{
  "Event": {
    "analysis": "1",
    "date": "2026-04-01",
    "extends_uuid": "",
    "info": "[Threat Intel] Threat Actors Leverage Claude Code Leak as Social Engineering Lure to Distribute Malicious Payloads via GitHub",
    "protected": false,
    "publish_timestamp": "1776462991",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1776462991",
    "uuid": "b232cb09-8ea0-4c33-b16c-2e40a9d80097",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#6dbaba",
        "local": false,
        "name": "misp-galaxy:producer=\"Zscaler\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#8ee8d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\"",
        "relationship_type": ""
      },
      {
        "colour": "#ed66f6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Steal Web Session Cookie - T1539\"",
        "relationship_type": ""
      },
      {
        "colour": "#47d9d3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#c202a1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1566.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#ff841f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Application Layer Protocol - T1071\"",
        "relationship_type": ""
      },
      {
        "colour": "#f5a258",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Native API - T1106\"",
        "relationship_type": ""
      },
      {
        "colour": "#68f2ff",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9bb6d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Password Stores - T1555\"",
        "relationship_type": ""
      },
      {
        "colour": "#bce57a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Web Service - T1567\"",
        "relationship_type": ""
      },
      {
        "colour": "#20f80d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\"",
        "relationship_type": ""
      },
      {
        "colour": "#cfba47",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Automated Exfiltration - T1020\"",
        "relationship_type": ""
      },
      {
        "colour": "#3780c6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9f8b1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b95cd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#356c41",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"",
        "relationship_type": ""
      },
      {
        "colour": "#2e58ce",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Input Capture - T1056\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"data-breach\"",
        "relationship_type": ""
      },
      {
        "colour": "#150050",
        "local": false,
        "name": "rectifyq:sub-category=\"report\"",
        "relationship_type": ""
      },
      {
        "colour": "#18005e",
        "local": false,
        "name": "rectifyq:topic=\"supply-chain\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"GhostSocks\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Vidar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776135639",
        "to_ids": false,
        "type": "link",
        "uuid": "ccf7bfed-5fa0-491b-be3c-eda8ab3d8138",
        "value": "https://www.zscaler.com/blogs/security-research/anthropic-claude-code-leak"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776135639",
        "to_ids": false,
        "type": "text",
        "uuid": "4ed0b35f-c8c3-48f2-8de9-e756b76c56de",
        "value": "Cybercriminals are exploiting the recent Claude Code leak incident by using it as a social engineering tactic to deliver malware through GitHub repositories. The attackers have created trojanized versions of the leaked Claude source code, distributing malicious payloads including Vidar stealer version 18.7 and GhostSocks trojan. The campaign demonstrates rapid opportunistic exploitation of high-profile security incidents, with compromised repositories serving as delivery mechanisms. Organizations are advised to implement Zero Trust architecture to mitigate risks from shadow AI instances and trojanized Claude agents. Multiple GitHub repositories have been identified hosting the malicious code, with command and control infrastructure established across multiple IP addresses and domains."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776135639",
        "to_ids": false,
        "type": "text",
        "uuid": "4eb1703f-4d22-4ddf-9bf8-f0cb4d1eaf52",
        "value": "Name: Threat Actors Leverage Claude Code Leak as Social Engineering Lure to Distribute Malicious Payloads via GitHub\nAuthor: AlienVault\nAdversary: \nTags: [\"tradedownloader\", \"ghostsocks\", \"social engineering\", \"zero trust\", \"github delivery\", \"vidar\", \"vidar stealer\", \"trojanized repositories\", \"ai security\", \"claude code leak\", \"ghostsocks trojan\"]\nTgtd countries: []\nMlwr families: [\"Vidar\", \"GhostSocks\", \"TradeDownloader\"]\nAttack_ids: [\"T1113\", \"T1539\", \"T1204.002\", \"T1566.002\", \"T1071\", \"T1106\", \"T1005\", \"T1140\", \"T1555\", \"T1567\", \"T1059\", \"T1020\", \"T1204\", \"T1041\", \"T1566\", \"T1027\", \"T1573\", \"T1056\", \"T1071.001\", \"T1105\"]\nIndustries: []"
      },
      {
        "category": "Network activity",
        "comment": "GhostSocks C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776401945",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "8115d3ea-4cc8-4158-bc25-96e516125836",
        "value": "94.228.161.88",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "GhostSocks; no sample in VT\r\nLast check: 17/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776399329",
        "to_ids": true,
        "type": "md5",
        "uuid": "404d5ba1-0ce8-43e2-85d3-c3e16694bd51",
        "value": "3388b415610f4ae018d124ea4dc99189",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "GhostSocks C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776401966",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "c9017e78-c3eb-4ad3-95b4-81b5fb22aa32",
        "value": "147.45.197.92",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "GhostSocks C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776401987",
        "to_ids": true,
        "type": "url",
        "uuid": "59c57132-e262-491a-888d-c24b1c41ec22",
        "value": "https://147.45.197.92:443",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "GhostSocks C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776402008",
        "to_ids": true,
        "type": "url",
        "uuid": "80d72282-6af5-4770-b95a-89c861ed1252",
        "value": "https://94.228.161.88:443",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Vidar C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776402029",
        "to_ids": true,
        "type": "url",
        "uuid": "1b828c2f-5bde-42c8-8c31-0c994d164f38",
        "value": "https://rti.cargomanbd.com",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Vidar C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776402050",
        "to_ids": true,
        "type": "hostname",
        "uuid": "e0454c18-22ca-4375-9b0f-f03f4ec0af42",
        "value": "rti.cargomanbd.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Vidar DDR (Dead Drop Resolvers)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776402072",
        "to_ids": true,
        "type": "url",
        "uuid": "1015c309-84ff-416f-8434-0b479ca97407",
        "value": "https://steamcommunity.com/profiles/76561198721263282",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Vidar DDR",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776402093",
        "to_ids": true,
        "type": "url",
        "uuid": "39d32776-cfd9-4968-9e00-c30bd096df46",
        "value": "https://telegram.me/g1n3sss",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "GhostSocks C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776402114",
        "to_ids": true,
        "type": "url",
        "uuid": "5db403a1-b0e1-404c-a0e6-8df72265b4df",
        "value": "https://147.45.197.92",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "GhostSocks C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776402134",
        "to_ids": true,
        "type": "url",
        "uuid": "dba8d0d3-13fa-4b17-9511-ab97cdd13d25",
        "value": "https://94.228.161.88",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Trojanized Claude Code source leak",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776402156",
        "to_ids": true,
        "type": "url",
        "uuid": "ebf371ed-9e03-408f-931d-145e272a0624",
        "value": "https://github.com/leaked-claude-code/leaked-claude-code",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Trojanized Claude Code source leak",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776402177",
        "to_ids": true,
        "type": "url",
        "uuid": "af0a326a-1842-4e0d-b6b7-115dedddfa1b",
        "value": "https://github.com/my3jie/leaked-claude-code",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Trojanized repository publisher",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776402198",
        "to_ids": true,
        "type": "url",
        "uuid": "07366c8a-0cc5-410a-a672-0aee8c698ea8",
        "value": "https://github.com/idbzoomh1",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776402219",
        "uuid": "4a181a10-475b-4bd9-9b97-c7bdbc26a7ad",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Dropper EXE file for payload",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776402219",
            "to_ids": true,
            "type": "md5",
            "uuid": "f5579589-c33a-4443-a98a-0eab52d1f5dc",
            "value": "77c73bd5e7625b7f691bc00a1b561a0f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Dropper EXE file for payload",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776399324",
            "to_ids": true,
            "type": "sha1",
            "uuid": "a45d5bfd-25d7-4f73-843a-64b3744c22fd",
            "value": "7798feb26b98bb11f758d68e10fed0e0d7c78881",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Dropper EXE file for payload",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776399324",
            "to_ids": true,
            "type": "sha256",
            "uuid": "73f81955-4b47-479b-8fbc-a3c1870af80f",
            "value": "7d5e84dd59165422f31a5a0e53aabba657a6fbccc304e8649f72d49e468ae91a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776398369",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "2e2cc77d-8ddf-4518-912d-83c5d3e6162d",
            "value": "3145728:wnytKxBi8hEUhBS4XEl0fXtwqhN+ePOo5pJ9JhZFcF3X:wytKx5PS40ywqRPOo5pjPC"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776398369",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "34676d16-7b16-4cfd-b399-ae5a5f505fb5",
            "value": "125171712"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776398369",
            "to_ids": true,
            "type": "vhash",
            "uuid": "92ae0997-4332-4b72-9d84-bab3ced47f55",
            "value": "018076657d156d057550a3zb0d00493z81z6033za032z554z137z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776398369",
            "to_ids": true,
            "type": "filename",
            "uuid": "88486893-ccca-4d04-9c3c-b8f7376ff8cf",
            "value": "TradeAI.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/04/2026\nLast scan: 16/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776398369",
            "to_ids": false,
            "type": "text",
            "uuid": "897427a3-4947-45c7-b93b-8e1873f20db1",
            "value": "Dropper EXE file for payload\nType Description: Win32 EXE\nMicrosoft: Trojan:Win64/OpenClaw.BB!MTB\nVT Total Detection: 36/70\nFirst Submission: 2026-03-31T17:59:49.000000+00:00\nLast Submission: 2026-04-02T11:52:09.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776402240",
        "uuid": "6fd853e6-8d85-4cc0-9f30-174288e2870d",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Dropper EXE file for payload",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776402240",
            "to_ids": true,
            "type": "md5",
            "uuid": "11e97e2b-cc85-411b-8b43-e6066b72324c",
            "value": "81fb210ba148fd39e999ee9cdc085dfc",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Dropper EXE file for payload",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776399325",
            "to_ids": true,
            "type": "sha1",
            "uuid": "875bef03-0c2d-4f1b-9c03-13390528686f",
            "value": "868cf681a86623abd4cc03c73662eb04c5f5bdfd",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Dropper EXE file for payload",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776399325",
            "to_ids": true,
            "type": "sha256",
            "uuid": "cc44dc06-e843-40ee-bfca-a081c08c44bd",
            "value": "17145a933525ca8a6f29a818cf0fd94c37f20836090791bec349ae6e705670d4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776398391",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "f23b487b-3ca8-478f-b6e6-42d8632e5495",
            "value": "3145728:+oyIY32wVSxBi8hEUhBS4XOeO0fXtwqhN+ePd5pJ9JhZFaPccc:+15VSx5PS4eeDwqRPd5pjP"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776398391",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "37b7cc38-3f0d-42f7-9315-812887bf8ce9",
            "value": "131031552"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776398391",
            "to_ids": true,
            "type": "vhash",
            "uuid": "f0e6e55c-fafb-44e5-8b1b-6b045273ccd6",
            "value": "018076657d156d057550a3zb0d00493z81z6033za032z554z137z"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776398391",
            "to_ids": true,
            "type": "filename",
            "uuid": "76ff4991-7ce8-4caf-bcde-589d4e52a459",
            "value": "TradeAI.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/04/2026\nLast scan: 16/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776398391",
            "to_ids": false,
            "type": "text",
            "uuid": "70e70a29-eab2-4d42-ac84-f68d140b9deb",
            "value": "Dropper EXE file for payload\nType Description: Win32 EXE\nMicrosoft: Trojan:Win64/OpenClaw.BB!MTB\nVT Total Detection: 46/70\nFirst Submission: 2026-04-01T12:14:54.000000+00:00\nLast Submission: 2026-04-03T10:51:33.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776402262",
        "uuid": "ff261595-c36a-489a-900d-06a6724e6c0f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Initial archive file",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776402262",
            "to_ids": true,
            "type": "md5",
            "uuid": "c61af44b-12b8-47d7-b8ab-1c363db8102a",
            "value": "8660646bbc6bb7dc8f59a764e25fe1fd",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Initial archive file",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776399326",
            "to_ids": true,
            "type": "sha1",
            "uuid": "6061baed-a64c-4f91-a63c-fc6e8a2c7ae9",
            "value": "dff9ea007c0b24d35fd7393313c64a4b42ed1109",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Initial archive file",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776399326",
            "to_ids": true,
            "type": "sha256",
            "uuid": "cea73ae0-d418-460d-b64b-f5deea965704",
            "value": "afa34c71a45f21d599c0bd90ac9026f68727aab0019c3b378956401475180c9c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776398413",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "712710e3-a9ec-4c82-ba9d-dc066e60e01e",
            "value": "3145728:fbVLsgDG3xMC5W4ZtebNwy69r+ljoQKIPUzUteDqZYta:fbVtG3xM28wyAr8joQbP/teDqZGa"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776398413",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "af347cd7-a7c0-4a98-9b73-207400c468c6",
            "value": "119013552"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776398413",
            "to_ids": true,
            "type": "vhash",
            "uuid": "021b696c-d118-4654-b522-853adc1ea6d3",
            "value": "def64176a1d9a10b68a3569e9ba324ff"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776398413",
            "to_ids": true,
            "type": "filename",
            "uuid": "2df97343-f152-43d9-8fed-48dfa86261a8",
            "value": "ClaudeCode_x64(1).7z"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/04/2026\nLast scan: 16/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776398413",
            "to_ids": false,
            "type": "text",
            "uuid": "94fd8d6c-4180-4825-9280-3bea04d23573",
            "value": "Initial archive file\nType Description: 7ZIP\nMicrosoft: None\nVT Total Detection: 30/62\nFirst Submission: 2026-04-01T12:22:44.000000+00:00\nLast Submission: 2026-04-06T20:51:44.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776402283",
        "uuid": "351a55bb-d83e-49fd-9648-792d34bafe37",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Vidar v18.7",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776402283",
            "to_ids": true,
            "type": "md5",
            "uuid": "d99fbf60-28d0-4bbb-90df-73b8839e7bed",
            "value": "9a6ea91491ccb1068b0592402029527f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Vidar v18.7",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776399327",
            "to_ids": true,
            "type": "sha1",
            "uuid": "756ac284-80cc-4e50-af29-9ed073cd4539",
            "value": "7942f7097e151f90cb5c9f579042c36133e93306",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Vidar v18.7",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776399327",
            "to_ids": true,
            "type": "sha256",
            "uuid": "600d140a-43d7-4d9d-b2ec-78bae7a0be5a",
            "value": "b4554c85f50c56d550d6c572a864deb0442404ddefe05ff27facb3cbfb90b4d6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776398435",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "3c40b161-0e64-4d94-9165-6d28b517b4a3",
            "value": "24576:4u5OwTx1k/58deR6sXzHxbXWHFLuv3O3r/OXTy3YD6lDmhU:4S3V1k/5R64zHlXWHFLsQr/OXTy3k+m"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776398435",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "4f6d61a3-c74e-415c-a5b9-c57c921428e5",
            "value": "2022400"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776398435",
            "to_ids": true,
            "type": "vhash",
            "uuid": "ec9a19bd-d0e2-4358-8477-636bfd9176e5",
            "value": "026076655d155d05755az5c3z23z2tz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776398435",
            "to_ids": true,
            "type": "filename",
            "uuid": "7271f7b4-3479-4557-8746-0e4ee44c523d",
            "value": "Watchdog.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/04/2026\nLast scan: 16/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776398435",
            "to_ids": false,
            "type": "text",
            "uuid": "d2e113a1-a66d-44da-a522-6eaad9946841",
            "value": "Vidar v18.7\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Egairtigado!rfn\nVT Total Detection: 37/72\nFirst Submission: 2026-04-03T05:20:19.000000+00:00\nLast Submission: 2026-04-03T16:30:04.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776402304",
        "uuid": "5fa09902-711e-4de2-a958-5171b8cf4f54",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Initial archive file",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776402304",
            "to_ids": true,
            "type": "md5",
            "uuid": "5c01424f-a9d7-455b-873f-d2c8070eed0e",
            "value": "d8256fbc62e85dae85eb8d4b49613774",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Initial archive file",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776399328",
            "to_ids": true,
            "type": "sha1",
            "uuid": "bdcbfdb1-c97a-492d-a695-ae826f0b4318",
            "value": "4c3b9af7995072965e763fca0e472f00b84a8aea",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Initial archive file",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776399328",
            "to_ids": true,
            "type": "sha256",
            "uuid": "582ec726-829b-45af-ac74-2caeceb9497f",
            "value": "06f63fe3eba5a2d1e2177d49f25721c2bdd90f3c46f19e29740899fa908453bf",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776398456",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "a8eae12c-842d-4ec8-acd0-88e127323527",
            "value": "3145728:o5I1eLUeGh/tiyMgoyCcZHwUFhOqe0xQeK3oCgndd:o5I1eLYzMgAc55eEV0y"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776398456",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "aefc3c23-9abd-4b2b-aaca-783ce6a569ba",
            "value": "113167823"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776398456",
            "to_ids": true,
            "type": "vhash",
            "uuid": "4546806c-c1c5-441e-bae9-027a72f38e6e",
            "value": "def64176a1d9a10b68a3569e9ba324ff"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776398456",
            "to_ids": true,
            "type": "filename",
            "uuid": "0e56df76-53ca-40af-94f4-29c5e275d4fc",
            "value": "ClaudeCode_x64.7z"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/04/2026\nLast scan: 16/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776398456",
            "to_ids": false,
            "type": "text",
            "uuid": "31c5610a-4bbe-4192-b4aa-4d6102eadc23",
            "value": "Initial archive file\nType Description: 7ZIP\nMicrosoft: Trojan:Win32/Kepavll!rfn\nVT Total Detection: 20/62\nFirst Submission: 2026-03-31T18:24:12.000000+00:00\nLast Submission: 2026-04-02T22:28:39.000000+00:00"
          }
        ]
      }
    ]
  }
}