{ "Event": { "analysis": "1", "date": "2026-04-06", "extends_uuid": "", "info": "[Threat Intel] Unit42: Understanding Current Threats to Kubernetes Environments", "protected": false, "publish_timestamp": "1775975069", "published": true, "threat_level_id": "3", "timestamp": "1775975069", "uuid": "eb8b91c2-22d7-4ef6-806b-1c7464e0b8d6", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#0afe32", "local": false, "name": "misp-galaxy:producer=\"Palo Alto\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-original-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#f5a258", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Native API - T1106\"", "relationship_type": "" }, { "colour": "#75ec20", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Masquerading - T1036\"", "relationship_type": "" }, { "colour": "#71ecdb", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Account Manipulation - T1098\"", "relationship_type": "" }, { "colour": "#20f80d", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\"", "relationship_type": "" }, { "colour": "#d0c0c7", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Escape to Host - T1611\"", "relationship_type": "" }, { "colour": "#fdd85e", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Access Token Manipulation - T1134\"", "relationship_type": "" }, { "colour": "#43c8db", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"", "relationship_type": "" }, { "colour": "#59699c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"", "relationship_type": "" }, { "colour": "#690e1a", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Container and Resource Discovery - T1613\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#150050", "local": false, "name": "rectifyq:sub-category=\"report\"", "relationship_type": "" }, { "colour": "#1b0068", "local": false, "name": "rectifyq:topic=\"cloud\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#55acee", "local": false, "name": "rectifyq:MY-relevancy=\"potentially-relevant\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:threat-actor=\"Lazarus Group\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:threat-actor=\"TraderTraitor\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775559607", "to_ids": false, "type": "link", "uuid": "94a8f97b-ea93-4284-89b1-477723edc004", "value": "https://unit42.paloaltonetworks.com/modern-kubernetes-threats/" }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1775559607", "to_ids": false, "type": "text", "uuid": "dd67bdad-784c-4c75-a8e7-d378771e8a17", "value": "Palo Alto Networks Unit 42 explains that Kubernetes has become a prime target for attackers as its adoption accelerates in enterprise environments. Their research shows a sharp rise in Kubernetes-related malicious activity, driven less by classic container escape techniques and more by identity abuse and exposed application surfaces. Threat actors commonly gain initial access through misconfigurations or newly disclosed vulnerabilities, then steal Kubernetes service account tokens mounted inside compromised containers. With these identities, attackers can escalate privileges, move laterally across clusters and cloud services, and reach highly sensitive backend systems, making Kubernetes an effective pivot point into broader cloud infrastructure." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1775559607", "to_ids": false, "type": "text", "uuid": "e736ace3-ad3a-4bf5-9416-2c8d1254cfed", "value": "Name: Unit42: Understanding Current Threats to Kubernetes Environments\nAuthor: AlienVault\nAdversary: \nTags: [\"React2Shell\", \"Kubernetes\"]\nTgtd countries: []\nMlwr families: []\nAttack_ids: [\"T1106\", \"T1036\", \"T1098\", \"T1059\", \"T1611\", \"T1134\", \"T1055\", \"T1078\", \"T1613\"]\nIndustries: []" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775559607", "to_ids": false, "type": "vulnerability", "uuid": "44fd5bce-084d-49f5-aecd-0255b21bde5a", "value": "CVE-2025-55182" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775559607", "to_ids": false, "type": "vulnerability", "uuid": "e351321b-0c96-452d-8f3a-ae66e2f6a902", "value": "CVE-2026-1731" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775974612", "to_ids": true, "type": "ip-dst", "uuid": "d971ff41-b34b-45c1-8c6e-c6cd6221d2a1", "value": "23.235.188.3", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "IOC-description:CC=SG ASN=AS20473 the constant company llc", "deleted": false, "disable_correlation": false, "timestamp": "1775974633", "to_ids": true, "type": "ip-dst", "uuid": "82c513f3-cc59-417e-b7ad-fa49c02fa374", "value": "45.76.155.14", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775974654", "to_ids": true, "type": "url", "uuid": "9a63510c-1ee2-4d22-8125-af98d26ca0d7", "value": "http://45.76.155.14/vim", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775974676", "to_ids": true, "type": "url", "uuid": "b1f6a4b9-0cb3-4a9a-9cf6-6e8b3e051789", "value": "http://104.238.149.198:12349/BVN0VEdddye5odDFVR", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1775974697", "to_ids": true, "type": "ip-dst", "uuid": "50fc1477-6ac9-4fea-bf9d-22b342a76d87", "value": "104.238.149.198", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1775974718", "uuid": "eb76c4f9-7679-4f69-aa03-cda228459ccf", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1775974718", "to_ids": true, "type": "md5", "uuid": "d56043fc-8819-45a6-9fa3-4b8a8f519724", "value": "2c1d348131c4e3e1cb00002f226bad7e", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1775973341", "to_ids": true, "type": "sha1", "uuid": "961c15f4-7146-4d69-856f-233aa2f2ba93", "value": "9cdbc16912dcf188a0f0765ac21777b23b4b2bea", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1775973342", "to_ids": true, "type": "sha256", "uuid": "7c15cbc6-db1b-4073-8719-82118b872001", "value": "05eac3663d47a29da0d32f67e10d161f831138e10958dcd88b9dc97038948f69", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1775973145", "to_ids": true, "type": "ssdeep", "uuid": "b62d3aea-9b45-4ae5-89aa-c889b3f90759", "value": "49152:Z2gRqAB+cSk8C4VFYG5ANKEEJlX8y5d0xTK0UhA:ZDBgcIJ6zslRgKu" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1775973145", "to_ids": false, "type": "size-in-bytes", "uuid": "a75ad927-3109-4365-b5c5-39e5a5ae6d88", "value": "1972664" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1775973145", "to_ids": true, "type": "vhash", "uuid": "fbfcddae-2c4b-49f6-a116-f61b57a96c23", "value": "682f5ba59f72a75bd7b0489346d67781" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1775973145", "to_ids": true, "type": "filename", "uuid": "d1c3e3ec-b921-4b3d-a6d1-35b05f952b9f", "value": "su4da2x.exe" }, { "category": "Other", "comment": "Checked: 12/04/2026\nLast-scan\t: 10/04/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1775973145", "to_ids": false, "type": "text", "uuid": "61736a93-c613-4422-a8c2-92be6f1717e6", "value": "Type Description: ELF\nMicrosoft: Trojan:Linux/ShyCobra.C!dha\nVT Total Detection:37/65\nFirst Submission:2025-12-10T06:25:44.000000+00:00\nLast Submission:2025-12-10T06:25:44.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1775974739", "uuid": "fc74ea5d-266d-4b17-8432-0afab52683af", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1775974739", "to_ids": true, "type": "md5", "uuid": "38db3d27-7f9c-4b10-ba20-ed597b48f744", "value": "692238a56e1941b1d92df3d8dfd513eb", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1775973342", "to_ids": true, "type": "sha1", "uuid": "1ec858e2-b628-4232-9be7-192d64ef79e4", "value": "0d0c1f73a284c9f37ebb50f28573b98c825bf2f9", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1775973342", "to_ids": true, "type": "sha256", "uuid": "934bf15b-2c90-445a-a9b9-2df17839ba44", "value": "7d2c9b4a3942f6029d2de7f73723b505b64caa8e1763e4eb1f134360465185d0", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1775973167", "to_ids": true, "type": "ssdeep", "uuid": "ba0fc828-d90c-4cb7-b0fc-9173e05040a7", "value": "192:+Omf0ZUTaXeXP1tswaVOtiztdSMaVQqke3WFaVuDkgKD5pVCWbBvf2PEZDrE+Lc:9ksztdSMaVhPWFaVuDnKvIExrE+Y" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1775973167", "to_ids": false, "type": "size-in-bytes", "uuid": "7cbfdd46-2454-44ef-83e6-bbb81a3487a3", "value": "8524" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1775973167", "to_ids": true, "type": "filename", "uuid": "0240849e-52e3-4522-bd93-4f6568781065", "value": "proxy.sh" }, { "category": "Other", "comment": "Checked: 12/04/2026\nLast-scan\t: 10/04/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1775973167", "to_ids": false, "type": "text", "uuid": "29fb45da-312f-401b-96f3-ac9c01fbb7d6", "value": "Type Description: Shell script\nMicrosoft: Trojan:Script/Multiverze!rfn\nVT Total Detection:26/62\nFirst Submission:2025-12-14T10:53:17.000000+00:00\nLast Submission:2025-12-14T18:28:17.000000+00:00" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1775974760", "uuid": "d95c1e12-17c2-404e-b8a0-1393ac1cd5a6", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1775974760", "to_ids": true, "type": "md5", "uuid": "4c951fad-ea6c-4a94-9f96-fe6a936b710d", "value": "844ec243d0edcaa952a9700ef53d2611", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1775973343", "to_ids": true, "type": "sha1", "uuid": "e189b324-6985-49e8-a8ab-4c3a8fb11888", "value": "5bbc39d8de861843050100d09c8dcbc37ab238bd", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1775973343", "to_ids": true, "type": "sha256", "uuid": "dab10cf3-b232-40ec-9927-291673d78aa0", "value": "bb470a803b6d7b12fb596d2e4a18ea9ca91f40fd34ded7f01a487eed9a1d814d", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1775973188", "to_ids": true, "type": "ssdeep", "uuid": "667e1ac0-8e62-4f5d-9185-d66a3352ed8f", "value": "48:yUxeHlBcFEAa1xnNXm8qTs3GOY2ev/Q38qBdRd4d:Rmc4e42j+3tdM" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1775973188", "to_ids": false, "type": "size-in-bytes", "uuid": "945af5ea-3f80-44a7-a21a-6006d6802de8", "value": "2277" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1775973188", "to_ids": true, "type": "filename", "uuid": "72dda0bb-4fc1-4f73-a24f-c7fe0cf1cbe6", "value": "kube.py" }, { "category": "Other", "comment": "Checked: 12/04/2026\nLast-scan\t: 10/04/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1775973188", "to_ids": false, "type": "text", "uuid": "a1af577f-6b73-497d-921d-00eef4b07550", "value": "Type Description: Python\nMicrosoft: None\nVT Total Detection:27/63\nFirst Submission:2026-02-03T22:05:52.000000+00:00\nLast Submission:2026-02-03T22:05:52.000000+00:00" } ] } ] } }