{
  "Event": {
    "analysis": "1",
    "date": "2026-04-22",
    "extends_uuid": "",
    "info": "[Threat Intel] Untangling a Linux Incident With an OpenAI Twist (Part 2)",
    "protected": false,
    "publish_timestamp": "1779545323",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1779545323",
    "uuid": "c56cf24e-92a3-47a6-ae88-08aeb0d91300",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#8f20d0",
        "local": false,
        "name": "misp-galaxy:producer=\"Huntress\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#7da4ad",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Match Legitimate Resource Name or Location - T1036.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#a4da83",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Cron - T1053.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#fa3e60",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Clear Command History - T1070.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#edf46c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Timestomp - T1070.006\"",
        "relationship_type": ""
      },
      {
        "colour": "#e7d11f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Private Keys - T1552.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#36a9d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Account Discovery - T1087\"",
        "relationship_type": ""
      },
      {
        "colour": "#f95f85",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials In Files - T1552.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#71ecdb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Account Manipulation - T1098\"",
        "relationship_type": ""
      },
      {
        "colour": "#d99489",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Systemd Timers - T1053.006\"",
        "relationship_type": ""
      },
      {
        "colour": "#7628f7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Unix Shell - T1059.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#e43954",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#59699c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"",
        "relationship_type": ""
      },
      {
        "colour": "#36d931",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data Encrypted for Impact - T1486\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration to Cloud Storage - T1567.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#57b2ae",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Resource Hijacking - T1496\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#a0cbec",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Systemd Service - T1543.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#552d0d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"XDG Autostart Entries - T1547.013\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#120044",
        "local": false,
        "name": "rectifyq:sub-category=\"intrusion-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#18005c",
        "local": false,
        "name": "rectifyq:topic=\"ai\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"xmrig\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776942016",
        "to_ids": false,
        "type": "link",
        "uuid": "0c99a15d-920f-4565-b676-5f095ee6da76",
        "value": "https://www.huntress.com/blog/codex-part-two"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776942016",
        "to_ids": false,
        "type": "text",
        "uuid": "e58d4085-bafd-40df-8688-5cb14b0291a4",
        "value": "A Linux endpoint was compromised by at least two distinct threat actors at the same time, while the developer user relied on OpenAI's Codex AI agent for security remediation. Actor A deployed a cryptominer mining Monero to a private pool. Actor B installed a multi-revenue botnet combining XMRig mining, residential-proxy services, and bandwidth-selling components, backed by eight different persistence mechanisms. Actor C, potentially affiliated with Actor B, carried out mass data exfiltration across 15 categories, including SSH keys, cloud credentials, and API tokens. The threat actors exploited CVE-2025-55182 (React2Shell), which affects Next.js and React applications. While Codex identified some threats, it lacked the contextual awareness and privileged access needed for comprehensive incident response, and its output added noise that complicated the SOC investigation. The endpoint was ultimately secured through managed EDR telemetry and expert SOC analysis."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776942016",
        "to_ids": false,
        "type": "text",
        "uuid": "140f0bb3-b556-44b7-9f5b-2935327a15e9",
        "value": "Name: Untangling a Linux Incident With an OpenAI Twist (Part 2)\nAuthor: AlienVault\nAdversary: \nTags: [\"cryptominer\", \"repocket\", \"botnet\", \"linux compromise\", \"multiple threat actors\", \"credential harvesting\", \"systemd-logind\", \"dnser\", \"ai-assisted remediation\", \"earnfm\", \"fkkkf\", \"cve-2025-55182\", \"xmrig\", \"fh8a7d7m\", \"data exfiltration\", \"react2shell\"]\nTgtd countries: []\nMlwr families: [\"XMRig\", \"systemd-logind\", \"fkkkf\", \"FH8a7d7M\", \"dnser\", \"EarnFM\", \"Repocket\"]\nAttack_ids: [\"T1036.005\", \"T1053.003\", \"T1070.003\", \"T1070.006\", \"T1552.004\", \"T1087\", \"T1552.001\", \"T1098\", \"T1053.006\", \"T1059.004\", \"T1562.001\", \"T1078\", \"T1486\", \"T1567.002\", \"T1496\", \"T1071.001\", \"T1543.002\", \"T1547.013\", \"T1105\"]\nIndustries: []"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777321337",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "0efe892d-b232-44f8-8584-9244b6c854a3",
        "value": "62.60.246.210",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776942016",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "0eec938d-a207-4009-bf65-2fb1a3c3ddfa",
        "value": "CVE-2025-30406"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776942016",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "d3f83eec-f835-43d0-9578-51e495c29966",
        "value": "CVE-2025-55182"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777321358",
        "to_ids": true,
        "type": "domain",
        "uuid": "82d3ed0e-ca62-4738-bb7f-6400a0ed1887",
        "value": "0x1x2x3.top",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776942016",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "1adaf8f9-a3cc-41e8-ab00-5e922d2c15d7",
        "value": "CVE-2025-31151"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777321379",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "40b419d9-3e6c-496a-815b-f41097856bb6",
        "value": "147.45.41.25",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "On port 443",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777303549",
        "to_ids": true,
        "type": "ip-dst|port",
        "uuid": "1c1b86cc-8efd-476b-8bb6-9105b276c852",
        "value": "62.60.246.210|443"
      },
      {
        "category": "Network activity",
        "comment": "On port 3333",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777321400",
        "to_ids": true,
        "type": "hostname",
        "uuid": "15fd1f44-8770-45fc-bdf9-ffa9d031b4f8",
        "value": "pool.supportxmr.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "On port 4082",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777303549",
        "to_ids": true,
        "type": "ip-dst|port",
        "uuid": "e4ee527d-885e-42b4-a13d-7de4d00d1b8d",
        "value": "162.55.234.175|4082"
      },
      {
        "category": "Network activity",
        "comment": "On port 80",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777303549",
        "to_ids": true,
        "type": "ip-dst|port",
        "uuid": "e4a7dbcb-677b-4ca0-9366-2b96ebead7fc",
        "value": "147.45.41.25|80"
      },
      {
        "category": "Network activity",
        "comment": "On port 80",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777303549",
        "to_ids": true,
        "type": "ip-dst|port",
        "uuid": "b167cc06-b10c-4cb4-ae0a-a698e81cd0c9",
        "value": "172.245.159.216|80"
      },
      {
        "category": "Network activity",
        "comment": "On port 8080",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777303549",
        "to_ids": true,
        "type": "ip-dst|port",
        "uuid": "5e056402-81ca-4000-9e5c-2e14080ec835",
        "value": "172.86.127.128|8080"
      },
      {
        "category": "Network activity",
        "comment": "On port 19999",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777303549",
        "to_ids": true,
        "type": "ip-dst|port",
        "uuid": "eb30453a-c12d-440b-a3c2-5e8492680702",
        "value": "57.129.119.218|19999"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777303549",
        "to_ids": true,
        "type": "email-src",
        "uuid": "8c9ede09-7e61-4a4d-a218-0521896b96fa",
        "value": "workoutoffice@protonmail.com"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545323",
        "uuid": "2e41d987-a683-4dd0-9144-25a26c933564",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545322",
            "to_ids": true,
            "type": "md5",
            "uuid": "86a7ed9a-ffd7-4b5f-994f-1e07ed436a22",
            "value": "42c6a915128826f5aace777ce0e1475f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545322",
            "to_ids": true,
            "type": "sha1",
            "uuid": "68e2d060-565e-4eda-8709-cc898231c901",
            "value": "667aa988b617593ff0452284849e1c6a51307797",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545323",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f8fea5ef-a4ce-433e-a971-a7f71c960e51",
            "value": "781c19b56fbdb17284707f9026e107f639e5447df7df3b248a5d5a50c4b0806c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777312304",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "94d88552-e7df-4f4f-8ee8-8c3c7bfc2466",
            "value": "3072:F0ojBwKk/dBAhFatdxGK6r2nP4cPBlUte+qWNXvGEl4p:FQKkYKHxhFIqWNfG"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777312304",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "120fe549-6b71-4cf0-b807-133e8dab5c7e",
            "value": "138120"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777312304",
            "to_ids": true,
            "type": "vhash",
            "uuid": "b3bee79c-7f39-4cf7-a3ec-04cd0df8bc10",
            "value": "fe9e66a1e8e86e1faf3d539eae5e27a5"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777312304",
            "to_ids": true,
            "type": "filename",
            "uuid": "548b33bb-2b2b-40ad-930f-cd628105d012",
            "value": "oyhp5tku.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-04-28\nLast scan: 2026-04-27",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777312304",
            "to_ids": false,
            "type": "text",
            "uuid": "5d80e6cc-21df-43d3-a70a-0d705bcd9e83",
            "value": "Type Description: ELF\nMicrosoft: None\nVT Total Detection: 0/64\nFirst Submission: 2026-01-08T15:38:06.000000+00:00\nLast Submission: 2026-01-08T15:38:06.000000+00:00"
          }
        ]
      }
    ]
  }
}