{
  "Event": {
    "analysis": "1",
    "date": "2026-03-02",
    "extends_uuid": "",
    "info": "[Threat Intel] Dust Specter APT Targets Government Officials in Iraq",
    "protected": false,
    "publish_timestamp": "1772807250",
    "published": true,
    "threat_level_id": "1",
    "timestamp": "1772807250",
    "uuid": "c722f963-0d5d-424d-9c11-8009ba47db75",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#6dbaba",
        "local": false,
        "name": "misp-galaxy:producer=\"Zscaler\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#bb2745",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Standard Encoding - T1132.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#9edfba",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malware - T1587.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#82eae0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Domains - T1583.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#4e866e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Traffic Signaling - T1205\"",
        "relationship_type": ""
      },
      {
        "colour": "#bf01b7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"",
        "relationship_type": ""
      },
      {
        "colour": "#4494e4",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Protocol or Service Impersonation - T1001.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e1e63b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#4929fe",
        "local": false,
        "name": "misp-galaxy:target-information=\"Iraq\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Government, Administration\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious Copy and Paste - T1204.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:country=\"iran\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"APT\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772593213",
        "to_ids": false,
        "type": "link",
        "uuid": "1e4e493b-1311-4ab3-b17b-f28fac9b13ac",
        "value": "https://www.zscaler.com/blogs/security-research/dust-specter-apt-targets-government-officials-iraq"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772593213",
        "to_ids": false,
        "type": "text",
        "uuid": "31822b22-ae3e-47a7-aa26-e08db09900f1",
        "value": "A suspected Iran-nexus threat actor, dubbed Dust Specter, targeted Iraqi government officials in January 2026. The campaign involved impersonating Iraq's Ministry of Foreign Affairs and using compromised government infrastructure to host malicious payloads. Two attack chains were identified, utilizing previously undocumented malware including SPLITDROP, TWINTASK, TWINTALK, and GHOSTFORM. The malware employed creative evasion techniques, leveraged generative AI for development, and used file-based polling mechanisms for command execution. The campaign also incorporated ClickFix-style attacks and social engineering lures. Attribution to an Iran-nexus group is based on code similarities, victimology, and overlapping tactics with known Iranian APT groups."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772593213",
        "to_ids": false,
        "type": "text",
        "uuid": "583756ff-ea1f-431b-b4c0-e8e8134c8476",
        "value": "Name: Dust Specter APT Targets Government Officials in Iraq\nAuthor: AlienVault\nAdversary: Dust Specter\nTags: [\"generative ai\", \"twintask\", \"twintalk\", \"iraq\", \"iran-nexus\", \"ghostform\", \"government\", \"social engineering\", \"apt\", \"clickfix\", \"splitdrop\"]\nTargeted countries: [\"Iraq\"]\nMalware families: [\"SPLITDROP\", \"TWINTASK\", \"TWINTALK\", \"GHOSTFORM\"]\nAttack_ids: [\"T1132.001\", \"T1587.001\", \"T1082\", \"T1140\", \"T1583.001\", \"T1205\", \"T1112\", \"T1001.003\", \"T1071.001\", \"T1574.002\"]\nIndustries: [\"Government\"]"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772593213",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "2b946292-8cd5-4e6d-84c2-99111350ee57",
        "value": "Dust Specter"
      },
      {
        "category": "Payload delivery",
        "comment": "Worker module (TWINTASK). No sample in VirusTotal.\r\nLast check: 06/03/2026 (DD/MM/YYYY)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772765803",
        "to_ids": true,
        "type": "md5",
        "uuid": "8ec35a84-f913-40f2-bae1-fe4ead3db1c8",
        "value": "19ab3fd2800f62a47bf13a4cc4e4c124",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "C2 orchestrator (TWINTALK). No sample in VirusTotal.\r\nLast check: 06/03/2026 (DD/MM/YYYY)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772765804",
        "to_ids": true,
        "type": "md5",
        "uuid": "0f0f9ec7-dd86-4af1-9d5a-471dbad532ec",
        "value": "63702bd6422ec2d5678d4487146ea434",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Base64-encoded PowerShell command. No sample in VirusTotal.\r\nLast check: 06/03/2026 (DD/MM/YYYY)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772765804",
        "to_ids": true,
        "type": "md5",
        "uuid": "6e0beb42-dde4-4e01-865c-59f908f311b9",
        "value": "aa887d32eb9467abba263920e55d6abe",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Base64-encoded PowerShell command. No sample in VirusTotal.\r\nLast check: 06/03/2026 (DD/MM/YYYY)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772765805",
        "to_ids": true,
        "type": "sha1",
        "uuid": "42bf1a89-6caf-4f8d-9d3d-96a39953e937",
        "value": "ad97e1bba1d040a237727afdb2787d6867d72b74",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Worker module (TWINTASK). No sample in VirusTotal.\r\nLast check: 06/03/2026 (DD/MM/YYYY)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772765806",
        "to_ids": true,
        "type": "sha1",
        "uuid": "13a593aa-24cf-4cc5-97e0-76d56f3c9dea",
        "value": "c79c261457def606c3393dde77c82832a5c0ded3",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "C2 orchestrator (TWINTALK). No sample in VirusTotal.\r\nLast check: 06/03/2026 (DD/MM/YYYY)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772765806",
        "to_ids": true,
        "type": "sha1",
        "uuid": "09faf24c-3def-40b0-abbe-85edbaf3f11b",
        "value": "c7dff3a0675f330feb9a7c469f8340369451d122",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Base64-encoded PowerShell command. No sample in VirusTotal.\r\nLast check: 06/03/2026 (DD/MM/YYYY)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772765807",
        "to_ids": true,
        "type": "sha256",
        "uuid": "1a37956c-fa53-42b7-bc09-e7f50bddee73",
        "value": "6af71297ce7681e64d9a4c5449a7326f17f3f107cb7940ec5e0840390c457a47",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Worker module (TWINTASK). No sample in VirusTotal.\r\nLast check: 06/03/2026 (DD/MM/YYYY)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772765808",
        "to_ids": true,
        "type": "sha256",
        "uuid": "b651d5e1-3f86-41e2-a1ce-bfaa422029ae",
        "value": "ad26cd72a83b884a8bc5aaa87309683953e151ebb3fde42eda7bf9a4406e530d",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "C2 orchestrator (TWINTALK). No sample in VirusTotal.\r\nLast check: 06/03/2026 (DD/MM/YYYY)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772765809",
        "to_ids": true,
        "type": "sha256",
        "uuid": "5e40ba5a-8860-48b9-9989-6029673c079a",
        "value": "f3f2dc31f70a105db161a5e7b463b2215d3cbd64ac0146fd68e39da1c279f7ef",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772766541",
        "to_ids": true,
        "type": "url",
        "uuid": "951c342d-d213-458a-971c-3a8d24cfbe99",
        "value": "https://ca.iq/packages/mofaSurvey_20_30_oct.zip",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772766562",
        "to_ids": true,
        "type": "url",
        "uuid": "b166f2ab-ab0e-43cd-8c11-f79790c967a0",
        "value": "https://meetingapp.site/webexdownload",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
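        "comment": "NOTE(review): value matches the url attribute b166f2ab-ab0e-43cd-8c11-f79790c967a0 except for a trailing apostrophe; possibly an extraction artefact - verify against the source report before using it for detection.",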
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772766583",
        "to_ids": true,
        "type": "url",
        "uuid": "ad3cbda7-1eee-47f5-a9e3-375e2231174e",
        "value": "https://meetingapp.site/webexdownload'",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772766605",
        "to_ids": true,
        "type": "domain",
        "uuid": "316b2a8f-d858-4772-a138-61eaae2b66c3",
        "value": "afterworld.store",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772766626",
        "to_ids": true,
        "type": "domain",
        "uuid": "d4f894a4-5067-48aa-a520-30ecbb2d5062",
        "value": "girlsbags.shop",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772766647",
        "to_ids": true,
        "type": "domain",
        "uuid": "19948bbf-2e58-4ddc-8f1a-d9f4926796a4",
        "value": "lecturegenieltd.pro",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772766669",
        "to_ids": true,
        "type": "domain",
        "uuid": "16ba55f5-5035-4d5b-8654-4eeeb8ac6b14",
        "value": "meetingapp.site",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772766690",
        "to_ids": true,
        "type": "domain",
        "uuid": "7feacd70-8db2-45b0-b09d-9b02701b439e",
        "value": "onlinepettools.shop",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772766712",
        "to_ids": true,
        "type": "domain",
        "uuid": "2de4f1cf-127c-480b-ac17-e448b34566c9",
        "value": "web14.info",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772766733",
        "to_ids": true,
        "type": "domain",
        "uuid": "759f06de-8053-4485-95a3-88af1a7aef3b",
        "value": "web27.info",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772766754",
        "uuid": "986f3def-b329-442e-8a83-83ce9b307d7f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Attack Chain 2 (GHOSTFORM)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772766754",
            "to_ids": true,
            "type": "md5",
            "uuid": "09a2868d-8380-462b-8764-aed78f8b6407",
            "value": "70a9b537b9b7e1b410576d798e6c5043",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Attack Chain 2 (GHOSTFORM)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772765794",
            "to_ids": true,
            "type": "sha1",
            "uuid": "2042842a-41bd-49b0-af1f-b7b3c386c264",
            "value": "cb1760c90fb6c399e0125c7aa793efe37c4ce533",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Attack Chain 2 (GHOSTFORM)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772765794",
            "to_ids": true,
            "type": "sha256",
            "uuid": "33460318-f2df-40b7-940a-4cb3175e8d55",
            "value": "a27d53608ab05b5c7cb86bcf4a273435238beeb7e7efd7845375b2aa765f51e2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772765323",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "2dbf9423-0e26-46cb-ba17-70467a5e5e84",
            "value": "6144:BuCInHLhJI4FY/ixjci6ychf8xalGQGtSV41kJDsTDDpBnse6OVxLV/W:JQL32ikCaUS4csRBse6sfW"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772765323",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "0196b4fd-2f40-44c5-978e-eee9630a7118",
            "value": "736256"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772765323",
            "to_ids": true,
            "type": "vhash",
            "uuid": "023fd60f-f510-464c-992b-363bfa7aa9e5",
            "value": "275036651514b01039fa7fa52032"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772765323",
            "to_ids": true,
            "type": "filename",
            "uuid": "d1faa465-284d-42f8-a0b0-daeec4e1f03c",
            "value": "webInfo.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 06/03/2026 (DD/MM/YYYY)\nLast scan: 05/03/2026 (DD/MM/YYYY)",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772765323",
            "to_ids": false,
            "type": "text",
            "uuid": "24049fb2-ca60-4fdc-8501-3dc77e388470",
            "value": "Attack Chain 2 (GHOSTFORM)\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Malgent!MSR\nVT Total Detection:30/72\nFirst Submission:2025-07-23T13:01:14.000000+00:00\nLast Submission:2026-03-03T04:07:19.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772766776",
        "uuid": "358f191d-349d-4cf9-aa01-f65b826a2d8c",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Dropper (SPLITDROP)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772766776",
            "to_ids": true,
            "type": "md5",
            "uuid": "8a64b99e-9fbc-4129-ae55-17f0fbfe0dc4",
            "value": "78275f3fc7e209b85bff6a6f99acc68a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Dropper (SPLITDROP)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772765795",
            "to_ids": true,
            "type": "sha1",
            "uuid": "5366fb35-5863-4c1f-94f6-9b1bf3c9548b",
            "value": "fc08f8403849c6233978a363f4cdc58cd7041823",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Dropper (SPLITDROP)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772765795",
            "to_ids": true,
            "type": "sha256",
            "uuid": "7befb429-3a3e-4992-9103-e7be7299fbd4",
            "value": "6bb0d45799076b3f2d7f602b978a0779868fc72a1188374f6919fbbfba23efce",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772765345",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "cd2ba7d4-0837-41f0-9f20-76d1433b3497",
            "value": "49152:YQ/WarzVvO5K5u+KO+nuov4YxRI5KNA2mDTpM1xnbgszgJeq:lfvOrnuB4NaTpGlbgJx"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772765345",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "48aa8963-1284-4ef9-9dac-f449e4609019",
            "value": "3181056"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772765345",
            "to_ids": true,
            "type": "vhash",
            "uuid": "2b19c159-2317-4d84-a205-1904f23a2843",
            "value": "236036751511608291c2022"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772765345",
            "to_ids": true,
            "type": "filename",
            "uuid": "3fc42e50-2fdb-4c08-9765-5125ae2bd9a9",
            "value": "CheckFopil.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 06/03/2026\nLast-scan\t:  05/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772765345",
            "to_ids": false,
            "type": "text",
            "uuid": "791c0279-53c3-4e78-b9f8-c37f776628f3",
            "value": "Dropper (SPLITDROP)\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Egairtigado!rfn\nVT Total Detection:28/72\nFirst Submission:2026-02-16T10:25:18.000000+00:00\nLast Submission:2026-03-03T06:35:35.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772766797",
        "uuid": "6c55c45b-0655-4aae-9795-b21a97ae02b8",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "ZIP archive containing Attack Chain 2 (GHOSTFORM)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772766797",
            "to_ids": true,
            "type": "md5",
            "uuid": "af63630b-68fa-4512-b32a-9d4153484cb3",
            "value": "7f17fa22feaced1a16d4d39c545cdb16",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ZIP archive containing Attack Chain 2 (GHOSTFORM)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772765796",
            "to_ids": true,
            "type": "sha1",
            "uuid": "f8672d18-71fa-44b1-a6bb-e140c52d36f9",
            "value": "369b56a89b2fce2cbdc36f5a23bdec6067242911",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ZIP archive containing Attack Chain 2 (GHOSTFORM)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772765796",
            "to_ids": true,
            "type": "sha256",
            "uuid": "ddd33adb-38b9-4c7c-b3e7-2b134d023eb4",
            "value": "fa51aff99d86a9f1f65aa0ebbf6ca40411d343cea59370851ab328b97e2164bb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772765367",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "3529117f-dda7-4b15-abd3-42cad7ef46a8",
            "value": "6144:1L1HjEwbSbBYTqrFrx96ksCkzDuUP+ZDsUZfpybLwZMm3ihC:1p/b8Bwqrvj6P+ld9pyu53iY"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772765367",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "a9d51662-c5fb-4a06-a855-6e18311349eb",
            "value": "310499"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772765367",
            "to_ids": true,
            "type": "vhash",
            "uuid": "d449cab9-25e0-444f-81ca-4acc81e68f1c",
            "value": "163c6ca891ab6d5d3259669a602ffb9b"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772765367",
            "to_ids": true,
            "type": "filename",
            "uuid": "6c18fbab-0266-43d0-b96b-9f208999632c",
            "value": "893506.zip"
          },
          {
            "category": "Other",
            "comment": "Checked: 06/03/2026\nLast-scan\t:  05/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772765367",
            "to_ids": false,
            "type": "text",
            "uuid": "dec92997-c94d-41b4-a3c6-2d00c111f62b",
            "value": "ZIP archive containing Attack Chain 2 (GHOSTFORM)\r\nType Description: ZIP\nMicrosoft: None\nVT Total Detection:25/69\nFirst Submission:2025-07-23T13:00:45.000000+00:00\nLast Submission:2025-07-23T13:00:45.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772766818",
        "uuid": "4c08e0b1-951f-4f83-ac68-c685f28bdf53",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Attack Chain 2 (GHOSTFORM)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772766818",
            "to_ids": true,
            "type": "md5",
            "uuid": "8922ab89-b02e-45da-aaf7-bf4d58040de6",
            "value": "809139c237c4062baecab43570060d67",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Attack Chain 2 (GHOSTFORM)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772765798",
            "to_ids": true,
            "type": "sha1",
            "uuid": "eb8f3b61-a68e-4415-9de9-895081d545da",
            "value": "8735ee29c409b8d101eb3170f011455be41b7a91",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Attack Chain 2 (GHOSTFORM)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772765798",
            "to_ids": true,
            "type": "sha256",
            "uuid": "4b37f8c7-62c7-46e5-abb2-ee7b039a396b",
            "value": "3a66ae5942f6feb79cf81ee70451f761253e0e0bde95f0840abdd42a804fad39",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772765389",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "8469fc75-a7a8-47a9-9076-573428a662c7",
            "value": "6144:5TtuCInHLhJI4FY/ixjci6ychf8xalGQGtSV41kJDsTDDpBnse6OVxLV/W:l1QL32ikCaUS4csRBse6sfW"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772765389",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "886e9a39-01be-455a-9361-d2a4fd1cb5d5",
            "value": "497664"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772765389",
            "to_ids": true,
            "type": "vhash",
            "uuid": "4254a8a1-62ba-4ab4-b27b-9467f3ca33a7",
            "value": "245036651514b01039f87ea52032"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772765389",
            "to_ids": true,
            "type": "filename",
            "uuid": "bc2531d7-5197-4734-84f7-a4df10f530be",
            "value": "file_oct_surv.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 06/03/2026\nLast-scan\t:  05/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772765389",
            "to_ids": false,
            "type": "text",
            "uuid": "1f8ee935-2bbe-4cdb-93e6-49f256384ba9",
            "value": "Attack Chain 2 (GHOSTFORM)\r\nType Description: Win32 EXE\nMicrosoft: Trojan:MSIL/GhostForm.DA!MTB\nVT Total Detection:42/72\nFirst Submission:2025-11-19T10:54:07.000000+00:00\nLast Submission:2026-03-02T20:34:39.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772766839",
        "uuid": "23908c88-958c-4acd-86e8-61b7087d922c",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Password-protected RAR archive",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772766839",
            "to_ids": true,
            "type": "md5",
            "uuid": "a39bfdbb-ca18-4ed1-95c0-52e1f503459e",
            "value": "8f44262afaa171b78fc9be20a0fb0071",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Password-protected RAR archive",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772765799",
            "to_ids": true,
            "type": "sha1",
            "uuid": "1671eb6b-0ebc-40ef-a152-932df6a3438b",
            "value": "1debc4c512ded889464e386739d5d2f61b87ff13",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Password-protected RAR archive",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772765799",
            "to_ids": true,
            "type": "sha256",
            "uuid": "e6aeb4d2-9639-418d-b9d7-f62f641daff2",
            "value": "293ee1fe8d36aa79cf1f64f5ddef402bc6939d229c6fca955c7b796119564779",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772765411",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "cfaa3981-a3ed-4047-8264-52591d631cef",
            "value": "6144:0lbMdHKxs+MHN4tBKRSflBe41xVxTQwwyAdWwF2bk:0ZMdQMHN4tsR2v1hTQyAdDA4"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772765411",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "b7ba257c-9d96-406a-9cdf-58e0c940b934",
            "value": "286759"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772765411",
            "to_ids": true,
            "type": "filename",
            "uuid": "1f096178-19fb-40da-bbaa-1e2b74bc52ed",
            "value": "mofa-secret-code-92,110-135_118-128.rar"
          },
          {
            "category": "Other",
            "comment": "Checked: 06/03/2026\nLast-scan\t:  05/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772765411",
            "to_ids": false,
            "type": "text",
            "uuid": "1b90b7a0-d976-4e7c-ab62-4995be3de9c7",
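            "value": "Password-protected RAR archive\r\nType Description: RAR\nMicrosoft: None\nVT Total Detection:0/63\nFirst Submission:2026-01-28T10:07:48.000000+00:00\nLast Submission:2026-01-28T10:07:48.000000+00:00\nNote: the archive is password-protected, so scanning engines likely could not inspect its contents; the 0/63 result should not be read as the file being benign."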
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772766861",
        "uuid": "574f7744-95f4-4120-a7fc-a05f5f9ef9bc",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "ZIP archive containing Attack Chain 2 (GHOSTFORM)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772766861",
            "to_ids": true,
            "type": "md5",
            "uuid": "f7253b21-0eb7-40ea-b307-d10e3d8041f2",
            "value": "a7561eb023bb2c4025defcfe758d8ac2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ZIP archive containing Attack Chain 2 (GHOSTFORM)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772765800",
            "to_ids": true,
            "type": "sha1",
            "uuid": "b1a30060-5980-4ed2-9780-a291084cdac2",
            "value": "df04e36c106691f9fe88e5798e4ae86438bd4f1d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "ZIP archive containing Attack Chain 2 (GHOSTFORM)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772765800",
            "to_ids": true,
            "type": "sha256",
            "uuid": "a7aecabd-a671-422d-91ef-4a484b45e863",
            "value": "eb5b7275c41de8e98d72696eeac9cba3719f334f8e7974e6b8760ece820b1d0c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772765433",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "f9df7999-3873-43d7-aa99-86cc28dd85dd",
            "value": "6144:OUAqfEqI434BMoJYgqkC9EfdDpQkqk9Nw/JH99djT5IRei7mYxLV3:OYfEPkfgqb9EvZTkJH9/j+ReiLX"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772765433",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "c45dc41e-747e-435d-a2a1-49663b0c3064",
            "value": "296703"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772765433",
            "to_ids": true,
            "type": "filename",
            "uuid": "2ecc100f-8047-40e6-9932-0da4b4ae2bf5",
            "value": "mofaSurvey_20_30_oct.zip"
          },
          {
            "category": "Other",
            "comment": "Checked: 06/03/2026\nLast-scan\t:  06/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772765433",
            "to_ids": false,
            "type": "text",
            "uuid": "f2d7f60e-fd1e-4e51-82e7-caf02c1e92bd",
            "value": "ZIP archive containing Attack Chain 2 (GHOSTFORM)\r\nType Description: ZIP\nMicrosoft: None\nVT Total Detection:25/65\nFirst Submission:2025-11-19T10:53:19.000000+00:00\nLast Submission:2025-11-19T10:53:19.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772766882",
        "uuid": "f27edd2d-08ed-4ee2-8bc4-3f03548d6e10",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Attack Chain 2 (GHOSTFORM)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772766882",
            "to_ids": true,
            "type": "md5",
            "uuid": "bc925b27-5134-413f-b838-86ea2e9ba0f3",
            "value": "b19add5ccaa17a1308993e6f3f786b06",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Attack Chain 2 (GHOSTFORM)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772765801",
            "to_ids": true,
            "type": "sha1",
            "uuid": "dda31f48-d1e6-4385-9621-77abfbd5f6fe",
            "value": "51a746c85bd486f223130173b7e674379a51b694",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Attack Chain 2 (GHOSTFORM)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772765801",
            "to_ids": true,
            "type": "sha256",
            "uuid": "4881027e-ba9a-4c6a-9fb1-c51f7100162f",
            "value": "69294ad90aeb7f05e501e7191c95beb14e23da5587dd75557c867e2944a57fdc",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772765477",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "7d8e0b30-7224-4d91-a681-f89d120c3fb9",
            "value": "1536:ABIp45Aje/Jij+zHRJQC5bffBffHfffazx2M:rpOi9ARJQC5bffBffHfff0x2M"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772765477",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "e2a98c64-0ec0-42bb-8961-b00522649f26",
            "value": "272384"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772765477",
            "to_ids": true,
            "type": "vhash",
            "uuid": "f0e4b468-9750-4261-95b3-0b83b8e8912e",
            "value": "225036551511a0862e244025"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772765477",
            "to_ids": true,
            "type": "filename",
            "uuid": "9121e2ba-c94d-4bcd-82e7-f4cfc3d27b5d",
            "value": "RiroDiog.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 06/03/2026\nLast-scan\t:  05/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772765477",
            "to_ids": false,
            "type": "text",
            "uuid": "6f4c6ab5-7632-476d-b515-05a20b0d6d6e",
            "value": "Attack Chain 2 (GHOSTFORM)\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Malgent!MSR\nVT Total Detection:40/72\nFirst Submission:2026-01-11T04:19:41.000000+00:00\nLast Submission:2026-03-03T03:48:30.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772766904",
        "uuid": "c826c111-e290-4ce8-90a5-8478654077bc",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Password-protected RAR archive",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772766904",
            "to_ids": true,
            "type": "md5",
            "uuid": "74893ead-f79c-4920-980f-0468069be1be",
            "value": "b8254efd859f5420f1ce4060e4796c08",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Password-protected RAR archive",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772765801",
            "to_ids": true,
            "type": "sha1",
            "uuid": "0dc69f34-35bb-48c8-b6d7-33778a0d44b2",
            "value": "8621be9e1aa730d1ac8eb06fa8f66d9da70ff293",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Password-protected RAR archive",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772765802",
            "to_ids": true,
            "type": "sha256",
            "uuid": "d0dc6ebc-47a4-4eec-9119-69ec2d510fc1",
            "value": "903f7869a94d88d43b9140bb656f7bb86ef725efc78ef2ff9d12fd7c7c2aca74",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772765498",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "4189d21e-af37-4a27-bc0b-c7d9a1993e10",
            "value": "49152:zt9V93kNnA47aMoD4fLfFYoBZTrfMnOftl1H1P7135M39bW6dO4XxrMZsQQSdKa:b7kNAArLBhrfSOftDH1PM3NW3ImZsQQI"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772765498",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "fadfeea0-381c-4778-b6e2-12de2886c878",
            "value": "3180718"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772765498",
            "to_ids": true,
            "type": "filename",
            "uuid": "48f0a65e-5d28-4ae2-ba2a-fc67609524c5",
            "value": "mofa-Network-code"
          },
          {
            "category": "Other",
            "comment": "Checked: 06/03/2026\nLast-scan\t:  05/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772765498",
            "to_ids": false,
            "type": "text",
            "uuid": "d31edeea-caac-47eb-a7c6-437507d9c5bf",
            "value": "Password-protected RAR archive\r\nType Description: RAR\nMicrosoft: None\nVT Total Detection:0/63\nFirst Submission:2026-02-11T10:20:01.000000+00:00\nLast Submission:2026-02-11T10:20:01.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772766925",
        "uuid": "12bc1ef2-2583-4eae-bb45-8b6d5ae47f2d",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Attack Chain 2 (GHOSTFORM)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772766925",
            "to_ids": true,
            "type": "md5",
            "uuid": "04f62e71-2edc-48f2-ba17-16fb1f0b2d6c",
            "value": "d5ddf40ba2506c57d3087d032d733e08",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Attack Chain 2 (GHOSTFORM)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772765802",
            "to_ids": true,
            "type": "sha1",
            "uuid": "61111287-3589-4733-8d20-36c7cb017ce8",
            "value": "682c043443cb81b6c2fde8c5df43333f5d1fec53",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Attack Chain 2 (GHOSTFORM)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772765802",
            "to_ids": true,
            "type": "sha256",
            "uuid": "c74d9d7a-bc28-40e3-8cf3-b26079cefecb",
            "value": "797325b3c8a9356dcace75d93cb5cfb7847d2049c66772d4cc2cee821618cb96",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772765521",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "860a12ee-25ce-474f-8a1a-b42073ff1f0f",
            "value": "6144:fg2uCInHLhJI4FY/ixjci6ychf8xalGQGtSV41kJDsTDDpBnse6OVxLV/W:fgEQL32ikCaUS4csRBse6sfW"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772765521",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "74d94848-59f1-491a-9bf4-85f5cfbcf088",
            "value": "497664"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1772765521",
            "to_ids": true,
            "type": "vhash",
            "uuid": "5d636e82-62bc-4b88-a24d-afe7baaa7f98",
            "value": "245036651514b01037f57ea52033"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772765521",
            "to_ids": true,
            "type": "filename",
            "uuid": "2e023182-0da3-419b-bf60-67d5b858a4d8",
            "value": "lecGen.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 06/03/2026\nLast-scan\t:  05/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772765521",
            "to_ids": false,
            "type": "text",
            "uuid": "bc935c4b-20b5-47c9-a83c-b0a2e4fb0d75",
            "value": "Attack Chain 2 (GHOSTFORM)\r\nType Description: Win32 EXE\nMicrosoft: Trojan:Win32/Malgent!MSR\nVT Total Detection:46/72\nFirst Submission:2026-01-28T11:55:45.000000+00:00\nLast Submission:2026-03-02T20:09:36.000000+00:00"
          }
        ]
      }
    ]
  }
}