{
  "Event": {
    "analysis": "1",
    "date": "2026-05-06",
    "extends_uuid": "",
    "info": "[Threat Intel] Operation Silent Rotor: Rust-Based Malware Targets Eurasian Unmanned Aviation Sector Ahead of Moscow Summit",
    "protected": false,
    "publish_timestamp": "1779546574",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1779546573",
    "uuid": "879be2a3-1617-4328-910c-155eac2ec686",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#57356b",
        "local": false,
        "name": "misp-galaxy:producer=\"Seqrite\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#e7d48a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Owner/User Discovery - T1033\"",
        "relationship_type": ""
      },
      {
        "colour": "#47d9d3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#5539fe",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#f5a258",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Native API - T1106\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#9f6bd9",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Network Configuration Discovery - T1016\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c0051",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b0fe1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Masquerade Task or Service - T1036.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9f8b1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#02475d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Command Shell - T1059.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#c295b4",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Internal Proxy - T1090.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#15cd0b",
        "local": false,
        "name": "misp-galaxy:target-information=\"Russia\"",
        "relationship_type": ""
      },
      {
        "colour": "#4ece2e",
        "local": false,
        "name": "misp-galaxy:target-information=\"Tajikistan\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Civil Aviation\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:region=\"143 - Central Asia\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778151606",
        "to_ids": false,
        "type": "link",
        "uuid": "37fc266b-3465-43a7-a2a7-844ce79ca8cd",
        "value": "https://www.seqrite.com/blog/operation-silent-rotor-rust-malware-unmanned-aviation-sector/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778151606",
        "to_ids": false,
        "type": "text",
        "uuid": "edcb1227-6b58-4632-aebd-079611d4553a",
        "value": "A sophisticated spear-phishing campaign targets professionals in the Eurasian unmanned aviation sector, timed to coincide with the XIII Eurasian International Forum 'Unmanned Aviation 2026' in Moscow. The attack delivers malicious archives containing Rust-based executables disguised as legitimate documents from the Russian Aeronautical Information Center. The malware displays aviation-themed decoy documents in Russian while collecting system information including hostnames, volume serial numbers, network adapter details, and environment variables. Collected data is encrypted via XOR and exfiltrated to a C2 server over HTTPS. The malware subsequently downloads a second-stage payload, decrypts it with AES-256, and executes it. The campaign demonstrates targeted social engineering with realistic aviation order documents, translation certificates, and product summaries to compromise victims in Russia, Tajikistan, Central Asia, the Middle East, and Europe."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778151606",
        "to_ids": false,
        "type": "text",
        "uuid": "6326d6d0-4819-47ea-a8d2-578e79117996",
        "value": "Name: Operation Silent Rotor: Rust-Based Malware Targets Eurasian Unmanned Aviation Sector Ahead of Moscow Summit\nAuthor: AlienVault\nAdversary: \nTags: [\"c2 exfiltration\", \"multi-stage payload\", \"aviation sector\", \"unmanned aerial systems\", \"spear phishing\", \"rust malware\", \"operation silent rotor\", \"moscow summit\"]\nTgtd countries: [\"Russian Federation\", \"Tajikistan\"]\nMlwr families: []\nAttack_ids: [\"T1033\", \"T1204.002\", \"T1566.001\", \"T1082\", \"T1106\", \"T1140\", \"T1016\", \"T1083\", \"T1036.004\", \"T1041\", \"T1027\", \"T1059.003\", \"T1071.001\", \"T1105\", \"T1090.001\"]\nIndustries: [\"Aerospace\"]"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778899692",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "4b96552f-a615-4462-bd3c-b52b9721d810",
        "value": "45.142.36.76",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778899713",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "5142331d-9045-4912-a2e1-985e032582c4",
        "value": "89.108.110.154",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778899734",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "6b632089-785a-484c-b8cb-a259f57dc2ce",
        "value": "92.62.113.232",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778899755",
        "to_ids": true,
        "type": "url",
        "uuid": "a35c6b4d-3f7f-4370-8850-98683b959c64",
        "value": "http://kleymarket.ru",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778899776",
        "to_ids": true,
        "type": "domain",
        "uuid": "0167783c-7e29-4116-a9ee-94b5d7bdbcb8",
        "value": "kleymarket.ru",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778899798",
        "to_ids": true,
        "type": "hostname",
        "uuid": "68a154e8-191f-4dd4-9e19-871d52f6812b",
        "value": "cdn.kleymarket.ru",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546560",
        "uuid": "9a1f3fa1-58ca-4636-b1df-269c942f3991",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546560",
            "to_ids": true,
            "type": "md5",
            "uuid": "002e121f-e474-444e-9324-cc75eab38274",
            "value": "bd2925f5abaafd7e9d1e9e5946c1cf58",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546560",
            "to_ids": true,
            "type": "sha1",
            "uuid": "d84c5efe-8b15-4985-8ee3-7ce7e2dbe29d",
            "value": "fe4286b5bc67c65cca870207b8ec22671506c5bf",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546560",
            "to_ids": true,
            "type": "sha256",
            "uuid": "cd39c627-9d12-4854-8c72-59552692119f",
            "value": "2064ef387ac9e51ba72b32004d99e8a0b291dbab24ed8db30f437abf1b40cb49",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778896635",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "29fac5eb-6d63-4dd5-9524-f4e229ebafc8",
            "value": "192:Ct0fpTVOnWCSWHd0JvnyLq970Ms9wZb9KCtyC+BtnoJLRpnxLyRsB:a0fphOWpSdonv7n2wZbzpJLR/L5B"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778896635",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "49091109-c352-415a-9dfb-b8aaaf9b56af",
            "value": "14239"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778896635",
            "to_ids": true,
            "type": "vhash",
            "uuid": "ddd5db5a-a1c9-4201-b4ac-70f7251420bd",
            "value": "c48e35d5862a41938979201cd4a4c036"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778896635",
            "to_ids": true,
            "type": "filename",
            "uuid": "c707f198-63c7-4070-bcd5-5d4e9cb55a73",
            "value": "Confirmation of CAICA products order and arrangement of a meeting at the Unmanned Aviation \u2013 2026 forum to discuss payment details and sign a long\u2011term contract.docx"
          },
          {
            "category": "Other",
            "comment": "Checked: 16/05/2026\nLast-scan\t:  12/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778896635",
            "to_ids": false,
            "type": "text",
            "uuid": "bfcb5dbc-1d33-47c8-b387-523320eeb644",
            "value": "Type Description: Office Open XML Document\nMicrosoft: None\nVT Total Detection:5/66\nFirst Submission:2026-04-21T07:44:04.000000+00:00\nLast Submission:2026-04-21T07:44:04.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546563",
        "uuid": "9b01d1f7-7f4f-4058-8286-c55f30c25f17",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546562",
            "to_ids": true,
            "type": "md5",
            "uuid": "ff75cafa-794d-41bd-9c1b-bde524bcc968",
            "value": "5ee2b4adbf2e9abdd8b964e9e11568f5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546562",
            "to_ids": true,
            "type": "sha1",
            "uuid": "0be7c585-300a-426f-80af-437d75c5ce5a",
            "value": "78aedea37a2e64930a42c4f63f4234117fbc5274",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546563",
            "to_ids": true,
            "type": "sha256",
            "uuid": "933ee775-3adc-4f69-bcb0-779f11ddd6f6",
            "value": "57e26f6e3b311a1064c946b69159ee05abedf9228b2f95c65536429e7ac7fb24",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778896657",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "a5f29f99-6c06-4ada-88c9-648650bbf579",
            "value": "24576:PdnfQ0C8eIhLpeAYzhNfOZUKb7gbX4DYcdLEgY6rDPhJg46LfmtyVVdRUf:VfQODBwN2ZXgdGLEg5P3x6LfmYQf"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778896657",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "ee74aaba-bcc6-4dc5-8bce-cc38ee956e69",
            "value": "1514838"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778896657",
            "to_ids": true,
            "type": "vhash",
            "uuid": "31408b04-51a7-4261-b98e-fe94dc2ac553",
            "value": "0fb9f37bc12ada3164855ee7fb12c1cd"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778896657",
            "to_ids": true,
            "type": "filename",
            "uuid": "1d97d402-3583-4be7-b684-2dcbf78ca0b4",
            "value": "cai partner.zip"
          },
          {
            "category": "Other",
            "comment": "Checked: 16/05/2026\nLast-scan\t:  12/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778896657",
            "to_ids": false,
            "type": "text",
            "uuid": "0bffde33-86a3-4b60-aef7-60eb1a512920",
            "value": "Type Description: ZIP\nMicrosoft: None\nVT Total Detection:33/68\nFirst Submission:2026-04-07T12:04:42.000000+00:00\nLast Submission:2026-04-07T12:04:42.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546565",
        "uuid": "ce1dfd12-6082-4dc9-9ff3-0ac78f0210c4",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546565",
            "to_ids": true,
            "type": "md5",
            "uuid": "c940283b-1bca-4615-b973-63163bf198a2",
            "value": "b2f6aeebff8f4e693c0e145d3529e4dc",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546565",
            "to_ids": true,
            "type": "sha1",
            "uuid": "69d58dfb-fa5b-49a5-a352-92869d0c25e8",
            "value": "d5b70f3be0e41e88407b872cc901d65325fbd432",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546565",
            "to_ids": true,
            "type": "sha256",
            "uuid": "c26c0f2e-dde1-4d83-90ec-f846942d48d0",
            "value": "89f8e42c825d09a0a50e99bbf7304d7037be33ea362a57d34f87fa7981f80126",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778896679",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "4b34a70c-adb9-497c-9194-603c0579d69b",
            "value": "192:wc8mVNTqAOgb3UyUbwvJ6+TaXpS04RbFR0AwdjffYaoTN:wc3H3OA3hbJPMpuwXRYaoR"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778896679",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "93572720-79d6-41b7-876b-66caac91aea4",
            "value": "9351"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778896679",
            "to_ids": true,
            "type": "vhash",
            "uuid": "77c373b0-9436-4555-ab9f-6cfb1273e1bd",
            "value": "75cd256c33a483e42e21a80b1aa6c968"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778896679",
            "to_ids": true,
            "type": "filename",
            "uuid": "cf8fce4c-edd2-46ae-8f6c-196d31b58e56",
            "value": "summary_order_cai_final.xlsx"
          },
          {
            "category": "Other",
            "comment": "Checked: 16/05/2026\nLast-scan\t:  12/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778896679",
            "to_ids": false,
            "type": "text",
            "uuid": "52dd7290-3b69-4333-a980-6e743cff9d6f",
            "value": "Type Description: Office Open XML Spreadsheet\nMicrosoft: None\nVT Total Detection:5/66\nFirst Submission:2026-04-21T07:44:04.000000+00:00\nLast Submission:2026-04-21T07:44:04.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546568",
        "uuid": "96665798-71fa-492e-8388-395cace13a8b",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546567",
            "to_ids": true,
            "type": "md5",
            "uuid": "68d83a96-ba40-4b25-8808-ed5d702d2e3e",
            "value": "7e4e5c2ab300561aba0e0474dfbd8888",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546568",
            "to_ids": true,
            "type": "sha1",
            "uuid": "ea9c8a76-57e2-4ad9-bf29-536d3b844d87",
            "value": "c5b0a7f462fc9d2e1f0039f4c5238c5a790bc688",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546568",
            "to_ids": true,
            "type": "sha256",
            "uuid": "c7a4d457-14ac-4fbb-9077-6a08bcbe6738",
            "value": "a7bd8869293212e1671df90d2d41b96d4933eb9408b1111bd830e111a91bb202",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778896701",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "813600ae-5cea-4450-9fde-955423782540",
            "value": "6144:gywYFkMTQfJbpxKT6/Ydc04rV+NRyFXV45ILoNbb:gy5FkMEfJ9xkkr0SVZFXII0Fb"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778896701",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "182ca4ed-7f0e-4fb6-b7c5-ef3263aa7e53",
            "value": "240662"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778896701",
            "to_ids": true,
            "type": "vhash",
            "uuid": "7de6b001-8712-41db-a3c6-c971057fc00a",
            "value": "97ce943f5abf003cdb223cf714d7c27ca"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778896701",
            "to_ids": true,
            "type": "filename",
            "uuid": "539aeb6d-e188-45de-804c-026d7f8a1c18",
            "value": "Certificate of translation.PDF"
          },
          {
            "category": "Other",
            "comment": "Checked: 16/05/2026\nLast-scan\t:  14/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778896701",
            "to_ids": false,
            "type": "text",
            "uuid": "5fabf41e-99e7-4fa9-a8c0-c64a31ca1705",
            "value": "Type Description: PDF\nMicrosoft: None\nVT Total Detection:7/63\nFirst Submission:2026-04-07T12:05:15.000000+00:00\nLast Submission:2026-04-07T12:05:15.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546571",
        "uuid": "ab3be1a0-1f2b-4219-9cad-dc54415dddff",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546570",
            "to_ids": true,
            "type": "md5",
            "uuid": "b57e66c9-13a5-4dd6-b38b-3273cc4ee272",
            "value": "6f86655ad8a3bf7baaa38d94ce0016d2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546570",
            "to_ids": true,
            "type": "sha1",
            "uuid": "3974612a-bbaf-4523-8069-fa75efcdebfc",
            "value": "4e130ddc9f0121950f8e78775c3bcb2eb949f119",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546571",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f7b972cc-a529-47ae-a68c-7514988566b7",
            "value": "fdef9e489f773319f55f92f712d1b7b5447d59a632b8f4173d1b161d3759ad92",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778896722",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "a20d2ffb-a0a5-4448-acab-319e2ac11f95",
            "value": "24576:odnfQ0C8eIhLpeAYzhNfOZUKb7gbX4DYcdLEgY6rDPhJg46LfmtyVVdRU2:2fQODBwN2ZXgdGLEg5P3x6LfmYQ2"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778896722",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "e364ed39-92f7-4b58-afb1-263f7c8c5d1d",
            "value": "1515318"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778896722",
            "to_ids": true,
            "type": "vhash",
            "uuid": "f2482ca6-cd0a-475e-aa0c-9c1a5224ac01",
            "value": "17d17da157a054d7a8b0793763113b5e"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778896722",
            "to_ids": true,
            "type": "filename",
            "uuid": "b4be5cb3-2321-4705-a7a9-2fcd29e12820",
            "value": "cai partner (1).zip"
          },
          {
            "category": "Other",
            "comment": "Checked: 16/05/2026\nLast-scan\t:  12/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778896722",
            "to_ids": false,
            "type": "text",
            "uuid": "5fc205aa-206b-4640-9332-e81440edce0e",
            "value": "Type Description: ZIP\nMicrosoft: None\nVT Total Detection:29/66\nFirst Submission:2026-04-07T12:03:30.000000+00:00\nLast Submission:2026-04-07T12:03:30.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546573",
        "uuid": "11c62c4b-377a-4140-a597-6782da9aff12",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546572",
            "to_ids": true,
            "type": "md5",
            "uuid": "1c9b527a-b4d1-41c1-a782-394da3f7095f",
            "value": "70105e71035090ff0f6cf979fef67be0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546573",
            "to_ids": true,
            "type": "sha1",
            "uuid": "00da17c9-1dcb-4fa4-82f0-97a2280a1437",
            "value": "6b7c455f4f1a9b3378177317563cf32ece979e99",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546573",
            "to_ids": true,
            "type": "sha256",
            "uuid": "769f1fda-c1a2-425d-92f6-84ac8c7f4cc7",
            "value": "5936f42ffd7fa7896eeae725b60a5d26bbf3e584712671ef5da0138ee5d58f60",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778896744",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "a9b19be3-fc85-405f-9173-9db48f332126",
            "value": "49152:myJK5xcrb7ikncG7gKdTW34EPm3d7S+b2CYIU6i7:p1riknzttn+"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778896744",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "b75b8645-6f44-4c90-bffd-887cbc368168",
            "value": "2408448"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778896744",
            "to_ids": true,
            "type": "vhash",
            "uuid": "8c9b78b6-2529-414c-b350-b0c9a1cfc28d",
            "value": "026066656d156d055043zb2z743z79zacz147z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778896744",
            "to_ids": true,
            "type": "filename",
            "uuid": "32965232-468a-42dd-ab6a-d0ca08a9618a",
            "value": "01\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0438\u0435 \u0437\u0430\u043a\u0430\u0437\u0430 \u043f\u0440\u043e\u0434\u0443\u043a\u0446\u0438\u0438 \u0426\u0410\u0418.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 16/05/2026\nLast-scan\t:  12/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778896744",
            "to_ids": false,
            "type": "text",
            "uuid": "bea2d72e-b060-4f85-b1e6-4906f7b6dfc8",
            "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win32/Ravartar!rfn\nVT Total Detection:26/71\nFirst Submission:2026-04-07T12:05:14.000000+00:00\nLast Submission:2026-04-07T12:05:14.000000+00:00"
          }
        ]
      }
    ]
  }
}