{
  "Event": {
    "analysis": "1",
    "date": "2026-04-01",
    "extends_uuid": "",
    "info": "[Threat Intel] Detections for the Axios supply chain compromise",
    "protected": false,
    "publish_timestamp": "1776072055",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1776072054",
    "uuid": "ff850a92-34b2-4802-8470-53e26c63a478",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#5f1b93",
        "local": false,
        "name": "misp-galaxy:producer=\"Elastic\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#bb2745",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Standard Encoding - T1132.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#7da4ad",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Match Legitimate Resource Name or Location - T1036.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#89bea3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"AppleScript - T1059.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c0051",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#62f4c1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#b76d96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#7628f7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Unix Shell - T1059.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#4bc785",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Hollowing - T1055.012\"",
        "relationship_type": ""
      },
      {
        "colour": "#d596aa",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Compromise Software Supply Chain - T1195.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#e2a873",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Steganography - T1027.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Security Software Discovery - T1518.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#15723e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Launch Agent - T1543.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#1a8d0c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Time Discovery - T1124\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#18005e",
        "local": false,
        "name": "rectifyq:topic=\"supply-chain\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775617206",
        "to_ids": false,
        "type": "link",
        "uuid": "31efc85b-8dc8-4229-8ac7-bc46e17706c5",
        "value": "https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775617206",
        "to_ids": false,
        "type": "text",
        "uuid": "6d6059b0-2dad-41b5-a96e-ec83fe922692",
        "value": "A supply chain attack targeting Axios npm package versions 1.14.1 and 0.30.4 introduced a malicious transitive dependency (plain-crypto-js@4.2.1) that executed during installation. The attack deploys cross-platform payloads across Linux, Windows, and macOS through a consistent pattern: Node.js spawns OS-native shells to retrieve and execute remote payloads in detached or hidden contexts. Linux victims receive a Python-based RAT, Windows systems get a PowerShell backdoor with registry persistence, and macOS hosts are compromised with a Mach-O binary backdoor. All variants beacon to the same C2 infrastructure, performing host fingerprinting, process enumeration, filesystem reconnaissance, and arbitrary code execution. The malicious activity is reliably detected through behavioral signatures focusing on unusual Node.js process ancestry and remote payload retrieval rather than static indicators."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1775617207",
        "to_ids": false,
        "type": "text",
        "uuid": "7fed72c4-00d6-4499-a4ff-14884561555b",
        "value": "Name: Detections for the Axios supply chain compromise\nAuthor: AlienVault\nAdversary: \nTags: [\"supply chain attack\", \"post-install execution\", \"axios\"]\nTgtd countries: []\nMlwr families: [\"plain-crypto-js\", \"ld.py\", \"wt.exe\", \"com.apple.act.mond\"]\nAttack_ids: [\"T1132.001\", \"T1036.005\", \"T1082\", \"T1059.002\", \"T1140\", \"T1083\", \"T1057\", \"T1059.001\", \"T1547.001\", \"T1059.004\", \"T1055.012\", \"T1195.002\", \"T1027.003\", \"T1518.001\", \"T1543.001\", \"T1071.001\", \"T1105\", \"T1124\"]\nIndustries: []"
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:12/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776018299",
        "to_ids": true,
        "type": "md5",
        "uuid": "5d19e723-1531-4ba6-a4f1-7af63ef97806",
        "value": "e56bafda15a624b60ac967111d227bf8",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:12/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776018300",
        "to_ids": true,
        "type": "sha1",
        "uuid": "e420563c-fb1b-4639-b240-c2d0faab8280",
        "value": "d6f3f62fd3b9f5432f5782b62d8cfd5247d5ee71",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:12/04/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776018301",
        "to_ids": true,
        "type": "sha256",
        "uuid": "95b55119-7bd1-4852-a766-5ab5c1356ceb",
        "value": "59336a964f110c25c112bcc5adca7090296b54ab33fa95c0744b94f8a0d80c0f",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776018850",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "2e0f4877-e3b3-4dda-bcb7-eb9b629ab45d",
        "value": "142.11.206.73",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
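        "comment": "Review note: this value looks like an ECS field name (process.name), probably picked up from detection-query text in the source article, not a real domain; likely an extraction false positive - confirm before exporting to IDS (to_ids is true).",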
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776018871",
        "to_ids": true,
        "type": "url",
        "uuid": "33676da9-0e29-4860-ac72-e2cce5d49fad",
        "value": "http://sfrclak.com:8000/6202033",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776018893",
        "to_ids": true,
        "type": "domain",
        "uuid": "172584c9-700d-4151-a470-57e6eea33e32",
        "value": "process.name",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776018914",
        "to_ids": true,
        "type": "domain",
        "uuid": "ddb327ef-a10a-44c2-b9d2-77673529592e",
        "value": "sfrclak.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
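        "comment": "Review note: this value looks like an ECS field name (process.parent.name), probably picked up from detection-query text in the source article, not a real hostname; likely an extraction false positive - confirm before exporting to IDS (to_ids is true).",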
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776018935",
        "to_ids": true,
        "type": "hostname",
        "uuid": "e75c7434-30d5-4ee4-942d-0a962330aa61",
        "value": "process.parent.name",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776018956",
        "to_ids": true,
        "type": "url",
        "uuid": "d73949bc-ebe8-45c9-be35-3eaac2572337",
        "value": "packages.npm.org/product0",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776018977",
        "to_ids": true,
        "type": "url",
        "uuid": "7d8d1965-3d5f-4501-a0b9-95b1f028c975",
        "value": "packages.npm.org/product1",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776018998",
        "to_ids": true,
        "type": "url",
        "uuid": "325330b9-c101-41ab-a216-daf7f75ecf4d",
        "value": "packages.npm.org/product2",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776019019",
        "uuid": "49da49b4-85f5-44bd-a45f-8318c3c29bd1",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776019019",
            "to_ids": true,
            "type": "md5",
            "uuid": "da474b38-7125-408f-801c-1fccbde96c04",
            "value": "7658962ae060a222c0058cd4e979bfa1",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776018292",
            "to_ids": true,
            "type": "sha1",
            "uuid": "56347455-986a-48c2-b6c5-83b69f21d337",
            "value": "b0e0f12f1be57dc67fa375e860cedd19553c464d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776018292",
            "to_ids": true,
            "type": "sha256",
            "uuid": "d27d2285-c84b-47af-a041-ff2623e4436a",
            "value": "e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776008999",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "fe87704e-19fe-443b-9dc1-579ab0006e31",
            "value": "96:V0BwY31H/x2Nov7NMUtjlNU0kCsSuckO6Jg5yD8pm:V07H/x2NSBNxjl4S9t5yopm"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776008999",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "a30269a5-f11f-4844-9b8e-f372f8240ca5",
            "value": "4209"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776008999",
            "to_ids": true,
            "type": "vhash",
            "uuid": "056d22ae-4add-436c-bb80-882c4edb939a",
            "value": "38941ec9dea7b975f11cc8643b2a9926"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776008999",
            "to_ids": true,
            "type": "filename",
            "uuid": "3be3552d-9b1f-4b26-b636-daa3ec0f4e96",
            "value": "setup.js"
          },
          {
            "category": "Other",
            "comment": "Checked: 12/04/2026\nLast-scan\t:  12/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776008999",
            "to_ids": false,
            "type": "text",
            "uuid": "edb57f19-5344-43f8-a81d-0d6e8f4871b6",
            "value": "Type Description: JavaScript\nMicrosoft: TrojanDownloader:JS/TalonStrike.D!dha\nVT Total Detection:35/64\nFirst Submission:2026-03-31T04:19:15.000000+00:00\nLast Submission:2026-04-10T03:39:09.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776019040",
        "uuid": "ea03f2be-3150-45a0-a939-89e794a8de37",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776019040",
            "to_ids": true,
            "type": "md5",
            "uuid": "efd9a888-e07e-4e0b-a8e1-e9726488a8f3",
            "value": "7a9ddef00f69477b96252ca234fcbeeb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776018293",
            "to_ids": true,
            "type": "sha1",
            "uuid": "cd003135-e377-474e-9c0c-ef2618453eb3",
            "value": "13ab317c5dcab9af2d1bdb22118b9f09f8a4038e",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776018293",
            "to_ids": true,
            "type": "sha256",
            "uuid": "a803543d-9152-4a7f-9e03-32032b4109ea",
            "value": "92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776009021",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "b6543598-3b8e-445c-8a53-3994f32cc54a",
            "value": "6144:xjazCtUlrLxJnzsOOAx2Y+AktJgRESAtxVZS63vYdCzsbAkuNjepym:xjazCtyJcYKgRESAT93AdUjepym"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776009021",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "a4efbc8d-9e2e-49dc-a803-ded2915aa070",
            "value": "657424"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776009021",
            "to_ids": true,
            "type": "vhash",
            "uuid": "8412a7ca-46f7-4797-ba0e-5ef663b05939",
            "value": "5888402d25bc5f77c7c3d92ca5d30997"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776009021",
            "to_ids": true,
            "type": "filename",
            "uuid": "b8636cc0-ff8a-4fe8-81f5-9fcb7090c512",
            "value": "92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a.macho"
          },
          {
            "category": "Other",
            "comment": "Checked: 12/04/2026\nLast-scan\t:  12/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776009021",
            "to_ids": false,
            "type": "text",
            "uuid": "4942b29e-0d1f-42a7-bf1b-7272b6c4765f",
            "value": "Type Description: Mach-O\nMicrosoft: Backdoor:MacOS/TalonStrike.A!dha\nVT Total Detection:36/64\nFirst Submission:2026-03-31T01:05:29.000000+00:00\nLast Submission:2026-04-08T14:55:14.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776019061",
        "uuid": "475eb131-356e-43c4-9e1b-0dd73589011f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776019061",
            "to_ids": true,
            "type": "md5",
            "uuid": "a3964e4a-2f0f-4991-a505-ddd3ade0be36",
            "value": "8c782b59a786f18520673e8d669e3b0a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776018294",
            "to_ids": true,
            "type": "sha1",
            "uuid": "0b279207-baab-4ff1-9bc0-4ba3d08475fd",
            "value": "ae39c4c550ad656622736134035f17ca7a66a742",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776018294",
            "to_ids": true,
            "type": "sha256",
            "uuid": "793dfe13-719e-49d8-b147-b74b015d02ee",
            "value": "e49c2732fb9861548208a78e72996b9c3c470b6b562576924bcc3a9fb75bf9ff",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776009043",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "a878c5bd-029d-4065-9810-19255fa67d70",
            "value": "6:rz8SFXF+RLgyKBM3S1z+ILh8JkziCVAV2o4VhRUaeq:X8+ERLgyaIS1HGuziCqVMhXn"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776009043",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "c7e8122a-d66e-4126-a7eb-ab858f0c3c0f",
            "value": "203"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776009043",
            "to_ids": true,
            "type": "filename",
            "uuid": "e16a561e-254c-4ae3-98a4-766821dbda43",
            "value": "system.bat"
          },
          {
            "category": "Other",
            "comment": "Checked: 12/04/2026\nLast-scan\t:  09/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776009043",
            "to_ids": false,
            "type": "text",
            "uuid": "1a40a7c3-a097-4b92-97b6-582b36ace811",
            "value": "Type Description: Powershell\nMicrosoft: TrojanDownloader:PowerShell/TalonStrike!MTB\nVT Total Detection:29/62\nFirst Submission:2026-03-31T00:45:40.000000+00:00\nLast Submission:2026-03-31T14:42:40.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776019083",
        "uuid": "f4866ab9-2b63-48e6-90b2-29aefd8f3ea4",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776019083",
            "to_ids": true,
            "type": "md5",
            "uuid": "e5f2986b-6eb3-4607-b47e-fe1cb17f6b43",
            "value": "90e8e227ba8bef0ea7e0212b5b1e0d4c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776018296",
            "to_ids": true,
            "type": "sha1",
            "uuid": "b73361f6-f978-4b7c-a80f-8fb9d17c8233",
            "value": "dbd62d788ce8dcaa96116a73f70ee24813d59428",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776018296",
            "to_ids": true,
            "type": "sha256",
            "uuid": "ddcbade2-f625-4a3d-805b-b13ec63c5e76",
            "value": "ed8560c1ac7ceb6983ba995124d5917dc1a00288912387a6389296637d5f815c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776009064",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "f2d9c743-57c5-4c75-a3ce-385b17b443ed",
            "value": "192:b9u9gG89mD+SOzuahCnGX1pybp0j5PWFmFBiMluIY266b7cTOXAWnTvfOkFHPL:b4KG8MwzuaEnGDPWFsBiM9YChLf1HD"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776009064",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "4d69c240-6605-4ab7-8dac-d6a46d08683e",
            "value": "10656"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776009064",
            "to_ids": true,
            "type": "vhash",
            "uuid": "42909e3b-44c1-47f3-9367-335c3a64c337",
            "value": "6999d755f2fc6f1ce13e39107e15280c"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776009064",
            "to_ids": true,
            "type": "filename",
            "uuid": "d471c403-6963-405e-887a-f8d74461ba58",
            "value": "ed8560c1ac7ceb6983ba995124d5917dc1a00288912387a6389296637d5f815c.ps1"
          },
          {
            "category": "Other",
            "comment": "Checked: 12/04/2026\nLast-scan\t:  12/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776009064",
            "to_ids": false,
            "type": "text",
            "uuid": "652ee202-a978-4f7a-9051-56833d9a6c75",
            "value": "Type Description: Powershell\nMicrosoft: Backdoor:PowerShell/TalonStrike.B!dha\nVT Total Detection:30/62\nFirst Submission:2026-03-31T00:39:55.000000+00:00\nLast Submission:2026-04-02T07:10:47.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776019104",
        "uuid": "df8a138f-929d-4b66-8f29-a29574216c3a",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776019104",
            "to_ids": true,
            "type": "md5",
            "uuid": "32e8669c-a7a8-4197-a8a7-ecc0556fdd8e",
            "value": "db7f4c82c732e8b107492cae419740ab",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776018297",
            "to_ids": true,
            "type": "sha1",
            "uuid": "2dabb347-b446-4ea5-9222-eeadb08a766a",
            "value": "07d889e2dadce6f3910dcbc253317d28ca61c766",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776018297",
            "to_ids": true,
            "type": "sha256",
            "uuid": "594c274e-1909-4b68-ab9a-47d89e7e3b4c",
            "value": "58401c195fe0a6204b42f5f90995ece5fab74ce7c69c67a24c61a057325af668",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776009086",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "50ace66d-93c1-4b60-83bb-17031f155424",
            "value": "1536:uXG6U0Qn6xK9yaoMZ2NUX6KX1hkKAqFlsaPXOdV2VLbgQvMjCtVpWl+0iium82FM:uWD6MIMAiDXoL6wQg9jQVElKI82Te"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776009086",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "43d7bb2f-c565-46e1-bf2a-90ae71fde804",
            "value": "89868"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776009086",
            "to_ids": true,
            "type": "vhash",
            "uuid": "2500fa7d-cf91-44ef-82e8-eba517af77cf",
            "value": "cd8e4404877b2b40dc62d177414fd4bb"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776009086",
            "to_ids": true,
            "type": "filename",
            "uuid": "eca5e401-8b32-4542-a421-9b4f63536852",
            "value": "58401c195fe0a6204b42f5f90995ece5fab74ce7c69c67a24c61a057325af668.gz"
          },
          {
            "category": "Other",
            "comment": "Checked: 12/04/2026\nLast-scan\t:  12/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776009086",
            "to_ids": false,
            "type": "text",
            "uuid": "ba01cfb6-d851-467d-866c-bb717c73d283",
            "value": "Type Description: GZIP\nMicrosoft: TrojanDownloader:JS/TalonStrike.D!dha\nVT Total Detection:35/63\nFirst Submission:2026-03-31T02:57:22.000000+00:00\nLast Submission:2026-04-08T05:57:15.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776019125",
        "uuid": "9ea857e6-b6ab-4b90-8743-87b45e86c335",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776019125",
            "to_ids": true,
            "type": "md5",
            "uuid": "c9fae232-edf2-4a05-bcf1-262a4d100039",
            "value": "ea7057982ac2c7788f5142eb54577e6d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776018298",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e517b775-bd75-49c6-9655-0754635f275d",
            "value": "6b27b6dde93553aceda8b904cc4d4d18cbb65c2b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776018298",
            "to_ids": true,
            "type": "sha256",
            "uuid": "d6270575-c61f-490c-9fcb-e672e3dbb8ed",
            "value": "6483c004e207137385f480909d6edecf1b699087378aa91745ecba7c3394f9d7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776009171",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "95866a64-b992-4207-9dc6-dc371663c16b",
            "value": "12:boI4/qwSVATAN4nv3StO4/KRoJMxnFG5Rk4FCDYFjoAnkUrtywRNG2epetIpzv3o:UImqwSVA0N4nPStO4/ioCTcR9Wijbvr9"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776009171",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "8a84953d-df73-488d-8074-20b5e352eadd",
            "value": "766"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776009171",
            "to_ids": true,
            "type": "filename",
            "uuid": "f30b9fd1-7a12-45d6-9325-651c3f4df028",
            "value": "ld.py"
          },
          {
            "category": "Other",
            "comment": "Checked: 12/04/2026\nLast-scan\t:  10/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776009171",
            "to_ids": false,
            "type": "text",
            "uuid": "c3db21d7-c2ad-4048-989a-c4c48d209e97",
            "value": "Type Description: Python\nMicrosoft: Trojan:Python/Malscript!MSR\nVT Total Detection:1/63\nFirst Submission:2026-03-31T09:24:16.000000+00:00\nLast Submission:2026-03-31T09:24:16.000000+00:00"
          }
        ]
      }
    ]
  }
}