{
  "Event": {
    "analysis": "1",
    "date": "2026-04-02",
    "extends_uuid": "",
    "info": "[Threat Intel] A Technique-Based Approach to Hunting Web-Delivered Malware",
    "protected": false,
    "publish_timestamp": "1775975035",
    "published": true,
    "threat_level_id": "4",
    "timestamp": "1775975035",
    "uuid": "095b84a6-d41c-4b3b-ac59-72de809f1b50",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#b40719",
        "local": false,
        "name": "misp-galaxy:producer=\"censys\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#150050",
        "local": false,
        "name": "rectifyq:sub-category=\"report\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"XWorm\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775271609",
        "to_ids": false,
        "type": "link",
        "uuid": "79a9bd83-b1fb-400a-9494-73ff521a3841",
        "value": "https://censys.com/blog/technique-based-approach-hunting-web-delivered-malware/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775271609",
        "to_ids": false,
        "type": "text",
        "uuid": "9504f6e9-5236-4df5-8c16-d8b27d1e4e85",
        "value": "This report presents a technique-based approach to HTTP body hunting using Censys that directly addresses the tension discussed in the source report, and demonstrates its effectiveness by walking through a live discovery: a ClickFix campaign delivering XWorm V5.6 through a 5-stage attack chain."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775271609",
        "to_ids": false,
        "type": "text",
        "uuid": "8dfb98c3-e8a3-4b9c-aaf7-0c22d11e48af",
        "value": "Name: A Technique-Based Approach to Hunting Web-Delivered Malware\nAuthor: AlienVault\nAdversary: \nTags: []\nTgtd countries: []\nMlwr families: []\nAttack_ids: []\nIndustries: []"
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:12/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775973328",
        "to_ids": true,
        "type": "sha256",
        "uuid": "d9e7a57e-714e-4d06-8b91-4b39514f5056",
        "value": "b67d8db2f53547b4a5b070b736cd93cbdf3ece21109972d54f193e8ede0b584b",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:12/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775973329",
        "to_ids": true,
        "type": "sha256",
        "uuid": "52c7b476-7a99-4955-8dfa-4211f773e2f4",
        "value": "c52314cea0d81acd337cec2f968e55d20c52aca4504d7c452842cd1dcfb9fdf1",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775973755",
        "to_ids": true,
        "type": "url",
        "uuid": "878fb9bc-58cf-4789-8d61-19a51aa6ea69",
        "value": "https://4a-m.al/ConvertedFile.txt",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775973777",
        "to_ids": true,
        "type": "url",
        "uuid": "36136e4f-d37d-4db2-976d-f444b8332742",
        "value": "https://4a-m.al/ConvertedFile.txt.",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775973798",
        "to_ids": true,
        "type": "url",
        "uuid": "de9bccf3-4ee9-43bd-baea-6e00852cca53",
        "value": "https://4a-m.al/ConvertedFile.txtStage",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775973819",
        "to_ids": true,
        "type": "url",
        "uuid": "e2cb3cfe-07e0-49d9-b693-ea47574804a6",
        "value": "https://orcanmedikal.com.tr/tool.hta",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775973840",
        "to_ids": true,
        "type": "url",
        "uuid": "00594179-fe67-46a8-8fd6-688ec5e6d917",
        "value": "https://orcanmedikal.com.tr/tool.htaStage",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775973861",
        "to_ids": true,
        "type": "domain",
        "uuid": "c3fa512f-36df-4dd0-b723-67920d828d78",
        "value": "4a-m.al",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775973882",
        "to_ids": true,
        "type": "domain",
        "uuid": "b5831965-0f8c-4b42-8c92-2f41f20556e8",
        "value": "orcanmedikal.com.tr",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "C2 Host",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775973904",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "0d452f09-1d1e-4bc9-9b01-0679cc186e79",
        "value": "86.106.85.194",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775973924",
        "to_ids": true,
        "type": "hostname",
        "uuid": "6dfc744b-aed4-4909-baf4-76fdddbb78d4",
        "value": "orcanmedikal.com.tr",
        "Tag": [
          {
            "colour": "#669ae5",
            "local": false,
            "name": "AlreadyExistsError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Same ClickFix page",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775973945",
        "to_ids": true,
        "type": "hostname",
        "uuid": "f58da099-e5f4-4b41-8f41-727c7464fac6",
        "value": "mail.orcanmedikal.com.tr",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Same ClickFix page",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775973967",
        "to_ids": true,
        "type": "hostname",
        "uuid": "1ed60083-0958-4b95-a393-19eb3a6750bf",
        "value": "www.orcanmedikal.com.tr",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Stage 3 steganographic JPEG (removed / gone dark)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775973988",
        "to_ids": true,
        "type": "url",
        "uuid": "7bcfa133-032b-454c-93a6-a01dce42f739",
        "value": "https://archive.org/download/optimized_msi_20250904/optimized_MSI.png",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775974009",
        "uuid": "d33b4ce8-8902-40d3-923f-8eea6f86ab3a",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775974009",
            "to_ids": true,
            "type": "md5",
            "uuid": "f401c355-36f5-4ae6-87c0-f6a24b13076e",
            "value": "46912c7ccc19ec28668f1e2771c37eed",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775973322",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e2dfe733-a466-4e96-8da7-7fb29ec5bf97",
            "value": "6c36798e0205584677dabd2579954130d8f87774",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775973323",
            "to_ids": true,
            "type": "sha256",
            "uuid": "94697cd4-b338-4375-9afc-2a0daac7797f",
            "value": "7e13561d794f7065e9cb3afc319acc7ac9861b4cf653082c1a11d5cc25a5d1f1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775972839",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "fa2a93c5-c5bb-4796-8aa7-01fbd0e077e4",
            "value": "768:kQ2A5Unv1+tybbH/UASLKygbFf9YGOMh23fPd:92A5Unv1+oHHMVKyoFf9YGOMYHd"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775972839",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "b4195a2b-a93f-404a-8883-7476a9812bf1",
            "value": "36864"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775972839",
            "to_ids": true,
            "type": "vhash",
            "uuid": "c602ce66-8b13-481c-9fb7-85923f021505",
            "value": "23403655151170772b110020"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775972839",
            "to_ids": true,
            "type": "filename",
            "uuid": "1da546db-8c9f-4953-91c9-6bd28952b481",
            "value": "SecondDirect.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 12/04/2026\nLast-scan\t:  23/12/2025",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775972839",
            "to_ids": false,
            "type": "text",
            "uuid": "ab0b0772-f5f6-4f28-be4c-e4d6e6d06f45",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:MSIL/AsyncRAT!atmn\nVT Total Detection:57/72\nFirst Submission:2025-09-17T23:12:20.000000+00:00\nLast Submission:2025-09-17T23:12:20.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775974030",
        "uuid": "47511d7f-1173-43d5-baea-af6f11d757f8",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "HTA with Unicode emoji obfuscation, served from orcanmedikal[.]com[.]tr",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775974030",
            "to_ids": true,
            "type": "md5",
            "uuid": "0326003c-9fa1-4ec3-8b89-0ec17540ba16",
            "value": "6eecd66ae05253ef93d83ece6b821d8b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "HTA with Unicode emoji obfuscation, served from orcanmedikal[.]com[.]tr",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775973323",
            "to_ids": true,
            "type": "sha1",
            "uuid": "a7d06626-4eb1-45c1-83ed-194ad4b73ba8",
            "value": "d0be9720e53dd93884774b65067db5991ee96d51",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "HTA with Unicode emoji obfuscation, served from orcanmedikal[.]com[.]tr",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775973323",
            "to_ids": true,
            "type": "sha256",
            "uuid": "5804b88d-d259-4cd4-be4d-ca31ef9c612c",
            "value": "020668f00325631bec2b9c6dd8596d7744e118f68424fdbb28eb2a318f3a7adf",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775972861",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "27a09dab-6ec9-44d9-9bb5-1a88e7d5f957",
            "value": "1536:/8rGfZx04DPPI8Lcsq6LzS85Ea56QJF4irAk341NoBrGH:qGfZx0yPPI8d28SLQJbO"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775972861",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "65e809d1-a638-4b39-8f91-b1e2764b609e",
            "value": "109874"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775972861",
            "to_ids": true,
            "type": "vhash",
            "uuid": "1d95da96-da59-47d2-b966-cc0f3ebeac3c",
            "value": "ffe10e9c76e6c72bf05ab38c20f8431a"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775972861",
            "to_ids": true,
            "type": "filename",
            "uuid": "a88a1f47-3ba1-4809-9b0b-419526ece0ec",
            "value": "tool.hta"
          },
          {
            "category": "Other",
            "comment": "Checked: 12/04/2026\nLast-scan\t:  07/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775972861",
            "to_ids": false,
            "type": "text",
            "uuid": "b9cdd03b-0592-417b-a7dd-811e82fcfa71",
            "value": "HTA with Unicode emoji obfuscation, served from orcanmedikal[.]com[.]tr\r\nType Description: HTML\nMicrosoft: TrojanDownloader:JS/RemcosRAT.RVF!MTB\nVT Total Detection:28/62\nFirst Submission:2026-03-18T20:00:42.000000+00:00\nLast Submission:2026-04-03T18:15:56.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775974052",
        "uuid": "65c538ae-e482-43b6-ba16-a86b3f91b86c",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775974052",
            "to_ids": true,
            "type": "md5",
            "uuid": "dbc50412-c378-4a9c-8ad7-e7fd5f103a6a",
            "value": "8b2051f5e2d428947bdee1e903029343",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775973325",
            "to_ids": true,
            "type": "sha1",
            "uuid": "76bed182-912f-4451-b651-7fadecc858dc",
            "value": "6b7283d633691e75f1dc9d78a5c5fe12e52ae0f1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775973325",
            "to_ids": true,
            "type": "sha256",
            "uuid": "4551ea59-bd39-4d89-aea0-275710d9f7c9",
            "value": "656991f4dabe0e5d989be730dac86a2cf294b6b538b08d7db7a0a72f0c6c484b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775972882",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "0ff04783-c5db-4432-b102-f0407bfab155",
            "value": "24576:8+EhkjixLXR+bG/f29mFusqa+n0tkR5JoZh73VVPYDlJ0K3x0cGPM0wgHGnv3UcN:8UixbItdTrJoFVPMvXGNzkx"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775972882",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "fd0e68b2-9db2-4245-b3a0-cb6666a52442",
            "value": "2900144"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775972882",
            "to_ids": true,
            "type": "filename",
            "uuid": "d8b5d045-19ed-4827-95fc-7b49516e4ed5",
            "value": "stego"
          },
          {
            "category": "Other",
            "comment": "Checked: 12/04/2026\nLast-scan: 07/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775972882",
            "to_ids": false,
            "type": "text",
            "uuid": "2213b3f5-7c30-4384-816c-743c22c730f9",
            "value": "Type Description: JPEG\nMicrosoft: None\nVT Total Detection:14/61\nFirst Submission:2026-02-16T01:40:55.000000+00:00\nLast Submission:2026-02-27T12:24:26.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775974073",
        "uuid": "fc238f34-4f48-43de-b9cd-3b448789b4c3",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "PhantomVAI loader extracted from JPEG. PE32 .NET DLL, 1.1 MB. Babel-obfuscated.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775974073",
            "to_ids": true,
            "type": "md5",
            "uuid": "b69e8ecd-f3ec-40ec-aaa3-8be90f03ef43",
            "value": "34e90568af4dcd40f4f04174ec326e2a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "PhantomVAI loader extracted from JPEG. PE32 .NET DLL, 1.1 MB. Babel-obfuscated.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775973326",
            "to_ids": true,
            "type": "sha1",
            "uuid": "27011cfa-3b01-4025-abb7-c59cfe963a94",
            "value": "aff537f1ab0f8b502691fc3a791de715af23b30b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "PhantomVAI loader extracted from JPEG. PE32 .NET DLL, 1.1 MB. Babel-obfuscated.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775973326",
            "to_ids": true,
            "type": "sha256",
            "uuid": "c71aaf4b-bda6-4a4f-ae1b-c8186691f345",
            "value": "adc2f550e7ff2b707a070ffaa50fc367af6a01c037f1f5b347c444cca3c9a650",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775972904",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "788b0ae5-fecd-42d8-b5bf-a6d19346b21d",
            "value": "6144:QhGGc7TlhQeyJZPv0+R0r9X77TWIzPzRIvA3KcJ/TgXey7XWmk6WaJVYkZsuSbcj:3lCtv0GI6gavACL7XWmTJVoQLkexCs"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775972904",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "ae38c91b-a178-466c-89b1-7c7562225162",
            "value": "1132032"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775972904",
            "to_ids": true,
            "type": "vhash",
            "uuid": "d4b17565-1263-415e-abac-99f98e887bf8",
            "value": "31603655151990716ff84aa231e"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775972904",
            "to_ids": true,
            "type": "filename",
            "uuid": "e4e5ab1c-583b-4364-8761-f591f7d69cd7",
            "value": "Microsoft.Win32.TaskScheduler.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 12/04/2026\nLast-scan: 07/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775972904",
            "to_ids": false,
            "type": "text",
            "uuid": "2e4ed3b4-89e1-4613-a02d-7564073eaa04",
            "value": "PhantomVAI loader extracted from JPEG. PE32 .NET DLL, 1.1 MB. Babel-obfuscated.\nType Description: Win32 DLL\nMicrosoft: Backdoor:MSIL/Caminho.ARP!AMTB\nVT Total Detection:50/72\nFirst Submission:2026-02-16T01:29:13.000000+00:00\nLast Submission:2026-02-26T17:01:19.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775974095",
        "uuid": "0526ad63-9a18-4bc1-bbe7-522d8f44790e",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Reversed + base64-encoded XWorm payload, downloaded from 4a-m[.]al",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775974095",
            "to_ids": true,
            "type": "md5",
            "uuid": "e11754d0-2ddb-4f0e-bd24-9e79ba4afe04",
            "value": "e013048d6ae5bb1289e36c9742b58934",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Reversed + base64-encoded XWorm payload, downloaded from 4a-m[.]al",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775973327",
            "to_ids": true,
            "type": "sha1",
            "uuid": "328c14a4-ab23-4fb6-8f91-74e5772f7975",
            "value": "a91542050b09fe8dae321c113c9f657a7e1cd110",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Reversed + base64-encoded XWorm payload, downloaded from 4a-m[.]al",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775973327",
            "to_ids": true,
            "type": "sha256",
            "uuid": "fe61b762-7b6d-47e9-8067-4c86f36b65f0",
            "value": "6f67c7441e31d448502050c9783a1032c307946323f29e41a82fb19915c59531",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775972969",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "1fc79ee4-22bd-4bda-8c20-cf1d359f7929",
            "value": "1536:iaWt1jtxgw9o7leVFr+nRd5Lht89oGdN+Vg:hWVxxeYVqn5Lh6amN+Vg"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775972969",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "a2e1f7ef-b571-4eea-81dd-5b91c460b7a2",
            "value": "49155"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775972969",
            "to_ids": true,
            "type": "filename",
            "uuid": "ee5615d7-2e7a-413e-891a-127e76bc0ffd",
            "value": "ConvertedFile.txt"
          },
          {
            "category": "Other",
            "comment": "Checked: 12/04/2026\nLast-scan: 06/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775972969",
            "to_ids": false,
            "type": "text",
            "uuid": "5996bf4e-9ac4-4fc1-ab8b-f59d6e9db8b9",
            "value": "Reversed + base64-encoded XWorm payload, downloaded from 4a-m[.]al\nType Description: Powershell\nMicrosoft: None\nVT Total Detection:21/62\nFirst Submission:2025-09-17T23:12:16.000000+00:00\nLast Submission:2025-10-17T21:35:12.000000+00:00"
          }
        ]
      }
    ]
  }
}