{
  "Event": {
    "analysis": "1",
    "date": "2026-02-05",
    "extends_uuid": "",
    "info": "[Threat Intel] The Shadow Campaigns: Uncovering Global Espionage",
    "protected": false,
    "publish_timestamp": "1780041984",
    "published": true,
    "threat_level_id": "1",
    "timestamp": "1780041984",
    "uuid": "14c1cdc4-4306-4f92-9f44-7d6b5ea0d20e",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#0afe32",
        "local": false,
        "name": "misp-galaxy:producer=\"Palo Alto\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#47d9d3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#50e94f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Virtual Private Server - T1584.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#9feaf0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"",
        "relationship_type": ""
      },
      {
        "colour": "#82eae0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Domains - T1583.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#041edc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"SMB/Windows Admin Shares - T1021.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#fe1ef0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Shell - T1505.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Server - T1583.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#adf1b0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Proxy - T1090\"",
        "relationship_type": ""
      },
      {
        "colour": "#20f80d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\"",
        "relationship_type": ""
      },
      {
        "colour": "#91649a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Virtual Private Server - T1583.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#9e0269",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Service - T1102\"",
        "relationship_type": ""
      },
      {
        "colour": "#6fe7f4",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Tool - T1588.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b95cd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
        "relationship_type": ""
      },
      {
        "colour": "#59699c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Server - T1584.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#370063",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#5884a7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious Link - T1204.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Domains - T1584.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#b8ab01",
        "local": false,
        "name": "misp-galaxy:target-information=\"United States\"",
        "relationship_type": ""
      },
      {
        "colour": "#ce59f1",
        "local": false,
        "name": "misp-galaxy:target-information=\"United Kingdom\"",
        "relationship_type": ""
      },
      {
        "colour": "#7dbb86",
        "local": false,
        "name": "misp-galaxy:target-information=\"Singapore\"",
        "relationship_type": ""
      },
      {
        "colour": "#c94db5",
        "local": false,
        "name": "misp-galaxy:target-information=\"Brazil\"",
        "relationship_type": ""
      },
      {
        "colour": "#d52b43",
        "local": false,
        "name": "misp-galaxy:target-information=\"Mexico\"",
        "relationship_type": ""
      },
      {
        "colour": "#69061f",
        "local": false,
        "name": "misp-galaxy:target-information=\"Panama\"",
        "relationship_type": ""
      },
      {
        "colour": "#8b035d",
        "local": false,
        "name": "misp-galaxy:target-information=\"Cyprus\"",
        "relationship_type": ""
      },
      {
        "colour": "#74d147",
        "local": false,
        "name": "misp-galaxy:target-information=\"Czech Republic\"",
        "relationship_type": ""
      },
      {
        "colour": "#5ed128",
        "local": false,
        "name": "misp-galaxy:target-information=\"Germany\"",
        "relationship_type": ""
      },
      {
        "colour": "#9d320e",
        "local": false,
        "name": "misp-galaxy:target-information=\"Greece\"",
        "relationship_type": ""
      },
      {
        "colour": "#4cea11",
        "local": false,
        "name": "misp-galaxy:target-information=\"Italy\"",
        "relationship_type": ""
      },
      {
        "colour": "#809a25",
        "local": false,
        "name": "misp-galaxy:target-information=\"Poland\"",
        "relationship_type": ""
      },
      {
        "colour": "#c70b8f",
        "local": false,
        "name": "misp-galaxy:target-information=\"Portugal\"",
        "relationship_type": ""
      },
      {
        "colour": "#199542",
        "local": false,
        "name": "misp-galaxy:target-information=\"Serbia\"",
        "relationship_type": ""
      },
      {
        "colour": "#86e845",
        "local": false,
        "name": "misp-galaxy:target-information=\"Afghanistan\"",
        "relationship_type": ""
      },
      {
        "colour": "#b32a63",
        "local": false,
        "name": "misp-galaxy:target-information=\"Bangladesh\"",
        "relationship_type": ""
      },
      {
        "colour": "#098efb",
        "local": false,
        "name": "misp-galaxy:target-information=\"British Indian Ocean Territory\"",
        "relationship_type": ""
      },
      {
        "colour": "#013748",
        "local": false,
        "name": "misp-galaxy:target-information=\"India\"",
        "relationship_type": ""
      },
      {
        "colour": "#f9cdc4",
        "local": false,
        "name": "misp-galaxy:target-information=\"Indonesia\"",
        "relationship_type": ""
      },
      {
        "colour": "#5887a6",
        "local": false,
        "name": "misp-galaxy:target-information=\"Japan\"",
        "relationship_type": ""
      },
      {
        "colour": "#915448",
        "local": false,
        "name": "misp-galaxy:target-information=\"Malaysia\"",
        "relationship_type": ""
      },
      {
        "colour": "#d9dfae",
        "local": false,
        "name": "misp-galaxy:target-information=\"Mongolia\"",
        "relationship_type": ""
      },
      {
        "colour": "#cbf48a",
        "local": false,
        "name": "misp-galaxy:target-information=\"Papua New Guinea\"",
        "relationship_type": ""
      },
      {
        "colour": "#3b9849",
        "local": false,
        "name": "misp-galaxy:target-information=\"Saudi Arabia\"",
        "relationship_type": ""
      },
      {
        "colour": "#09ea0d",
        "local": false,
        "name": "misp-galaxy:target-information=\"Sri Lanka\"",
        "relationship_type": ""
      },
      {
        "colour": "#2613b0",
        "local": false,
        "name": "misp-galaxy:target-information=\"Taiwan\"",
        "relationship_type": ""
      },
      {
        "colour": "#33360c",
        "local": false,
        "name": "misp-galaxy:target-information=\"Thailand\"",
        "relationship_type": ""
      },
      {
        "colour": "#aad0dc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Uzbekistan\"",
        "relationship_type": ""
      },
      {
        "colour": "#57ece2",
        "local": false,
        "name": "misp-galaxy:target-information=\"Djibouti\"",
        "relationship_type": ""
      },
      {
        "colour": "#997689",
        "local": false,
        "name": "misp-galaxy:target-information=\"Ethiopia\"",
        "relationship_type": ""
      },
      {
        "colour": "#453bd5",
        "local": false,
        "name": "misp-galaxy:target-information=\"Namibia\"",
        "relationship_type": ""
      },
      {
        "colour": "#2ea969",
        "local": false,
        "name": "misp-galaxy:target-information=\"Niger\"",
        "relationship_type": ""
      },
      {
        "colour": "#bedb1f",
        "local": false,
        "name": "misp-galaxy:target-information=\"Nigeria\"",
        "relationship_type": ""
      },
      {
        "colour": "#5e8ca8",
        "local": false,
        "name": "misp-galaxy:target-information=\"Zambia\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Bolivia\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Venezuela\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#10003d",
        "local": false,
        "name": "rectifyq:sub-category=\"TA-profile\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"APT\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"State-Sponsored\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#dd2e44",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Government, Administration\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Finance\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Cobalt Strike\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:online-service=\"4605654f-8487-4d17-bfbb-bbcc223281d5\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:online-service=\"3b16bb5a-eb4f-4603-a909-bebc5df4a46d\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Havoc\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Sliver\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"SparkRAT\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Vshell\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      },
      {
        "colour": "#3a00dd",
        "local": false,
        "name": "rectifyq:action-taken=\"diamond-model\"",
        "relationship_type": ""
      },
      {
        "colour": "#220082",
        "local": false,
        "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770346825",
        "to_ids": false,
        "type": "link",
        "uuid": "9762104a-c776-40a6-88c1-13fbe1bfa382",
        "value": "https://unit42.paloaltonetworks.com/shadow-campaigns-uncovering-global-espionage"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770346825",
        "to_ids": false,
        "type": "text",
        "uuid": "175b98fd-a10f-45c6-8a2d-35ed7f19cf54",
        "value": "This investigation reveals a new cyberespionage group tracked as TGR-STA-1030, believed to be a state-aligned actor operating from Asia. Over the past year, the group has compromised government and critical infrastructure organizations in 37 countries, targeting ministries, law enforcement agencies, and departments related to economic, trade, and diplomatic functions. The group employs sophisticated phishing and exploitation techniques, leveraging various tools and infrastructure to maintain persistent access. Their activities span across the Americas, Europe, Asia, Oceania, and Africa, with a focus on countries exploring certain economic partnerships. The group's operations often coincide with significant geopolitical events and economic interests, particularly in sectors like rare earth minerals and international trade agreements."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770346825",
        "to_ids": false,
        "type": "text",
        "uuid": "f7ac7ba8-4b7f-4602-bccb-426df23f4944",
        "value": "Name: The Shadow Campaigns: Uncovering Global Espionage\nAuthor: AlienVault\nAdversary: TGR-STA-1030\nTags: [\"infrastructure\", \"cyberespionage\", \"global\", \"phishing\", \"cobalt strike\", \"sparkrat\", \"government\", \"shadowguard\", \"sliver\", \"godzilla\", \"neo-regeorg\", \"diaoyu loader\", \"vshell\", \"cve-2019-11580\", \"behinder\", \"havoc\", \"exploitation\", \"asia\"]\nTgtd countries: [\"United States of America\", \"United Kingdom of Great Britain and Northern Ireland\", \"Singapore\", \"Bolivia, Plurinational State of\", \"Brazil\", \"Mexico\", \"Panama\", \"Venezuela, Bolivarian Republic of\", \"Cyprus\", \"Czechia\", \"Germany\", \"Greece\", \"Italy\", \"Poland\", \"Portugal\", \"Serbia\", \"Afghanistan\", \"Bangladesh\", \"British Indian Ocean Territory\", \"India\", \"Indonesia\", \"Japan\", \"Malaysia\", \"Mongolia\", \"Papua New Guinea\", \"Saudi Arabia\", \"Sri Lanka\", \"Taiwan\", \"Thailand\", \"Uzbekistan\", \"Djibouti\", \"Ethiopia\", \"Namibia\", \"Niger\", \"Nigeria\", \"Nigeria\", \"Zambia\"]\nMlwr families: [\"Diaoyu Loader\", \"Cobalt Strike - S0154\", \"VShell\", \"Havoc - S1229\", \"SparkRat\", \"Sliver\", \"Behinder\", \"Neo-reGeorg - S1189\", \"Godzilla\", \"ShadowGuard\"]\nAttack_ids: [\"T1204.002\", \"T1584.003\", \"T1190\", \"T1583.001\", \"T1021.002\", \"T1505.003\", \"T1583.004\", \"T1090\", \"T1059\", \"T1583.003\", \"T1102\", \"T1588.002\", \"T1566\", \"T1078\", \"T1027\", \"T1584.004\", \"T1105\", \"T1021.001\", \"T1204.001\", \"T1584.001\"]\nIndustries: [\"Government\", \"Defense\", \"Energy\", \"Telecommunications\", \"Finance\", \"Transportation\"]"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770346825",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "1a858253-558c-43d8-b950-9dd3032abaaa",
        "value": "TGR-STA-1030"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780041966",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "c694dc75-3bbe-493a-89b1-890a264319b3",
        "value": "138.197.44.208",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#c2074e",
            "local": false,
            "name": "asn:asn=\"14061\"",
            "relationship_type": ""
          },
          {
            "colour": "#d7952a",
            "local": false,
            "name": "asn:as-owner=\"DIGITALOCEAN-ASN\"",
            "relationship_type": ""
          },
          {
            "colour": "#d16c37",
            "local": false,
            "name": "asn:as-country=\"US\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"united states of america\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780041968",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "1737587b-248d-45de-bb5c-6164f8e481f8",
        "value": "157.230.34.45",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#c2074e",
            "local": false,
            "name": "asn:asn=\"14061\"",
            "relationship_type": ""
          },
          {
            "colour": "#d7952a",
            "local": false,
            "name": "asn:as-owner=\"DIGITALOCEAN-ASN\"",
            "relationship_type": ""
          },
          {
            "colour": "#d16c37",
            "local": false,
            "name": "asn:as-country=\"US\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"united states of america\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780041970",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "4be5fa63-8ff9-494f-80c3-6d30648285d2",
        "value": "188.127.251.171",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#57fb9f",
            "local": false,
            "name": "asn:asn=\"56694\"",
            "relationship_type": ""
          },
          {
            "colour": "#3e3478",
            "local": false,
            "name": "asn:as-owner=\"SMARTAPE\"",
            "relationship_type": ""
          },
          {
            "colour": "#fdd220",
            "local": false,
            "name": "asn:as-country=\"RU\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"russia\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780041971",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "a28ba89f-1444-4eca-8a30-fc70a72bbceb",
        "value": "188.166.210.146",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#c2074e",
            "local": false,
            "name": "asn:asn=\"14061\"",
            "relationship_type": ""
          },
          {
            "colour": "#d7952a",
            "local": false,
            "name": "asn:as-owner=\"DIGITALOCEAN-ASN\"",
            "relationship_type": ""
          },
          {
            "colour": "#d16c37",
            "local": false,
            "name": "asn:as-country=\"US\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"united states of america\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770346825",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "c4609c71-6363-4808-9436-d3ba4edf04a2",
        "value": "CVE-2019-11580"
      },
      {
        "category": "Payload delivery",
        "comment": "ShadowGuard: no sample in VirusTotal (VT).\r\nLast check: 07/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779535815",
        "to_ids": true,
        "type": "sha256",
        "uuid": "46ec9697-40aa-49b3-a649-b86f6cdca6f7",
        "value": "7808b1e01ea790548b472026ac783c73a033bb90bbe548bf3006abfbcb48c52d",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780041973",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "cbf4da4b-cf4e-473e-83aa-2b66005eff87",
        "value": "142.91.105.172",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#dd9023",
            "local": false,
            "name": "asn:asn=\"134351\"",
            "relationship_type": ""
          },
          {
            "colour": "#e0ee97",
            "local": false,
            "name": "asn:as-owner=\"LEASEWEB-AS-AP Leaseweb Japan K.K.\"",
            "relationship_type": ""
          },
          {
            "colour": "#bab83b",
            "local": false,
            "name": "asn:as-country=\"JP\"",
            "relationship_type": ""
          },
          {
            "colour": "#e8b447",
            "local": false,
            "name": "misp-galaxy:country=\"japan\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780041974",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "074f2ae4-5409-48fe-b912-cc2d74856c8b",
        "value": "146.190.152.219",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#c2074e",
            "local": false,
            "name": "asn:asn=\"14061\"",
            "relationship_type": ""
          },
          {
            "colour": "#d7952a",
            "local": false,
            "name": "asn:as-owner=\"DIGITALOCEAN-ASN\"",
            "relationship_type": ""
          },
          {
            "colour": "#d16c37",
            "local": false,
            "name": "asn:as-country=\"US\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"united states of america\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780041976",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "903f14a3-c641-495f-ae21-32a5e39ac740",
        "value": "157.245.194.54",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#c2074e",
            "local": false,
            "name": "asn:asn=\"14061\"",
            "relationship_type": ""
          },
          {
            "colour": "#d7952a",
            "local": false,
            "name": "asn:as-owner=\"DIGITALOCEAN-ASN\"",
            "relationship_type": ""
          },
          {
            "colour": "#d16c37",
            "local": false,
            "name": "asn:as-country=\"US\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"united states of america\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780041977",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "1b485dc9-fffc-476c-8817-d4d129850ec2",
        "value": "159.203.164.101",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#c2074e",
            "local": false,
            "name": "asn:asn=\"14061\"",
            "relationship_type": ""
          },
          {
            "colour": "#d7952a",
            "local": false,
            "name": "asn:as-owner=\"DIGITALOCEAN-ASN\"",
            "relationship_type": ""
          },
          {
            "colour": "#d16c37",
            "local": false,
            "name": "asn:as-country=\"US\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"united states of america\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780041979",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "4efe654d-3dbe-4d05-a091-fef67d2b615c",
        "value": "178.128.109.37",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#c2074e",
            "local": false,
            "name": "asn:asn=\"14061\"",
            "relationship_type": ""
          },
          {
            "colour": "#d7952a",
            "local": false,
            "name": "asn:as-owner=\"DIGITALOCEAN-ASN\"",
            "relationship_type": ""
          },
          {
            "colour": "#d16c37",
            "local": false,
            "name": "asn:as-country=\"US\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"united states of america\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780041981",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "826cbe0b-531f-48a8-af8f-578fdcebdaff",
        "value": "178.128.60.22",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#c2074e",
            "local": false,
            "name": "asn:asn=\"14061\"",
            "relationship_type": ""
          },
          {
            "colour": "#d7952a",
            "local": false,
            "name": "asn:as-owner=\"DIGITALOCEAN-ASN\"",
            "relationship_type": ""
          },
          {
            "colour": "#d16c37",
            "local": false,
            "name": "asn:as-country=\"US\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"united states of america\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780041982",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "15821d0a-a1b5-4f46-afce-c6a3cb997efe",
        "value": "208.85.21.30",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#133012",
            "local": false,
            "name": "asn:asn=\"20473\"",
            "relationship_type": ""
          },
          {
            "colour": "#650025",
            "local": false,
            "name": "asn:as-owner=\"AS-VULTR\"",
            "relationship_type": ""
          },
          {
            "colour": "#d16c37",
            "local": false,
            "name": "asn:as-country=\"US\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"united states of america\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770440309",
        "to_ids": true,
        "type": "domain",
        "uuid": "3fb181ae-329d-4f65-9679-3949f1c48f7c",
        "value": "888910.xyz",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770440331",
        "to_ids": true,
        "type": "domain",
        "uuid": "75e110a1-5ebf-4db0-90ae-2e3d23bb0b6e",
        "value": "abwxjp5.me",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770440353",
        "to_ids": true,
        "type": "domain",
        "uuid": "415b3e4f-ba06-49ab-9814-7d0e1b5d617f",
        "value": "brackusi0n.live",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770440374",
        "to_ids": true,
        "type": "domain",
        "uuid": "51870fb0-9ec0-4765-8a26-f994eb0771a6",
        "value": "dog3rj.tech",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770440396",
        "to_ids": true,
        "type": "domain",
        "uuid": "6396faa9-eeef-4d64-a99c-dd3b9c884ae9",
        "value": "emezonhe.me",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770440417",
        "to_ids": true,
        "type": "domain",
        "uuid": "73d5ac34-51b2-430a-9354-f446f169e3b8",
        "value": "gouvn.me",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770440438",
        "to_ids": true,
        "type": "domain",
        "uuid": "acb43449-cca1-424b-965b-742ae30a794d",
        "value": "msonline.help",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770440459",
        "to_ids": true,
        "type": "domain",
        "uuid": "5a28dff6-074d-4cf1-938d-2379c06afed3",
        "value": "pickupweb.me",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770440481",
        "to_ids": true,
        "type": "domain",
        "uuid": "4c95f835-ef55-4ac0-88b4-4aec867bd3d0",
        "value": "pr0fu5a.me",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770440502",
        "to_ids": true,
        "type": "domain",
        "uuid": "c0d88a69-c82c-4d4c-a77e-0c59212ce505",
        "value": "q74vn.live",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770440523",
        "to_ids": true,
        "type": "domain",
        "uuid": "a2c2e58d-dea5-404c-ad22-f33c40c3f412",
        "value": "servgate.me",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770440544",
        "to_ids": true,
        "type": "domain",
        "uuid": "46fea656-41ff-4b83-8b35-7ae32a6397c3",
        "value": "zamstats.me",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770440566",
        "to_ids": true,
        "type": "domain",
        "uuid": "66707a9b-a2d2-47e3-8e14-ab027a2e1d0f",
        "value": "zrheblirsy.me",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770388004",
        "to_ids": false,
        "type": "datetime",
        "uuid": "0e0f25eb-4971-425b-bf9c-170bd5942c3b",
        "value": "2025-11-01T00:00:00+00:00"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780041984",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "e44d5b0a-6a98-442d-bf34-1264e0d6c226",
        "value": "159.65.156.200",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          },
          {
            "colour": "#c2074e",
            "local": false,
            "name": "asn:asn=\"14061\"",
            "relationship_type": ""
          },
          {
            "colour": "#d7952a",
            "local": false,
            "name": "asn:as-owner=\"DIGITALOCEAN-ASN\"",
            "relationship_type": ""
          },
          {
            "colour": "#d16c37",
            "local": false,
            "name": "asn:as-country=\"US\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"united states of america\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
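        "comment": "The malware downloads the following file from GitHub; raw.githubusercontent.com also serves unrelated repositories, so match the full URL rather than the host.",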
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770440609",
        "to_ids": true,
        "type": "url",
        "uuid": "4d59e37b-0ea6-4e7f-b8fe-a647c49aa94e",
        "value": "https://raw.githubusercontent.com/padeqav/WordPress/refs/heads/master/wp-includes/images/admin-bar-sprite.png",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
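        "comment": "The malware downloads the following file from GitHub; raw.githubusercontent.com also serves unrelated repositories, so match the full URL rather than the host.",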
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770440630",
        "to_ids": true,
        "type": "url",
        "uuid": "a25fd5c8-baf3-411f-a1bf-dd1a88565193",
        "value": "https://raw.githubusercontent.com/padeqav/WordPress/refs/heads/master/wp-includes/images/Linux.jpg",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
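        "comment": "The malware downloads the following file from GitHub; raw.githubusercontent.com also serves unrelated repositories, so match the full URL rather than the host.",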
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770440651",
        "to_ids": true,
        "type": "url",
        "uuid": "941d3f7e-3431-4d38-ba4a-9e8a25b977df",
        "value": "https://raw.githubusercontent.com/padeqav/WordPress/refs/heads/master/wp-includes/images/Windows.jpg",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "diamond-model",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770867079",
        "to_ids": false,
        "type": "comment",
        "uuid": "db6daa20-3fc7-4b64-afb1-48fd7340dd22",
        "value": "https://raw.githubusercontent.com/rectifyq/Collections/refs/heads/main/Diamond-Models/2026/260208-ShadowCampaign/260208-ShadowCampaign.png"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779535788",
        "uuid": "9682e5c5-f226-4053-bf18-e37bef3fa8bf",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779535787",
            "to_ids": true,
            "type": "md5",
            "uuid": "c6f48e68-6869-4277-abf9-e2b7ec31b7d4",
            "value": "96051c7d592bcb71d5defdf51f237507",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779535787",
            "to_ids": true,
            "type": "sha1",
            "uuid": "9a203a3e-e27d-4aab-9ce8-8d237ea6a8e9",
            "value": "810753df130ec0f54abe100e3e35978a8bc533b8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779535788",
            "to_ids": true,
            "type": "sha256",
            "uuid": "d9ff698d-99e7-4628-b7de-dad5ec6a1d89",
            "value": "5ddeff4028ec407ffdaa6c503dd4f82fa294799d284b986e1f4181f49d18c9f3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1770396812",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "a2b7ef30-0e19-48ae-abfd-0e053465d035",
            "value": "24576:b/4N44kgLpGKR4+7nKHB9jtN5UZDa/FkaVuP26FL9xKOMNRr6LpGKR4+7nKHB9jO:z4k2UKR4oUKR42"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1770396812",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "67b4c2cf-0b6d-4d46-8186-c5db2fcfd488",
            "value": "2097152"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1770396812",
            "to_ids": true,
            "type": "vhash",
            "uuid": "fba9017f-7218-4bd8-bba4-c79a7fc9b132",
            "value": "126096551d15551d15151088z56?z1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1770396812",
            "to_ids": true,
            "type": "filename",
            "uuid": "fb344fc6-8bb6-44ed-9d96-4919dac53378",
            "value": "DllSafeCheck64.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 07/02/2026\nLast-scan\t:  06/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1770396812",
            "to_ids": false,
            "type": "text",
            "uuid": "a4bb0221-4c2a-4c84-bed5-a99ff1d8714e",
            "value": "Type Description: Win32 DLL\nMicrosoft: Trojan:Win64/CobaltStrike.IQ!MTB\nVT Total Detection:34/72\nFirst Submission:2024-03-18T11:51:10.000000+00:00\nLast Submission:2024-03-26T11:39:47.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779535790",
        "uuid": "344b3f57-8756-4cd3-80fa-4f9432767fe8",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779535789",
            "to_ids": true,
            "type": "md5",
            "uuid": "6f619d6e-c41d-4ec8-ba24-e9c242bcdb1e",
            "value": "b9c350a7f6ef64e2d0fb3e1361683ca4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779535790",
            "to_ids": true,
            "type": "sha1",
            "uuid": "b8ad5bd7-115a-4a55-a30a-26f81018e9b6",
            "value": "8784e151e3410d36d128021a6ce3b49fa91d047a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779535790",
            "to_ids": true,
            "type": "sha256",
            "uuid": "7ba07f96-8d03-4c8a-8330-cbbd923e6bea",
            "value": "182a427cc9ec22ed22438126a48f1a6cd84bf90fddb6517973bcb0bac58c4231",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1770396834",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "e7e817dc-40c3-4fe6-be1c-a6124f8b976d",
            "value": "6144:R/rSVUg5U+7RopiWK1J0hAJTGM7gZYV5urvHCfb0aIGvdJH/bIs:NrruRkkChAJLCYSrviAaIGvdJHzv"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1770396834",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "1a47ccb2-3a4c-4e37-a592-099fa8014076",
            "value": "318464"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1770396834",
            "to_ids": true,
            "type": "vhash",
            "uuid": "4a4e9bdc-1c6f-453a-92a1-e6a44123c97f",
            "value": "0350976d7515151c0d1d1az211a=z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1770396834",
            "to_ids": true,
            "type": "filename",
            "uuid": "69b7202a-b6cd-4263-b219-ccf4d2e7170d",
            "value": "zea65554.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 07/02/2026\nLast-scan\t:  06/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1770396834",
            "to_ids": false,
            "type": "text",
            "uuid": "d53d2c8f-d244-4b1a-9241-2ed739b5f06b",
            "value": "Type Description: Win32 EXE\nMicrosoft: Backdoor:Win64/CobaltStrike.NP!dha\nVT Total Detection:58/72\nFirst Submission:2025-09-21T06:35:31.000000+00:00\nLast Submission:2025-09-21T06:35:31.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779535793",
        "uuid": "6ac81761-67d3-4ea5-a909-cdcce4e6d387",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Phishing/Downloader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779535792",
            "to_ids": true,
            "type": "md5",
            "uuid": "78688072-01b1-4310-8d3b-c8d382d472c3",
            "value": "a20e887f5f353a44b2054415fa9d5985",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Phishing/Downloader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779535793",
            "to_ids": true,
            "type": "sha1",
            "uuid": "971d05da-1373-4133-96f1-cf1589392daa",
            "value": "8fff81911ae6900a6170014f3fb337a9f6763f62",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Phishing/Downloader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779535793",
            "to_ids": true,
            "type": "sha256",
            "uuid": "54efbf1e-d4b7-40a9-8871-b9b6c8ac011d",
            "value": "23ee251df3f9c46661b33061035e9f6291894ebe070497ff9365d6ef2966f7fe",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1770396856",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "f83f5db0-5854-4988-b311-237ebbac6042",
            "value": "1536:kCFBR2Lbd53PnoC0NFpumYYyEkSgdP3pjAqYCsWPdd09dljRb+VwCSu4:H2LD3foTjpOYbkLdP3dADA3Mn+Vd4"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1770396856",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "853c6c6d-3fca-4af7-ae4b-55cd5e0e8f65",
            "value": "148200"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1770396856",
            "to_ids": true,
            "type": "vhash",
            "uuid": "0e0284f2-4ef5-4787-9765-486c1080f241",
            "value": "015076655d155515557az5iz13z1fz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1770396856",
            "to_ids": true,
            "type": "filename",
            "uuid": "762a41f3-e829-42be-a946-6c3acb863e18",
            "value": "DiaoYu.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 07/02/2026\nLast-scan\t:  06/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1770396856",
            "to_ids": false,
            "type": "text",
            "uuid": "22c0d2dd-f805-477c-aba0-d5bd26e1c9e8",
            "value": "Phishing/Downloader\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Wacatac.B!ml\nVT Total Detection:37/72\nFirst Submission:2025-02-14T10:32:01.000000+00:00\nLast Submission:2025-02-14T10:32:01.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779535796",
        "uuid": "20debe80-1ed3-4c93-b056-3565abbbde0c",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Cobalt Strike",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779535795",
            "to_ids": true,
            "type": "md5",
            "uuid": "1c435740-7368-4fbb-ba2a-7889c0c102d5",
            "value": "f67508174a0aca32dd1f2e9fe14bd753",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Cobalt Strike",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779535795",
            "to_ids": true,
            "type": "sha1",
            "uuid": "b74defdd-25ae-4fec-94e1-52875eedfeed",
            "value": "ab1cf3602664f81c851ed8cedcbc5c04037a3f52",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Cobalt Strike",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779535796",
            "to_ids": true,
            "type": "sha256",
            "uuid": "46453d82-a6df-4a1a-ba9b-2ed00e5ad3fc",
            "value": "293821e049387d48397454d39233a5a67d0ae06d59b7e5474e8ae557b0fc5b06",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1770396878",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "42a5f0d8-3f16-4664-a5b8-3045c3cec0a7",
            "value": "24576:yBXC/MHAC137WuolvawFfI/5SkyKTjEqWvR7CP+Tg17oBG:yEMH51"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1770396878",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "82dc2df1-39b7-4167-97a9-e9541b20cfe1",
            "value": "1329664"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1770396878",
            "to_ids": true,
            "type": "vhash",
            "uuid": "7597b79d-c96e-461d-b75b-491aef67ba1c",
            "value": "1160a6551d15551d15151088z56?z1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1770396878",
            "to_ids": true,
            "type": "filename",
            "uuid": "2b2107d1-fbd9-41e7-b7b2-d1eb289485f1",
            "value": "DllSafeCheck64.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 07/02/2026\nLast-scan\t:  06/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1770396878",
            "to_ids": false,
            "type": "text",
            "uuid": "dcaf04b4-8511-4e01-a8a0-f5d6b4827065",
            "value": "Cobalt Strike\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win64/CobaltStrike.IO!MTB\nVT Total Detection:40/72\nFirst Submission:2024-07-09T16:44:17.000000+00:00\nLast Submission:2025-01-20T07:05:46.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779535798",
        "uuid": "085cdf07-f49c-4709-a789-866b3fa65c40",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Cobalt Strike",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779535797",
            "to_ids": true,
            "type": "md5",
            "uuid": "13777d95-24d9-40cb-ac5c-2bf1eb5059db",
            "value": "c0950bc8dc3b66a9c1d4db1bda010bc4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Cobalt Strike",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779535798",
            "to_ids": true,
            "type": "sha1",
            "uuid": "58f73cdb-baf7-4cf1-9fc5-c594f0430c73",
            "value": "8ca2947d5906580aebbf5e962d255bfd6f10be89",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Cobalt Strike",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779535798",
            "to_ids": true,
            "type": "sha256",
            "uuid": "11125ea3-662d-4085-9481-b29a1ed8721c",
            "value": "358ca77ccc4a979ed3337aad3a8ff7228da8246eebc69e64189f930b325daf6a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1770396900",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "802fb74e-c096-427f-ab40-5069c8f218d1",
            "value": "12288:b2RAPGlifLenn2Ai1+R/jhk6F5ZgDcRch9pUsvz:KlifLCn2Ai1+R/jhkMZgoROU6"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1770396900",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "a2232bba-01f8-4800-8e4b-7ba204a1e6a8",
            "value": "531856"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1770396900",
            "to_ids": true,
            "type": "vhash",
            "uuid": "0744a2e6-f21a-4481-8582-d95a473b957c",
            "value": "155046655d156az42?z1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1770396900",
            "to_ids": true,
            "type": "filename",
            "uuid": "c66f9e17-c1b3-40d8-955e-721a24ad3b97",
            "value": "msedgeupdate.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 07/02/2026\nLast-scan\t:  06/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1770396900",
            "to_ids": false,
            "type": "text",
            "uuid": "b5658562-3ded-49bf-acac-7d9b5a8c48b2",
            "value": "Cobalt Strike\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/CobaltStrike!rfn\nVT Total Detection:45/72\nFirst Submission:2025-01-16T13:03:11.000000+00:00\nLast Submission:2025-06-03T12:44:21.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779535802",
        "uuid": "5f0aa83a-5299-4189-afef-ea9daf647a01",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Cobalt Strike",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779535800",
            "to_ids": true,
            "type": "md5",
            "uuid": "83ccaf43-0cb1-43e1-9802-75e74e1c6763",
            "value": "dcd660f26aceb67e48e1096a8a209f70",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Cobalt Strike",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779535801",
            "to_ids": true,
            "type": "sha1",
            "uuid": "6d83effe-d4ee-477e-96a5-ea3a10d168b4",
            "value": "1363a0f9381ae791ca3e5483949759367e5015da",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Cobalt Strike",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779535802",
            "to_ids": true,
            "type": "sha256",
            "uuid": "6b5ea931-dff4-4bd2-9a19-78dfd6129703",
            "value": "5175b1720fe3bc568f7857b72b960260ad3982f41366ce3372c04424396df6fe",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1770396922",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "ca3b2910-0881-4852-89fe-ae25dbe18777",
            "value": "12288:r2RAvIIfLenn2Ai1+R/jhk6F5ZgDcRch9pUsFz:xfLCn2Ai1+R/jhkMZgoROUU"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1770396922",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "e4be5d59-855f-4c6b-9c89-438783eec9ab",
            "value": "531856"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1770396922",
            "to_ids": true,
            "type": "vhash",
            "uuid": "35ba0cf9-642e-43df-8dcc-5c9e5ff16168",
            "value": "155046655d156az42?z1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1770396922",
            "to_ids": true,
            "type": "filename",
            "uuid": "729ec6ce-0d32-4801-8745-f81ee95e700b",
            "value": "msedgeupdate.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 07/02/2026\nLast-scan\t:  06/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1770396922",
            "to_ids": false,
            "type": "text",
            "uuid": "1fd9439f-56ce-4ae0-b16f-3a90af6fe8e7",
            "value": "Cobalt Strike\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/Wacatac.B!ml\nVT Total Detection:43/72\nFirst Submission:2025-01-21T08:25:31.000000+00:00\nLast Submission:2025-01-22T12:14:35.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779535805",
        "uuid": "1d25e080-478c-45ff-b16a-0327f85ff02a",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Phishing/Downloader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779535805",
            "to_ids": true,
            "type": "md5",
            "uuid": "88a2b5cf-2fc2-4184-b5f6-f0600a212ad6",
            "value": "7333a243a53f0b29bc7325bb2450b881",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Phishing/Downloader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779535805",
            "to_ids": true,
            "type": "sha1",
            "uuid": "114d2772-7398-4a07-a84a-8f6fdebac104",
            "value": "683a4c997079c6f0d0c363096075cee2c7e4e843",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Phishing/Downloader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779535805",
            "to_ids": true,
            "type": "sha256",
            "uuid": "3d3b62ab-ace7-4c00-b56b-3f3b41a7364b",
            "value": "66ec547b97072828534d43022d766e06c17fc1cafe47fbd9d1ffc22e2d52a9c0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1770396943",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "395a3733-16c9-4357-b745-c325d358fdf2",
            "value": "1536:HTnw7ayuWg3DvYRm1kNM5sjd578O7HNzhJx0k/FRQV:zkuWCYRdNM5grIYNrTS"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1770396943",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "bb617f67-26ac-4b4d-b292-98738d2fe1e9",
            "value": "76091"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1770396943",
            "to_ids": true,
            "type": "vhash",
            "uuid": "3981173b-0600-4386-b0ed-5a926b4fd8ae",
            "value": "fbd361296c90cbb3417e952b9ff4288a"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1770396943",
            "to_ids": true,
            "type": "filename",
            "uuid": "a4b8ded4-ac8d-4a49-a58f-faa69a695d9a",
            "value": "Politsei- ja Piirivalveameti organisatsiooni struktuuri muudatused.zip"
          },
          {
            "category": "Other",
            "comment": "Checked: 07/02/2026\nLast-scan\t:  06/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1770396943",
            "to_ids": false,
            "type": "text",
            "uuid": "af952205-f175-43bf-87b0-59b6efd079e9",
            "value": "Phishing/Downloader\r\nType Description: ZIP\nMicrosoft: None\nVT Total Detection:31/69\nFirst Submission:2025-02-14T10:31:22.000000+00:00\nLast Submission:2025-02-14T10:31:22.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779535808",
        "uuid": "3613223e-8a12-4a76-a9e8-472016e6dfd0",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "CVE-2019-11580 Exploit",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779535807",
            "to_ids": true,
            "type": "md5",
            "uuid": "b4a6149e-bb2b-4629-aa5f-506eb684577c",
            "value": "97b3f5d523bdb226514675ea1c4a4962",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "CVE-2019-11580 Exploit",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779535808",
            "to_ids": true,
            "type": "sha1",
            "uuid": "26ea9e42-2b23-457d-9b43-4ba8f549ebdb",
            "value": "c926186e9c39ef9e522fed57f19aff80ef3eb904",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "CVE-2019-11580 Exploit",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779535808",
            "to_ids": true,
            "type": "sha256",
            "uuid": "69fa08e5-faa3-472b-869e-63a4138795bc",
            "value": "9ed487498235f289a960a5cc794fa0ad0f9ef5c074860fea650e88c525da0ab4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1770396986",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "8bcfed8a-7ce1-498b-8727-788f9860fbe4",
            "value": "48:9wbJ9LcEOLv4Vtsfn8xKLpXxs8/0pgZRLnLr:KpO7468UNqNC/z/"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1770396986",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "df8f15ef-53c7-4708-9b15-8913b605eb05",
            "value": "1757"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1770396986",
            "to_ids": true,
            "type": "vhash",
            "uuid": "30d4dc06-d98c-4c04-b73d-09765de74ebd",
            "value": "f24ad90a157889dfd7f72c0fac2f69dd"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1770396986",
            "to_ids": true,
            "type": "filename",
            "uuid": "0f55cd9d-72c7-467d-9a45-9b0bbab24537",
            "value": "9ed487498235f289a960a5cc794fa0ad0f9ef5c074860fea650e88c525da0ab4.zip.000"
          },
          {
            "category": "Other",
            "comment": "Checked: 07/02/2026\nLast-scan\t:  06/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1770396986",
            "to_ids": false,
            "type": "text",
            "uuid": "feea1265-dc50-4e7f-af9e-1ebd28a0cea5",
            "value": "CVE-2019-11580 Exploit\r\nType Description: ZIP\nMicrosoft: None\nVT Total Detection:7/66\nFirst Submission:2025-03-25T08:31:28.000000+00:00\nLast Submission:2026-02-04T01:12:03.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779535811",
        "uuid": "0a3962bc-2cca-425e-b7d6-b889f75261e3",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Cobalt Strike",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779535810",
            "to_ids": true,
            "type": "md5",
            "uuid": "f4ac737e-bcb9-47df-be4e-be9d349f24d1",
            "value": "49da92e2e969a4428bdd63d1aa644285",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Cobalt Strike",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779535810",
            "to_ids": true,
            "type": "sha1",
            "uuid": "c2218811-df7a-4601-a1b5-26df416d571d",
            "value": "40207818fa8237745e876a791ee1928b76e71cba",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Cobalt Strike",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779535811",
            "to_ids": true,
            "type": "sha256",
            "uuid": "1db26386-eed1-44ba-a0ac-4218aeea8f8a",
            "value": "b2a6c8382ec37ef15637578c6695cb35138ceab42ce4629b025fa4f04015eaf2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1770397008",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "6f8ba7d6-afee-4c10-b5ee-6ce9c3751e86",
            "value": "24576:PKn9j0A3cl+W3NLo/x5akoeLBNXyNxNl1kUwTCp:yb3cl3dLh"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1770397008",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "bd331e60-68d4-4623-afeb-241a0e387dc9",
            "value": "1328640"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1770397008",
            "to_ids": true,
            "type": "vhash",
            "uuid": "cc5d3413-d9aa-4752-8c27-1f8776708d7f",
            "value": "116096551d15551d15151088z5c?z1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1770397008",
            "to_ids": true,
            "type": "filename",
            "uuid": "aeb5b8ec-63dc-420f-8378-fcbbaa10d106",
            "value": "igtsb.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 07/02/2026\nLast-scan\t:  06/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1770397008",
            "to_ids": false,
            "type": "text",
            "uuid": "65e648c1-9429-4424-8c95-9a3abf0ab3cc",
            "value": "Cobalt Strike\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win64/CobaltStrike.IQ!MTB\nVT Total Detection:44/72\nFirst Submission:2024-03-20T07:56:22.000000+00:00\nLast Submission:2024-06-18T13:09:28.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779535813",
        "uuid": "a9c16c24-5e28-47fb-9c11-67374bc191a2",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Cobalt Strike",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779535812",
            "to_ids": true,
            "type": "md5",
            "uuid": "443ea3fa-dd80-421c-b53d-bfc4aae335b0",
            "value": "48269c797226e181717f41b8b8e6f650",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Cobalt Strike",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779535813",
            "to_ids": true,
            "type": "sha1",
            "uuid": "6f6f04c5-952a-4c76-b1c7-4ad3e615034e",
            "value": "e267c833c81728392fea9e91d75587e90684357a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Cobalt Strike",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779535813",
            "to_ids": true,
            "type": "sha256",
            "uuid": "a905e233-a669-4b2b-9387-7baee9963430",
            "value": "c876e6c074333d700adf6b4397d9303860de17b01baa27c0fa5135e2692d3d6f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1770397031",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "f5404760-81a0-42ef-85ce-cbb5d3da0a45",
            "value": "24576:LKnJQ+J6WORn/x5akoeLBNXyNxNl1kUwTo:GJQO/"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1770397031",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "1e6e74cd-666a-45b5-858f-78bf8fb1f1cf",
            "value": "1328640"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1770397031",
            "to_ids": true,
            "type": "vhash",
            "uuid": "94244abd-fa64-4a6a-a74b-5ad97c2231f0",
            "value": "116096151d15151d15150088z5c?z1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1770397031",
            "to_ids": true,
            "type": "filename",
            "uuid": "2ed0d0aa-a33f-4039-9520-9af260a344c8",
            "value": "12rip.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 07/02/2026\nLast-scan\t:  06/02/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1770397031",
            "to_ids": false,
            "type": "text",
            "uuid": "77936b7c-eedd-487f-9a9f-48db53f85f5a",
            "value": "Cobalt Strike\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win64/CobaltStrike.IQ!MTB\nVT Total Detection:41/72\nFirst Submission:2024-03-26T11:35:34.000000+00:00\nLast Submission:2024-03-26T11:35:34.000000+00:00"
          }
        ]
      }
    ]
  }
}