{
  "Event": {
    "analysis": "1",
    "date": "2026-03-12",
    "extends_uuid": "",
    "info": "[Threat Intel] China-nexus Threat Actor Targets Persian Gulf Region With PlugX",
    "protected": false,
    "publish_timestamp": "1776392237",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1776392231",
    "uuid": "065c7eb5-94eb-4b83-bc05-579bb46cacc9",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#6dbaba",
        "local": false,
        "name": "misp-galaxy:producer=\"Zscaler\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Bahrain\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:country=\"china\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"PlugX\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"MUSTANG PANDA\"",
        "relationship_type": ""
      },
      {
        "colour": "#47d9d3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#9edfba",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malware - T1587.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#5bb38b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malware - T1588.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#f5a258",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Native API - T1106\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b95cd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
        "relationship_type": ""
      },
      {
        "colour": "#b76d96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Upload Malware - T1608.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#02475d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Command Shell - T1059.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#5c57c8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Service - T1543.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#08b028",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Asymmetric Cryptography - T1573.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Compiled HTML File - T1218.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Compression - T1027.015\"",
        "relationship_type": ""
      },
      {
        "colour": "#256f6a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"DLL - T1574.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Double File Extension - T1036.007\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Dynamic API Resolution - T1027.007\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Embedded Payloads - T1027.009\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted/Encoded File - T1027.013\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c0051",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#c295b4",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Internal Proxy - T1090.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Junk Code Insertion - T1027.016\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b0fe1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Masquerade Task or Service - T1036.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#7da4ad",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Match Legitimate Resource Name or Location - T1036.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#e12cbc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Non-Application Layer Protocol - T1095\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#657ac3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Protocol Tunneling - T1572\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Reflective Code Loading - T1620\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Security Software Discovery - T1518.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#3c0f50",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Software Packing - T1027.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#56c932",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Symmetric Cryptography - T1573.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#1c006d",
        "local": false,
        "name": "rectifyq:topic=\"geopolitical\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"APT\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773658817",
        "to_ids": false,
        "type": "link",
        "uuid": "bc0187b8-e7f0-4d86-aeea-6e1b5f16ec31",
        "value": "https://www.zscaler.com/blogs/security-research/china-nexus-threat-actor-targets-persian-gulf-region-plugx"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773658817",
        "to_ids": false,
        "type": "text",
        "uuid": "2fe642d2-9ac0-4565-a9dc-beb49a617a19",
        "value": "A China-nexus threat actor targeted countries in the Persian Gulf region using a multi-stage attack chain to deploy a PlugX backdoor variant. The campaign exploited the renewed Middle East conflict, using an Arabic-language document lure depicting missile attacks. The attack utilized a ZIP archive containing a malicious Windows shortcut file, which downloaded a CHM file leading to the deployment of PlugX. The malware employed various obfuscation techniques, including control flow flattening and mixed boolean arithmetic. The PlugX variant supported HTTPS for command-and-control communication and DNS-over-HTTPS for domain resolution. Based on the tools and tactics used, the activity is attributed to a China-nexus actor, possibly linked to Mustang Panda."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773658817",
        "to_ids": false,
        "type": "text",
        "uuid": "bf5397f5-74d4-404f-acfb-7cc44dae21b1",
        "value": "Name: China-nexus Threat Actor Targets Persian Gulf Region With PlugX\nAuthor: AlienVault\nAdversary: Mustang Panda\nTags: [\"china-nexus\", \"korplug\", \"middle east conflict\", \"destroyrat\", \"kaba\", \"sogu\", \"thoper\", \"plugx\"]\nTargeted countries: [\"Bahrain\"]\nMalware families: [\"PlugX - S0013\", \"Thoper\", \"TVT\", \"DestroyRAT\", \"Sogu\", \"Kaba\", \"Korplug\"]\nAttack_ids: []\nIndustries: [\"Defense\", \"Government\"]"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773658817",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "03b4fbe1-40fc-4f3a-9ba1-40a9c4d88f72",
        "value": "Mustang Panda"
      },
      {
        "category": "Payload delivery",
        "comment": "Decrypted and decompressed PlugX backdoor. No sample in VT.\r\nLast check: 20/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773999113",
        "to_ids": true,
        "type": "md5",
        "uuid": "5109f55b-9380-4749-a55a-dff7f98a8d56",
        "value": "43622a9b16021a5fb053e89ea5cb2c4c",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Shellcode loader. No sample in VT.\r\nLast check: 20/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773999114",
        "to_ids": true,
        "type": "md5",
        "uuid": "fd5c7f83-3a38-4aa1-8fd8-dd29ca85d623",
        "value": "4f6ea828ab0456539cf7d79af90acf87",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#230087",
            "local": false,
            "name": "rectifyq:samples-found-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Decrypted shellcode. No sample in VT.\r\nLast check: 20/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773999115",
        "to_ids": true,
        "type": "md5",
        "uuid": "67fd5009-8074-42c8-a2fa-4f2419efa7fb",
        "value": "93a98995ebfd672793b3413606211fa3",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "TAR archive. No sample in VT.\r\nLast check: 20/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773999116",
        "to_ids": true,
        "type": "md5",
        "uuid": "5c9dd8b4-1db3-4ff0-a3ed-1d6624f279b4",
        "value": "a158f22a6bf5e3678a499c3a2b039b16",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#230087",
            "local": false,
            "name": "rectifyq:samples-found-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Stage 2 malicious Windows shortcut LNK file. No sample in VT.\r\nLast check: 20/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773999118",
        "to_ids": true,
        "type": "md5",
        "uuid": "ecff98d4-eeff-4b1f-b901-8de37b35ff86",
        "value": "b92e4615bb8026a593f0a72451285140",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Encrypted shellcode. No sample in VT.\r\nLast check: 20/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773999119",
        "to_ids": true,
        "type": "md5",
        "uuid": "0e081f0f-51a3-449b-ab64-397134810fc9",
        "value": "bf298f5b0ea62640f538922b32b8c3ed",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Decoy PDF file used as a social engineering lure. No sample in VT.\r\nLast check: 20/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773999121",
        "to_ids": true,
        "type": "md5",
        "uuid": "d91dacb1-0562-462f-8a65-94b02d6737d3",
        "value": "da91acba97f7d2935149d80142df8ec9",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Encrypted shellcode. No sample in VT.\r\nLast check: 20/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773999122",
        "to_ids": true,
        "type": "sha1",
        "uuid": "8a82e2cd-aa12-4cb2-a3d9-a3949d5d9085",
        "value": "2d70a3f331278b490361d3f7274082f69184209d",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Shellcode loader. No sample in VT.\r\nLast check: 20/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773999124",
        "to_ids": true,
        "type": "sha1",
        "uuid": "73bc4c7f-1fe1-4bc4-bb14-3950a334d4ff",
        "value": "31817d5baa9cc6ff22c172652ef312b7300c18a2",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#230087",
            "local": false,
            "name": "rectifyq:samples-found-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Decrypted shellcode. No sample in VT.\r\nLast check: 20/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773999126",
        "to_ids": true,
        "type": "sha1",
        "uuid": "1a94c752-52d4-47ac-8fd0-bb4c5d8eb3dd",
        "value": "537044b0c8930522aa1bbbf6220077b36abcdf54",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "TAR archive. No sample in VT.\r\nLast check: 20/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773999127",
        "to_ids": true,
        "type": "sha1",
        "uuid": "d5162af0-0fa9-44bb-a4dc-9f76146e4c7f",
        "value": "a5e42ac01e59d61c582e696edfde76452e35a43c",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#230087",
            "local": false,
            "name": "rectifyq:samples-found-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Decrypted and decompressed PlugX backdoor. No sample in VT.\r\nLast check: 20/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773999129",
        "to_ids": true,
        "type": "sha1",
        "uuid": "7bbc7181-22e1-443c-8744-b8d1c8da7ba0",
        "value": "bdf4b77508c9295a2e70736ee6d689722f67802e",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Stage 2 malicious Windows shortcut LNK file. No sample in VT.\r\nLast check: 20/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773999130",
        "to_ids": true,
        "type": "sha1",
        "uuid": "ee318765-1da2-43c4-a8a4-66a6244cb363",
        "value": "e15c3ff555a30dff5b66333492eed43e07ec72a1",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Decoy PDF file used as a social engineering lure. No sample in VT.\r\nLast check: 20/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773999131",
        "to_ids": true,
        "type": "sha1",
        "uuid": "85e39e7a-bf17-455d-871f-ea8e36c85b15",
        "value": "ec955e2b6874159c63578d6bb85fe67117d45508",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Decrypted shellcode. No sample in VT.\r\nLast check: 20/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773999132",
        "to_ids": true,
        "type": "sha256",
        "uuid": "273cc0d4-9d5d-4fe0-958e-ab8c9f7bdc82",
        "value": "014192c07267294116115d867b1dd48d851f0fa4c011cd96e4c5a5f81a6d1de3",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Stage 2 malicious Windows shortcut LNK file. No sample in VT.\r\nLast check: 20/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773999133",
        "to_ids": true,
        "type": "sha256",
        "uuid": "10f2b08b-5bc7-439b-862d-ae8c37c633b5",
        "value": "10df3c46624c416f44764d7903b8079bc797c967284afc5bc333eeba0fdbba18",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Encrypted shellcode. No sample in VT.\r\nLast check: 20/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773999134",
        "to_ids": true,
        "type": "sha256",
        "uuid": "913733ad-749e-4385-931b-7e492d3bd99e",
        "value": "1ddbed0328a60bb4f725b4ef798d5d14f29c04f7ffe9a7a6940cacb557119a1c",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "TAR archive. No sample in VT\r\nLast check:20/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773999135",
        "to_ids": true,
        "type": "sha256",
        "uuid": "d6839296-1b49-47c7-9aea-8beb740f1a98",
        "value": "5adae26409c6576f95270ce9ca3877df3ee60849c18540fd92c0c9c974ba2f6d",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#230087",
            "local": false,
            "name": "rectifyq:samples-found-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Shellcode loader. No sample in VT\r\nLast check:20/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773999136",
        "to_ids": true,
        "type": "sha256",
        "uuid": "e7380245-0246-4fe3-8398-4e1af8d18078",
        "value": "c78eb1cecef5f865b6d150adcf67fa5712c5a16b94f1618c32191e61fbe69590",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#230087",
            "local": false,
            "name": "rectifyq:samples-found-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Decoy PDF file used as a social engineering lure. No sample in VT\r\nLast check:20/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773999139",
        "to_ids": true,
        "type": "sha256",
        "uuid": "d3b986d6-807a-426e-8dc9-4af263c9797b",
        "value": "e50a4069e173256498e9e801b8f0dcda5a217290869300055ad8a854d4ea210c",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Decrypted and decompressed PlugX backdoor. No sample in VT\r\nLast check:20/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773999141",
        "to_ids": true,
        "type": "sha256",
        "uuid": "682a2f56-6ca9-4b3f-8ac8-ed16bda77821",
        "value": "ef7a813124fd19d11bb5d944cb95779f5fe09ff5a18c26399002759d4b0d66e7",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "C2 IP",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774000514",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "60069fbb-1152-408e-9830-55c621cf4314",
        "value": "91.193.17.117",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Hostname of the URL hosting the CHM file",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774000536",
        "to_ids": true,
        "type": "hostname",
        "uuid": "251fc8d2-748f-4fd4-a42d-e913cfca9e0b",
        "value": "www.360printsol.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "URL hosting the CHM file",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774000559",
        "to_ids": true,
        "type": "url",
        "uuid": "3af0d7a6-6589-4b8d-b5b7-fe1f0e5f6f61",
        "value": "https://www.360printsol.com/2026/alfadhalah/thumbnail?img=index.png",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776392231",
        "to_ids": false,
        "type": "link",
        "uuid": "cbd3185b-6dcf-4328-84f1-f3c454d06bdf",
        "value": "https://www.zscaler.com/blogs/security-research/china-nexus-threat-actor-targets-arabian-gulf-region-plugx"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1774000580",
        "uuid": "5081807b-ac3a-430d-86d4-9c271faf305c",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "ZIP archive containing the LNK",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1774000580",
            "to_ids": true,
            "type": "md5",
            "uuid": "70e4b7a9-0e77-4cd0-84c0-74cab4f23cd6",
            "value": "20eb9f216a1177ee539a012e6301a93e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ZIP archive containing the LNK",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1773999110",
            "to_ids": true,
            "type": "sha1",
            "uuid": "f4b96001-db05-4b3d-9631-5a55fb139ae2",
            "value": "43c36b06573aeadabb55fd46c55a68c41a16ecc7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ZIP archive containing the LNK",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1773999110",
            "to_ids": true,
            "type": "sha256",
            "uuid": "2ee9fa55-908e-4232-8e26-84d26abb8dd2",
            "value": "733a0a0ead4fc38173d7e30c7f2e14442ede32507e8adcbb8d3bd719fd2079d0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1773998009",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "dbf671e1-13f5-43fd-87e6-0b53bab076fa",
            "value": "12:5jUN1Hx2tL3V5OjUXBQgC9p2APvaUWqyXoU/4BgYcs9/8EBCG451NdN2a2:9CxK7VYCBQgCj2APvaUByXf4ks9/8cxT"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1773998009",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "a540ec08-cbc9-4ade-9515-89343932cf68",
            "value": "708"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1773998009",
            "to_ids": true,
            "type": "vhash",
            "uuid": "5b8049c6-288d-49c3-8e8b-5a1c3b3104cf",
            "value": "fd2b20a5f97c40c14e37ab9dbfecb0ba"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1773998009",
            "to_ids": true,
            "type": "filename",
            "uuid": "afe46f4f-33fe-4052-8ca0-453994ffa546",
            "value": "photo_2026-03-01_01-20-48.zip"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/03/2026\nLast-scan\t:  20/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1773998009",
            "to_ids": false,
            "type": "text",
            "uuid": "3f384a36-a2ce-4bae-afd9-b9c18ee6bc80",
            "value": "ZIP archive containing the LNK\r\nType Description: ZIP\nMicrosoft: None\nVT Total Detection:19/66\nFirst Submission:2026-03-01T17:45:21.000000+00:00\nLast Submission:2026-03-01T17:45:21.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1774000602",
        "uuid": "c0b1cdfd-9d60-4542-9765-fadca3ff31fd",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Stage 1 malicious Windows shortcut LNK file",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1774000602",
            "to_ids": true,
            "type": "md5",
            "uuid": "73a1d2e9-ae1b-429e-b5b7-51052651921a",
            "value": "eb27bbc29b36ae9c66970654925d8c3b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Stage 1 malicious Windows shortcut LNK file",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1773999111",
            "to_ids": true,
            "type": "sha1",
            "uuid": "f63dc7c5-d38e-4a5c-b489-87787bb660b3",
            "value": "e3dc5ef72a9d08790f2f21726fa270b77dea3803",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Stage 1 malicious Windows shortcut LNK file",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1773999111",
            "to_ids": true,
            "type": "sha256",
            "uuid": "3aacb32b-5db7-4034-8d42-b1722df69d3f",
            "value": "fa3a1153018ac1e1a35a65e445a2bad33eac582c225cf6c38d0886802481cd43",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1773998187",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "991ae1e2-7888-43e8-875d-97fb9034e0b5",
            "value": "12:8d/KiNFQuVk1Ki4u5YoDbTWlTv+UcWf5F4SelvlEfbLVj6h0bdpYrn1Il6:8d/X/FIYoalTvdcWYs/Vj6mdd6"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1773998187",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "85ae0230-8b13-4f59-8a83-a9e89fd93dd8",
            "value": "851"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1773998187",
            "to_ids": true,
            "type": "vhash",
            "uuid": "5cd866a8-1c41-4eb5-aa4e-d352f2713d5d",
            "value": "d0b74fadcd6526ea4920eb45f0006f94"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1773998187",
            "to_ids": true,
            "type": "filename",
            "uuid": "d6133c6d-773f-4814-b003-7731b4319ff0",
            "value": "photo_2026-03-01_01-20-48.pdf.lnk"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/03/2026\nLast-scan\t:  20/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1773998187",
            "to_ids": false,
            "type": "text",
            "uuid": "3e9f8e9d-7d1c-4ce2-869b-2b4bb23fe62f",
            "value": "Stage 1 malicious Windows shortcut LNK file\r\nType Description: Windows shortcut\nMicrosoft: Trojan:LNK/Malgent!MSR\nVT Total Detection:25/62\nFirst Submission:2026-03-01T17:50:27.000000+00:00\nLast Submission:2026-03-02T10:37:47.000000+00:00"
          }
        ]
      }
    ]
  }
}