📃Title: 5 Malicious NuGet Packages Impersonate Chinese UI Libraries to Distribute Crypto Wallet and Credential Stealer
📅Date: 2026-05-06
🔗References:
https://socket.dev/blog/5-malicious-nuget-packages-impersonate-chinese-ui-libraries
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="from-original-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="crypto-related"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
mitre-attack-pattern=['T1056.001', 'T1539', 'T1204.002', 'T1497.001', 'T1082', 'T1106', 'T1005', 'T1140', 'T1055', 'T1560', 'T1555.003', 'T1055.013', 'T1059', 'T1083', 'T1552.001', 'T1041', 'T1027', 'T1195.002', 'T1071.001']
MISP event uuid: fd4d5ee1-41ff-493f-bb7b-8f5a25b1c947
Socket
5 Malicious NuGet Packages Impersonate Chinese UI Libraries ...
Five malicious NuGet packages impersonate Chinese .NET libraries to deploy a stealer targeting browser credentials, crypto wallets, SSH keys, and loca...
📃Title: Donuts and Beagles: Fake Claude site spreads backdoor
📅Date: 2026-05-07
🔗References:
https://www.sophos.com/en-us/blog/donuts-and-beagles-fake-claude-site-spreads-backdoor
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="ai"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
• producer="Sophos"
mitre-attack-pattern=['T1573.001', 'T1106', 'T1140', 'T1059', 'T1083', 'T1204', 'T1041', 'T1547.001', 'T1566', 'T1027', 'T1132', 'T1070.004', 'T1071.001', 'T1574.002', 'T1105']
MISP event uuid: 7865b246-7bcb-4626-aabe-c50b31d21a89
SOPHOS
Donuts and Beagles: Fake Claude site spreads backdoor
A malicious imitation of Anthropic’s Claude site leads to DLL sideloading – and a backdoor
📃Title: Fake call logs, real payments: How CallPhantom tricks Android users
📅Date: 2026-05-07
🔗References:
https://www.welivesecurity.com/en/eset-research/fake-call-logs-real-payments-how-callphantom-tricks-android-users/
🔖Rectifyq Taxonomies:
Relevancy: 🟡 Somewhat Relevant
Category: ⚔ Threat
• mitre-att&ck="from-original-src"
• sub-category="malware-analysis"
• topic="mobile-attack"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
• producer="ESET"
• target-information="India"
• region="142 - Asia"
mitre-attack-pattern=['T1643', 'T1437.001']
MISP event uuid: ba57e423-eb23-4cc7-88af-cde6f2ad2e53
Welivesecurity
Fake call logs, real payments: How CallPhantom tricks Android users
ESET researchers uncovered fraudulent apps on Google Play that claim to provide the call history “for any number” and had been downloaded more than seven million times before being taken down.
📃Title: Operation GriefLure: Dissecting an APT Campaign Targeting Vietnam's Military Telecom & Philippine Healthcare
📅Date: 2026-05-07
🔗References:
https://www.seqrite.com/blog/operation-grieflure-dissecting-an-apt-campaign-targeting-vietnams-military-telecom-philippine-healthcare/
🔖Rectifyq Taxonomies:
Relevancy: ⚫ Not Relevant
Category: ⚔ Threat
• mitre-att&ck="from-original-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• TA-category="APT"
• target="targeted"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
• producer="Seqrite"
• target-information="Philippines"
• target-information="Vietnam"
• sector="Health"
• sector="Military"
• sector="Telecoms"
mitre-attack-pattern=['T1113', 'T1574.007', 'T1547', 'T1204.002', 'T1566.001', 'T1082', 'T1005', 'T1036', 'T1218', 'T1555.003', 'T1134.002', 'T1020', 'T1083', 'T1552.001', 'T1057', 'T1041', 'T1027', 'T1573', 'T1518.001', 'T1059.003', 'T1071.001', 'T1574.002', 'T1564.004', 'T1055.001']
MISP event uuid: 959e2151-f389-4d99-bea5-635a5f3fc2c8
Seqrite Labs
Operation GriefLure: Dissecting an APT Campaign Targeting Vietnam’s Military Telecom & Philippine Healthcare
Table of Contents: Introduction: Key Targets: Infection Chain: Initial Findings about Campaign: Analysis of Decoys: Technical Analysis: Campaign-1: Stage-1: Ho so.rar Campaign: 2 Stage-1: download.zip Stage-2: The LNK & Batch file (Common in 1 & 2 both)…
📃Title: Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution
📅Date: 2026-05-06
🔗References:
https://unit42.paloaltonetworks.com/captive-portal-zero-day/
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: 💉 Vulnerability
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• sub-category="zero-day"
• target="broad-based"
• mitre-att&ck="from-original-src"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
• producer="Palo Alto"
mitre-attack-pattern=['T1498.001', 'T1087.002', 'T1021.004', 'T1071', 'T1190', 'T1055', 'T1572', 'T1070.001', 'T1016', 'T1090', 'T1098', 'T1562.001', 'T1078', 'T1068', 'T1078.002', 'T1070.004', 'T1071.001', 'T1018', 'T1105', 'T1021.001']
MISP event uuid: 8e814525-08af-4e45-a9b3-9402b98b3e88
Unit 42
Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution
Unit 42 details CVE-2026-0300, a buffer overflow vulnerability in the PAN-OS User-ID Authentication Portal. Read now for details.
📃Title: ClickFix campaign uses fake macOS utilities lures to deliver infostealers
📅Date: 2026-05-06
🔗References:
https://www.microsoft.com/en-us/security/blog/2026/05/06/clickfix-campaign-uses-fake-macos-utilities-lures-deliver-infostealers/
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
• producer="Microsoft"
mitre-attack-pattern=['T1059.007', 'T1539', 'T1555.001', 'T1082', 'T1059.002', 'T1005', 'T1140', 'T1036', 'T1560', 'T1543.004', 'T1555.003', 'T1087', 'T1083', 'T1552.001', 'T1204', 'T1041', 'T1574', 'T1027', 'T1614', 'T1543.001']
MISP event uuid: 8a797443-5fc5-4804-b43f-77813c7ad5e8
Microsoft News
ClickFix campaign uses fake macOS utilities lures to deliver infostealers
Threat actors are targeting macOS users with fake utility fixes that trick them into running malicious Terminal commands. This campaign evades traditional defenses by stealing credentials, wallets, and sensitive data.
📃Title: TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook
📅Date: 2026-05-07
🔗References:
https://www.elastic.co/security-labs/tclbanker-brazilian-banking-trojan
🔖Rectifyq Taxonomies:
Relevancy: ⚫ Not Relevant
Category: ⚔ Threat
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• target="broad-based"
• mitre-att&ck="from-original-src"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
• producer="Elastic"
• target-information="Brazil"
• sector="Bank"
mitre-attack-pattern=['T1010', 'T1185', 'T1115', 'T1574.002', 'T1622', 'T1140', 'T1562.001', 'T1105', 'T1056.001', 'T1114.001', 'T1218.007', 'T1106', 'T1027', 'T1059.001', 'T1057', 'T1055', 'T1053.005', 'T1113', 'T1566.001', 'T1497.001', 'T1082', 'T1614.001', 'T1529', 'T1497.003', 'T1056.003', 'T1071.001', 'T1102', 'T1059.003']
MISP event uuid: 31e26c64-8653-4eb8-9977-4da1d6c0cc22
www.elastic.co
TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook — Elastic Security Labs
REF3076 uses a trojanized Logitech installer to deploy TCLBANKER, a Brazilian banking trojan with environment-gated payloads, WPF fraud overlays, and self-propagating WhatsApp and Outlook worm modules.
📃Title: AI-Assisted Lure Factory Targets Developers & Gamers
📅Date: 2026-03-23
🔗References:
https://www.netskope.com/blog/openclaw-trap-ai-assisted-lure-factory-targets-developers-gamers
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="ai"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
• producer="Netskope"
mitre-attack-pattern=[]
MISP event uuid: 3877fbbc-045c-47b7-88fb-f08151c3461c
Netskope
OpenClaw Trap: AI-Assisted Lure Factory Targets Developers & Gamers
Netskope Threat Labs identified a link to a malware campaign operating across multiple GitHub repositories, spanning over 300 delivery packages,
📃Title: Abuse of Cloud-Native Infrastructure in Modern Phishing Campaigns
📅Date: 2026-05-07
🔗References:
https://www.cyfirma.com/research/abuse-of-cloud-native-infrastructure-in-modern-phishing-campaigns/
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="from-original-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="cloud"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
• producer="Cyfirma"
mitre-attack-pattern=['T1557', 'T1059.007', 'T1566.002', 'T1566.001', 'T1119', 'T1567', 'T1583.004', 'T1114.003', 'T1584', 'T1102', 'T1528', 'T1027', 'T1078.004', 'T1556']
MISP event uuid: 47aa313e-d63c-41b0-9e9b-37dc020ba38e
CYFIRMA
Abuse of Cloud-Native Infrastructure in Modern Phishing Campaigns - CYFIRMA
EXECUTIVE SUMMARY An investigation into phishing activity over the past months has surfaced a decisive structural evolution in how threat...
📃Title: Technical Advisory: Breach of Instructure Canvas LMS
📅Date: 2026-05-09
🔗References:
https://businessinsights.bitdefender.com/technical-advisory-shinyhunters-breach-instructure-canvas-lms
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: 💥 Data Breach
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• TA-category="APT"
• target="targeted"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
• producer="Bitdefender"
• target-information="United States"
• target-information="Australia"
• target-information="United Kingdom"
• threat-actor="ShinyHunters"
mitre-attack-pattern=['T1557', 'T1539', 'T1114', 'T1594', 'T1530', 'T1550', 'T1589', 'T1586', 'T1528', 'T1591', 'T1590', 'T1199', 'T1566', 'T1078', 'T1486', 'T1598', 'T1213', 'T1485', 'T1078.004', 'T1556']
MISP event uuid: 8b1cc71b-0ea8-4adb-b274-dc6938e0a183
Bitdefender
Technical Advisory: ShinyHunters Breach of Instructure Canvas LMS
This security advisory details what organizations need to know about the second ShinyHunters attack against Instructure in an eight month span.
📃Title: OPERATION SILENTCANVAS: JPEG BASED MULTISTAGE POWERSHELL INTRUSION
📅Date: 2026-05-09
🔗References:
https://www.cyfirma.com/research/operation-silentcanvas-jpeg-based-multistage-powershell-intrusion/
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="from-original-src"
• mitre-att&ck="from-OTX"
• sub-category="malware-analysis"
• sub-category="campaign-analysis"
• target="broad-based"
• detection-rules="yara-from-src"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
• producer="Cyfirma"
mitre-attack-pattern=['T1087', 'T1123', 'T1548.002', 'T1115', 'T1553.002', 'T1027.010', 'T1027.004', 'T1555', 'T1562.001', 'T1573', 'T1041', 'T1070.004', 'T1564.001', 'T1105', 'T1056', 'T1056.001', 'T1136.001', 'T1127.001', 'T1204.002', 'T1036.008', 'T1036.005', 'T1112', 'T1027', 'T1059.001', 'T1219', 'T1021', 'T1113', 'T1518.001', 'T1566.001', 'T1218', 'T1082', 'T1529', 'T1134.001', 'T1497', 'T1071.001', 'T1047', 'T1543.003']
MISP event uuid: 7cfaa038-80a3-4812-9a1a-2df64b55ab01
CYFIRMA
OPERATION SILENTCANVAS: JPEG BASED MULTISTAGE POWERSHELL INTRUSION - CYFIRMA
EXECUTIVE SUMMARY At CYFIRMA, we identified a highly sophisticated multi-stage intrusion campaign leveraging a weaponized PowerShell payload disguised as a...
📃Title: Mysterious hacker organization operating secretly for 6 years is exploiting critical cPanel vulnerability to deploy backdoor trojans
📅Date: 2026-05-11
🔗References:
https://blog.xlab.qianxin.com/mr_rot13-the-elusive-6-year-hacker-group-weaponizing-critical-cpanel-flaws-for-backdoor-deployment_cn/
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: 💉 Vulnerability
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• sub-category="critical-vuln"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
mitre-attack-pattern=['T1059.007', 'T1119', 'T1005', 'T1140', 'T1190', 'T1219', 'T1070.006', 'T1505.003', 'T1083', 'T1552.003', 'T1552.001', 'T1041', 'T1136.003', 'T1098', 'T1059.004', 'T1078', 'T1027', 'T1567.002', 'T1071.001', 'T1543.002', 'T1136']
MISP event uuid: 2e1d4c8d-0459-4f69-be67-e0bc6a6633fd
QiAnXin XLab
Mysterious hacker group Mr_Rot13, secretly active for 6 years, is exploiting a critical cPanel vulnerability to deploy backdoor trojans
Background
CVE-2026-41940 is a critical unauthenticated authentication bypass vulnerability affecting cPanel & WHM, a product widely used for Linux server operations and virtual hosting management. The vulnerability carries a CVSS score of 9.8 (Critical): an attacker can remotely bypass authentication and take over the cPanel / WHM control panel without supplying any account or password, giving an unauthenticated remote attacker administrator privileges on the affected server.
Since the vulnerability was publicly disclosed on 28 April 2026, XLab's large-scale network threat perception system has continuously observed a large number of black- and grey-market groups actively exploiting it to carry out network attacks; the related activity…
📃Title: Needle: Inside a Modular Crypto-Stealing C2 That Left Its Keys in the Malware
📅Date: 2026-05-11
🔗References:
https://beelzebub.ai/blog/needle-c2-crypto-stealer-analysis/
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="malware-analysis"
• topic="crypto-related"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
mitre-attack-pattern=['T1056.001', 'T1539', 'T1036.005', 'T1204.002', 'T1566.001', 'T1082', 'T1005', 'T1140', 'T1185', 'T1112', 'T1555.003', 'T1497', 'T1041', 'T1547.001', 'T1056.002', 'T1027', 'T1573', 'T1518.001', 'T1071.001']
MISP event uuid: ddaa6a5b-b336-4e40-bd89-a509c2d2a561
Beelzebub
Needle: Inside a Modular Crypto-Stealing C2 That Left Its Keys in the Malware | AI-Native security platform
AI-Native security platform: Deceive, Detect, Respond. “We turn that hard truth into your tactical advantage. Our AI-based decoys, built using our open-source framework, deceive attackers during lateral movement within the network. While intruders interact…
📃Title: Inside a phishing panel
📅Date: 2026-05-07
🔗References:
https://pushsecurity.com/blog/inside-criminal-phishing-panel
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="infra-profile"
• sub-category="campaign-analysis"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP event uuid: 6a96a11f-279c-4a64-aef7-4be5b9f681a9
Push Security
Inside a phishing panel used by ShinyHunters and BlackFile
We got an inside look at a phishing panel used in criminal campaigns linked to operators like ShinyHunters and BlackFile. Here’s what we found.
📃Title: Honeypot reveals botnet exploiting scriptText to launch DDoS attacks on game servers
📅Date: 2026-04-29
🔗References:
https://www.darktrace.com/blog/darktrace-malware-analysis-jenkins-honeypot-reveals-emerging-botnet-targeting-online-games
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="intrusion-analysis"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
mitre-attack-pattern=['T1498.001', 'T1059.007', 'T1036.005', 'T1489', 'T1498.002', 'T1190', 'T1036', 'T1562.004', 'T1036.004', 'T1059.004', 'T1204.003', 'T1571', 'T1027', 'T1095', 'T1070.004', 'T1071.001', 'T1543.002', 'T1105']
MISP event uuid: 05b20c75-5ab1-49a2-9982-73d1a399edd9
Darktrace
Jenkins honeypot reveals botnet exploiting scriptText to launch DDoS attacks on game servers
Darktrace analysts observed attackers exploiting a Jenkins honeypot to deploy a new DDoS botnet targeting video game servers. Leveraging Jenkins scriptText abuse, the malware installs a multi-platform payload, evades detection, and launches UDP, TCP, and…
📃Title: Vibe Hacking: Two AI-Augmented Campaigns Target Government and Financial Sectors in Latin America
📅Date: 2026-05-11
🔗References:
https://www.trendmicro.com/en_us/research/26/e/vibe-hacking-two-ai-augmented-campaigns-target-government-and-financial-sectors-in-latin-america.html
🔖Rectifyq Taxonomies:
Relevancy: ⚫ Not Relevant
Category: ⚔ Threat
• mitre-att&ck="from-original-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="ai"
• TA-category="APT"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
• producer="Trend Micro"
• target-information="Brazil"
• target-information="Mexico"
• sector="Finance"
• sector="Government, Administration"
mitre-attack-pattern=['T1087', 'T1071', 'T1588.007', 'T1020', 'T1059', 'T1552.001', 'T1213', 'T1482', 'T1041', 'T1190', 'T1203', 'T1068', 'T1210', 'T1187', 'T1590', 'T1654', 'T1036', 'T1046', 'T1003', 'T1110.003', 'T1057', 'T1572', 'T1090', 'T1018', 'T1021.004', 'T1053', 'T1082', 'T1595', 'T1136.002', 'T1484.001', 'T1136.001', 'T1550.002', 'T1021.002']
MISP event uuid: 4bd6144b-8063-4593-be7f-804bc865ebf9
Trend Micro
Vibe Hacking: Two AI-Augmented Campaigns Target Government and Financial Sectors in Latin America
TrendAI™ Research has identified two emerging threat campaigns—SHADOW-AETHER-040 and SHADOW-AETHER-064—that use agentic AI to drive intrusion operations against government and financial organizations in Latin America, marking these among the first cases we…
📃Title: Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware
📅Date: 2026-05-11
🔗References:
https://thedfirreport.com/2026/05/11/flash-alert-etherrat-and-tuktuk-c2-end-in-the-gentleman-ransomware/
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="intrusion-analysis"
• TA-category="Ransomware"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
• producer="The DFIR Report"
• malpedia="EtherRAT"
• ransomware="the gentlemen"
mitre-attack-pattern=['T1069', 'T1082', 'T1218.007', 'T1567', 'T1219', 'T1055', 'T1021.002', 'T1070.001', 'T1003.001', 'T1087', 'T1482', 'T1204', 'T1059.001', 'T1547.001', 'T1566', 'T1027', 'T1486', 'T1059.003', 'T1018', 'T1021.001', 'T1003.003', 'T1558.003', 'T1490']
MISP event uuid: c9a7d245-784e-435c-8a24-809ff55ecb70
The DFIR Report
Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware - The DFIR Report
In April, we observed an intrusion linked to the Atos-reported campaign where an EtherRAT was installed via a malicious MSI masquerading as a Sysinternals tool. Later in the intrusion, we observed the deployment of a new malware framework named TukTuk, first…
📃Title: Unmasking a Multi-Stage Loader: AutoIt Abuse Leading to Vidar Stealer Command-and-Control Communication
📅Date: 2026-05-07
🔗References:
https://www.levelblue.com/blogs/spiderlabs-blog/unmasking-a-multi-stage-loader-autoit-abuse-leading-to-vidar-stealer-command-and-control-communication
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="from-original-src"
• mitre-att&ck="from-OTX"
• sub-category="intrusion-analysis"
• target="targeted"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
• malpedia="Vidar"
• malpedia="Zebrocy (AutoIT)"
mitre-attack-pattern=['T1489', 'T1204.002', 'T1082', 'T1071', 'T1140', 'T1036', 'T1055', 'T1218', 'T1059', 'T1083', 'T1497', 'T1057', 'T1041', 'T1562.001', 'T1027', 'T1573', 'T1059.003', 'T1070.004', 'T1071.001', 'T1105']
MISP event uuid: 1a9ab7c4-5788-46dd-b491-c8faf4fe0781
Levelblue
Unmasking a Multi-Stage Loader: AutoIt Abuse Leading to Vidar Stealer Command-and-Control Communication
In this Threat Analysis report, we investigate a multi-stage malware execution chain identified through proactive threat hunting activities within a client environment.
📃Title: Website installer incident (May 2026)
📅Date: 2026-05-11
🔗References:
https://jdownloader.org/incident_8.5.2026.html?v=20260508277000
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="intrusion-analysis"
• topic="supply-chain"
• target="targeted"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
mitre-attack-pattern=['T1036.005', 'T1204.002', 'T1608.001', 'T1195', 'T1036', 'T1505.003', 'T1059', 'T1608', 'T1204', 'T1554', 'T1566', 'T1059.004', 'T1078', 'T1027', 'T1486', 'T1195.002', 'T1505', 'T1485', 'T1189', 'T1490']
MISP event uuid: 60647f90-8d16-4246-8004-22427c2e3a19
jdownloader.org
JDownloader — Website installer incident (May 2026)
Self-contained information on jdownloader.org about the May 2026 incident affecting some installer downloads: timeline, scope, and how to check your system.
📃Title: Poisoning the well: AI supply chain attacks on Hugging Face and OpenClaw
📅Date: 2026-04-30
🔗References:
https://www.acronis.com/en/tru/posts/poisoning-the-well-ai-supply-chain-attacks-on-hugging-face-and-openclaw
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="ai"
• topic="supply-chain"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
• malpedia="AMOS"
mitre-attack-pattern=['T1053.005', 'T1218.011', 'T1082', 'T1106', 'T1140', 'T1036', 'T1055', 'T1112', 'T1497', 'T1204', 'T1059.001', 'T1547.001', 'T1566', 'T1562.001', 'T1055.012', 'T1027', 'T1573', 'T1070.004', 'T1071.001', 'T1564.001']
MISP event uuid: d687c053-f835-4b54-b42e-236245f54439
Acronis
Poisoning the well: AI supply chain attacks on Hugging Face and OpenClaw
Acronis TRU uncovered active abuse of AI platforms like Hugging Face and ClawHub for malware delivery, where attackers exploit trust in AI ecosystems and agents, and potentially trigger further malicious actions through AI-driven workflows.
📃Title: Iran-Linked Hackers Breached Korean Electronics Maker in Global Spying Campaign
📅Date: 2026-05-12
🔗References:
https://www.security.com/threat-intelligence/iran-seedworm-electronics
🔖Rectifyq Taxonomies:
Relevancy: 🟡 Somewhat Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• TA-category="APT"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
• producer="Symantec"
• target-information="Argentina"
• target-information="Bahrain"
• target-information="Brazil"
• target-information="Chile"
• target-information="Colombia"
• target-information="Indonesia"
• target-information="Kuwait"
• target-information="Malaysia"
• target-information="Mexico"
• target-information="Oman"
• target-information="Philippines"
• target-information="Qatar"
• target-information="Saudi Arabia"
• target-information="Singapore"
• target-information="Thailand"
• target-information="United Arab Emirates"
• country="iran"
• target-information="South Korea"
• threat-actor="MuddyWater"
• sector="Education"
• sector="Electronic"
• sector="Finance"
• sector="Industrial"
• sector="Manufacturing"
• region="035 - South-eastern Asia"
mitre-attack-pattern=['T1113', 'T1033', 'T1003.002', 'T1087.002', 'T1087.001', 'T1135', 'T1082', 'T1003.001', 'T1016', 'T1049', 'T1552.001', 'T1041', 'T1059.001', 'T1547.001', 'T1078', 'T1068', 'T1567.002', 'T1518.001', 'T1543.001', 'T1059.003', 'T1071.001', 'T1574.002', 'T1055.001', 'T1090.001']
MISP event uuid: d2f29648-4ca4-4b5d-82e6-43bdb7cb4c34
Security
Seedworm: Iran-Linked Hackers Breached Korean Electronics Maker in Global Spying Campaign
Iran-linked threat actor abused signed Fortemedia and SentinelOne binaries for DLL sideloading and exfiltrated data through a public file-transfer service.