{
  "Event": {
    "analysis": "1",
    "date": "2026-05-05",
    "extends_uuid": "",
    "info": "[Threat Intel] Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader",
    "protected": false,
    "publish_timestamp": "1779546557",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1779546556",
    "uuid": "f4b731dc-f335-424d-883c-086d4f415791",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#6dbaba",
        "local": false,
        "name": "misp-galaxy:producer=\"Zscaler\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#d3f567",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"JavaScript - T1059.007\"",
        "relationship_type": ""
      },
      {
        "colour": "#ed66f6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Steal Web Session Cookie - T1539\"",
        "relationship_type": ""
      },
      {
        "colour": "#838eb9",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Keychain - T1555.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#47d9d3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#2c1d2e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Checks - T1497.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#7eb739",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Msiexec - T1218.007\"",
        "relationship_type": ""
      },
      {
        "colour": "#68f2ff",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"",
        "relationship_type": ""
      },
      {
        "colour": "#e7d11f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Private Keys - T1552.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#c84641",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"GUI Input Capture - T1056.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#7628f7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Unix Shell - T1059.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#e43954",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#d596aa",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Compromise Software Supply Chain - T1195.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#02475d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Command Shell - T1059.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e1e63b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Remcos\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#18005c",
        "local": false,
        "name": "rectifyq:topic=\"ai\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778065211",
        "to_ids": false,
        "type": "link",
        "uuid": "6901526f-e53b-4eaa-90fd-c81c2d50bb00",
        "value": "https://www.zscaler.com/blogs/security-research/malicious-openclaw-skill-distributes-remcos-rat-and-ghostloader"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778065211",
        "to_ids": false,
        "type": "text",
        "uuid": "d62bc6e7-aeb5-4b49-b05b-cd73672f7f13",
        "value": "In March 2026, threat actors weaponized the OpenClaw AI agent framework by publishing a deceptive \"DeepSeek-Claw\" skill. This skill embedded malicious installation instructions designed to trick AI agents and developers into executing hidden payloads. On Windows systems, a PowerShell command downloads an MSI package containing a legitimate signed GoToMeeting executable that sideloads a malicious DLL. This loader patches ETW and AMSI for evasion, then decrypts and executes Remcos RAT using TEA encryption, enabling remote access and data theft including keylogging and cookie stealing. An alternate execution path for macOS and Linux delivers GhostLoader through obfuscated Node.js scripts, harvesting credentials via fake sudo prompts and exfiltrating SSH keys, cryptocurrency wallets, and cloud API tokens. This campaign represents an emerging threat vector exploiting autonomous AI workflows and developer trust in open-source frameworks."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778065211",
        "to_ids": false,
        "type": "text",
        "uuid": "95607120-6bf4-41b1-af41-88aadc9a7a89",
        "value": "Name: Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader\nAuthor: AlienVault\nAdversary: \nTags: [\"remcos\", \"ghostloader\", \"deepseek-claw\", \"openclaw\"]\nTgtd countries: []\nMlwr families: [\"Remcos\", \"GhostLoader\"]\nAttack_ids: [\"T1059.007\", \"T1539\", \"T1555.001\", \"T1204.002\", \"T1497.001\", \"T1218.007\", \"T1005\", \"T1552.004\", \"T1056.002\", \"T1059.004\", \"T1562.001\", \"T1027\", \"T1195.002\", \"T1059.003\", \"T1071.001\", \"T1574.002\"]\nIndustries: []"
      },
      {
        "category": "Network activity",
        "comment": "MSI download URL",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778899475",
        "to_ids": true,
        "type": "domain",
        "uuid": "5ac3b778-4f39-414d-905b-4a4403b1f401",
        "value": "dropras.xyz",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "GhostLoader C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778899496",
        "to_ids": true,
        "type": "domain",
        "uuid": "28583d3f-ee68-494e-93de-8537827797ca",
        "value": "trackpipe.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Remcos RAT. No sample in VT\r\nLast check: 16/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779546556",
        "to_ids": true,
        "type": "md5",
        "uuid": "85b81c50-316e-4189-b758-5c9c4eb43eef",
        "value": "2c4b7c8b48e6b4e5f3e8854f2abfedb5",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "licence_key",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778893531",
        "to_ids": true,
        "type": "other",
        "uuid": "b3335832-8119-4e9a-adf0-05db291e5df4",
        "value": "82536825e700f4c863238a90dd314687"
      },
      {
        "category": "Network activity",
        "comment": "MSI download URL",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778899519",
        "to_ids": true,
        "type": "url",
        "uuid": "9ba66e99-5803-47e0-9095-24365520eb2a",
        "value": "http://dropras.xyz/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "MSI download URL",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778899540",
        "to_ids": true,
        "type": "url",
        "uuid": "3aee94a5-e0be-4a94-b33d-6bac5febad92",
        "value": "https://cloudcraftshub.com/api",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "GhostLoader C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778899561",
        "to_ids": true,
        "type": "url",
        "uuid": "a5479c01-fac2-471b-9348-5fefb501a2a0",
        "value": "https://trackpipe.dev",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "MSI download URL",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778899583",
        "to_ids": true,
        "type": "domain",
        "uuid": "b33600a0-5253-42bd-bf92-a0684859658a",
        "value": "cloudcraftshub.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "GitHub repository",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778899604",
        "to_ids": true,
        "type": "url",
        "uuid": "ec4d4e07-004f-4af1-8c5a-9396168fbc82",
        "value": "https://github.com/Needvainverter93/deepseek-claw",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Remcos C2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778893477",
        "to_ids": true,
        "type": "ip-dst|port",
        "uuid": "214e65d4-43a0-4002-ae45-44e52cfbe106",
        "value": "146.19.24.131|2404"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546549",
        "uuid": "14ffc59d-7f01-42b8-bece-5d1233130296",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "\u201cDeepseek-Claw\u201d named OpenClaw Skill",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546548",
            "to_ids": true,
            "type": "md5",
            "uuid": "587ef0d7-a2b0-47d5-8626-7a07cc2e4556",
            "value": "1c267cab0a800a7b2d598bc1b112d5ce",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "\u201cDeepseek-Claw\u201d named OpenClaw Skill",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546549",
            "to_ids": true,
            "type": "sha1",
            "uuid": "637c333d-1ce6-4439-a5b0-167478582de0",
            "value": "d2e44f083ff9a1e91e6312c7b5b14ffeb960cab0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "\u201cDeepseek-Claw\u201d named OpenClaw Skill",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546549",
            "to_ids": true,
            "type": "sha256",
            "uuid": "a5e1836a-436e-47e4-8461-3c6a9d147c71",
            "value": "b1958fdd306b160b10b2f63d7536fe747bf714ac5ea07b229c9bbc6fb9484013",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778896547",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "d70c07ef-eb70-44d5-98aa-186833745536",
            "value": "768:1DzSNeHTNAl6j9EDN52X5jC4P1Xs2/75I9bhW7Tu+Dq5NeCxEhTQYVq7dj/rAI:1DzSNF+aDN0B3P1Xft2Ym+DKHxqQdV"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778896547",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "f66e0ece-8d03-40f9-803b-00eaf9bed3f1",
            "value": "44836"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778896547",
            "to_ids": true,
            "type": "vhash",
            "uuid": "3718b546-c199-45b7-a1a7-f8a423385cc1",
            "value": "297388d050b79a41bd05465534cc814a"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778896547",
            "to_ids": true,
            "type": "filename",
            "uuid": "81061479-5eac-4fbc-b8b1-4f39a2aff1b8",
            "value": "skill.zip"
          },
          {
            "category": "Other",
            "comment": "Checked: 16/05/2026\nLast-scan: 16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778896547",
            "to_ids": false,
            "type": "text",
            "uuid": "fdcf1363-7eaf-44a6-a099-bbe757ab2eb4",
            "value": "\u201cDeepseek-Claw\u201d named OpenClaw Skill\r\nType Description: ZIP\nMicrosoft: None\nVT Total Detection:27/66\nFirst Submission:2026-03-12T23:20:16.000000+00:00\nLast Submission:2026-03-12T23:20:16.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546552",
        "uuid": "c09bb51e-aad9-493a-aa02-af24a5cd7fde",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "MSI Installer",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546551",
            "to_ids": true,
            "type": "md5",
            "uuid": "9ce40142-da67-4f1b-a024-a184ca7f55d9",
            "value": "2a5f619c966ef79f4586a433e3d5e7ba",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "MSI Installer",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546551",
            "to_ids": true,
            "type": "sha1",
            "uuid": "2e487671-f01f-405f-a500-5dee96e287fd",
            "value": "470c3803bd5a4770eb5470a84a831f187f591c64",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "MSI Installer",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546552",
            "to_ids": true,
            "type": "sha256",
            "uuid": "68f56bec-e72a-491e-8f61-4337b0213b06",
            "value": "0d3ca4872e757fa406c10aa6893e831c2aaadce0687537d14fdce1702517b2d0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778896569",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "0e6b41c9-2379-40b3-9615-68edc29962e9",
            "value": "12288:QgoRfJH3qE/Nj6h000G3AzxZAAqu7H1rI5vo5eqVlI1Z:QgoRfJH39NjS90GUxZAAqAH1rIarU"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778896569",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "1d2e870f-c2e1-4525-8c1c-de8475ac78a6",
            "value": "663552"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778896569",
            "to_ids": true,
            "type": "vhash",
            "uuid": "0461a59a-17b7-4b2e-8ad6-e27fdc549527",
            "value": "32fe66a890dbb4ef39f48ef6ec4a5e8d"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778896569",
            "to_ids": true,
            "type": "filename",
            "uuid": "cee384c5-79b5-49ad-92eb-548b6afadc9c",
            "value": "dropras.msi"
          },
          {
            "category": "Other",
            "comment": "Checked: 16/05/2026\nLast-scan: 16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778896569",
            "to_ids": false,
            "type": "text",
            "uuid": "f9354875-43b4-4bbf-a19c-f03d6cbb0eb2",
            "value": "MSI Installer\r\nType Description: %WINDIR%\\Installer\nMicrosoft: None\nVT Total Detection:13/62\nFirst Submission:2026-02-13T04:20:00.000000+00:00\nLast Submission:2026-03-15T05:42:23.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546554",
        "uuid": "08699d15-b9a4-4bde-87b7-68da03837879",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Shellcode loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546554",
            "to_ids": true,
            "type": "md5",
            "uuid": "b81a4502-e683-4508-9736-220bf4c85673",
            "value": "cc1af839a956c8e2bf8e721f5d3b7373",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Shellcode loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546554",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e4c5c7a0-0a6e-4536-ade6-f9a81c395301",
            "value": "ee4aa25f9c7129a0a88b2e13826009591a8ea59d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Shellcode loader",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546554",
            "to_ids": true,
            "type": "sha256",
            "uuid": "47378dd4-ebff-4a12-b6a1-9656a274cc39",
            "value": "670ba1799495280dc9f300e5b320b1ba49f2f8d324a411a72e0fcabcd29b071a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778896612",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "58998814-382e-4e1a-b56c-dc478c0c431f",
            "value": "12288:cK8BRzsTulkmivko4PqwGjqu/NA6p00Ua3MpxZANPuWH1rp5vg5+:Z8BRzsTulkmi8oDNjhNAQ9UaUxZANPzH"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778896612",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "a53cda50-dd62-4c16-a2dc-bfd2752c24a6",
            "value": "681984"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778896612",
            "to_ids": true,
            "type": "vhash",
            "uuid": "c63d58ee-c278-45bd-b037-f3739c310c3c",
            "value": "165056655d75156028z57nz9ez2"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778896612",
            "to_ids": true,
            "type": "filename",
            "uuid": "a3632c2d-fd19-4baf-be3f-b1895ccdcc55",
            "value": "DllPayload"
          },
          {
            "category": "Other",
            "comment": "Checked: 16/05/2026\nLast-scan: 16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778896612",
            "to_ids": false,
            "type": "text",
            "uuid": "c27352b1-0a1c-4af0-a049-db6d9664f53e",
            "value": "Shellcode loader\r\nType Description: Win32 DLL\nMicrosoft: Trojan:Win32/Malgent.LTSN!MTB\nVT Total Detection:44/71\nFirst Submission:2026-02-13T04:20:50.000000+00:00\nLast Submission:2026-03-31T04:00:48.000000+00:00"
          }
        ]
      }
    ]
  }
}