Title: Iranian-Nexus Operation Against Oman's Government: 12 Ministries Hit and 26,000 Citizen Records Exposed
Date: 2026-05-05
References:
https://hunt.io/blog/iranian-nexus-oman-government-intrusion
Rectifyq Taxonomies:
Relevancy: Not Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="infra-profile"
• TA-category="APT"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Hunt.io"
• country="iran"
• target-information="Oman"
• sector="Government, Administration"
• threat-actor="MuddyWater"
• threat-actor="OilRig"
mitre-attack-pattern=['T1053.005', 'T1110.001', 'T1133', 'T1548.002', 'T1003.002', 'T1087.002', 'T1543.003', 'T1074.002', 'T1190', 'T1567', 'T1572', 'T1505.003', 'T1090', 'T1083', 'T1552.001', 'T1041', 'T1059.001', 'T1098', 'T1078', 'T1059.003', 'T1071.001', 'T1136']
MISP event uuid: 1d22e8ac-9b2e-42be-8bcc-f3e462b6f63a
hunt.io
Iranian-Nexus Operation Against Oman's Government: 12 Ministries Hit and 26,000 Citizen Records Exposed
An exposed UAE-hosted VPS revealed an Iranian-nexus operation against Oman's government, with 26,000 citizen records pulled from the Justice Ministry.

Title: Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader
Date: 2026-05-05
References:
https://www.zscaler.com/blogs/security-research/malicious-openclaw-skill-distributes-remcos-rat-and-ghostloader
Rectifyq Taxonomies:
Relevancy: Potentially Relevant
Category: Threat
• mitre-att&ck="from-original-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="ai"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Zscaler"
• malpedia="Remcos"
mitre-attack-pattern=['T1059.007', 'T1539', 'T1555.001', 'T1204.002', 'T1497.001', 'T1218.007', 'T1005', 'T1552.004', 'T1056.002', 'T1059.004', 'T1562.001', 'T1027', 'T1195.002', 'T1059.003', 'T1071.001', 'T1574.002']
MISP event uuid: f4b731dc-f335-424d-883c-086d4f415791
Zscaler
OpenClaw Skill Distributes Remcos & GhostLoader | ThreatLabz
Technical analysis of a fake OpenClaw "DeepSeek-Claw" skill that tricks AI agents and developers into running hidden payloads that deploy Remcos RAT and GhostLoader.

Title: Operation Silent Rotor: Rust-Based Malware Targets Eurasian Unmanned Aviation Sector Ahead of Moscow Summit
Date: 2026-05-06
References:
https://www.seqrite.com/blog/operation-silent-rotor-rust-malware-unmanned-aviation-sector/
Rectifyq Taxonomies:
Relevancy: Not Relevant
Category: Threat
• mitre-att&ck="from-original-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Seqrite"
• target-information="Russia"
• target-information="Tajikistan"
• sector="Civil Aviation"
• region="143 - Central Asia"
mitre-attack-pattern=['T1033', 'T1204.002', 'T1566.001', 'T1082', 'T1106', 'T1140', 'T1016', 'T1083', 'T1036.004', 'T1041', 'T1027', 'T1059.003', 'T1071.001', 'T1105', 'T1090.001']
MISP event uuid: 879be2a3-1617-4328-910c-155eac2ec686
Seqrite Labs
Operation Silent Rotor: Targeted Campaign Compromises Unmanned Aviation Sector Ahead of Moscow Summit
Table of Content: Introduction, Key Targets, Industries Affected, Geographical focus, Infection Chain, Initial Findings, Looking into the Decoy Documents, Technical Analysis, Stage 1 – Analysis of Malicious Executable, Stage 2 – Second stage payload dropper, Infrastructure…

Title: OceanLotus suspected of distributing ZiChatBot malware via wheel packages in PyPI
Date: 2026-05-06
References:
https://securelist.com/oceanlotus-suspected-pypi-zichatbot-campaign/119603/
Rectifyq Taxonomies:
Relevancy: Potentially Relevant
Category: Threat
• mitre-att&ck="from-original-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="supply-chain"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Kaspersky"
mitre-attack-pattern=['T1132.001', 'T1195.001', 'T1036.005', 'T1204.002', 'T1574.001', 'T1106', 'T1140', 'T1055', 'T1547.001', 'T1059.004', 'T1027', 'T1102.002', 'T1059.006', 'T1070.004', 'T1027.002', 'T1071.001']
MISP event uuid: 25b75e79-d053-4462-b023-07d0549f2905

Title: Data Extortion Groups Intensify Pressure On Global Aerospace Supply Chains
Date: 2026-05-06
References:
https://cyberpress.org/aerospace-supply-chains-targeted/
Rectifyq Taxonomies:
Relevancy: Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• TA-category="Ransomware"
• target="broad-based"
• topic="supply-chain"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• ransomware="lockbit5"
• sector="Aerospace"
mitre-attack-pattern=['T1583', 'T1133', 'T1082', 'T1071', 'T1562', 'T1195', 'T1190', 'T1567', 'T1589', 'T1021', 'T1070', 'T1041', 'T1199', 'T1566', 'T1078', 'T1027', 'T1486', 'T1598', 'T1588', 'T1213']
MISP event uuid: a7d2cb24-3c7b-4553-9fea-d3228368f8a1
Cyber Security News
Data Extortion Groups Intensify Pressure On Global Aerospace Supply Chains
Cyber risk in the global aviation and aerospace sector is rapidly evolving, with a marked shift toward ransomware, identity-based intrusions.

Title: Threat Actors Weaponize Tiflux RMMs in Malspam Attacks
Date: 2026-05-07
References:
https://www.huntress.com/blog/tiflux-rmm-install
Rectifyq Taxonomies:
Relevancy: Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="intrusion-analysis"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Huntress"
mitre-attack-pattern=['T1113', 'T1036.005', 'T1204.002', 'T1543.003', 'T1566.002', 'T1082', 'T1219', 'T1112', 'T1070.001', 'T1552.001', 'T1547.001', 'T1562.001', 'T1078', 'T1068', 'T1027', 'T1573', 'T1071.001', 'T1574.002']
MISP event uuid: 66e683a8-e077-43de-b903-1a8d01c2429d
Huntress
Threat Actors Weaponize Tiflux RMMs in Malspam Attacks | Huntress
We dug into a recent malspam campaign that involved an installer for a commercially sold remote monitoring and management (RMM) tool called Tiflux.

Title: PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale
Date: 2026-05-07
References:
https://www.sentinelone.com/labs/cloud-worm-evicts-teampcp-and-steals-credentials-at-scale/
Rectifyq Taxonomies:
Relevancy: Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="supply-chain"
• topic="cloud"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="SentinelOne"
mitre-attack-pattern=['T1613', 'T1132.001', 'T1552.005', 'T1053.003', 'T1021.004', 'T1190', 'T1525', 'T1552.004', 'T1087', 'T1609', 'T1083', 'T1552.001', 'T1041', 'T1212', 'T1059.004', 'T1078', 'T1027', 'T1570', 'T1059.006', 'T1071.001', 'T1543.002', 'T1046', 'T1105', 'T1552.007']
MISP event uuid: 695fc11f-d4b5-4df4-8563-1b8a8a3a8c7d
SentinelOne
PCPJacked | A Supply Chain Attacker Becomes the Target
Cloud attack framework skips cryptomining, harvests financial, messaging, and enterprise credentials for fraud, spam, and potential extortion.

Title: Custom Attack Tooling Including Undisclosed C2 Infrastructure Targeting Malaysian Organizations
Date: 2026-05-15
References:
https://oasis-security.io/blog/malaysian-government-with-undisclosed-c2-infrastructure
Rectifyq Taxonomies:
Relevancy: Highly Relevant
Category: Threat
• sub-category="infra-profile"
• target="targeted"
• mitre-att&ck="none-from-src"
• action-taken="VT-comment"
MISP Galaxies:
• target-information="Malaysia"
• sector="Government, Administration"
• online-service="8206e5d7-9189-4d8b-855d-339fa45e9c47"
mitre-attack-pattern=['T1100', 'T1505.003', 'T1552.001', 'T1567.002', 'T1190', 'T1587.001', 'T1003.003', 'T1059.001', 'T1059.006', 'T1003.002', 'T1071.001', 'T1021.006']
MISP event uuid: a30d2c51-b056-4b55-ad4d-971722af82d8
oasis-security.io
Custom Attack Tooling Including Undisclosed C2 Infrastructure Targeting Malaysian Organizations
Oasis Security identified a targeted intrusion campaign against multiple Malaysian government organizations, characterized by purpose-built Python tooling per target for internal enumeration and data exfiltration, active webshell deployment, and previously…

Title: 5 Malicious NuGet Packages Impersonate Chinese UI Libraries to Distribute Crypto Wallet and Credential Stealer
Date: 2026-05-06
References:
https://socket.dev/blog/5-malicious-nuget-packages-impersonate-chinese-ui-libraries
Rectifyq Taxonomies:
Relevancy: Potentially Relevant
Category: Threat
• mitre-att&ck="from-original-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="crypto-related"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
mitre-attack-pattern=['T1056.001', 'T1539', 'T1204.002', 'T1497.001', 'T1082', 'T1106', 'T1005', 'T1140', 'T1055', 'T1560', 'T1555.003', 'T1055.013', 'T1059', 'T1083', 'T1552.001', 'T1041', 'T1027', 'T1195.002', 'T1071.001']
MISP event uuid: fd4d5ee1-41ff-493f-bb7b-8f5a25b1c947
Socket
5 Malicious NuGet Packages Impersonate Chinese UI Libraries ...
Five malicious NuGet packages impersonate Chinese .NET libraries to deploy a stealer targeting browser credentials, crypto wallets, SSH keys, and loca...

Title: Donuts and Beagles: Fake Claude site spreads backdoor
Date: 2026-05-07
References:
https://www.sophos.com/en-us/blog/donuts-and-beagles-fake-claude-site-spreads-backdoor
Rectifyq Taxonomies:
Relevancy: Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="ai"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Sophos"
mitre-attack-pattern=['T1573.001', 'T1106', 'T1140', 'T1059', 'T1083', 'T1204', 'T1041', 'T1547.001', 'T1566', 'T1027', 'T1132', 'T1070.004', 'T1071.001', 'T1574.002', 'T1105']
MISP event uuid: 7865b246-7bcb-4626-aabe-c50b31d21a89
SOPHOS
Donuts and Beagles: Fake Claude site spreads backdoor
A malicious imitation of Anthropic's Claude site leads to DLL sideloading – and a backdoor

Title: Fake call logs, real payments: How CallPhantom tricks Android users
Date: 2026-05-07
References:
https://www.welivesecurity.com/en/eset-research/fake-call-logs-real-payments-how-callphantom-tricks-android-users/
Rectifyq Taxonomies:
Relevancy: Somewhat Relevant
Category: Threat
• mitre-att&ck="from-original-src"
• sub-category="malware-analysis"
• topic="mobile-attack"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="ESET"
• target-information="India"
• region="142 - Asia"
mitre-attack-pattern=['T1643', 'T1437.001']
MISP event uuid: ba57e423-eb23-4cc7-88af-cde6f2ad2e53
Welivesecurity
Fake call logs, real payments: How CallPhantom tricks Android users
ESET researchers uncovered fraudulent apps on Google Play that claim to provide the call history "for any number" and had been downloaded more than seven million times before being taken down.

Title: Operation GriefLure: Dissecting an APT Campaign Targeting Vietnam's Military Telecom & Philippine Healthcare
Date: 2026-05-07
References:
https://www.seqrite.com/blog/operation-grieflure-dissecting-an-apt-campaign-targeting-vietnams-military-telecom-philippine-healthcare/
Rectifyq Taxonomies:
Relevancy: Not Relevant
Category: Threat
• mitre-att&ck="from-original-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• TA-category="APT"
• target="targeted"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Seqrite"
• target-information="Philippines"
• target-information="Vietnam"
• sector="Health"
• sector="Military"
• sector="Telecoms"
mitre-attack-pattern=['T1113', 'T1574.007', 'T1547', 'T1204.002', 'T1566.001', 'T1082', 'T1005', 'T1036', 'T1218', 'T1555.003', 'T1134.002', 'T1020', 'T1083', 'T1552.001', 'T1057', 'T1041', 'T1027', 'T1573', 'T1518.001', 'T1059.003', 'T1071.001', 'T1574.002', 'T1564.004', 'T1055.001']
MISP event uuid: 959e2151-f389-4d99-bea5-635a5f3fc2c8
Seqrite Labs
Operation GriefLure: Dissecting an APT Campaign Targeting Vietnam's Military Telecom & Philippine Healthcare
Table of Contents: Introduction, Key Targets, Infection Chain, Initial Findings about Campaign, Analysis of Decoys, Technical Analysis, Campaign-1: Stage-1: Ho so.rar, Campaign-2: Stage-1: download.zip, Stage-2: The LNK & Batch file (Common in 1 & 2 both)…

Title: Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution
Date: 2026-05-06
References:
https://unit42.paloaltonetworks.com/captive-portal-zero-day/
Rectifyq Taxonomies:
Relevancy: Potentially Relevant
Category: Vulnerability
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• sub-category="zero-day"
• target="broad-based"
• mitre-att&ck="from-original-src"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Palo Alto"
mitre-attack-pattern=['T1498.001', 'T1087.002', 'T1021.004', 'T1071', 'T1190', 'T1055', 'T1572', 'T1070.001', 'T1016', 'T1090', 'T1098', 'T1562.001', 'T1078', 'T1068', 'T1078.002', 'T1070.004', 'T1071.001', 'T1018', 'T1105', 'T1021.001']
MISP event uuid: 8e814525-08af-4e45-a9b3-9402b98b3e88
Unit 42
Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution
Unit 42 details CVE-2026-0300, a buffer overflow vulnerability in the PAN-OS User-ID Authentication Portal. Read now for details.

Title: ClickFix campaign uses fake macOS utilities lures to deliver infostealers
Date: 2026-05-06
References:
https://www.microsoft.com/en-us/security/blog/2026/05/06/clickfix-campaign-uses-fake-macos-utilities-lures-deliver-infostealers/
Rectifyq Taxonomies:
Relevancy: Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Microsoft"
mitre-attack-pattern=['T1059.007', 'T1539', 'T1555.001', 'T1082', 'T1059.002', 'T1005', 'T1140', 'T1036', 'T1560', 'T1543.004', 'T1555.003', 'T1087', 'T1083', 'T1552.001', 'T1204', 'T1041', 'T1574', 'T1027', 'T1614', 'T1543.001']
MISP event uuid: 8a797443-5fc5-4804-b43f-77813c7ad5e8
Microsoft News
ClickFix campaign uses fake macOS utilities lures to deliver infostealers
Threat actors are targeting macOS users with fake utility fixes that trick them into running malicious Terminal commands. This campaign evades traditional defenses by stealing credentials, wallets, and sensitive data.

Title: TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook
Date: 2026-05-07
References:
https://www.elastic.co/security-labs/tclbanker-brazilian-banking-trojan
Rectifyq Taxonomies:
Relevancy: Not Relevant
Category: Threat
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• target="broad-based"
• mitre-att&ck="from-original-src"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Elastic"
• target-information="Brazil"
• sector="Bank"
mitre-attack-pattern=['T1010', 'T1185', 'T1115', 'T1574.002', 'T1622', 'T1140', 'T1562.001', 'T1105', 'T1056.001', 'T1114.001', 'T1218.007', 'T1106', 'T1027', 'T1059.001', 'T1057', 'T1055', 'T1053.005', 'T1113', 'T1566.001', 'T1497.001', 'T1082', 'T1614.001', 'T1529', 'T1497.003', 'T1056.003', 'T1071.001', 'T1102', 'T1059.003']
MISP event uuid: 31e26c64-8653-4eb8-9977-4da1d6c0cc22
www.elastic.co
TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook – Elastic Security Labs
REF3076 uses a trojanized Logitech installer to deploy TCLBANKER, a Brazilian banking trojan with environment-gated payloads, WPF fraud overlays, and self-propagating WhatsApp and Outlook worm modules.

Title: AI-Assisted Lure Factory Targets Developers & Gamers
Date: 2026-03-23
References:
https://www.netskope.com/blog/openclaw-trap-ai-assisted-lure-factory-targets-developers-gamers
Rectifyq Taxonomies:
Relevancy: Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="ai"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Netskope"
mitre-attack-pattern=[]
MISP event uuid: 3877fbbc-045c-47b7-88fb-f08151c3461c
Netskope
OpenClaw Trap: AI-Assisted Lure Factory Targets Developers & Gamers
Netskope Threat Labs identified a link to a malware campaign operating across multiple GitHub repositories, spanning over 300 delivery packages,

Title: Abuse of Cloud-Native Infrastructure in Modern Phishing Campaigns
Date: 2026-05-07
References:
https://www.cyfirma.com/research/abuse-of-cloud-native-infrastructure-in-modern-phishing-campaigns/
Rectifyq Taxonomies:
Relevancy: Potentially Relevant
Category: Threat
• mitre-att&ck="from-original-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="cloud"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Cyfirma"
mitre-attack-pattern=['T1557', 'T1059.007', 'T1566.002', 'T1566.001', 'T1119', 'T1567', 'T1583.004', 'T1114.003', 'T1584', 'T1102', 'T1528', 'T1027', 'T1078.004', 'T1556']
MISP event uuid: 47aa313e-d63c-41b0-9e9b-37dc020ba38e
CYFIRMA
Abuse of Cloud-Native Infrastructure in Modern Phishing Campaigns - CYFIRMA
EXECUTIVE SUMMARY An investigation into phishing activity over the past months has surfaced a decisive structural evolution in how threat...

Title: Technical Advisory: Breach of Instructure Canvas LMS
Date: 2026-05-09
References:
https://businessinsights.bitdefender.com/technical-advisory-shinyhunters-breach-instructure-canvas-lms
Rectifyq Taxonomies:
Relevancy: Potentially Relevant
Category: Data Breach
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• TA-category="APT"
• target="targeted"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Bitdefender"
• target-information="United States"
• target-information="Australia"
• target-information="United Kingdom"
• threat-actor="ShinyHunters"
mitre-attack-pattern=['T1557', 'T1539', 'T1114', 'T1594', 'T1530', 'T1550', 'T1589', 'T1586', 'T1528', 'T1591', 'T1590', 'T1199', 'T1566', 'T1078', 'T1486', 'T1598', 'T1213', 'T1485', 'T1078.004', 'T1556']
MISP event uuid: 8b1cc71b-0ea8-4adb-b274-dc6938e0a183
Bitdefender
Technical Advisory: ShinyHunters Breach of Instructure Canvas LMS
This security advisory details what organizations need to know about the second ShinyHunters attack against Instructure in an eight month span.