📃Title: TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook
📅Date: 2026-05-07
🔗References:
https://www.elastic.co/security-labs/tclbanker-brazilian-banking-trojan
🔖Rectifyq Taxonomies:
Relevancy: ⚫ Not Relevant
Category: ⚔ Threat
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• target="broad-based"
• mitre-att&ck="from-original-src"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
• producer="Elastic"
• target-information="Brazil"
• sector="Bank"
mitre-attack-pattern=['T1010', 'T1185', 'T1115', 'T1574.002', 'T1622', 'T1140', 'T1562.001', 'T1105', 'T1056.001', 'T1114.001', 'T1218.007', 'T1106', 'T1027', 'T1059.001', 'T1057', 'T1055', 'T1053.005', 'T1113', 'T1566.001', 'T1497.001', 'T1082', 'T1614.001', 'T1529', 'T1497.003', 'T1056.003', 'T1071.001', 'T1102', 'T1059.003']
MISP event uuid: 31e26c64-8653-4eb8-9977-4da1d6c0cc22
www.elastic.co
TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook — Elastic Security Labs
REF3076 uses a trojanized Logitech installer to deploy TCLBANKER, a Brazilian banking trojan with environment-gated payloads, WPF fraud overlays, and self-propagating WhatsApp and Outlook worm modules.
📃Title: AI-Assisted Lure Factory Targets Developers & Gamers
📅Date: 2026-03-23
🔗References:
https://www.netskope.com/blog/openclaw-trap-ai-assisted-lure-factory-targets-developers-gamers
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="ai"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
• producer="Netskope"
mitre-attack-pattern=[]
MISP event uuid: 3877fbbc-045c-47b7-88fb-f08151c3461c
Netskope
OpenClaw Trap: AI-Assisted Lure Factory Targets Developers & Gamers
Netskope Threat Labs identified a link to a malware campaign operating across multiple GitHub repositories, spanning over 300 delivery packages,
📃Title: Abuse of Cloud-Native Infrastructure in Modern Phishing Campaigns
📅Date: 2026-05-07
🔗References:
https://www.cyfirma.com/research/abuse-of-cloud-native-infrastructure-in-modern-phishing-campaigns/
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="from-original-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="cloud"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
• producer="Cyfirma"
mitre-attack-pattern=['T1557', 'T1059.007', 'T1566.002', 'T1566.001', 'T1119', 'T1567', 'T1583.004', 'T1114.003', 'T1584', 'T1102', 'T1528', 'T1027', 'T1078.004', 'T1556']
MISP event uuid: 47aa313e-d63c-41b0-9e9b-37dc020ba38e
CYFIRMA
Abuse of Cloud-Native Infrastructure in Modern Phishing Campaigns - CYFIRMA
EXECUTIVE SUMMARY An investigation into phishing activity over the past months has surfaced a decisive structural evolution in how threat...
📃Title: Technical Advisory: Breach of Instructure Canvas LMS
📅Date: 2026-05-09
🔗References:
https://businessinsights.bitdefender.com/technical-advisory-shinyhunters-breach-instructure-canvas-lms
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: 💥 Data Breach
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• TA-category="APT"
• target="targeted"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
• producer="Bitdefender"
• target-information="United States"
• target-information="Australia"
• target-information="United Kingdom"
• threat-actor="ShinyHunters"
mitre-attack-pattern=['T1557', 'T1539', 'T1114', 'T1594', 'T1530', 'T1550', 'T1589', 'T1586', 'T1528', 'T1591', 'T1590', 'T1199', 'T1566', 'T1078', 'T1486', 'T1598', 'T1213', 'T1485', 'T1078.004', 'T1556']
MISP event uuid: 8b1cc71b-0ea8-4adb-b274-dc6938e0a183
Bitdefender
Technical Advisory: ShinyHunters Breach of Instructure Canvas LMS
This security advisory details what organizations need to know about the second ShinyHunters attack against Instructure in an eight month span.
📃Title: OPERATION SILENTCANVAS: JPEG BASED MULTISTAGE POWERSHELL INTRUSION
📅Date: 2026-05-09
🔗References:
https://www.cyfirma.com/research/operation-silentcanvas-jpeg-based-multistage-powershell-intrusion/
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="from-original-src"
• mitre-att&ck="from-OTX"
• sub-category="malware-analysis"
• sub-category="campaign-analysis"
• target="broad-based"
• detection-rules="yara-from-src"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
• producer="Cyfirma"
mitre-attack-pattern=['T1087', 'T1123', 'T1548.002', 'T1115', 'T1553.002', 'T1027.010', 'T1027.004', 'T1555', 'T1562.001', 'T1573', 'T1041', 'T1070.004', 'T1564.001', 'T1105', 'T1056', 'T1056.001', 'T1136.001', 'T1127.001', 'T1204.002', 'T1036.008', 'T1036.005', 'T1112', 'T1027', 'T1059.001', 'T1219', 'T1021', 'T1113', 'T1518.001', 'T1566.001', 'T1218', 'T1082', 'T1529', 'T1134.001', 'T1497', 'T1071.001', 'T1047', 'T1543.003']
MISP event uuid: 7cfaa038-80a3-4812-9a1a-2df64b55ab01
CYFIRMA
OPERATION SILENTCANVAS : JPEG BASED MULTISTAGE POWERSHELL INTRUSION - CYFIRMA
EXECUTIVE SUMMARY At CYFIRMA, we identified a highly sophisticated multi-stage intrusion campaign leveraging a weaponized PowerShell payload disguised as a...
📃Title: Mysterious hacker organization operating secretly for 6 years is exploiting critical cPanel vulnerability to deploy backdoor trojans
📅Date: 2026-05-11
🔗References:
https://blog.xlab.qianxin.com/mr_rot13-the-elusive-6-year-hacker-group-weaponizing-critical-cpanel-flaws-for-backdoor-deployment_cn/
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: 💉 Vulnerability
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• sub-category="critical-vuln"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
mitre-attack-pattern=['T1059.007', 'T1119', 'T1005', 'T1140', 'T1190', 'T1219', 'T1070.006', 'T1505.003', 'T1083', 'T1552.003', 'T1552.001', 'T1041', 'T1136.003', 'T1098', 'T1059.004', 'T1078', 'T1027', 'T1567.002', 'T1071.001', 'T1543.002', 'T1136']
MISP event uuid: 2e1d4c8d-0459-4f69-be67-e0bc6a6633fd
QiAnXin XLab
The mysterious hacker group Mr_Rot13, secretly active for 6 years, is exploiting a critical cPanel vulnerability to deploy backdoor trojans
Background
CVE-2026-41940 is a critical unauthenticated authentication-bypass vulnerability affecting cPanel & WHM, a product widely used for Linux server operations and virtual-hosting management. The vulnerability carries a CVSS score of 9.8 (Critical): an attacker needs no account or password to remotely bypass authentication and take over the cPanel / WHM control panel, which gives an unauthenticated remote attacker administrator privileges on the affected server.
Since the vulnerability was publicly disclosed on 28 April 2026, XLab's large-scale network threat-sensing system has continuously observed a large number of black- and grey-market groups actively exploiting it to carry out attacks; the related…
📃Title: Needle: Inside a Modular Crypto-Stealing C2 That Left Its Keys in the Malware
📅Date: 2026-05-11
🔗References:
https://beelzebub.ai/blog/needle-c2-crypto-stealer-analysis/
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="malware-analysis"
• topic="crypto-related"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
mitre-attack-pattern=['T1056.001', 'T1539', 'T1036.005', 'T1204.002', 'T1566.001', 'T1082', 'T1005', 'T1140', 'T1185', 'T1112', 'T1555.003', 'T1497', 'T1041', 'T1547.001', 'T1056.002', 'T1027', 'T1573', 'T1518.001', 'T1071.001']
MISP event uuid: ddaa6a5b-b336-4e40-bd89-a509c2d2a561
Beelzebub
Needle: Inside a Modular Crypto-Stealing C2 That Left Its Keys in the Malware | AI-Native security platform
AI-Native security platform: Deceive, Detect, Respond. “We turn that hard truth into your tactical advantage. Our AI-based decoys, built using our open-source framework, deceive attackers during lateral movement within the network. While intruders interact…
📃Title: Inside a phishing panel
📅Date: 2026-05-07
🔗References:
https://pushsecurity.com/blog/inside-criminal-phishing-panel
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="infra-profile"
• sub-category="campaign-analysis"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP event uuid: 6a96a11f-279c-4a64-aef7-4be5b9f681a9
Push Security
Inside a phishing panel used by ShinyHunters and BlackFile
We got an inside look at a phishing panel used in criminal campaigns linked to operators like ShinyHunters and BlackFile. Here’s what we found.
📃Title: Honeypot reveals botnet exploiting scriptText to launch DDoS attacks on game servers
📅Date: 2026-04-29
🔗References:
https://www.darktrace.com/blog/darktrace-malware-analysis-jenkins-honeypot-reveals-emerging-botnet-targeting-online-games
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="intrusion-analysis"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
mitre-attack-pattern=['T1498.001', 'T1059.007', 'T1036.005', 'T1489', 'T1498.002', 'T1190', 'T1036', 'T1562.004', 'T1036.004', 'T1059.004', 'T1204.003', 'T1571', 'T1027', 'T1095', 'T1070.004', 'T1071.001', 'T1543.002', 'T1105']
MISP event uuid: 05b20c75-5ab1-49a2-9982-73d1a399edd9
Darktrace
Jenkins honeypot reveals botnet exploiting scriptText to launch DDoS attacks on game servers
Darktrace analysts observed attackers exploiting a Jenkins honeypot to deploy a new DDoS botnet targeting video game servers. Leveraging Jenkins scriptText abuse, the malware installs a multi-platform payload, evades detection, and launches UDP, TCP, and…
📃Title: Vibe Hacking: Two AI-Augmented Campaigns Target Government and Financial Sectors in Latin America
📅Date: 2026-05-11
🔗References:
https://www.trendmicro.com/en_us/research/26/e/vibe-hacking-two-ai-augmented-campaigns-target-government-and-financial-sectors-in-latin-america.html
🔖Rectifyq Taxonomies:
Relevancy: ⚫ Not Relevant
Category: ⚔ Threat
• mitre-att&ck="from-original-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="ai"
• TA-category="APT"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
• producer="Trend Micro"
• target-information="Brazil"
• target-information="Mexico"
• sector="Finance"
• sector="Government, Administration"
mitre-attack-pattern=['T1087', 'T1071', 'T1588.007', 'T1020', 'T1059', 'T1552.001', 'T1213', 'T1482', 'T1041', 'T1190', 'T1203', 'T1068', 'T1210', 'T1187', 'T1590', 'T1654', 'T1036', 'T1046', 'T1003', 'T1110.003', 'T1057', 'T1572', 'T1090', 'T1018', 'T1021.004', 'T1053', 'T1082', 'T1595', 'T1136.002', 'T1484.001', 'T1136.001', 'T1550.002', 'T1021.002']
MISP event uuid: 4bd6144b-8063-4593-be7f-804bc865ebf9
Trend Micro
Vibe Hacking: Two AI-Augmented Campaigns Target Government and Financial Sectors in Latin America
TrendAI™ Research has identified two emerging threat campaigns—SHADOW-AETHER-040 and SHADOW-AETHER-064—that use agentic AI to drive intrusion operations against government and financial organizations in Latin America, marking these among the first cases we…
📃Title: Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware
📅Date: 2026-05-11
🔗References:
https://thedfirreport.com/2026/05/11/flash-alert-etherrat-and-tuktuk-c2-end-in-the-gentleman-ransomware/
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="intrusion-analysis"
• TA-category="Ransomware"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
• producer="The DFIR Report"
• malpedia="EtherRAT"
• ransomware="the gentlemen"
mitre-attack-pattern=['T1069', 'T1082', 'T1218.007', 'T1567', 'T1219', 'T1055', 'T1021.002', 'T1070.001', 'T1003.001', 'T1087', 'T1482', 'T1204', 'T1059.001', 'T1547.001', 'T1566', 'T1027', 'T1486', 'T1059.003', 'T1018', 'T1021.001', 'T1003.003', 'T1558.003', 'T1490']
MISP event uuid: c9a7d245-784e-435c-8a24-809ff55ecb70
The DFIR Report
Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware - The DFIR Report
In April, we observed an intrusion linked to the Atos-reported campaign where an EtherRAT was installed via a malicious MSI masquerading as a Sysinternals tool. Later in the intrusion, we observed the deployment of a new malware framework named TukTuk, first…
📃Title: Unmasking a Multi-Stage Loader: AutoIt Abuse Leading to Vidar Stealer Command-and-Control Communication
📅Date: 2026-05-07
🔗References:
https://www.levelblue.com/blogs/spiderlabs-blog/unmasking-a-multi-stage-loader-autoit-abuse-leading-to-vidar-stealer-command-and-control-communication
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="from-original-src"
• mitre-att&ck="from-OTX"
• sub-category="intrusion-analysis"
• target="targeted"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
• malpedia="Vidar"
• malpedia="Zebrocy (AutoIT)"
mitre-attack-pattern=['T1489', 'T1204.002', 'T1082', 'T1071', 'T1140', 'T1036', 'T1055', 'T1218', 'T1059', 'T1083', 'T1497', 'T1057', 'T1041', 'T1562.001', 'T1027', 'T1573', 'T1059.003', 'T1070.004', 'T1071.001', 'T1105']
MISP event uuid: 1a9ab7c4-5788-46dd-b491-c8faf4fe0781
Levelblue
Unmasking a Multi-Stage Loader: AutoIt Abuse Leading to Vidar Stealer Command-and-Control Communication
In this Threat Analysis report, we investigate a multi-stage malware execution chain identified through proactive threat hunting activities within a client environment.
📃Title: Website installer incident (May 2026)
📅Date: 2026-05-11
🔗References:
https://jdownloader.org/incident_8.5.2026.html?v=20260508277000
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="intrusion-analysis"
• topic="supply-chain"
• target="targeted"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
mitre-attack-pattern=['T1036.005', 'T1204.002', 'T1608.001', 'T1195', 'T1036', 'T1505.003', 'T1059', 'T1608', 'T1204', 'T1554', 'T1566', 'T1059.004', 'T1078', 'T1027', 'T1486', 'T1195.002', 'T1505', 'T1485', 'T1189', 'T1490']
MISP event uuid: 60647f90-8d16-4246-8004-22427c2e3a19
jdownloader.org
JDownloader — Website installer incident (May 2026)
Self-contained information on jdownloader.org about the May 2026 incident affecting some installer downloads: timeline, scope, and how to check your system.
📃Title: Poisoning the well: AI supply chain attacks on Hugging Face and OpenClaw
📅Date: 2026-04-30
🔗References:
https://www.acronis.com/en/tru/posts/poisoning-the-well-ai-supply-chain-attacks-on-hugging-face-and-openclaw
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="ai"
• topic="supply-chain"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
• malpedia="AMOS"
mitre-attack-pattern=['T1053.005', 'T1218.011', 'T1082', 'T1106', 'T1140', 'T1036', 'T1055', 'T1112', 'T1497', 'T1204', 'T1059.001', 'T1547.001', 'T1566', 'T1562.001', 'T1055.012', 'T1027', 'T1573', 'T1070.004', 'T1071.001', 'T1564.001']
MISP event uuid: d687c053-f835-4b54-b42e-236245f54439
Acronis
Poisoning the well: AI supply chain attacks on Hugging Face and OpenClaw
Acronis TRU uncovered active abuse of AI platforms like Hugging Face and ClawHub for malware delivery, where attackers exploit trust in AI ecosystems and agents, and potentially trigger further malicious actions through AI-driven workflows.
📃Title: Iran-Linked Hackers Breached Korean Electronics Maker in Global Spying Campaign
📅Date: 2026-05-12
🔗References:
https://www.security.com/threat-intelligence/iran-seedworm-electronics
🔖Rectifyq Taxonomies:
Relevancy: 🟡 Somewhat Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• TA-category="APT"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
• producer="Symantec"
• target-information="Argentina"
• target-information="Bahrain"
• target-information="Brazil"
• target-information="Chile"
• target-information="Colombia"
• target-information="Indonesia"
• target-information="Kuwait"
• target-information="Malaysia"
• target-information="Mexico"
• target-information="Oman"
• target-information="Philippines"
• target-information="Qatar"
• target-information="Saudi Arabia"
• target-information="Singapore"
• target-information="Thailand"
• target-information="United Arab Emirates"
• country="iran"
• target-information="South Korea"
• threat-actor="MuddyWater"
• sector="Education"
• sector="Electronic"
• sector="Finance"
• sector="Industrial"
• sector="Manufacturing"
• region="035 - South-eastern Asia"
mitre-attack-pattern=['T1113', 'T1033', 'T1003.002', 'T1087.002', 'T1087.001', 'T1135', 'T1082', 'T1003.001', 'T1016', 'T1049', 'T1552.001', 'T1041', 'T1059.001', 'T1547.001', 'T1078', 'T1068', 'T1567.002', 'T1518.001', 'T1543.001', 'T1059.003', 'T1071.001', 'T1574.002', 'T1055.001', 'T1090.001']
MISP event uuid: d2f29648-4ca4-4b5d-82e6-43bdb7cb4c34
Security
Seedworm: Iran-Linked Hackers Breached Korean Electronics Maker in Global Spying Campaign
Iran-linked threat actor abused signed Fortemedia and SentinelOne binaries for DLL sideloading and exfiltrated data through a public file-transfer service.
📃Title: TanStack npm Packages Compromised in Ongoing Supply-Chain Attack
📅Date: 2026-05-11
🔗References:
https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="supply-chain"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
• malpedia="Shai-Hulud"
mitre-attack-pattern=['T1059.007', 'T1552.005', 'T1036.005', 'T1543.003', 'T1574.006', 'T1552.001', 'T1528', 'T1098.001', 'T1087.004', 'T1136.003', 'T1204.003', 'T1195.002', 'T1573.002', 'T1071.001', 'T1105', 'T1550.001', 'T1078.004', 'T1552.007']
MISP event uuid: 6f0fb181-17f2-47c8-b4ce-24d302f8d931
Socket
TanStack npm Packages Compromised in Ongoing Mini Shai-Hulud...
Socket detected 84 compromised TanStack npm package artifacts modified with suspected CI credential-stealing malware.
📃Title: LBIOC-20260071 - The Gentlemens Leak
📅Date: 2026-05-13
🔗References:
https://radar.offseq.com/threat/lbioc-20260071-the-gentlemens-leak-c18cd0f4
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="TA-profile"
• sub-category="campaign-analysis"
• TA-category="Ransomware"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
• ransomware="the gentlemen"
mitre-attack-pattern=['T1071', 'T1059', 'T1486', 'T1573', 'T1083', 'T1105', 'T1490', 'T1027', 'T1057', 'T1090', 'T1018', 'T1489', 'T1082', 'T1016', 'T1049', 'T1569', 'T1529', 'T1204', 'T1497', 'T1047']
MISP event uuid: 7deedbeb-d693-43a5-a067-afbaf9b06834
OffSeq Threat Radar
LBIOC-20260071 - The Gentlemens Leak - Live Threat Intelligence - Threat Radar | OffSeq.com
Detailed information about LBIOC-20260071 - The Gentlemens Leak. Get real-time updates, technical details, and mitigation strategies.
📃Title: Python Backdoor Threat Analysis Following an AI Deepfake Impersonation Campaign
📅Date: 2026-05-13
🔗References:
https://www.genians.co.kr/en/blog/threat_intelligence/python?hsCtaAttrib=343278473915
🔖Rectifyq Taxonomies:
Relevancy: ⚫ Not Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="ai"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
mitre-attack-pattern=['T1059.006', 'T1566']
MISP event uuid: faffe042-8de6-4d2b-8e2b-960e0afc09c7
www.genians.co.kr
Python Backdoor Threat Analysis Following an AI Deepfake Impersonation Campaign
A suspected APT37-linked threat campaign has been identified, combining batch file obfuscation techniques with Compiled Python-based malware.
📃Title: ClickFix Evolves with PySoxy Proxying
📅Date: 2026-05-12
🔗References:
https://reliaquest.com/blog/threat-spotlight-clickfix-evolves-with-pysoxy-proxying
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="intrusion-analysis"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
mitre-attack-pattern=['T1053.005', 'T1033', 'T1074.001', 'T1087.002', 'T1204.002', 'T1573.001', 'T1069.002', 'T1135', 'T1140', 'T1090', 'T1482', 'T1041', 'T1059.001', 'T1547.001', 'T1027', 'T1059.006', 'T1070.004', 'T1071.001', 'T1018', 'T1105']
MISP event uuid: 1af217fa-683f-4945-a924-640716449a80
ReliaQuest
ClickFix Evolves with PySoxy Proxying | ReliaQuest Threat Research
ClickFix just got more dangerous. Discover how one pasted command creates persistent, redundant access—and how to detect it before the damage spreads.
📃Title: Thus Spoke…The Gentlemen
📅Date: 2026-05-13
🔗References:
https://research.checkpoint.com/2026/thus-spoke-the-gentlemen/
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="TA-profile"
• TA-category="Ransomware"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
• producer="Check Point"
• target-information="United Kingdom"
• ransomware="the gentlemen"
mitre-attack-pattern=['T1003', 'T1133', 'T1489', 'T1562', 'T1190', 'T1219', 'T1550', 'T1560', 'T1021', 'T1070', 'T1083', 'T1049', 'T1210', 'T1048', 'T1566', 'T1078', 'T1068', 'T1486', 'T1018', 'T1490']
MISP event uuid: 60c42d6c-2f80-48b1-bb63-f22d18770621
Check Point Research
Thus Spoke…The Gentlemen - Check Point Research
Key Points Introduction The Gentlemen ransomware‑as‑a‑service (RaaS) operation is a relatively new group that emerged around mid‑2025. Its operators advertise the service across multiple underground forums, promoting their ransomware platform and inviting…
📃Title: Disclosing new PebbleDash-based tools
📅Date: 2026-05-14
🔗References:
https://securelist.com/kimsuky-appleseed-pebbledash-campaigns/119785/
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• TA-category="APT"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
• producer="Kaspersky"
• threat-actor="Kimsuky"
• target-information="Brazil"
• target-information="Germany"
• target-information="South Korea"
• sector="Defense"
• sector="Government, Administration"
• malpedia="Appleseed"
• malpedia="PEBBLEDASH"
mitre-attack-pattern=['T1053.005', 'T1113', 'T1132.001', 'T1056.001', 'T1204.002', 'T1573.001', 'T1543.003', 'T1566.001', 'T1005', 'T1140', 'T1219', 'T1055', 'T1112', 'T1041', 'T1059.001', 'T1547.001', 'T1027', 'T1059.003', 'T1071.001', 'T1090.001']
MISP event uuid: 0d8d2f88-341b-4ee7-ae73-5113a3f9d3db