{ "Event": { "analysis": "1", "date": "2026-05-15", "extends_uuid": "", "info": "[Threat Intel] Custom Attack Tooling Including Undisclosed C2 Infrastructure Targeting Malaysian Organizations", "protected": false, "publish_timestamp": "1779596347", "published": true, "threat_level_id": "2", "timestamp": "1779593849", "uuid": "a30d2c51-b056-4b55-ad4d-971722af82d8", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#120046", "local": false, "name": "rectifyq:sub-category=\"infra-profile\"", "relationship_type": "" }, { "colour": "#d92121", "local": false, "name": "rectifyq:target=\"targeted\"", "relationship_type": "" }, { "colour": "#dd2e44", "local": false, "name": "rectifyq:MY-relevancy=\"relevant\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Web Shell - T1100\"", "relationship_type": "" }, { "colour": "#fe1ef0", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Web Shell - T1505.003\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:target-information=\"Malaysia\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:sector=\"Government, Administration\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:online-service=\"8206e5d7-9189-4d8b-855d-339fa45e9c47\"", "relationship_type": "" }, { "colour": "#f95f85", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Credentials In Files - T1552.001\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration to Cloud Storage - T1567.002\"", "relationship_type": "" }, { "colour": "#9feaf0", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"", "relationship_type": "" }, { "colour": "#9edfba", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Malware - T1587.001\"", "relationship_type": "" }, { "colour": "#b9e5c8", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"NTDS - T1003.003\"", "relationship_type": "" }, { "colour": "#755c09", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"", "relationship_type": "" }, { "colour": "#7d37d8", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Python - T1059.006\"", "relationship_type": "" }, { "colour": "#8efd0f", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Security Account Manager - T1003.002\"", "relationship_type": "" }, { "colour": "#92e858", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"", "relationship_type": "" }, { "colour": "#5affe5", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Windows Remote Management - T1021.006\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1778928758", "to_ids": false, "type": "link", "uuid": "4632daa3-6e7e-44d8-a33e-7cde8aaf574b", "value": "https://oasis-security.io/blog/malaysian-government-with-undisclosed-c2-infrastructure" }, { "category": "Network activity", "comment": "Adversary Infrastructure", "deleted": false, "disable_correlation": false, "timestamp": "1778931256", "to_ids": true, "type": "ip-dst", "uuid": "dd74de7a-169c-4c0e-bd61-e69c4b590379", "value": "20.17.161.118", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "External Data Exfiltration to Cloudflare Storage", "deleted": false, "disable_correlation": false, "timestamp": "1778931462", "to_ids": true, "type": "url", "uuid": "698c21eb-2ded-4404-a72b-b2e7cc8f842b", "value": "https://7d83b67b237af36f803533a57d8a4843.r2.cloudflarestorage.com/", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1778931483", "to_ids": true, "type": "url", "uuid": "61e0b9a0-b5ee-4027-a265-f220c1dcdcff", "value": "http://20.17.161.118/", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "Laravel RCE Exploit Chain", "deleted": false, "disable_correlation": false, "timestamp": "1778931656", "to_ids": true, "type": "url", "uuid": "3b0f2b55-0e7e-42f3-a4a2-06bafdbda838", "value": "http://20.17.161.118:8888/rce_ekyc_chain2", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "Laravel RCE Exploit Chain", "deleted": false, "disable_correlation": false, "timestamp": "1778931678", "to_ids": true, "type": "url", "uuid": "d7bb18e9-c778-43b0-86f5-5c6a6fc04147", "value": "http://20.17.161.118:8888/rce_ekyc_chain9", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "Laravel RCE Exploit Chain", "deleted": false, "disable_correlation": false, "timestamp": "1778931699", "to_ids": true, "type": "url", "uuid": "d6b13233-baf7-4efe-bd55-73bdbb506f34", "value": "http://20.17.161.118:8888/rce_ekyc_chain10", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "Laravel RCE Exploit Chain", "deleted": false, "disable_correlation": false, "timestamp": "1778931720", "to_ids": true, "type": "url", "uuid": "973a395c-f512-4126-b9b8-53c51a83d2a7", "value": "http://20.17.161.118:8888/rce_ekyc_chain14", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "Laravel RCE Exploit Chain", "deleted": false, "disable_correlation": false, "timestamp": "1778931742", "to_ids": true, "type": "url", "uuid": "2a24803d-9f87-4851-92f2-456865578198", "value": "http://20.17.161.118:8888/rce_ekyc_chain20", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "C2 URL", "deleted": false, "disable_correlation": false, "timestamp": "1778931763", "to_ids": true, "type": "url", "uuid": "3d0c1176-23e8-432f-b57c-adeb0da929a3", "value": "https://20.17.161.118/", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] } ] } }