{ "Event": { "analysis": "1", "date": "2026-05-11", "extends_uuid": "", "info": "[Threat Intel] Website installer incident (May 2026)", "protected": false, "publish_timestamp": "1779547092", "published": true, "threat_level_id": "2", "timestamp": "1779547092", "uuid": "60647f90-8d16-4246-8004-22427c2e3a19", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#7da4ad", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Match Legitimate Resource Name or Location - T1036.005\"", "relationship_type": "" }, { "colour": "#47d9d3", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Upload Malware - T1608.001\"", "relationship_type": "" }, { "colour": "#e8825f", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Supply Chain Compromise - T1195\"", "relationship_type": "" }, { "colour": "#75ec20", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Masquerading - T1036\"", "relationship_type": "" }, { "colour": "#fe1ef0", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Web Shell - T1505.003\"", "relationship_type": "" }, { "colour": "#20f80d", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\"", "relationship_type": "" }, { "colour": "#c9dbdd", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Stage Capabilities - T1608\"", "relationship_type": "" }, { "colour": "#3780c6", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Compromise Host Software Binary - T1554\"", "relationship_type": "" }, { "colour": "#1b95cd", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"", "relationship_type": "" }, { "colour": "#7628f7", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Unix Shell - T1059.004\"", "relationship_type": "" }, { "colour": "#59699c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"", "relationship_type": "" }, { "colour": "#e08bb2", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"", "relationship_type": "" }, { "colour": "#36d931", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Data Encrypted for Impact - T1486\"", "relationship_type": "" }, { "colour": "#d596aa", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Compromise Software Supply Chain - T1195.002\"", "relationship_type": "" }, { "colour": "#bf2644", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Server Software Component - T1505\"", "relationship_type": "" }, { "colour": "#a05856", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Data Destruction - T1485\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Drive-by Compromise - T1189\"", "relationship_type": "" }, { "colour": "#297c25", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Inhibit System Recovery - T1490\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#120044", "local": false, "name": "rectifyq:sub-category=\"intrusion-analysis\"", "relationship_type": "" }, { "colour": "#18005e", "local": false, "name": "rectifyq:topic=\"supply-chain\"", "relationship_type": "" }, { "colour": "#d92121", "local": false, "name": "rectifyq:target=\"targeted\"", "relationship_type": "" }, { "colour": "#55acee", "local": false, "name": "rectifyq:MY-relevancy=\"potentially-relevant\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1778583617", "to_ids": false, "type": "link", "uuid": "365e2389-3089-4199-9c39-c37949750193", "value": "https://jdownloader.org/incident_8.5.2026.html?v=20260508277000", "Tag": [ { "colour": "#6b003a", "local": true, "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"", "relationship_type": "" } ] }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1778583617", "to_ids": false, "type": "text", "uuid": "aa77b568-c85f-4e57-b48b-4cd431e5efda", "value": "In early May 2026, attackers compromised the official JDownloader website by manipulating specific installer download links through the content management system. Between May 6-7, 2026 (UTC), users who downloaded Windows installers via \"Download Alternative Installer\" links or the Linux shell installer were redirected to malicious third-party files instead of genuine installers. The attackers gained CMS-level access only, not server or filesystem control. The incident was detected on May 7 via Reddit alerts, and the server was immediately taken offline. Malicious links were removed, legitimate links restored, and security hardened before the site resumed normal operations on May 8-9. In-app updates and other download paths remained unaffected. Users who executed downloaded installers during the risk window are advised to perform clean OS reinstalls and change passwords from trusted devices." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1778583617", "to_ids": false, "type": "text", "uuid": "f944c63b-8229-4cda-b10e-f51374fc44a2", "value": "Name: Website installer incident (May 2026)\nAuthor: AlienVault\nAdversary: \nTags: [\"jdownloader incident\", \"supply chain compromise\", \"windows linux targeting\", \"cms exploitation\", \"website defacement\", \"installer tampering\", \"download link manipulation\"]\nTgtd countries: []\nMlwr families: []\nAttack_ids: [\"T1036.005\", \"T1204.002\", \"T1608.001\", \"T1195\", \"T1036\", \"T1505.003\", \"T1059\", \"T1608\", \"T1204\", \"T1554\", \"T1566\", \"T1059.004\", \"T1078\", \"T1027\", \"T1486\", \"T1195.002\", \"T1505\", \"T1485\", \"T1189\", \"T1490\"]\nIndustries: []" } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1779547072", "uuid": "98131e9f-beaa-4a3a-a4eb-97eeeee15959", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1779547071", "to_ids": true, "type": "md5", "uuid": "5695be72-622e-4c06-b7da-c6bbd2e06614", "value": "c19d686e686b6b391a4e6583bc7909fb", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1779547072", "to_ids": true, "type": "sha1", "uuid": "252303b0-7834-4581-a3f9-decc137b8df7", "value": "e5ac58f956fc17d07435c311fdedcd9885fbb09d", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1779547072", "to_ids": true, "type": "sha256", "uuid": "c3d2c168-fb69-4ad9-a9b7-ba0bdfe9fe41", "value": "5a6636ce490789d7f26aaa86e50bd65c7330f8e6a7c32418740c1d009fb12ef3", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1778971476", "to_ids": true, "type": "ssdeep", "uuid": "91d79096-5c51-4b5b-b3f6-1c15cb0eec79", "value": "1572864:MTeu9qDhWj1tA8M8S9qFTJ1HloBWwYU3wq:+cFWj1trM9WTXFoVwq" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1778971476", "to_ids": false, "type": "size-in-bytes", "uuid": "2b4d6238-2a4c-4715-8d3f-78469ab81aff", "value": "61749248" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1778971476", "to_ids": true, "type": "vhash", "uuid": "3bd33dc9-955d-4861-9126-c377f5e97481", "value": "067076655d155d05755az457z1vz" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1778971476", "to_ids": true, "type": "filename", "uuid": "42cdbedd-ba47-4d54-89b4-d1cf5aecbaf7", "value": "JDownloader2Setup_windows-amd64_v1_8_0_482.exe" }, { "category": "Other", "comment": "Checked: 17/05/2026\nLast-scan\t: 16/05/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1778971476", "to_ids": false, "type": "text", "uuid": "53814a97-5706-4dda-9438-85964ca54d85", "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win64/Malgent!MSR\nVT Total Detection:43/69\nFirst Submission:2026-05-06T03:44:42.000000+00:00\nLast Submission:2026-05-16T14:46:38.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1779547075", "uuid": "5f9f8c2b-ecf7-4161-ad8f-f96e18d3b328", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1779547074", "to_ids": true, "type": "md5", "uuid": "4fe4722c-ffbf-473b-b863-592551a374fa", "value": "ee4346d277995bf40196c054de1627f4", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1779547075", "to_ids": true, "type": "sha1", "uuid": "2ace99da-0152-4051-ac4d-f1ec7f2e47ee", "value": "8ce6e138f3df020612acb0826cb952bff24294b9", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1779547075", "to_ids": true, "type": "sha256", "uuid": "e5fcafc9-96ae-4854-8f4b-bf144834f39c", "value": "4ff7eec9e69b6008b77de1b6e5c0d18aa717f625458d80da610cb170c784e97c", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1778971498", "to_ids": true, "type": "ssdeep", "uuid": "fe3f1853-5cbe-4ecc-93a5-5020e27cbabc", "value": "1572864:3Hc4N+NaXiW2yoNqS9qFTJ1HloBWwYU3wq:cx7NbWTXFoVwq" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1778971498", "to_ids": false, "type": "size-in-bytes", "uuid": "3a265c83-257f-44c3-87d9-b77878ece9df", "value": "62498304" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1778971498", "to_ids": true, "type": "vhash", "uuid": "788649d9-07e8-47a1-b05e-ab53d1e997f3", "value": "067076655d155d05755az457z1vz" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1778971498", "to_ids": true, "type": "filename", "uuid": "c5a74836-30f0-456f-ad00-25dec1b76e4a", "value": "JDownloader2Setup_windows-x86_v1_8_0_472.exe" }, { "category": "Other", "comment": "Checked: 17/05/2026\nLast-scan\t: 14/05/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1778971498", "to_ids": false, "type": "text", "uuid": "44946a52-2f31-4f47-8e95-13d8ad0e7662", "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win64/Malgent!MSR\nVT Total Detection:36/69\nFirst Submission:2026-05-06T08:23:01.000000+00:00\nLast Submission:2026-05-15T18:34:47.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1779547078", "uuid": "ca608613-6d2f-469a-a381-96f7106cf671", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1779547077", "to_ids": true, "type": "md5", "uuid": "de96bb5b-2340-44f8-9fdd-3e1345a9388c", "value": "26a2abcd92a1fe2be7832c437103b170", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1779547077", "to_ids": true, "type": "sha1", "uuid": "c8d45d1f-0fb1-4b33-9f4a-11e39b74f2b9", "value": "fd196b51871e6eb3e111e6ebbb0f8d34c575f5f0", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1779547078", "to_ids": true, "type": "sha256", "uuid": "d25aec32-f27d-464c-ac2a-b68ba6b1915d", "value": "04cb9f0bca6e0e4ed30bc92726590724bf60938440b3825252657d1b3af45495", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1778971520", "to_ids": true, "type": "ssdeep", "uuid": "17f8d816-e6e9-4797-8bf2-15f5447785ae", "value": "1572864:Vr2GnbVpRULAACaIPt8IrkUT2lfavGxKKAeqpqON88tcPmtZz8S9qFTJ1HloBWw5:YqbTdV7eIp2F6GohRtcuz9WTXFoVwq" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1778971520", "to_ids": false, "type": "size-in-bytes", "uuid": "6fb4088d-92d9-4b78-9ba3-d054f2646eb2", "value": "101420032" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1778971520", "to_ids": true, "type": "vhash", "uuid": "4ccc745c-6784-4441-bdb8-add7db65e78f", "value": "018076655d155d05755az457z1vz" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1778971520", "to_ids": true, "type": "filename", "uuid": "756709f6-db8b-4af1-910a-dfdcf6672423", "value": "JDownloader2Setup_windows-amd64_v17_0_18.exe" }, { "category": "Other", "comment": "Checked: 17/05/2026\nLast-scan\t: 16/05/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1778971520", "to_ids": false, "type": "text", "uuid": "5af6b73b-fd65-44b5-9c31-897ae280ae9e", "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win64/Malgent!MSR\nVT Total Detection:42/69\nFirst Submission:2026-05-06T06:49:56.000000+00:00\nLast Submission:2026-05-16T14:43:45.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1779547081", "uuid": "3cc519e8-7898-40ac-b907-84128ad313ce", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1779547080", "to_ids": true, "type": "md5", "uuid": "bcfc3c3a-5aac-4e05-b98a-3d8ff7eb24b0", "value": "7d1676c965d64ea00b7a7601353873ae", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1779547080", "to_ids": true, "type": "sha1", "uuid": "36220b03-d52e-4194-b8aa-b2c56c9fad9d", "value": "aae423bc5a8be8c7b5652e4280b3a4ad1044b22e", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1779547081", "to_ids": true, "type": "sha256", "uuid": "8fa971f5-c784-4528-8fc8-081ccda38eaa", "value": "32891c0080442bf0a0c5658ada2c3845435b4e09b114599a516248723aad7805", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1778971542", "to_ids": true, "type": "ssdeep", "uuid": "b96455c6-d418-41f3-bdaa-538a669f68d5", "value": "3145728:m8KMIGcU6p9KAeZCXp2E04GpMuWTXFoVwq:AMUKsXpfWWJqw" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1778971542", "to_ids": false, "type": "size-in-bytes", "uuid": "022210fc-86b7-4fef-bcd9-a9d07042e27a", "value": "107124736" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1778971542", "to_ids": true, "type": "vhash", "uuid": "e614002f-fe9a-43aa-92ff-22450eca79d4", "value": "018076655d155d05755az457z1vz" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1778971542", "to_ids": true, "type": "filename", "uuid": "e24be40e-578a-43a4-95d2-d722fce472e8", "value": "JDownloader2Setup_windows-amd64_v21_0_10.exe" }, { "category": "Other", "comment": "Checked: 17/05/2026\nLast-scan\t: 14/05/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1778971542", "to_ids": false, "type": "text", "uuid": "cebfc907-cf68-44b5-9c7a-0604f6955505", "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win64/Malgent!MSR\nVT Total Detection:29/69\nFirst Submission:2026-05-06T00:24:03.000000+00:00\nLast Submission:2026-05-16T12:02:28.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1779547084", "uuid": "0b64e4c7-8b77-4e3a-b860-2dff2f44df6c", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1779547083", "to_ids": true, "type": "md5", "uuid": "45599f79-941e-4c3f-8d28-18adc534fca6", "value": "be430657cf97c5b1f3fa1abd496a4f3b", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1779547083", "to_ids": true, "type": "sha1", "uuid": "2137c02c-0e44-4ba2-855d-8658b2e49634", "value": "6839bd5a42338c41e81bb9aff8c4ed853d93801e", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1779547084", "to_ids": true, "type": "sha256", "uuid": "90ae3407-be94-4beb-959e-ebb13f08e55f", "value": "6d975c05ef7a164707fa359284a31bfe0b1681fe0319819cb9e2c4eec2a1a8af", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1778971564", "to_ids": true, "type": "ssdeep", "uuid": "bd5ac816-2d4c-41fa-a7b0-85657bea0735", "value": "196608:cySFlbt8/T0RynDYKSIkLWDZkIOm+7c1/OvhNKhhr:cLRtlM4IkYZkIOm3kLK7" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1778971564", "to_ids": false, "type": "size-in-bytes", "uuid": "7a9c9fd9-3db9-430a-8ca9-60e7760ee7ce", "value": "7934496" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1778971564", "to_ids": true, "type": "filename", "uuid": "17758129-880f-4978-9767-b93547cd1465", "value": "JDownloader2Setup_unix_nojre.sh" }, { "category": "Other", "comment": "Checked: 17/05/2026\nLast-scan\t: 14/05/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1778971564", "to_ids": false, "type": "text", "uuid": "e0136cec-759b-46bb-ad2e-e7da704b6ce0", "value": "Type Description: Shell script\nMicrosoft: TrojanDownloader:SH/SystemdExec!MSR\nVT Total Detection:28/61\nFirst Submission:2026-05-06T01:28:04.000000+00:00\nLast Submission:2026-05-12T08:44:00.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1779547086", "uuid": "b7e72cb5-539f-4166-bf41-b87348fed0ae", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1779547086", "to_ids": true, "type": "md5", "uuid": "c50d8246-ff22-43bc-8f16-44eb61c874c9", "value": "d3b398a757b424f91e645985ade00516", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1779547086", "to_ids": true, "type": "sha1", "uuid": "07db5623-c0a3-4b3a-85ea-7f2618cfc402", "value": "c5997e6a28a46041180780eb52842b668a65e4e2", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1779547086", "to_ids": true, "type": "sha256", "uuid": "20ee387a-824e-4636-b4f7-078e0c9e6bf4", "value": "de8b2bdfc61d63585329b8cfca2a012476b46387435410b995aeae5b502bd95e", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1778971585", "to_ids": true, "type": "ssdeep", "uuid": "83525f41-0b0a-417b-bfcf-d1a915cb63d4", "value": "1572864:Pb2LmcWv8fxCPfAlErl4In8T1pO1jdedS9qFTJ1HloBWwYU3wqU:emXfsEb8T101jUsWTXFoVwq" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1778971585", "to_ids": false, "type": "size-in-bytes", "uuid": "db80c5f2-9dbd-4c98-9858-cb0037d7cf21", "value": "87157760" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1778971585", "to_ids": true, "type": "vhash", "uuid": "609ea013-bd98-4a6a-8eea-aa9a0ba5a00d", "value": "087076655d155d05755az457z1vz" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1778971585", "to_ids": true, "type": "filename", "uuid": "5731f5b1-be3a-4bab-b1d7-0342f1cacfd6", "value": "JDownloader2Setup_windows-x86_v11_0_29.exe" }, { "category": "Other", "comment": "Checked: 17/05/2026\nLast-scan\t: 15/05/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1778971585", "to_ids": false, "type": "text", "uuid": "104a4550-f693-4cfc-8625-cedd7027e7f7", "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win64/Malgent!MSR\nVT Total Detection:43/70\nFirst Submission:2026-05-06T08:28:13.000000+00:00\nLast Submission:2026-05-12T08:45:00.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1779547089", "uuid": "d681b3dd-cee3-41c5-a6cf-09a2a5eecd79", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1779547088", "to_ids": true, "type": "md5", "uuid": "25936dbe-69b9-4a57-a1da-d26bf5467181", "value": "ec99e2a51151117876e67635ed4e575d", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1779547089", "to_ids": true, "type": "sha1", "uuid": "04bea758-6b79-43d0-88d9-52277ec7e4be", "value": "ea6ca6e83692483c677fd4211e2b1744446cd325", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1779547089", "to_ids": true, "type": "sha256", "uuid": "87f47c80-13d8-42e6-bc60-8a8912a92263", "value": "e4a20f746b7dd19b8d9601b884e67c8166ea9676b917adea6833b695ba13de16", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1778971607", "to_ids": true, "type": "ssdeep", "uuid": "803e7f6f-6b1f-4e7c-839e-644389a607df", "value": "1572864:O6x+Qhuw190mT8UMuaki5JoDRwT9K2EKS9qFTJ1HloBWwYU3wq:3x+Qn19zMuaXg8tE7WTXFoVwq" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1778971607", "to_ids": false, "type": "size-in-bytes", "uuid": "9b17cee6-74af-4cc6-b3f4-0a6fa43503eb", "value": "86576128" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1778971607", "to_ids": true, "type": "vhash", "uuid": "600828fb-d621-496c-b15b-d2f0cf2a5395", "value": "087076655d155d05755az457z1vz" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1778971607", "to_ids": true, "type": "filename", "uuid": "2fc21c0e-d086-4357-b6a2-349183c447ad", "value": "JDownloader2Setup_windows-x86_v17_0_17.exe" }, { "category": "Other", "comment": "Checked: 17/05/2026\nLast-scan\t: 16/05/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1778971607", "to_ids": false, "type": "text", "uuid": "f34a886e-d682-43f9-9df0-8d3e0bf716ad", "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win64/Malgent!MSR\nVT Total Detection:40/69\nFirst Submission:2026-05-06T19:35:37.000000+00:00\nLast Submission:2026-05-16T14:55:49.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1779547092", "uuid": "ad065bd7-a9fe-4cc1-bf57-b1718942a9cf", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1779547091", "to_ids": true, "type": "md5", "uuid": "0898da6d-2445-4f1a-8055-763fbf6c68ff", "value": "78d5a63d4de6eb347b4f2ef16dea4f0b", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1779547091", "to_ids": true, "type": "sha1", "uuid": "f6a412b0-0a04-4b23-9e67-e91c27d3f6ae", "value": "476eda2b54696a3f72f8d6328e73cadfa2cdedb4", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1779547092", "to_ids": true, "type": "sha256", "uuid": "ea0eaad6-f83d-4991-b328-81133f8d3c5c", "value": "fb1e3fe4d18927ff82cffb3f82a0b4ffb7280c85db5a8a8b6f6a1ac30a7e7ed9", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1778971629", "to_ids": true, "type": "ssdeep", "uuid": "2983aac8-d641-4c72-9666-14d302b1b554", "value": "1572864:GCktfizgaEuWYLjradlRoimIXfJL5yLTR3oMz7S9qFTJ1HloBWwYU3wqR:+tfizgnCradzocXfJAnlfKWTXFoVwqR" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1778971629", "to_ids": false, "type": "size-in-bytes", "uuid": "6a3d585d-e915-40fb-a63e-949fdfaf5517", "value": "104910336" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1778971629", "to_ids": true, "type": "vhash", "uuid": "6d318a05-72d7-4033-bea4-97dd3c31172e", "value": "018076655d155d05755az457z1vz" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1778971629", "to_ids": true, "type": "filename", "uuid": "842f2b18-3520-4c22-aa0f-dd615b849f48", "value": "JDownloader2Setup_windows-amd64_v11_0_30.exe" }, { "category": "Other", "comment": "Checked: 17/05/2026\nLast-scan\t: 16/05/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1778971629", "to_ids": false, "type": "text", "uuid": "d6048855-7289-4954-8b78-c6d4ed7bbe34", "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win64/Malgent!MSR\nVT Total Detection:36/69\nFirst Submission:2026-05-07T02:25:10.000000+00:00\nLast Submission:2026-05-12T12:48:54.000000+00:00" } ] } ] } }