{
  "Event": {
    "analysis": "1",
    "date": "2026-05-14",
    "extends_uuid": "",
    "info": "[Threat Intel] Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities",
    "protected": false,
    "publish_timestamp": "1779596345",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1779596345",
    "uuid": "fbb6cb43-042c-4d70-99d5-c92d71587c91",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#7c6ad9",
        "local": false,
        "name": "misp-galaxy:producer=\"Cisco Talos Intelligence Group\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#f28fb8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"OS Credential Dumping - T1003\"",
        "relationship_type": ""
      },
      {
        "colour": "#0ee843",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Cloud Instance Metadata API - T1552.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#aad818",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"SSH - T1021.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#68f2ff",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"",
        "relationship_type": ""
      },
      {
        "colour": "#9feaf0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"",
        "relationship_type": ""
      },
      {
        "colour": "#fe1ef0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Shell - T1505.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#adf1b0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Proxy - T1090\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c0051",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#f95f85",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials In Files - T1552.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#71ecdb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Account Manipulation - T1098\"",
        "relationship_type": ""
      },
      {
        "colour": "#7628f7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Unix Shell - T1059.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#e43954",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#59699c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#356c41",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"",
        "relationship_type": ""
      },
      {
        "colour": "#57b2ae",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Resource Hijacking - T1496\"",
        "relationship_type": ""
      },
      {
        "colour": "#30cc3b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File Deletion - T1070.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#f055aa",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Create Account - T1136\"",
        "relationship_type": ""
      },
      {
        "colour": "#3970d7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote System Discovery - T1018\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"vulnerability\"",
        "relationship_type": ""
      },
      {
        "colour": "#170057",
        "local": false,
        "name": "rectifyq:sub-category=\"critical-vuln\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#220082",
        "local": false,
        "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778900416",
        "to_ids": false,
        "type": "link",
        "uuid": "07b4c25d-2802-4df2-bf40-8224400d1426",
        "value": "https://blog.talosintelligence.com/sd-wan-ongoing-exploitation/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778900416",
        "to_ids": false,
        "type": "text",
        "uuid": "d2f75167-d581-4398-b836-511a52f76e1d",
        "value": "Cisco Talos is tracking active exploitation of CVE-2026-20182, an authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and Manager that allows remote attackers to obtain administrative privileges. The exploitation is attributed to UAT-8616, a sophisticated threat actor previously involved in similar attacks. Additionally, multiple threat clusters have been exploiting CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 since March 2026, following the public release of proof-of-concept code by ZeroZenX Labs. Post-compromise activity involves deploying various webshells, including XenShell, Godzilla, and Behinder variants, as well as cryptocurrency miners, red team frameworks such as Sliver and AdaptixC2, and credential stealers. Ten distinct threat clusters have been identified, each using different malicious tooling and infrastructure. Affected systems require immediate patching and security measures."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778900416",
        "to_ids": false,
        "type": "text",
        "uuid": "304450a2-df03-44e5-b1eb-93a40367a8c4",
        "value": "Name: Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities\nAuthor: AlienVault\nAdversary: UAT-8616\nTags: [\"sd-wan\", \"sliver\", \"godzilla\", \"adaptixc2\", \"cryptocurrency mining\", \"behinder\", \"webshells\", \"xmrig\", \"cve-2026-20128\", \"cve-2026-20133\", \"xenshell\", \"credential theft\", \"gsocket\", \"cisco\", \"authentication bypass\", \"nimplant\", \"cve-2026-20182\", \"cve-2026-20122\", \"kscan\", \"cve-2026-20127\"]\nTgtd countries: []\nMlwr families: [\"XenShell\", \"Godzilla\", \"Behinder\", \"Sliver\", \"AdaptixC2\", \"XMRig\", \"Nimplant\", \"KScan\", \"gsocket\"]\nAttack_ids: [\"T1003\", \"T1552.005\", \"T1021.004\", \"T1005\", \"T1190\", \"T1505.003\", \"T1090\", \"T1083\", \"T1552.001\", \"T1098\", \"T1059.004\", \"T1562.001\", \"T1078\", \"T1027\", \"T1573\", \"T1496\", \"T1070.004\", \"T1071.001\", \"T1136\", \"T1018\"]\nIndustries: []"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778900416",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "b2957bd4-1264-4c53-b657-be45d3a3e890",
        "value": "UAT-8616"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778900416",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "2fc72676-9682-407f-b7bb-38e62f8a79aa",
        "value": "CVE-2025-20333"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778900416",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "742979db-9b91-4de3-b7d8-1f3b369f9adc",
        "value": "CVE-2025-20362"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593253",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "173f1cb5-bfe7-4fd4-a700-038e744b7846",
        "value": "176.65.139.31",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778900416",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "5fe262dd-5816-4c0b-ad0f-5f4c776fe751",
        "value": "CVE-2026-20127"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778900416",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "ed757087-671f-43c8-b85f-168e2268bc71",
        "value": "CVE-2026-20122"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778900416",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "711ab3dd-1f76-4f60-866a-41a8a028f2b7",
        "value": "CVE-2026-20128"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778900416",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "6889a16b-e62c-4599-9c30-4ed0380bd7f5",
        "value": "CVE-2026-20133"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593275",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "2b7b2736-5558-45b7-b328-e29926affae1",
        "value": "38.181.52.89",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593296",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "79582883-b5cd-4d4f-a957-0dbc14d6867b",
        "value": "47.104.248.7",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778900416",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "b03403b9-ca2c-40c5-b41d-086965928e68",
        "value": "CVE-2026-20182"
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:24/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593088",
        "to_ids": true,
        "type": "md5",
        "uuid": "07ae2444-97af-468f-8aed-93804d717d6a",
        "value": "fece5b954e69b2c6a8d0a1029631a0d7",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:24/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593089",
        "to_ids": true,
        "type": "sha256",
        "uuid": "8151d63c-8038-4eff-9fbe-a8a834ca356f",
        "value": "0c87871642f84e09e8d3fb23ec36bf55601323e31151a7017a85dbec929cf15d",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:24/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593090",
        "to_ids": true,
        "type": "sha256",
        "uuid": "069d2229-a666-4bb8-b3c5-bcae701f4100",
        "value": "0ed72d52347bfe4a78afff8a6982a64050c8fc86d8957a20eeb3e0f3f5342ed0",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:24/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593091",
        "to_ids": true,
        "type": "sha256",
        "uuid": "419634c1-d5eb-4596-8615-7c81d396c309",
        "value": "17302d903baf182f94dc3be40ab1e0874dd0eb2ec5255bf9131fd53591efe925",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:24/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593092",
        "to_ids": true,
        "type": "sha256",
        "uuid": "f63214de-30e8-4111-aad8-235287fe8320",
        "value": "5bc5998161056b7c8f70c9724d8a63abc7ff8c3843b91c30cffab0899e39b7f8",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:24/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593093",
        "to_ids": true,
        "type": "sha256",
        "uuid": "9a8115d8-05c3-44cb-be84-bc598dc41965",
        "value": "72f570ce97de3eaaffef33d90b0c337a153fc9690cc34ee207b557d868360060",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:24/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593093",
        "to_ids": true,
        "type": "sha256",
        "uuid": "99cc8338-2fc9-47eb-88f3-126500d04bd6",
        "value": "7aa88a64a527ade7d93c20faf23b54f2ee33ad9b1246cdc2f8ded2ab639affb1",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:24/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593094",
        "to_ids": true,
        "type": "sha256",
        "uuid": "8567cf4f-05d3-45a6-92fa-f89378fd15bb",
        "value": "b0f51b098842cd630097b462aab0ec357e2c7824af37cca6d08165265da2c2d3",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:24/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593095",
        "to_ids": true,
        "type": "sha256",
        "uuid": "88fe5efb-a5e6-49dc-979f-4789d4ddde5a",
        "value": "f6f8e0d790645395188fc521039385b7c4f42fa8b426fd035f489f6cda9b5da1",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593318",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "f8eb6475-5be6-41ee-9acf-4626caec32b7",
        "value": "104.233.156.1",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593339",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "44ef6b3d-f102-40f6-85b9-2084f3f83ceb",
        "value": "23.27.143.170",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593360",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "c3f3cbb2-ef56-46b2-ba50-48bbf0e94614",
        "value": "38.60.214.92",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593381",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "4c2a3b4e-97ab-4f97-ad58-e5e0c27862ab",
        "value": "71.80.85.135",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593402",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "964144cc-7848-4de8-90e3-9536e0b647e7",
        "value": "83.229.126.195",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593424",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "2c7c1c7f-7e69-4d68-872e-b941fdb8693c",
        "value": "89.125.244.33",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593445",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "53c70437-e8e3-4cdc-9faa-10ad64ae8663",
        "value": "89.125.244.51",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593466",
        "to_ids": true,
        "type": "url",
        "uuid": "dae757d9-c17b-4b07-8305-1d26183f54ed",
        "value": "http://83.229.126.195:8081/config.json",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593487",
        "to_ids": true,
        "type": "url",
        "uuid": "db78e15a-f0d8-4451-83ed-4334a642df60",
        "value": "https://1a820b09-95ba-44eb-b350-417e8241b725-00-1lgwuuen9b77p.worf.replit.dev/download",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593508",
        "to_ids": true,
        "type": "hostname",
        "uuid": "6d10cea8-2704-450d-ac7f-8dfec6ffcb29",
        "value": "1a820b09-95ba-44eb-b350-417e8241b725-00-1lgwuuen9b77p.worf.replit.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593529",
        "to_ids": true,
        "type": "hostname",
        "uuid": "6e808760-638a-45c7-97fc-782a73395a1d",
        "value": "a820b09-95ba-44eb-b350-417e8241b725-00-1lgwuuen9b77p.worf.replit.dev",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593550",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "bf1edc15-8a13-4e92-becd-2ea2af2b4a3f",
        "value": "212.83.162.37",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593572",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "4689b0b7-620b-41ba-8ec6-3766de4b0444",
        "value": "65.20.67.134",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593593",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "508d5540-7e7e-430c-9494-8d8fe0c379dd",
        "value": "194.233.100.40",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "On port 4445",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778981685",
        "to_ids": true,
        "type": "ip-dst|port",
        "uuid": "305508e3-32a1-402c-b34d-1821c14677ab",
        "value": "194.163.175.135|4445"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593614",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "8dc1199e-c782-4adc-99b6-47c1fb3463b5",
        "value": "194.163.175.135",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "On port 443",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593635",
        "to_ids": true,
        "type": "url",
        "uuid": "2760a64f-26fa-4481-81cd-c53d9a61c689",
        "value": "mtls://23.27.143.170",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593657",
        "to_ids": true,
        "type": "url",
        "uuid": "73798591-aba6-431a-b18f-8047ce9f55b6",
        "value": "http://83.229.126.195:8081/xmrig",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593678",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "aea03b49-e817-4e5d-98bf-fb4513176174",
        "value": "79.135.105.208",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "On port 5004 (the port is not included in the URL value, which would otherwise imply port 80)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593699",
        "to_ids": true,
        "type": "url",
        "uuid": "c155cb45-fd28-458e-a782-3879d86d96cc",
        "value": "http://13.62.52.206",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779593720",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "cb5ae033-62b1-44fd-a2b3-17b356807479",
        "value": "13.62.52.206",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779593741",
        "uuid": "15a11d5c-9e8b-4033-8edc-f56d2e3a4126",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779593741",
            "to_ids": true,
            "type": "md5",
            "uuid": "40cbf795-467e-48cd-a7dc-150e912cd79d",
            "value": "d75cb9920d1d3d280518ddccfe4789d2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593083",
            "to_ids": true,
            "type": "sha1",
            "uuid": "cf98d17e-d1e3-4649-b656-8a606a611fd5",
            "value": "18821dbb53892d6faa14b1f063517a0302057290",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593083",
            "to_ids": true,
            "type": "sha256",
            "uuid": "253a50bb-bc81-4429-a05f-c7c063442532",
            "value": "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779589948",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "8e6f5c0c-b4d8-412c-b21a-eaf68e8030ff",
            "value": "49152:T0idKbBedbWCCQZLyOgk/KszcixmYw2Y30scw+G2oT+uoNNyZlrhcSueVu7VwTCI:T0PbiWCPyOgk/pzcixmf2sp2pu/Zlr+L"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779589948",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "e2447049-63a0-44d6-91a9-1fad42c0487e",
            "value": "2833840"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779589948",
            "to_ids": true,
            "type": "vhash",
            "uuid": "436a8213-28c8-4b8d-b7d5-5147c2b7cb6d",
            "value": "ede930dca3d3f800330fd1201e95582c"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779589948",
            "to_ids": true,
            "type": "filename",
            "uuid": "a37e0b7c-6414-43e6-a847-bca394eef035",
            "value": "defunct"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  23/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779589948",
            "to_ids": false,
            "type": "text",
            "uuid": "52c12a8d-4af9-4f20-8542-ae40e7a51c77",
            "value": "Type Description: ELF\nMicrosoft: HackTool:Linux/GsNetcat.A!MTB\nVT Total Detection:41/64\nFirst Submission:2024-08-16T18:52:27.000000+00:00\nLast Submission:2026-05-23T08:33:04.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779593762",
        "uuid": "61e55611-7be0-49be-a6cb-9e79fc2e0ebd",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779593762",
            "to_ids": true,
            "type": "md5",
            "uuid": "c3277148-a181-422f-b43a-91136a89e8d0",
            "value": "cf127d66124c390ca0f0b42c6385c3c8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593085",
            "to_ids": true,
            "type": "sha1",
            "uuid": "4166c511-dd64-48af-90a6-22044000aa1b",
            "value": "01e3dce00ea45829bd9f6a583004976ac63973a0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593085",
            "to_ids": true,
            "type": "sha256",
            "uuid": "111e2ccc-23ed-48c2-91b1-482ecef4ca13",
            "value": "96fc528ca5e7d1c2b3add5e31b8797cb126f704976c8fbeaecdbf0aa4309ad46",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779589970",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "3b0db6b1-eda5-41a9-973e-fff7ee90dc45",
            "value": "98304:nEmfCLfqpp1Si7ukqzX0WtP7cmNfCADtExRPERsbKP+gKTowL+TBOMV9qg2glMy2:CissbKWmTLJMmtNpfD+I/Ay+"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779589970",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "1cb580b7-0182-4be3-8ba3-2f89e9869db9",
            "value": "8334576"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779589970",
            "to_ids": true,
            "type": "vhash",
            "uuid": "5c417ae8-4974-44a2-9e48-5a3704a6189f",
            "value": "2aba7b5117383e28704df982a389e959"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779589970",
            "to_ids": true,
            "type": "filename",
            "uuid": "7c84bda4-86d2-46c5-b3ea-65ef54ad527d",
            "value": "xmrig"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  24/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779589970",
            "to_ids": false,
            "type": "text",
            "uuid": "991bdf0a-94ce-4b45-9d79-78b3dfb536e2",
            "value": "Type Description: ELF\nMicrosoft: Trojan:Linux/CoinMiner.C12\nVT Total Detection:38/64\nFirst Submission:2025-12-26T01:22:42.000000+00:00\nLast Submission:2026-04-24T09:52:17.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779593783",
        "uuid": "14548be5-116e-47d5-a9d3-81b75df8e9cc",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779593783",
            "to_ids": true,
            "type": "md5",
            "uuid": "1d5792ec-d079-4c65-a46d-c1b02027ecc8",
            "value": "e22d1b625ee309b60caf0252c5df7656",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593087",
            "to_ids": true,
            "type": "sha1",
            "uuid": "6946c5cd-6f08-454e-8d46-d525523fde34",
            "value": "d0a851f0b871df60c73d2c7d3f55b031c45e4c2e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593087",
            "to_ids": true,
            "type": "sha256",
            "uuid": "1b08b9e3-f65f-4062-aa3a-5db7f4fcce80",
            "value": "02654acfb21f83485393ba8b14bd8862b919b9ec966fc6768f6aac1338a45ee8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779589992",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "30851c82-e6c2-47d4-ac1f-9a006b4d4b41",
            "value": "196608:gJC1tf+WJu+LzqG0uK5Brt5Fttg1hHwcu:wC1tfXJu+X0uKrfmzJu"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779589992",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "102cdd9e-3884-427f-8a82-ffb24d70edc8",
            "value": "16601496"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779589992",
            "to_ids": true,
            "type": "vhash",
            "uuid": "aba78c29-3ac1-4601-9603-65659fd7ed8d",
            "value": "e42a67018b3855d62fce873ae4c2c148"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779589992",
            "to_ids": true,
            "type": "filename",
            "uuid": "1764a3a2-360c-4541-8ff4-51f53d6f2f14",
            "value": "2026-03-30_e22d1b625ee309b60caf0252c5df7656_dosia_glassworm_poet-rat_qnapcrypt_sliver"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  24/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779589992",
            "to_ids": false,
            "type": "text",
            "uuid": "9749b009-dfc9-4d7e-8d4e-49474f6ad2b0",
            "value": "Type Description: ELF\nMicrosoft: VirTool:Linux/Sliver.A!MTB\nVT Total Detection:36/64\nFirst Submission:2026-03-26T18:06:14.000000+00:00\nLast Submission:2026-03-30T05:53:58.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779593805",
        "uuid": "ae9cf6f2-7308-45a5-a83e-4726a7d07c10",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779593805",
            "to_ids": true,
            "type": "md5",
            "uuid": "8b5db2a0-9b84-4b7e-812b-0c610a94d919",
            "value": "92a3cdf36745b01fb5080d15b4b169b6",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779593088",
            "to_ids": true,
            "type": "sha1",
            "uuid": "19fa55b2-b029-4a8d-b7c5-84368828cd7f",
            "value": "5c5c5fc0a60c1df322a81a01654a18c55f618a06",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779593088",
            "to_ids": true,
            "type": "sha256",
            "uuid": "18debac8-0844-441b-b10d-8203881ba81a",
            "value": "18d77c9c5bbb5b9d5bdfd366fdfcf26bad9e64c63ca865fad711bcce8e3d5a80",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1779590098",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "b489d0ee-5666-4715-b4ba-906870bca6b5",
            "value": "196608:TOcsBB8512E4S9iy6vEYVpWP5+PqQ+oTEo+SE0+nlc7lJWHR6:TXMhaifllPp+oYTJGqR6"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1779590098",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "faf2e2e0-253c-47fb-a980-ec4bdc4fd374",
            "value": "8715836"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1779590098",
            "to_ids": true,
            "type": "vhash",
            "uuid": "3bd2595a-b6cc-4d6b-9352-915d1e07401b",
            "value": "7d11600aad665e8f8f414fb84cc86722"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1779590098",
            "to_ids": true,
            "type": "filename",
            "uuid": "ccbd2fce-9876-4fdc-9e61-0bfefdb05813",
            "value": "rvi1zt.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 24/05/2026\nLast-scan\t:  24/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1779590098",
            "to_ids": false,
            "type": "text",
            "uuid": "ca457de1-9523-4543-87f9-175e58fc4506",
            "value": "Type Description: ELF\nMicrosoft: Trojan:Linux/Multiverze!rfn\nVT Total Detection:32/65\nFirst Submission:2026-02-27T02:44:08.000000+00:00\nLast Submission:2026-02-27T02:44:08.000000+00:00"
          }
        ]
      }
    ]
  }
}