{ "Event": { "analysis": "1", "date": "2026-02-26", "extends_uuid": "", "info": "[Threat Intel] Novel DPRK stager using Pastebin and text steganography", "protected": false, "publish_timestamp": "1772807232", "published": true, "threat_level_id": "2", "timestamp": "1772807231", "uuid": "b8740b4c-75cd-40fa-80ca-7584b9c59adf", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#d3f567", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"JavaScript - T1059.007\"", "relationship_type": "" }, { "colour": "#7d7034", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"", "relationship_type": "" }, { "colour": "#75ec20", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Masquerading - T1036\"", "relationship_type": "" }, { "colour": "#20f80d", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\"", "relationship_type": "" }, { "colour": "#9e0269", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Web Service - T1102\"", "relationship_type": "" }, { "colour": "#f95f85", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Credentials In Files - T1552.001\"", "relationship_type": "" }, { "colour": "#8ee4ab", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Software Deployment Tools - T1072\"", "relationship_type": "" }, { "colour": "#755c09", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"", "relationship_type": "" }, { "colour": "#b76d96", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"", "relationship_type": "" }, { "colour": "#7628f7", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Unix Shell - T1059.004\"", "relationship_type": "" }, { "colour": "#e08bb2", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"", "relationship_type": "" }, { "colour": "#d82db7", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Query Registry - T1012\"", "relationship_type": "" }, { "colour": "#02475d", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Windows Command Shell - T1059.003\"", "relationship_type": "" }, { "colour": "#92e858", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"", "relationship_type": "" }, { "colour": "#4c0fbb", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:country=\"north korea\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:threat-actor=\"WageMole\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:online-service=\"3912f9ee-b67b-44c7-9004-d350af57f776\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:online-service=\"a640909a-a19b-44af-b207-b5c3d680298e\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#120046", "local": false, "name": "rectifyq:sub-category=\"infra-profile\"", "relationship_type": "" }, { "colour": "#f1dfed", "local": false, "name": "rectifyq:TA-category=\"APT\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#55acee", "local": false, "name": "rectifyq:MY-relevancy=\"potentially-relevant\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772506808", "to_ids": false, "type": "link", "uuid": "5ad95627-9ea3-4d36-89f6-5f3667a80a3d", "value": "https://kmsec.uk/blog/dprk-text-steganography/", "Tag": [ { "colour": "#6b003a", "local": true, "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"", "relationship_type": "" } ] }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1772506808", "to_ids": false, "type": "text", "uuid": "80fcf4a1-b07a-4a86-8aa7-5ea50c9a96be", "value": "A new malicious campaign involving seventeen npm packages has been identified, utilizing Pastebin and text steganography as a dead-drop resolver. The attackers employ a complex decoding mechanism to extract C2 URLs from seemingly benign text on Pastebin. The malware targets multiple platforms, including Windows, macOS, and Linux, downloading and executing platform-specific payloads. The infection chain involves multiple fallback domains hosted on Vercel, demonstrating a sophisticated approach to maintain persistence. This novel technique, along with other recent developments, indicates an accelerated pace of testing and development by the threat actor, suggesting continued iterations in their infection methodologies." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1772506808", "to_ids": false, "type": "text", "uuid": "5f7fabf1-2c2c-40e9-8328-fc50a0b08746", "value": "Name: Novel DPRK stager using Pastebin and text steganography\nAuthor: AlienVault\nAdversary: FAMOUS CHOLLIMA\nTags: [\"pastebin\", \"steganography\", \"stager\", \"javascript\", \"multi-platform\", \"vercel\", \"npm\", \"dprk\"]\nTgtd countries: []\nMlwr families: []\nAttack_ids: [\"T1059.007\", \"T1082\", \"T1036\", \"T1059\", \"T1102\", \"T1552.001\", \"T1072\", \"T1059.001\", \"T1547.001\", \"T1059.004\", \"T1027\", \"T1012\", \"T1059.003\", \"T1071.001\", \"T1105\"]\nIndustries: []" }, { "category": "Attribution", "comment": "Adversary", "deleted": false, "disable_correlation": false, "timestamp": "1772506808", "to_ids": false, "type": "threat-actor", "uuid": "de0bc91d-1324-4e2d-9604-c26f4f842b4a", "value": "FAMOUS CHOLLIMA" }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:04/03/2026", "deleted": false, "disable_correlation": false, "timestamp": "1772574431", "to_ids": true, "type": "sha256", "uuid": "9e17a544-6b64-45d3-a98b-1b4d7ac38c46", "value": "869c327b8dc757fa126cd281bc4a14d809c50e9a792954442c55cea5b46912ec", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:04/03/2026", "deleted": false, "disable_correlation": false, "timestamp": "1772574432", "to_ids": true, "type": "sha256", "uuid": "7181cda4-983e-40da-a063-b0877b42ddb8", "value": "bce0da6547ae74f97e2bb61672a3e159b837acf01f7c68a813ea75c3835ff303", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:04/03/2026", "deleted": false, "disable_correlation": false, "timestamp": "1772574433", "to_ids": true, "type": "sha256", "uuid": "c2a0a977-5796-45ab-a1d2-136a02a95321", "value": "e361d2859ba2eb2540bf6fb12db0b9857ef610bb9920830921e986d4b9109e89", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772574450", "to_ids": true, "type": "hostname", "uuid": "370f338a-4c00-4029-aa87-fe00588d9e04", "value": "ext-checkdin.vercel.app", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772574472", "to_ids": true, "type": "hostname", "uuid": "71940a54-9dee-4224-ae44-21a39831f8c6", "value": "cleverstack-ext301.vercel.app", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772574493", "to_ids": true, "type": "hostname", "uuid": "9d15f26a-6ab3-474f-a47d-2ac49f7a209d", "value": "cleverstack-app998.vercel.app", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772574514", "to_ids": true, "type": "hostname", "uuid": "a73fbd4c-b968-4ef3-a044-eabeab435c9f", "value": "brightlaunch-ext742.vercel.app", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772574536", "to_ids": true, "type": "hostname", "uuid": "acc063b0-9dba-4e22-a569-9e229cd1ceaa", "value": "brightlaunch-app615.vercel.app", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772574557", "to_ids": true, "type": "hostname", "uuid": "56b0a836-2f36-46ee-bac7-34ab97e53970", "value": "primevector-ext483.vercel.app", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772574578", "to_ids": true, "type": "hostname", "uuid": "59fd0043-8378-4679-88c4-46026e78c9f1", "value": "primevector-app920.vercel.app", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772574599", "to_ids": true, "type": "hostname", "uuid": "3526ad64-9b16-4221-b630-332187c1b08c", "value": "zenithflow-ext156.vercel.app", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772574620", "to_ids": true, "type": "hostname", "uuid": "c3041e4c-4f0b-4f48-a4ad-70b1f6e9088a", "value": "zenithflow-app877.vercel.app", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772574642", "to_ids": true, "type": "hostname", "uuid": "816dedcc-aebf-44f7-8739-94964833eee1", "value": "cloudharbor-ext664.vercel.app", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772574663", "to_ids": true, "type": "hostname", "uuid": "3bc56610-3f10-4054-9ae0-78c0912e0a3a", "value": "cloudharbor-app239.vercel.app", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772574684", "to_ids": true, "type": "hostname", "uuid": "d12f2351-bf75-4cd3-9966-282b36a9d77a", "value": "sparkforge-ext518.vercel.app", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772574706", "to_ids": true, "type": "hostname", "uuid": "b95ab697-0aaa-436a-b219-9fe545eaf3b0", "value": "sparkforge-app790.vercel.app", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772574727", "to_ids": true, "type": "hostname", "uuid": "fbd4bb1a-0ec0-414b-b155-918b44c9f9fa", "value": "logicfield-ext432.vercel.app", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772574748", "to_ids": true, "type": "hostname", "uuid": "2a5d8c1a-b3f5-413b-911c-0907a7c9a170", "value": "logicfield-app681.vercel.app", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772574770", "to_ids": true, "type": "hostname", "uuid": "aea7fcff-4260-432c-b4c9-a601a1abdcc0", "value": "atlasnode-ext957.vercel.app", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772574791", "to_ids": true, "type": "hostname", "uuid": "947209ef-ab06-41fc-ba5d-48c416ac47bc", "value": "atlasnode-app204.vercel.app", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772574814", "to_ids": true, "type": "hostname", "uuid": "3671f5a0-c33b-475c-9e29-c2ee65ff92ca", "value": "signalbase-ext369.vercel.app", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772574835", "to_ids": true, "type": "hostname", "uuid": "ac256a4e-5101-4f4e-b2d6-5e8963747e9b", "value": "signalbase-app845.vercel.app", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772574856", "to_ids": true, "type": "hostname", "uuid": "e1593167-f782-42b9-a611-491330a278f3", "value": "neuraldock-ext126.vercel.app", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772574877", "to_ids": true, "type": "hostname", "uuid": "2f26df10-fbde-43e1-9b36-8f7627e54a95", "value": "neuraldock-app734.vercel.app", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772574898", "to_ids": true, "type": "hostname", "uuid": "aa84cc38-d32c-46ef-ae07-cba41e675fde", "value": "orbitstack-ext592.vercel.app", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772574920", "to_ids": true, "type": "hostname", "uuid": "90b5776d-7495-4452-b5ce-01f04c1c36a4", "value": "orbitstack-app318.vercel.app", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772574941", "to_ids": true, "type": "hostname", "uuid": "9c8c3a55-e584-497e-a8d4-180ac8819bff", "value": "fusionlayer-ext807.vercel.app", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772574964", "to_ids": true, "type": "hostname", "uuid": "481bf1b4-3acd-42bf-ba6f-0a8f824cc63f", "value": "fusionlayer-app463.vercel.app", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772574985", "to_ids": true, "type": "hostname", "uuid": "bfdd6439-a9e8-470d-b421-aa0cb5d6b74e", "value": "quantapath-ext275.vercel.app", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772575006", "to_ids": true, "type": "hostname", "uuid": "a5dfcf74-e066-454a-b490-34479161d86f", "value": "quantapath-app914.vercel.app", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772575028", "to_ids": true, "type": "hostname", "uuid": "46ee1293-01f8-45ef-befa-487c53b27768", "value": "visiondock-ext648.vercel.app", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772575049", "to_ids": true, "type": "hostname", "uuid": "2ae1f46c-18c0-45de-8d6f-9c3736e5ada9", "value": "visiondock-app157.vercel.app", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772575071", "to_ids": true, "type": "hostname", "uuid": "67d2b970-3a70-4426-b141-8f10a54d3d68", "value": "openmatrix-ext539.vercel.app", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772575092", "to_ids": true, "type": "hostname", "uuid": "5685a8b9-74e9-45a1-b8f4-cebb040d434a", "value": "openmatrix-app882.vercel.app", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772575114", "to_ids": true, "type": "url", "uuid": "c4d4f992-5b7f-411c-acd2-b9a5280f1eca", "value": "https://pastebin.com/CJ5PrtNk", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772575136", "to_ids": true, "type": "url", "uuid": "34442e18-01c9-41d9-912c-0516cf266361", "value": "https://pastebin.com/0ec7i68M", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772575159", "to_ids": true, "type": "url", "uuid": "c559f1f1-6192-4f15-91d3-429b4f29b2a1", "value": "https://pastebin.com/DjDCxcsT", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772572383", "to_ids": true, "type": "filename", "uuid": "7a3c51aa-55ee-47a7-9d75-46ca9867185b", "value": "christopher.smith.hal47" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772572383", "to_ids": true, "type": "email-src", "uuid": "b891220b-e026-4a20-a3ff-cfc259beef4d", "value": "christopher.smith.hal47@gmail.com" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772572384", "to_ids": true, "type": "filename", "uuid": "be7e903b-b221-423f-9ddc-5c457b728d03", "value": "christopher.smith.hj47" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772572384", "to_ids": true, "type": "email-src", "uuid": "c7c50a15-8d42-4e77-9be1-3ccffe57a8f9", "value": "christopher.smith.hj47@gmail.com" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772572384", "to_ids": true, "type": "filename", "uuid": "97c2675c-5a6b-487e-b8fb-2f36e92a9370", "value": "christopher.smith.ye47" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772572384", "to_ids": true, "type": "email-src", "uuid": "d80052c2-e383-4569-a003-9b49a67e6f7e", "value": "christopher.smith.ye47@gmail.com" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772572384", "to_ids": true, "type": "filename", "uuid": "0a07b35b-e25e-4c09-8e0a-5f48bb80a8c8", "value": "christopher.smith471014" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772572384", "to_ids": true, "type": "email-src", "uuid": "0425cd5c-428b-4a3d-a6dd-1d37f2316c31", "value": "christopher.smith471014@gmail.com" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772572384", "to_ids": true, "type": "filename", "uuid": "92e6a7e2-a76d-4aa6-bba1-e9cd38279657", "value": "hello.mr.jr29" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772572384", "to_ids": true, "type": "email-src", "uuid": "f59c4538-b62e-44a2-8f11-943d1879d20e", "value": "hello.mr.jr29@gmail.com" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772572384", "to_ids": true, "type": "filename", "uuid": "765f5feb-333f-4672-90c8-6cd5f9b78c1a", "value": "patrick.sullivan1896" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772572384", "to_ids": true, "type": "email-src", "uuid": "fd05d627-f612-4af4-88ac-efb33785fdbc", "value": "patrick.sullivan1896@gmail.com" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772572384", "to_ids": true, "type": "email-src", "uuid": "1b7ea8c1-716e-47dc-9515-04765aecf6a5", "value": "veryanthony00@gmail.com" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772572384", "to_ids": true, "type": "filename", "uuid": "8d8a8fb7-0ecb-453a-9078-48901c275a56", "value": "charles.cm.morgan" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772572384", "to_ids": true, "type": "email-src", "uuid": "0de23c56-41c2-433f-87b8-d2a9d1fb8563", "value": "charles.cm.morgan@gmail.com" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772572384", "to_ids": true, "type": "filename", "uuid": "972f7f23-6f13-41e1-8ecb-6b19d49f4c37", "value": "andrew.ddn.walker" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772572384", "to_ids": true, "type": "email-src", "uuid": "b6f2df39-c0a2-46be-a719-bc04650b16a7", "value": "andrew.ddn.walker@gmail.com" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772572384", "to_ids": true, "type": "filename", "uuid": "05d14f33-fd94-4b13-b979-302260642257", "value": "andrew.dea.walker00" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772572384", "to_ids": true, "type": "email-src", "uuid": "e61b734a-e55e-4095-aafa-474b384ad746", "value": "andrew.dea.walker00@gmail.com" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772572384", "to_ids": true, "type": "filename", "uuid": "b7632341-d8a1-45f8-9e3d-613afcb98145", "value": "stefan.matic.topdev00" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772572384", "to_ids": true, "type": "email-src", "uuid": "06c67ae9-c920-42d8-8a6e-af25322f7b41", "value": "stefan.matic.topdev00@gmail.com" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772572384", "to_ids": true, "type": "filename", "uuid": "61295eaa-13c9-480f-a4e3-5e66b4b2ac52", "value": "andrew.dn.walker00" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772572384", "to_ids": true, "type": "email-src", "uuid": "90b1fcd2-1af2-4a9e-8c97-f7f55ef8a013", "value": "andrew.dn.walker00@gmail.com" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772572384", "to_ids": true, "type": "filename", "uuid": "08757879-5659-4e43-9972-1075977a6a6e", "value": "andrew.d.walker00" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772572384", "to_ids": true, "type": "email-src", "uuid": "dc68088e-1232-487b-9c53-a2efaae70113", "value": "andrew.d.walker00@gmail.com" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772572384", "to_ids": true, "type": "filename", "uuid": "48b5477f-ef92-4a0a-ae4b-4fdf7c305a43", "value": "andrew.dean.walker00" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772572384", "to_ids": true, "type": "email-src", "uuid": "4aef8256-73d0-4050-bee6-eb2a7323a5c4", "value": "andrew.dean.walker00@gmail.com" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772572384", "to_ids": true, "type": "email-src", "uuid": "465c85ba-4d22-4707-b3d1-da4055334923", "value": "andrewdeanwalker007@gmail.com" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772572384", "to_ids": true, "type": "email-src", "uuid": "0b413c0a-9dfa-447c-bf8c-5f64794a2b76", "value": "needlesstosay0o0o0@gmail.com" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772572384", "to_ids": true, "type": "email-src", "uuid": "e2e50df6-807b-4b2e-a6e2-f501fd6364ad", "value": "whereisandrew2@gmail.com" } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1772575180", "uuid": "5073cd4b-5a84-4a80-ab18-38d797a0bfe2", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1772575180", "to_ids": true, "type": "md5", "uuid": "88e9ef70-2473-4299-81f6-14b76553724a", "value": "8425f42ef4908723f60582b6def226bc", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#260093", "local": false, "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1772574429", "to_ids": true, "type": "sha1", "uuid": "7459ab9c-1635-484a-9901-5f89f0e2594a", "value": "a9a31100ea215a6108f24b4728735350221eff09", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#260093", "local": false, "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1772574429", "to_ids": true, "type": "sha256", "uuid": "3f153564-80ce-40fd-b731-8302c5d06ebd", "value": "accf04ad3228a22532d2f5802a5b0c379c3616564c4766fc1f1ca20dac8dba07", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#260093", "local": false, "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1772574087", "to_ids": true, "type": "ssdeep", "uuid": "0b44c2df-9a9f-4bb1-99f9-2e6912ca49f8", "value": "3:QAQnBAB:QAQnBAB" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1772574087", "to_ids": false, "type": "size-in-bytes", "uuid": "7c46fc78-d8a0-4b5c-ad45-a82f47151764", "value": "21" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1772574087", "to_ids": true, "type": "filename", "uuid": "490ebc0d-a479-439d-bd72-6c077755a235", "value": "tokenw" }, { "category": "Other", "comment": "Checked: 04/03/2026\nLast-scan\t: 25/02/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1772574087", "to_ids": false, "type": "text", "uuid": "f4204227-e597-42eb-ac58-bb04af599259", "value": "Type Description: Text\nMicrosoft: None\nVT Total Detection:0/62\nFirst Submission:2026-02-25T15:55:22.000000+00:00\nLast Submission:2026-02-25T15:55:22.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1772575201", "uuid": "3b85af0c-01fd-40c3-9175-84650795c4fd", "Attribute": [ { "category": "Payload delivery", "comment": "malicious JavaScript file", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1772575201", "to_ids": true, "type": "md5", "uuid": "194543f6-4553-413d-971d-5c55c0047085", "value": "38233d77050b5f34aa0c0014d1b8ab3a", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "malicious JavaScript file", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1772574430", "to_ids": true, "type": "sha1", "uuid": "33bddf1a-b36a-415f-8104-f7631ff2972a", "value": "848e45088ab83918b2fef09301663cb3759d550e", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "malicious JavaScript file", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1772574430", "to_ids": true, "type": "sha256", "uuid": "7a42bce2-8613-4c0a-b279-2e4209b31d30", "value": "da1775d0fbe99fbc35b6f0b4a3a3cb84da3ca1b2c1bbac0842317f6f804e30a4", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1772574131", "to_ids": true, "type": "ssdeep", "uuid": "ba83a935-4551-47e7-9a66-f06bcc8f3df6", "value": "384:I+cGlJzHyAVk+HUBWIMLkHzWyHlFBJqjHu7CdfS5XIfZCjqn5Kj48RLxtjn/JizE:bHlJmAVk+0BWIML0WyFF3UH0CdfS5XIo" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1772574131", "to_ids": false, "type": "size-in-bytes", "uuid": "e08cac15-530e-48ae-8997-bbf71d7225b4", "value": "14810" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1772574131", "to_ids": true, "type": "vhash", "uuid": "90f3e2c7-7fd9-457d-b6f3-7be127c91201", "value": "db32c91cedc6a37de40c74ae057ca7ef" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1772574131", "to_ids": true, "type": "filename", "uuid": "de38e798-a048-4290-94a6-e569ab77519a", "value": "version.js" }, { "category": "Other", "comment": "Checked: 04/03/2026\nLast-scan\t: 04/03/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1772574131", "to_ids": false, "type": "text", "uuid": "79482ba6-fde7-4d39-a443-65db234539a4", "value": "malicious JavaScript file\r\nType Description: JavaScript\nMicrosoft: Trojan:Script/Wacatac.B!ml\nVT Total Detection:5/62\nFirst Submission:2026-03-01T12:17:50.000000+00:00\nLast Submission:2026-03-01T17:23:39.000000+00:00" } ] } ] } }