{
  "Event": {
    "analysis": "1",
    "date": "2026-03-04",
    "extends_uuid": "",
    "info": "[Threat Intel] MuddyWater Exposed: Inside an Iranian APT operation",
    "protected": false,
    "publish_timestamp": "1773274387",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1773274387",
    "uuid": "9b3007e4-de26-4fed-a902-52837770f8a0",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#26fab6",
        "local": false,
        "name": "misp-galaxy:target-information=\"Israel\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:target-information=\"Jordan\"",
        "relationship_type": ""
      },
      {
        "colour": "#78cd12",
        "local": false,
        "name": "misp-galaxy:target-information=\"Egypt\"",
        "relationship_type": ""
      },
      {
        "colour": "#a24b57",
        "local": false,
        "name": "misp-galaxy:target-information=\"United Arab Emirates\"",
        "relationship_type": ""
      },
      {
        "colour": "#c70b8f",
        "local": false,
        "name": "misp-galaxy:target-information=\"Portugal\"",
        "relationship_type": ""
      },
      {
        "colour": "#b8ab01",
        "local": false,
        "name": "misp-galaxy:target-information=\"United States\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:country=\"iran\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"MuddyWater\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#10003d",
        "local": false,
        "name": "rectifyq:sub-category=\"TA-profile\"",
        "relationship_type": ""
      },
      {
        "colour": "#120046",
        "local": false,
        "name": "rectifyq:sub-category=\"infra-profile\"",
        "relationship_type": ""
      },
      {
        "colour": "#1c006d",
        "local": false,
        "name": "rectifyq:topic=\"geopolitical\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"APT\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"DNS - T1590.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#68f2ff",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"",
        "relationship_type": ""
      },
      {
        "colour": "#8d021b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Dead Drop Resolver - T1102.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#00f752",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Alternative Protocol - T1048\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9f8b1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"",
        "relationship_type": ""
      },
      {
        "colour": "#bce57a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Web Service - T1567\"",
        "relationship_type": ""
      },
      {
        "colour": "#9feaf0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exploits - T1588.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#280b0e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"External Proxy - T1090.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#d3f567",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"JavaScript - T1059.007\"",
        "relationship_type": ""
      },
      {
        "colour": "#ecc598",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Local Account - T1136.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#9edfba",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malware - T1587.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e12cbc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Non-Application Layer Protocol - T1095\"",
        "relationship_type": ""
      },
      {
        "colour": "#f07d7c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Non-Standard Port - T1571\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Password Guessing - T1110.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#6ef296",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Password Spraying - T1110.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#b76d96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#56c932",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Symmetric Cryptography - T1573.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#6fe7f4",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Tool - T1588.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#91649a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Virtual Private Server - T1583.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Vulnerability Scanning - T1595.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#fe1ef0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Shell - T1505.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#02475d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Command Shell - T1059.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Wordlist Scanning - T1595.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772766034",
        "to_ids": false,
        "type": "link",
        "uuid": "fb01bc49-3cb3-4d07-ae2b-7a1221c4feb8",
        "value": "https://ctrlaltintel.com/threat%20research/MuddyWater/",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772766034",
        "to_ids": false,
        "type": "text",
        "uuid": "bf63bb7b-9521-496f-b8e3-b72b7fc9bce5",
        "value": "Researchers identified and analyzed exposed infrastructure of MuddyWater, an Iranian cyber espionage group linked to the Ministry of Intelligence and Security. The investigation revealed their reconnaissance methods, exploitation of vulnerabilities, custom command and control frameworks, and exfiltration techniques. Targets included organizations in Israel, Jordan, Egypt, UAE, Portugal, and the US. Notable findings include the use of Ethereum smart contracts for C2 communication, multiple custom C2 frameworks, and exploitation of various CVEs. The group showed a pattern of rapid adoption of public exploits and development of custom tools, while also exhibiting operational security failures that enabled this research."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772766034",
        "to_ids": false,
        "type": "text",
        "uuid": "eb6b06fb-24fc-4898-9fd9-eb26d7ccd55b",
        "value": "Name: MuddyWater Exposed: Inside an Iranian APT operation\nAuthor: AlienVault\nAdversary: MuddyWater\nTags: [\"cve-2025-52691\", \"vulnerability exploitation\", \"cve-2022-42475\", \"arenac2\", \"mois\", \"cve-2025-34291\", \"cve-2024-55591\", \"cve-2025-68613\", \"cve-2026-1731\", \"reconnaissance\", \"cve-2026-1281\", \"cyber espionage\", \"iranian apt\", \"exfiltration\", \"cve-2025-9316\", \"cve-2025-5777\", \"cve-2024-23113\", \"keyc2\", \"tsundere botnet\", \"cve-2025-55182\", \"command and control\", \"persianc2\", \"cve-2025-54068\", \"geopolitical conflict\"]\nTgtd countries: [\"Israel\", \"Jordan\", \"Egypt\", \"United Arab Emirates\", \"Portugal\", \"United States of America\"]\nMlwr families: [\"KeyC2\", \"PersianC2\", \"ArenaC2\", \"Tsundere Botnet\"]\nAttack_ids: []\nIndustries: [\"Government\", \"Defense\", \"Technology\", \"Transportation\", \"Healthcare\", \"Finance\"]"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772766034",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "705f2a54-e5e7-4add-a46b-3613dda7ee20",
        "value": "MuddyWater"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773273361",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "dfe9721b-0cef-4345-8409-4038b5e2eb3e",
        "value": "162.0.230.185",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772766034",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "4ad2a271-ab27-4b1d-8720-b8d3107774a9",
        "value": "CVE-2022-42475"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772766034",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "2cb71ec4-ceb5-45ce-aeb3-9f0e569db9f3",
        "value": "CVE-2024-23113"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772766034",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "d4e71b96-a66d-4e64-b60c-6b2b0d738aca",
        "value": "CVE-2024-5559"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772766034",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "e46f8baa-f3bc-4c69-9afa-4ad1409c2677",
        "value": "CVE-2024-55591"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772766034",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "ea95b2e8-0d47-4225-a2f0-9f49168b6958",
        "value": "CVE-2025-34291"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772766034",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "4962af0b-702a-49bb-b6d4-3370b8714216",
        "value": "CVE-2025-52691"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772766034",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "63ec3755-c460-4aa0-81b8-27468fdccb6a",
        "value": "CVE-2025-54068"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772766034",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "23208614-be67-455e-812c-966fa22adbd0",
        "value": "CVE-2025-55182"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772766034",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "52dcc43c-eb1f-4c63-9eaa-b97ebe93f844",
        "value": "CVE-2025-5777"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772766034",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "6efa083c-8e24-4e61-a3bc-cd8f9bc0b8f5",
        "value": "CVE-2025-68613"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772766034",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "d455a321-85e7-4d4a-98f2-4dc268fb2ab1",
        "value": "CVE-2025-9316"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772766034",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "9efc9c1b-0267-4542-9adc-25fc23fdbc4d",
        "value": "CVE-2026-1281"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772766034",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "e5a6602b-6456-4ffb-b394-3349287999ff",
        "value": "CVE-2026-1731"
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\nLast check: 07/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772825084",
        "to_ids": true,
        "type": "sha256",
        "uuid": "01f9fbfe-0255-48d7-8028-43072446ac38",
        "value": "bedb882c6e2cf896e14ecf12c90aaa6638f780017d1b8687a40b4a81956e230f",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\nLast check: 07/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772825086",
        "to_ids": true,
        "type": "sha256",
        "uuid": "2df7e9f6-a570-427f-b6e1-a1c00ea4ddd6",
        "value": "c8589ca999526f247db4d3902ade8a85619f8f82338c6230d1b935f413ddcb3d",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773273382",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "ebc2ea1c-7ced-47e7-9556-63fc06658cb2",
        "value": "157.20.182.49",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773273403",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "0c9df56b-c0dc-4192-a981-41a8ad1bbfa0",
        "value": "185.236.25.119",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773273424",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "557e099f-5a67-4ff6-a9af-193187f51560",
        "value": "193.17.183.126",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773273446",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "57a0d14d-1699-4a0a-858b-458cca8419bd",
        "value": "194.11.246.101",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773273467",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "d84d389a-c14a-401e-bc93-e44e25e654d9",
        "value": "209.74.87.100",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773273488",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "0be207ba-36cd-4ee0-b456-a51530cc90de",
        "value": "209.74.87.67",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773273509",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "97a1e12b-6683-4838-b23a-168d41ab00c2",
        "value": "84.110.105.214",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773273530",
        "to_ids": true,
        "type": "url",
        "uuid": "e1d70513-3aa3-4905-8a01-c016773690dd",
        "value": "http://157.20.182.49:10443/success",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773273551",
        "to_ids": true,
        "type": "url",
        "uuid": "7ac1eb75-20d3-48ba-8a86-4d143391ef83",
        "value": "http://194.11.246.101:1338",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773273572",
        "to_ids": true,
        "type": "hostname",
        "uuid": "64cb17b4-9e1d-42aa-af50-ea2c5910e90b",
        "value": "www.xt24.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773273593",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "35a320ef-9028-4f44-9f8e-bff5f39f328c",
        "value": "18.223.24.218",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1773273615",
        "uuid": "4342085d-1c43-4094-b589-4b282ebb9239",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1773273615",
            "to_ids": true,
            "type": "md5",
            "uuid": "54a30bf9-1e2e-41ca-b04d-d99ec6fdf975",
            "value": "4d5b14375f90a836e608c28491f0308b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772825081",
            "to_ids": true,
            "type": "sha1",
            "uuid": "d6cb6cc1-6535-4f38-a673-1bfa3b9982ad",
            "value": "d0d7d0c816753639b5c577aacf14fd2e994b64b0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772825082",
            "to_ids": true,
            "type": "sha256",
            "uuid": "b476cbab-ab6f-4305-ab9c-a11151192284",
            "value": "7ab597ff0b1a5e6916cad1662b49f58231867a1d4fa91a4edf7ecb73c3ec7fe6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772824822",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "aeb10b93-b0cc-4c7b-97cf-af8875c9bfa2",
            "value": "24576:AFWneH3BzqHS1xqIU5QSiMN4iak5B6Fbl31MHQzIctmH2b8rPAe7fdZvBi5pzZon:b"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772824822",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "f78e2d95-a235-4c1c-9c29-143deafe33dc",
            "value": "2227654"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772824822",
            "to_ids": true,
            "type": "vhash",
            "uuid": "9d106f27-be62-40cf-b7b9-cf1d3fb740fb",
            "value": "106d24c3f13e98ce8e861f372d50f45e"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772824822",
            "to_ids": true,
            "type": "filename",
            "uuid": "0e09db4d-920f-4080-b8b9-899a1cefbda0",
            "value": "7ab597ff0b1a5e6916cad1662b49f58231867a1d4fa91a4edf7ecb73c3ec7fe6.ps1"
          },
          {
            "category": "Other",
            "comment": "Checked: 07/03/2026\nLast-scan: 06/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772824822",
            "to_ids": false,
            "type": "text",
            "uuid": "f6fd8b14-aef5-45c4-9b65-9f5e75d87041",
            "value": "Type Description: Powershell\nMicrosoft: Trojan:Win32/Kepavll!rfn\nVT Total Detection:22/62\nFirst Submission:2026-03-03T09:38:57.000000+00:00\nLast Submission:2026-03-05T17:23:14.000000+00:00"
          }
        ]
      }
    ]
  }
}