{
  "Event": {
    "analysis": "1",
    "date": "2026-04-20",
    "extends_uuid": "",
    "info": "[Threat Intel] FakeWallet crypto stealer spreading in the App Store",
    "protected": false,
    "publish_timestamp": "1776783220",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1776783220",
    "uuid": "1bd68ddc-1404-4e40-81ec-57648323e2a1",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"Kaspersky\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#ed66f6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Steal Web Session Cookie - T1539\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9bb6d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Password Stores - T1555\"",
        "relationship_type": ""
      },
      {
        "colour": "#75ec20",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Masquerading - T1036\"",
        "relationship_type": ""
      },
      {
        "colour": "#c9dbdd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Stage Capabilities - T1608\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9f8b1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#3b33aa",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Subvert Trust Controls - T1553\"",
        "relationship_type": ""
      },
      {
        "colour": "#356c41",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"",
        "relationship_type": ""
      },
      {
        "colour": "#2e58ce",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Input Capture - T1056\"",
        "relationship_type": ""
      },
      {
        "colour": "#52d590",
        "local": false,
        "name": "misp-galaxy:target-information=\"China\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#170059",
        "local": false,
        "name": "rectifyq:topic=\"mobile-attack\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#1a0065",
        "local": false,
        "name": "rectifyq:topic=\"crypto-related\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776740408",
        "to_ids": false,
        "type": "link",
        "uuid": "2fee3904-1b04-49a5-acac-7bffb8803f09",
        "value": "https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776740408",
        "to_ids": false,
        "type": "text",
        "uuid": "2d4eb96a-3af9-4db7-a990-d6e3a9b8b1db",
        "value": "In March 2026, over twenty phishing applications were discovered in the Apple App Store masquerading as popular cryptocurrency wallets. These malicious apps redirect users to browser pages distributing trojanized versions of legitimate wallets engineered to steal recovery phrases and private keys. The campaign has been active since at least fall 2025, targeting major wallets including MetaMask, Ledger, Trust Wallet, Coinbase, TokenPocket, imToken, and Bitpie. The infected apps use iOS provisioning profiles for installation and employ library injection techniques to hijack legitimate code. The threat primarily targets users in China where official crypto wallet apps are regionally restricted. Some infected apps also contained SparkKitty modules, suggesting possible links between threat actors. The malware encrypts the stolen credentials with RSA and exfiltrates them to command-and-control servers."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776740408",
        "to_ids": false,
        "type": "text",
        "uuid": "1a72f98c-c353-40dd-966d-d4eae40d614f",
        "value": "Name: FakeWallet crypto stealer spreading in the App Store\nAuthor: AlienVault\nAdversary: \nTags: [\"sparkkitty\", \"credential theft\", \"fakewallet\", \"ios\", \"provisioning profiles\", \"app store\", \"phishing apps\", \"cryptocurrency wallet\"]\nTgtd countries: [\"China\"]\nMlwr families: [\"FakeWallet\", \"SparkKitty\"]\nAttack_ids: [\"T1539\", \"T1555\", \"T1036\", \"T1608\", \"T1041\", \"T1027\", \"T1553\", \"T1573\", \"T1056\"]\nIndustries: []"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776773655",
        "to_ids": true,
        "type": "domain",
        "uuid": "d4ef2705-5a6a-4a52-869d-820c6e776262",
        "value": "appstoreios.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776773676",
        "to_ids": true,
        "type": "domain",
        "uuid": "6ad4cc4b-a2e9-4ee1-85ee-25f7aa2cedf8",
        "value": "iosfc.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776773698",
        "to_ids": true,
        "type": "url",
        "uuid": "2c043639-f927-4952-9328-1cf11b18ba86",
        "value": "https://139.180.139.209/prod-api/system/confData/getUserConfByKey/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776773719",
        "to_ids": true,
        "type": "url",
        "uuid": "775d4383-f373-4c94-8b31-6274ad872238",
        "value": "https://6688cf.jhxrpbgq.com/6axqkwuq",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776773740",
        "to_ids": true,
        "type": "url",
        "uuid": "ab3a354b-de12-4b65-98ee-697408a9f293",
        "value": "https://api.dc1637.xyz",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776773761",
        "to_ids": true,
        "type": "url",
        "uuid": "345dce72-4a3e-4f21-b516-643868b7f4d0",
        "value": "https://api.npoint.io/153b165a59f8f7d7b097",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776773783",
        "to_ids": true,
        "type": "url",
        "uuid": "79192781-ecf4-4dd7-9604-5a7396377173",
        "value": "https://appstoreios.com/DjZH?key=646556306F6Q465O313L737N3332939Y353I830F31",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776773804",
        "to_ids": true,
        "type": "url",
        "uuid": "b473c507-8662-48a8-b966-6492041438c2",
        "value": "https://crypto-stroe.cc/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776773825",
        "to_ids": true,
        "type": "url",
        "uuid": "7b140f95-a8ef-4c61-93b1-93c64cf6046c",
        "value": "https://helllo2025.com/api/open/postByTokenpocket",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776773846",
        "to_ids": true,
        "type": "url",
        "uuid": "061e98ba-4667-4e57-9cc1-4cc4c12a29ab",
        "value": "https://iosfc.com/ledger/ios/Rsakeycatch.php",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776773867",
        "to_ids": true,
        "type": "url",
        "uuid": "5d98f23a-6512-4831-bbcd-7a05c3b2c28a",
        "value": "https://kkkhhhnnn.com/api/open/postByTokenpocket",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776773889",
        "to_ids": true,
        "type": "url",
        "uuid": "70ab1827-c656-41e9-ba34-4fa6f6fcb164",
        "value": "https://mgi1y.siyangoil.com/vmzLvi4Dh/1Dd0m4BmAuhVVCbzF",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776773910",
        "to_ids": true,
        "type": "url",
        "uuid": "95d7a941-5751-4d0d-9936-0e4515a866a7",
        "value": "https://mti4ywy4.lahuafa.com/UVB2U/mw2ZmvXKUEbzI0n",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776773932",
        "to_ids": true,
        "type": "url",
        "uuid": "6243c4c7-9041-4c79-af66-8d36c0e9cfde",
        "value": "https://mtjln.siyangoil.com/08dT284P/1ZMz5Xmb0EoQZVvS5",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776773953",
        "to_ids": true,
        "type": "url",
        "uuid": "a8b28ff3-dc84-47ed-af0c-4fbe9b471c4a",
        "value": "https://mziyytm5ytk.ahroar.com/kAN2pIEaariFb8Yc",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776773974",
        "to_ids": true,
        "type": "url",
        "uuid": "06722be1-0a9e-477d-88ba-0bd6226110c7",
        "value": "https://ngy2yjq0otlj.ahroar.com/17pIWJfr9DBiXYrSb",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776773996",
        "to_ids": true,
        "type": "url",
        "uuid": "6450b57f-558f-4392-a6a3-e9c455c6ee88",
        "value": "https://ngy2yjq0otlj.ahroar.com/EpCXMKDMx1roYGJ",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776774017",
        "to_ids": true,
        "type": "url",
        "uuid": "37b789c4-bcec-477b-9cd5-59416461602c",
        "value": "https://nmu8n.com/tpocket/ios/Rsakeyword.php",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776774038",
        "to_ids": true,
        "type": "url",
        "uuid": "118ef17d-d171-4fb9-a5da-72ff81b590d1",
        "value": "https://ntm0mdkzymy3n.oukwww.com/7nhn7jvv5YieDe7P?0e7b9c78e=686989d97cf0d70346cbde2031207cbf",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776774059",
        "to_ids": true,
        "type": "url",
        "uuid": "679b4769-3c6a-4bde-9987-aa46248a0240",
        "value": "https://ntm0mdkzymy3n.oukwww.com/jFms03nKTf7RIZN8?61f68b07f8=0565364633b5acdd24a498a6a9ab4eca",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776774081",
        "to_ids": true,
        "type": "url",
        "uuid": "357eb55f-b861-4901-811b-e483e9c78d21",
        "value": "https://nziwytu5n.lahuafa.com/10RsW/mw2ZmvXKUEbzI0n",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776774102",
        "to_ids": true,
        "type": "url",
        "uuid": "05668837-8cc0-4c2f-b497-4e266b3a62f1",
        "value": "https://odm0.siyangoil.com/TYTmtV8t/JG6T5nvM1AYqAcN",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776774124",
        "to_ids": true,
        "type": "url",
        "uuid": "e0de2c71-20d6-454d-82be-9d7bd2a9343e",
        "value": "https://sxsfcc.com/api/open/postByTokenpocket",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776774145",
        "to_ids": true,
        "type": "url",
        "uuid": "76185382-583c-4962-950d-bc6792633d2c",
        "value": "https://www.gxzhrc.cn/download/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776774166",
        "to_ids": true,
        "type": "url",
        "uuid": "fe8adbbf-dc87-47e5-aac1-c150bec8c155",
        "value": "https://xz.apps-store.im/CqDq?key=646R563V6F6Y465K313J737G343C3352383R336O35",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776774188",
        "to_ids": true,
        "type": "url",
        "uuid": "9b57cc68-1f02-4692-a78b-c417cf306c88",
        "value": "https://xz.apps-store.im/DjZH?key=646B563L6F6N4657313B737U3436335E3833331737",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776774209",
        "to_ids": true,
        "type": "url",
        "uuid": "f188928e-48c1-4ed6-a128-b3684a446b55",
        "value": "https://xz.apps-store.im/s/dDan?key=646756376F6A465D313L737J333993473233038L39&c=",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776774230",
        "to_ids": true,
        "type": "url",
        "uuid": "9cd73186-8991-43f6-b332-6b8ea9828e77",
        "value": "https://xz.apps-store.im/s/iuXt?key=646Y563Y6F6H465J313X737U333S9342323N030R34&c=",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776774251",
        "to_ids": true,
        "type": "url",
        "uuid": "59cbf4a6-036d-4f51-90c0-567434703bf2",
        "value": "https://yjzhengruol.com/s/3f605f",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776774272",
        "to_ids": true,
        "type": "url",
        "uuid": "ead010b0-9540-400f-88cc-f495909f5dc7",
        "value": "https://zdrhnmjjndu.ulbcl.com/7uchSEp6DIEAqux?a3f65e=417ae7f384c49de8c672aec86d5a2860",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776774293",
        "to_ids": true,
        "type": "url",
        "uuid": "eda8e5a5-009b-4f0c-89c0-f0d16c033e9c",
        "value": "https://zdrhnmjjndu.ulbcl.com/tWe0ASmXJbDz3KGh?4a1bbe6d=31d25ddf2697b9e13ee883fff328b22f",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776774315",
        "to_ids": true,
        "type": "url",
        "uuid": "0878b4d6-0f82-49c1-99e5-18485026b311",
        "value": "https://zmx6f.com/btp/ios/receiRsakeyword.php",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776774336",
        "to_ids": true,
        "type": "domain",
        "uuid": "aa569a56-8e87-4920-8ab1-f5629be6736a",
        "value": "crypto-stroe.cc",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776774357",
        "to_ids": true,
        "type": "domain",
        "uuid": "7a74bcbd-94b1-4d2a-a5a7-4cc68bef6514",
        "value": "helllo2025.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776774378",
        "to_ids": true,
        "type": "domain",
        "uuid": "ce0c1421-8669-4397-afbd-29ad10943a43",
        "value": "kkkhhhnnn.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776774399",
        "to_ids": true,
        "type": "domain",
        "uuid": "dac291b1-3748-472b-a5e7-0249bb8d2808",
        "value": "nmu8n.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776774420",
        "to_ids": true,
        "type": "domain",
        "uuid": "e75fd3d7-dae4-4644-9ac8-bbbd94c91980",
        "value": "sxsfcc.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776774441",
        "to_ids": true,
        "type": "domain",
        "uuid": "a090c7c9-122b-41f5-a4a4-ce343a7d191e",
        "value": "yjzhengruol.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776774463",
        "to_ids": true,
        "type": "domain",
        "uuid": "64219ecf-6d9a-417b-9406-6391c405e7b9",
        "value": "zmx6f.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776774484",
        "to_ids": true,
        "type": "hostname",
        "uuid": "578e76b4-8ae9-4cb6-adf7-e7c4a0fb9eac",
        "value": "6688cf.jhxrpbgq.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776774505",
        "to_ids": true,
        "type": "hostname",
        "uuid": "c748b519-8253-426e-8e1d-92e16e53c609",
        "value": "api.dc1637.xyz",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776774526",
        "to_ids": true,
        "type": "hostname",
        "uuid": "38568a4d-7031-451b-aae6-47bbf3bbd595",
        "value": "mgi1y.siyangoil.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776774547",
        "to_ids": true,
        "type": "hostname",
        "uuid": "7b5dc540-96d6-4219-a781-364b9bb8faa7",
        "value": "mti4ywy4.lahuafa.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776774568",
        "to_ids": true,
        "type": "hostname",
        "uuid": "3a577136-73f6-4853-a8b9-ca678e953bd0",
        "value": "mtjln.siyangoil.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776774590",
        "to_ids": true,
        "type": "hostname",
        "uuid": "1da97d09-d053-4b02-9657-829d7b773492",
        "value": "mziyytm5ytk.ahroar.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776774611",
        "to_ids": true,
        "type": "hostname",
        "uuid": "efdef22b-4b7c-43d3-aac7-19f80d2433e7",
        "value": "ngy2yjq0otlj.ahroar.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776774632",
        "to_ids": true,
        "type": "hostname",
        "uuid": "63318fad-c79e-4b6d-8199-afdcd58869ff",
        "value": "ntm0mdkzymy3n.oukwww.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776774653",
        "to_ids": true,
        "type": "hostname",
        "uuid": "b1b783ff-6ad9-4143-a9bb-176f96f2bbcc",
        "value": "nziwytu5n.lahuafa.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776774675",
        "to_ids": true,
        "type": "hostname",
        "uuid": "22e870ca-e45d-45e1-9651-05cc37f1ca95",
        "value": "odm0.siyangoil.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776774696",
        "to_ids": true,
        "type": "hostname",
        "uuid": "6060855d-e123-486f-930a-98cc24275c13",
        "value": "www.gxzhrc.cn",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776774717",
        "to_ids": true,
        "type": "hostname",
        "uuid": "0b29bf8b-94fa-4fe7-a73c-9124ac3ca04f",
        "value": "xz.apps-store.im",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776774739",
        "to_ids": true,
        "type": "hostname",
        "uuid": "19bf6ba3-8e3e-449c-858f-fb880ba00f19",
        "value": "zdrhnmjjndu.ulbcl.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Infected cryptowallet IPA file. No sample in VT.\r\nLast check: 21/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776773594",
        "to_ids": true,
        "type": "md5",
        "uuid": "ce68b85b-df0c-4cc4-8c22-8c7abace6671",
        "value": "4126348d783393dd85ede3468e48405d",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Infected cryptowallet IPA file. No sample in VT.\r\nLast check: 21/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776773595",
        "to_ids": true,
        "type": "md5",
        "uuid": "b2f7d3b6-35c5-4c11-b270-9e22fb2ce59b",
        "value": "b639f7f81a8faca9c62fd227fef5e28c",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Infected cryptowallet IPA file. No sample in VT.\r\nLast check: 21/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776773596",
        "to_ids": true,
        "type": "md5",
        "uuid": "aee8c051-127a-40ff-9b43-5e7d9da871ee",
        "value": "d48b580718b0e1617afc1dec028e9059",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Infected cryptowallet IPA file. No sample in VT.\r\nLast check: 21/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776773596",
        "to_ids": true,
        "type": "md5",
        "uuid": "1d2c6fd3-2f42-493d-9cb1-a1d317e64321",
        "value": "bafba3d044a4f674fc9edc67ef6b8a6b",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Infected cryptowallet IPA file. No sample in VT.\r\nLast check: 21/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776773597",
        "to_ids": true,
        "type": "md5",
        "uuid": "91318d3d-962d-4f89-8c1b-a07f0f748a58",
        "value": "79fe383f0963ae741193989c12aefacc",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Infected cryptowallet IPA file. No sample in VT.\r\nLast check: 21/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776773598",
        "to_ids": true,
        "type": "md5",
        "uuid": "9c59dcb6-05fd-4a50-ab81-0a16e9618db0",
        "value": "8d45a67b648d2cb46292ff5041a5dd44",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Infected cryptowallet IPA file. No sample in VT.\r\nLast check: 21/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776773600",
        "to_ids": true,
        "type": "md5",
        "uuid": "4113e64a-77da-4833-a410-46deb389c879",
        "value": "7e678ca2f01dc853e85d13924e6c8a45",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Malicious dylib file. No sample in VT.\r\nLast check: 21/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776773600",
        "to_ids": true,
        "type": "md5",
        "uuid": "4e58f7d2-240d-4abd-b9f7-8d967598acef",
        "value": "be9e0d516f59ae57f5553bcc3cf296d1",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Malicious dylib file. No sample in VT.\r\nLast check: 21/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776773601",
        "to_ids": true,
        "type": "md5",
        "uuid": "927f9ec4-351b-4630-8944-49869baf1fd1",
        "value": "fd0dc5d4bba740c7b4cc78c4b19a5840",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Malicious dylib file. No sample in VT.\r\nLast check: 21/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776773602",
        "to_ids": true,
        "type": "md5",
        "uuid": "b8eb9c36-ee84-468f-8f26-ffd6f2b592e1",
        "value": "7b4c61ff418f6fe80cf8adb474278311",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Malicious dylib file. No sample in VT.\r\nLast check: 21/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776773603",
        "to_ids": true,
        "type": "md5",
        "uuid": "3f41a890-0a23-4dcc-8a77-5af7e5141c9b",
        "value": "8cbd34393d1d54a90be3c2b53d8fc17a",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Malicious dylib file. No sample in VT.\r\nLast check: 21/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776773604",
        "to_ids": true,
        "type": "md5",
        "uuid": "0d8d0e32-161e-47a2-809b-d1078b96ce1e",
        "value": "d138a63436b4dd8c5a55d184e025ef99",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Malicious dylib file. No sample in VT.\r\nLast check: 21/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776773605",
        "to_ids": true,
        "type": "md5",
        "uuid": "38196c86-a167-408e-80b6-7a5a41f4d3da",
        "value": "5bdae6cb778d002c806bb7ed130985f3",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Malicious React Native application. No sample in VT.\r\nLast check: 21/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776773607",
        "to_ids": true,
        "type": "md5",
        "uuid": "1ba2a920-60f3-4102-b95c-c6cf933a0983",
        "value": "84c81a5e49291fe60eb9f5c1e2ac184b",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Phishing HTML for infected Ledger Live app file. No sample in VT.\r\nLast check: 21/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776773607",
        "to_ids": true,
        "type": "md5",
        "uuid": "2760cbd4-cb08-470b-9db0-e291fbdfeb77",
        "value": "19733e0dfa804e3676f97eff90f2e467",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Malicious Android file. No sample in VT.\r\nLast check: 21/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776773608",
        "to_ids": true,
        "type": "md5",
        "uuid": "eed1f6d0-9a0f-4497-992c-33557fa5455b",
        "value": "8f51f82393c6467f9392fb9eb46f9301",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776774760",
        "uuid": "7c879a67-4749-4798-8031-b123ad4a0618",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Malicious Android file",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776774760",
            "to_ids": true,
            "type": "md5",
            "uuid": "d2253898-983e-477a-a7aa-750e2edb708d",
            "value": "114721fbc23ff9d188535bd736a0d30e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Malicious Android file",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776773592",
            "to_ids": true,
            "type": "sha1",
            "uuid": "044b666f-f6bd-4ed2-99fd-00a4556c5e41",
            "value": "6781288a3db42f0ddef920b37cee5ea19d1706c2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Malicious Android file",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776773592",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f5b5cff5-ef83-44b2-82f2-fe5bb9cdcc0b",
            "value": "ce5cb685b831d3eec4c86ca50b110827e7ad1f0e4fec41c4e4f87dcd97f262cb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776772073",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "d3df7611-4549-4928-afe8-d8948f9b6f95",
            "value": "3145728:rE1IFl2xTnN9WG5etvcyF1f0btflTpkIRs+lf4WbepT8RLa:ryIFl2xrNdgGfRppCl+M"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776772073",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "b1b373c2-d247-42b6-b3a3-25e4fb8dcf6a",
            "value": "141019130"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776772073",
            "to_ids": true,
            "type": "vhash",
            "uuid": "d3d3607d-2c2a-40bd-9c45-95222af3aedd",
            "value": "4343e883d56837364844ff8c3757cc56"
          },
          {
            "category": "Other",
            "comment": "Checked: 21/04/2026\nLast-scan: 21/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776772073",
            "to_ids": false,
            "type": "text",
            "uuid": "186d2b74-95d3-49ec-89a1-fe40908c0e8e",
            "value": "Malicious Android file\r\nType Description: Android\nMicrosoft: None\nVT Total Detection:18/69\nFirst Submission:2025-08-29T13:41:03.000000+00:00\nLast Submission:2025-08-29T13:41:03.000000+00:00"
          }
        ]
      }
    ]
  }
}