{
  "Event": {
    "analysis": "1",
    "date": "2026-04-01",
    "extends_uuid": "",
    "info": "[Threat Intel] North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack",
    "protected": false,
    "publish_timestamp": "1775970089",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1775970089",
    "uuid": "6fdf6d12-d9cf-4b8d-8987-e86d2ad0c667",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#6e57da",
        "local": false,
        "name": "misp-galaxy:producer=\"Mandiant\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d37d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#d596aa",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Compromise Software Supply Chain - T1195.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#7628f7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Unix Shell - T1059.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#b76d96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:country=\"north korea\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#18005e",
        "local": false,
        "name": "rectifyq:topic=\"supply-chain\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"APT\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"UNC1069\"",
        "relationship_type": ""
      },
      {
        "colour": "#3500ca",
        "local": false,
        "name": "rectifyq:detection-rules=\"yara-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775098812",
        "to_ids": false,
        "type": "link",
        "uuid": "a5255fae-6e14-4a07-ae93-5648f0deded3",
        "value": "https://cloud.google.com/blog/topics/threat-intelligence/north-korea-threat-actor-targets-axios-npm-package/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775098812",
        "to_ids": false,
        "type": "text",
        "uuid": "687d9b4e-079a-4f03-8637-519356fc8cd3",
        "value": "Google Threat Intelligence Group (GTIG) is tracking an active software supply chain attack targeting the popular Node Package Manager (NPM) package \"axios.\" Between March 31, 2026, 00:21 and 03:20 UTC, an attacker introduced a malicious dependency named \"plain-crypto-js\" into axios NPM releases versions 1.14.1 and 0.30.4. Axios is the most popular JavaScript library used to simplify HTTP requests, and these packages typically have over 100 million and 83 million weekly downloads, respectively. This malicious dependency is an obfuscated dropper that deploys the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775098812",
        "to_ids": false,
        "type": "text",
        "uuid": "c94ea4b1-c391-4c9e-9e4c-6c373fd846f3",
        "value": "Name: North Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain Attack\nAuthor: AlienVault\nAdversary: UNC1069\nTags: [\"JavaScript\", \"NPM\", \"axios\"]\nTargeted countries: []\nMalware families: []\nAttack_ids: [\"T1059.006\", \"T1059.001\", \"T1195.002\", \"T1059.004\", \"T1547.001\"]\nIndustries: []"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775961215",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "dc845c24-4c92-417a-a8eb-c2439586f95e",
        "value": "UNC1069",
        "Tag": [
          {
            "colour": "#0088cc",
            "local": false,
            "name": "misp-galaxy:threat-actor=\"UNC1069\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VirusTotal (VT)\r\nLast check: 2026-04-12",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775964150",
        "to_ids": true,
        "type": "sha1",
        "uuid": "de68c3b2-838f-4f1b-ac6c-f356410404db",
        "value": "6119a9735c3f294183164833582a0c9f38b24d70",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VirusTotal (VT)\r\nLast check: 2026-04-12",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775964151",
        "to_ids": true,
        "type": "sha1",
        "uuid": "89ffb204-629d-4c75-aa98-0481c88593d8",
        "value": "c6f553ee31f7f9ed93bb69324fa64483173d046e",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775965401",
        "to_ids": true,
        "type": "domain",
        "uuid": "3cf8c11d-b57b-4892-abe5-03c1c76e6519",
        "value": "sfrclak.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775965422",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "996453ea-fa2b-4d1f-b816-c42b96c6a8e3",
        "value": "142.11.206.73",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "On port 8000 (the port is not part of this value)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775965443",
        "to_ids": true,
        "type": "url",
        "uuid": "4908672e-b14b-4945-a588-225bfbb7dcc8",
        "value": "http://sfrclak.com",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775965464",
        "to_ids": true,
        "type": "url",
        "uuid": "d4fb84ee-ceef-4f07-b750-eaa310341146",
        "value": "http://sfrclak.com:8000/6202033",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Suspected UNC1069 Infrastructure",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775965485",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "8fb375ff-bb67-4c54-b73e-8957b2a68b2d",
        "value": "23.254.167.216",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1775961261",
        "uuid": "de32fa1c-86e9-4879-beff-f32bbef5b911",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1775961261",
            "to_ids": false,
            "type": "text",
            "uuid": "909a67b8-602d-4bc5-9443-c52de478e637",
            "value": "G_Backdoor_WAVESHAPER.V2_PS_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1775961261",
            "to_ids": false,
            "type": "comment",
            "uuid": "5be96c4a-5520-484d-89d7-219f56a9c678",
            "value": "Detects the WAVESHAPER.V2 PowerShell backdoor which communicates with C2 via base64 encoded JSON beacons and supports PE injection and script execution"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1775961261",
            "to_ids": true,
            "type": "yara",
            "uuid": "21e11a48-f02c-4bf6-afee-5edb980a43f9",
            "value": "rule G_Backdoor_WAVESHAPER.V2_PS_1\r\n{\r\n    meta:\r\n        description = \"Detects the WAVESHAPER.V2 PowerShell backdoor which communicates with C2 via base64 encoded JSON beacons and supports PE injection and script execution\"\r\n        author = \"GTIG\"\r\n        md5 = \"04e3073b3cd5c5bfcde6f575ecf6e8c1\"\r\n        date_created = \"2026/03/31\"\r\n        date_modified = \"2026/03/31\"\r\n        rev = 1\r\n        platforms = \"Windows\"\r\n        family = \"WAVESHAPER.V2\"\r\n    strings:\r\n        $ss1 = \"packages.npm.org/product1\" ascii wide nocase\r\n        $ss2 = \"Extension.SubRoutine\" ascii wide nocase\r\n        $ss3 = \"rsp_peinject\" ascii wide nocase\r\n        $ss4 = \"rsp_runscript\" ascii wide nocase\r\n        $ss5 = \"rsp_rundir\" ascii wide nocase\r\n        $ss6 = \"Init-Dir-Info\" ascii wide nocase\r\n        $ss7 = \"Do-Action-Ijt\" ascii wide nocase\r\n        $ss8 = \"Do-Action-Scpt\" ascii wide nocase\r\n    condition:\r\n        uint16(0) != 0x5A4D and filesize < 100KB and 5 of ($ss*)\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1775961276",
        "uuid": "4f362e9d-a72f-4969-8ed7-649e5fa60141",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1775961276",
            "to_ids": false,
            "type": "text",
            "uuid": "845090a8-2989-49d8-9ca3-2884719cf6d8",
            "value": "G_Hunting_Downloader_suspected_UNC1069_PS_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1775961276",
            "to_ids": false,
            "type": "comment",
            "uuid": "7514dea3-9777-4cf5-b58b-d72748cf20fc",
            "value": "Detects PowerShell dropper associated with suspected UNC1069 and Axios npm package supply chain attack. Associated to WAVESHAPER.V2"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1775961276",
            "to_ids": true,
            "type": "yara",
            "uuid": "13805873-1919-4076-b6d6-c7c13806787d",
            "value": "rule G_Hunting_Downloader_suspected_UNC1069_PS_1\r\n{\r\n    meta:\r\n        description = \"Detects PowerShell dropper associated with suspected UNC1069 and Axios npm package supply chain attack. Associated to WAVESHAPER.V2\"\r\n        author = \"GTIG\"\r\n        md5 = \"089e2872016f75a5223b5e02c184dfec\"\r\n        date_created = \"2026/03/31\"\r\n        date_modified = \"2026/03/31\" \r\n        rev = 1\r\n        platforms = \"Windows\"\r\n    strings:\r\n        $ss1 = \"start /min powershell -w h\" ascii wide nocase\r\n        $ss2 = \"[scriptblock]::Create([System.Text.Encoding]::UTF8.GetString\" ascii wide nocase\r\n        $ss3 = \"Invoke-WebRequest -UseBasicParsing\" ascii wide nocase\r\n        $ss4 = \"-Method POST -Body\" ascii wide nocase\r\n        $ss5 = \"packages.npm.org/product1\" ascii wide nocase\r\n    condition:\r\n        uint16(0) != 0x5A4D and filesize < 5KB and all of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1775961294",
        "uuid": "a2a7c2b6-6e71-4716-bb8e-c4ba1defd459",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1775961294",
            "to_ids": false,
            "type": "text",
            "uuid": "ce32714f-881c-4239-a65e-0e4331748941",
            "value": "G_Hunting_Downloader_SILKBELL_1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1775961294",
            "to_ids": false,
            "type": "comment",
            "uuid": "b7d684d9-ca00-4011-b5a6-f959e911bba7",
            "value": "Detects the obfuscated version of the JS NPM supply chain downloader using Base64 obfuscation and custom XOR. Associated with WAVESHAPER.V2"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1775961294",
            "to_ids": true,
            "type": "yara",
            "uuid": "29a684ad-4bef-4e68-8196-a274a7e65594",
            "value": "rule G_Hunting_Downloader_SILKBELL_1\r\n{\r\n    meta:\r\n        description = \"Detects the obfuscated version of the JS NPM supply chain downloader using Base64 obfuscation and custom XOR. Associated with WAVESHAPER.V2\"\r\n        author = \"GTIG\"\r\n        md5 = \"7658962ae060a222c0058cd4e979bfa1\"\r\n        date_created = \"2026/03/31\"\r\n        date_modified = \"2026/03/31\" \r\n        rev = 1\r\n        platforms = \"Any\"\r\n    strings:\r\n        $ss1 = \"OrDeR_7077\" ascii wide fullword\r\n        $ss2 = \"String.fromCharCode(S^a^333)\" ascii wide\r\n        $ss3 = \"\\\"TE9DQUw^\\\".replaceAll(\\\"^\\\",\\\"=\\\")\" ascii wide\r\n        $ss4 = \"\\\"UFM_\\\".replaceAll(\\\"_\\\",\\\"=\\\")\" ascii wide\r\n        $ss5 = \"\\\"U0NSXw--\\\".replaceAll(\\\"-\\\",\\\"=\\\")\" ascii wide\r\n        $ss6 = \"\\\"UFNfQg--\\\".replaceAll(\\\"-\\\",\\\"=\\\")\" ascii wide\r\n        $ss7 = \"\\\"d2hlcmUgcG93ZXJzaGVsbA((\\\".replaceAll(\\\"(\\\",\\\"=\\\")\" ascii wide\r\n    condition:\r\n        uint16(0) != 0x5A4D and filesize < 100KB and all of them\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775965507",
        "uuid": "a6375a19-721b-45a3-addd-73dc374d33cc",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775965507",
            "to_ids": true,
            "type": "md5",
            "uuid": "9406bae9-5324-4e34-ba5f-d03d9790bb52",
            "value": "04e3073b3cd5c5bfcde6f575ecf6e8c1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775964141",
            "to_ids": true,
            "type": "sha1",
            "uuid": "fa2a6a25-bfcd-48bb-a33c-94b97827e0b9",
            "value": "a90c26e7cbb3440ac1cad75cf351cbedef7744a8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775964141",
            "to_ids": true,
            "type": "sha256",
            "uuid": "67b70779-b827-4628-a618-65f2a4a9d949",
            "value": "617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775963230",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "9ad714cd-a875-4611-9390-b645a33ef84b",
            "value": "192:b9u9gG89mD+SOzuahCnGX1pybp0j5PWFmFBiMluIY26qb7cTOXAWumPTvCfuYRNI:b4KG8MwzuaEnGDPWFsBiM9Yy/LCfj7H6"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775963230",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "95a9c60e-d297-4d3d-80bd-ff8566f8fb7c",
            "value": "11042"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775963230",
            "to_ids": true,
            "type": "vhash",
            "uuid": "6b6a8422-11db-47c2-b815-df05a5733b21",
            "value": "58929cf2b703de329505bcef391d8dcb"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775963230",
            "to_ids": true,
            "type": "filename",
            "uuid": "3bc9f6d7-3244-47b9-b048-33e4bfb68f70",
            "value": "617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101.ps1"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-04-12\nLast scan: 2026-04-11",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775963230",
            "to_ids": false,
            "type": "text",
            "uuid": "bf4c7a01-c4f5-4e39-80dd-4f3f39afa559",
            "value": "Type Description: Powershell\nMicrosoft: Backdoor:PowerShell/TalonStrike.B!dha\nVT Total Detection:35/62\nFirst Submission:2026-03-31T02:52:21.000000+00:00\nLast Submission:2026-04-02T07:10:20.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775965528",
        "uuid": "c3a9cdae-ff08-4d79-a89f-2ff6ba5a27ae",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775965528",
            "to_ids": true,
            "type": "md5",
            "uuid": "edac3abd-16a7-481a-94ad-958cfbdb82d1",
            "value": "089e2872016f75a5223b5e02c184dfec",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775964142",
            "to_ids": true,
            "type": "sha1",
            "uuid": "3021c05d-540a-4044-a6b7-498ad25af83f",
            "value": "978407431d75885228e0776913543992a9eb7cc4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775964142",
            "to_ids": true,
            "type": "sha256",
            "uuid": "cac2c3e9-b4ea-4724-a5b2-80482aa41f65",
            "value": "f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775963251",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "77aedc7e-a694-4283-ae66-2eaf90171f42",
            "value": "6:rz8SFXF+RLgyKBM3S1z+ILh8JkziZw1T34WSV2o4VhRUaep1T34W0:X8+ERLgyaIS1HGuziZwh2MhXsh0"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775963251",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "ce6400a4-9511-4755-985e-8961309140b3",
            "value": "265"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775963251",
            "to_ids": true,
            "type": "filename",
            "uuid": "d390d675-b042-4509-bc4b-304b6174419f",
            "value": "f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd.bat"
          },
          {
            "category": "Other",
            "comment": "Checked: 12/04/2026\nLast-scan\t:  12/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775963251",
            "to_ids": false,
            "type": "text",
            "uuid": "e05676b4-5fb1-41e8-b4c2-188fc4fbc9f6",
            "value": "Type Description: Powershell\nMicrosoft: TrojanDownloader:BAT/TalonStrike.F!dha\nVT Total Detection:34/62\nFirst Submission:2026-03-31T02:26:44.000000+00:00\nLast Submission:2026-04-10T09:14:02.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775965549",
        "uuid": "8102ff7d-087a-4618-a31d-fff4e224ea19",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775965549",
            "to_ids": true,
            "type": "md5",
            "uuid": "0a654312-dd05-4d6c-aa4d-5cbc7645d8c2",
            "value": "7658962ae060a222c0058cd4e979bfa1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775964143",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e1d1f44d-9274-4d8e-a790-52aef67a964c",
            "value": "b0e0f12f1be57dc67fa375e860cedd19553c464d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775964143",
            "to_ids": true,
            "type": "sha256",
            "uuid": "70e523a2-a8dd-4a54-b68c-7760597fc6da",
            "value": "e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775963273",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "ea756a85-b39c-435a-85de-e83228646fd4",
            "value": "96:V0BwY31H/x2Nov7NMUtjlNU0kCsSuckO6Jg5yD8pm:V07H/x2NSBNxjl4S9t5yopm"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775963273",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "1c369cb4-714e-458e-8ab5-5d2a4c00b9b0",
            "value": "4209"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775963273",
            "to_ids": true,
            "type": "vhash",
            "uuid": "9cfc7e7c-d4a9-423b-b0ea-48f61c90a295",
            "value": "38941ec9dea7b975f11cc8643b2a9926"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775963273",
            "to_ids": true,
            "type": "filename",
            "uuid": "36c3d91d-4851-4871-9d18-4a34fc2fd991",
            "value": "setup.js"
          },
          {
            "category": "Other",
            "comment": "Checked: 12/04/2026\nLast-scan\t:  11/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775963273",
            "to_ids": false,
            "type": "text",
            "uuid": "f1ea57dd-fa8d-4ac1-a349-ec4fed36f985",
            "value": "Type Description: JavaScript\nMicrosoft: TrojanDownloader:JS/TalonStrike.D!dha\nVT Total Detection:34/62\nFirst Submission:2026-03-31T04:19:15.000000+00:00\nLast Submission:2026-04-10T03:39:09.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775965570",
        "uuid": "b89c6a0c-3540-4db4-bb3e-fc196efa699e",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775965570",
            "to_ids": true,
            "type": "md5",
            "uuid": "9d4b333e-97ab-47ee-9420-690e36d8e5bd",
            "value": "7a9ddef00f69477b96252ca234fcbeeb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775964145",
            "to_ids": true,
            "type": "sha1",
            "uuid": "6c875369-9ef3-4d8c-9015-59a083633258",
            "value": "13ab317c5dcab9af2d1bdb22118b9f09f8a4038e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775964145",
            "to_ids": true,
            "type": "sha256",
            "uuid": "16ebb8d6-7ccc-4803-8f54-2007c18f7dfc",
            "value": "92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775963295",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "9f9e2422-791f-46d4-add3-1c1ce06f255a",
            "value": "6144:xjazCtUlrLxJnzsOOAx2Y+AktJgRESAtxVZS63vYdCzsbAkuNjepym:xjazCtyJcYKgRESAT93AdUjepym"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775963295",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "34aa3881-2187-44bd-83e1-ca9093f16aad",
            "value": "657424"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775963295",
            "to_ids": true,
            "type": "vhash",
            "uuid": "1ba278a4-637f-460a-8bc4-a8bfbd7dac23",
            "value": "5888402d25bc5f77c7c3d92ca5d30997"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775963295",
            "to_ids": true,
            "type": "filename",
            "uuid": "656109f0-b3b6-4327-8476-34078790e2c7",
            "value": "92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a.macho"
          },
          {
            "category": "Other",
            "comment": "Checked: 12/04/2026\nLast-scan\t:  11/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775963295",
            "to_ids": false,
            "type": "text",
            "uuid": "353f7489-194b-4301-8cab-b49036c1c00a",
            "value": "Type Description: Mach-O\nMicrosoft: Backdoor:MacOS/TalonStrike.A!dha\nVT Total Detection:36/64\nFirst Submission:2026-03-31T01:05:29.000000+00:00\nLast Submission:2026-04-08T14:55:14.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775965591",
        "uuid": "b8ff9c45-5014-4415-92e1-81abbee818f2",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775965591",
            "to_ids": true,
            "type": "md5",
            "uuid": "c13e67fc-04a3-410e-a33a-42df183c9931",
            "value": "db7f4c82c732e8b107492cae419740ab",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775964146",
            "to_ids": true,
            "type": "sha1",
            "uuid": "014bde23-17a4-4e46-850f-83fb8ea84452",
            "value": "07d889e2dadce6f3910dcbc253317d28ca61c766",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775964146",
            "to_ids": true,
            "type": "sha256",
            "uuid": "1c2dcd9a-f33e-4aae-88bd-a3a47ae9a9a2",
            "value": "58401c195fe0a6204b42f5f90995ece5fab74ce7c69c67a24c61a057325af668",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775963316",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "ea1622c7-af94-4d19-b625-a7a3a68a12e0",
            "value": "1536:uXG6U0Qn6xK9yaoMZ2NUX6KX1hkKAqFlsaPXOdV2VLbgQvMjCtVpWl+0iium82FM:uWD6MIMAiDXoL6wQg9jQVElKI82Te"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775963316",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "49f6a1a7-604c-46e5-bf8e-b8e9fc33fb81",
            "value": "89868"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775963316",
            "to_ids": true,
            "type": "vhash",
            "uuid": "9bba8381-015c-458c-bd8b-13c61d096978",
            "value": "cd8e4404877b2b40dc62d177414fd4bb"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775963316",
            "to_ids": true,
            "type": "filename",
            "uuid": "a7b32afe-a83d-48a8-9c8a-3516e8d64718",
            "value": "58401c195fe0a6204b42f5f90995ece5fab74ce7c69c67a24c61a057325af668.gz"
          },
          {
            "category": "Other",
            "comment": "Checked: 12/04/2026\nLast-scan\t:  11/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775963316",
            "to_ids": false,
            "type": "text",
            "uuid": "48eb155d-441b-45ca-af32-99932e6cadae",
            "value": "Type Description: GZIP\nMicrosoft: TrojanDownloader:JS/TalonStrike.D!dha\nVT Total Detection:34/63\nFirst Submission:2026-03-31T02:57:22.000000+00:00\nLast Submission:2026-04-08T05:57:15.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775965612",
        "uuid": "0ac053d0-ae91-4f1f-8bf1-745dd61af610",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775965612",
            "to_ids": true,
            "type": "md5",
            "uuid": "f7011094-75da-4486-92d7-2198ef0edb9a",
            "value": "90e8e227ba8bef0ea7e0212b5b1e0d4c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775964147",
            "to_ids": true,
            "type": "sha1",
            "uuid": "df33b168-7086-446b-ac4e-286d3c3b2552",
            "value": "dbd62d788ce8dcaa96116a73f70ee24813d59428",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775964147",
            "to_ids": true,
            "type": "sha256",
            "uuid": "6d1346f5-ff05-458e-8bcd-91f107fc38eb",
            "value": "ed8560c1ac7ceb6983ba995124d5917dc1a00288912387a6389296637d5f815c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775963338",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "1290ea6b-a072-4f36-a41b-897cab80dbb0",
            "value": "192:b9u9gG89mD+SOzuahCnGX1pybp0j5PWFmFBiMluIY266b7cTOXAWnTvfOkFHPL:b4KG8MwzuaEnGDPWFsBiM9YChLf1HD"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775963338",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "114bbd1f-1c1d-4d90-991a-cd6e9bc089a7",
            "value": "10656"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775963338",
            "to_ids": true,
            "type": "vhash",
            "uuid": "00fbbe70-5542-43e1-ab1a-e489f14e1947",
            "value": "6999d755f2fc6f1ce13e39107e15280c"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775963338",
            "to_ids": true,
            "type": "filename",
            "uuid": "290a6bc5-b634-407d-97d5-764a6179f712",
            "value": "ed8560c1ac7ceb6983ba995124d5917dc1a00288912387a6389296637d5f815c.ps1"
          },
          {
            "category": "Other",
            "comment": "Checked: 12/04/2026\nLast-scan\t:  11/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775963338",
            "to_ids": false,
            "type": "text",
            "uuid": "d69f8c58-b6bd-4416-b089-244475f96391",
            "value": "Type Description: Powershell\nMicrosoft: Backdoor:PowerShell/TalonStrike.B!dha\nVT Total Detection:35/62\nFirst Submission:2026-03-31T00:39:55.000000+00:00\nLast Submission:2026-04-02T07:10:47.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775965633",
        "uuid": "0016176a-8b19-47db-b564-db3f791721e9",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775965633",
            "to_ids": true,
            "type": "md5",
            "uuid": "085aa9e6-a747-44c7-bcd7-446b495ae320",
            "value": "9663665850cdd8fe12e30a671e5c4e6f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775964148",
            "to_ids": true,
            "type": "sha1",
            "uuid": "dd9d0a51-4fbf-493c-9a1d-fca96998f48d",
            "value": "59faac136680104948e083b3b67a70af9bfa5d5e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775964149",
            "to_ids": true,
            "type": "sha256",
            "uuid": "51899255-2884-4c41-a4ca-2631799337b3",
            "value": "fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775963360",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "e1af9bc5-7384-4c23-a8cb-eef083b5ffdb",
            "value": "192:V+OTSQFF3MjzSCII7s32HaYo5uuFe0+60U2WICd/tPQTnd/Y+cLL2dPj47Hp79Bb:V+OTJRCII7sRdI8mT+IkUAsQ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775963360",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "d66beaf2-4c91-46ed-95de-bc8b19324bcc",
            "value": "12323"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775963360",
            "to_ids": true,
            "type": "filename",
            "uuid": "7d1cec2b-bf3c-4de3-8c2e-7543d3b0186e",
            "value": "__fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf.py"
          },
          {
            "category": "Other",
            "comment": "Checked: 12/04/2026\nLast-scan\t:  11/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775963360",
            "to_ids": false,
            "type": "text",
            "uuid": "50f050c1-046f-4796-ac1f-fa68c05a3d4c",
            "value": "Type Description: Python\nMicrosoft: Backdoor:Python/TalonStrike.C!dha\nVT Total Detection:36/63\nFirst Submission:2026-03-31T02:52:31.000000+00:00\nLast Submission:2026-04-08T13:20:07.000000+00:00"
          }
        ]
      }
    ]
  }
}