{ "Event": { "analysis": "1", "date": "2026-03-30", "extends_uuid": "", "info": "[Threat Intel] TeamPCP\u2019s Telnyx Attack Marks a Shift in Tactics Beyond LiteLLM", "protected": false, "publish_timestamp": "1775907147", "published": true, "threat_level_id": "2", "timestamp": "1775907147", "uuid": "b655a546-6a2d-4694-b0d6-69f3a05e209c", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#717bc3", "local": false, "name": "misp-galaxy:producer=\"Trend Micro\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#7da4ad", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Match Legitimate Resource Name or Location - T1036.005\"", "relationship_type": "" }, { "colour": "#47d9d3", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"", "relationship_type": "" }, { "colour": "#43c8db", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"", "relationship_type": "" }, { "colour": "#20f80d", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\"", "relationship_type": "" }, { "colour": "#b76d96", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"", "relationship_type": "" }, { "colour": "#f07d7c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Non-Standard Port - T1571\"", "relationship_type": "" }, { "colour": "#e08bb2", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"", "relationship_type": "" }, { "colour": "#57997c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Bidirectional Communication - T1102.002\"", "relationship_type": "" }, { "colour": "#30cc3b", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"File Deletion - T1070.004\"", "relationship_type": "" }, { "colour": "#3c0f50", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Software Packing - T1027.002\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#130049", "local": false, "name": "rectifyq:sub-category=\"campaign-analysis\"", "relationship_type": "" }, { "colour": "#18005c", "local": false, "name": "rectifyq:topic=\"ai\"", "relationship_type": "" }, { "colour": "#18005e", "local": false, "name": "rectifyq:topic=\"supply-chain\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#55acee", "local": false, "name": "rectifyq:MY-relevancy=\"potentially-relevant\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1774926007", "to_ids": false, "type": "link", "uuid": "1ecd8e01-fbc7-4eb1-9d5a-f75d18e43a22", "value": "https://www.trendmicro.com/en_us/research/26/c/teampcp-telnyx-attack-marks-a-shift-in-tactics.html" }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1774926007", "to_ids": false, "type": "text", "uuid": "c96b34f6-3586-425b-9f66-a90dc15b0ad6", "value": "TeamPCP launched a sophisticated attack on the Telnyx Python SDK, publishing malicious versions 4.87.1 and 4.87.2 to PyPI. The attack represents an evolution from their previous LiteLLM campaign, incorporating WAV-based steganography, split-file code injection, and expanded platform support. The payload, activated on import, uses stealthy techniques to download and execute credential-stealing malware across Linux, macOS, and Windows systems. Key changes include the use of audio steganography to hide malicious code, improved evasion through split-file injection, and the addition of Windows support with Startup folder persistence. The attackers shifted from HTTPS to plaintext HTTP infrastructure, potentially exposing their activities to network monitoring. Organizations are advised to downgrade to the last clean version and treat affected systems as compromised." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1774926007", "to_ids": false, "type": "text", "uuid": "05cad105-73d4-45ab-9d08-2bda00711218", "value": "Name: TeamPCP\u2019s Telnyx Attack Marks a Shift in Tactics Beyond LiteLLM\nAuthor: AlienVault\nAdversary: TeamPCP\nTags: [\"base64 encoding\", \"pypi\", \"persistence\", \"steganography\", \"credential theft\", \"supply-chain attack\", \"wav files\", \"multi-platform\"]\nTgtd countries: []\nMlwr families: []\nAttack_ids: [\"T1036.005\", \"T1204.002\", \"T1055\", \"T1059\", \"T1547.001\", \"T1571\", \"T1027\", \"T1102.002\", \"T1070.004\", \"T1027.002\"]\nIndustries: []" }, { "category": "Attribution", "comment": "Adversary", "deleted": false, "disable_correlation": false, "timestamp": "1774926007", "to_ids": false, "type": "threat-actor", "uuid": "b0577563-b65d-4c34-8214-f67028f8fa9b", "value": "TeamPCP" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775903947", "to_ids": true, "type": "ip-dst", "uuid": "45d8a8e3-b7df-45b6-b179-2e97f841d8da", "value": "83.142.209.203", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "Data exfiltration endpoint", "deleted": false, "disable_correlation": false, "timestamp": "1775903968", "to_ids": true, "type": "url", "uuid": "f449d705-6dea-4bae-9223-4b8db659352f", "value": "https://83.142.209.203", "Tag": [ { "colour": "#f08989", "local": false, "name": "NotFoundError", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "Payload delivery", "deleted": false, "disable_correlation": false, "timestamp": "1775903989", "to_ids": true, "type": "url", "uuid": "05a9b4a7-2ca1-4200-ac64-29616b2150eb", "value": "https://83.142.209.203:8080/hangup.wav", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "Payload delivery", "deleted": false, "disable_correlation": false, "timestamp": "1775904010", "to_ids": true, "type": "url", "uuid": "8edac14e-952f-450a-852d-bd5f68243df9", "value": "https://83.142.209.203:8080/ringtone.wav", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "Exfiltration", "deleted": false, "disable_correlation": false, "timestamp": "1775904031", "to_ids": true, "type": "url", "uuid": "dd21a9fb-a08e-4016-b1b9-37b0df4e4d21", "value": "https://models.litellm.cloud/", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775904052", "to_ids": true, "type": "url", "uuid": "b61f1b31-e4b5-4906-98c9-ac84d55019b8", "value": "http://83.142.209.203:8080/", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "C&C server / payload", "deleted": false, "disable_correlation": false, "timestamp": "1775904073", "to_ids": true, "type": "url", "uuid": "1ab87228-b680-4787-8394-3131e7c270d8", "value": "https://checkmarx.zone/raw", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1775904094", "uuid": "779b77cf-2796-4e48-974c-b17ef2360a0b", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1775904094", "to_ids": true, "type": "md5", "uuid": "552256b7-1755-4797-82af-780667a8c663", "value": "5870a0bf82bbdf2687d8dce89dfa668f", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1775902624", "to_ids": true, "type": "sha1", "uuid": "929a7dc2-555c-45df-ac8b-cdba83609a9b", "value": "4ce6ad55d8912aacc4ae4c572237131d0b7ba4b5", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1775902624", "to_ids": true, "type": "sha256", "uuid": "c23877ae-b4a3-4636-8cca-138c6733cdf2", "value": "cd08115806662469bbedec4b03f8427b97c8a4b3bc1442dc18b72b4e19395fe3", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1775901518", "to_ids": true, "type": "ssdeep", "uuid": "bc858d7f-a1f7-4212-a17d-d9ff038a5db9", "value": "24576:raIs7IIJ0BemXNXI9fXxovWLZg21bRecJykl3dpblLn7STR7mhiY6Dp90u2xG/mV:l+IIJ0rI9/evW5D5Ct6bYsu4J2VMSeEk" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1775901518", "to_ids": false, "type": "size-in-bytes", "uuid": "24f54a55-7d9a-49e9-950f-9d4007b9d68b", "value": "2316357" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1775901518", "to_ids": true, "type": "vhash", "uuid": "90e052b7-5aa3-4dce-acbb-265c4f743be4", "value": "be8a9f7997ea000d3b62a409add18d28" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1775901518", "to_ids": true, "type": "filename", "uuid": "90285df9-68e1-455a-9f1e-6c0fa07d57a0", "value": "cd08115806662469bbedec4b03f8427b97c8a4b3bc1442dc18b72b4e19395fe3.zip" }, { "category": "Other", "comment": "Checked: 11/04/2026\nLast-scan\t: 11/04/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1775901518", "to_ids": false, "type": "text", "uuid": "03015ac1-ba91-44d2-a307-1d6a97519640", "value": "Type Description: ZIP\nMicrosoft: None\nVT Total Detection:32/67\nFirst Submission:2026-03-27T04:15:48.000000+00:00\nLast Submission:2026-03-30T11:45:17.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1775904115", "uuid": "00f13e91-f16e-4161-b923-fc8a4f1d4426", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1775904115", "to_ids": true, "type": "md5", "uuid": "8f02a042-41d0-4b7b-b744-258176d6cdfd", "value": "b1c6036b046bcf8c80601742ebcc61b0", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1775902624", "to_ids": true, "type": "sha1", "uuid": "28bdaaea-1d68-4744-92e7-8acc6abe0332", "value": "512efdfc832b012677341d251670c7192c463b21", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1775902625", "to_ids": true, "type": "sha256", "uuid": "a6158bc7-aa07-4b35-b75f-fa7c1e44318e", "value": "23b1ec58649170650110ecad96e5a9490d98146e105226a16d898fbe108139e5", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1775901539", "to_ids": true, "type": "ssdeep", "uuid": "25cfa436-cac3-4de7-b915-0f36468df5d1", "value": "3072:5NgKC9pJ0ueaIs840OgsY4QL0CjlJQ7lZ0eZNEEVk0wtzP44vi0RXzH0m1:HgZ9pDeam+gsg7jlJmtZNfUtzPBDXz51" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1775901539", "to_ids": false, "type": "size-in-bytes", "uuid": "26fbb9ee-419e-4e21-8403-5d3afff99683", "value": "351121" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1775901539", "to_ids": true, "type": "filename", "uuid": "83c2de1c-481c-4b16-b3e0-e28081f0e86b", "value": "_client.py" }, { "category": "Other", "comment": "Checked: 11/04/2026\nLast-scan\t: 10/04/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1775901539", "to_ids": false, "type": "text", "uuid": "947a2f9f-32dd-48f8-8828-5cfd9811f3aa", "value": "Type Description: Python\nMicrosoft: Trojan:Python/TlnxStealer.A\nVT Total Detection:33/63\nFirst Submission:2026-03-27T04:04:48.000000+00:00\nLast Submission:2026-03-30T12:20:11.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1775904137", "uuid": "05201206-b5f2-416d-b5d5-7c09b4e4c4eb", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1775904137", "to_ids": true, "type": "md5", "uuid": "9cd9de2b-484a-4418-a236-e4839b68c454", "value": "188d8592f393ce45f7273102f02efee1", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1775902625", "to_ids": true, "type": "sha1", "uuid": "2d51118b-2e98-4dfd-9fc9-56a6f3e5109d", "value": "59d1537bd095fb01617da08cf4bd89f72e158f9b", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1775902625", "to_ids": true, "type": "sha256", "uuid": "9c4bd155-c9e8-4270-92f6-f1e876302657", "value": "7321caa303fe96ded0492c747d2f353c4f7d17185656fe292ab0a59e2bd0b8d9", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1775901561", "to_ids": true, "type": "ssdeep", "uuid": "9ec8be96-e439-42bb-a0e4-d4e0575a426d", "value": "24576:rX5s7IIJ0BemXNXI9fXxovWLZg21bRecJykl3dpblLn7STR7mhiY6Dp90u2xkm9h:1+IIJ0rI9/evW5D5Ct6bYsustS1y" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1775901561", "to_ids": false, "type": "size-in-bytes", "uuid": "e73825ab-faa0-476f-b827-48ecb76a62d3", "value": "2316358" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1775901561", "to_ids": true, "type": "vhash", "uuid": "313279a6-040c-4440-a796-bf89cf72fda8", "value": "be8a9f7997ea000d3b62a409add18d28" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1775901561", "to_ids": true, "type": "filename", "uuid": "f2e2b5fa-2410-4d4e-ac37-a0c213567c72", "value": "telnyx-4.87.1-py3-none-any.whl" }, { "category": "Other", "comment": "Checked: 11/04/2026\nLast-scan\t: 10/04/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1775901561", "to_ids": false, "type": "text", "uuid": "c8d2c008-ed7c-4289-8ded-90248a7b9490", "value": "Type Description: ZIP\nMicrosoft: None\nVT Total Detection:28/67\nFirst Submission:2026-03-27T04:02:20.000000+00:00\nLast Submission:2026-03-30T11:45:11.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1775904158", "uuid": "a431d048-b126-4b63-a061-9c2fa4da833f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1775904158", "to_ids": true, "type": "md5", "uuid": "b189edf6-7148-488f-baba-90a9df4e38fa", "value": "9e837f0b9e8037b06256e2ec4291f757", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1775902626", "to_ids": true, "type": "sha1", "uuid": "584436cf-6146-41c5-a8c0-b1cc3fcecd63", "value": "6e06766423a9c046511fb32b100c4a49adfe6e2b", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1775902626", "to_ids": true, "type": "sha256", "uuid": "005ad6b4-dc03-44b9-b047-1ff19300e40b", "value": "ab4c4aebb52027bf3d2f6b2dcef593a1a2cff415774ea4711f7d6e0aa1451d4e", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1775901583", "to_ids": true, "type": "ssdeep", "uuid": "f14b1879-3941-4108-a998-b2ae1b659ba9", "value": "3072:5NgKC9pJ0ueaIs840OgsY4QL0CjlJQ7lZ0eZNEEVk0wtzP44vi0RXzH0mV:HgZ9pDeam+gsg7jlJmtZNfUtzPBDXz5V" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1775901583", "to_ids": false, "type": "size-in-bytes", "uuid": "6a5bdc58-44a5-470a-b859-3361755e0102", "value": "351121" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1775901583", "to_ids": true, "type": "filename", "uuid": "516d7809-ada9-4662-96f7-18d2405700cd", "value": "_client.py" }, { "category": "Other", "comment": "Checked: 11/04/2026\nLast-scan\t: 10/04/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1775901583", "to_ids": false, "type": "text", "uuid": "ccb46071-127d-4b0d-b647-2fdda775afd8", "value": "Type Description: Python\nMicrosoft: Trojan:Python/TlnxStealer.A\nVT Total Detection:33/63\nFirst Submission:2026-03-27T04:17:56.000000+00:00\nLast Submission:2026-03-30T12:20:16.000000+00:00" } ] } ] } }