r\nLast check: 01/03/2026 (DD/MM/YYYY)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772352083",
        "to_ids": true,
        "type": "sha1",
        "uuid": "984d3142-3b0e-4421-b225-aea41071a86e",
        "value": "fd9c17c35a68fc505235e20c6e50c622aed8dea0",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Script which enumerates GPO - No sample in VT\r\nLast check: 01/03/2026 (DD/MM/YYYY)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772352084",
        "to_ids": true,
        "type": "sha1",
        "uuid": "f7ceeb03-95fd-4eb7-aeac-f636bafc435f",
        "value": "0090cb4de31d2d3bca55fd4a36859921b5fc5dae",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "OrcShred (Linux worm) - No sample in VT\r\nLast check: 01/03/2026 (DD/MM/YYYY)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772352086",
        "to_ids": true,
        "type": "sha1",
        "uuid": "3806a783-a967-474e-b458-0491e03c0580",
        "value": "d27d0b9bb57b2bab881e0efb97c740b7e81405df",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "SoloShred (Solaris wiper) - No sample in VT\r\nLast check: 01/03/2026 (DD/MM/YYYY)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772352086",
        "to_ids": true,
        "type": "sha1",
        "uuid": "9ae0931f-5d5d-4ac0-a8e5-c7372eeaba6f",
        "value": "8fc7646fa14667d07e3110fe754f61a78cfde6bc",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772352127",
        "uuid": "0c496e61-407a-447c-a417-8f157bc02679",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "ArguePatch",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772352127",
            "to_ids": true,
            "type": "md5",
            "uuid": "1ef72bbd-0039-4943-b84f-e8cea79ebc7c",
            "value": "9ec8468dd4a81b0b35c499b31e67375e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ArguePatch",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772352079",
            "to_ids": true,
            "type": "sha1",
            "uuid": "ad012216-05bb-4e14-b10c-1d272c8c0491",
            "value": "6fa04992c0624c7aa3ca80da6a30e6de91226a16",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ArguePatch",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772352079",
            "to_ids": true,
            "type": "sha256",
            "uuid": "8ab16b05-e01d-49ef-85be-e23b797117c2",
            "value": "cda9310715b7a12f47b7c134260d5ff9200c147fc1d05f030e507e57e3582327",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772351331",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "7e973125-a55f-4772-9a7d-ae13497a759f",
            "value": "12288:CpCB9AVqhPDUHvOdO21ai1m2Y+o1mQR5LaVfnkBUxarLIN8Wah5/wodPdv7PVTFe:Cp12UPQkBUO/B5/lzTVTFH+"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772351331",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "9553564e-428d-41e0-b365-df52e49071b4",
            "value": "639488"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772351331",
            "to_ids": true,
            "type": "vhash",
            "uuid": "4cdd2f59-247f-43e4-8276-70c389f469c8",
            "value": "065046655d1565z12z7d7z5023z95z14z1c7z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772351331",
            "to_ids": true,
            "type": "filename",
            "uuid": "52e66cc1-5593-41e0-92e6-d44bbd0bf5cb",
            "value": "cda9310715b7a12f47b7c134260d5ff9200c147fc1d05f030e507e57e3582327.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026 (DD/MM/YYYY)\nLast scan: 11/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772351331",
            "to_ids": false,
            "type": "text",
            "uuid": "209d549a-79a6-46f3-a61a-f1a8a1b7810b",
            "value": "ArguePatch\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/AprilAxe.B!dha\nVT Total Detection:59/72\nFirst Submission:2022-04-11T17:14:03.000000+00:00\nLast Submission:2025-12-15T13:19:37.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772352150",
        "uuid": "432b3379-429c-4145-81f6-23895626923d",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "TailJump (Encrypted CaddyWiper)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772352150",
            "to_ids": true,
            "type": "md5",
            "uuid": "15825812-a126-455c-822c-f45df6c67e39",
            "value": "1938380a81a23b8b1100de8403b583a7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "TailJump (Encrypted CaddyWiper)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772352081",
            "to_ids": true,
            "type": "sha1",
            "uuid": "276c3e85-4ab0-4be4-9794-670796d290b8",
            "value": "9ce1491ce69809f92ae1fe8d4c0783bd1d11fbe7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "TailJump (Encrypted CaddyWiper)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772352081",
            "to_ids": true,
            "type": "sha256",
            "uuid": "b6dabc0a-3f2e-4c76-88f4-17854e27de0c",
            "value": "1724a0a3c9c73f4d8891f988b5035effce8d897ed42336a92e2c9bc7d9ee7f5a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772351353",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "c029ca95-8805-42a4-b636-768394511824",
            "value": "96:6vWh+Y890aCVtXugDPkriXR4RmGM+nqi3nr/:6T0VduD4tG9r/"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772351353",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "ae711af1-3989-43da-85a1-e75ebbc66318",
            "value": "3734"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772351353",
            "to_ids": true,
            "type": "filename",
            "uuid": "b8dc1d83-727c-4821-b6ce-5816d41a4a8a",
            "value": "1724a0a3c9c73f4d8891f988b5035effce8d897ed42336a92e2c9bc7d9ee7f5a.unknown"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026 (DD/MM/YYYY)\nLast scan: 09/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772351353",
            "to_ids": false,
            "type": "text",
            "uuid": "593405be-1eb2-401c-84a3-c0e0d6210676",
            "value": "TailJump (Encrypted CaddyWiper)\r\nType Description: unknown\nMicrosoft: None\nVT Total Detection:30/62\nFirst Submission:2022-04-11T17:15:15.000000+00:00\nLast Submission:2026-02-26T01:17:34.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772352171",
        "uuid": "384cfbf4-48f2-4261-923a-3a1ab3aeb981",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "AwfulShred (Linux wiper)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772352171",
            "to_ids": true,
            "type": "md5",
            "uuid": "c87440b1-a6b5-4950-93d3-f82a769dc27a",
            "value": "73561d9a331c1d8a334ec48dfd94db99",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "AwfulShred (Linux wiper)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772352082",
            "to_ids": true,
            "type": "sha1",
            "uuid": "9a58188e-a407-4bb7-ae2d-d7bf694ad35b",
            "value": "3cdbc19bc4f12d8d00b81380f7a2504d08074c15",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "AwfulShred (Linux wiper)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772352082",
            "to_ids": true,
            "type": "sha256",
            "uuid": "143e4870-85bf-415c-b44d-6300aaf8712f",
            "value": "bcdf0bd8142a4828c61e775686c9892d89893ed0f5093bdc70bde3e48d04ab99",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772351417",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "3932f675-e58a-4838-ae14-71ae63bc5fc3",
            "value": "192:jNhE21baNxtrilGAL4WDnEHgCyLslERTJx+f4:jNS4OxtOlTE6EAJsp4"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772351417",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "e9039500-7aa8-486c-bb9b-24160a670e2e",
            "value": "10046"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772351417",
            "to_ids": true,
            "type": "filename",
            "uuid": "35b11d0d-16ce-4f7d-b693-7208faea999f",
            "value": "bcdf0bd8142a4828c61e775686c9892d89893ed0f5093bdc70bde3e48d04ab99.sh"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/03/2026 (DD/MM/YYYY)\nLast scan: 11/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772351417",
            "to_ids": false,
            "type": "text",
            "uuid": "bd6b5b04-5e58-40c0-9ea5-5180985174be",
            "value": "AwfulShred (Linux wiper)\r\nType Description: Shell script\nMicrosoft: Trojan:Linux/ShellAgent.AC!MTB\nVT Total Detection:34/62\nFirst Submission:2022-05-04T04:52:12.000000+00:00\nLast Submission:2025-06-28T09:24:06.000000+00:00"
          }
        ]
      }
    ]
  }
}