{
  "Event": {
    "analysis": "1",
    "date": "2026-03-23",
    "extends_uuid": "",
    "info": "[Threat Intel] GhostClaw expands beyond npm: GitHub repositories and AI workflows deliver macOS infostealer",
    "protected": false,
    "publish_timestamp": "1775245836",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1775245836",
    "uuid": "be35d1c3-491c-4211-af79-5103c1a8bad3",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#47d9d3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#75ec20",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Masquerading - T1036\"",
        "relationship_type": ""
      },
      {
        "colour": "#2ced92",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Scripting - T1064\"",
        "relationship_type": ""
      },
      {
        "colour": "#08221e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Steal Application Access Token - T1528\"",
        "relationship_type": ""
      },
      {
        "colour": "#b76d96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#c84641",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"GUI Input Capture - T1056.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#7628f7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Unix Shell - T1059.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#57997c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Bidirectional Communication - T1102.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:online-service=\"3b16bb5a-eb4f-4603-a909-bebc5df4a46d\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#18005c",
        "local": false,
        "name": "rectifyq:topic=\"ai\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774263611",
        "to_ids": false,
        "type": "link",
        "uuid": "4dd876f8-3a73-4377-a2b2-c9863b396328",
        "value": "https://www.jamf.com/blog/ghostclaw-ghostloader-malware-github-repositories-ai-workflows/",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774263611",
        "to_ids": false,
        "type": "text",
        "uuid": "bc963035-36ea-4a28-886b-2f05e645cab4",
        "value": "The GhostClaw malware campaign has expanded its distribution methods beyond npm packages to include GitHub repositories and AI-assisted development workflows. The attackers impersonate legitimate tools and utilize multi-stage payloads to steal credentials and retrieve additional malicious code. The infection chain involves executing shell commands, presenting fake authentication prompts, and establishing persistence. The campaign leverages both manual installation through README instructions and automated AI-assisted workflows. Multiple GitHub repositories have been identified, all communicating with a common command-and-control infrastructure. This shift in tactics allows the attackers to target a broader range of victims, including developers and users of AI-assisted coding tools."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774263611",
        "to_ids": false,
        "type": "text",
        "uuid": "34f5fc12-ec29-4f7b-8dc9-580c67750df8",
        "value": "Name: GhostClaw expands beyond npm: GitHub repositories and AI workflows deliver macOS infostealer\nAuthor: AlienVault\nAdversary: GhostClaw\nTags: [\"ghostclaw\", \"supply-chain-attack\", \"credential-theft\", \"ghostloader\", \"github\", \"macos\"]\nTgtd countries: []\nMlwr families: [\"GhostClaw\", \"GhostLoader\"]\nAttack_ids: [\"T1204.002\", \"T1036\", \"T1064\", \"T1528\", \"T1547.001\", \"T1056.002\", \"T1059.004\", \"T1027\", \"T1102.002\", \"T1105\"]\nIndustries: []"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774263611",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "88678af3-2940-492c-b208-75f8c597f1e9",
        "value": "GhostClaw"
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:04/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775237478",
        "to_ids": true,
        "type": "sha256",
        "uuid": "edbc7d5e-f314-4a1c-9aa1-73d3ca3faf12",
        "value": "189b8419863830f2732324a0e02e71721ec550ffa606f9dc719f935db5d25821",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:04/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775237478",
        "to_ids": true,
        "type": "sha256",
        "uuid": "819e607f-3354-4d76-944a-d425da46c451",
        "value": "3ab0bcc8ff821bd6ba0e5fdbb992836922a67524f8284d69324f61e651981040",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:04/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775237480",
        "to_ids": true,
        "type": "sha256",
        "uuid": "8696dc5d-6b42-460a-9c8c-c0270fbd5191",
        "value": "3c2fa99741e71436eb7f52fcf382bb92425104bd63f82d0bd0111caf2c8b91b4",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:04/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775237481",
        "to_ids": true,
        "type": "sha256",
        "uuid": "e12f83f0-8c4a-4f73-a9cb-944272045617",
        "value": "43dc96bde2d5214ea3e93c1d9f62da54c260587e0b5bd366bb55ab615262384e",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:04/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775237482",
        "to_ids": true,
        "type": "sha256",
        "uuid": "8bb92767-648e-4106-9933-e70dcb6d936d",
        "value": "593aa8051b146e7b1effd90708210ccac3527076e2b5b5068216553a5557396d",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#230087",
            "local": false,
            "name": "rectifyq:samples-found-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:04/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775237483",
        "to_ids": true,
        "type": "sha256",
        "uuid": "6ad61648-dfce-4677-aa4c-18e5cbbe731d",
        "value": "72bc4f82786e23f067d8731dac2b51c033f49ceceab0a64065a160cdff54f488",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:04/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775237484",
        "to_ids": true,
        "type": "sha256",
        "uuid": "594241af-03de-432e-acec-63501e1d30fc",
        "value": "8da42291c7c8ad4d7b174367c7b59e6cf57804f659490947957212d16dfcfe16",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:04/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775237485",
        "to_ids": true,
        "type": "sha256",
        "uuid": "91db44c5-0c28-40c0-a360-9935b02881d0",
        "value": "946206d42497ea54a4df3f3fed262a99632672e99b02abcc7a9aff0f677efba8",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:04/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775237486",
        "to_ids": true,
        "type": "sha256",
        "uuid": "b6253bd6-ad78-4c4c-8f65-d908f442c2c4",
        "value": "a80f2f5ba53bd19c35af5eed763fbaf9f00487bb4df0997651af861ef157ccea",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:04/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775237486",
        "to_ids": true,
        "type": "sha256",
        "uuid": "818347a0-a033-4d80-baab-b4555b862ef1",
        "value": "ad23c83bbcd2e2ed7ba3338b723f3a36ef7a6866672395a04fdb8fbd1bf68a90",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:04/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775237487",
        "to_ids": true,
        "type": "sha256",
        "uuid": "7af9d4b0-c9f8-44b4-baa6-e9b9e86f261b",
        "value": "b04cdafdaa9220ab819f33790f014fd84a10f3908e3d7e97a652fa0d76f40c2f",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:04/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775237488",
        "to_ids": true,
        "type": "sha256",
        "uuid": "43f031b9-01fc-432c-ab2f-177b979a0497",
        "value": "baaa13491ddaba1fc8eb5a3e7848fb1e33f6f1f5b19b5efb0d433ab09e38a1f0",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:04/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775237490",
        "to_ids": true,
        "type": "sha256",
        "uuid": "f4d71e1f-5fdf-4e4b-9d38-d84e4dfd8942",
        "value": "df8bc4bf6f312a914fa82e56dab59ceb0b2066830696ea7457067f7d446518eb",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:04/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775237491",
        "to_ids": true,
        "type": "sha256",
        "uuid": "9fccb765-6ac1-439f-af27-2fbabcd31334",
        "value": "ee968f51f1b2c0d9fcdacfd6aa9ef24cc6212118464093e67f1fdaa1144e15b1",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775241077",
        "to_ids": true,
        "type": "domain",
        "uuid": "b035e49b-9ce9-4c02-a60c-8e2a090fe7cb",
        "value": "trackpipe.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775241098",
        "to_ids": true,
        "type": "url",
        "uuid": "b2e6cc45-ba52-42fc-9c0f-77719498b967",
        "value": "https://github.com/michelleoincx/Bunkr-Downloader-Python",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775241120",
        "to_ids": true,
        "type": "url",
        "uuid": "ccc9501f-c7c2-4371-a7d1-26cca6ff90bf",
        "value": "https://github.com/elizabethasicb/poly-market-kalshi-bot",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775241141",
        "to_ids": true,
        "type": "url",
        "uuid": "be2ce2e3-6ec7-431b-bee3-634aa537525c",
        "value": "https://github.com/Sectionnaenumerate/Polymarket-Kalshi-btc-arbitrage-bot",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775241164",
        "to_ids": true,
        "type": "url",
        "uuid": "b627255b-706f-44b1-ab8d-c935e17a2853",
        "value": "https://github.com/helenigtxu/blooket",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775241185",
        "to_ids": true,
        "type": "url",
        "uuid": "953bf3c0-1159-419f-9e12-e24f6ad4bc83",
        "value": "https://github.com/deborahikssv/Antigravity-claw",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775241206",
        "to_ids": true,
        "type": "url",
        "uuid": "1ea44814-e0f5-40ee-96e4-1f371e3cc6d7",
        "value": "https://github.com/antigravity-sdk/antigravity-sdk",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775241227",
        "to_ids": true,
        "type": "url",
        "uuid": "bd36cc5e-8fa3-4215-8ce8-c967fb986621",
        "value": "https://github.com/FinPyromancerLog/xcode-claw",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775241250",
        "to_ids": true,
        "type": "url",
        "uuid": "15f3676c-7eef-44cb-a536-faefc121b6cc",
        "value": "https://github.com/Crestdrasnip/Claude-Zeroclaw",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775241271",
        "to_ids": true,
        "type": "url",
        "uuid": "49edb2e0-4bc4-41b7-9ef2-484d0c50e0ca",
        "value": "https://github.com/Heartflabrace/Doubao-Claw",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775241293",
        "to_ids": true,
        "type": "url",
        "uuid": "614151ed-4808-4732-b1d5-59e90b204987",
        "value": "https://github.com/helenigtxu/TradingView-Claw",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775241314",
        "uuid": "f9ddcfd2-21d7-4fd8-b1c0-a5b483995623",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775241314",
            "to_ids": true,
            "type": "md5",
            "uuid": "d166f576-55ff-497f-a9c9-59a87ccca058",
            "value": "78c37d4e3199c9239925ec87eb6b0ae1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775237475",
            "to_ids": true,
            "type": "sha1",
            "uuid": "903446af-186f-479f-aba3-ca6d1e8ce423",
            "value": "e821eb9af2858f63448d4d91926e4a25006e1e0a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775237475",
            "to_ids": true,
            "type": "sha256",
            "uuid": "0e7d311e-ed28-41da-9a2d-873f543aee05",
            "value": "e3ee5909f908b489a93702709fae038f0b3c864b155013a9ad7d590f1eec7fe4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775237142",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "f0f76cdf-5b4e-4344-aee7-30af8c2e0b98",
            "value": "1536:m3fUeRQOyG55lD5wfmkULMI9aSf2X7EtV+jvO31c:m3fPJyG55lFEmkULMIgSuXItVWv2e"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775237142",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "9c94d599-dd3a-4cdb-b986-17140457c6ab",
            "value": "70860"
          },
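          {
            "category": "Payload delivery",
            "comment": "Generic filename; on its own it matches many benign files. Treat it as context for the hashes in this object rather than as a standalone detection.",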
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775237142",
            "to_ids": true,
            "type": "filename",
            "uuid": "25782c1e-4c1e-4182-b359-c9021669a6e1",
            "value": "setup.js"
          },
          {
            "category": "Other",
            "comment": "Checked: 04/04/2026\nLast-scan: 01/04/2026 (dates are DD/MM/YYYY)",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775237142",
            "to_ids": false,
            "type": "text",
            "uuid": "0e70f566-c9c5-4165-82ea-bdda830c9a73",
            "value": "Type Description: JavaScript\nMicrosoft: Trojan:JS/OpenClawStealz.Z!MTB\nVT Total Detection:15/61\nFirst Submission:2026-03-11T11:30:49.000000+00:00\nLast Submission:2026-03-11T11:30:49.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775241335",
        "uuid": "07f57b31-9b84-4d60-8c1b-3eb02431de90",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775241335",
            "to_ids": true,
            "type": "md5",
            "uuid": "cabe20fe-91fc-465a-8455-106db41dcaec",
            "value": "84b4bc7b49ee2a9bf454113ae338b83f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775237477",
            "to_ids": true,
            "type": "sha1",
            "uuid": "416e65e3-c2d8-4384-8af0-730fe9a7d16c",
            "value": "c116e70de81bd284fdcd813ee840c218cdfcda3e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775237477",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f4dccf78-1f44-415e-a468-bb09f0912741",
            "value": "ec8d3b922db1cf3a82141a53a472538d10563860dfb93259e99d0aec3661734c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775237164",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "4b09142b-0d14-4bc8-9f0d-bd0653113d2f",
            "value": "96:VpOuPa6NZDgQW/NlwSZIsjiegkfeuWSQMAWZ48itSxvyqAYsfidNRhK:rOutNZEQW/NlwSZq1S8WVsqAYsfcNHK"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775237164",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "86ed659b-d851-4a13-9cd1-c0228b00a32d",
            "value": "4523"
          },
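          {
            "category": "Payload delivery",
            "comment": "Generic filename; on its own it matches many benign files. Treat it as context for the hashes in this object rather than as a standalone detection.",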
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775237164",
            "to_ids": true,
            "type": "filename",
            "uuid": "b161f571-3958-4c16-8445-e610f8dddee6",
            "value": "install.sh"
          },
          {
            "category": "Other",
            "comment": "Checked: 04/04/2026\nLast-scan: 03/04/2026 (dates are DD/MM/YYYY)",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775237164",
            "to_ids": false,
            "type": "text",
            "uuid": "88e32b3c-c049-4dca-9736-d2f31b185cef",
            "value": "Type Description: Shell script\nMicrosoft: None\nVT Total Detection:2/61\nFirst Submission:2026-03-11T11:39:16.000000+00:00\nLast Submission:2026-03-11T11:39:16.000000+00:00"
          }
        ]
      }
    ]
  }
}