Title: “Say My Name”: How MioLab is building MacOS Stealer Empire
Date: 2026-03-20
References:
https://www.levelblue.com/blogs/spiderlabs-blog/say-my-name-how-miolab-is-building-macos-stealer-empire
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="from-original-src"
• mitre-att&ck="from-OTX"
• sub-category="tool-profile"
• TA-category="Cybercrime"
• target="broad-based"
• detection-rules="sigma-from-src"
• detection-rules="snort-from-src"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
mitre-attack-pattern=['T1113', 'T1539', 'T1114', 'T1555.001', 'T1204.002', 'T1566.002', 'T1119', 'T1059.002', 'T1005', 'T1140', 'T1555.003', 'T1552.001', 'T1041', 'T1056.002', 'T1059.004', 'T1078', 'T1027', 'T1567.002', 'T1564.003', 'T1027.002', 'T1204']
MISP event uuid: 5b7c96e9-0252-4c03-bdd3-240bf79ec517
Levelblue
“Say My Name”: How MioLab is building MacOS Stealer Empire
As Apple computer's market share continues to grow, threat actors are increasingly shifting their focus toward MacOS environments.
Title: A rigged game: ScarCruft compromises gaming platform in a supply-chain attack
Date: 2026-05-05
References:
https://www.welivesecurity.com/en/eset-research/rigged-game-scarcruft-compromises-gaming-platform-supply-chain-attack/
Rectifyq Taxonomies:
Relevancy: 🟡 Somewhat Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="supply-chain"
• TA-category="APT"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="ESET"
• threat-actor="APT37"
• target-information="China"
mitre-attack-pattern=['T1585', 'T1046', 'T1497', 'T1480.001', 'T1083', 'T1082', 'T1555', 'T1005', 'T1587.001', 'T1056', 'T1140', 'T1584.004', 'T1070.004', 'T1195.002', 'T1112', 'T1113', 'T1090', 'T1608.001', 'T1027', 'T1059.003', 'T1115', 'T1420', 'T1532', 'T1429', 'T1481.002', 'T1636.002', 'T1474.003', 'T1636.003', 'T1533', 'T1407', 'T1646', 'T1541', 'T1430', 'T1406', 'T1636.004', 'T1513', 'T1426', 'T1422', 'T1437.001']
MISP event uuid: db7f9dfd-de5e-49e9-93c9-ad0a6887cd52
Welivesecurity
A rigged game: ScarCruft compromises gaming platform in a supply-chain attack
ESET researchers have investigated an ongoing attack by the ScarCruft APT group that targets the Yanbian region via backdoor-laced Windows and Android games.
Title: Lorem Ipsum Malware: Trojanized MS Teams Installers
Date: 2026-05-04
References:
https://www.bluevoyant.com/blog/lorem-ipsum-trojanized-microsoft-teams-installers-multi-stage-loader-backdoor
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="from-original-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• target-information="United States"
mitre-attack-pattern=['T1583', 'T1587.001', 'T1564', 'T1140', 'T1195', 'T1055', 'T1608.002', 'T1584', 'T1102', 'T1608', 'T1583.006', 'T1547.001', 'T1588.002', 'T1562.001', 'T1584.006', 'T1027.004', 'T1071.001', 'T1518', 'T1102.001', 'T1127', 'T1592.003']
MISP event uuid: 7f88d213-40af-4515-80ca-76c2c7e04ded
BlueVoyant
Lorem Ipsum Malware: Trojanized MS Teams Installers Deliver…
BlueVoyant's Threat Fusion Cell discuss Lorem Ipsum, a campaign using SEO poisoning to distribute trojanized Microsoft Teams installers that deploy a…
Title: Breaking the code: Multi-stage 'code of conduct' phishing campaign leads to AiTM token compromise
Date: 2026-05-04
References:
https://www.microsoft.com/en-us/security/blog/2026/05/04/breaking-the-code-multi-stage-code-of-conduct-phishing-campaign-leads-to-aitm-token-compromise/
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Microsoft"
• target-information="United States"
mitre-attack-pattern=['T1557', 'T1539', 'T1204.002', 'T1588.006', 'T1566.002', 'T1598.003', 'T1566.001', 'T1583.005', 'T1071', 'T1583.001', 'T1090', 'T1608.005', 'T1204', 'T1566', 'T1078', 'T1027', 'T1598', 'T1071.001', 'T1078.004', 'T1557.001']
MISP event uuid: 8175eed5-358d-4fa1-8078-eb1ffbbb5bf9
Microsoft News
Breaking the code: Multi-stage “code of conduct” phishing campaign leads to AiTM token compromise
Microsoft Defender Research observed a large-scale credential theft campaign that exemplifies this trend, using code of conduct-themed lures, a multi-step attack chain, and legitimate email services to distribute fully authenticated messages from attacker…
Title: Four published versions of a fake "tanstack" package uploaded in 27 minutes that want to steal your .env files
Date: 2026-04-29
References:
https://www.aikido.dev/blog/fake-tanstack-packages-steal-env-files
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="supply-chain"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
mitre-attack-pattern=['T1059.007', 'T1036.005', 'T1082', 'T1005', 'T1552.001', 'T1027', 'T1195.002', 'T1567.002', 'T1213', 'T1071.001', 'T1105']
MISP event uuid: e7c079a3-fcc8-49de-a399-d94d074031cc
www.aikido.dev
Four published versions of a fake "tanstack" package uploaded in 27 minutes that want to steal your .env files
A fake "tanstack" npm package published four malicious versions in 27 minutes today, exfiltrating .env files via a postinstall hook. Here's what happened, who was affected, and how to rotate your credentials.
Title: Popular DAEMON Tools software compromised
Date: 2026-05-05
References:
https://securelist.com/tr/daemon-tools-backdoor/119654/
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="malware-analysis"
• topic="supply-chain"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Kaspersky"
• target-information="Belarus"
• target-information="Russia"
• target-information="Thailand"
• target-information="Brazil"
• target-information="China"
• target-information="France"
• target-information="Germany"
• target-information="Italy"
• target-information="Spain"
• target-information="Turkey"
mitre-attack-pattern=['T1033', 'T1218.011', 'T1071.004', 'T1573.001', 'T1082', 'T1140', 'T1016', 'T1057', 'T1059.001', 'T1547.001', 'T1055.012', 'T1027', 'T1195.002', 'T1001.003', 'T1518.001', 'T1059.003', 'T1070.004', 'T1071.001', 'T1105', 'T1055.001']
MISP event uuid: 21f675fc-977d-426a-9622-aed934c463c8
Title: CloudZ RAT potentially steals OTP messages using Pheno plugin
Date: 2026-05-05
References:
https://blog.talosintelligence.com/cloudz-pheno-infostealer/
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="malware-analysis"
• sub-category="campaign-analysis"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Cisco Talos Intelligence Group"
mitre-attack-pattern=['T1053.005', 'T1113', 'T1033', 'T1497.001', 'T1082', 'T1005', 'T1140', 'T1036', 'T1055', 'T1497.003', 'T1555.003', 'T1083', 'T1041', 'T1059.001', 'T1027', 'T1573', 'T1218.009', 'T1059.003', 'T1071.001', 'T1105']
MISP event uuid: 552c3029-2b75-4490-beb5-ef279efdd44e
Cisco Talos
CloudZ RAT potentially steals OTP messages using Pheno plugin
Cisco Talos discovered an intrusion, active since at least January 2026, where an unknown attacker implanted a CloudZ remote access tool (RAT) and a previously undocumented plugin called “Pheno.”
Title: UAT-8302 and its box full of malware
Date: 2026-05-05
References:
https://blog.talosintelligence.com/uat-8302/
Rectifyq Taxonomies:
Relevancy: 🟡 Somewhat Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="TA-profile"
• TA-category="APT"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Cisco Talos Intelligence Group"
• target-information="Japan"
• target-information="Russia"
• malpedia="SNAPPYBEE"
• malpedia="DracuLoader"
• malpedia="SNOWLIGHT"
• threat-actor="Earth Estries"
• threat-actor="LongNosedGoblin"
• threat-actor="REF7707"
• threat-actor="UNC5174"
• malpedia="Vshell"
• malpedia="STOWAWAY"
• region="005 - South America"
• region="035 - South-eastern Asia"
• sector="Government, Administration"
• region="039 - Southern Europe"
mitre-attack-pattern=['T1053.005', 'T1003', 'T1069', 'T1071.004', 'T1087.002', 'T1087.001', 'T1135', 'T1190', 'T1055', 'T1090', 'T1482', 'T1083', 'T1059.001', 'T1078', 'T1027', 'T1570', 'T1071.001', 'T1018', 'T1574.002', 'T1105']
MISP event uuid: 8fc2d3cc-7ec3-45b7-84f8-38e23b894b54
Cisco Talos
UAT-8302 and its box full of malware
Cisco Talos is disclosing UAT-8302, a sophisticated, China-nexus advanced persistent threat (APT) group targeting government entities in South America since at least late 2024 and government agencies in southeastern Europe in 2025.
Title: Iranian-Nexus Operation Against Oman's Government: 12 Ministries Hit and 26,000 Citizen Records Exposed
Date: 2026-05-05
References:
https://hunt.io/blog/iranian-nexus-oman-government-intrusion
Rectifyq Taxonomies:
Relevancy: ⚫ Not Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="infra-profile"
• TA-category="APT"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Hunt.io"
• country="iran"
• target-information="Oman"
• sector="Government, Administration"
• threat-actor="MuddyWater"
• threat-actor="OilRig"
mitre-attack-pattern=['T1053.005', 'T1110.001', 'T1133', 'T1548.002', 'T1003.002', 'T1087.002', 'T1543.003', 'T1074.002', 'T1190', 'T1567', 'T1572', 'T1505.003', 'T1090', 'T1083', 'T1552.001', 'T1041', 'T1059.001', 'T1098', 'T1078', 'T1059.003', 'T1071.001', 'T1136']
MISP event uuid: 1d22e8ac-9b2e-42be-8bcc-f3e462b6f63a
hunt.io
Iranian-Nexus Operation Against Oman's Government: 12 Ministries Hit and 26,000 Citizen Records Exposed
An exposed UAE-hosted VPS revealed an Iranian-nexus operation against Oman's government, with 26,000 citizen records pulled from the Justice Ministry.
Title: Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader
Date: 2026-05-05
References:
https://www.zscaler.com/blogs/security-research/malicious-openclaw-skill-distributes-remcos-rat-and-ghostloader
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="from-original-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="ai"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Zscaler"
• malpedia="Remcos"
mitre-attack-pattern=['T1059.007', 'T1539', 'T1555.001', 'T1204.002', 'T1497.001', 'T1218.007', 'T1005', 'T1552.004', 'T1056.002', 'T1059.004', 'T1562.001', 'T1027', 'T1195.002', 'T1059.003', 'T1071.001', 'T1574.002']
MISP event uuid: f4b731dc-f335-424d-883c-086d4f415791
Zscaler
OpenClaw Skill Distributes Remcos & GhostLoader | ThreatLabz
Technical analysis of a fake OpenClaw “DeepSeek-Claw” skill that tricks AI agents and developers into running hidden payloads that deploy Remcos RAT and GhostLoader.
Title: Operation Silent Rotor: Rust-Based Malware Targets Eurasian Unmanned Aviation Sector Ahead of Moscow Summit
Date: 2026-05-06
References:
https://www.seqrite.com/blog/operation-silent-rotor-rust-malware-unmanned-aviation-sector/
Rectifyq Taxonomies:
Relevancy: ⚫ Not Relevant
Category: Threat
• mitre-att&ck="from-original-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Seqrite"
• target-information="Russia"
• target-information="Tajikistan"
• sector="Civil Aviation"
• region="143 - Central Asia"
mitre-attack-pattern=['T1033', 'T1204.002', 'T1566.001', 'T1082', 'T1106', 'T1140', 'T1016', 'T1083', 'T1036.004', 'T1041', 'T1027', 'T1059.003', 'T1071.001', 'T1105', 'T1090.001']
MISP event uuid: 879be2a3-1617-4328-910c-155eac2ec686
Seqrite Labs
Operation Silent Rotor: Targeted Campaign Compromises Unmanned Aviation Sector Ahead of Moscow Summit
Table of Contents: Introduction; Key Targets; Industries Affected; Geographical focus; Infection Chain; Initial Findings; Looking into the Decoy Documents; Technical Analysis; Stage 1 – Analysis of Malicious Executable; Stage 2 – Second stage payload dropper; Infrastructure…
Title: OceanLotus suspected of distributing ZiChatBot malware via wheel packages in PyPI
Date: 2026-05-06
References:
https://securelist.com/oceanlotus-suspected-pypi-zichatbot-campaign/119603/
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="from-original-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="supply-chain"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Kaspersky"
mitre-attack-pattern=['T1132.001', 'T1195.001', 'T1036.005', 'T1204.002', 'T1574.001', 'T1106', 'T1140', 'T1055', 'T1547.001', 'T1059.004', 'T1027', 'T1102.002', 'T1059.006', 'T1070.004', 'T1027.002', 'T1071.001']
MISP event uuid: 25b75e79-d053-4462-b023-07d0549f2905
Title: Data Extortion Groups Intensify Pressure On Global Aerospace Supply Chains
Date: 2026-05-06
References:
https://cyberpress.org/aerospace-supply-chains-targeted/
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• TA-category="Ransomware"
• target="broad-based"
• topic="supply-chain"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• ransomware="lockbit5"
• sector="Aerospace"
mitre-attack-pattern=['T1583', 'T1133', 'T1082', 'T1071', 'T1562', 'T1195', 'T1190', 'T1567', 'T1589', 'T1021', 'T1070', 'T1041', 'T1199', 'T1566', 'T1078', 'T1027', 'T1486', 'T1598', 'T1588', 'T1213']
MISP event uuid: a7d2cb24-3c7b-4553-9fea-d3228368f8a1
Cyber Security News
Data Extortion Groups Intensify Pressure On Global Aerospace Supply Chains
Cyber risk in the global aviation and aerospace sector is rapidly evolving, with a marked shift toward ransomware, identity-based intrusions.
Title: Threat Actors Weaponize Tiflux RMMs in Malspam Attacks
Date: 2026-05-07
References:
https://www.huntress.com/blog/tiflux-rmm-install
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="intrusion-analysis"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Huntress"
mitre-attack-pattern=['T1113', 'T1036.005', 'T1204.002', 'T1543.003', 'T1566.002', 'T1082', 'T1219', 'T1112', 'T1070.001', 'T1552.001', 'T1547.001', 'T1562.001', 'T1078', 'T1068', 'T1027', 'T1573', 'T1071.001', 'T1574.002']
MISP event uuid: 66e683a8-e077-43de-b903-1a8d01c2429d
Huntress
Threat Actors Weaponize Tiflux RMMs in Malspam Attacks | Huntress
We dug into a recent malspam campaign that involved an installer for a commercially sold remote monitoring and management (RMM) tool called Tiflux.
Title: PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale
Date: 2026-05-07
References:
https://www.sentinelone.com/labs/cloud-worm-evicts-teampcp-and-steals-credentials-at-scale/
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="supply-chain"
• topic="cloud"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="SentinelOne"
mitre-attack-pattern=['T1613', 'T1132.001', 'T1552.005', 'T1053.003', 'T1021.004', 'T1190', 'T1525', 'T1552.004', 'T1087', 'T1609', 'T1083', 'T1552.001', 'T1041', 'T1212', 'T1059.004', 'T1078', 'T1027', 'T1570', 'T1059.006', 'T1071.001', 'T1543.002', 'T1046', 'T1105', 'T1552.007']
MISP event uuid: 695fc11f-d4b5-4df4-8563-1b8a8a3a8c7d
SentinelOne
PCPJacked | A Supply Chain Attacker Becomes the Target
Cloud attack framework skips cryptomining, harvests financial, messaging, and enterprise credentials for fraud, spam, and potential extortion.
Title: Custom Attack Tooling Including Undisclosed C2 Infrastructure Targeting Malaysian Organizations
Date: 2026-05-15
References:
https://oasis-security.io/blog/malaysian-government-with-undisclosed-c2-infrastructure
Rectifyq Taxonomies:
Relevancy: 🔴 Highly Relevant
Category: Threat
• sub-category="infra-profile"
• target="targeted"
• mitre-att&ck="none-from-src"
• action-taken="VT-comment"
MISP Galaxies:
• target-information="Malaysia"
• sector="Government, Administration"
• online-service="8206e5d7-9189-4d8b-855d-339fa45e9c47"
mitre-attack-pattern=['T1100', 'T1505.003', 'T1552.001', 'T1567.002', 'T1190', 'T1587.001', 'T1003.003', 'T1059.001', 'T1059.006', 'T1003.002', 'T1071.001', 'T1021.006']
MISP event uuid: a30d2c51-b056-4b55-ad4d-971722af82d8
oasis-security.io
Custom Attack Tooling Including Undisclosed C2 Infrastructure Targeting Malaysian Organizations
Oasis Security identified a targeted intrusion campaign against multiple Malaysian government organizations, characterized by purpose-built Python tooling per target for internal enumeration and data exfiltration, active webshell deployment, and previously…
Rectifyq Cybersecurity News 🇲🇾 pinned «Title: Zu*** Fi*** Malaysia Data Leak Claims Date: 2026-05-02 References: https://x.com/DailyDarkWeb/status/2050382328489447468?s=20 Rectifyq Taxonomies: Relevancy: 🔴 Highly Relevant Category: 💥 Data Breach • sub-category="leak-forums" • target="targeted"…»
Rectifyq Cybersecurity News 🇲🇾 pinned «Title: Per****** Eko**** Malaysia (Malaysian Eco***** A**********) Date: 2026-05-02 References: https://x.com/DailyDarkWeb/status/2050389330498130111?s=20 Rectifyq Taxonomies: Relevancy: 🔴 Highly Relevant Category: 💥 Data Breach • sub-category="leak…»
Rectifyq Cybersecurity News 🇲🇾 pinned «Title: Custom Attack Tooling Including Undisclosed C2 Infrastructure Targeting Malaysian Organizations Date: 2026-05-15 References: https://oasis-security.io/blog/malaysian-government-with-undisclosed-c2-infrastructure Rectifyq Taxonomies: Relevancy:…»
Title: 5 Malicious NuGet Packages Impersonate Chinese UI Libraries to Distribute Crypto Wallet and Credential Stealer
Date: 2026-05-06
References:
https://socket.dev/blog/5-malicious-nuget-packages-impersonate-chinese-ui-libraries
Rectifyq Taxonomies:
Relevancy: Potentially Relevant
Category: Threat
• mitre-att&ck="from-original-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="crypto-related"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
mitre-attack-pattern=['T1056.001', 'T1539', 'T1204.002', 'T1497.001', 'T1082', 'T1106', 'T1005', 'T1140', 'T1055', 'T1560', 'T1555.003', 'T1055.013', 'T1059', 'T1083', 'T1552.001', 'T1041', 'T1027', 'T1195.002', 'T1071.001']
MISP event uuid: fd4d5ee1-41ff-493f-bb7b-8f5a25b1c947
Socket
5 Malicious NuGet Packages Impersonate Chinese UI Libraries ...
Five malicious NuGet packages impersonate Chinese .NET libraries to deploy a stealer targeting browser credentials, crypto wallets, SSH keys, and loca...
Title: Donuts and Beagles: Fake Claude site spreads backdoor
Date: 2026-05-07
References:
https://www.sophos.com/en-us/blog/donuts-and-beagles-fake-claude-site-spreads-backdoor
Rectifyq Taxonomies:
Relevancy: Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="ai"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Sophos"
mitre-attack-pattern=['T1573.001', 'T1106', 'T1140', 'T1059', 'T1083', 'T1204', 'T1041', 'T1547.001', 'T1566', 'T1027', 'T1132', 'T1070.004', 'T1071.001', 'T1574.002', 'T1105']
MISP event uuid: 7865b246-7bcb-4626-aabe-c50b31d21a89
SOPHOS
Donuts and Beagles: Fake Claude site spreads backdoor
A malicious imitation of Anthropic's Claude site leads to DLL sideloading, and a backdoor