{
  "Event": {
    "analysis": "1",
    "date": "2026-05-14",
    "extends_uuid": "",
    "info": "[Threat Intel] Chinese APT Campaign Targets Entities with Updated FDMTP Backdoor",
    "protected": false,
    "publish_timestamp": "1779596377",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1779596376",
    "uuid": "4583b718-a906-4818-8811-97ba5fae34a6",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Service Discovery - T1007\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data Transfer Size Limits - T1030\"",
        "relationship_type": ""
      },
      {
        "colour": "#b672a4",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task/Job - T1053\"",
        "relationship_type": ""
      },
      {
        "colour": "#ff841f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Application Layer Protocol - T1071\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#e12cbc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Non-Application Layer Protocol - T1095\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#4985d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Boot or Logon Autostart Execution - T1547\"",
        "relationship_type": ""
      },
      {
        "colour": "#ad5a96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Hijack Execution Flow - T1574\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Trusted Developer Utilities Proxy Execution - T1127\"",
        "relationship_type": ""
      },
      {
        "colour": "#d4fd6f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Impair Defenses - T1562\"",
        "relationship_type": ""
      },
      {
        "colour": "#afd4c9",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Endpoint Denial of Service - T1499\"",
        "relationship_type": ""
      },
      {
        "colour": "#e8825f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Supply Chain Compromise - T1195\"",
        "relationship_type": ""
      },
      {
        "colour": "#297c25",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Inhibit System Recovery - T1490\"",
        "relationship_type": ""
      },
      {
        "colour": "#2e58ce",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Input Capture - T1056\"",
        "relationship_type": ""
      },
      {
        "colour": "#8b05c0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Audio Capture - T1123\"",
        "relationship_type": ""
      },
      {
        "colour": "#20f80d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\"",
        "relationship_type": ""
      },
      {
        "colour": "#fdd85e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Access Token Manipulation - T1134\"",
        "relationship_type": ""
      },
      {
        "colour": "#43c8db",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:country=\"china\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:region=\"142 - Asia\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"APT\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#fdcb58",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"somewhat-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#256f6a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"DLL - T1574.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#f5a258",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Native API - T1106\"",
        "relationship_type": ""
      },
      {
        "colour": "#b76d96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#705cef",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779159611",
        "to_ids": false,
        "type": "link",
        "uuid": "6ad26c89-737c-46c3-ac65-d49b99b5d4a2",
        "value": "https://www.darktrace.com/blog/chinese-apt-campaign-targets-entities-with-updated-fdmtp-backdoor",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779159611",
        "to_ids": false,
        "type": "text",
        "uuid": "88617d2a-38c9-4366-a5b8-c44ff948dd7a",
        "value": "Beginning in late September 2025, multiple affected hosts were observed making requests to domains impersonating content delivery networks (CDNs), including infrastructure masquerading as Yahoo- and Apple-affiliated services. Across these cases, Darktrace identified a consistent behavioral execution pattern: the retrieval of legitimate binaries alongside malicious Dynamic Link Libraries (DLLs), enabling sideloading and execution of a modular .NET-based Remote Access Trojan (RAT) framework."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779159611",
        "to_ids": false,
        "type": "text",
        "uuid": "2ec4d3ad-f0d4-477c-a52a-196c03eb2705",
        "value": "Name: Chinese APT Campaign Targets Entities with Updated FDMTP Backdoor\nAuthor: AlienVault\nAdversary: Twill Typhoon\nTags: [\"anomalous file\", \"twill typhoon\", \"visual studio\", \"chinese\", \"apt\", \"rat\", \"remote access\"]\nTargeted countries: []\nMalware families: []\nAttack_ids: [\"T1007\", \"T1027\", \"T1030\", \"T1053\", \"T1071\", \"T1082\", \"T1095\", \"T1140\", \"T1547\", \"T1574\", \"T1127\", \"T1562\", \"T1499\", \"T1195\", \"T1490\", \"T1056\", \"T1123\", \"T1059\", \"T1134\", \"T1055\"]\nIndustries: [\"Higher Education\", \"Investments\"]"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779159611",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "5e00ae5e-a515-4807-838b-842b2492bf30",
        "value": "Twill Typhoon"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779594876",
        "to_ids": true,
        "type": "hostname",
        "uuid": "560cb9e1-e810-403e-9db8-7e22612587bb",
        "value": "www.icloud-cdn.net",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VirusTotal\r\nLast check: 24/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593177",
        "to_ids": true,
        "type": "md5",
        "uuid": "fe2f553c-5ab0-4e2d-8520-db043977c79b",
        "value": "067fbad4d6905d6e13fdc19964c1ea52",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VirusTotal\r\nLast check: 24/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593178",
        "to_ids": true,
        "type": "md5",
        "uuid": "8167fdc9-14ff-4d61-877c-004473085415",
        "value": "162f69fe29eb7de12b684e979a446131",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VirusTotal\r\nLast check: 24/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593179",
        "to_ids": true,
        "type": "md5",
        "uuid": "a1ec3cfa-7280-4553-b769-f606b5c84ba5",
        "value": "2cd781ab63a00ce5302ed844cfbecc27",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VirusTotal\r\nLast check: 24/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593180",
        "to_ids": true,
        "type": "md5",
        "uuid": "d5f7df01-bb7a-44fa-a4ce-33bde12747f2",
        "value": "df3437c88866c060b00468055e6fa146",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779594897",
        "to_ids": true,
        "type": "hostname",
        "uuid": "6bc16ad2-15ff-4f89-b8fd-b8091020a710",
        "value": "www.yahoo-cdn.it.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594919",
        "uuid": "49770d98-85e0-4f7e-86fd-5c83b1aee4f8",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594919",
            "to_ids": true,
            "type": "md5",
            "uuid": "e0ab11f6-aa09-4910-bd1f-fd378ca1492d",
            "value": "482cc72e01dfa54f30efe4fefde5422d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593172",
            "to_ids": true,
            "type": "sha1",
            "uuid": "6982b0fc-40dd-467e-9865-a5202f42745f",
            "value": "bbafc4e7e2a80e98f0a80689cc1e7f09b9ba3b31",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593172",
            "to_ids": true,
            "type": "sha256",
            "uuid": "e312e37d-7aca-429e-ac48-961b9f4ab977",
            "value": "27620a3685342d8aa5066f66e8aff11729be0d32ad31f5f1d70d0f743ba61f30",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779591514",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "66213a92-71cb-4be0-9bb7-b8da8b91c3ad",
            "value": "384:sJplixN1MDQJ+CQOxm8LEomXTZhbkGGkge08oGbrFCwaNsosfDRhUxcU:MziNR+ChxXgNZh1NbrwwZVixcU"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779591514",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "6b197ccc-548b-4d44-ae43-b4a77a04a67e",
            "value": "28672"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779591514",
            "to_ids": true,
            "type": "vhash",
            "uuid": "400522ad-276d-41ee-a37d-a7dc147926a9",
            "value": "32403655151801192b1122222"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779591514",
            "to_ids": true,
            "type": "filename",
            "uuid": "6e15d2db-3a4f-4c46-acd4-ecd1b4d8b9f4",
            "value": "Client.DmtpFrame.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast scan: 21/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779591514",
            "to_ids": false,
            "type": "text",
            "uuid": "0d4acf64-fe1b-444f-aa4c-64361fd9ea15",
            "value": "Type Description: Win32 DLL\nMicrosoft: Trojan:Win32/Qwexlafiba!rfn\nVT Total Detection:40/71\nFirst Submission:2026-03-12T10:40:23.000000+00:00\nLast Submission:2026-03-12T10:40:23.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594940",
        "uuid": "2f93a331-ad73-4dd3-b396-6750e3ca9c1a",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594940",
            "to_ids": true,
            "type": "md5",
            "uuid": "7c902799-b752-49c2-bdcd-a501f0390a04",
            "value": "b2c8f1402d336963478f4c5bc36c961a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593172",
            "to_ids": true,
            "type": "sha1",
            "uuid": "ba3bffc4-0e0b-4ce7-8dd3-116bc865f6a1",
            "value": "8a1f2f9baa900ab09dbfed7714948cdf9cbbf50b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593173",
            "to_ids": true,
            "type": "sha256",
            "uuid": "486a3fb0-ec9f-4578-af02-2a187cdfee5c",
            "value": "0bb1e7190c781ce5dd02304511604c225f0b1b5efe9c62583971266ef0b4ff3a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779591536",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "868e573a-abc1-490d-a576-df68d68ac7b6",
            "value": "12288:LUyZ7+nERk4NU+jgZ6cnRbNhtYyZ029OiMqZ5Fb:Q9EjNUxRbR1fjZ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779591536",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "686db126-a027-4462-abeb-dc07ecaf29ef",
            "value": "536064"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779591536",
            "to_ids": true,
            "type": "vhash",
            "uuid": "1e214cdf-fbfa-4d33-b43d-c0d868805d14",
            "value": "3550367515119062f71012"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779591536",
            "to_ids": true,
            "type": "filename",
            "uuid": "0d0c767b-3829-4258-8ef0-5f8217a5b7f1",
            "value": "Client.TcpDmtp.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast scan: 21/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779591536",
            "to_ids": false,
            "type": "text",
            "uuid": "069a3f18-a408-4a11-b230-17788be3ce38",
            "value": "Type Description: Win32 DLL\nMicrosoft: Trojan:MSIL/Darkvigil.NWA!MTB\nVT Total Detection:37/71\nFirst Submission:2026-03-12T10:38:53.000000+00:00\nLast Submission:2026-05-04T05:47:44.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594961",
        "uuid": "59dcd603-8722-4410-82f9-826910939eae",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594961",
            "to_ids": true,
            "type": "md5",
            "uuid": "6a9a15df-6a29-4ca2-8eff-c375e4495841",
            "value": "c17f39d25def01d5c87615388925f45a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593174",
            "to_ids": true,
            "type": "sha1",
            "uuid": "36ebdafb-dc75-45ff-9651-d35e1e4bf894",
            "value": "49b309ef602f1c1508835f650c2754c7564e849c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593174",
            "to_ids": true,
            "type": "sha256",
            "uuid": "75d5ec1d-6891-4c22-972e-fe58151a75a1",
            "value": "e4e68fdc71bd942514c7ecaf25a9482d7fe3e2940bcdd27916e9441ef614d0a1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779591558",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "54612532-5b6a-42d4-9440-ae2e0c0e2550",
            "value": "12288:o8XDXVHhuK/J50JJIwGMceF065RqkufF3FwWxc0x9gNAXmbBtVRkqLIfNq:9TVHIK/mBG/YRqFVtxJhIVNLaq"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779591558",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "d0a8fb15-2d0b-4511-9942-86dc292bdf0f",
            "value": "634368"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779591558",
            "to_ids": true,
            "type": "vhash",
            "uuid": "4a07e235-9a0e-4857-9d25-f0373c91af00",
            "value": "1650976d755c051d5d1dbz3326z1047z1iz4"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779591558",
            "to_ids": true,
            "type": "filename",
            "uuid": "ce814b37-576c-4a8a-9e6c-b107c0a53104",
            "value": "browser_host.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  22/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779591558",
            "to_ids": false,
            "type": "text",
            "uuid": "50649d0d-f449-4b64-8f47-9e5e9fd70ac8",
            "value": "Type Description: Win32 DLL\nMicrosoft: PUA:Win32/Packunwan\nVT Total Detection:44/71\nFirst Submission:2026-03-12T10:25:28.000000+00:00\nLast Submission:2026-03-18T16:15:26.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779594982",
        "uuid": "e7e6b9ff-969a-4d19-962e-75a91ae3f4ad",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779594982",
            "to_ids": true,
            "type": "md5",
            "uuid": "7e1dcf8b-a543-4d2e-bfd2-3e1bf85ccc99",
            "value": "fc3959ebd35286a82c662dc81ca658cb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593175",
            "to_ids": true,
            "type": "sha1",
            "uuid": "baab3f32-3ae7-43b5-8a49-ae152a58e440",
            "value": "ca2da9929110bd223d22a194ac2091af700145ba",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593175",
            "to_ids": true,
            "type": "sha256",
            "uuid": "5447f57e-2e3f-4ff6-8342-5058704b6701",
            "value": "0f3c289fc6521611c7dc81d49d7461307271c95d305974ba7435e3b5a8fb2493",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779591600",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "bae70935-3538-4fde-a54b-88ff57d17458",
            "value": "12288:dGwcREPC4dZznUrdCWo885bIyOMcKF4PQ5RwzjcU0BxY1AHeEGBokKq7qpQoDZWV:Iwn7WrDof5q/BwRwzABuEK5doDYV"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779591600",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "7533ab61-11bf-4d15-8f4d-4297b1fa4f0a",
            "value": "655105"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779591600",
            "to_ids": true,
            "type": "vhash",
            "uuid": "cfc0670e-d922-46c1-8c5c-8c25f38bd80f",
            "value": "3c2aed29bbe9eb669c28c1f2fc06d410"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779591600",
            "to_ids": true,
            "type": "filename",
            "uuid": "c9de60df-44a4-4788-9859-dbe1a75d98de",
            "value": "localfile~"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  22/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779591600",
            "to_ids": false,
            "type": "text",
            "uuid": "8da23c77-9c61-4ff5-9f58-44fd80b459db",
            "value": "Type Description: ZIP\nMicrosoft: None\nVT Total Detection:36/68\nFirst Submission:2026-03-12T10:30:35.000000+00:00\nLast Submission:2026-03-12T10:30:35.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779595003",
        "uuid": "2acbbd68-7495-493e-b705-995c6f1925ba",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "IOC-description: SHA256 of the file with MD5 c650a624455c5222906b60aac7e57d48",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779595003",
            "to_ids": true,
            "type": "md5",
            "uuid": "e2236e0a-e8dd-4f3d-ba71-82b196ef7fe8",
            "value": "c650a624455c5222906b60aac7e57d48",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-description: SHA256 of the file with MD5 c650a624455c5222906b60aac7e57d48",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593176",
            "to_ids": true,
            "type": "sha1",
            "uuid": "838e37d1-69fe-46d0-9928-79ff96782894",
            "value": "cd9070485ef6f08f2c7570849a6ece9370916135",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "IOC-description: SHA256 of the file with MD5 c650a624455c5222906b60aac7e57d48",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593176",
            "to_ids": true,
            "type": "sha256",
            "uuid": "b537e4fd-7574-43fd-8119-5da7143fc161",
            "value": "47911cb0428f042c2da010ad833cf3830594ecb70cf5d1068ec969751d87647d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779591623",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "319257b8-637d-451b-aa4e-1ed1a1dee2c0",
            "value": "384:Nl37qC0oBPOJ4hD73hnO6MQPz4Mdg/IpoiKJ9Yl6dnPU3SERztmbqCJstdMardzV:4ohnuMdy6Iq8y/X"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779591623",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "f6559577-e889-4388-9dcf-e50724d0daac",
            "value": "24576"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779591623",
            "to_ids": true,
            "type": "vhash",
            "uuid": "96d7c0e7-5f47-4cea-beb5-237791de2811",
            "value": "32403655151c0b2b60013"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779591623",
            "to_ids": true,
            "type": "filename",
            "uuid": "cbbeee62-8525-4d27-bd2c-0357353242e7",
            "value": "Microsoft.VisualStudio.HostingProcess.Utilities.Sync.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  21/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779591623",
            "to_ids": false,
            "type": "text",
            "uuid": "999a8ebd-0bed-49ab-8eb4-e5f74d5ccbe0",
            "value": "IOC-description: SHA256 of the file with MD5 c650a624455c5222906b60aac7e57d48\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/Wacatac.B!ml\nVT Total Detection:25/71\nFirst Submission:2026-03-12T10:38:10.000000+00:00\nLast Submission:2026-05-14T02:13:20.000000+00:00"
          }
        ]
      }
    ]
  }
}