{ "Event": { "analysis": "1", "date": "2026-03-06", "extends_uuid": "", "info": "[Threat Intel] An Investigation Into Years of Undetected Operations Targeting High-Value Sectors", "protected": false, "publish_timestamp": "1773997327", "published": true, "threat_level_id": "2", "timestamp": "1773997327", "uuid": "b063924c-fda5-4e11-92da-eef1585c1c87", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#0afe32", "local": false, "name": "misp-galaxy:producer=\"Palo Alto\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#e7d48a", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Owner/User Discovery - T1033\"", "relationship_type": "" }, { "colour": "#f28fb8", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"OS Credential Dumping - T1003\"", "relationship_type": "" }, { "colour": "#aff0ae", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Permission Groups Discovery - T1069\"", "relationship_type": "" }, { "colour": "#7d7034", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"", "relationship_type": "" }, { "colour": "#041edc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"SMB/Windows Admin Shares - T1021.002\"", "relationship_type": "" }, { "colour": "#fe1ef0", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Web Shell - T1505.003\"", "relationship_type": "" }, { "colour": "#9f6bd9", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Network Configuration Discovery - T1016\"", "relationship_type": "" }, { "colour": "#36a9d8", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Account Discovery - T1087\"", "relationship_type": "" }, { "colour": "#20f80d", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\"", "relationship_type": "" }, { "colour": "#0c0051", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"", "relationship_type": "" }, { "colour": "#dac154", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Network Connections Discovery - T1049\"", "relationship_type": "" }, { "colour": "#62f4c1", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"", "relationship_type": "" }, { "colour": "#59699c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"", "relationship_type": "" }, { "colour": "#d82db7", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Query Registry - T1012\"", "relationship_type": "" }, { "colour": "#f055aa", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Create Account - T1136\"", "relationship_type": "" }, { "colour": "#50bd28", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Network Service Discovery - T1046\"", "relationship_type": "" }, { "colour": "#50bcaa", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Software Discovery - T1518\"", "relationship_type": "" }, { "colour": "#e1e63b", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\"", "relationship_type": "" }, { "colour": "#370063", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:region=\"030 - Eastern Asia\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:region=\"034 - Southern Asia\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:region=\"035 - South-eastern Asia\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:sector=\"Civil Aviation\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:sector=\"Energy\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:sector=\"Government, Administration\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:sector=\"Pharmacy\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:sector=\"Police - Law enforcement\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:sector=\"Technology\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:sector=\"Telecoms\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#130049", "local": false, "name": "rectifyq:sub-category=\"campaign-analysis\"", "relationship_type": "" }, { "colour": "#f1dfed", "local": false, "name": "rectifyq:TA-category=\"State-Sponsored\"", "relationship_type": "" }, { "colour": "#f1dfed", "local": false, "name": "rectifyq:TA-category=\"Cybercrime\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#fdcb58", "local": false, "name": "rectifyq:MY-relevancy=\"somewhat-relevant\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:country=\"china\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:malpedia=\"Sliver\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:malpedia=\"MimiKatz\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773054029", "to_ids": false, "type": "link", "uuid": "72394aed-e511-46f4-9f28-3b7849ee4734", "value": "https://unit42.paloaltonetworks.com/cl-unk-1068-targets-critical-sectors/" }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1773054029", "to_ids": false, "type": "text", "uuid": "d8a2a482-52d8-4d56-8a7e-bcfbd3e71333", "value": "Since 2020, a Chinese threat actor dubbed CL-UNK-1068 has been targeting high-value organizations across South, Southeast and East Asia, focusing on critical sectors like aviation, energy, government, and telecommunications. The group employs a diverse toolkit including custom malware, modified open-source utilities, and living-off-the-land binaries to maintain stealthy persistence. Their techniques involve web shell deployment, DLL side-loading attacks, and credential theft. The attackers exfiltrate sensitive data, including configuration files and database backups. While primarily assessed as an espionage operation, cybercriminal motivations cannot be fully ruled out. The activity demonstrates sophisticated cross-platform capabilities, targeting both Windows and Linux environments." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1773054029", "to_ids": false, "type": "text", "uuid": "77d5c9e8-3666-48ef-9fe2-5ad0ba71c22d", "value": "Name: An Investigation Into Years of Undetected Operations Targeting High-Value Sectors\nAuthor: AlienVault\nAdversary: CL-UNK-1068\nTags: [\"superdump\", \"xnote\", \"antsword\", \"scanportplus\", \"godzilla\", \"sliver\", \"fast reverse proxy\", \"cyberespionage\"]\nTgtd countries: []\nMlwr families: [\"GodZilla\", \"AntSword\", \"Xnote\", \"Fast Reverse Proxy\", \"ScanPortPlus\", \"SuperDump\", \"Sliver\"]\nAttack_ids: [\"T1033\", \"T1003\", \"T1069\", \"T1082\", \"T1021.002\", \"T1505.003\", \"T1016\", \"T1087\", \"T1059\", \"T1083\", \"T1049\", \"T1057\", \"T1078\", \"T1012\", \"T1136\", \"T1046\", \"T1518\", \"T1574.002\", \"T1021.001\"]\nIndustries: [\"Aviation\", \"Energy\", \"Government\", \"Law Enforcement\", \"Pharmaceutical\", \"Technology\", \"Telecommunications\"]" }, { "category": "Attribution", "comment": "Adversary", "deleted": false, "disable_correlation": false, "timestamp": "1773054029", "to_ids": false, "type": "threat-actor", "uuid": "3ae08f58-9e01-47b5-b087-8312e78a3ead", "value": "CL-UNK-1068" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773278153", "to_ids": true, "type": "ip-dst", "uuid": "e0a2fb08-3a1e-4d3f-bffd-50c41c03eb71", "value": "107.148.33.60", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773278174", "to_ids": true, "type": "ip-dst", "uuid": "ce1eb2a0-8e9a-4978-91b1-85c19101c85a", "value": "43.255.189.67", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773054029", "to_ids": false, "type": "vulnerability", "uuid": "37cbd6a3-cd12-427a-ac36-d9806db7de4c", "value": "CVE-2021-4034" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773054029", "to_ids": false, "type": "vulnerability", "uuid": "35ad36a7-10d0-4d55-8cfb-b406442a2147", "value": "CVE-2023-34048" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773054029", "to_ids": false, "type": "vulnerability", "uuid": "2db1dba6-2a4d-4ee6-9050-880528932348", "value": "CVE-2026-0628" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773276084", "to_ids": true, "type": "md5", "uuid": "317aac6c-e30c-42a3-97e4-884f809e1eac", "value": "153de64a0649787191367d65727db9e5", "Tag": [ { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773276086", "to_ids": true, "type": "md5", "uuid": "dbd7be36-571e-4d5d-8350-f3b4d81fec8c", "value": "19d0db9625256adfc1068de9f5c4ad12", "Tag": [ { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773276088", "to_ids": true, "type": "md5", "uuid": "b81a887d-df4f-4d4d-9ee5-b9500a7de596", "value": "30833ab8ac0c794a3806dbe7c94eaddd", "Tag": [ { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773276089", "to_ids": true, "type": "md5", "uuid": "93987c57-eeb3-4cfa-86db-4704c25df3c6", "value": "bb49d3ff670c3583955d2732ba7d78e0", "Tag": [ { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773276090", "to_ids": true, "type": "md5", "uuid": "2bd5538a-1da5-4297-9d55-8515f86e5f71", "value": "e1cdaa62c9def1e02d46dfa061b96ec5", "Tag": [ { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773276092", "to_ids": true, "type": "sha1", "uuid": "80d179e3-5bf6-4ca4-a1bb-60867e5b84de", "value": "02b0cac600171ad9b7e691def9683dbbccdfe7fc", "Tag": [ { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773276093", "to_ids": true, "type": "sha1", "uuid": "2af09eab-76c1-4f67-be3a-e0b630072c13", "value": "715558e5f1900c65e41b9968b75ba11143f73d86", "Tag": [ { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773276094", "to_ids": true, "type": "sha1", "uuid": "169af871-e4bb-4e91-ba08-007a6e193d27", "value": "c41df1851ea7edf8115ddf59e53af8d9763fac0d", "Tag": [ { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773276096", "to_ids": true, "type": "sha1", "uuid": "bfdb6b87-5411-4c06-9982-d5cd6b8a957d", "value": "ddaed290b7f0838b5547d4e082b9f9c0145fda77", "Tag": [ { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773276096", "to_ids": true, "type": "sha1", "uuid": "d9d7efb0-bc1d-4603-aa09-94593c0b91b6", "value": "f3a0a2bd2c3665b5973bd629bd55e270657ae030", "Tag": [ { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773276097", "to_ids": true, "type": "sha256", "uuid": "49ecc42a-a68c-42a8-9c6c-917a77da0409", "value": "082a55731f972cd15e103104229a68175a8c59a52bae05daa8ed4302df7c2dec", "Tag": [ { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773276098", "to_ids": true, "type": "sha256", "uuid": "951b73e4-cfb3-429f-8b3a-9b0ee939d331", "value": "0c7db12ec29f333bf5f53dc5c73ec446b2265fca3aad5144c3569409e15123cb", "Tag": [ { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773276099", "to_ids": true, "type": "sha256", "uuid": "7d6e20cc-cb8f-48e2-8f72-69af2dba608b", "value": "0d03934eb181c2befbc5341208c4eb8f939e00382ac632216397b8210225c937", "Tag": [ { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773276101", "to_ids": true, "type": "sha256", "uuid": "58317e8f-0b1c-46e9-9ec7-cb8ba75f9948", "value": "26483f0886078cc9f5f9912d3ffce1301e297b435920ab1c86c9107bbdce4db2", "Tag": [ { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773276102", "to_ids": true, "type": "sha256", "uuid": "7e778d92-872c-4258-ade5-358fc5c3f83b", "value": "3b2b6a3ee023dfa168f257b292a28f5fbdbacb5aa2250e1efb36e650529db1b5", "Tag": [ { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773276102", "to_ids": true, "type": "sha256", "uuid": "b979b723-f3c7-4082-b76b-fc5757e1bb6c", "value": "3e698c85660e2c012b3db7f47ca3f2b1af2b6b0e0a0d2bdb7903f91cf9d31732", "Tag": [ { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773276104", "to_ids": true, "type": "sha256", "uuid": "085eafcf-312c-4091-b0c8-62f00c18351c", "value": "524734501be19e9ed1bfab304b0622a2263a4f9e3db0971f3fae93f7e7369c20", "Tag": [ { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "Sliver", "deleted": false, "disable_correlation": false, "timestamp": "1773276105", "to_ids": true, "type": "sha256", "uuid": "6db3011a-0749-4c18-806a-42292ea1925b", "value": "52c817465a56ccd0fb4e914a3274a9e9a93e872583e6239bc6461e4f3e40c567", "Tag": [ { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773276107", "to_ids": true, "type": "sha256", "uuid": "4ef6e7d3-d9de-4dac-9d3a-3bde13e6a352", "value": "5c986203242e2ed25458b0606ee7be57070f6d66b7472b453d92b1b6786443bd", "Tag": [ { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773276108", "to_ids": true, "type": "sha256", "uuid": "715a118b-fde9-4518-b3dc-0d3cb2ce2eb5", "value": "6ddbfd3a96834087501f0c9415a925cafdb92cb8ff34685f138833b4795416d6", "Tag": [ { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773276109", "to_ids": true, "type": "sha256", "uuid": "a7a2cb30-cd8e-4027-8ada-33d59bbe77c8", "value": "8a3345f0d8f1a7d78ea485ae11358cf2ae3d51cb7975524d6d67ba05a08a37ea", "Tag": [ { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773276110", "to_ids": true, "type": "sha256", "uuid": "3c5b78b6-6d54-47cf-90bc-d76cb131cb88", "value": "8d3907d56b1dd1609053cb55dd66f33499e1ea091133df76d8fe6f08f25f37b2", "Tag": [ { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773276111", "to_ids": true, "type": "sha256", "uuid": "3a35d93b-71cb-4fbc-89f2-9c47064034e6", "value": "96f52e4666aa8df67f8d7d00a523cd25e11402108157156775603b3d9514925c", "Tag": [ { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773276112", "to_ids": true, "type": "sha256", "uuid": "bd49d5b6-dc7b-4443-b6db-45a6b2e945b1", "value": "99bd09e1c500866b2b809fd9170f1b8b7e120da21a1f2eed6165fcf81bf519b7", "Tag": [ { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "Xnote", "deleted": false, "disable_correlation": false, "timestamp": "1773276113", "to_ids": true, "type": "sha256", "uuid": "b8c32191-8ac6-4653-8f42-6226df0765d5", "value": "b87cee18720c176c1972cf5c74e3c09877177e0c49c34a04b910bb3c70839b71", "Tag": [ { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773276114", "to_ids": true, "type": "sha256", "uuid": "8f2c20af-61a1-4a8a-9973-71cfbb5259fb", "value": "c880936ba0ca153719c2cca33c1925a9480d28abc88cf4daa02f34cc8cc1c9e5", "Tag": [ { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773276115", "to_ids": true, "type": "sha256", "uuid": "8a1c9cd6-550c-44ef-938d-edf8cf8964d8", "value": "cdb90179188a142d24147edcb72be8b574fac4f6833fff15a6ee803754dec0c0", "Tag": [ { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "PrintProgram", "deleted": false, "disable_correlation": false, "timestamp": "1773276116", "to_ids": true, "type": "sha256", "uuid": "f8355956-875f-4df6-a9ed-74db21c4cdd2", "value": "ce20c033dcadf17d9cca325869f946efdd82ab0756fa56e262b6f573252d457c", "Tag": [ { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773276117", "to_ids": true, "type": "sha256", "uuid": "ecda6d94-e76f-4c50-b547-da61dd2f7424", "value": "cfcbb3014ecc560ba36103213b36fc62d6b0ef22c49067ff0d860fd7253a7c94", "Tag": [ { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773276118", "to_ids": true, "type": "sha256", "uuid": "ecb8e1f2-6b5b-4c63-ada6-34ce9b5119fb", "value": "cfdcbc553bc7464aedfb6758b0a38acc78d9537eabe9717e60ab0d8d3b355225", "Tag": [ { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773276119", "to_ids": true, "type": "sha256", "uuid": "2b8558c5-135e-44b1-8902-3a79e4e1c5ce", "value": "d6ed94589b0e6a7c3e1a6052e18f3962ca78c385c78036972d5ea72c07a5772c", "Tag": [ { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773276120", "to_ids": true, "type": "sha256", "uuid": "227247e2-aa9d-4e59-950f-2ba7fb044d45", "value": "d8378cf105146217e6ded438187c4ea0edcadb6cf27f5eeddda3fd80cce76d72", "Tag": [ { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773276121", "to_ids": true, "type": "sha256", "uuid": "65ce253e-895a-4df7-be82-b7a079700c45", "value": "e1ff808321ce952384b7fff720584c48ec0fd36480d6bc9ac0d5db036102c368", "Tag": [ { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773276122", "to_ids": true, "type": "sha256", "uuid": "91a2d2c9-8444-4711-b70b-1352558083ad", "value": "e9541e8afa502e13c18734756270b10e3c07f1071283387e63c8f8b0ba591343", "Tag": [ { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773276124", "to_ids": true, "type": "sha256", "uuid": "00ddeb14-e1a6-46c6-86e0-658cb2ed8258", "value": "edc0287da3c6bb62a7b2fd3949be5688628fc0e893b5822bd5734a63c39f7ab1", "Tag": [ { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "Xnote", "deleted": false, "disable_correlation": false, "timestamp": "1773276124", "to_ids": true, "type": "sha256", "uuid": "d6467f13-90e4-47e1-8630-23611bfe2d07", "value": "f710dc61c2edc85841fd733a17b7977dfb889d6476c59bb3c54a5b2fd393ac13", "Tag": [ { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773276125", "to_ids": true, "type": "sha256", "uuid": "cb670c9f-a42f-4d8a-af35-6780b2c9671f", "value": "f7c73b1ac9aff545b184ec7121f2bc706c5064dc3c17f59e9a39469031bf2ef6", "Tag": [ { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773276126", "to_ids": true, "type": "sha256", "uuid": "70facc36-f5a2-4506-927a-87303d9f345e", "value": "fb9400d763a009b3bd2b9468410e0c69ee8a4f58400e532f086cef749422210d", "Tag": [ { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773278195", "to_ids": true, "type": "ip-dst", "uuid": "d8e8f882-c077-4ab5-9906-8164750c7507", "value": "107.148.130.22", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773278216", "to_ids": true, "type": "ip-dst", "uuid": "ee8e1882-0217-4f52-8928-9bcc22ba70ef", "value": "107.148.51.251", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773278237", "to_ids": true, "type": "ip-dst", "uuid": "f191f5bd-0a59-4a85-b93b-fefb1ec2d7ee", "value": "79.141.169.123", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773276128", "to_ids": true, "type": "sha256", "uuid": "8a7bbc41-d8d1-44c2-861c-64732342dd00", "value": "8af434c2af2d901694cb27ec8639e7054f84938110a5cc4492c1bac597026d50", "Tag": [ { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773278259", "to_ids": true, "type": "ip-dst", "uuid": "15c67a8c-000d-4aaa-83f6-488268baec8a", "value": "13.250.108.65", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1773278281", "to_ids": true, "type": "ip-dst", "uuid": "3a71c1e0-8325-456b-b189-78c41e335a27", "value": "52.77.253.4", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1773278302", "uuid": "e95e82d8-68ae-4791-b5ae-1fed3840e3db", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1773278302", "to_ids": true, "type": "md5", "uuid": "5776b90c-14c5-4eea-9dd1-e6458787522e", "value": "0579c97136b75a3a60423af72f5d0ab1", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1773276083", "to_ids": true, "type": "sha1", "uuid": "78aafa8a-01c6-4597-8ce8-8a3a2d79ec6b", "value": "1595c9aac94dbf845e4e9c1cd10c5b06638450f7", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1773276083", "to_ids": true, "type": "sha256", "uuid": "9166ecd9-695c-4111-ba0b-6a2113ccb42e", "value": "f6ac9e5e76bc9daf4772c5be43c9eac1d2611caafd49fac70bbb8eebfa4781ac", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1773275247", "to_ids": true, "type": "ssdeep", "uuid": "055deb66-1beb-4755-b0c8-553f713b24b1", "value": "49152:Qj7eSy8g1qrb/TTvO90d7HjmAFd4A64nsfJqjOrKUq/86rXunfpZ3AbtiOYFiQI6:rGGdpZ3S6TL+fDI5E+hEhAvD" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1773275247", "to_ids": false, "type": "size-in-bytes", "uuid": "3e33648e-7656-4389-ae82-24ebb5d53ad2", "value": "10350592" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1773275247", "to_ids": true, "type": "vhash", "uuid": "e60065f1-7279-4492-85ad-e1fb79c81320", "value": "83b7e04a4a6d626d7dd712758613d1d5" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1773275247", "to_ids": true, "type": "filename", "uuid": "361577b9-fa2d-4a0c-9eb3-d32d3b32e82b", "value": "nginx" }, { "category": "Other", "comment": "Checked: 12/03/2026\nLast-scan\t: 11/03/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1773275247", "to_ids": false, "type": "text", "uuid": "2e7d2426-6fa3-4540-8c72-817715d1aaab", "value": "Type Description: ELF\nMicrosoft: HackTool:Linux/Multiverze\nVT Total Detection:13/66\nFirst Submission:2024-03-30T01:26:02.000000+00:00\nLast Submission:2024-03-30T01:26:02.000000+00:00" } ] } ] } }