{ "Event": { "analysis": "1", "date": "2026-04-22", "extends_uuid": "", "info": "[Threat Intel] APT Group Expands Toolset With New GoGra Linux Backdoor", "protected": false, "publish_timestamp": "1779544372", "published": true, "threat_level_id": "2", "timestamp": "1779544372", "uuid": "00b35736-bcf9-4c0f-9f27-4b5906c6a089", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#892644", "local": false, "name": "misp-galaxy:producer=\"Symantec\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#9c8729", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Create or Modify System Process - T1543\"", "relationship_type": "" }, { "colour": "#4985d8", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Boot or Logon Autostart Execution - T1547\"", "relationship_type": "" }, { "colour": "#ff841f", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Application Layer Protocol - T1071\"", "relationship_type": "" }, { "colour": "#d4fd6f", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Impair Defenses - T1562\"", "relationship_type": "" }, { "colour": "#bce57a", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Web Service - T1567\"", "relationship_type": "" }, { "colour": "#75ec20", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Masquerading - T1036\"", "relationship_type": "" }, { "colour": "#36a9d8", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Account Discovery - T1087\"", "relationship_type": "" }, { "colour": "#20f80d", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\"", "relationship_type": "" }, { "colour": "#b24806", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Indicator Removal - T1070\"", "relationship_type": "" }, { "colour": "#0c0051", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"", "relationship_type": "" }, { "colour": "#9e0269", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Web Service - T1102\"", "relationship_type": "" }, { "colour": "#3780c6", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"", "relationship_type": "" }, { "colour": "#a9f8b1", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"", "relationship_type": "" }, { "colour": "#1b95cd", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"", "relationship_type": "" }, { "colour": "#7628f7", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Unix Shell - T1059.004\"", "relationship_type": "" }, { "colour": "#ad5a96", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Hijack Execution Flow - T1574\"", "relationship_type": "" }, { "colour": "#e08bb2", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"", "relationship_type": "" }, { "colour": "#356c41", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"", "relationship_type": "" }, { "colour": "#07a4a1", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Data Encoding - T1132\"", "relationship_type": "" }, { "colour": "#30cc3b", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"File Deletion - T1070.004\"", "relationship_type": "" }, { "colour": "#86e845", "local": false, "name": "misp-galaxy:target-information=\"Afghanistan\"", "relationship_type": "" }, { "colour": "#013748", "local": false, "name": "misp-galaxy:target-information=\"India\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#10003d", "local": false, "name": "rectifyq:sub-category=\"TA-profile\"", "relationship_type": "" }, { "colour": "#130049", "local": false, "name": "rectifyq:sub-category=\"campaign-analysis\"", "relationship_type": "" }, { "colour": "#f1dfed", "local": false, "name": "rectifyq:TA-category=\"APT\"", "relationship_type": "" }, { "colour": "#f1dfed", "local": false, "name": "rectifyq:TA-category=\"State-Sponsored\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#31373d", "local": false, "name": "rectifyq:MY-relevancy=\"not-relevant\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:malpedia=\"GoGra\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776913210", "to_ids": false, "type": "link", "uuid": "bb07bbb8-fd15-4aeb-9c7a-71a107d64418", "value": "https://www.security.com/blog-post/harvester-new-linux-backdoor-gogra" }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1776913210", "to_ids": false, "type": "text", "uuid": "c284dfb2-08ef-4564-b3aa-f9f38803d664", "value": "The Harvester APT group has developed a highly-evasive Linux version of its GoGra backdoor that leverages Microsoft Graph API and Outlook mailboxes as a covert command-and-control channel to bypass traditional network defenses. Initial VirusTotal submissions originated from India and Afghanistan, indicating these regions as primary targets. The attackers use social engineering with tailored decoy documents masquerading as legitimate files, including references to Indian food delivery services. The backdoor uses hardcoded Azure AD credentials to poll mailboxes every two seconds, executing commands received via email and exfiltrating results back to operators. Analysis confirms this Linux variant shares nearly identical code with a previously known Windows version, including matching spelling errors, demonstrating the group's multi-platform development strategy and continued expansion of capabilities targeting South Asia for espionage purposes." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1776913210", "to_ids": false, "type": "text", "uuid": "a4625f33-4b17-48a6-bd6a-05f66ce7dbf7", "value": "Name: APT Group Expands Toolset With New GoGra Linux Backdoor\nAuthor: AlienVault\nAdversary: Harvester\nTags: [\"graphon\", \"south asia espionage\", \"cross-platform\", \"gogra\", \"linux backdoor\", \"microsoft graph api\", \"azure ad abuse\", \"nation-state\"]\nTgtd countries: [\"Afghanistan\", \"British Indian Ocean Territory\", \"India\"]\nMlwr families: [\"GoGra\", \"Graphon\"]\nAttack_ids: [\"T1543\", \"T1547\", \"T1071\", \"T1562\", \"T1567\", \"T1036\", \"T1087\", \"T1059\", \"T1070\", \"T1083\", \"T1102\", \"T1204\", \"T1041\", \"T1566\", \"T1059.004\", \"T1574\", \"T1027\", \"T1573\", \"T1132\", \"T1070.004\"]\nIndustries: []" }, { "category": "Attribution", "comment": "Adversary", "deleted": false, "disable_correlation": false, "timestamp": "1776913210", "to_ids": false, "type": "threat-actor", "uuid": "87694d61-f7e1-454f-a79e-1a6983e69ef1", "value": "Harvester" }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:26/04/2026", "deleted": false, "disable_correlation": false, "timestamp": "1779544372", "to_ids": true, "type": "md5", "uuid": "a82ed284-046d-411a-a5d2-8ad5dedb9fc2", "value": "b14ca5898a4e4133bbce2ea2315a1916", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1778203502", "to_ids": false, "type": "link", "uuid": "a11fe58f-710e-4a94-975a-c43e0c5e94a7", "value": "https://www.security.com/threat-intelligence/harvester-new-linux-backdoor-gogra" } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1779544359", "uuid": "1a5f8f59-99af-457c-bcb3-b7c96f06d0cc", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1779544358", "to_ids": true, "type": "md5", "uuid": "6284e469-3883-48a0-bf61-18eb106614f4", "value": "8f1af2175403195726957dc58fe64821", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1779544359", "to_ids": true, "type": "sha1", "uuid": "f323d3e6-86d6-456a-b022-2422c25d7cdd", "value": "c78c6f9b78e9503ab1a079010cf12a6182ec4d43", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1779544359", "to_ids": true, "type": "sha256", "uuid": "9116ff48-78e1-4300-92b0-5ff8845d3d5d", "value": "2d0177a00bed31f72b48965bee34cec04cb5be8eeea66ae0bb144f77e4d439b1", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1777213244", "to_ids": true, "type": "ssdeep", "uuid": "a24ed99c-006d-47d3-a8d4-88a1c52fc59b", "value": "98304:ETc+Yfpj741MC2X86dZnIeAsTi9U2luEXsa:ETaRSoLn91Ip" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1777213244", "to_ids": false, "type": "size-in-bytes", "uuid": "3e86e995-73d7-45d4-bb4f-7e7a6fcd69de", "value": "7799076" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1777213244", "to_ids": true, "type": "vhash", "uuid": "e6bf30b0-e3f0-4018-bff5-c099ee48ea40", "value": "95da6b3d7a5039c08f3f554c59bc1751" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1777213244", "to_ids": true, "type": "filename", "uuid": "f777d0c3-237b-47a5-bb70-b433f03628aa", "value": "2d0177a00bed31f72b48965bee34cec04cb5be8eeea66ae0bb144f77e4d439b1.elf" }, { "category": "Other", "comment": "Checked: 26/04/2026\nLast-scan\t: 24/04/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1777213244", "to_ids": false, "type": "text", "uuid": "cd4cdaf9-c5db-4763-a143-1689692bc788", "value": "Type Description: ELF\nMicrosoft: Program:Linux/Multiverze!rfn\nVT Total Detection:28/64\nFirst Submission:2025-12-27T19:37:30.000000+00:00\nLast Submission:2026-01-13T02:59:58.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1779544362", "uuid": "f9cf219c-a39b-4027-a9c4-4c8e58332ea5", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1779544361", "to_ids": true, "type": "md5", "uuid": "0d44f3ff-1ff6-4f72-a335-65b8e30747f6", "value": "abfe90bd06b0781a075ed23757822816", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1779544362", "to_ids": true, "type": "sha1", "uuid": "46cf7423-d38b-451b-afc7-fc6291695e2d", "value": "afce743ccdd089a4132aad647ed47ba13b3f83b0", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1779544362", "to_ids": true, "type": "sha256", "uuid": "f3743b30-27a9-4fe5-a708-90e3b4e4fc20", "value": "57cd5721bae65c29e58121b5a9b00487a83b6c37dded56052cab2a67f90ea943", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1777213266", "to_ids": true, "type": "ssdeep", "uuid": "fe8d2aa2-afa2-4450-b1e2-6d8f2d73e85d", "value": "98304:6ytZW4WMohKECe5dHu2AuDIeOtnkL4gDuwQ8M3Rp:6y3WhM+K4VfAUIbgDP/Yp" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1777213266", "to_ids": false, "type": "size-in-bytes", "uuid": "85e1daa2-6b8f-4164-8ce7-cce2cad5f582", "value": "3368710" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1777213266", "to_ids": true, "type": "vhash", "uuid": "e11f3f8c-efa9-42e9-971d-150ebde23ccc", "value": "e5f62abe0a15abf4b5588f0554d529e8" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1777213266", "to_ids": true, "type": "filename", "uuid": "ec03f154-5fad-4de1-b138-fd22061940af", "value": "57cd5721bae65c29e58121b5a9b00487a83b6c37dded56052cab2a67f90ea943.zip" }, { "category": "Other", "comment": "Checked: 26/04/2026\nLast-scan\t: 25/04/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1777213266", "to_ids": false, "type": "text", "uuid": "be4d1091-9ab6-4a37-a91c-5ca5d289218d", "value": "Type Description: ZIP\nMicrosoft: None\nVT Total Detection:31/67\nFirst Submission:2026-01-02T07:39:52.000000+00:00\nLast Submission:2026-01-02T07:39:52.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1779544365", "uuid": "529dcc0f-c586-4525-98df-0d4a54852e30", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1779544364", "to_ids": true, "type": "md5", "uuid": "21f36571-9ca8-4f92-a5ac-a71ff15c65b8", "value": "d69cc848443b63eb0ae8d05a6ecfba5e", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1779544365", "to_ids": true, "type": "sha1", "uuid": "a2db4cad-e59c-4f9a-a4bd-2d1e4f8f206d", "value": "a225c68ddfaa81bc3f13bbfc65a85b4e047e8aa5", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1779544365", "to_ids": true, "type": "sha256", "uuid": "29fe5c17-0f64-4bd7-b2ab-f0971892612d", "value": "74ac41406ce7a7aa992f68b4b3042f980027526f33ec6c8d84cb26f20495c9dc", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1777213288", "to_ids": true, "type": "ssdeep", "uuid": "5000e059-8f8b-426c-9b52-a90889b3653c", "value": "49152:FiWCtw/c7AY0f/RumyvpkqahV8sP5nea3cFYmxVnfa6++t7h7qz5lR3SHHFxMAp6:ArtUn8myBghqsjm/nfVHONGMnE8v" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1777213288", "to_ids": false, "type": "size-in-bytes", "uuid": "ef2f7a56-e037-4afc-9543-0fd577f4971c", "value": "7708856" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1777213288", "to_ids": true, "type": "vhash", "uuid": "7ef2fb32-361d-4c63-9355-ebbec966f089", "value": "bed0051c03c0b002224d3a09f64bb907" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1777213288", "to_ids": true, "type": "filename", "uuid": "31589115-4b8c-47d5-9b51-53d6ef40947d", "value": "74ac41406ce7a7aa992f68b4b3042f980027526f33ec6c8d84cb26f20495c9dc.elf" }, { "category": "Other", "comment": "Checked: 26/04/2026\nLast-scan\t: 24/04/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1777213288", "to_ids": false, "type": "text", "uuid": "41c0de2d-d221-4978-8d01-abbfad38f25f", "value": "Type Description: ELF\nMicrosoft: Trojan:Linux/Multiverze!rfn\nVT Total Detection:28/64\nFirst Submission:2025-12-21T09:45:50.000000+00:00\nLast Submission:2025-12-21T09:45:50.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1779544368", "uuid": "1510eab4-22d2-475f-a21b-82e6efbbdf78", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1779544367", "to_ids": true, "type": "md5", "uuid": "e64d4479-0ea0-41b4-bb5d-7bc4ae1b7231", "value": "1e8a11249ac38ca948a10308cc333a47", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1779544367", "to_ids": true, "type": "sha1", "uuid": "5eeecc1a-3d8b-419d-9664-fbb7a95daca2", "value": "4d9ae84166f2083a1ee7f3e7a0b3581e4b41bc4b", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1779544368", "to_ids": true, "type": "sha256", "uuid": "1c02011f-5e48-4c19-812d-6da47ea72cef", "value": "9c23c65a8a392a3fd885496a5ff2004252f1ad4388814b20e5459695280b0b82", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1777213309", "to_ids": true, "type": "ssdeep", "uuid": "0c29671c-880e-46b5-8cbd-07782376a048", "value": "98304:jPxoLUMn741MC2X86dZnIeAsTi9U2luEDjR:jP1ySoLn91Ih" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1777213309", "to_ids": false, "type": "size-in-bytes", "uuid": "c6cba6f2-466b-4f49-890f-814f88081def", "value": "7819556" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1777213309", "to_ids": true, "type": "vhash", "uuid": "2d80612d-40db-4413-af50-776e97268bbe", "value": "95da6b3d7a5039c08f3f554c59bc1751" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1777213309", "to_ids": true, "type": "filename", "uuid": "2029702e-9c93-4d19-a80d-9d204e5221a7", "value": "9c23c65a8a392a3fd885496a5ff2004252f1ad4388814b20e5459695280b0b82.elf" }, { "category": "Other", "comment": "Checked: 26/04/2026\nLast-scan\t: 24/04/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1777213309", "to_ids": false, "type": "text", "uuid": "1154a9fd-7e12-4fd5-be00-04d57b210b4e", "value": "Type Description: ELF\nMicrosoft: Trojan:Linux/Multiverze!rfn\nVT Total Detection:30/64\nFirst Submission:2026-01-02T07:40:11.000000+00:00\nLast Submission:2026-01-02T07:40:11.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1779544371", "uuid": "7b5139d3-fb19-4b73-b097-7709cdbe1dfc", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1779544370", "to_ids": true, "type": "md5", "uuid": "1581ee20-6dc3-4419-beae-ff9a886c742c", "value": "7bf2191620c2cca5f8238834149ba470", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1779544370", "to_ids": true, "type": "sha1", "uuid": "28d70d25-fb29-4024-828d-df9a94bb5708", "value": "7f58210fa9fb9a154a8c9b4d595f10c3ef7f79ec", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1779544371", "to_ids": true, "type": "sha256", "uuid": "c4fbcb13-3c7c-44b3-bb5b-81dea1ed1db3", "value": "d8d84eaba9b902045ae4fe044e9761ad0ce9051b85feea3f1cf9c80b59b2b123", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1777213331", "to_ids": true, "type": "ssdeep", "uuid": "1c607009-4f93-4a9f-8e46-21d69cfa8b86", "value": "98304:GmD/z43ImUuObeMtjzSnkH4d0pXyDslPlwGEm9lv9R+L:GmD/zbD3bb5zcwBiDsrYm9l1C" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1777213331", "to_ids": false, "type": "size-in-bytes", "uuid": "d05e7602-9062-4c55-abca-bdd2fa09b291", "value": "3345396" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1777213331", "to_ids": true, "type": "vhash", "uuid": "bd5fd738-890c-4c8d-a60f-0d4b700dd1d9", "value": "c2f6e73cc03c94b20a2782a052021fef" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1777213331", "to_ids": true, "type": "filename", "uuid": "11a17889-b5d6-46b4-b9bc-eef1deb1c4f9", "value": "d8d84eaba9b902045ae4fe044e9761ad0ce9051b85feea3f1cf9c80b59b2b123.zip" }, { "category": "Other", "comment": "Checked: 26/04/2026\nLast-scan\t: 24/04/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1777213331", "to_ids": false, "type": "text", "uuid": "90a74eb1-3895-4f10-b130-178f1f7ba74c", "value": "Type Description: ZIP\nMicrosoft: None\nVT Total Detection:27/67\nFirst Submission:2025-12-30T02:59:31.000000+00:00\nLast Submission:2025-12-30T02:59:31.000000+00:00" } ] } ] } }