{
  "Event": {
    "analysis": "1",
    "date": "2026-05-07",
    "extends_uuid": "",
    "info": "[Threat Intel] Donuts and Beagles: Fake Claude site spreads backdoor",
    "protected": false,
    "publish_timestamp": "1779546731",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1779546731",
    "uuid": "7865b246-7bcb-4626-aabe-c50b31d21a89",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"Sophos\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#56c932",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Symmetric Cryptography - T1573.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#f5a258",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Native API - T1106\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#20f80d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c0051",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#3780c6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9f8b1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"",
        "relationship_type": ""
      },
      {
        "colour": "#b76d96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b95cd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#07a4a1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data Encoding - T1132\"",
        "relationship_type": ""
      },
      {
        "colour": "#30cc3b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File Deletion - T1070.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e1e63b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#18005c",
        "local": false,
        "name": "rectifyq:topic=\"ai\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778238018",
        "to_ids": false,
        "type": "link",
        "uuid": "455990c4-a99a-405a-8c60-53fbcd1d61e8",
        "value": "https://www.sophos.com/en-us/blog/donuts-and-beagles-fake-claude-site-spreads-backdoor"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778238018",
        "to_ids": false,
        "type": "text",
        "uuid": "9aa7afcf-4716-4e74-bb9a-4801c21a3337",
        "value": "A fraudulent website impersonating Anthropic's Claude AI platform has been distributing a previously undocumented backdoor called Beagle through malvertising campaigns. The attack begins when victims download a fictitious tool named Claude-Pro Relay from claude-pro[.]com, delivered as a 505 MB ZIP archive. The infection chain uses DLL sideloading: a signed G DATA antivirus updater is abused to load a malicious DLL. The technique mirrors PlugX delivery methods but deploys different payloads. Beagle supports eight commands including shell execution, file transfer, and directory listing, communicating with C2 servers using AES encryption. Related samples dating to February 2026 have been identified, with some variants delivering the AdaptixC2 framework. Additional domains impersonated security vendors like Trellix, CrowdStrike, and SentinelOne. The infrastructure spans Cloudflare for distribution and Alibaba Cloud for command and control."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778238018",
        "to_ids": false,
        "type": "text",
        "uuid": "8887f92a-d891-40e8-a98c-05e4fff85b50",
        "value": "Name: Donuts and Beagles: Fake Claude site spreads backdoor\nAuthor: AlienVault\nAdversary: \nTags: [\"beagle\", \"adaptixc2\", \"beagle backdoor\", \"donutloader\"]\nTgtd countries: []\nMlwr families: [\"Beagle\", \"DonutLoader\", \"AdaptixC2\", \"PlugX - S0013\", \"Thoper\", \"TVT\", \"DestroyRAT\", \"Sogu\", \"Kaba\", \"Korplug\"]\nAttack_ids: [\"T1573.001\", \"T1106\", \"T1140\", \"T1059\", \"T1083\", \"T1204\", \"T1041\", \"T1547.001\", \"T1566\", \"T1027\", \"T1132\", \"T1070.004\", \"T1071.001\", \"T1574.002\", \"T1105\"]\nIndustries: []"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778946614",
        "to_ids": true,
        "type": "domain",
        "uuid": "a3b187f4-9659-45bf-a3f5-8387862be5f6",
        "value": "claude-pro.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778946636",
        "to_ids": true,
        "type": "hostname",
        "uuid": "164b3aac-3fe0-4fad-b736-e45574d57916",
        "value": "license.claude-pro.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "First stage shellcode - No sample in VT\r\nLast check: 16/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779546725",
        "to_ids": true,
        "type": "sha256",
        "uuid": "31ea2d07-a532-4210-b7af-7c942c672b04",
        "value": "7f50afef2d6e52a160cceb5f2c9945ce89b8e923836e0e550245a46509a98851",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Backdoor - No sample in VT\r\nLast check: 16/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779546727",
        "to_ids": true,
        "type": "sha256",
        "uuid": "2fe872f5-49f8-429f-ae35-dd1536f5fe81",
        "value": "99cb90a3cd46650b8b766c658b7af1b8bbe54a2ac7dcf61429686fd1c548395b",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "AdaptixC2 shellcode - No sample in VT\r\nLast check: 16/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779546729",
        "to_ids": true,
        "type": "sha256",
        "uuid": "55493c54-d475-4461-b60c-f3a34f590e29",
        "value": "2c30c20854e1f6a493aef344cea2d114c566ebae096c3c75508f4e03d5492288",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778946657",
        "to_ids": true,
        "type": "hostname",
        "uuid": "9bf7d1eb-2258-4533-b17f-a458352a2e54",
        "value": "www.gouvvbo.top",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778946678",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "22965f4e-3245-401a-b4d6-37db5b7be549",
        "value": "8.217.190.58",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "NOVUpdate.exe.dat - No sample in VT\r\nLast check: 16/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779546731",
        "to_ids": true,
        "type": "sha256",
        "uuid": "fa9ffe37-ee23-4bcb-a896-b29c2d7055ce",
        "value": "33f0caec6f03727fc77ca656ab92cbf20fed53f0fe85a06ec9620aab5e8c9e27",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778946699",
        "to_ids": true,
        "type": "domain",
        "uuid": "cf93ad8b-2a44-4c0b-b166-0beb090e6754",
        "value": "update-trellix.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546697",
        "uuid": "a8c904ad-e77c-48be-9d41-1ae77bb81422",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Claude-Pro-windows-x64.zip",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546696",
            "to_ids": true,
            "type": "md5",
            "uuid": "f5516570-7a3b-4433-a522-05d1e14d76f1",
            "value": "c64eda499e2a21ad158841b9dbc7adc9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Claude-Pro-windows-x64.zip",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546697",
            "to_ids": true,
            "type": "sha1",
            "uuid": "78f1e1dd-aae1-4dfb-bb5e-5f1b3b7c5f5d",
            "value": "3de213252d98348a7d833c4956a099bfcd36b9e2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Claude-Pro-windows-x64.zip",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546697",
            "to_ids": true,
            "type": "sha256",
            "uuid": "064cb5ee-3eaa-48c4-819c-b7887a5b2795",
            "value": "35feef0e6806c14f4ccdb4fceff8a5757956c50fb5ec9644dedae665304f9f96",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778944172",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "6decfcbb-deb2-493c-97b0-91c5812417b9",
            "value": "12582912:36IkhdPiU+izHAJzyiAhmgUjp2yrieqJ2BejPU:369/+YCzAspFriEaPU"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778944172",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "eca34e2f-c67f-4012-810f-924d7431dbf6",
            "value": "529345384"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778944172",
            "to_ids": true,
            "type": "vhash",
            "uuid": "95734fcf-00df-4210-b5f8-e774241340bd",
            "value": "1d2f21722b0395121d2b6df296aba3d6"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778944172",
            "to_ids": true,
            "type": "filename",
            "uuid": "9684f532-d575-4b72-b02d-fa8cc051d8d5",
            "value": "Claude-Pro-windows-x64.zip"
          },
          {
            "category": "Other",
            "comment": "Checked: 16/05/2026\nLast-scan\t:  16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778944172",
            "to_ids": false,
            "type": "text",
            "uuid": "01429e92-894f-4b21-90d8-f5d498a80995",
            "value": "Claude-Pro-windows-x64.zip\r\nType Description: ZIP\nMicrosoft: None\nVT Total Detection:7/65\nFirst Submission:2026-04-09T18:24:22.000000+00:00\nLast Submission:2026-04-11T03:35:55.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546700",
        "uuid": "f43db3e7-2d1d-49a2-9258-1267b7ff77bf",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Claude.msi",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546699",
            "to_ids": true,
            "type": "md5",
            "uuid": "1236c61c-73c6-42c4-8b5d-706725d7b9f4",
            "value": "efac43473d7e87ede5176fe01a114abb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Claude.msi",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546699",
            "to_ids": true,
            "type": "sha1",
            "uuid": "217e8cfc-ce5b-4373-adda-593c287e518a",
            "value": "f02a97a42b303c068ac23859599d5610bcbb4550",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Claude.msi",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546700",
            "to_ids": true,
            "type": "sha256",
            "uuid": "e809085f-64c2-41cd-854d-4bb5ec78d8f4",
            "value": "86a6ffa23e924d1afbfb31b55fe780916cf3c9a4f8c3165542fdd726783fc796",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778944194",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "97f14db2-0e55-493b-9ee8-b1049f2f6b17",
            "value": "12582912:MptJq/XDBVvusI+0oT/Yi/iTL8CN1zHsEEvEUWOc:MpGVvusw2/Vix1QEEkL"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778944194",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "1e493eef-794b-4956-82ba-f3a4b593ff42",
            "value": "532928512"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778944194",
            "to_ids": true,
            "type": "vhash",
            "uuid": "909a6e8b-0425-4ea7-9ebb-3992f52cffca",
            "value": "a16aba9e1e0cc5278d5cd32faa75598d"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778944194",
            "to_ids": true,
            "type": "filename",
            "uuid": "37e38176-9087-4cb4-9883-55c35bd8af4b",
            "value": "Claude.msi"
          },
          {
            "category": "Other",
            "comment": "Checked: 16/05/2026\nLast-scan\t:  15/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778944194",
            "to_ids": false,
            "type": "text",
            "uuid": "4dee9b3d-c7f9-450c-9621-5c4603db2d33",
            "value": "Claude.msi\r\nType Description: Windows Installer\nMicrosoft: None\nVT Total Detection:15/61\nFirst Submission:2026-04-09T17:00:13.000000+00:00\nLast Submission:2026-04-11T03:42:01.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546702",
        "uuid": "ea84ae45-dcca-4d81-8e4b-9669bcb8fd3e",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "avk.dll (sideloaded DLL)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546701",
            "to_ids": true,
            "type": "md5",
            "uuid": "a0a17b10-f2bc-43cb-a316-5297d00f05a5",
            "value": "88ac1c5fc9ee89491c70ea16131e264a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "avk.dll (sideloaded DLL)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546702",
            "to_ids": true,
            "type": "sha1",
            "uuid": "973e86ea-3112-4de4-9eb8-8b084b570d71",
            "value": "910465739b3170584150e9260bfba6a65e633f35",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "avk.dll (sideloaded DLL)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546702",
            "to_ids": true,
            "type": "sha256",
            "uuid": "799fc206-e349-4825-9a3c-634224617770",
            "value": "d5590802bf0926ac30d8e31c0911439c35aead82bf17771cfd1f9a785a7bf143",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778944216",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "72f683ee-b8e4-48cd-b6a3-b2e876e85680",
            "value": "1536:slkswt5LGk3FpPTKEwhfZvEmd8nwzN68t2PCbzsYDJgzneesW5cdwJeMnx1+:shwt5xpPGEocmd8OZt2PCN1UnmwJeMnm"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778944216",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "657b0faf-2878-4f5a-9f36-002267084cda",
            "value": "84992"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778944216",
            "to_ids": true,
            "type": "vhash",
            "uuid": "e0e12bc9-e2b7-48c1-94ac-218b2f8d7a4f",
            "value": "184056655d1d056az4f?z1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778944216",
            "to_ids": true,
            "type": "filename",
            "uuid": "1d823854-46f8-4c75-8f5a-4c1aa9654a49",
            "value": "avk.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 16/05/2026\nLast-scan\t:  15/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778944216",
            "to_ids": false,
            "type": "text",
            "uuid": "8b4b2a27-7fc5-46a6-be65-08cb5688d5e3",
            "value": "avk.dll (sideloaded DLL)\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/ShellcodeRunner.AB!MTB\nVT Total Detection:47/71\nFirst Submission:2026-04-09T17:08:46.000000+00:00\nLast Submission:2026-04-09T17:08:46.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546705",
        "uuid": "829a4941-2f96-4364-8c0f-66a4f9d68c00",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "hostfxr.dll (sideloaded DLL)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546704",
            "to_ids": true,
            "type": "md5",
            "uuid": "ad49b9d3-70fe-4ef6-94dd-7333daafe72c",
            "value": "d99392248bdd7e351e63ead6733638ba",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "hostfxr.dll (sideloaded DLL)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546704",
            "to_ids": true,
            "type": "sha1",
            "uuid": "fafa8ac0-ab4f-4d90-9a2d-869df54ded0c",
            "value": "e7f240a76337620682d25c5aa654255905ba0b59",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "hostfxr.dll (sideloaded DLL)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546705",
            "to_ids": true,
            "type": "sha256",
            "uuid": "62e1e20c-3cfb-4ff4-8a88-2c7bda018e9a",
            "value": "0a19870ba24aeb9d4b5dde091ef8071d76f8a5e43ac8c6f5b9f283020580a60a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778944280",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "174e1c34-1ab9-401b-ad98-0a5d2c5dbfd5",
            "value": "6144:DMkyq8nmVF98l3XAiTRQBqKRVaUuSp6CdqcuMFXKUi4W2PhsH:DM+8AUl3QiTOB3RjJ6q1XJPhsH"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778944280",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "7b92a9e6-71f6-460e-b6c3-141f2d597d06",
            "value": "707072"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778944280",
            "to_ids": true,
            "type": "vhash",
            "uuid": "d0962bbd-7dc2-49c2-89b1-cb94c87c825b",
            "value": "175096551d15551d151dbz677z409bz2ez1"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778944280",
            "to_ids": true,
            "type": "filename",
            "uuid": "9b2f3316-5cef-4ee6-97e6-bb71c0469c7b",
            "value": "hostfxr.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 16/05/2026\nLast-scan\t:  16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778944280",
            "to_ids": false,
            "type": "text",
            "uuid": "2f111c1a-e5c1-4239-860c-473383d05fcb",
            "value": "hostfxr.dll (sideloaded DLL)\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/Ravartar!rfn\nVT Total Detection:39/71\nFirst Submission:2026-03-25T17:06:36.000000+00:00\nLast Submission:2026-03-25T17:06:36.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546707",
        "uuid": "0eed437d-57c3-4730-9c30-fe051c5b0f3f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546707",
            "to_ids": true,
            "type": "md5",
            "uuid": "972184fc-b4f0-4b05-987b-ac636528af3c",
            "value": "4faf4fd91d28e014b4f2362d6a7bb8ac",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546707",
            "to_ids": true,
            "type": "sha1",
            "uuid": "a3915495-122e-47c1-bb2a-9faa91ad66ba",
            "value": "e738db2647237281ed65461b0aaba0c110e97a8c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546707",
            "to_ids": true,
            "type": "sha256",
            "uuid": "32086f5b-c4b0-414d-bbb6-b15e14106f92",
            "value": "e6d66d192a779f195426db94d2568c03a9bd0d2e8f1972aa32a0317940ae19c2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778944323",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "c5ebfaa7-5bfe-4fde-8cb8-7a74909c3f57",
            "value": "3072:iBayppGqexox1RPuVq7Tjn2wUmWM5e3atLc/AbZSMOctBfChoOePwLQ6hilvWtTf:iBaMpsY1R2VaTzJUmWMcEc/iEMOQBfC5"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778944323",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "33b949c8-d533-4d09-9dc8-89d83411f371",
            "value": "192255"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778944323",
            "to_ids": true,
            "type": "vhash",
            "uuid": "217f6396-24a0-4046-8307-006229755935",
            "value": "a513cc7f408572c83b6f82c33d54ab96"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778944323",
            "to_ids": true,
            "type": "filename",
            "uuid": "93e01c95-1964-4085-bc6b-c9cdc891c86c",
            "value": "DeviceSync.zip"
          },
          {
            "category": "Other",
            "comment": "Checked: 16/05/2026\nLast-scan\t:  15/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778944323",
            "to_ids": false,
            "type": "text",
            "uuid": "5183b429-3d97-4bec-9c3d-e445d87e23e1",
            "value": "Type Description: ZIP\nMicrosoft: None\nVT Total Detection:44/68\nFirst Submission:2026-02-23T10:56:51.000000+00:00\nLast Submission:2026-02-25T08:32:14.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546709",
        "uuid": "98246e2f-5d92-41b8-afbc-53420b85259f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546709",
            "to_ids": true,
            "type": "md5",
            "uuid": "036f2825-7673-4ea9-8782-c3dcf725b72d",
            "value": "bb5c88de9e04e6306260b9f3a4498933",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546709",
            "to_ids": true,
            "type": "sha1",
            "uuid": "5b3d732b-0480-422d-858f-f601015b1e63",
            "value": "650fe45334fb7410a655db8684127f1d3913ac6f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546709",
            "to_ids": true,
            "type": "sha256",
            "uuid": "ffd9e89b-0dd9-4009-889e-fde2d17c6115",
            "value": "46dea8c1af85134a7b15fc7168386eadd15474b1a6159567b24e83d8a30fc6ef",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778944345",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "b62fefb3-7574-4410-a184-eb75b43dd1f6",
            "value": "6144:zdwwwFTHXgDoGWdPzB7BD9bWM6qBsWlFvWQ3xdg0vJ5xb+zdMkdRQWH+OgqtDuqx:zQQu1SM5pxWQ3x5lb+XtfIqi/Re59o6"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778944345",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "93e94dbb-cf58-4cb5-b594-dab87b37b520",
            "value": "501505"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778944345",
            "to_ids": true,
            "type": "vhash",
            "uuid": "7f750311-d70f-46ab-b0fc-e9c85c6facf4",
            "value": "9023dd223c64b31398e1d14847aa2b02"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778944345",
            "to_ids": true,
            "type": "filename",
            "uuid": "fb09e01a-9d53-458e-81eb-df22f43eb194",
            "value": "Estado de Cuenta.zip"
          },
          {
            "category": "Other",
            "comment": "Checked: 16/05/2026\nLast-scan\t:  15/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778944345",
            "to_ids": false,
            "type": "text",
            "uuid": "3eac3250-cc93-494e-a152-8c172a0939cc",
            "value": "Type Description: ZIP\nMicrosoft: None\nVT Total Detection:34/68\nFirst Submission:2026-03-25T17:06:15.000000+00:00\nLast Submission:2026-03-25T17:06:15.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546712",
        "uuid": "e8a75036-85c4-4267-94a4-dc4614c8f00b",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "MpClient.dll (sideloaded DLL)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546711",
            "to_ids": true,
            "type": "md5",
            "uuid": "c6ff31ed-2a63-4b71-a15a-af118f554506",
            "value": "3b3dd8f3a5e1ff85c63f2453ad270415",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "MpClient.dll (sideloaded DLL)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546712",
            "to_ids": true,
            "type": "sha1",
            "uuid": "8ddac29a-7b69-468d-9974-4532555e7d7c",
            "value": "caa77f63a1a86499b8d70a656c2a86fa2b77feff",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "MpClient.dll (sideloaded DLL)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546712",
            "to_ids": true,
            "type": "sha256",
            "uuid": "2b03aca6-cf08-4e26-870b-2c91cd4a629d",
            "value": "a3c5c7253c0b3ed92e86dc5661d8530a0e8acdf8768e80362e5fe897ccb6cd84",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778944367",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "d2b1b651-151e-4001-b2af-1403cf21bdcb",
            "value": "3072:pKl1VfXcccBW7hEvpf4K8sdtV0hOGubuue/4kYZSa:YlX/wMhEhdxBaV"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778944367",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "72b21795-9e73-4378-a42e-aa59b2299f8b",
            "value": "112128"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778944367",
            "to_ids": true,
            "type": "vhash",
            "uuid": "e01408b6-6d52-4ea7-bb81-552a4d5d8cd4",
            "value": "115066655d155d055az51&z10e"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778944367",
            "to_ids": true,
            "type": "filename",
            "uuid": "e8e4816b-6827-4ac0-8317-07e3a7e508d8",
            "value": "MpClient.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 16/05/2026\nLast-scan\t:  16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778944367",
            "to_ids": false,
            "type": "text",
            "uuid": "cb975de9-ceab-4216-9513-c3f00eed239f",
            "value": "MpClient.dll (sideloaded DLL)\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/Qwexlafiba!rfn\nVT Total Detection:33/71\nFirst Submission:2026-02-23T10:57:14.000000+00:00\nLast Submission:2026-02-23T10:57:14.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546715",
        "uuid": "b8023120-dbd1-4240-b554-146fcc3b7fac",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546714",
            "to_ids": true,
            "type": "md5",
            "uuid": "7624535a-56c2-43e1-916f-429cac359b22",
            "value": "fef1d3cb35129ad25d95e279565b9001",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546714",
            "to_ids": true,
            "type": "sha1",
            "uuid": "81edde96-c465-4f40-936c-35b82532e8ba",
            "value": "0440647d5a976e0464576071bbeaeb189685b6c9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546715",
            "to_ids": true,
            "type": "sha256",
            "uuid": "b5f29319-a140-431a-80a0-9a43874d9ddd",
            "value": "4457ed2e5ef770f70596735a6bac03f78e426a548335742ac761fba60f987a26",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778944389",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "4af039a1-3062-4fd7-973f-558cb336a3e1",
            "value": "12288:nT2XbiSkUnbZVepg4fDfEjldRwXF0ru8oX:T2XbiVUnbZEi1lkFUu8oX"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778944389",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "fb102fb5-d841-4381-8fef-125aa82808b9",
            "value": "399066"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778944389",
            "to_ids": true,
            "type": "vhash",
            "uuid": "67a5ce64-8ee0-49a6-aa1f-49bcada1af83",
            "value": "49a2af7026a1ecd5fba4480d9b047def"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778944389",
            "to_ids": true,
            "type": "filename",
            "uuid": "4c309cca-3b9a-4683-b540-e59ca60b9a4e",
            "value": "Claude-Pro-Relay-Technical-Overview.zip"
          },
          {
            "category": "Other",
            "comment": "Checked: 16/05/2026\nLast-scan\t:  16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778944389",
            "to_ids": false,
            "type": "text",
            "uuid": "0d5da4ed-ea91-411a-ab18-026b6fccaaaf",
            "value": "Type Description: ZIP\nMicrosoft: None\nVT Total Detection:42/68\nFirst Submission:2026-04-17T07:38:28.000000+00:00\nLast Submission:2026-04-17T07:38:28.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546717",
        "uuid": "3bb69e48-7a81-4971-89bb-48b01626a93b",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "NOVUpdate.exe (legitimate binary, misused in sideloading)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546717",
            "to_ids": true,
            "type": "md5",
            "uuid": "307447fa-e9ac-43b1-8424-463eb77d8c20",
            "value": "3a5b4b08e6ae35fd3ff44ccfb6c4b1aa",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "NOVUpdate.exe (legitimate binary, misused in sideloading)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546717",
            "to_ids": true,
            "type": "sha1",
            "uuid": "da829941-3635-497e-812a-14c7c4bf9e10",
            "value": "b5b57a9737a2572d7920d67455f370237ea3c793",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "NOVUpdate.exe (legitimate binary, misused in sideloading)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546717",
            "to_ids": true,
            "type": "sha256",
            "uuid": "b92767f0-c025-4b79-a7c7-35137f9070cb",
            "value": "be153ac4db95db7520049a4c1e5182be07d27d2c11088a2d768e931b9a981c7f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778944411",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "d82479b1-3e40-4da8-ba43-ee80341f1c45",
            "value": "6144:a90odz4lMRUBzynGdXpdMTvyE1NKBmtS/TKA8PCMNf1:a90gmMRUBzFvdMTvyEz+hLXGN"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778944411",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "a6b5bdf4-ed45-4f8f-9dee-11a88de3b0e1",
            "value": "510952"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778944411",
            "to_ids": true,
            "type": "vhash",
            "uuid": "e7e78b25-4320-46fd-805a-3cf2a685ee59",
            "value": "055056655d15151188z6e7za08013z101001gz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778944411",
            "to_ids": true,
            "type": "filename",
            "uuid": "4c3b313d-2516-4f01-89f5-e10fffccabdf",
            "value": "AVK.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 16/05/2026\nLast-scan\t:  15/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778944411",
            "to_ids": false,
            "type": "text",
            "uuid": "36b8ce8d-b710-4c4b-8fca-ff7d36b6d00b",
            "value": "NOVUpdate.exe (legitimate binary, misused in sideloading)\r\nType Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:0/71\nFirst Submission:2017-07-02T12:27:01.000000+00:00\nLast Submission:2025-12-12T02:36:59.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546720",
        "uuid": "dc741ce1-e50e-4817-a97b-687efbba7bb2",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "NOVUpdate.exe.dat",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546719",
            "to_ids": true,
            "type": "md5",
            "uuid": "1332998e-e0a3-4056-8c5a-3bc7b6a0f778",
            "value": "3fe9c84025f4401f8cd661675642c526",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "NOVUpdate.exe.dat",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546720",
            "to_ids": true,
            "type": "sha1",
            "uuid": "16c000c4-8952-4e52-b5a0-c31a1d2f4c03",
            "value": "8c1966e50b4bff1c85916e2648534d6c4d0b26c2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "NOVUpdate.exe.dat",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546720",
            "to_ids": true,
            "type": "sha256",
            "uuid": "1a15345e-3512-486c-af3a-bdfa88c98dfa",
            "value": "8ac88aeecd19d842729f000c6ab732261cb11dd15cdcbb2dd137dc768b2f12bc",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778944433",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "f6fd9f54-93c4-4603-bb5a-26784e22b76e",
            "value": "1536:maYlKPYTtOyawa/ca9gi4ZOCVt0//gCBSFPESov4VuBo/:maY1tzawCv4h4//do1fuBy"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778944433",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "07248464-2f4d-4930-aeec-df693ebd6b7c",
            "value": "91211"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778944433",
            "to_ids": true,
            "type": "filename",
            "uuid": "07fa24e7-08de-421d-8d79-6a3dd9967e93",
            "value": "NOVUpdate.exe.dat"
          },
          {
            "category": "Other",
            "comment": "Checked: 16/05/2026\nLast-scan\t:  15/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778944433",
            "to_ids": false,
            "type": "text",
            "uuid": "29db66da-d2e4-4102-98c7-c48889e75459",
            "value": "NOVUpdate.exe.dat\r\nType Description: unknown\nMicrosoft: None\nVT Total Detection:1/63\nFirst Submission:2026-05-13T13:57:26.000000+00:00\nLast Submission:2026-05-13T13:57:26.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546723",
        "uuid": "3aa64cac-fd7e-42be-9f8a-69dc19289302",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "GolddTV.msi",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546722",
            "to_ids": true,
            "type": "md5",
            "uuid": "6bdbcd56-54a9-4118-954b-5507511e5dee",
            "value": "796f82a4833be330b1e35af63e55b597",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "GolddTV.msi",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546723",
            "to_ids": true,
            "type": "sha1",
            "uuid": "39b96a60-fb94-4d75-99a7-0d802c71ebff",
            "value": "9f2ddf69c23ce1f01db492f518800f12f9a11b52",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "GolddTV.msi",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546723",
            "to_ids": true,
            "type": "sha256",
            "uuid": "621b546c-e902-41dd-93a9-05c7d82e5b82",
            "value": "586f27257d3eaee7d4bec9e9207c317a9caeded95eca3969739d7e8181d24620",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778944455",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "8478b42a-f73c-4ba3-92a0-8d4f885e538f",
            "value": "12288:d5rYMSLWEY8Yep/sTfZ6LWG/2UPMTZobNAL8pnfcjCxVyE7gW:d5rYXWEOtRil/7PMT6bNAApnfcjsyFW"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778944455",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "0ed41bda-7c0e-47f8-b134-9645f4e9daf3",
            "value": "734208"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778944455",
            "to_ids": true,
            "type": "vhash",
            "uuid": "2eaf9064-9774-4725-be2c-5344113d6170",
            "value": "72e7c15c4fb08255dac8c0b422694faf"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778944455",
            "to_ids": true,
            "type": "filename",
            "uuid": "0807e82f-bb01-4718-8df4-e669ab6f310c",
            "value": "GolddTV.msi"
          },
          {
            "category": "Other",
            "comment": "Checked: 16/05/2026\nLast-scan\t:  15/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778944455",
            "to_ids": false,
            "type": "text",
            "uuid": "ff88689c-a26e-44bf-92e2-a1d7601149f6",
            "value": "GolddTV.msi\r\nType Description: Windows Installer\nMicrosoft: None\nVT Total Detection:35/62\nFirst Submission:2026-04-09T22:38:46.000000+00:00\nLast Submission:2026-04-09T22:38:46.000000+00:00"
          }
        ]
      }
    ]
  }
}