{
  "Event": {
    "analysis": "1",
    "date": "2024-06-19",
    "extends_uuid": "",
    "info": "[Threat Intel] Cloaked and Covert: Uncovering UNC3886 Espionage Operations",
    "protected": false,
    "publish_timestamp": "1780042070",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1780042069",
    "uuid": "f0dae99d-cc52-47ed-9db9-f8b09d2a05de",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#10003d",
        "local": false,
        "name": "rectifyq:sub-category=\"TA-profile\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#fdcb58",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"somewhat-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"Mandiant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"UNC3886\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:region=\"021 - Northern America\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:region=\"035 - South-eastern Asia\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"VIRTUALGATE\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"tsh\"",
        "relationship_type": ""
      },
      {
        "colour": "#3a00dd",
        "local": false,
        "name": "rectifyq:action-taken=\"diamond-model\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770869811",
        "to_ids": false,
        "type": "link",
        "uuid": "cb67dba5-0701-441b-8dd8-6c8ebc253d7e",
        "value": "https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations"
      },
      {
        "category": "Payload delivery",
        "comment": "UTILITY No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770874508",
        "to_ids": true,
        "type": "md5",
        "uuid": "b3410a4b-24ac-46ea-b5c1-fb32b09cb0c0",
        "value": "381b7a2a6d581e3482c829bfb542a7de",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "INSTALLER No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770874529",
        "to_ids": true,
        "type": "md5",
        "uuid": "2ca25ec5-fb05-4be5-9c22-fe0541c51b09",
        "value": "876787f76867ecf654019bd19409c5b8",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "ARCHIVE No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770874551",
        "to_ids": true,
        "type": "md5",
        "uuid": "dfd5a31e-a174-4e66-9c6e-bd6cbdd0aea3",
        "value": "827d8ae502e3a4d56e6c3a238ba855a7",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "ARCHIVE No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770874572",
        "to_ids": true,
        "type": "md5",
        "uuid": "d01be56e-5bca-4e69-ab5a-032d783f85bd",
        "value": "9ea86dccd5bbde47f8641b62a1eeff07",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "ARCHIVE No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770874594",
        "to_ids": true,
        "type": "md5",
        "uuid": "3dacf8d1-dba0-48da-bc27-9bac38d408fd",
        "value": "fcb742b507e3c074da5524d1a7c80f7f",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "UTILITY No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770874615",
        "to_ids": true,
        "type": "md5",
        "uuid": "14b356bc-038f-4a64-bb5c-b82b9ce6e0a9",
        "value": "129ba90886c5f5eb0c81d901ad10c622",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "UTILITY No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770874636",
        "to_ids": true,
        "type": "md5",
        "uuid": "ef07cf12-e2b5-4ce0-b025-39c10538dbf6",
        "value": "0f76936e237bd87dfa2378106099a673",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "UTILITY No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770874657",
        "to_ids": true,
        "type": "md5",
        "uuid": "50e47323-db7a-477b-90b4-e668b502280c",
        "value": "d18a5f1e8c321472a31c27f4985834a4",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "LAUNCHER No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770874678",
        "to_ids": true,
        "type": "md5",
        "uuid": "d68b5d4c-191c-43a9-8806-cc5ac91d5e32",
        "value": "4ddca39b05103aeb075ebb0e03522064",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "GHOSTTOWN UTILITY No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770874699",
        "to_ids": true,
        "type": "md5",
        "uuid": "5166af26-1724-4c57-974d-bb45ad21711a",
        "value": "0e43a0f747a60855209b311d727a20bf",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "LOOKOVER SNIFFER No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770874720",
        "to_ids": true,
        "type": "md5",
        "uuid": "24cb2229-ae33-4636-b6c4-7367254c5668",
        "value": "1d89b48548ea1ddf0337741ebdb89d92",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "LOOKOVER SNIFFER No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770874742",
        "to_ids": true,
        "type": "md5",
        "uuid": "87ff816a-7baf-43a6-a8af-4d1feecc71cf",
        "value": "ecb34a068eeb2548c0cbe2de00e53ed2",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "MOPSLED.LINUX BACKDOOR No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770874763",
        "to_ids": true,
        "type": "md5",
        "uuid": "af4c2392-ddc8-4bf6-8021-d98333a77ef1",
        "value": "89339821cdf6e9297000f3e6949f0404",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "MOPSLED.LINUX LAUNCHER No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770874784",
        "to_ids": true,
        "type": "md5",
        "uuid": "9a541279-12db-4cc8-801d-3b5651c4fa59",
        "value": "c870ea6a598c12218e6ac36d791032b5",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "REPTILE LAUNCHER No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770874805",
        "to_ids": true,
        "type": "md5",
        "uuid": "4d51c56e-fbf7-455b-be7f-2ba982b6683f",
        "value": "1079d416e093ba40aa9e95a4c2a5b61f",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "REPTILE BACKDOOR No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770874826",
        "to_ids": true,
        "type": "md5",
        "uuid": "cf12a5d1-9984-4284-a92d-2180794b2125",
        "value": "ed9be20fea9203f4c4557c66c5b9686c",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "REPTILE BACKDOOR No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770874848",
        "to_ids": true,
        "type": "md5",
        "uuid": "20079158-e40c-4445-89d0-d1d536db9aaa",
        "value": "568074d60dd4759e963adc5fe9f15eb1",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "REPTILE LAUNCHER No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770874869",
        "to_ids": true,
        "type": "md5",
        "uuid": "ecd9b82e-192c-469d-93f5-62098deb3f00",
        "value": "4d5e4f64a9b56067704a977ed89aa641",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "REPTILE BACKDOOR No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770874890",
        "to_ids": true,
        "type": "md5",
        "uuid": "f48718f2-f402-4c79-b506-493418dde793",
        "value": "1b7aee68f384e252286559abc32e6dd1",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "REPTILE BACKDOOR No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770874911",
        "to_ids": true,
        "type": "md5",
        "uuid": "9300a213-cf66-40ea-8856-34e4956f17d0",
        "value": "b754237c7b5e9461389a6d960156db1e",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "REPTILE BACKDOOR No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770874932",
        "to_ids": true,
        "type": "md5",
        "uuid": "0e0fa2bb-3d15-4737-ab67-4ae0076ba50c",
        "value": "f41ad99b8a8c95e4132e850b3663cb40",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "REPTILE LAUNCHER No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770874953",
        "to_ids": true,
        "type": "md5",
        "uuid": "f1cf62d2-a54c-4500-9695-e8589e361c98",
        "value": "48f9bbdb670f89fce9c51ad433b4f200",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "REPTILE BACKDOOR No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770874974",
        "to_ids": true,
        "type": "md5",
        "uuid": "1d19db79-e3a7-4aac-85c6-1fdd717a3688",
        "value": "4fb72d580241f27945ec187855efd84a",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "REPTILE CONTROLLER No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770874995",
        "to_ids": true,
        "type": "md5",
        "uuid": "b7b93e19-36a6-46d3-9375-8a6e789dc736",
        "value": "e2cdf2a3380d0197aa11ff98a34cc59e",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "REPTILE.SHELL BACKDOOR No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770875016",
        "to_ids": true,
        "type": "md5",
        "uuid": "1d767c60-5eef-44be-9e26-19ead001abcb",
        "value": "fd3834d566a993c549a13a52d843a4e1",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "REPTILE.SHELL BACKDOOR No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770875037",
        "to_ids": true,
        "type": "md5",
        "uuid": "1633357f-3f7b-4655-8820-bb6a24ef14a3",
        "value": "4282de95cc54829d7ac275e436e33b78",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "REPTILE.SHELL BACKDOOR No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770875059",
        "to_ids": true,
        "type": "md5",
        "uuid": "075446e1-22a4-4bc8-a43d-80165b1ed053",
        "value": "c9c00c627015bd78fda22fa28fd11cd7",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "REPTILE.SHELL BACKDOOR No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770875081",
        "to_ids": true,
        "type": "md5",
        "uuid": "c02ea2be-4413-4195-82bc-47a10d2ae761",
        "value": "047ac6aebe0fe80f9f09c5c548233407",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "RIFLESPINE BACKDOOR No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770875102",
        "to_ids": true,
        "type": "md5",
        "uuid": "aec307c8-d901-476e-a159-9b33c04c97fc",
        "value": "bca2ccff0596a9f102550976750e2a89",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "TINYSHELL CONTROLLER No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770875123",
        "to_ids": true,
        "type": "md5",
        "uuid": "9ea6867d-8173-4aa2-89a7-ea7c9acc737b",
        "value": "3a8a60416b7b0e1aa5d17eefb0a45a16",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "TINYSHELL BACKDOOR No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770875145",
        "to_ids": true,
        "type": "md5",
        "uuid": "d36c0e23-643e-4c8b-a054-2875d5b80de2",
        "value": "6e248f5424810ea67212f1f2e4616aa5",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "TINYSHELL CONTROLLER No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770875166",
        "to_ids": true,
        "type": "md5",
        "uuid": "82d710b9-e43d-4d0f-9e9c-7fc0eed03c52",
        "value": "5d232b72378754f7a6433f93e6380737",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "VIRTUALGATE DROPPER",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770875167",
        "to_ids": true,
        "type": "md5",
        "uuid": "7f468e9e-fa7f-4d32-9ef5-859aa0110140",
        "value": "3c7316012cba3bbfa8a95d7277cda873",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "VIRTUALPEER UTILITY No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770875208",
        "to_ids": true,
        "type": "md5",
        "uuid": "f83f46e3-f49f-4ee7-bfa7-55fcde0a9264",
        "value": "9c428a35d9fc1fdaf31af186ff6eec08",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "VIRTUALPIE ARCHIVE No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770875230",
        "to_ids": true,
        "type": "md5",
        "uuid": "931dccb5-e870-4177-87a4-8f97342d11ef",
        "value": "2716c60c28cf7f7568f55ac33313468b",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "VIRTUALPIE BACKDOOR No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770875251",
        "to_ids": true,
        "type": "md5",
        "uuid": "23325588-adac-4641-a0ae-4e2320d5c23b",
        "value": "61ab3f6401d60ec36cd3ac980a8deb75",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "VIRTUALPIE LAUNCHER No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770875272",
        "to_ids": true,
        "type": "md5",
        "uuid": "ed1cac07-6f26-45e9-8c44-064c0f2338c3",
        "value": "bd6e38b6ff85ab02c1a4325e8af29ce4",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "VIRTUALPITA LAUNCHER No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770875293",
        "to_ids": true,
        "type": "md5",
        "uuid": "d73ba1dd-4af3-4a61-83f3-c9242cd946f2",
        "value": "9ef5266a9fdd25474227c3e33b8e6d77",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "VIRTUALPITA BACKDOOR No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770875315",
        "to_ids": true,
        "type": "md5",
        "uuid": "2df2b016-78fd-42e2-9781-29322c799188",
        "value": "a7cd7b61d13256f5478feb28ab34be72",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "VIRTUALPITA BACKDOOR No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770875336",
        "to_ids": true,
        "type": "md5",
        "uuid": "0fed158d-c49e-4e80-83f5-f2dd0da7efc4",
        "value": "cd3e9e4df7e607f4fe83873b9d1142e3",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "VIRTUALPITA ARCHIVE No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770875357",
        "to_ids": true,
        "type": "md5",
        "uuid": "d648ed55-416e-4181-b8ef-8a0ef80373de",
        "value": "62bed88bd426f91ddbbbcfcd8508ed6a",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "VIRTUALPITA BACKDOOR No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770875378",
        "to_ids": true,
        "type": "md5",
        "uuid": "52cfb1f8-db1f-48d1-9edf-5b885bbc11b2",
        "value": "8e80b40b1298f022c7f3a96599806c43",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "VIRTUALPITA BACKDOOR No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770875399",
        "to_ids": true,
        "type": "md5",
        "uuid": "e5246a80-6047-4851-8afc-b9e5da16776e",
        "value": "c9f2476bf8db102fea7310abadeb9e01",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "VIRTUALPITA BACKDOOR No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770875421",
        "to_ids": true,
        "type": "md5",
        "uuid": "35157900-bf06-4b18-b4e4-68f2f58fc6ab",
        "value": "2c28ec2d541f555b2838099ca849f965",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "VIRTUALPITA BACKDOOR No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770875442",
        "to_ids": true,
        "type": "md5",
        "uuid": "026c560c-b24b-41e5-864f-91ac3b2e27a6",
        "value": "2bade2a5ec166d3a226761f78711ce2f",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "VIRTUALPITA BACKDOOR No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770875463",
        "to_ids": true,
        "type": "md5",
        "uuid": "4e113794-f271-48f7-8687-ae8baddce9cb",
        "value": "969d7f092ed05c72f27eef5f2c8158d6",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "VIRTUALSHINE BACKDOOR No sample in VT\r\nLast check:12/02/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770875485",
        "to_ids": true,
        "type": "md5",
        "uuid": "846a691c-999e-4c24-aeca-20c0eb3a3a3d",
        "value": "084132b20ed65b2930129b156b99f5b3",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780042006",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "cf3bdc83-15ae-4248-bb4e-95cd672f8111",
        "value": "8.222.218.20",
        "Tag": [
          {
            "colour": "#836891",
            "local": false,
            "name": "asn:asn=\"45102\"",
            "relationship_type": ""
          },
          {
            "colour": "#692b04",
            "local": false,
            "name": "asn:as-owner=\"ALIBABA-CN-NET Alibaba US Technology Co., Ltd.\"",
            "relationship_type": ""
          },
          {
            "colour": "#9256df",
            "local": false,
            "name": "asn:as-country=\"CN\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"china\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780042007",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "4b747b27-c87f-4ca0-bde8-f944211d5f66",
        "value": "8.222.216.144",
        "Tag": [
          {
            "colour": "#836891",
            "local": false,
            "name": "asn:asn=\"45102\"",
            "relationship_type": ""
          },
          {
            "colour": "#692b04",
            "local": false,
            "name": "asn:as-owner=\"ALIBABA-CN-NET Alibaba US Technology Co., Ltd.\"",
            "relationship_type": ""
          },
          {
            "colour": "#9256df",
            "local": false,
            "name": "asn:as-country=\"CN\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"china\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780042009",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "63961da4-31c2-4629-8c3e-c2a043ac0372",
        "value": "8.219.131.77",
        "Tag": [
          {
            "colour": "#836891",
            "local": false,
            "name": "asn:asn=\"45102\"",
            "relationship_type": ""
          },
          {
            "colour": "#692b04",
            "local": false,
            "name": "asn:as-owner=\"ALIBABA-CN-NET Alibaba US Technology Co., Ltd.\"",
            "relationship_type": ""
          },
          {
            "colour": "#9256df",
            "local": false,
            "name": "asn:as-country=\"CN\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"china\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780042010",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "faed5be1-75e7-4db9-bf92-71adbbb04be9",
        "value": "8.219.0.112",
        "Tag": [
          {
            "colour": "#836891",
            "local": false,
            "name": "asn:asn=\"45102\"",
            "relationship_type": ""
          },
          {
            "colour": "#692b04",
            "local": false,
            "name": "asn:as-owner=\"ALIBABA-CN-NET Alibaba US Technology Co., Ltd.\"",
            "relationship_type": ""
          },
          {
            "colour": "#9256df",
            "local": false,
            "name": "asn:as-country=\"CN\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"china\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780042012",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "8c056bca-6deb-48c4-9372-3917b55b3305",
        "value": "8.210.75.218",
        "Tag": [
          {
            "colour": "#836891",
            "local": false,
            "name": "asn:asn=\"45102\"",
            "relationship_type": ""
          },
          {
            "colour": "#692b04",
            "local": false,
            "name": "asn:as-owner=\"ALIBABA-CN-NET Alibaba US Technology Co., Ltd.\"",
            "relationship_type": ""
          },
          {
            "colour": "#9256df",
            "local": false,
            "name": "asn:as-country=\"CN\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"china\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780042016",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "d21e5ea6-9012-49e7-b830-e7a3401ff8a5",
        "value": "8.210.103.134",
        "Tag": [
          {
            "colour": "#836891",
            "local": false,
            "name": "asn:asn=\"45102\"",
            "relationship_type": ""
          },
          {
            "colour": "#692b04",
            "local": false,
            "name": "asn:as-owner=\"ALIBABA-CN-NET Alibaba US Technology Co., Ltd.\"",
            "relationship_type": ""
          },
          {
            "colour": "#9256df",
            "local": false,
            "name": "asn:as-country=\"CN\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"china\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780042017",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "14b18f8d-9084-4498-a6cd-3c72113d4411",
        "value": "47.252.54.82",
        "Tag": [
          {
            "colour": "#836891",
            "local": false,
            "name": "asn:asn=\"45102\"",
            "relationship_type": ""
          },
          {
            "colour": "#692b04",
            "local": false,
            "name": "asn:as-owner=\"ALIBABA-CN-NET Alibaba US Technology Co., Ltd.\"",
            "relationship_type": ""
          },
          {
            "colour": "#9256df",
            "local": false,
            "name": "asn:as-country=\"CN\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"china\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780042023",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "aaff7fc2-da68-4f8c-b681-0205a73bf3a2",
        "value": "47.251.46.35",
        "Tag": [
          {
            "colour": "#836891",
            "local": false,
            "name": "asn:asn=\"45102\"",
            "relationship_type": ""
          },
          {
            "colour": "#692b04",
            "local": false,
            "name": "asn:as-owner=\"ALIBABA-CN-NET Alibaba US Technology Co., Ltd.\"",
            "relationship_type": ""
          },
          {
            "colour": "#9256df",
            "local": false,
            "name": "asn:as-country=\"CN\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"china\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780042024",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "c9f913bb-48a9-4920-a2fc-9b4926c51fa4",
        "value": "47.246.68.13",
        "Tag": [
          {
            "colour": "#836891",
            "local": false,
            "name": "asn:asn=\"45102\"",
            "relationship_type": ""
          },
          {
            "colour": "#692b04",
            "local": false,
            "name": "asn:as-owner=\"ALIBABA-CN-NET Alibaba US Technology Co., Ltd.\"",
            "relationship_type": ""
          },
          {
            "colour": "#9256df",
            "local": false,
            "name": "asn:as-country=\"CN\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"china\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780042026",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "2b01e390-5465-40ad-8833-79c734755233",
        "value": "47.243.116.155",
        "Tag": [
          {
            "colour": "#836891",
            "local": false,
            "name": "asn:asn=\"45102\"",
            "relationship_type": ""
          },
          {
            "colour": "#692b04",
            "local": false,
            "name": "asn:as-owner=\"ALIBABA-CN-NET Alibaba US Technology Co., Ltd.\"",
            "relationship_type": ""
          },
          {
            "colour": "#9256df",
            "local": false,
            "name": "asn:as-country=\"CN\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"china\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780042027",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "f020d2a8-e269-44ef-99e7-b5cfdf00e35a",
        "value": "47.241.56.157",
        "Tag": [
          {
            "colour": "#836891",
            "local": false,
            "name": "asn:asn=\"45102\"",
            "relationship_type": ""
          },
          {
            "colour": "#692b04",
            "local": false,
            "name": "asn:as-owner=\"ALIBABA-CN-NET Alibaba US Technology Co., Ltd.\"",
            "relationship_type": ""
          },
          {
            "colour": "#9256df",
            "local": false,
            "name": "asn:as-country=\"CN\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"china\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780042029",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "46bd6120-2f96-4ce0-8d33-902048566b98",
        "value": "45.77.106.183",
        "Tag": [
          {
            "colour": "#133012",
            "local": false,
            "name": "asn:asn=\"20473\"",
            "relationship_type": ""
          },
          {
            "colour": "#650025",
            "local": false,
            "name": "asn:as-owner=\"AS-VULTR\"",
            "relationship_type": ""
          },
          {
            "colour": "#d16c37",
            "local": false,
            "name": "asn:as-country=\"US\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"united states of america\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780042031",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "29c7c6ac-1532-4d1c-85e6-44313dad123e",
        "value": "45.32.252.98",
        "Tag": [
          {
            "colour": "#133012",
            "local": false,
            "name": "asn:asn=\"20473\"",
            "relationship_type": ""
          },
          {
            "colour": "#650025",
            "local": false,
            "name": "asn:as-owner=\"AS-VULTR\"",
            "relationship_type": ""
          },
          {
            "colour": "#d16c37",
            "local": false,
            "name": "asn:as-country=\"US\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"united states of america\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780042032",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "5c4091df-d157-4c4b-bbc9-8c8800d24487",
        "value": "207.246.64.38",
        "Tag": [
          {
            "colour": "#133012",
            "local": false,
            "name": "asn:asn=\"20473\"",
            "relationship_type": ""
          },
          {
            "colour": "#650025",
            "local": false,
            "name": "asn:as-owner=\"AS-VULTR\"",
            "relationship_type": ""
          },
          {
            "colour": "#d16c37",
            "local": false,
            "name": "asn:as-country=\"US\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"united states of america\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780042034",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "055d32e7-aa2a-4837-ab3b-3c19779c34a8",
        "value": "149.28.122.119",
        "Tag": [
          {
            "colour": "#133012",
            "local": false,
            "name": "asn:asn=\"20473\"",
            "relationship_type": ""
          },
          {
            "colour": "#650025",
            "local": false,
            "name": "asn:as-owner=\"AS-VULTR\"",
            "relationship_type": ""
          },
          {
            "colour": "#d16c37",
            "local": false,
            "name": "asn:as-country=\"US\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"united states of america\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780042036",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "890cb489-d7ec-4877-a7c9-49835b4c49ca",
        "value": "155.138.161.47",
        "Tag": [
          {
            "colour": "#133012",
            "local": false,
            "name": "asn:asn=\"20473\"",
            "relationship_type": ""
          },
          {
            "colour": "#650025",
            "local": false,
            "name": "asn:as-owner=\"AS-VULTR\"",
            "relationship_type": ""
          },
          {
            "colour": "#d16c37",
            "local": false,
            "name": "asn:as-country=\"US\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"united states of america\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780042037",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "10ec9c45-a90f-4ef2-823f-c7926ad82d3f",
        "value": "154.216.2.149",
        "Tag": [
          {
            "colour": "#78321d",
            "local": false,
            "name": "asn:asn=\"55720\"",
            "relationship_type": ""
          },
          {
            "colour": "#295f2f",
            "local": false,
            "name": "asn:as-owner=\"GIGABIT-MY Gigabit Hosting Sdn Bhd\"",
            "relationship_type": ""
          },
          {
            "colour": "#12ee4d",
            "local": false,
            "name": "asn:as-country=\"MY\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"malaysia\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780042039",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "bc072f95-d261-4461-84c3-55e2d8fe9063",
        "value": "103.232.86.217",
        "Tag": [
          {
            "colour": "#78321d",
            "local": false,
            "name": "asn:asn=\"55720\"",
            "relationship_type": ""
          },
          {
            "colour": "#295f2f",
            "local": false,
            "name": "asn:as-owner=\"GIGABIT-MY Gigabit Hosting Sdn Bhd\"",
            "relationship_type": ""
          },
          {
            "colour": "#12ee4d",
            "local": false,
            "name": "asn:as-country=\"MY\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"malaysia\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780042041",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "b666ab4c-4454-4a5c-bc62-0b81c2257dfa",
        "value": "103.232.86.210",
        "Tag": [
          {
            "colour": "#78321d",
            "local": false,
            "name": "asn:asn=\"55720\"",
            "relationship_type": ""
          },
          {
            "colour": "#295f2f",
            "local": false,
            "name": "asn:as-owner=\"GIGABIT-MY Gigabit Hosting Sdn Bhd\"",
            "relationship_type": ""
          },
          {
            "colour": "#12ee4d",
            "local": false,
            "name": "asn:as-country=\"MY\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"malaysia\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780042043",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "c38056e3-1e59-419f-9389-4ac123247483",
        "value": "103.232.86.209",
        "Tag": [
          {
            "colour": "#78321d",
            "local": false,
            "name": "asn:asn=\"55720\"",
            "relationship_type": ""
          },
          {
            "colour": "#295f2f",
            "local": false,
            "name": "asn:as-owner=\"GIGABIT-MY Gigabit Hosting Sdn Bhd\"",
            "relationship_type": ""
          },
          {
            "colour": "#12ee4d",
            "local": false,
            "name": "asn:as-country=\"MY\"",
            "relationship_type": ""
          },
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:country=\"malaysia\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780042045",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "81fdf324-6fe8-4811-a903-e6da25f5306f",
        "value": "58.64.204.165",
        "Tag": [
          {
            "colour": "#d993cc",
            "local": false,
            "name": "asn:asn=\"17444\"",
            "relationship_type": ""
          },
          {
            "colour": "#40db64",
            "local": false,
            "name": "asn:as-owner=\"HKBNESL-AS-AP HKBN Enterprise Solutions Limited\"",
            "relationship_type": ""
          },
          {
            "colour": "#fbf8fb",
            "local": false,
            "name": "asn:as-country=\"HK\"",
            "relationship_type": ""
          },
          {
            "colour": "#daa28c",
            "local": false,
            "name": "misp-galaxy:country=\"hong kong\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780042047",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "6b5a1533-c581-43be-bf9b-c225370689cf",
        "value": "58.64.204.142",
        "Tag": [
          {
            "colour": "#d993cc",
            "local": false,
            "name": "asn:asn=\"17444\"",
            "relationship_type": ""
          },
          {
            "colour": "#40db64",
            "local": false,
            "name": "asn:as-owner=\"HKBNESL-AS-AP HKBN Enterprise Solutions Limited\"",
            "relationship_type": ""
          },
          {
            "colour": "#fbf8fb",
            "local": false,
            "name": "asn:as-country=\"HK\"",
            "relationship_type": ""
          },
          {
            "colour": "#daa28c",
            "local": false,
            "name": "misp-galaxy:country=\"hong kong\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780042048",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "e504cfbf-ce06-4599-87d9-4c57bba0f0dd",
        "value": "58.64.204.139",
        "Tag": [
          {
            "colour": "#d993cc",
            "local": false,
            "name": "asn:asn=\"17444\"",
            "relationship_type": ""
          },
          {
            "colour": "#40db64",
            "local": false,
            "name": "asn:as-owner=\"HKBNESL-AS-AP HKBN Enterprise Solutions Limited\"",
            "relationship_type": ""
          },
          {
            "colour": "#fbf8fb",
            "local": false,
            "name": "asn:as-country=\"HK\"",
            "relationship_type": ""
          },
          {
            "colour": "#daa28c",
            "local": false,
            "name": "misp-galaxy:country=\"hong kong\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780042050",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "19fb96bb-6f83-4e97-b091-49ffe14edf36",
        "value": "165.154.7.145",
        "Tag": [
          {
            "colour": "#c3a785",
            "local": false,
            "name": "asn:asn=\"135377\"",
            "relationship_type": ""
          },
          {
            "colour": "#273bfe",
            "local": false,
            "name": "asn:as-owner=\"UCLOUD-HK-AS-AP UCLOUD INFORMATION TECHNOLOGY HK LIMITED\"",
            "relationship_type": ""
          },
          {
            "colour": "#fbf8fb",
            "local": false,
            "name": "asn:as-country=\"HK\"",
            "relationship_type": ""
          },
          {
            "colour": "#daa28c",
            "local": false,
            "name": "misp-galaxy:country=\"hong kong\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780042052",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "28f5a3ef-9e44-4628-89aa-0080c9aab601",
        "value": "165.154.135.108",
        "Tag": [
          {
            "colour": "#c3a785",
            "local": false,
            "name": "asn:asn=\"135377\"",
            "relationship_type": ""
          },
          {
            "colour": "#273bfe",
            "local": false,
            "name": "asn:as-owner=\"UCLOUD-HK-AS-AP UCLOUD INFORMATION TECHNOLOGY HK LIMITED\"",
            "relationship_type": ""
          },
          {
            "colour": "#fbf8fb",
            "local": false,
            "name": "asn:as-country=\"HK\"",
            "relationship_type": ""
          },
          {
            "colour": "#daa28c",
            "local": false,
            "name": "misp-galaxy:country=\"hong kong\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780042054",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "7317709c-efa6-4ed2-a591-f8058d43f48a",
        "value": "165.154.134.40",
        "Tag": [
          {
            "colour": "#c3a785",
            "local": false,
            "name": "asn:asn=\"135377\"",
            "relationship_type": ""
          },
          {
            "colour": "#273bfe",
            "local": false,
            "name": "asn:as-owner=\"UCLOUD-HK-AS-AP UCLOUD INFORMATION TECHNOLOGY HK LIMITED\"",
            "relationship_type": ""
          },
          {
            "colour": "#fbf8fb",
            "local": false,
            "name": "asn:as-country=\"HK\"",
            "relationship_type": ""
          },
          {
            "colour": "#daa28c",
            "local": false,
            "name": "misp-galaxy:country=\"hong kong\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780042056",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "27161dea-6a27-4043-be5c-440ac8629963",
        "value": "152.32.231.251",
        "Tag": [
          {
            "colour": "#c3a785",
            "local": false,
            "name": "asn:asn=\"135377\"",
            "relationship_type": ""
          },
          {
            "colour": "#273bfe",
            "local": false,
            "name": "asn:as-owner=\"UCLOUD-HK-AS-AP UCLOUD INFORMATION TECHNOLOGY HK LIMITED\"",
            "relationship_type": ""
          },
          {
            "colour": "#fbf8fb",
            "local": false,
            "name": "asn:as-country=\"HK\"",
            "relationship_type": ""
          },
          {
            "colour": "#daa28c",
            "local": false,
            "name": "misp-galaxy:country=\"hong kong\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780042057",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "c54c9948-f8be-4217-8c75-cec56f81f24e",
        "value": "152.32.205.208",
        "Tag": [
          {
            "colour": "#c3a785",
            "local": false,
            "name": "asn:asn=\"135377\"",
            "relationship_type": ""
          },
          {
            "colour": "#273bfe",
            "local": false,
            "name": "asn:as-owner=\"UCLOUD-HK-AS-AP UCLOUD INFORMATION TECHNOLOGY HK LIMITED\"",
            "relationship_type": ""
          },
          {
            "colour": "#fbf8fb",
            "local": false,
            "name": "asn:as-country=\"HK\"",
            "relationship_type": ""
          },
          {
            "colour": "#daa28c",
            "local": false,
            "name": "misp-galaxy:country=\"hong kong\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780042059",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "24b04a93-ed54-4239-9978-7cfdb619b64e",
        "value": "152.32.144.15",
        "Tag": [
          {
            "colour": "#c3a785",
            "local": false,
            "name": "asn:asn=\"135377\"",
            "relationship_type": ""
          },
          {
            "colour": "#273bfe",
            "local": false,
            "name": "asn:as-owner=\"UCLOUD-HK-AS-AP UCLOUD INFORMATION TECHNOLOGY HK LIMITED\"",
            "relationship_type": ""
          },
          {
            "colour": "#fbf8fb",
            "local": false,
            "name": "asn:as-country=\"HK\"",
            "relationship_type": ""
          },
          {
            "colour": "#daa28c",
            "local": false,
            "name": "misp-galaxy:country=\"hong kong\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780042061",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "6ad57414-89a0-4f5b-aff8-2a5adcac94d9",
        "value": "152.32.129.162",
        "Tag": [
          {
            "colour": "#c3a785",
            "local": false,
            "name": "asn:asn=\"135377\"",
            "relationship_type": ""
          },
          {
            "colour": "#273bfe",
            "local": false,
            "name": "asn:as-owner=\"UCLOUD-HK-AS-AP UCLOUD INFORMATION TECHNOLOGY HK LIMITED\"",
            "relationship_type": ""
          },
          {
            "colour": "#fbf8fb",
            "local": false,
            "name": "asn:as-country=\"HK\"",
            "relationship_type": ""
          },
          {
            "colour": "#daa28c",
            "local": false,
            "name": "misp-galaxy:country=\"hong kong\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780042063",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "01fe7357-3c88-4086-9d56-a300e0875319",
        "value": "123.58.207.86",
        "Tag": [
          {
            "colour": "#c3a785",
            "local": false,
            "name": "asn:asn=\"135377\"",
            "relationship_type": ""
          },
          {
            "colour": "#273bfe",
            "local": false,
            "name": "asn:as-owner=\"UCLOUD-HK-AS-AP UCLOUD INFORMATION TECHNOLOGY HK LIMITED\"",
            "relationship_type": ""
          },
          {
            "colour": "#fbf8fb",
            "local": false,
            "name": "asn:as-country=\"HK\"",
            "relationship_type": ""
          },
          {
            "colour": "#daa28c",
            "local": false,
            "name": "misp-galaxy:country=\"hong kong\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780042064",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "2081391e-9887-4acf-98ba-d1f6322c796d",
        "value": "123.58.196.34",
        "Tag": [
          {
            "colour": "#c3a785",
            "local": false,
            "name": "asn:asn=\"135377\"",
            "relationship_type": ""
          },
          {
            "colour": "#273bfe",
            "local": false,
            "name": "asn:as-owner=\"UCLOUD-HK-AS-AP UCLOUD INFORMATION TECHNOLOGY HK LIMITED\"",
            "relationship_type": ""
          },
          {
            "colour": "#fbf8fb",
            "local": false,
            "name": "asn:as-country=\"HK\"",
            "relationship_type": ""
          },
          {
            "colour": "#daa28c",
            "local": false,
            "name": "misp-galaxy:country=\"hong kong\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780042066",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "71bc71aa-bba2-43f6-931f-f1a3fe140294",
        "value": "118.193.63.40",
        "Tag": [
          {
            "colour": "#c3a785",
            "local": false,
            "name": "asn:asn=\"135377\"",
            "relationship_type": ""
          },
          {
            "colour": "#273bfe",
            "local": false,
            "name": "asn:as-owner=\"UCLOUD-HK-AS-AP UCLOUD INFORMATION TECHNOLOGY HK LIMITED\"",
            "relationship_type": ""
          },
          {
            "colour": "#fbf8fb",
            "local": false,
            "name": "asn:as-country=\"HK\"",
            "relationship_type": ""
          },
          {
            "colour": "#daa28c",
            "local": false,
            "name": "misp-galaxy:country=\"hong kong\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780042068",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "32f71886-0bee-4fd8-9df7-95191ccac78e",
        "value": "118.193.61.71",
        "Tag": [
          {
            "colour": "#c3a785",
            "local": false,
            "name": "asn:asn=\"135377\"",
            "relationship_type": ""
          },
          {
            "colour": "#273bfe",
            "local": false,
            "name": "asn:as-owner=\"UCLOUD-HK-AS-AP UCLOUD INFORMATION TECHNOLOGY HK LIMITED\"",
            "relationship_type": ""
          },
          {
            "colour": "#fbf8fb",
            "local": false,
            "name": "asn:as-country=\"HK\"",
            "relationship_type": ""
          },
          {
            "colour": "#daa28c",
            "local": false,
            "name": "misp-galaxy:country=\"hong kong\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780042069",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "524b8529-95ed-4f21-b0c7-38055d5107c2",
        "value": "118.193.61.178",
        "Tag": [
          {
            "colour": "#c3a785",
            "local": false,
            "name": "asn:asn=\"135377\"",
            "relationship_type": ""
          },
          {
            "colour": "#273bfe",
            "local": false,
            "name": "asn:as-owner=\"UCLOUD-HK-AS-AP UCLOUD INFORMATION TECHNOLOGY HK LIMITED\"",
            "relationship_type": ""
          },
          {
            "colour": "#fbf8fb",
            "local": false,
            "name": "asn:as-country=\"HK\"",
            "relationship_type": ""
          },
          {
            "colour": "#daa28c",
            "local": false,
            "name": "misp-galaxy:country=\"hong kong\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "diamond-model",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770874463",
        "to_ids": false,
        "type": "comment",
        "uuid": "11ab9313-aa76-4c67-976f-b352443fcf89",
        "value": "https://raw.githubusercontent.com/rectifyq/Collections/refs/heads/main/Diamond-Models/2024/240619-UNC3886/24.png"
      },
      {
        "category": "Other",
        "comment": "diamond-model",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1770874472",
        "to_ids": false,
        "type": "comment",
        "uuid": "9eb7b6a7-c767-43b9-831d-b1da2fc5114f",
        "value": "https://raw.githubusercontent.com/rectifyq/Collections/refs/heads/main/Diamond-Models/2024/240619-UNC3886/25.png"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1770874027",
        "uuid": "b4446b8c-faf6-459b-9c63-4802395d8793",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1770874027",
            "to_ids": false,
            "type": "text",
            "uuid": "2e3f4982-7953-43b6-8aa0-ed32f9dd5c68",
            "value": "M_Sniffer_LOOKOVER_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1770874027",
            "to_ids": false,
            "type": "comment",
            "uuid": "652e63f0-bee4-4c1a-b777-d920d3cb7b5f",
            "value": "M_Sniffer_LOOKOVER_1"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1770874027",
            "to_ids": true,
            "type": "yara",
            "uuid": "2c2a937a-9b43-4734-8e35-7ade191b7ea0",
            "value": "rule M_Sniffer_LOOKOVER_1 {\r\nmeta:\r\n  author = \"Mandiant\"\r\nstrings:\r\n  $str1 = \"TKEY\" \r\n  $str2 = \"FILTER\" \r\n  $str3 = \"DEVICE\" \r\n  $str4 = \"SNFILENAME\" \r\n  $str5 = \"/var/lib/libsyslog.so\" \r\n  $code = {8B 55 F8 48 8B 45 E8 48 01 C2 8B 45 FC 48 8D 0C 85 00 00 00 00 \r\n48 8B 45 E0 48 01 C8 8B 00 88 02 8B 45 F8 83 C0 01 89 C2 48 8B 45 E8 48 01 \r\nC2 8B 45 FC 48 8D 0C 85 00 00 00 00 48 8B 45 E0 48 01 C8 8B 00 C1 E8 08 88 \r\n02 8B 45 F8 83 C0 02 89 C2 48 8B 45 E8 48 01 C2 8B 45 FC 48 8D 0C 85 00 00 \r\n00 00 48 8B 45 E0 48 01 C8 8B 00 C1 E8 10 88 02 8B 45 F8 83 C0 03 89 C2 48 \r\n8B 45 E8 48 01 C2 8B 45 FC 48 8D 0C 85 00 00 00 00 48 8B 45 E0 48 01 C8 8B \r\n00 C1 E8 18 88 02 83 45 FC 01 83 45 F8 04} \r\ncondition:\r\n  uint32(0) == 0x464c457f and filesize < 5MB and all of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1770874044",
        "uuid": "22d05c5a-8acf-4d76-b9ac-e794d5bb656b",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1770874044",
            "to_ids": false,
            "type": "text",
            "uuid": "e2eb5a79-a864-4847-b0ac-48baa6ec4cf4",
            "value": "M_Utility_GHOSTTOWN_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1770874044",
            "to_ids": false,
            "type": "comment",
            "uuid": "7a2fe93c-1d24-442e-9c7d-cf041fbeb6d8",
            "value": "M_Utility_GHOSTTOWN_1"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1770874044",
            "to_ids": true,
            "type": "yara",
            "uuid": "b8f759e4-b634-4f59-96d8-d7a14698f68f",
            "value": "rule M_Utility_GHOSTTOWN_1 {\r\nmeta:\r\n  author = \"Mandiant\"\r\nstrings:\r\n  $code1 = { 2F 76 61 72 2F 6C 6F 67 } \r\n  $code2 = { 2F 76 61 72 2F 72 75 6E } \r\n  $debug1 = \"=== results ===\" ascii\r\n  $debug2 = \"=== %s ===\" ascii\r\n  $debug3 = \"searching record in file %s\" ascii\r\n  $debug4 = \"record not matched, not modifing %s\" ascii\r\n  $debug5 = \"delete %d records in %s\" ascii\r\n  $debug6 = \"NEVER_LOGIN\" ascii\r\n  $debug7 = \"you need to specify a username to clear\" ascii\r\n  $pattern1 = \"%-10s%-10s%-10s%-20s%-10s\" ascii\r\n  $pattern2 = \"%-15s%-10s%-15s%-10s\" ascii\r\ncondition:\r\n  uint32(0) == 0x464C457F and all of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1770874061",
        "uuid": "1b3cc35e-49a6-4a1e-8ef9-7387cf0e6603",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1770874061",
            "to_ids": false,
            "type": "text",
            "uuid": "c0856cfc-a5f0-4d60-84ec-577adc7dad04",
            "value": "M_Utility_VIRTUALPEER_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1770874061",
            "to_ids": false,
            "type": "comment",
            "uuid": "98dca761-8ed6-4482-b0db-e2cd68bb01e8",
            "value": "M_Utility_VIRTUALPEER_1"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1770874061",
            "to_ids": true,
            "type": "yara",
            "uuid": "928560cf-d66d-4451-b1b0-f380790b51ec",
            "value": "rule M_Utility_VIRTUALPEER_1 {\r\n    meta:\r\n        author = \"Mandiant\"\r\n    strings:\r\n        $vmci_socket_family = {B? 00 00 00 00 B? 02 00 00 00 B? 28 00 \r\n00 00 e8 [4-128] B? 00 00 00 00 48 8d [5] b? 00 00 00 00 e8 [4-64] B? \r\n00 00 00 00 48 8d [5] b? 00 00 00 00 e8 [4-64] B? B8 07 00 00 [0-8] b? \r\n00 00 00 00 e8}\r\n        $vmci_socket_marker1 = \"/dev/vsock\" ascii wide\r\n        $vmci_socket_marker2 = \"/vmfs/devices/char/vsock/vsock\" \r\nascii wide\r\n        $vmci_socket_init_bind_listen = {e8 [4] 89 45 [4-64] 8B 45 ?? b? \r\n00 00 00 00 b? 01 00 00 00 [0-4] e8 [4-128] B? 10 00 00 00  [1-16] e8 \r\n[4-128] BE 01 00 00 00 [1-16] e8 [4] 83 F8 FF}\r\n        $socket_read_write = {BA 01 00 00 00 48 89 CE 89 C7 E8 [4] 48 \r\n85 C0 [1-64] BA 01 00 00 00 48 89 CE 89 C7 E8 [4] 48 85 C0 7e ?? eb}\r\n        $marker1 = \"nc <port>\"\r\n    condition:\r\n        uint32(0) == 0x464c457f and all of them\r\n          \r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1770874258",
        "uuid": "890ab298-3032-4c44-9f20-f179f885b8de",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1770874258",
            "to_ids": false,
            "type": "text",
            "uuid": "ee907347-d69f-42b2-b1c6-6fcdc38e3aa0",
            "value": "M_Hunting_VIRTUALPITA_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1770874258",
            "to_ids": false,
            "type": "comment",
            "uuid": "4c5f83d6-9cb2-4e3b-b9d7-521fa88b4549",
            "value": "M_Hunting_VIRTUALPITA_1"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1770874258",
            "to_ids": true,
            "type": "yara",
            "uuid": "2c89b1b2-0488-4d01-be43-a22e14696269",
            "value": "rule M_Hunting_VIRTUALPITA_1\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n    strings:\r\n        $forpid = { 70 69 64 20 [0-10] 69 6E 20 60 [0-10] 70 73 20 2D [0-10] \r\n63 20 7C 20 [0-10] 67 72 65 70 [0-10] 20 76 6D 73 [0-10] 79 73 6C 6F [0-10] \r\n67 64 20 7C [0-10] 20 61 77 6B [0-10] 20 27 7B 20 [0-10] 70 72 69 6E [0-10] \r\n74 20 24 31 [0-10] 20 7D 27 60 [0-10] 3B 20 64 6F [0-10] 20 6B 69 6C [0-10] \r\n6C 20 2D 39 [0-10] 20 24 70 69 [0-10] 64 3B 20 64 [0-10] 6F 6E 65 00 }\r\n        $vmsyslogd = { 2F 75 73 72 [0-10] 2F 6C 69 62 [0-10] 2F 76 6D 77 \r\n[0-10] 61 72 65 2F [0-10] 76 6D 73 79 [0-10] 73 6C 6F 67 [0-10] 2F 62 69 6E \r\n[0-10] 2F 76 6D 73 [0-10] 79 73 6C 6F [0-10] 67 64 00 00 }\r\n    condition:\r\n        uint32(0) == 0x464c457f and any of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1770874275",
        "uuid": "47e3274d-efae-4b1f-bc8d-bca62a7e4c55",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1770874275",
            "to_ids": false,
            "type": "text",
            "uuid": "925db7b8-e117-4bd2-b6bd-617458871332",
            "value": "M_APT_Launcher_REPTILE_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1770874275",
            "to_ids": false,
            "type": "comment",
            "uuid": "416f3152-03e3-4c0a-a15c-31c4dd5b1f65",
            "value": "M_APT_Launcher_REPTILE_1"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1770874275",
            "to_ids": true,
            "type": "yara",
            "uuid": "71e46f99-e443-4979-95b8-a20f0b4e897e",
            "value": "rule M_APT_Launcher_REPTILE_1 {\r\nmeta:\r\n  author = \"Mandiant\"\r\nstrings:\r\n  $str1 = {B8 00 00 00 00 E8 A1 FE FF FF 48 8B 85 40 FF FF FF 48 \r\n83 C0 08 48 8B 00 BE 00 00 00 00 48 89 C7 B8 00 00 00 00 E8 ?? \r\nFD FF FF 89 45 ?8 48 8D 95 50 FF FF FF 8B 45 ?8 48 89 D6 89 C7 \r\nE8 ?? 0? 00 00 48 8B 45 80 48 89 45 F0 48 8B 45 F0 48 89 C7 E8 \r\n?? F? FF FF 48 89 45 ?8 48 8B 55 F0 48 8B 4D ?8 8B 45 ?8 48 89 \r\nCE 89 C7 E8 ?? FC FF FF 48 8B 55 F0 48 8B 45 ?8 B9 4? 0C 40 00 \r\n48 89 C6 BF AF 00 00 00 B8 00 00 00 00 E8 ?? FC FF FF E8 ?? FC \r\nFF FF 8B 00 83 F8 25 75 07 C7 45 ?C 00 00 00 00 } \r\n  $str2 = {81 7D F? FF 03 00 00 7E E9 BE 02 00 00 00 BF ?? 0C 40 \r\n00 B8 00 00 00 00 E8 ?? F? FF FF 89 45 F? 8B 45 F? BE 01 00 00 \r\n00 89 C7 E8 ?? FD FF FF 8B 45 F? BE 02 00 00 00 89 C7 E8 ?? F? \r\nFF FF C9 C3} \r\ncondition:\r\n  uint32(0) == 0x464C457F and all of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1770874290",
        "uuid": "a1826a05-39ff-4a08-92d4-1fd79abdde80",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1770874290",
            "to_ids": false,
            "type": "text",
            "uuid": "db662efb-a98d-44db-b520-f7a912744548",
            "value": "M_APT_Backdoor_VIRTUALSHINE_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1770874290",
            "to_ids": false,
            "type": "comment",
            "uuid": "39f7074e-fd84-4d6f-b01b-88b86cd9ea00",
            "value": "M_APT_Backdoor_VIRTUALSHINE_1"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1770874290",
            "to_ids": true,
            "type": "yara",
            "uuid": "71accefc-5312-4463-be22-0ebe782a2955",
            "value": "rule M_APT_Backdoor_VIRTUALSHINE_1 {\r\n    meta:\r\n        author = \"Mandiant\"\r\n\tstrings:\r\n\t\t$str1 = \"/dev/vsock\"\r\n\t\t$str2 = \"/vmfs/devices/char/vsock/vsock\"\r\n\t\t$str3 = \"nds4961l <cid> <vport>\"\r\n\t\t$str4 = \"[!] VMCISock_GetAFValue().\"\r\n\t\t$str5 = \"[+] Connected to server.[ %s:%s ]\"\r\n\t\t$str6 = \"TERM=xterm\"\r\n\t\t$str7 = \"PWD=/tmp/\"\r\n\tcondition:\r\n\t\tuint32(0) == 0x464C457F and all of them\r\n          \r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1770874306",
        "uuid": "af9d182b-bce3-43f5-969c-26ac5307ff63",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1770874306",
            "to_ids": false,
            "type": "text",
            "uuid": "a56ef25d-6e30-429b-a30c-f07cf07dce1c",
            "value": "M_APT_BACKDOOR_MOPSLED_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1770874306",
            "to_ids": false,
            "type": "comment",
            "uuid": "17efa25f-f905-4b84-9713-caeaedfe9622",
            "value": "M_APT_BACKDOOR_MOPSLED_1"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1770874306",
            "to_ids": true,
            "type": "yara",
            "uuid": "25fd2cb4-457e-4f64-b162-15a11d9d10bf",
            "value": "rule M_APT_BACKDOOR_MOPSLED_1\r\n{\r\n\tmeta:\r\n\t\tauthor = \"Mandiant\"\r\n\tstrings:\r\n\t\t$x = { e8 ?? ?? ?? ?? 85 c0 0f 85 ?? ?? ?? ?? 4? 8d ?? ?4 ?8 \r\nbe ?? ?? ?? ?? e8 ?? ?? ?? ?? 84 c0 0f 84 ?? ?? ?? ?? 4? 8b 94 ?? ?? ?? ?? \r\n?? 4? 8b 44 ?? ?? 4? 89 e1 [0-6]  be ?? ?? ?? ?? b? ?? ?? ?? ?? 4? 89 10 8b \r\n94 ?? ?? ?? ?? ?? [0-6] 89 50 08 4? 8b 54 ?? ?? c7 42 0c ?? ?? ?? ?? e8 \r\n?? ?? ?? ?? }\r\n    condition:\r\n          uint32(0) == 0x464c457f and uint8(4) == 2 and filesize < 5MB and $x\r\n}"
          }
        ]
      },
      {
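        "comment": "Duplicate of yara object af9d182b-bce3-43f5-969c-26ac5307ff63: same rule name (M_APT_BACKDOOR_MOPSLED_1) and same byte pattern, only the line wrapping differs. Deduplicate before compiling both into one YARA ruleset, where a repeated rule identifier is a compile error.",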
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1770874323",
        "uuid": "772bd6a8-d5b9-4d28-9088-1047882a0ea0",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1770874323",
            "to_ids": false,
            "type": "text",
            "uuid": "babf9fe1-520c-4c2d-80c3-216238bbaa9a",
            "value": "M_APT_BACKDOOR_MOPSLED_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1770874323",
            "to_ids": false,
            "type": "comment",
            "uuid": "80f9f346-fb19-4eb7-8d2a-fe5770b14f79",
            "value": "M_APT_BACKDOOR_MOPSLED_1"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1770874323",
            "to_ids": true,
            "type": "yara",
            "uuid": "370ee8fa-32c9-4917-884b-51f76d6de77e",
            "value": "rule M_APT_BACKDOOR_MOPSLED_1\r\n{\r\n\tmeta:\r\n\t\tauthor = \"Mandiant\"\r\n\tstrings:\r\n\t\t$x = { e8 ?? ?? ?? ?? 85 c0 0f 85 ?? ?? ?? ?? 4? 8d ?? ?4 \r\n?8 be ?? ?? ?? ?? e8 ?? ?? ?? ?? 84 c0 0f 84 ?? ?? ?? ?? 4? 8b 94 \r\n?? ?? ?? ?? ?? 4? 8b 44 ?? ?? 4? 89 e1 [0-6]  be ?? ?? ?? ?? b? ?? ?? \r\n?? ?? 4? 89 10 8b 94 ?? ?? ?? ?? ?? [0-6] 89 50 08 4? 8b 54 ?? ?? \r\nc7 42 0c ?? ?? ?? ?? e8 ?? ?? ?? ?? }\r\n    condition:\r\n          uint32(0) == 0x464c457f and uint8(4) == 2 and filesize < 5MB and $x\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1770875167",
        "uuid": "8e502611-4cc5-4408-89a1-c37806aea391",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "VIRTUALGATE DROPPER",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1770875167",
            "to_ids": true,
            "type": "md5",
            "uuid": "1f49989e-4630-4900-8604-457e3ec44e29",
            "value": "3c7316012cba3bbfa8a95d7277cda873",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "VIRTUALGATE DROPPER",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1770875167",
            "to_ids": true,
            "type": "sha1",
            "uuid": "f78cce5f-98b6-4635-9a80-fc5683e397af",
            "value": "d6a57b9aaa20fe4f3330f5979979081af09a4232",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "VIRTUALGATE DROPPER",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1770875167",
            "to_ids": true,
            "type": "sha256",
            "uuid": "9f6a05ca-2a29-473d-9ca0-a58690f38584",
            "value": "1893523f2a4d4e7905f1b688c5a81b069f06b3c3d8c0ff9d16620468d117edbb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1770875167",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "7d82a339-9fe3-4ab7-b44d-fb2e29c6bda1",
            "value": "3072:r58eFcfsGa/nxv1ekqQgR3KWF0OM+MRq8IufDkeQzSYWRNcomBEceSXCp:9EKd1ek6RlF0NWuYnQRNciceSXCp"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1770875167",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "53c60e33-635f-41d9-87f2-b990e119c588",
            "value": "196096"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1770875167",
            "to_ids": true,
            "type": "vhash",
            "uuid": "d4515771-c98f-437a-b5e9-04fb4345829f",
            "value": "015076655d755515555az4b!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1770875167",
            "to_ids": true,
            "type": "filename",
            "uuid": "b149c6b1-6961-45e7-b24b-4da51db74604",
            "value": "avp.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 12/02/2026\nLast-scan: 28/01/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1770875167",
            "to_ids": false,
            "type": "text",
            "uuid": "894396ca-050d-4005-89f1-4141f9781da4",
            "value": "VIRTUALGATE DROPPER\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Virtualgate!MSR\nVT Total Detection: 54/72\nFirst Submission: 2022-03-24T15:18:13.000000+00:00\nLast Submission: 2022-10-17T03:51:46.000000+00:00"
          }
        ]
      }
    ]
  }
}