{
  "Event": {
    "analysis": "1",
    "date": "2026-04-30",
    "extends_uuid": "",
    "info": "[Threat Intel] ClickFix Removes Your Background but Leaves the Malware",
    "protected": false,
    "publish_timestamp": "1779546311",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1779546310",
    "uuid": "1dde8747-984b-4371-8986-35106171f488",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#8f20d0",
        "local": false,
        "name": "misp-galaxy:producer=\"Huntress\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#8ee8d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\"",
        "relationship_type": ""
      },
      {
        "colour": "#72ee33",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#ed66f6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Steal Web Session Cookie - T1539\"",
        "relationship_type": ""
      },
      {
        "colour": "#7da4ad",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Match Legitimate Resource Name or Location - T1036.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#56c932",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Symmetric Cryptography - T1573.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#2c1d2e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Checks - T1497.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#68f2ff",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#8ed4a7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Web Browsers - T1555.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#73cdf4",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Portable Executable Injection - T1055.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#b76d96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#4bc785",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Hollowing - T1055.012\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Security Software Discovery - T1518.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#02475d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Command Shell - T1059.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#5884a7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious Link - T1204.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"CASTLELOADER\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious Copy and Paste - T1204.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777950036",
        "to_ids": false,
        "type": "link",
        "uuid": "5893aeb2-ae96-4879-b46a-4d536007d9eb",
        "value": "https://www.huntress.com/blog/clickfix-castleloader-backgroundfix"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777950036",
        "to_ids": false,
        "type": "text",
        "uuid": "cc7f906e-73ae-41f0-b5c6-8e469046020e",
        "value": "BackgroundFix masquerades as a free image-editing tool but functions as a ClickFix social engineering lure. The fake service prompts users to verify they are human, copying malicious commands to their clipboard that invoke finger.exe to retrieve additional payloads. This chain delivers CastleLoader, which subsequently drops NetSupport RAT and a custom .NET stealer dubbed CastleStealer. The loader uses reflective PE injection, API hashing, and ChaCha20-encrypted C2 communications. CastleStealer targets browser credentials, cryptocurrency wallet extensions, and Telegram sessions through DPAPI decryption and Restart Manager APIs. The campaign leverages BYOI tactics with embedded Python interpreters and multiple shellcode stages. A notable implementation flaw exists where launch method 4 references regsrv32.exe instead of the correct regsvr32.exe, causing silent failures."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777950036",
        "to_ids": false,
        "type": "text",
        "uuid": "4099240d-2151-4da1-a2cf-67d4fca6c3b9",
        "value": "Name: ClickFix Removes Your Background but Leaves the Malware\nAuthor: AlienVault\nAdversary: ClickFix\nTags: [\"netsupport rat\", \"clickfix\", \"reflective loader\", \"castleloader\", \"social engineering\"]\nTgtd countries: []\nMlwr families: [\"CastleLoader\", \"NetSupport RAT\", \"CastleStealer\"]\nAttack_ids: [\"T1113\", \"T1056.001\", \"T1539\", \"T1036.005\", \"T1573.001\", \"T1497.001\", \"T1005\", \"T1140\", \"T1555.003\", \"T1055.002\", \"T1059.001\", \"T1547.001\", \"T1055.012\", \"T1027\", \"T1518.001\", \"T1059.003\", \"T1071.001\", \"T1204.001\"]\nIndustries: []"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777950036",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "2bd4e2d5-7bb1-4c10-b46f-1169a38fc366",
        "value": "ClickFix"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778623321",
        "to_ids": true,
        "type": "domain",
        "uuid": "ac4a2d63-7e24-4b7d-b65d-7539a2f0c507",
        "value": "trindastal.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778623342",
        "to_ids": true,
        "type": "domain",
        "uuid": "c85e9638-c1b8-4e6e-8e50-a2adce2e8d9e",
        "value": "poronto.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778623364",
        "to_ids": true,
        "type": "domain",
        "uuid": "f4e84c5b-c9a2-4845-970b-8b83219230b2",
        "value": "brionter.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "CastleLoader Core (final v8 payload, embedded PE). No sample in VT.\r\nLast check: 13/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779546310",
        "to_ids": true,
        "type": "sha256",
        "uuid": "3fc252ce-717f-4749-b552-3ccd8912a39b",
        "value": "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778623385",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "f99235a2-d933-4cfe-9163-7c0b5e8fad87",
        "value": "38.146.28.30",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778623406",
        "to_ids": true,
        "type": "url",
        "uuid": "f57313c5-616a-4229-8511-50449136f05a",
        "value": "http://giovettiadv.com:688",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778623426",
        "to_ids": true,
        "type": "url",
        "uuid": "fd296763-622a-470d-aaec-3fc886c8cea2",
        "value": "http://poronto.com:688",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778623448",
        "to_ids": true,
        "type": "url",
        "uuid": "1798ee1c-3006-467e-9c23-9fb1d0b3cbfe",
        "value": "https://brionter.com/4ba0af68-0037-5f6e-afd1-64f89fc0f554/net40.bin",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778623469",
        "to_ids": true,
        "type": "url",
        "uuid": "1eeddc5f-21fb-4d1c-b615-ce910e13b9de",
        "value": "https://obelnamevalf.org/OaTS7yE9zd/default",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778623490",
        "to_ids": true,
        "type": "url",
        "uuid": "7f360847-6e5a-43af-b73c-fb08b1969361",
        "value": "https://trindastal.com/8250d149-9bf8-566d-9d7d-ea925eae0a4",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778623512",
        "to_ids": true,
        "type": "domain",
        "uuid": "517ecbd3-9fe1-4c7d-9458-b317d7e47db1",
        "value": "ai-scan.digital",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778623533",
        "to_ids": true,
        "type": "domain",
        "uuid": "73658bdf-52e4-4226-8f45-86d1265ff820",
        "value": "background-off.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778623554",
        "to_ids": true,
        "type": "domain",
        "uuid": "76f44675-0650-4d0c-9692-11f9217296b1",
        "value": "background-ready.online",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778623575",
        "to_ids": true,
        "type": "domain",
        "uuid": "534f7fd8-08d7-4f30-aee8-2c5e55bffbbf",
        "value": "backgroundformat.online",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778623596",
        "to_ids": true,
        "type": "domain",
        "uuid": "c9e1e515-a38f-41bf-80c7-0a46967ef39f",
        "value": "bg-go.online",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778623618",
        "to_ids": true,
        "type": "domain",
        "uuid": "a5608706-8733-487d-9f08-baac2546e7f7",
        "value": "bg-ready.online",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778623639",
        "to_ids": true,
        "type": "domain",
        "uuid": "a500c48b-ac60-4745-bdd5-3a98788b49e8",
        "value": "bg-removerok.online",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778623660",
        "to_ids": true,
        "type": "domain",
        "uuid": "8200717e-362b-4324-b07e-87ab69fe309a",
        "value": "bg-transparency.online",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778623682",
        "to_ids": true,
        "type": "domain",
        "uuid": "e81faed3-ec02-4b8e-b691-d3767f252b59",
        "value": "cheeshomireciple.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778623703",
        "to_ids": true,
        "type": "domain",
        "uuid": "12a5bce4-5d6b-4421-9f9f-06992e982af2",
        "value": "giovettiadv.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778623724",
        "to_ids": true,
        "type": "domain",
        "uuid": "2846ad90-7d27-412d-8edd-30ecf7af9af7",
        "value": "obelnamevalf.org",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "CastleLoader C2 endpoint",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778623745",
        "to_ids": true,
        "type": "url",
        "uuid": "1fe00dcd-5a5e-4eb7-8aa0-db69c0a33a58",
        "value": "https://trindastal.com/8250d149-9bf8-566d-9d7d-ea925eae0a4c/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Stage-2 Python downloader URL",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778623767",
        "to_ids": true,
        "type": "url",
        "uuid": "a48f868b-d58e-4126-8d51-398098cdafbe",
        "value": "https://trindastal.com/4ba0af68-0037-5f6e-afd1-64f89fc0f554/loc8",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Stage-2 RC4-encrypted shellcode URL",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778623788",
        "to_ids": true,
        "type": "url",
        "uuid": "9d3d9b38-f2e3-4355-a0d6-6fc8b893721d",
        "value": "https://trindastal.com/4ba0af68-0037-5f6e-afd1-64f89fc0f554/v8",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "On port 22989",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778367689",
        "to_ids": true,
        "type": "ip-dst|port",
        "uuid": "0cb0a35b-b18b-4a61-aa77-c97046ba9191",
        "value": "38.146.28.30|22989"
      },
      {
        "category": "Persistence mechanism",
        "comment": "NetSupport install path (task 11)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778367689",
        "to_ids": true,
        "type": "regkey",
        "uuid": "9f6cbf4c-cadf-4bc3-b3e4-7f888f046806",
        "value": "%ProgramData%\\CeoliauD\\Dabkina"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s).",
        "meta-category": "misc",
        "name": "credential",
        "template_uuid": "a27e98c9-9b0e-414c-8076-d201e039ca09",
        "template_version": "5",
        "timestamp": "1778368146",
        "uuid": "23dc2bdf-5d24-45ae-b18a-ef72d4b5ca3f",
        "Attribute": [
          {
            "category": "Other",
            "comment": "hardcoded ChaCha20 key/nonce pair (key)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "password",
            "timestamp": "1778368136",
            "to_ids": false,
            "type": "text",
            "uuid": "aa4937fa-5148-4ca5-a534-eb79e8df344d",
            "value": "f5dbaa09e60343f252a80d4a313a36ac11442d96b0896022d1a83744e3c11feb"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "type",
            "timestamp": "1778368146",
            "to_ids": false,
            "type": "text",
            "uuid": "a91e3920-600f-4aa9-8b3e-8b37c9826ebd",
            "value": "encryption-key"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546308",
        "uuid": "f60f7390-b02c-4cae-874a-9118eed4e792",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": ".NET stealer (net40.bin, decrypted)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546308",
            "to_ids": true,
            "type": "md5",
            "uuid": "27c6a1ad-580c-4b32-aa66-7774a5b9547b",
            "value": "0c12b8d675c2a9ee681527ce80a603cf",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": ".NET stealer (net40.bin, decrypted)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546308",
            "to_ids": true,
            "type": "sha1",
            "uuid": "5f5df372-7636-4360-a01f-f1133bcbf223",
            "value": "5f7f0e3ee21ab21179b5ad30089941b580d7f82d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": ".NET stealer (net40.bin, decrypted)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546308",
            "to_ids": true,
            "type": "sha256",
            "uuid": "c2cfa63d-673d-42f4-882e-04d19844995d",
            "value": "ed391a16389234f9ebb6727711baaf3e068d7f77c465708fa3e8b7d0565d7fb9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778621594",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "44a93d28-c737-4fa2-9f3d-3c38e99e55e2",
            "value": "3072:hQ4+jVlbOXc/8WQPbh+pzFeZlH9RbOe9+sfMfyW:hf+jV47WQPV++lHbbkD"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778621594",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "152cc1a1-ee11-4c1b-af3e-d1cd9090bb33",
            "value": "228352"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778621594",
            "to_ids": true,
            "type": "vhash",
            "uuid": "b31a16ab-1b81-4bdb-8a8e-57cf58b809e1",
            "value": "225036551511404832112050"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778621594",
            "to_ids": true,
            "type": "filename",
            "uuid": "d51476c1-c307-47b3-a5f4-c3f7eb55dce2",
            "value": "jo4u6.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 13/05/2026\nLast scan: 11/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778621594",
            "to_ids": false,
            "type": "text",
            "uuid": "2ec5d340-18be-4c87-85bf-d1433d4a27d1",
            "value": ".NET stealer (net40.bin, decrypted)\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Ravartar!rfn\nVT Total Detection: 49/71\nFirst Submission: 2026-04-30T21:43:58.000000+00:00\nLast Submission: 2026-04-30T21:43:58.000000+00:00"
          }
        ]
      }
    ]
  }
}