{ "Event": { "analysis": "1", "date": "2026-05-06", "extends_uuid": "", "info": "[Threat Intel] Data Extortion Groups Intensify Pressure On Global Aerospace Supply Chains", "protected": false, "publish_timestamp": "1779546629", "published": true, "threat_level_id": "2", "timestamp": "1779546629", "uuid": "a7d2cb24-3c7b-4553-9fea-d3228368f8a1", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#3d38fc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Acquire Infrastructure - T1583\"", "relationship_type": "" }, { "colour": "#7773ac", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"External Remote Services - T1133\"", "relationship_type": "" }, { "colour": "#7d7034", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"", "relationship_type": "" }, { "colour": "#ff841f", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Application Layer Protocol - T1071\"", "relationship_type": "" }, { "colour": "#d4fd6f", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Impair Defenses - T1562\"", "relationship_type": "" }, { "colour": "#e8825f", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Supply Chain Compromise - T1195\"", "relationship_type": "" }, { "colour": "#9feaf0", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"", "relationship_type": "" }, { "colour": "#bce57a", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Web Service - T1567\"", "relationship_type": "" }, { "colour": "#65d24c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Gather Victim Identity Information - T1589\"", "relationship_type": "" }, { "colour": "#682cad", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Remote Services - T1021\"", "relationship_type": "" }, { "colour": "#b24806", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Indicator Removal - T1070\"", "relationship_type": "" }, { "colour": "#a9f8b1", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"", "relationship_type": "" }, { "colour": "#1acf09", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Trusted Relationship - T1199\"", "relationship_type": "" }, { "colour": "#1b95cd", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"", "relationship_type": "" }, { "colour": "#59699c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"", "relationship_type": "" }, { "colour": "#e08bb2", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"", "relationship_type": "" }, { "colour": "#36d931", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Data Encrypted for Impact - T1486\"", "relationship_type": "" }, { "colour": "#a0d02a", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Phishing for Information - T1598\"", "relationship_type": "" }, { "colour": "#251b6b", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Obtain Capabilities - T1588\"", "relationship_type": "" }, { "colour": "#a42e64", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Data from Information Repositories - T1213\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#130049", "local": false, "name": "rectifyq:sub-category=\"campaign-analysis\"", "relationship_type": "" }, { "colour": "#f1dfed", "local": false, "name": "rectifyq:TA-category=\"Ransomware\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#55acee", "local": false, "name": "rectifyq:MY-relevancy=\"potentially-relevant\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:ransomware=\"lockbit5\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:sector=\"Aerospace\"", "relationship_type": "" }, { "colour": "#18005e", "local": false, "name": "rectifyq:topic=\"supply-chain\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1778151614", "to_ids": false, "type": "link", "uuid": "ae0bc043-f019-4336-b5b9-16cdcf46d622", "value": "https://cyberpress.org/aerospace-supply-chains-targeted/", "Tag": [ { "colour": "#6b003a", "local": true, "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"", "relationship_type": "" } ] }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1778151614", "to_ids": false, "type": "text", "uuid": "b5039621-e5df-442f-922d-e748f4ad6d9f", "value": "Cyber threats targeting the global aviation and aerospace sector are rapidly evolving, with ransomware, identity-based intrusions, and platform-level disruptions becoming dominant attack vectors. The interconnected nature of this ecosystem, combined with time-sensitive operations and complex third-party dependencies, makes it highly attractive to threat actors. Shared airport IT platforms represent critical single points of failure, as demonstrated by the September 2025 ransomware attack on Collins Aerospace MUSE system that disrupted major European airports including Heathrow, Brussels, Berlin, and Dublin. Major ransomware groups like LockBit and Cl0p maintain heavy focus on aviation suppliers, while advanced persistent threat groups including Refined Kitten, Wicked Panda, and Fancy Bear conduct strategic espionage targeting intellectual property, aircraft design data, and military aviation intelligence. Emerging threats include vulnerabilities in regional airports, aviation SaaS platforms, and satellite ..." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1778151614", "to_ids": false, "type": "text", "uuid": "1035dc63-67bd-4145-a007-d9f740859e9e", "value": "Name: Data Extortion Groups Intensify Pressure On Global Aerospace Supply Chains\nAuthor: AlienVault\nAdversary: LockBit, Cl0p, Refined Kitten, Wicked Panda, Fancy Bear\nTags: [\"critical infrastructure\", \"aerospace\", \"remus\", \"data extortion\", \"apt\", \"espionage\", \"supply chain attacks\", \"aviation\", \"lockbit\", \"ransomware\"]\nTgtd countries: []\nMlwr families: [\"LockBit\", \"Remus\"]\nAttack_ids: [\"T1583\", \"T1133\", \"T1082\", \"T1071\", \"T1562\", \"T1195\", \"T1190\", \"T1567\", \"T1589\", \"T1021\", \"T1070\", \"T1041\", \"T1199\", \"T1566\", \"T1078\", \"T1027\", \"T1486\", \"T1598\", \"T1588\", \"T1213\"]\nIndustries: [\"Aerospace\", \"Transportation\", \"Defense\"]" }, { "category": "Attribution", "comment": "Adversary", "deleted": false, "disable_correlation": false, "timestamp": "1778151614", "to_ids": false, "type": "threat-actor", "uuid": "bfe716a0-9b71-444b-af6c-ff6f71af709c", "value": "LockBit, Cl0p, Refined Kitten, Wicked Panda, Fancy Bear" } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1779546626", "uuid": "ee644f6c-3594-4204-9775-768da4a86101", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1779546625", "to_ids": true, "type": "md5", "uuid": "3f881361-5676-4ae4-8280-50b6be1501d5", "value": "95daa771a28eaed76eb01e1e8f403f7c", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1779546625", "to_ids": true, "type": "sha1", "uuid": "eba3b934-c4c4-40de-a2a7-5f66f620d5d8", "value": "cdd5717fd3bfd375c1c34237c24073e92ad6dccc", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1779546626", "to_ids": true, "type": "sha256", "uuid": "3f0f3c94-45a5-4207-9123-730cec7a7831", "value": "7ea5afbc166c4e23498aa9747be81ceaf8dad90b8daa07a6e4644dc7c2277b82", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1778897159", "to_ids": true, "type": "ssdeep", "uuid": "39be41e8-48c4-4783-b515-8e8852bec374", "value": "12288:q/tJbVY7R6CCJ5RqRhoS2KMPKZb8VEtiWYbn8wBNsavTduK14UqMs5+p6uaYwsjE:q/XuwyZAVEEhbnNBNgfUjs5+8RsXsx" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1778897159", "to_ids": false, "type": "size-in-bytes", "uuid": "fd0b0fbb-8df2-4216-9316-325b21172010", "value": "710560" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1778897159", "to_ids": true, "type": "vhash", "uuid": "a2c4be10-3d88-4fcc-abf0-f2743ddbe264", "value": "075056657d15151\"z" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1778897159", "to_ids": true, "type": "filename", "uuid": "560b6a3c-3517-4a02-8b0f-aad13227bbf9", "value": "7ea5afbc166c4e23498aa9747be81ceaf8dad90b8daa07a6e4644dc7c2277b82.exe" }, { "category": "Other", "comment": "Checked: 16/05/2026\nLast-scan\t: 07/05/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1778897159", "to_ids": false, "type": "text", "uuid": "b99cd2fd-0cc8-4b2c-934c-a4792a02e2f7", "value": "Type Description: Win32 EXE\nMicrosoft: Ransom:Win64/LockBit.MZZ!MTB\nVT Total Detection:58/71\nFirst Submission:2025-09-14T09:50:20.000000+00:00\nLast Submission:2026-05-15T17:05:24.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1779546629", "uuid": "a83a5598-cca9-47f4-97a9-0e02966f51f7", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1779546628", "to_ids": true, "type": "md5", "uuid": "ad5a195c-17c9-4027-9a00-87c7a5aac447", "value": "5e1f61b9c1c27cad3b7a81c804ac7b86", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1779546628", "to_ids": true, "type": "sha1", "uuid": "5e5c6454-9db2-4ae7-bc36-5059d709d0f7", "value": "c1888ba296f57e87a84411ddfce3cabc4536b142", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1779546629", "to_ids": true, "type": "sha256", "uuid": "ca16166f-8ea9-41e2-9ff1-132c7aa69783", "value": "180e93a091f8ab584a827da92c560c78f468c45f2539f73ab2deb308fb837b38", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1778897181", "to_ids": true, "type": "ssdeep", "uuid": "6e688b32-1872-4830-9380-008e9334853c", "value": "12288:0LxxJniMoRpKP9W1u19Ol9tyHDdZIYTbviWYbn8wBNsavTduK14UqMs5XRhazKj:0LIJvyHDPVXahbnNBNgfUjs5Xuz" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1778897181", "to_ids": false, "type": "size-in-bytes", "uuid": "83626c82-88b1-4bc5-92bc-67552f1025a1", "value": "708040" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1778897181", "to_ids": true, "type": "vhash", "uuid": "5401f09c-22ac-4f84-8066-e0078c90d995", "value": "075056657d15151\"z" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1778897181", "to_ids": true, "type": "filename", "uuid": "c0fa85f8-0c8a-4dab-bea4-f0092ad8a768", "value": "malware" }, { "category": "Other", "comment": "Checked: 16/05/2026\nLast-scan\t: 07/05/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1778897181", "to_ids": false, "type": "text", "uuid": "36822dba-130c-4382-877b-55345d5373f1", "value": "Type Description: Win32 EXE\nMicrosoft: Trojan:Win64/Lockbit.HDL!MTB\nVT Total Detection:56/70\nFirst Submission:2025-09-17T21:12:47.000000+00:00\nLast Submission:2026-04-24T20:15:00.000000+00:00" } ] } ] } }