{
  "Event": {
    "analysis": "1",
    "date": "2026-05-07",
    "extends_uuid": "",
    "info": "[Threat Intel] PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale",
    "protected": false,
    "publish_timestamp": "1779546672",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1779546672",
    "uuid": "695fc11f-d4b5-4df4-8563-1b8a8a3a8c7d",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#75e21e",
        "local": false,
        "name": "misp-galaxy:producer=\"SentinelOne\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#690e1a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Container and Resource Discovery - T1613\"",
        "relationship_type": ""
      },
      {
        "colour": "#bb2745",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Standard Encoding - T1132.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0ee843",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Cloud Instance Metadata API - T1552.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#a4da83",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Cron - T1053.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#aad818",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"SSH - T1021.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#9feaf0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"",
        "relationship_type": ""
      },
      {
        "colour": "#d16319",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Implant Internal Image - T1525\"",
        "relationship_type": ""
      },
      {
        "colour": "#e7d11f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Private Keys - T1552.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#36a9d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Account Discovery - T1087\"",
        "relationship_type": ""
      },
      {
        "colour": "#c7d6f8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Container Administration Command - T1609\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c0051",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#f95f85",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials In Files - T1552.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9f8b1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"",
        "relationship_type": ""
      },
      {
        "colour": "#83e96e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exploitation for Credential Access - T1212\"",
        "relationship_type": ""
      },
      {
        "colour": "#7628f7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Unix Shell - T1059.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#59699c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#b596f0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Lateral Tool Transfer - T1570\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d37d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#a0cbec",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Systemd Service - T1543.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#50bd28",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Network Service Discovery - T1046\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#3b4369",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Container API - T1552.007\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#18005e",
        "local": false,
        "name": "rectifyq:topic=\"supply-chain\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b0068",
        "local": false,
        "name": "rectifyq:topic=\"cloud\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      },
      {
        "colour": "#220082",
        "local": false,
        "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778238010",
        "to_ids": false,
        "type": "link",
        "uuid": "73d18c29-a717-4f72-bdd9-d4ac056bc83c",
        "value": "https://www.sentinelone.com/labs/cloud-worm-evicts-teampcp-and-steals-credentials-at-scale/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778238010",
        "to_ids": false,
        "type": "text",
        "uuid": "cb899d4e-a10b-4dbe-af26-3307f2655c6c",
        "value": "PCPJack is a sophisticated credential theft framework that propagates across exposed cloud infrastructure while systematically removing artifacts linked to TeamPCP, a threat actor behind notable 2026 supply chain compromises. The toolset harvests credentials from cloud platforms, containers, developer tools, productivity applications, and financial services, exfiltrating data through attacker-controlled infrastructure. It targets exposed Docker, Kubernetes, Redis, MongoDB, RayML services and vulnerable web applications, enabling external propagation and lateral movement. Unlike typical cloud malware, PCPJack deploys no cryptominers, focusing instead on credential theft for monetization through fraud, spam campaigns, extortion, or access resale. The framework uses modular Python scripts orchestrated by a central component, employs Common Crawl data for target selection, and utilizes Telegram for command and control communications."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778238010",
        "to_ids": false,
        "type": "text",
        "uuid": "4dcda698-bb6b-466c-b0b4-8a6171cd5c9b",
        "value": "Name: PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale\nAuthor: AlienVault\nAdversary: \nTags: [\"kubernetes exploitation\", \"docker compromise\", \"pcpjack\", \"sliver\", \"teampcp\", \"container worm\"]\nTgtd countries: []\nMlwr families: [\"PCPJack\", \"Sliver\"]\nAttack_ids: [\"T1613\", \"T1132.001\", \"T1552.005\", \"T1053.003\", \"T1021.004\", \"T1190\", \"T1525\", \"T1552.004\", \"T1087\", \"T1609\", \"T1083\", \"T1552.001\", \"T1041\", \"T1212\", \"T1059.004\", \"T1078\", \"T1027\", \"T1570\", \"T1059.006\", \"T1071.001\", \"T1543.002\", \"T1046\", \"T1105\", \"T1552.007\"]\nIndustries: []"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778238010",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "e830941f-4ff7-405f-800a-26869b43e561",
        "value": "CVE-2025-29927"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778238010",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "eb116e61-94b3-4179-80ce-cce1b3a00560",
        "value": "CVE-2025-48703"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778238010",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "7e0e767d-ea05-4fb4-abe5-9ceb1777c9d0",
        "value": "CVE-2025-55182"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778238010",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "5fe82c0f-bd24-49c6-bec1-c47e99127df4",
        "value": "CVE-2026-1357"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778900527",
        "to_ids": true,
        "type": "domain",
        "uuid": "c6245db6-118a-4229-9bfe-f4623ef73ca0",
        "value": "lastpass-login-help.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778238010",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "67f5dfdc-30aa-4e79-834d-eafa0797952b",
        "value": "CVE-2025-9501"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778900548",
        "to_ids": true,
        "type": "url",
        "uuid": "e3455340-8395-41c0-bfb0-c19d13620174",
        "value": "https://cdn.cloudfront-js.com:8443/u",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778900569",
        "to_ids": true,
        "type": "hostname",
        "uuid": "ec8f93b7-6e36-4f31-a118-253e0cd6e3c4",
        "value": "cdn.cloudfront-js.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "PCPJack infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778900591",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "078fcc08-a337-42df-b4ec-f6c5ed8c1e71",
        "value": "38.242.245.147",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
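        "comment": "S3 subdomain hosting PCPJack tools; match on the full hostname only, since the parent s3.us-east-2.amazonaws.com domain is shared AWS infrastructure (hence the high false-positive risk tag)",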
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778900612",
        "to_ids": true,
        "type": "hostname",
        "uuid": "d48223bf-73b6-4cfc-a2b5-b8c78868aa21",
        "value": "spm-cdn-assets-dist-2026.s3.us-east-2.amazonaws.com",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "IP addresses are hardcoded into bootstrap.sh and labelled as attacker infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778900633",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "7079084a-ffc5-4029-83ac-3eec4cc65107",
        "value": "161.97.129.25",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "IP addresses are hardcoded into bootstrap.sh and labelled as attacker infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778900654",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "60eb3fad-2bf9-4345-b6cd-d8b939a8c0f1",
        "value": "161.97.135.154",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "IP addresses are hardcoded into bootstrap.sh and labelled as attacker infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778900676",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "aca5baf4-d708-4c3d-8478-bdc8c6b7e79b",
        "value": "161.97.163.87",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "IP addresses are hardcoded into bootstrap.sh and labelled as attacker infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778900697",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "b70e4818-4038-42ef-a232-0a33b2d0bc2b",
        "value": "161.97.186.175",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "IP addresses are hardcoded into bootstrap.sh and labelled as attacker infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778900718",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "8d360566-767b-4651-9dda-44ace7d750ba",
        "value": "161.97.187.42",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "IP addresses are hardcoded into bootstrap.sh and labelled as attacker infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778900739",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "7387bb2f-3e1f-4329-bf23-d8b0134783d1",
        "value": "193.187.129.143",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "IP addresses are hardcoded into bootstrap.sh and labelled as attacker infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778900760",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "a34c799f-a4af-46a6-a164-980e24f5dc14",
        "value": "213.136.80.73",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "IP addresses are hardcoded into bootstrap.sh and labelled as attacker infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778900781",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "35d12629-66fb-40c3-ae7b-296d76cc7abd",
        "value": "38.242.204.245",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "IP addresses are hardcoded into bootstrap.sh and labelled as attacker infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778900802",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "30b0ffe5-29e3-4173-b06d-753467c8d66c",
        "value": "38.242.237.196",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "IP addresses are hardcoded into bootstrap.sh and labelled as attacker infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778900823",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "8948c2e7-a28c-4224-80d4-d4e93ff66409",
        "value": "83.171.249.231",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546643",
        "uuid": "a5d9b72d-2f3a-42e6-918e-ca127bf78aa2",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546642",
            "to_ids": true,
            "type": "md5",
            "uuid": "e1a7ab42-e9e1-4ece-a390-f2be847c8f95",
            "value": "b8e7288656eca9750a5490aa96d3594b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546642",
            "to_ids": true,
            "type": "sha1",
            "uuid": "3db092ac-7808-4bcc-9d4c-526c59d6cc84",
            "value": "c2dd8051d89c4efa71bd67d2df7d9b4bc3e67810",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546643",
            "to_ids": true,
            "type": "sha256",
            "uuid": "3a63fc59-d3b9-47b7-972c-3de80e192457",
            "value": "e41c635e4c3514e266d143d544ad1abde5db3dcfe6cccdf9bb7a218003f8ab6a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778897271",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "43403b0a-b712-43f7-a0ed-dcad06c85d66",
            "value": "192:OPFbBHTK+gLZKa3+I2kesQGtMD4uVX2yR:OtbRbgLZKauIqGmD4QX2U"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778897271",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "50aadeb8-ef46-46ce-ba75-a76cd779380d",
            "value": "8167"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778897271",
            "to_ids": true,
            "type": "filename",
            "uuid": "b1bd37c8-e308-4c67-aa08-0f83c15ad152",
            "value": "e41c635e4c3514e266d143d544ad1abde5db3dcfe6cccdf9bb7a218003f8ab6a.sh"
          },
          {
            "category": "Other",
            "comment": "Checked: 16/05/2026\nLast-scan\t:  16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778897271",
            "to_ids": false,
            "type": "text",
            "uuid": "e0f0f0ae-7040-44b4-831c-27ef5ce1b59f",
            "value": "Type Description: Shell script\nMicrosoft: Trojan:SH/CloudWorm.LTSN!MTB\nVT Total Detection:22/61\nFirst Submission:2026-04-28T02:39:30.000000+00:00\nLast Submission:2026-04-28T20:49:23.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546645",
        "uuid": "f46b463a-d5ca-4c39-b3a5-e8bd35bfeb84",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546644",
            "to_ids": true,
            "type": "md5",
            "uuid": "22dfaad8-641f-49d3-a18b-1994eb3baeb8",
            "value": "3e6f07e3d3d05cdd4ec07cbf90091558",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546645",
            "to_ids": true,
            "type": "sha1",
            "uuid": "1a149ee0-78cc-45a3-bd03-ef2afd153ee0",
            "value": "005587975a483876c1fa26b64b418931019be38f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546645",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f4efc818-c113-4496-ab9b-430b844d6df0",
            "value": "b1d8149e5c7b6312f40c220e89b1913762f9aa416ff491540b3b7b7040260eb5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778897293",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "2694a0d1-c15e-4247-8b12-3bc0c88d05cd",
            "value": "393216:MqbSO5KTyCNM/gkTv/7X/7X/Agm1QlxC1Ht+a:Mq+sZCe/gw7X/7X/Agm1QnC1NF"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778897293",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "bce37d1a-f4c0-4478-8f3a-13fa48da4801",
            "value": "33865876"
          },
          {
            "category": "Payload delivery",
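            "comment": "VirusTotal vhash: a similarity-cluster value, not a unique file identifier. A match indicates a related sample, not necessarily this exact file.",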
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778897293",
            "to_ids": true,
            "type": "vhash",
            "uuid": "06c7cd80-6a8c-4d3a-86ff-4e86bfc9d295",
            "value": "a32d859bd1256dc8d6bca18d4f8c19bc"
          },
          {
            "category": "Payload delivery",
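            "comment": "Generic filename; weak indicator on its own. Match it together with the hash attributes of this file object before alerting.",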
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778897293",
            "to_ids": true,
            "type": "filename",
            "uuid": "83cf0e32-90b4-48e2-8092-583fd2d64b67",
            "value": "update.bin"
          },
          {
            "category": "Other",
            "comment": "Checked: 16/05/2026\nLast-scan\t:  16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778897293",
            "to_ids": false,
            "type": "text",
            "uuid": "11cc7c43-a844-4b6f-81d5-afc9d5e1e23b",
            "value": "Type Description: ELF\nMicrosoft: Trojan:Linux/CloudWorm.LTSN!MTB\nVT Total Detection:32/64\nFirst Submission:2026-04-01T14:14:39.000000+00:00\nLast Submission:2026-05-07T09:33:57.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546648",
        "uuid": "781e1c27-2ef9-4a8e-99bb-c6fe003dafe4",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546647",
            "to_ids": true,
            "type": "md5",
            "uuid": "18e50770-3716-40c7-8433-3a53fa4d25d8",
            "value": "17e80f36b7f56d2888f65474bec00f1a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546647",
            "to_ids": true,
            "type": "sha1",
            "uuid": "446c23d8-5802-45b0-8696-a8a21008a0a3",
            "value": "01cebc48016395e284ac76afc1816f143ee3e7b6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546648",
            "to_ids": true,
            "type": "sha256",
            "uuid": "c480ab58-f42d-4498-8855-419988ce9299",
            "value": "e9c7af65049590ab1d78e6ae52bfbdcdc9d8f3c05501b7f345ed6127e8e1d135",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778897315",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "6a203071-19ca-435d-86fe-e78ebe2a4c03",
            "value": "96:7ucw0uZc2goGYpVhY3JbYKMwlJ7PnupqnuAVzyDdjADBXZ4f5sEdyNeG1:Cc2NaVZz7PuKFzyxjC+ZG1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778897315",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "a7f9048e-8e7c-49f0-84f6-295111cd37df",
            "value": "10385"
          },
          {
            "category": "Payload delivery",
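            "comment": "Generic filename; weak indicator on its own. Match it together with the hash attributes of this file object before alerting.",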
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778897315",
            "to_ids": true,
            "type": "filename",
            "uuid": "821c3b3f-6cb9-48a7-9de8-8e785bb2c047",
            "value": "cloud_scan.py"
          },
          {
            "category": "Other",
            "comment": "Checked: 16/05/2026\nLast-scan\t:  14/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778897315",
            "to_ids": false,
            "type": "text",
            "uuid": "b3aec872-4c5d-434a-8ad9-1eacf6eb9ddf",
            "value": "Type Description: Python\nMicrosoft: Trojan:Python/CloudWorm.LTSN!MTB\nVT Total Detection:20/62\nFirst Submission:2026-04-29T00:20:50.000000+00:00\nLast Submission:2026-05-07T09:33:17.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546650",
        "uuid": "e64afa0a-59e8-4e4a-aec2-430a8f260cb8",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546650",
            "to_ids": true,
            "type": "md5",
            "uuid": "8b7d3293-0e51-4cdf-86e4-a068658e771f",
            "value": "44bf47612aa00c7c17d935dd6b971b6e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546650",
            "to_ids": true,
            "type": "sha1",
            "uuid": "031562b5-745a-4399-9c03-457001ecc0a6",
            "value": "0b86434ca5145636d745222f7e49c903ce6ef538",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546650",
            "to_ids": true,
            "type": "sha256",
            "uuid": "ffd6be8b-f8a8-4023-96fc-f88ce597fbba",
            "value": "2d3a765a86e2cea9766617abd1a7cb8a1b42734b2845cd43bd29d705dcac5102",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778897336",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "f57d7e06-e16b-4a2a-a60e-4c4fe975fb80",
            "value": "1536:qcmm0coxzcNMHZS9bJf7FkRP9niBetfo6D:qcmmizXZnfp"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778897336",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "6d9384c8-a3f1-4b8a-933b-4dfb36145db8",
            "value": "73297"
          },
          {
            "category": "Payload delivery",
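            "comment": "Generic filename; weak indicator on its own. Match it together with the hash attributes of this file object before alerting.",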
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778897336",
            "to_ids": true,
            "type": "filename",
            "uuid": "9acdb8db-7028-489b-94b0-aa6df1768d6e",
            "value": "worm.py"
          },
          {
            "category": "Other",
            "comment": "Checked: 16/05/2026\nLast-scan\t:  15/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778897336",
            "to_ids": false,
            "type": "text",
            "uuid": "5008c1b5-ae21-48ec-abb0-6ee28ad61232",
            "value": "Type Description: Python\nMicrosoft: Trojan:Python/CloudWorm.LTSN!MTB\nVT Total Detection:27/62\nFirst Submission:2026-03-05T20:57:26.000000+00:00\nLast Submission:2026-05-07T09:32:52.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546653",
        "uuid": "43c04f73-5d72-44a5-9cd6-31c17b9689f0",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546652",
            "to_ids": true,
            "type": "md5",
            "uuid": "5927ce55-acbf-4fcd-8ac1-c17c60d5b9b9",
            "value": "7354c768c17c3cfc5d6a3554f2fb83d0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546653",
            "to_ids": true,
            "type": "sha1",
            "uuid": "c493816f-544d-4c30-af94-992e47839520",
            "value": "2cd2c5268e41cdece1b0506bcda3b9eba2998119",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546653",
            "to_ids": true,
            "type": "sha256",
            "uuid": "3be717cf-6f30-449f-b411-5a43ca23a7f5",
            "value": "8ceec98e739ccac99a151e0186f2df0a51fae8a2067c0b49d53e52e38bc096a7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778897358",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "79fb9a97-0928-4612-a658-389bdb3c80c9",
            "value": "96:DZKj0i1TEyvo3gLM18woI/+x3JItVeQ8WWZOG2:DZypYuHLM1GIWItVeQ8W1G2"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778897358",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "ecfd08d2-29eb-466f-b9ec-ae7b166e5986",
            "value": "3392"
          },
          {
            "category": "Payload delivery",
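            "comment": "Generic filename; weak indicator on its own. Match it together with the hash attributes of this file object before alerting.",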
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778897358",
            "to_ids": true,
            "type": "filename",
            "uuid": "3d739946-bb37-4897-a260-3a720b81013f",
            "value": "crypto_util.py"
          },
          {
            "category": "Other",
            "comment": "Checked: 16/05/2026\nLast-scan\t:  15/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778897358",
            "to_ids": false,
            "type": "text",
            "uuid": "3a0d2865-477b-45c3-a3bd-67e9a9c91cc4",
            "value": "Type Description: Python\nMicrosoft: Trojan:Python/CloudWorm.LTSN!MTB\nVT Total Detection:25/62\nFirst Submission:2026-04-29T00:19:53.000000+00:00\nLast Submission:2026-05-07T09:33:35.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546655",
        "uuid": "8e3d163c-6424-4caf-9562-aac477d4f248",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546655",
            "to_ids": true,
            "type": "md5",
            "uuid": "61f9d9b6-502b-40b0-b140-27528148a89d",
            "value": "273e2d4e56f33cec2a513adc41cd2066",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546655",
            "to_ids": true,
            "type": "sha1",
            "uuid": "a70798a8-7051-4373-8f24-4fc5da40f4a5",
            "value": "2fab324eb0d927846c8744dc0e217beea65138e0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546655",
            "to_ids": true,
            "type": "sha256",
            "uuid": "0812dd71-aa8b-4690-a5e9-890ad3fca484",
            "value": "3676afced780af0d8644e36a8c9aaaff7495cd0e3cf5eb0026c87021cf922f3f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778897380",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "90086cd8-d27c-4b75-93ee-43052702c8f3",
            "value": "196608:W3hmSje1mtY1VszMUk33BIxMi620no+yc92RmZO4JEvuXGBuIONFJBi4FGq8gCvU:EZG33BXyWEuOfukd88vn04L47EIj7"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778897380",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "d143fa6c-41db-4724-a51a-2e0473b68610",
            "value": "30822548"
          },
          {
            "category": "Payload delivery",
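            "comment": "VirusTotal vhash: a similarity-cluster value, not a unique file identifier. A match indicates a related sample, not necessarily this exact file.",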
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778897380",
            "to_ids": true,
            "type": "vhash",
            "uuid": "85e0d52b-5a1d-4fb7-b8ba-f9efb9369e36",
            "value": "40aca5ef6b8ba9488ede2429c0c7e83e"
          },
          {
            "category": "Payload delivery",
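            "comment": "Generic filename; weak indicator on its own. Match it together with the hash attributes of this file object before alerting.",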
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778897380",
            "to_ids": true,
            "type": "filename",
            "uuid": "c435b0e4-dbeb-49a2-aad4-c1d6166fdda5",
            "value": "update-386.bin"
          },
          {
            "category": "Other",
            "comment": "Checked: 16/05/2026\nLast-scan\t:  16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778897380",
            "to_ids": false,
            "type": "text",
            "uuid": "a2202805-fe10-407f-aa67-232fd4561194",
            "value": "Type Description: ELF\nMicrosoft: Trojan:Linux/CloudWorm.LTSN!MTB\nVT Total Detection:33/64\nFirst Submission:2026-05-07T09:34:30.000000+00:00\nLast Submission:2026-05-07T09:34:30.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546658",
        "uuid": "47aaf543-707d-4916-bb0c-cb1601178424",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546657",
            "to_ids": true,
            "type": "md5",
            "uuid": "5140c462-7565-4008-9f7f-4cdb5da72a74",
            "value": "8210f56c98b0f77b3a28649c3b310d3e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546658",
            "to_ids": true,
            "type": "sha1",
            "uuid": "080eadf0-b999-4c8f-a9af-8e0536582361",
            "value": "339cbf61c80f757085c5afb7304d69f323bdf87a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546658",
            "to_ids": true,
            "type": "sha256",
            "uuid": "6e61f986-ea51-4dcf-8d50-cad7e498e71b",
            "value": "932058dd584b430f666d64d8bbdf769a8f0b62b67e2c64e41eb9dd40552bd78e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778897402",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "2d2387aa-587c-4642-b610-c6d536000c1d",
            "value": "768:tmmRnbvOzAAdFzVEmCpRVYwA70A02Zz8ZrgjWnwYz3yyTB2:gUzOzAttYlIA0COrrnwYz3yA2"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778897402",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "d4df0aa1-ec96-4074-b1eb-145c4715dad9",
            "value": "50105"
          },
          {
            "category": "Other",
            "comment": "Checked: 16/05/2026\nLast-scan\t:  16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778897402",
            "to_ids": false,
            "type": "text",
            "uuid": "224fc71f-c4a1-4c9c-a2d1-13782619579a",
            "value": "Type Description: Shell script\nMicrosoft: Trojan:SH/CloudWorm.LTSN!MTB\nVT Total Detection:23/61\nFirst Submission:2026-04-29T12:24:37.000000+00:00\nLast Submission:2026-04-29T12:24:37.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546661",
        "uuid": "a8a884c0-81f1-475a-b7bb-64fead6066ce",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546660",
            "to_ids": true,
            "type": "md5",
            "uuid": "fd6b6eaf-e94c-427f-8508-079c312a2081",
            "value": "9b0264dd7b47b7645d7628b55fe08440",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546660",
            "to_ids": true,
            "type": "sha1",
            "uuid": "0e7f77a1-e8a1-4913-af8b-fcc35dcf8569",
            "value": "6060da100b5cd587131a1c11a20d6e0108604744",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546661",
            "to_ids": true,
            "type": "sha256",
            "uuid": "60307710-9c2d-49c2-8829-7df439fa7b52",
            "value": "5672e18c69d02eda348068f2e3c414cd2e184495cef57c57387aa14f6f5935a2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778897424",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "cc086695-edca-4d91-8b60-cae7b4438dde",
            "value": "196608:sfp/IWze0I6F3QCSqU8DCRzuI2o+qV2ntoR1P8e/QebA3qy22nVHg:sfp/3xuxpuID+qV2nt5eHuqj2a"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778897424",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "7b12b385-1c75-4724-8335-5ea0f4347c9b",
            "value": "23789716"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778897424",
            "to_ids": true,
            "type": "vhash",
            "uuid": "b557d968-1361-41c2-983c-6ec5dd653f58",
            "value": "6c625ba8045acd8c783b1954fb128059"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778897424",
            "to_ids": true,
            "type": "filename",
            "uuid": "b153b86f-e0c0-4226-adbd-13fcf628df76",
            "value": "update-arm.bin"
          },
          {
            "category": "Other",
            "comment": "Checked: 16/05/2026\nLast-scan\t:  16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778897424",
            "to_ids": false,
            "type": "text",
            "uuid": "a18d682d-3401-4c22-bef2-e77b65ce6ddf",
            "value": "Type Description: ELF\nMicrosoft: Trojan:Linux/CloudWorm.LTSN!MTB\nVT Total Detection:30/64\nFirst Submission:2026-05-07T09:34:13.000000+00:00\nLast Submission:2026-05-07T09:34:13.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546664",
        "uuid": "7bb896c2-704c-4d72-85ea-48c2747a6129",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546663",
            "to_ids": true,
            "type": "md5",
            "uuid": "a391ed29-f85f-4a5f-b182-4ac098935137",
            "value": "dab862fbe1f673911f7afcb13a191bd9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546663",
            "to_ids": true,
            "type": "sha1",
            "uuid": "5b36b12e-980b-4e53-a61d-523bf9544605",
            "value": "848ef1f638807826586802428a7ebafdc710915c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546664",
            "to_ids": true,
            "type": "sha256",
            "uuid": "3b7f7d6d-d343-4cfa-ad24-b8ee49593814",
            "value": "7b4a60397103a4176cb9abd480b74e372e909543f212ad450bd272e6fffd4a4a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778897446",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "c86c8acf-2a5e-433b-b177-e472b601595f",
            "value": "96:+v0upqgCoRElb6Zb9b/gCFs4t9wh0CJA5TGLR469V86BglXTwNVGI/l:opqgCow0RvoW5y4+HADwDv"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778897446",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "85a92016-0f9b-4b01-a94b-254acea9c9cc",
            "value": "7700"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778897446",
            "to_ids": true,
            "type": "filename",
            "uuid": "c5ee5abd-a5fb-456f-8b15-4198ba159903",
            "value": "cloud_ranges.py"
          },
          {
            "category": "Other",
            "comment": "Checked: 16/05/2026\nLast-scan\t:  13/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778897446",
            "to_ids": false,
            "type": "text",
            "uuid": "91d92ddd-491c-4a51-9428-c8e1d9952536",
            "value": "Type Description: Python\nMicrosoft: Trojan:Python/CloudWorm.LTSN!MTB\nVT Total Detection:19/63\nFirst Submission:2026-04-29T00:20:26.000000+00:00\nLast Submission:2026-05-07T09:33:28.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546666",
        "uuid": "5d45eb89-b309-4096-8242-cbddf5f37827",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546666",
            "to_ids": true,
            "type": "md5",
            "uuid": "1a10b8dc-f1d2-40e0-b73a-34c801ac3a0c",
            "value": "9b2783fbc2a4a8e910ae0839ba031d2d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546666",
            "to_ids": true,
            "type": "sha1",
            "uuid": "bef11185-e7cb-4265-abc8-a19fccf31b89",
            "value": "9c7ab48c9fdbbeecdad8433529bdab38584f0e25",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546666",
            "to_ids": true,
            "type": "sha256",
            "uuid": "9b411273-dbac-4aca-aab1-d073569a8bd7",
            "value": "f3b092e9770e7cde71b6684defa7972c800b3daf3336aae056b891ac9e8cb9aa",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778897468",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "fc371f7d-e661-40a0-998c-21d55787302f",
            "value": "384:v9HAsCbPoto4hQvCrHAEK1MkOobnXj4RaVooAtj:v94PotomQKc1PdX8RQo31"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778897468",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "7be88065-0736-46e2-a13d-5888970a40f0",
            "value": "23014"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778897468",
            "to_ids": true,
            "type": "filename",
            "uuid": "bd928d5f-6723-40ce-b83c-8ccc70147872",
            "value": "utils.py"
          },
          {
            "category": "Other",
            "comment": "Checked: 16/05/2026\nLast-scan\t:  16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778897468",
            "to_ids": false,
            "type": "text",
            "uuid": "dae0c054-e124-49b0-b24e-4e56c3414601",
            "value": "Type Description: Python\nMicrosoft: Trojan:Python/CloudWorm.LTSN!MTB\nVT Total Detection:23/62\nFirst Submission:2026-04-28T08:01:01.000000+00:00\nLast Submission:2026-05-07T09:33:43.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546669",
        "uuid": "091e5fe4-922d-4f4d-bfe5-e3671636a115",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546668",
            "to_ids": true,
            "type": "md5",
            "uuid": "8a8ab9d6-2553-4cc9-a227-86304128875a",
            "value": "eaff4f12dd24edd8881019835be5bd05",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546669",
            "to_ids": true,
            "type": "sha1",
            "uuid": "4a54bfb9-0b29-475b-b033-4ce0acd06ac2",
            "value": "a20a9924d92c2b06d82b79c0fe87451c650cabec",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546669",
            "to_ids": true,
            "type": "sha256",
            "uuid": "3c2439a9-bdcd-4f98-a1e2-5e5e11f8ed3b",
            "value": "ce4bdb4e07d291997310b65fae74280c81ecb2651658fc4a97192346297c3df9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778897489",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "5a78dfab-4edc-4678-ac0f-2251a796cee2",
            "value": "96:JShAC2Mm2bBQqJtdwqY0K/ZKaLT+I0KCtX64r9xp3CsKQsxQGttc7dTmsndh4u4s:MZbBHTK1LZKa3+I2kMkQGt5OD4uhX2yR"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778897489",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "90ab9531-072c-4a28-b002-a9df32ab519f",
            "value": "9559"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778897489",
            "to_ids": true,
            "type": "filename",
            "uuid": "909f4d88-d627-4463-b75a-3858e9c57fd5",
            "value": "bootstrap.sh--"
          },
          {
            "category": "Other",
            "comment": "Checked: 16/05/2026\nLast-scan\t:  16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778897489",
            "to_ids": false,
            "type": "text",
            "uuid": "0445d9dc-5400-4f77-b948-8ee6a8776f94",
            "value": "Type Description: Shell script\nMicrosoft: Trojan:SH/CloudWorm.LTSN!MTB\nVT Total Detection:25/61\nFirst Submission:2026-04-28T15:33:14.000000+00:00\nLast Submission:2026-05-07T09:32:35.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546672",
        "uuid": "b48d4d4b-a3ed-4898-92af-624c12c8c9a2",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546671",
            "to_ids": true,
            "type": "md5",
            "uuid": "1392e7e1-884a-4e97-b612-fb3b85a5a94b",
            "value": "08a7282a935d6baf3d450fe4f47b67fb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546672",
            "to_ids": true,
            "type": "sha1",
            "uuid": "51bbec6e-af8d-4818-b345-8cafd5a48951",
            "value": "fed52a4bbac7b5b6ae4f76cab3eadd67e79227e3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546672",
            "to_ids": true,
            "type": "sha256",
            "uuid": "3133890a-e404-4c43-8f79-cf99d104b559",
            "value": "c788d79efa368c71bb40c7514e0a48afee1b7c8aa7a85201c97c88d038e0c886",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778897511",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "5d2758c7-0cf6-4855-8817-1152462e80ee",
            "value": "768:a17sl3IU9gajDe9dFJtOTVqR/ZXxCH2o1MFfn2u/Qgj6Z8KVUzS/oL4xe2cyi:aml4o1a/JtOxq5pyMIyyi"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778897511",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "0fe3a72c-dc20-4764-9b6e-8057545efa9a",
            "value": "54213"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778897511",
            "to_ids": true,
            "type": "filename",
            "uuid": "fae05ab7-84e7-4f24-b72b-59b647113a72",
            "value": "lateral.py"
          },
          {
            "category": "Other",
            "comment": "Checked: 16/05/2026\nLast-scan\t:  15/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778897511",
            "to_ids": false,
            "type": "text",
            "uuid": "adca26bd-2848-474a-9c90-bc7f7cd3b425",
            "value": "Type Description: Python\nMicrosoft: Trojan:Python/CloudWorm.LTSN!MTB\nVT Total Detection:30/62\nFirst Submission:2026-04-29T00:14:29.000000+00:00\nLast Submission:2026-05-07T09:33:05.000000+00:00"
          }
        ]
      }
    ]
  }
}