{
  "Event": {
    "analysis": "1",
    "date": "2026-03-12",
    "extends_uuid": "",
    "info": "[Threat Intel] Storm-2561 uses SEO poisoning to distribute fake VPN clients for credential theft",
    "protected": false,
    "publish_timestamp": "1774022006",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1774011123",
    "uuid": "7c1e7398-b0dd-4146-ab02-446a9fde2f27",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#96f4f6",
        "local": false,
        "name": "misp-galaxy:producer=\"Microsoft\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#72ee33",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#3bc6ad",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Code Signing - T1553.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#68f2ff",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#20f80d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c0051",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#3780c6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9f8b1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"",
        "relationship_type": ""
      },
      {
        "colour": "#b76d96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b95cd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#d82db7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Query Registry - T1012\"",
        "relationship_type": ""
      },
      {
        "colour": "#e1e63b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"APT\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773658820",
        "to_ids": false,
        "type": "link",
        "uuid": "1b0b7da4-f704-48c0-aa2f-b141e29be204",
        "value": "https://www.microsoft.com/en-us/security/blog/2026/03/12/storm-2561-uses-seo-poisoning-to-distribute-fake-vpn-clients-for-credential-theft"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773658820",
        "to_ids": false,
        "type": "text",
        "uuid": "448abb66-8444-403c-8aca-ae9a34eff48f",
        "value": "A credential theft campaign by Storm-2561 exploits SEO poisoning to distribute fake VPN clients. Users searching for legitimate VPN software are redirected to malicious websites hosting ZIP files containing trojans masquerading as trusted VPN clients. These digitally signed trojans harvest VPN credentials and exfiltrate data to attacker-controlled infrastructure. The campaign uses GitHub repositories, legitimate code-signing certificates, and sophisticated post-theft redirection strategies to avoid detection. The attack chain involves initial access through SEO manipulation, execution of malicious MSI files, credential theft via fake VPN interfaces, and data exfiltration. Defensive recommendations include enabling cloud-delivered protection, using EDR in block mode, and enforcing multi-factor authentication."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773658820",
        "to_ids": false,
        "type": "text",
        "uuid": "6607362a-83c5-468a-b5f6-4bb17a972bc5",
        "value": "Name: Storm-2561 uses SEO poisoning to distribute fake VPN clients for credential theft\nAuthor: AlienVault\nAdversary: Storm-2561\nTags: [\"credential theft\", \"code signing\", \"vpn\", \"seo poisoning\", \"hyrax\"]\nTgtd countries: []\nMlwr families: [\"Hyrax\"]\nAttack_ids: [\"T1056.001\", \"T1553.002\", \"T1005\", \"T1140\", \"T1059\", \"T1083\", \"T1204\", \"T1041\", \"T1547.001\", \"T1566\", \"T1027\", \"T1012\", \"T1574.002\"]\nIndustries: []"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773658820",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "b7842966-9eca-42a7-bc77-277be44862e3",
        "value": "Storm-2561"
      },
      {
        "category": "Payload delivery",
        "comment": "Malware signed by Taiyuan Lihua Near Information Technology Co., Ltd. (GlobalProtect-VPN.exe). No sample in VT.\nLast check: 20/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773999162",
        "to_ids": true,
        "type": "sha256",
        "uuid": "8f625199-0106-40c6-b8d3-cb9ebff9ff33",
        "value": "98f21b8fa426fc79aa82e28669faac9a9c7fce9b49d75bbec7b60167e21963c9",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "IP address where stolen data is sent",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774000625",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "188c0b6a-b0cf-44d9-9fe1-f1e35a0e3a10",
        "value": "194.76.226.93",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Suspect initial access domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774000647",
        "to_ids": true,
        "type": "domain",
        "uuid": "0b75a593-edaf-4ae2-abbd-abc708f86c07",
        "value": "checkpoint-vpn.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Suspect initial access domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774000668",
        "to_ids": true,
        "type": "domain",
        "uuid": "1de531c0-8398-4d2f-b53b-b48bc420c5b1",
        "value": "cisco-secure-client.es",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Suspect initial access domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774000690",
        "to_ids": true,
        "type": "domain",
        "uuid": "1389d7e0-4037-4522-abfc-999d3df88545",
        "value": "forticlient-vpn.de",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Suspect initial access domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774000712",
        "to_ids": true,
        "type": "domain",
        "uuid": "3c1e2659-7a06-4165-a25d-4b899667df5d",
        "value": "forticlient-vpn.fr",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Suspect initial access domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774000733",
        "to_ids": true,
        "type": "domain",
        "uuid": "578bb70f-2108-4649-b558-8fa74b9b021f",
        "value": "forticlient-vpn.it",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Suspect initial access domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774000756",
        "to_ids": true,
        "type": "domain",
        "uuid": "d23cc1d9-0cb1-43f4-9602-151d75e9fc86",
        "value": "forticlient.ca",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Suspect initial access domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774000777",
        "to_ids": true,
        "type": "domain",
        "uuid": "41587948-7134-45d0-81e2-e86cea0a94bf",
        "value": "forticlient.co.uk",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Suspect initial access domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774000799",
        "to_ids": true,
        "type": "domain",
        "uuid": "c7d58ac2-0ae7-4a77-aef3-b46ad0e28414",
        "value": "forticlient.no",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Suspect initial access domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774000820",
        "to_ids": true,
        "type": "domain",
        "uuid": "a4d86322-a86b-42a9-80a7-6d3f3e2c0f20",
        "value": "ivanti-pulsesecure.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Suspect initial access domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774000841",
        "to_ids": true,
        "type": "domain",
        "uuid": "27c6e680-7c1b-4bcd-a924-7a616e8df27f",
        "value": "ivanti-secure-access.de",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Initial access domain (GitHub ZIP)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774000863",
        "to_ids": true,
        "type": "domain",
        "uuid": "38f529b1-2cfb-4b7b-9e8b-bcaccf87cc44",
        "value": "ivanti-vpn.org",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "C2 where stolen credentials are sent",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774000884",
        "to_ids": true,
        "type": "domain",
        "uuid": "dda3949a-9a7f-491a-9301-c5e32697d1a0",
        "value": "myconnection.pro",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Suspect initial access domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774000906",
        "to_ids": true,
        "type": "domain",
        "uuid": "bb24176f-386d-42c1-972e-cafb3822d784",
        "value": "pn-connection.pro",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Suspect initial access domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774000928",
        "to_ids": true,
        "type": "domain",
        "uuid": "3f31c663-f80f-450d-baf3-16bd85f19733",
        "value": "sonicwall-netextender.nl",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Suspect initial access domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774000949",
        "to_ids": true,
        "type": "domain",
        "uuid": "be160412-e666-430b-8093-d8c7b1cd9272",
        "value": "sophos-connect.org",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Initial access domain (GitHub ZIP)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774000971",
        "to_ids": true,
        "type": "domain",
        "uuid": "7992a2db-1129-4a84-914b-2538102482e3",
        "value": "vpn-fortinet.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Suspect initial access domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774000992",
        "to_ids": true,
        "type": "domain",
        "uuid": "ddbae2bd-e948-4539-bad3-917736efd96c",
        "value": "forticlient-for-mac.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Suspect initial access domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774001014",
        "to_ids": true,
        "type": "hostname",
        "uuid": "33dff485-a0b6-4bab-81ed-0af6717aa30b",
        "value": "forticlient.co.uk",
        "Tag": [
          {
            "colour": "#669ae5",
            "local": false,
            "name": "AlreadyExistsError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Suspect initial access domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774001036",
        "to_ids": true,
        "type": "domain",
        "uuid": "39a6c7f8-597c-4b57-9d4e-4f7dc91a1d46",
        "value": "fortinet-vpn.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Suspect initial access domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774001057",
        "to_ids": true,
        "type": "domain",
        "uuid": "238ad6b7-d36b-42e5-af03-f4ce262fb191",
        "value": "watchguard-vpn.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "C2 where stolen credentials are sent",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774001078",
        "to_ids": true,
        "type": "domain",
        "uuid": "2ab7a593-f0f8-4759-99e5-dfdbc57958de",
        "value": "vpn-connection.pro",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "GitHub URL hosting VPN-CLIENT.zip file (no longer available)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774001100",
        "to_ids": true,
        "type": "url",
        "uuid": "f0b5a8b8-2762-4c77-a9a1-958769e4ff4a",
        "value": "https://github.com/latestver/vpn/releases/download/vpn-client2/VPN-CLIENT.zip",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1774001122",
        "uuid": "f0fc57cc-1eca-4aa4-80ce-d1191ec3656d",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Malware signed by Taiyuan Lihua Near Information Technology Co., Ltd. (vpn.exe)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1774001122",
            "to_ids": true,
            "type": "md5",
            "uuid": "4dfbfc64-33eb-4920-8f78-2b674b711aad",
            "value": "09b3c00aad42edef05e9e2b38ef32eda",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Malware signed by Taiyuan Lihua Near Information Technology Co., Ltd. (vpn.exe)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1773999144",
            "to_ids": true,
            "type": "sha1",
            "uuid": "cb9916fd-c49b-4676-ac46-bff865d3e091",
            "value": "1e71e99abfc5f70e04adac5a8a535248818aa38d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Malware signed by Taiyuan Lihua Near Information Technology Co., Ltd. (vpn.exe)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1773999145",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f2c62af2-8d99-4455-a415-d136e622d172",
            "value": "26db3fd959f12a61d19d102c1a0fb5ee7ae3661fa2b301135cdb686298989179",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1773998527",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "a14ff08e-710b-42b1-b1e3-bcd7f5c41667",
            "value": "98304:hLPuIRoy3yZmjR6nU4nFjZdZv60EsDk3tSC3DBXHh9AM17QiTey7ULy9ncBMn5PN:Tx39jR6n/F1Gtx7ULy7"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1773998527",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "4769e1ee-69b8-4cf2-a723-95e6b1c5d1c4",
            "value": "11185408"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1773998527",
            "to_ids": true,
            "type": "vhash",
            "uuid": "68f06216-b704-4540-8c68-eafdfc08c96e",
            "value": "017076655d156d155550b041zb0c006d3z81za043za090100774z137z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1773998527",
            "to_ids": true,
            "type": "filename",
            "uuid": "4330f02a-bcc8-4a7d-9770-35b0ccf466eb",
            "value": "vpn.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/03/2026\nLast scan: 20/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1773998527",
            "to_ids": false,
            "type": "text",
            "uuid": "7fa21205-8909-4873-8467-a670c0cea72d",
            "value": "Malware signed by Taiyuan Lihua Near Information Technology Co., Ltd. (vpn.exe)\nType Description: Win32 EXE\nMicrosoft: Trojan:Win64/Tedy!MTB\nVT Total Detection: 28/71\nFirst Submission: 2026-01-26T10:01:45.000000+00:00\nLast Submission: 2026-01-26T10:01:49.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1774001143",
        "uuid": "4b602b5c-0a5c-4efd-b9f6-7aa76d6246df",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Malware signed by Taiyuan Lihua Near Information Technology Co., Ltd. (Pulse.exe)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1774001143",
            "to_ids": true,
            "type": "md5",
            "uuid": "7a25424a-75cd-436c-a832-7c7c293d36ad",
            "value": "d6cbe364b0f6c7c675419055569e2523",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Malware signed by Taiyuan Lihua Near Information Technology Co., Ltd. (Pulse.exe)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1773999146",
            "to_ids": true,
            "type": "sha1",
            "uuid": "48632b47-311e-4943-9758-0e541b26ad34",
            "value": "32397697c209953ef0252b95b904893cb07fa975",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Malware signed by Taiyuan Lihua Near Information Technology Co., Ltd. (Pulse.exe)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1773999146",
            "to_ids": true,
            "type": "sha256",
            "uuid": "1e68cab0-b795-4655-a170-fe1254370266",
            "value": "44906752f500b61d436411a121cab8d88edf614e1140a2d01474bd587a8d7ba8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1773998550",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "5740a46e-f8a6-4e03-b168-bb90f0bb3d0b",
            "value": "49152:qhxjVCMnmbHwC4eLOZIEQrKA2B4Az4S7ZFuPJIE/6a/KQ:y/abHwiOZIPrKA2eAkSu/6s"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1773998550",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "805f217b-1d89-432c-9f31-30d122fc0383",
            "value": "4751128"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1773998550",
            "to_ids": true,
            "type": "vhash",
            "uuid": "2411c72b-717a-47b4-818f-2ef48233dd3c",
            "value": "046066655d1d151564c0902212300c36z18131z1010e0c028d03120020a95z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1773998550",
            "to_ids": true,
            "type": "filename",
            "uuid": "335f7f32-eca1-4d19-8b36-4d54c69add11",
            "value": "Pulse.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/03/2026\nLast-scan\t:  20/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1773998550",
            "to_ids": false,
            "type": "text",
            "uuid": "4d40a5f8-8cb7-450c-b041-5703e31df7ad",
            "value": "Malware signed by Taiyuan Lihua Near Information Technology Co., Ltd. (Pulse.exe)\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win64/Tedy.CC!MTB\nVT Total Detection:24/71\nFirst Submission:2025-12-16T23:26:30.000000+00:00\nLast Submission:2026-01-22T18:45:33.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1774001164",
        "uuid": "aabece36-e055-4272-969b-0b83bdf53532",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "ZIP file retrieved from GitHub (VPN-Client.zip)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1774001164",
            "to_ids": true,
            "type": "md5",
            "uuid": "082bcc21-c707-4e18-b1f1-87e47b34ec0d",
            "value": "fcbaf5f629e8d233b695c8b3cea28b3d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ZIP file retrieved from GitHub (VPN-Client.zip)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1773999148",
            "to_ids": true,
            "type": "sha1",
            "uuid": "c056aa6b-178d-4901-87f6-96fda5de45c1",
            "value": "82b05df63283b4f84041834c42490a6181043865",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ZIP file retrieved from GitHub (VPN-Client.zip)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1773999148",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f3c8bcfd-1d35-45b5-a626-5424d6fa1b48",
            "value": "57a50a1c04254df3db638e75a64d5dd3b0d6a460829192277e252dc0c157a62f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1773998573",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "1656ae4e-bea4-40d6-b4c1-5befed5695c9",
            "value": "1572864:lyJZYP6iGFm98+JFQFu/Ab6hlrvyN3+oUCOi8DN7mW:EJ2EFmTQJ6hlrvyN1JOLn"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1773998573",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "d09f86e5-6530-41cd-bca5-9791a6aa1d23",
            "value": "70524610"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1773998573",
            "to_ids": true,
            "type": "vhash",
            "uuid": "a9441317-706f-41cb-ba4c-f00b9b83c88e",
            "value": "f0b23b4fc22a351e09c2e4870e5f15bb"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1773998573",
            "to_ids": true,
            "type": "filename",
            "uuid": "07c7213c-b10d-4f74-be1f-9e236ad56405",
            "value": "VPN_Client.zip"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/03/2026\nLast-scan\t:  20/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1773998573",
            "to_ids": false,
            "type": "text",
            "uuid": "8b412b5a-d479-4191-81d1-cd1f3638fe40",
            "value": "ZIP file retrieved from GitHub (VPN-Client.zip)\r\nType Description: ZIP\nMicrosoft: None\nVT Total Detection:12/66\nFirst Submission:2026-01-22T22:07:13.000000+00:00\nLast Submission:2026-01-26T09:59:57.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1774001186",
        "uuid": "e784cc10-ea72-4fc9-80d5-a7123b1f8b8f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Malicious DLL that steals data from C:\\ProgramData\\Pulse Secure\\ConnectionStore\\connstore.dat and exfiltrating it (inspector.dll)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1774001186",
            "to_ids": true,
            "type": "md5",
            "uuid": "5423faa6-7635-43b6-861f-e2363954eeb1",
            "value": "c0f3acc808ad91bdd436b60787a049b8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Malicious DLL that steals data from C:\\ProgramData\\Pulse Secure\\ConnectionStore\\connstore.dat and exfiltrating it (inspector.dll)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1773999150",
            "to_ids": true,
            "type": "sha1",
            "uuid": "6594593f-3931-4c7c-ae88-bf2404e5e7b8",
            "value": "bb7d808e246b52114540b6d310e5d2c8936c6188",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Malicious DLL that steals data from C:\\ProgramData\\Pulse Secure\\ConnectionStore\\connstore.dat and exfiltrating it (inspector.dll)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1773999150",
            "to_ids": true,
            "type": "sha256",
            "uuid": "efba829f-2618-4f40-bd98-d69a0d1769bb",
            "value": "6129d717e4e3a6fb4681463e421a5603b640bc6173fb7ba45a41a881c79415ca",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1773998596",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "cb05e0a4-1272-41f2-826f-a47cc0566f43",
            "value": "3072:TGi8DBTUepi3qPKEmpphTcaYgfiRCOr71ibVo0vf:a1tTjpCMpmpjTc5gUibf"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1773998596",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "f81391d6-b7e8-481b-9df7-619599c469a9",
            "value": "110360"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1773998596",
            "to_ids": true,
            "type": "vhash",
            "uuid": "69c606e3-6c8e-45b3-9188-ec672d22f2ef",
            "value": "115056655d15556az45nz45z86z3"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1773998596",
            "to_ids": true,
            "type": "filename",
            "uuid": "6d0e2afd-1756-49a8-95fe-e88bc9e8ee0d",
            "value": "inspector.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/03/2026\nLast-scan\t:  20/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1773998596",
            "to_ids": false,
            "type": "text",
            "uuid": "8673051f-0700-4530-b86c-8fe84c30599e",
            "value": "Malicious DLL that steals data from %ALLUSERSPROFILE%\\Pulse Secure\\ConnectionStore\\connstore.dat and exfiltrating it (inspector.dll)\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/Malgent!MSR\nVT Total Detection:37/71\nFirst Submission:2025-12-16T23:26:30.000000+00:00\nLast Submission:2025-12-16T23:26:30.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1774001207",
        "uuid": "439212bf-7812-4999-82cb-fe2fb8974c0d",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Suspicious DLL file loaded by the above executables; also signed by Taiyuan Lihua Near Information Technology Co., Ltd. (dwmapi.dll)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1774001207",
            "to_ids": true,
            "type": "md5",
            "uuid": "09cf606e-2920-4858-8c9b-01721db2bc57",
            "value": "1ef8789705d339b6b39440a38a3acf01",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Suspicious DLL file loaded by the above executables; also signed by Taiyuan Lihua Near Information Technology Co., Ltd. (dwmapi.dll)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1773999151",
            "to_ids": true,
            "type": "sha1",
            "uuid": "082a73fe-8474-454a-8db0-f2678e97320e",
            "value": "c99e0b819aa21faa8d645b0201c179c566adc1a2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Suspicious DLL file loaded by the above executables; also signed by Taiyuan Lihua Near Information Technology Co., Ltd. (dwmapi.dll)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1773999152",
            "to_ids": true,
            "type": "sha256",
            "uuid": "400505ce-5159-4103-a1c9-bfb9a7319a9f",
            "value": "6c9ab17a4aff2cdf408815ec120718f19f1a31c13fc5889167065d448a40dfe6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1773998620",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "9894a281-8836-4366-93b9-4a72db89c3a9",
            "value": "384:ah0C+wgMQz/3diEnn4AWW85Yh4+ibgrQ2ADyJrztd3rKigKzCKjd3gSGBkSXZ:Nl73oEnR8h+iU82ADK9d3/gKzCKZikuZ"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1773998620",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "fee57681-fec1-4b2f-971b-67babd597df1",
            "value": "47896"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1773998620",
            "to_ids": true,
            "type": "vhash",
            "uuid": "81b83541-ccc3-4777-bb12-7043239bad2f",
            "value": "1440975d151c055d1d1dbz160e$z2c"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1773998620",
            "to_ids": true,
            "type": "filename",
            "uuid": "f0da0230-de43-416f-b262-330a7d3271f7",
            "value": "dwmapi.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/03/2026\nLast-scan\t:  20/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1773998620",
            "to_ids": false,
            "type": "text",
            "uuid": "0c0ab064-5b5b-4d2a-b2e8-211a766a7dc0",
            "value": "Suspicious DLL file loaded by the above executables; also signed by Taiyuan Lihua Near Information Technology Co., Ltd. (dwmapi.dll)\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/Malgent!MSR\nVT Total Detection:39/71\nFirst Submission:2025-12-16T23:26:29.000000+00:00\nLast Submission:2025-12-16T23:26:29.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1774001229",
        "uuid": "bfc2451c-22ea-4cf0-9c90-23f8187c580d",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Malware signed by Taiyuan Lihua Near Information Technology Co., Ltd. (Sophos-Connect-Client.exe)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1774001229",
            "to_ids": true,
            "type": "md5",
            "uuid": "a81ffa21-6d3f-48ca-88a2-7c757e3ef4bc",
            "value": "ec6212c853cbbdc02b5158b4fb3548fb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Malware signed by Taiyuan Lihua Near Information Technology Co., Ltd. (Sophos-Connect-Client.exe)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1773999153",
            "to_ids": true,
            "type": "sha1",
            "uuid": "3837e38b-3407-41f3-90c9-b363aad494e9",
            "value": "0552e886cafb70e5032c413f986bfa7807a18760",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Malware signed by Taiyuan Lihua Near Information Technology Co., Ltd. (Sophos-Connect-Client.exe)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1773999154",
            "to_ids": true,
            "type": "sha256",
            "uuid": "6e23546b-67db-4782-917c-2b0b62c99df1",
            "value": "85c4837e3337165d24c6690ca63a3274dfaaa03b2ddaca7f1d18b3b169c6aac1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1773998643",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "bc555635-6470-4252-88a6-3b3dfaf5cb92",
            "value": "98304:7oMwURBHM8XQSNq+0LTCvWKCRSiC//1NreoLMhq5CrPpH43uZ+MXa/bK8+87BBEl:kL2XQSNq+hO6Tj2fM/y"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1773998643",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "159c43ac-be7e-46a9-aceb-8bf88f157c2a",
            "value": "13802240"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1773998643",
            "to_ids": true,
            "type": "vhash",
            "uuid": "07764637-1c1f-4b11-8739-8c058227c173",
            "value": "017076655d156d1515509043zc00723z91za045za0100774z137z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1773998643",
            "to_ids": true,
            "type": "filename",
            "uuid": "035c300b-ca07-437f-93fa-bfc3bb28d7c9",
            "value": "Sophos-Connect-Client.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/03/2026\nLast-scan\t:  20/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1773998643",
            "to_ids": false,
            "type": "text",
            "uuid": "84e48201-d9ed-4de7-ab9c-4f4b782a3fd8",
            "value": "Malware signed by Taiyuan Lihua Near Information Technology Co., Ltd. (Sophos-Connect-Client.exe)\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win64/Tedy.CC!MTB\nVT Total Detection:31/71\nFirst Submission:2026-01-06T16:05:32.000000+00:00\nLast Submission:2026-01-23T08:30:28.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1774001251",
        "uuid": "4fb42187-fb64-41e7-95f0-372c6682daf2",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Suspicious MSI file downloaded from the domain masquerading as the Ivanti Pulse VPN client site (VPN-Client.msi)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1774001251",
            "to_ids": true,
            "type": "md5",
            "uuid": "6e888aa2-310d-4324-aeb3-a00c38e6c829",
            "value": "8101669915443060c2e5f72e36798618",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Suspicious MSI file downloaded from the domain masquerading as the Ivanti Pulse VPN client site (VPN-Client.msi)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1773999156",
            "to_ids": true,
            "type": "sha1",
            "uuid": "0667fe40-643d-45fb-ad0a-7a0aaf8a5d08",
            "value": "6d1e53bdc97f72fab9c4782bd2b1e0dd9d6c93ef",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Suspicious MSI file downloaded from the domain masquerading as the Ivanti Pulse VPN client site (VPN-Client.msi)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1773999156",
            "to_ids": true,
            "type": "sha256",
            "uuid": "1440dab8-9ba1-4671-a060-db50bc464649",
            "value": "862f004679d3b142d9d2c729e78df716aeeda0c7a87a11324742a5a8eda9b557",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1773998668",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "af3a158c-b26b-4bce-99a4-8c2d86dc9924",
            "value": "1572864:aV/RJI5YQGOJ4NAoRArD1v/WFy3TEQ7Cf60u48jhwg:iZ6YOurAhWFy3TEQG7um"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1773998668",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "17fba558-f301-4208-9264-43a1aa2f6425",
            "value": "75851264"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1773998668",
            "to_ids": true,
            "type": "vhash",
            "uuid": "c9da6d02-db3e-4e6f-a7d8-86f2df216466",
            "value": "8605ba8d2548c999fbef337d7f2cd614"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1773998668",
            "to_ids": true,
            "type": "filename",
            "uuid": "515a09f1-5449-47ed-9a4a-aae63013cd04",
            "value": "VPN-Client.msi"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/03/2026\nLast-scan\t:  20/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1773998668",
            "to_ids": false,
            "type": "text",
            "uuid": "1d50fcdb-919e-4a62-911d-b64a7271a68a",
            "value": "Suspicious MSI file downloaded from the domain masquerading as the Ivanti Pulse VPN client site (VPN-Client.msi)\r\nType Descriptio%WINDIR%\\Installer\nMicrosoft: Trojan:Win64/Tedy.CC!MTB\nVT Total Detection:16/63\nFirst Submission:2025-12-16T23:23:21.000000+00:00\nLast Submission:2026-01-26T10:00:40.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1774001272",
        "uuid": "06eb27d8-c823-4d6a-adc2-1521cad26dc0",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Malware signed by Taiyuan Lihua Near Information Technology Co., Ltd. (PulseSecureService.exe)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1774001272",
            "to_ids": true,
            "type": "md5",
            "uuid": "589279e0-b72c-463f-bd40-e75788d7641e",
            "value": "da9d12bbbf17c3e7b0e26831037fce12",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Malware signed by Taiyuan Lihua Near Information Technology Co., Ltd. (PulseSecureService.exe)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1773999157",
            "to_ids": true,
            "type": "sha1",
            "uuid": "d13768ab-e571-4950-bc7a-928b879650c8",
            "value": "33b07904a37f2c39efb43c149d181b524abebd38",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Malware signed by Taiyuan Lihua Near Information Technology Co., Ltd. (PulseSecureService.exe)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1773999158",
            "to_ids": true,
            "type": "sha256",
            "uuid": "683bf763-3d53-4897-a2bb-e6199d9621c4",
            "value": "8ebe082a4b52ad737f7ed33ccc61024c9f020fd085c7985e9c90dc2008a15adc",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1773998691",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "fde32bfb-6518-44c1-8d8d-bfb9d632a76f",
            "value": "12288:yr1dd03o7dd/DIl0v+q1nOPZDasCi7wYhvmmAg1Abx:ygl0zeDasC1YJmmAgw"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1773998691",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "32c7c005-5237-4d8c-ba55-94cbcfb8cf35",
            "value": "526104"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1773998691",
            "to_ids": true,
            "type": "vhash",
            "uuid": "abfd05c8-edb8-48f2-a144-c0c1e909b387",
            "value": "055096555d1555151d151323z72z7d7za083z105041z2033z2274z4"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1773998691",
            "to_ids": true,
            "type": "filename",
            "uuid": "9a5b6710-48db-4ff7-a4ac-136c0a2140a3",
            "value": "PulseSecureService.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/03/2026\nLast-scan\t:  20/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1773998691",
            "to_ids": false,
            "type": "text",
            "uuid": "f8496ff6-e476-4895-a2b8-40bca30e84ed",
            "value": "Malware signed by Taiyuan Lihua Near Information Technology Co., Ltd. (PulseSecureService.exe)\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win64/Tedy.CC!MTB\nVT Total Detection:26/71\nFirst Submission:2025-12-16T23:26:29.000000+00:00\nLast Submission:2025-12-16T23:26:29.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1774001293",
        "uuid": "a99a13e2-4da5-49db-b9cb-ac9cfe4b6e0c",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Malware signed by Taiyuan Lihua Near Information Technology Co., Ltd. (VPN-Client.exe)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1774001293",
            "to_ids": true,
            "type": "md5",
            "uuid": "b93c7a42-2d1d-42c7-afc5-e98d9b52f1b6",
            "value": "dd0846c994edd78cac2a44b8851f00d3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Malware signed by Taiyuan Lihua Near Information Technology Co., Ltd. (VPN-Client.exe)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1773999159",
            "to_ids": true,
            "type": "sha1",
            "uuid": "a75f80a4-4450-4c77-8d71-27797b5319cc",
            "value": "e775de4f63ef49668828240fdc4778fcae37575b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Malware signed by Taiyuan Lihua Near Information Technology Co., Ltd. (VPN-Client.exe)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1773999160",
            "to_ids": true,
            "type": "sha256",
            "uuid": "a6a240e2-ce5f-4120-8979-873568553c93",
            "value": "cfa4781ebfa5a8d68b233efb723dbde434ca70b2f76ff28127ecf13753bfe011",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1773998737",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "a027de33-d008-4a27-8273-fb70cda53037",
            "value": "98304:NC1Z1jNqB5950VvFrTYofsOq5U8mZ+G/d+eK+LJ0gt2raGBLe0884/0fJgnvvusA:2jNgX0Vv5lv7EVet84N3uP"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1773998737",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "7b24ca0e-d270-40c8-8cd7-9c7ecbec60ef",
            "value": "11047168"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1773998737",
            "to_ids": true,
            "type": "vhash",
            "uuid": "d2c37f13-b423-49d8-804e-1c4e4a9e50c2",
            "value": "017076655d156d155550b041zb0c006d3z81za043za090100774z137z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1773998737",
            "to_ids": true,
            "type": "filename",
            "uuid": "9116bd91-6de5-4dbe-ab05-09b588c1fac2",
            "value": "VPN-Client.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/03/2026\nLast-scan\t:  20/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1773998737",
            "to_ids": false,
            "type": "text",
            "uuid": "b65efe7d-a69f-476c-b42f-92eba05e30d6",
            "value": "Malware signed by Taiyuan Lihua Near Information Technology Co., Ltd. (VPN-Client.exe)\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win64/Tedy!MTB\nVT Total Detection:30/71\nFirst Submission:2026-01-12T19:39:33.000000+00:00\nLast Submission:2026-01-27T16:56:22.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1774001314",
        "uuid": "f3e6fe6d-3258-40e9-8f1c-7fedb0b3471c",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Malware signed by Taiyuan Lihua Near Information Technology Co., Ltd. (WiredAccessMethod.dll)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1774001314",
            "to_ids": true,
            "type": "md5",
            "uuid": "a8634d2a-ca23-4ef0-a018-0b8dff963107",
            "value": "68529d3d99fccac503484068d8bbd693",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Malware signed by Taiyuan Lihua Near Information Technology Co., Ltd. (WiredAccessMethod.dll)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1773999161",
            "to_ids": true,
            "type": "sha1",
            "uuid": "86220979-032d-4d9f-8e53-bfb923bcaeeb",
            "value": "fdd954ab648ec39bd77d15393de4c83f7e5afa8e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Malware signed by Taiyuan Lihua Near Information Technology Co., Ltd. (WiredAccessMethod.dll)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1773999161",
            "to_ids": true,
            "type": "sha256",
            "uuid": "ede898ac-ff3b-41a1-b682-3c7ba0ac28cb",
            "value": "eb8b81277c80eeb3c094d0a168533b07366e759a8671af8bfbe12d8bc87650c9",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1773998762",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "84b2e1ed-bb9a-4a95-9219-41f59f78a9a6",
            "value": "12288:TVhUp39D1hjkni1hrlZgOybk1770v5SoVilRXTokbdmyBMv2QsW7k6juJ+X+tOl5:TDUpS2B7VB76juWQOlyl2IwyMl"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1773998762",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "84ff6114-fc87-47eb-83fd-e37fbbe16adb",
            "value": "698648"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1773998762",
            "to_ids": true,
            "type": "vhash",
            "uuid": "15064afd-1c65-4187-aa73-6ec97ad2507c",
            "value": "165056655d151561b3z92z647z9081z20106041z2033zc55z5"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1773998762",
            "to_ids": true,
            "type": "filename",
            "uuid": "408c9a6b-2780-4b5d-b422-32ef0417f8dc",
            "value": "WiredAccessMethod.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/03/2026\nLast-scan\t:  20/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1773998762",
            "to_ids": false,
            "type": "text",
            "uuid": "812428af-f4b6-4a32-9ea7-4189d4bf981a",
            "value": "Malware signed by Taiyuan Lihua Near Information Technology Co., Ltd. (WiredAccessMethod.dll)\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win64/Tedy.CC!MTB\nVT Total Detection:27/71\nFirst Submission:2025-12-16T23:26:30.000000+00:00\nLast Submission:2025-12-16T23:26:30.000000+00:00"
          }
        ]
      }
    ]
  }
}