{
  "Event": {
    "analysis": "1",
    "date": "2026-03-06",
    "extends_uuid": "",
    "info": "[Threat Intel] Middle East Conflict Fuels Opportunistic Cyber Attacks",
    "protected": false,
    "publish_timestamp": "1773997261",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1773997261",
    "uuid": "82ddbd5e-9ac7-4b8e-902d-f525b9be70cc",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#6dbaba",
        "local": false,
        "name": "misp-galaxy:producer=\"Zscaler\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#c202a1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1566.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#ff841f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Application Layer Protocol - T1071\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#75ec20",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Masquerading - T1036\"",
        "relationship_type": ""
      },
      {
        "colour": "#43c8db",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
        "relationship_type": ""
      },
      {
        "colour": "#5bb38b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malware - T1588.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#aa1f95",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data Staged - T1074\"",
        "relationship_type": ""
      },
      {
        "colour": "#9e0269",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Service - T1102\"",
        "relationship_type": ""
      },
      {
        "colour": "#3780c6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"",
        "relationship_type": ""
      },
      {
        "colour": "#b76d96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#02475d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Command Shell - T1059.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Bahrain\"",
        "relationship_type": ""
      },
      {
        "colour": "#20a667",
        "local": false,
        "name": "misp-galaxy:target-information=\"Iran\"",
        "relationship_type": ""
      },
      {
        "colour": "#4929fe",
        "local": false,
        "name": "misp-galaxy:target-information=\"Iraq\"",
        "relationship_type": ""
      },
      {
        "colour": "#26fab6",
        "local": false,
        "name": "misp-galaxy:target-information=\"Israel\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#1c006d",
        "local": false,
        "name": "rectifyq:topic=\"geopolitical\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"Cybercrime\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Stealc\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773054013",
        "to_ids": false,
        "type": "link",
        "uuid": "25a736cf-bfbe-4488-96e4-a725f579b3e6",
        "value": "https://www.zscaler.com/blogs/security-research/middle-east-conflict-fuels-opportunistic-cyber-attacks"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773054013",
        "to_ids": false,
        "type": "text",
        "uuid": "e9eaf8ea-0910-48d0-b6a5-75f24a097bc6",
        "value": "The ongoing conflict in the Middle East has triggered a surge in cybercriminal activity. Over 8,000 newly registered domains with conflict-related keywords have been identified, many of which may be weaponized in future campaigns. Multiple cases of malicious activity have been observed, including targeted attacks using conflict-themed lures, deployment of the LOTUSLITE backdoor, fake news blogs leading to StealC malware, phishing sites impersonating government portals, donation scams, fraudulent storefronts, and meme-coin pump-and-dump schemes. Threat actors are leveraging various techniques such as DLL sideloading, shellcode execution, and social engineering to compromise victims. The campaigns demonstrate the opportunistic nature of cybercriminals in exploiting geopolitical events for malicious purposes."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773054013",
        "to_ids": false,
        "type": "text",
        "uuid": "e6956825-30b2-46b4-8754-f93fa567f2ed",
        "value": "Name: Middle East Conflict Fuels Opportunistic Cyber Attacks\nAuthor: AlienVault\nAdversary: Mustang Panda\nTags: [\"stealc\", \"shellcode\", \"lotuslite\", \"middle east\", \"meme-coin\", \"backdoor\", \"dll sideloading\", \"donation scam\", \"phishing\"]\nTargeted countries: [\"Bahrain\", \"Iran, Islamic Republic of\", \"Iraq\", \"Israel\"]\nMalware families: [\"LOTUSLITE\", \"StealC\"]\nAttack_ids: [\"T1566.002\", \"T1071\", \"T1140\", \"T1036\", \"T1055\", \"T1588.001\", \"T1074\", \"T1102\", \"T1204\", \"T1547.001\", \"T1027\", \"T1059.003\"]\nIndustries: [\"Government\", \"Defense\", \"Finance\"]"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773054013",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "e2d9cb05-dd4d-405c-a134-7abb792ccf64",
        "value": "Mustang Panda"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773276254",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "ee0dc26e-7f18-4815-85c5-2ed2c7495f45",
        "value": "172.81.60.97",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Decrypted shellcode. No sample in VirusTotal\r\nLast check: 12/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773276058",
        "to_ids": true,
        "type": "md5",
        "uuid": "a8ecdb9b-06f1-4f89-9a81-989876eb9197",
        "value": "8c5a4dafed1586cec48d8eda267d8e42",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Decrypted shellcode. No sample in VirusTotal\r\nLast check: 12/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773276058",
        "to_ids": true,
        "type": "sha1",
        "uuid": "3114741c-49fa-4ad0-a173-14e0dafcc97a",
        "value": "b9dfc411699e07343b9b95daa79fe7e4b6811579",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Decrypted shellcode. No sample in VirusTotal\r\nLast check: 12/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773276060",
        "to_ids": true,
        "type": "sha256",
        "uuid": "1280c929-2f60-4c0b-bf3e-f005bfbae9be",
        "value": "24b11b4b999b385bede48ad9f0570e2e5da4a2054b96738b1e4d4946ece94bc1",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773276275",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "c1f11e7d-c794-4251-ac8f-09eb7bfa4e90",
        "value": "80.97.160.190",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773276296",
        "to_ids": true,
        "type": "url",
        "uuid": "1908f028-b0dc-44ce-a131-311c95fe7718",
        "value": "http://www.e-kflower.com/_prozn/_skin_mbl/home/KApp.rar",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773276317",
        "to_ids": true,
        "type": "url",
        "uuid": "379787b6-966b-4e80-bd2a-f97579b4fc69",
        "value": "http://www.e-kflower.com/_prozn/_skin_mbl/home/KAppl.rar",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773276338",
        "to_ids": true,
        "type": "url",
        "uuid": "7b6b3969-f881-449b-9edf-88f0b8ae7ff8",
        "value": "https://www.360printsol.com/2026/alfadhalah/thumbnail?img=index.png.",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773276360",
        "to_ids": true,
        "type": "domain",
        "uuid": "e81da5db-5824-4427-81d4-50af53152ac6",
        "value": "cfgomma.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773276381",
        "to_ids": true,
        "type": "domain",
        "uuid": "5fc588a5-d301-4020-ad97-e54872e45d60",
        "value": "e-kflower.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Redirecting domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773276402",
        "to_ids": true,
        "type": "domain",
        "uuid": "24ab73a5-0cc5-4674-8572-bf9b203f11af",
        "value": "flourishingscreencousin.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773276423",
        "to_ids": true,
        "type": "domain",
        "uuid": "76f8b8db-112e-43ef-abcb-6966214f0669",
        "value": "irandonation.org",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Pump-and-dump promotion for the $KHAMENEI meme coin",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773276445",
        "to_ids": true,
        "type": "domain",
        "uuid": "c2efce7c-9122-487a-8c02-4530de45e915",
        "value": "khameneisol.xyz",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773276466",
        "to_ids": true,
        "type": "domain",
        "uuid": "b969640a-9677-4e95-b1fb-0f463de2a6c8",
        "value": "nowarwithiran.store",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773276492",
        "to_ids": true,
        "type": "hostname",
        "uuid": "06e4d34b-5d83-4b4e-bc95-a23bae0147ac",
        "value": "arch.megadatahost1.lol",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773276514",
        "to_ids": true,
        "type": "hostname",
        "uuid": "14b57c1a-066a-438d-9806-879339b2ae10",
        "value": "arch2.maxdatahost1.cyou",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773276535",
        "to_ids": true,
        "type": "hostname",
        "uuid": "d97a49e8-56c2-4b49-89c1-ab25b0c74940",
        "value": "arch2.megadatahost1.lol",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773276560",
        "to_ids": true,
        "type": "hostname",
        "uuid": "2fb587d3-d09b-4e3f-9636-9e0ad982421d",
        "value": "media.hyperfilevault2.mom",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773276581",
        "to_ids": true,
        "type": "hostname",
        "uuid": "03505063-4073-419c-ba43-e1038ee079f5",
        "value": "media.maxdatahost1.cyou",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773276603",
        "to_ids": true,
        "type": "hostname",
        "uuid": "d627cd94-3df0-41fe-9106-166eadc16bc5",
        "value": "media.megadatahost1.lol",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773276624",
        "to_ids": true,
        "type": "hostname",
        "uuid": "354717b5-3247-4b3f-b00f-57ee0b673046",
        "value": "media.megafilehost2.sbs",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773276646",
        "to_ids": true,
        "type": "hostname",
        "uuid": "8ae8b59b-db45-45ca-8030-bae26260185b",
        "value": "www.360printsol.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773276668",
        "to_ids": true,
        "type": "hostname",
        "uuid": "52cf28f2-b924-4dfc-858a-6c33bd5ec60f",
        "value": "www.e-kflower.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Redirecting domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773276689",
        "to_ids": true,
        "type": "domain",
        "uuid": "90906ea4-dc1d-473b-8a89-c2bf89acc80a",
        "value": "holidayslettucecircumvent.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773276710",
        "to_ids": true,
        "type": "url",
        "uuid": "a90d7734-0ded-41e6-8823-e9815fb5952b",
        "value": "www.e-kflower.com/_prozn/_skin_mbl/home/KApp.rar",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773276731",
        "to_ids": true,
        "type": "url",
        "uuid": "07a1151b-521b-4f5d-90dc-3bff9db6aa27",
        "value": "www.e-kflower.com/_prozn/_skin_mbl/home/KAppl.rar",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1773276752",
        "uuid": "141a28b3-9bc0-4702-9c3f-111b96f7f17d",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "StealC",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1773276752",
            "to_ids": true,
            "type": "md5",
            "uuid": "f797244b-539a-4d5f-b917-816cfe7a6070",
            "value": "098bc0dd6a02a777fabb1b7d6f2da505",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "StealC",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1773276051",
            "to_ids": true,
            "type": "sha1",
            "uuid": "4bb9df43-cffe-4d9e-acb6-86441f2f3a20",
            "value": "66526bce0f78643eeb2868d4a352c44f993fa6be",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "StealC",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1773276051",
            "to_ids": true,
            "type": "sha256",
            "uuid": "397f8a3f-e773-485c-91d4-dda01543f226",
            "value": "cec3293c507861fc7d1418d702a9f5fcf3bbcb52d1ad1cbe4644c5a6bcf1be95",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1773274938",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "86e619ed-4582-42a2-95cc-94b170821130",
            "value": "24576:t66QG8RUZ8uyyQU4nYr8l84tblOoydx9RgQEy5+yhOcsYgtd/q25OK1h:t6/G8RJ3y0SObooKzYy5+CMYgtLOK1"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1773274938",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "4760b511-205a-4317-aae3-650e48251ba7",
            "value": "2155520"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1773274938",
            "to_ids": true,
            "type": "vhash",
            "uuid": "bc6b65af-5640-40bb-9a6f-a8606dce46c6",
            "value": "026076657d1d1554551az28!z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1773274938",
            "to_ids": true,
            "type": "filename",
            "uuid": "a1bee6ee-efa9-4e3b-afad-228469bd7009",
            "value": "documentation.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 12/03/2026\nLast scan: 11/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1773274938",
            "to_ids": false,
            "type": "text",
            "uuid": "73ae07fe-1ed5-47ab-9e44-3a2757d27bb3",
            "value": "StealC\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win64/Vigorf.A\nVT Total Detection:47/71\nFirst Submission:2026-03-05T11:02:34.000000+00:00\nLast Submission:2026-03-05T11:02:34.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1773276774",
        "uuid": "08821001-5eb5-4068-96e2-2de8d443e744",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Stage 2 DLL (LOTUSLITE).",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1773276774",
            "to_ids": true,
            "type": "md5",
            "uuid": "a3bd14e8-dc8b-47a6-ae51-982aa414ca09",
            "value": "10fb1122079b5ae8e4147253a937f40f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Stage 2 DLL (LOTUSLITE).",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1773276052",
            "to_ids": true,
            "type": "sha1",
            "uuid": "11f38dce-bb49-47fb-9de2-8257b3a2bcc9",
            "value": "7d4e31c8b11be7c970860c4fbc8fe85c70724cb1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Stage 2 DLL (LOTUSLITE).",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1773276052",
            "to_ids": true,
            "type": "sha256",
            "uuid": "16aed474-c428-42e1-93fb-c68615e8b894",
            "value": "8564763407064117726211ff8f89555e5a3b2b70bc9667032abd69cbe53b5216",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1773274960",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "c3160b56-39a9-4092-8d26-4ca41c6b9a88",
            "value": "12288:aRvSGegYwKUu56rpekBynohJ8Z6eRGVmvydR9IXy9wcFBynW:a895cDBPJCkmvydzhx0"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1773274960",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "d13a5e93-5208-4242-a5bd-babab844a8cb",
            "value": "783872"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1773274960",
            "to_ids": true,
            "type": "vhash",
            "uuid": "1b9e204d-43f9-4160-901b-1ebf90e2e38d",
            "value": "175076655d151d15156028z7ehz2011z1dz11"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1773274960",
            "to_ids": true,
            "type": "filename",
            "uuid": "8c93cf19-91bc-4870-a78a-f4f0f63a172f",
            "value": "NVIDIA app.App"
          },
          {
            "category": "Other",
            "comment": "Checked: 12/03/2026\nLast-scan\t:  11/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1773274960",
            "to_ids": false,
            "type": "text",
            "uuid": "b026dace-06ec-4363-bf36-c09caa562cc8",
            "value": "Stage 2 DLL (LOTUSLITE).\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/Egairtigado!rfn\nVT Total Detection:23/72\nFirst Submission:2026-03-06T19:25:30.000000+00:00\nLast Submission:2026-03-09T15:23:36.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1773276795",
        "uuid": "809b820a-060d-44a9-bc39-f722db518bfd",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Malicious stage 1 DLL.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1773276795",
            "to_ids": true,
            "type": "md5",
            "uuid": "dd3bc016-6237-419b-bea9-8f62ed6db935",
            "value": "6accd57e48c34cadc998d00594229e42",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Malicious stage 1 DLL.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1773276054",
            "to_ids": true,
            "type": "sha1",
            "uuid": "7b3ed548-8438-436f-a022-4ffd8280f481",
            "value": "be34901237c9fa9563e8dc9e71faf3a7e68f983f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Malicious stage 1 DLL.",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1773276054",
            "to_ids": true,
            "type": "sha256",
            "uuid": "7d51e953-3dec-4538-8832-924b83576b55",
            "value": "4fb9b5d115bceee45a89447fb2565faef07452cda6b8e244e53ad91499c3d9b5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1773274982",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "f61bad74-8588-4744-8e5d-cb8eb88c4210",
            "value": "768:Mzv5tVX59+sYJobGjEL2VX5032fxSFKahlAkkg4jtn2uEDzJYJML1IK+XDuNH:k5tN7YACOJ3RukKKgKIHXDi"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1773274982",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "272d99b7-d916-43ea-bd63-af2b7d7cec93",
            "value": "66560"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1773274982",
            "to_ids": true,
            "type": "vhash",
            "uuid": "2a327b3d-1f1d-4a33-a768-93193c3702f7",
            "value": "164056655d55151045z10041nz1ez4"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1773274982",
            "to_ids": true,
            "type": "filename",
            "uuid": "a9a11b37-bcc7-4cb7-afe4-c1b93b034114",
            "value": "fhbmemobook.book"
          },
          {
            "category": "Other",
            "comment": "Checked: 12/03/2026\nLast-scan\t:  12/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1773274982",
            "to_ids": false,
            "type": "text",
            "uuid": "795f509a-c53e-407d-be86-b5300a375090",
            "value": "Malicious stage 1 DLL.\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/Etset!rfn\nVT Total Detection:23/72\nFirst Submission:2026-03-04T07:58:45.000000+00:00\nLast Submission:2026-03-04T07:58:45.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1773276818",
        "uuid": "5a0f5e96-88b2-4900-9d18-e5c95daa2f97",
        "Attribute": [
          {
            "category": "Payload delivery",
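            "comment": "Legitimate data importer utility from the KuGou music software suite. Not malicious in itself (VT 0/72, no vendor detections): a hash match alone does not indicate compromise, so review before using it for blocking.",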
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1773276818",
            "to_ids": true,
            "type": "md5",
            "uuid": "2cc6c6a0-c0c9-46de-b4ce-2854ef01f61f",
            "value": "722bcd4b14aac3395f8a073050b9a578",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
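            "comment": "Legitimate data importer utility from the KuGou music software suite. Not malicious in itself (VT 0/72, no vendor detections): a hash match alone does not indicate compromise, so review before using it for blocking.",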
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1773276055",
            "to_ids": true,
            "type": "sha1",
            "uuid": "37d6eb7c-978d-4612-8f3e-d53c0b26d9ad",
            "value": "e5baecb74c456df26aa7e0fa1661838cd86ccfd7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
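            "comment": "Legitimate data importer utility from the KuGou music software suite. Not malicious in itself (VT 0/72, no vendor detections): a hash match alone does not indicate compromise, so review before using it for blocking.",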
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1773276055",
            "to_ids": true,
            "type": "sha256",
            "uuid": "6b86e3aa-8961-464b-b67d-27dc333288b0",
            "value": "819f586ca65395bdd191a21e9b4f3281159f9826e4de0e908277518dba809e5b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1773275004",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "298f75a5-590e-4274-8b73-3c455eb10b62",
            "value": "1536:zU3ekuRe/fijP69qvyly8/m45n3AqlQJxYsWxzcdmnstH809YX:qfijP6MqAam4p3Dwx1mns+0aX"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1773275004",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "a9f5e4bf-9533-44c7-9891-bf8464154e96",
            "value": "85696"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1773275004",
            "to_ids": true,
            "type": "vhash",
            "uuid": "16a90eae-9235-458c-88fb-e1d6c7bc3663",
            "value": "084066655d1515556az4-z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1773275004",
            "to_ids": true,
            "type": "filename",
            "uuid": "d2994a72-3e19-491a-9aba-dd2e8d09a3da",
            "value": "KApp.rar"
          },
          {
            "category": "Other",
            "comment": "Checked: 12/03/2026\nLast-scan\t:  11/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1773275004",
            "to_ids": false,
            "type": "text",
            "uuid": "b4e16003-9cf5-4154-b087-8885ecd5ebe8",
            "value": "Legitimate data importer utility from the KuGou music software suite.\r\nType Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:0/72\nFirst Submission:2021-12-01T13:05:16.000000+00:00\nLast Submission:2026-03-10T23:39:02.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1773276839",
        "uuid": "86a1da85-f078-4c50-8f90-08309dc3546d",
        "Attribute": [
          {
            "category": "Payload delivery",
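            "comment": "Legitimate binary. Not malicious in itself (VT 0/72, no vendor detections): a hash match alone does not indicate compromise, so review before using it for blocking.",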
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1773276839",
            "to_ids": true,
            "type": "md5",
            "uuid": "2a5e260f-4fd6-4172-98c0-714f5d7f5fb0",
            "value": "972585e50798cb5f122f766d8f26637f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
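            "comment": "Legitimate binary. Not malicious in itself (VT 0/72, no vendor detections): a hash match alone does not indicate compromise, so review before using it for blocking.",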
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1773276057",
            "to_ids": true,
            "type": "sha1",
            "uuid": "5478f439-2ee0-44fd-9328-703a67e72924",
            "value": "1b3fa84de23c6e789958462e6185e9cf0680ed9c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
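            "comment": "Legitimate binary. Not malicious in itself (VT 0/72, no vendor detections): a hash match alone does not indicate compromise, so review before using it for blocking.",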
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1773276057",
            "to_ids": true,
            "type": "sha256",
            "uuid": "33bb3425-9070-452d-bfe7-04dad7bdf270",
            "value": "db40546435a7c42b32493301e333c8c0010e652fecd02463614a386f916055ec",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1773275047",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "0a364122-d412-4bd9-aec7-692aa9aeab7c",
            "value": "3072:bqNZ5QoZ/cJjoKYJXzy2eamHKigu/fgl1glfdjgBftJeCEyJNEWM7I+nN:KZ5QwWshmHKVuE1gQJeCEMN3ZA"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1773275047",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "b648cae1-7717-4ee3-adf5-a21220b2ebd8",
            "value": "174816"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1773275047",
            "to_ids": true,
            "type": "vhash",
            "uuid": "a98eef65-c1c4-4390-9a70-b3913e1cf436",
            "value": "015066655d1515656az45jz2jz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1773275047",
            "to_ids": true,
            "type": "filename",
            "uuid": "485b7b11-ad08-4313-a4f4-5bee2a31a9d5",
            "value": "fhbmemobook.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 12/03/2026\nLast-scan\t:  11/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1773275047",
            "to_ids": false,
            "type": "text",
            "uuid": "33e02ec6-a443-44fa-aace-4b5caa10ee47",
            "value": "Legitimate binary.\r\nType Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:0/72\nFirst Submission:2023-06-05T05:08:49.000000+00:00\nLast Submission:2026-03-02T14:32:32.000000+00:00"
          }
        ]
      }
    ]
  }
}