{
  "Event": {
    "analysis": "1",
    "date": "2026-05-07",
    "extends_uuid": "",
    "info": "[Threat Intel] Threat Actors Weaponize Tiflux RMMs in Malspam Attacks",
    "protected": false,
    "publish_timestamp": "1779546639",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1779546638",
    "uuid": "66e683a8-e077-43de-b903-1a8d01c2429d",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#8f20d0",
        "local": false,
        "name": "misp-galaxy:producer=\"Huntress\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#8ee8d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\"",
        "relationship_type": ""
      },
      {
        "colour": "#7da4ad",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Match Legitimate Resource Name or Location - T1036.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#47d9d3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#5c57c8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Service - T1543.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#c202a1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1566.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#e00500",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote Access Tools - T1219\"",
        "relationship_type": ""
      },
      {
        "colour": "#bf01b7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Clear Windows Event Logs - T1070.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#f95f85",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials In Files - T1552.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#b76d96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e43954",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#59699c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"",
        "relationship_type": ""
      },
      {
        "colour": "#6d779a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exploitation for Privilege Escalation - T1068\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#356c41",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e1e63b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#120044",
        "local": false,
        "name": "rectifyq:sub-category=\"intrusion-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778238006",
        "to_ids": false,
        "type": "link",
        "uuid": "e6bc9a68-2850-40ef-b966-729fe324bcbf",
        "value": "https://www.huntress.com/blog/tiflux-rmm-install"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778238006",
        "to_ids": false,
        "type": "text",
        "uuid": "6020f139-5c23-4546-8f74-0d4fdddb5a98",
        "value": "Since late February, there has been an uptick in incidents involving Tiflux, a lesser-known Brazilian commercial remote management tool being weaponized by threat actors. The attack chain begins with phishing emails containing fake document lures that deliver a malicious MSI installer. Once executed, the installer deploys multiple remote access tools including UltraVNC, Splashtop, and ScreenConnect for persistent access. The Tiflux installer contains concerning components such as outdated VNC versions from 2014, expired certificates, hardcoded passwords, and a vulnerable HwRwDrv.sys driver known for privilege escalation abuse. The threat actors leverage these tools to establish persistence, capture screenshots, and collect system profiling information. This campaign exemplifies the continuing pattern of adversaries abusing legitimate remote management software for stealthy access to victim environments while chaining multiple tools together to maintain control."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778238006",
        "to_ids": false,
        "type": "text",
        "uuid": "fba8ce52-1b94-4cf4-8bff-b7d05a3518d7",
        "value": "Name: Threat Actors Weaponize Tiflux RMMs in Malspam Attacks\nAuthor: AlienVault\nAdversary: \nTags: [\"splashtop\", \"ultravnc\", \"rmm abuse\", \"tiflux\"]\nTgtd countries: []\nMlwr families: [\"Tiflux\", \"UltraVNC\", \"Splashtop\", \"ScreenConnect\"]\nAttack_ids: [\"T1113\", \"T1036.005\", \"T1204.002\", \"T1543.003\", \"T1566.002\", \"T1082\", \"T1219\", \"T1112\", \"T1070.001\", \"T1552.001\", \"T1547.001\", \"T1562.001\", \"T1078\", \"T1068\", \"T1027\", \"T1573\", \"T1071.001\", \"T1574.002\"]\nIndustries: []"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778238006",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "894ec0fc-329f-4c6f-af0d-268300935ff3",
        "value": "CVE-2023-39143"
      },
      {
        "category": "Payload delivery",
        "comment": "Tiflux installer MSI file. No sample in VT.\r\nLast check: 16/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779546636",
        "to_ids": true,
        "type": "sha256",
        "uuid": "113fae40-75dd-4f9e-8aaa-a3d0d02b8d1f",
        "value": "87074c1bfd071fc47410a52af863e9ca62b2b85950c4cf643a220f0ea5717952",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Tiflux installer MSI file. No sample in VT.\r\nLast check: 16/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779546638",
        "to_ids": true,
        "type": "sha256",
        "uuid": "1cb44edf-cd3f-4139-8033-798b93084533",
        "value": "f792d82e4472c001852998a3575e492907f38daa8d58ecdb3b3604b38d7b8a07",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Payload URL",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778900356",
        "to_ids": true,
        "type": "url",
        "uuid": "6ad6ec95-a86f-47db-b23a-6f0028f3724b",
        "value": "http://84.54.33.192:8040/Bin/ScreenConnect.ClientSetup.msi",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Payload URL",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778900377",
        "to_ids": true,
        "type": "url",
        "uuid": "c0a5c4c6-bdae-4698-8f9e-6801476dd17d",
        "value": "https://anythinghere.woremix.icu/Viewfiles/download.php",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Payload URL",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778900399",
        "to_ids": true,
        "type": "url",
        "uuid": "0e93af1e-6c50-48a6-9bb6-33c4b381f0aa",
        "value": "https://lenwillfilenetwork.com/downloads/Network%20Solutions%20Agreement.msi",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Threat actor controlled domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778900420",
        "to_ids": true,
        "type": "domain",
        "uuid": "4995cf1f-8c93-4435-9794-087dc8050339",
        "value": "lenwillfilenetwork.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Threat actor controlled domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778900441",
        "to_ids": true,
        "type": "hostname",
        "uuid": "42b63a12-2b56-4ca9-bf46-75a09cc68211",
        "value": "anythinghere.woremix.icu",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Threat actor controlled domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778900462",
        "to_ids": true,
        "type": "hostname",
        "uuid": "a579d4a1-21aa-48a5-8d00-a433ca32b616",
        "value": "shankar.woremix.icu",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "ScreenConnect download and C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778900483",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "913fcaef-2524-4472-a939-d270a3806381",
        "value": "84.54.33.192",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "ScreenConnect download IP and port",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778895374",
        "to_ids": true,
        "type": "ip-dst|port",
        "uuid": "2e9afd46-8b32-4025-b071-e18181e93592",
        "value": "84.54.33.192|8040"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546634",
        "uuid": "1665f3d1-4424-4168-aa50-49b014a56c93",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "ScreenConnect installer msi file",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546634",
            "to_ids": true,
            "type": "md5",
            "uuid": "34f78f55-f70f-40f0-a867-318bce980c4e",
            "value": "9aeb06bf120a8242a0079a7ec442b121",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ScreenConnect installer msi file",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546634",
            "to_ids": true,
            "type": "sha1",
            "uuid": "75a3e1a8-daab-4e87-ba7b-e4073d1cb27a",
            "value": "9a20abb6061bb4ad36818447b05bd09a790cfad9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ScreenConnect installer msi file",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546634",
            "to_ids": true,
            "type": "sha256",
            "uuid": "8edf5867-7ac1-478d-ac43-7a1b21a32075",
            "value": "0b95524e5b00688f7f5efe56a74b93985feb2152d9336d44ca7a8dd9ca25d2d5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778897206",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "4fb417b1-3304-4739-8e45-d09bc60895ee",
            "value": "393216:5xIQzck6xIQz4xIQzPxIQzcxIQzuxIQzgxIQzt:Hz0zizNz2zQzazt"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778897206",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "1cce9648-e5ec-4ebf-ab8f-64eecbf4543c",
            "value": "13484032"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778897206",
            "to_ids": true,
            "type": "vhash",
            "uuid": "bb04deab-bc13-4a7c-8896-769fd807a2db",
            "value": "45155b83172cd3ff230fec9025027227"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778897206",
            "to_ids": true,
            "type": "filename",
            "uuid": "87401bf8-153c-4d94-932f-98713a4ada4a",
            "value": "screenconnect.clientsetup.msi"
          },
          {
            "category": "Other",
            "comment": "Checked: 16/05/2026\nLast scan: 15/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778897206",
            "to_ids": false,
            "type": "text",
            "uuid": "2226496d-22b5-4881-9537-104cb1d7c282",
            "value": "ScreenConnect installer msi file\r\nType Descriptio%WINDIR%\\Installer\nMicrosoft: Trojan:Win32/Qwexlafiba!rfn\nVT Total Detection:16/62\nFirst Submission:2026-05-08T21:44:35.000000+00:00\nLast Submission:2026-05-08T21:44:35.000000+00:00"
          }
        ]
      }
    ]
  }
}