{
  "Event": {
    "analysis": "1",
    "date": "2026-04-23",
    "extends_uuid": "",
    "info": "[Threat Intel] Phishing Attack via Adobe-Themed Lure Delivering ScreenConnect and Credential Harvesting Tools",
    "protected": false,
    "publish_timestamp": "1779545377",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1779545376",
    "uuid": "03a26498-a07a-401a-a777-d9624403826b",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#72ee33",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#47d9d3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#c202a1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1566.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#ff841f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Application Layer Protocol - T1071\"",
        "relationship_type": ""
      },
      {
        "colour": "#b672a4",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task/Job - T1053\"",
        "relationship_type": ""
      },
      {
        "colour": "#f5a258",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Native API - T1106\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9bb6d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Password Stores - T1555\"",
        "relationship_type": ""
      },
      {
        "colour": "#e00500",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote Access Tools - T1219\"",
        "relationship_type": ""
      },
      {
        "colour": "#682cad",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote Services - T1021\"",
        "relationship_type": ""
      },
      {
        "colour": "#bf01b7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"",
        "relationship_type": ""
      },
      {
        "colour": "#20f80d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\"",
        "relationship_type": ""
      },
      {
        "colour": "#3780c6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b95cd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#356c41",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"",
        "relationship_type": ""
      },
      {
        "colour": "#2e58ce",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Input Capture - T1056\"",
        "relationship_type": ""
      },
      {
        "colour": "#fdd85e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Access Token Manipulation - T1134\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776942034",
        "to_ids": false,
        "type": "text",
        "uuid": "bbef9b45-86af-40b6-b7ab-2468d046cfe5",
        "value": "A phishing campaign used a fraudulent Adobe-themed website to trick victims into downloading and executing the ScreenConnect remote access software. Once initial access was established, the threat actors conducted interactive operations, deploying multiple malicious binaries including a credential harvesting tool named password.exe. The attackers also abused the ms-phone URI handler to launch the Phone Link application, attempting to socially engineer victims into linking their mobile devices so that notifications, authentication prompts, and other sensitive information could potentially be captured. The attack demonstrates a multi-stage compromise focused on establishing persistence, stealing credentials, and preparing for potential lateral movement across the victim's network infrastructure."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776942034",
        "to_ids": false,
        "type": "text",
        "uuid": "3cc840cd-042d-4c91-a170-e80e327ad5f1",
        "value": "Name: Phishing Attack via Adobe-Themed Lure Delivering ScreenConnect and Credential Harvesting Tools\nAuthor: AlienVault\nAdversary: \nTags: [\"adobe lure\", \"phishing\", \"phone link\", \"screenconnect\", \"uri handler exploitation\", \"social engineering\", \"credential harvesting\", \"password.exe\", \"remote access\"]\nTgtd countries: []\nMlwr families: [\"ScreenConnect\", \"password.exe\"]\nAttack_ids: [\"T1056.001\", \"T1204.002\", \"T1566.002\", \"T1071\", \"T1053\", \"T1106\", \"T1140\", \"T1555\", \"T1219\", \"T1021\", \"T1112\", \"T1059\", \"T1204\", \"T1566\", \"T1027\", \"T1573\", \"T1056\", \"T1134\", \"T1105\"]\nIndustries: []"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777610204",
        "to_ids": true,
        "type": "domain",
        "uuid": "0d99fdea-6aff-4a11-8d0a-df8c3ff5c79f",
        "value": "multifixcargas.com.br",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777610226",
        "to_ids": true,
        "type": "url",
        "uuid": "aa047809-add1-4cd8-9851-def1a5a68e66",
        "value": "https://still-smoke-8dac.matthewrobertoo6467.workers.dev/en/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777610246",
        "to_ids": true,
        "type": "hostname",
        "uuid": "a71d018c-8317-47aa-b481-753f9402e9ca",
        "value": "multifixcargas.com.br",
        "Tag": [
          {
            "colour": "#669ae5",
            "local": false,
            "name": "AlreadyExistsError",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545374",
        "uuid": "ac84ee38-e2ac-4588-8241-9710ad5e06b0",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545373",
            "to_ids": true,
            "type": "md5",
            "uuid": "84dd9bd1-44b3-4c28-9d3a-b48cdbbad108",
            "value": "acc881b7521ca6366c5f90c72b51dc2e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545373",
            "to_ids": true,
            "type": "sha1",
            "uuid": "35e0a5d3-510f-4c64-b533-4427cabb861d",
            "value": "e9a8787578e17b125187a03eae9e2db0be407601",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545374",
            "to_ids": true,
            "type": "sha256",
            "uuid": "9f27b57a-4a71-4de3-a2f8-a61604cadada",
            "value": "18399555137b889a51eb543ddf01b3b7471a6e20453ee24801f8895528e7632f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777607506",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "401b46b6-2cb5-4ded-82b6-ad236a03e254",
            "value": "384:+rWfxrCdjm3JFu237ftCauokwlwAJmxOjrzJUunRRsfOQ8gwGYCAIVmOPOegSVTY:+aZrC6FkArzqSR2GdGYCAIVX7VtMW"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777607506",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "fc06fbcb-521c-4d44-800a-2d3dc5f4fd71",
            "value": "25088"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777607506",
            "to_ids": true,
            "type": "vhash",
            "uuid": "4e7e0c61-c5d9-4aea-a70c-bd219e6b9d84",
            "value": "22403675151150829172010"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777607506",
            "to_ids": true,
            "type": "filename",
            "uuid": "8e904de3-5078-4f96-8924-f5cc2f6043b8",
            "value": "WindowsPassKey.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/05/2026\nLast-scan: 24/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777607506",
            "to_ids": false,
            "type": "text",
            "uuid": "e2d76a7d-aac7-4421-adfc-cc458e3441d6",
            "value": "Type Description: Win32 EXE\nMicrosoft: None\nVT Total Detection: 20/71\nFirst Submission: 2025-07-16T13:45:11.000000+00:00\nLast Submission: 2026-04-16T20:05:46.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545376",
        "uuid": "183fabe9-a0c2-42c8-9398-dd2e05d24605",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545376",
            "to_ids": true,
            "type": "md5",
            "uuid": "ff846dd7-69b7-420e-adda-a823d92d0e3f",
            "value": "b3a2e37d066b444de23e1f98790a9fc1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545376",
            "to_ids": true,
            "type": "sha1",
            "uuid": "576d0e36-aa87-4b66-9412-cc0354fca91a",
            "value": "e81ba20e4b62ee5bb4648e57cd4811084dfab5c9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545376",
            "to_ids": true,
            "type": "sha256",
            "uuid": "a4bcdd44-d8ef-4a4c-a6fb-6b21ce0764c9",
            "value": "499d07894f730fb685ee3cbfc1a933e0da93750c1ed25a49b2eb9c32adef156a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777607527",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "f104eed1-e073-4223-b799-0f7ada72d189",
            "value": "768:3fxuxf6fmm8WxUc1/zQOeqjM5vteTs4UNicsy8XwyCsRmXLbv66Nur3neufIwWGJ:3fxuxf6ftZjivteTsnNiTXwyBRObi977"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777607527",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "8e9d05f4-3039-4e68-9f5d-2d0a14d7f501",
            "value": "47616"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777607527",
            "to_ids": true,
            "type": "vhash",
            "uuid": "7b9386eb-7d42-4f00-a40f-efc4981a164b",
            "value": "2440367515110082d141021"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777607527",
            "to_ids": true,
            "type": "filename",
            "uuid": "61b28d21-a696-4b40-99a4-8dbb83b51c1a",
            "value": "phonepc.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/05/2026\nLast-scan: 30/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777607527",
            "to_ids": false,
            "type": "text",
            "uuid": "1892cb8e-de9e-48dc-9493-357987f72208",
            "value": "Type Description: Win32 EXE\nMicrosoft: None\nVT Total Detection: 11/71\nFirst Submission: 2025-05-29T20:01:17.000000+00:00\nLast Submission: 2026-03-30T12:22:02.000000+00:00"
          }
        ]
      }
    ]
  }
}