Title: Poisoning the well: AI supply chain attacks on Hugging Face and OpenClaw
Date: 2026-04-30
References:
https://www.acronis.com/en/tru/posts/poisoning-the-well-ai-supply-chain-attacks-on-hugging-face-and-openclaw
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="ai"
• topic="supply-chain"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• malpedia="AMOS"
mitre-attack-pattern=['T1053.005', 'T1218.011', 'T1082', 'T1106', 'T1140', 'T1036', 'T1055', 'T1112', 'T1497', 'T1204', 'T1059.001', 'T1547.001', 'T1566', 'T1562.001', 'T1055.012', 'T1027', 'T1573', 'T1070.004', 'T1071.001', 'T1564.001']
MISP event uuid: d687c053-f835-4b54-b42e-236245f54439
Acronis
Poisoning the well: AI supply chain attacks on Hugging Face and OpenClaw
Acronis TRU uncovered active abuse of AI platforms like Hugging Face and ClawHub for malware delivery, where attackers exploit trust in AI ecosystems and agents, and potentially trigger further malicious actions through AI-driven workflows.
Title: Iran-Linked Hackers Breached Korean Electronics Maker in Global Spying Campaign
Date: 2026-05-12
References:
https://www.security.com/threat-intelligence/iran-seedworm-electronics
Rectifyq Taxonomies:
Relevancy: 🟡 Somewhat Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• TA-category="APT"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Symantec"
• target-information="Argentina"
• target-information="Bahrain"
• target-information="Brazil"
• target-information="Chile"
• target-information="Colombia"
• target-information="Indonesia"
• target-information="Kuwait"
• target-information="Malaysia"
• target-information="Mexico"
• target-information="Oman"
• target-information="Philippines"
• target-information="Qatar"
• target-information="Saudi Arabia"
• target-information="Singapore"
• target-information="Thailand"
• target-information="United Arab Emirates"
• country="iran"
• target-information="South Korea"
• threat-actor="MuddyWater"
• sector="Education"
• sector="Electronic"
• sector="Finance"
• sector="Industrial"
• sector="Manufacturing"
• region="035 - South-eastern Asia"
mitre-attack-pattern=['T1113', 'T1033', 'T1003.002', 'T1087.002', 'T1087.001', 'T1135', 'T1082', 'T1003.001', 'T1016', 'T1049', 'T1552.001', 'T1041', 'T1059.001', 'T1547.001', 'T1078', 'T1068', 'T1567.002', 'T1518.001', 'T1543.001', 'T1059.003', 'T1071.001', 'T1574.002', 'T1055.001', 'T1090.001']
MISP event uuid: d2f29648-4ca4-4b5d-82e6-43bdb7cb4c34
Security
Seedworm: Iran-Linked Hackers Breached Korean Electronics Maker in Global Spying Campaign
Iran-linked threat actor abused signed Fortemedia and SentinelOne binaries for DLL sideloading and exfiltrated data through a public file-transfer service.
Title: TanStack npm Packages Compromised in Ongoing Supply-Chain Attack
Date: 2026-05-11
References:
https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="supply-chain"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• malpedia="Shai-Hulud"
mitre-attack-pattern=['T1059.007', 'T1552.005', 'T1036.005', 'T1543.003', 'T1574.006', 'T1552.001', 'T1528', 'T1098.001', 'T1087.004', 'T1136.003', 'T1204.003', 'T1195.002', 'T1573.002', 'T1071.001', 'T1105', 'T1550.001', 'T1078.004', 'T1552.007']
MISP event uuid: 6f0fb181-17f2-47c8-b4ce-24d302f8d931
Socket
TanStack npm Packages Compromised in Ongoing Mini Shai-Hulud...
Socket detected 84 compromised TanStack npm package artifacts modified with suspected CI credential-stealing malware.
Title: LBIOC-20260071 - The Gentlemens Leak
Date: 2026-05-13
References:
https://radar.offseq.com/threat/lbioc-20260071-the-gentlemens-leak-c18cd0f4
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="TA-profile"
• sub-category="campaign-analysis"
• TA-category="Ransomware"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• ransomware="the gentlemen"
mitre-attack-pattern=['T1071', 'T1059', 'T1486', 'T1573', 'T1083', 'T1105', 'T1490', 'T1027', 'T1057', 'T1090', 'T1018', 'T1489', 'T1082', 'T1016', 'T1049', 'T1569', 'T1529', 'T1204', 'T1497', 'T1047']
MISP event uuid: 7deedbeb-d693-43a5-a067-afbaf9b06834
OffSeq Threat Radar
LBIOC-20260071 - The Gentlemens Leak - Live Threat Intelligence - Threat Radar | OffSeq.com
Detailed information about LBIOC-20260071 - The Gentlemens Leak. Get real-time updates, technical details, and mitigation strategies.
Title: Python Backdoor Threat Analysis Following an AI Deepfake Impersonation Campaign
Date: 2026-05-13
References:
https://www.genians.co.kr/en/blog/threat_intelligence/python?hsCtaAttrib=343278473915
Rectifyq Taxonomies:
Relevancy: ⚫ Not Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="ai"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
mitre-attack-pattern=['T1059.006', 'T1566']
MISP event uuid: faffe042-8de6-4d2b-8e2b-960e0afc09c7
www.genians.co.kr
Python Backdoor Threat Analysis Following an AI Deepfake Impersonation Campaign
A suspected APT37-linked threat campaign has been identified, combining batch file obfuscation techniques with Compiled Python-based malware.
Title: ClickFix Evolves with PySoxy Proxying
Date: 2026-05-12
References:
https://reliaquest.com/blog/threat-spotlight-clickfix-evolves-with-pysoxy-proxying
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="intrusion-analysis"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
mitre-attack-pattern=['T1053.005', 'T1033', 'T1074.001', 'T1087.002', 'T1204.002', 'T1573.001', 'T1069.002', 'T1135', 'T1140', 'T1090', 'T1482', 'T1041', 'T1059.001', 'T1547.001', 'T1027', 'T1059.006', 'T1070.004', 'T1071.001', 'T1018', 'T1105']
MISP event uuid: 1af217fa-683f-4945-a924-640716449a80
ReliaQuest
ClickFix Evolves with PySoxy Proxying | ReliaQuest Threat Research
ClickFix just got more dangerous. Discover how one pasted command creates persistent, redundant access, and how to detect it before the damage spreads.
Title: Thus Spoke…The Gentlemen
Date: 2026-05-13
References:
https://research.checkpoint.com/2026/thus-spoke-the-gentlemen/
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="TA-profile"
• TA-category="Ransomware"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Check Point"
• target-information="United Kingdom"
• ransomware="the gentlemen"
mitre-attack-pattern=['T1003', 'T1133', 'T1489', 'T1562', 'T1190', 'T1219', 'T1550', 'T1560', 'T1021', 'T1070', 'T1083', 'T1049', 'T1210', 'T1048', 'T1566', 'T1078', 'T1068', 'T1486', 'T1018', 'T1490']
MISP event uuid: 60c42d6c-2f80-48b1-bb63-f22d18770621
Check Point Research
Thus Spoke…The Gentlemen - Check Point Research
Key Points Introduction The Gentlemen ransomware-as-a-service (RaaS) operation is a relatively new group that emerged around mid-2025. Its operators advertise the service across multiple underground forums, promoting their ransomware platform and inviting…
Title: Disclosing new PebbleDash-based tools
Date: 2026-05-14
References:
https://securelist.com/kimsuky-appleseed-pebbledash-campaigns/119785/
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• TA-category="APT"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Kaspersky"
• threat-actor="Kimsuky"
• target-information="Brazil"
• target-information="Germany"
• target-information="South Korea"
• sector="Defense"
• sector="Government, Administration"
• malpedia="Appleseed"
• malpedia="PEBBLEDASH"
mitre-attack-pattern=['T1053.005', 'T1113', 'T1132.001', 'T1056.001', 'T1204.002', 'T1573.001', 'T1543.003', 'T1566.001', 'T1005', 'T1140', 'T1219', 'T1055', 'T1112', 'T1041', 'T1059.001', 'T1547.001', 'T1027', 'T1059.003', 'T1071.001', 'T1090.001']
MISP event uuid: 0d8d2f88-341b-4ee7-ae73-5113a3f9d3db
Title: Device Code Phishing is an Evolution in Identity Takeover
Date: 2026-05-13
References:
https://www.proofpoint.com/us/blog/threat-insight/device-code-phishing-evolution-identity-takeover
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Proofpoint"
mitre-attack-pattern=['T1539', 'T1114', 'T1204.002', 'T1566.002', 'T1598.003', 'T1566.001', 'T1185', 'T1087', 'T1528', 'T1204', 'T1534', 'T1566', 'T1078', 'T1486', 'T1598', 'T1213', 'T1204.001', 'T1078.004', 'T1566.003']
MISP event uuid: 402e1b2f-0ec7-4c71-a016-c3cc30ff9204
Proofpoint
Device Code Phishing is an Evolution in Identity Takeover | Proofpoint US
Key Findings Device code phishing is exploding across the threat landscape, with new device code phishing tools emerging every week. The spike in device code phishing
Title: Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files
Date: 2026-05-15
References:
https://unit42.paloaltonetworks.com/gremlin-stealer-evolution/
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="malware-analysis"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Palo Alto"
• malpedia="Gremlin"
mitre-attack-pattern=['T1056.001', 'T1539', 'T1115', 'T1082', 'T1106', 'T1005', 'T1140', 'T1567', 'T1552', 'T1032', 'T1185', 'T1555.003', 'T1027.001', 'T1528', 'T1041', 'T1027', 'T1081', 'T1567.002', 'T1027.002', 'T1071.001']
MISP event uuid: 6cc3f205-3931-4e73-a46d-b5a657ab4949
Unit 42
Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files
Unit 42 analyzes the evolution of Gremlin stealer. This variant uses advanced obfuscation, crypto clipping and session hijacking to compromise data.
Title: Kazuar: Anatomy of a nation-state botnet
Date: 2026-05-14
References:
https://www.microsoft.com/en-us/security/blog/2026/05/14/kazuar-anatomy-of-a-nation-state-botnet/
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="malware-analysis"
• TA-category="APT"
• TA-category="State-Sponsored"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Microsoft"
• target-information="Ukraine"
• malpedia="Kazuar"
• threat-actor="Turla"
mitre-attack-pattern=['T1113', 'T1056.001', 'T1114', 'T1074.001', 'T1082', 'T1071', 'T1005', 'T1055', 'T1071.003', 'T1090', 'T1059', 'T1083', 'T1497', 'T1102', 'T1057', 'T1041', 'T1562.001', 'T1027', 'T1114.002', 'T1573', 'T1095', 'T1132', 'T1027.002', 'T1071.001']
MISP event uuid: 5df6c3a9-4e93-4dc5-bc9f-d50b8ac31856
Microsoft News
Kazuar: Anatomy of a nation-state botnet
Kazuar, a sophisticated malware family attributed to the Russian state actor Secret Blizzard, has been under constant development for years and continues to evolve in support of espionage-focused operations. Over time, Kazuar has expanded from a relatively…
Title: [Ransomware] Unconfirmed: PNS* Ins****** Bro**** Sdn Bhd
Date: 2026-05-17
References: https://www.ransomware.live/id/UE5TQiBJbnN1cmFuY2UgQnJva2VycyBTZG4gQmhkQHFpbGlu
Rectifyq Taxonomies:
Relevancy: 🔴 Highly Relevant
Category: Data Breach
- TA-category="Ransomware"
MISP Galaxies:
- target-information="Malaysia"
- sector="Finance"
- ransomware="Qilin"
mitre-attack-pattern=[]
MISP event uuid: 1cfaf58b-285e-4477-bac1-1ab80f7da206
Ransomware.live
Victim: PNSB Insurance Brokers Sdn Bhd – qilin
Ransomware.live discovered on 2026-05-17 that PNSB Insurance Brokers Sdn Bhd has been claimed by Qilin ransomware group
Title: [Ransomware] Unconfirmed: Int************ (+ Tsk************** + Ame******************** + Woo*************
Date: 2026-05-13
References: https://www.ransomware.live/id/SW50ZWNlbmcuY29tLm15ICgrIFRza3N5bmVyZ3kuY29tLm15ICsgQW1lbWFudWZhY3R1cmluZy5jb20ubXkgKyBXb29kbm92YS5jb20ubXkpQHBheWxvYWQ=
Rectifyq Taxonomies:
Relevancy: 🔴 Highly Relevant
Category: Data Breach
- TA-category="Ransomware"
MISP Galaxies:
- target-information="Malaysia"
- sector="Manufacturing"
- ransomware="payload"
mitre-attack-pattern=[]
MISP event uuid: 8958fe77-93e2-4663-9b9f-1fddb1d6bed6
Ransomware.live
Victim: Inteceng.com.my (+ Tsksynergy.com.my + Amemanufacturing.com.my + Woodnova.com.my) – payload
Ransomware.live discovered on 2026-05-13 that Inteceng.com.my (+ Tsksynergy.com.my + Amemanufacturing.com.my + Woodnova.com.my) has been claimed by Payload ransomware group
Title: [Ransomware] Unconfirmed: Maj*** Per******** Alo* Gaj**
Date: 2026-05-17
References: https://www.ransomware.live/id/TWFqbGlzIFBlcmJhbmRhcmFuIEFsb3IgR2FqYWhAcWlsaW4=
Rectifyq Taxonomies:
Relevancy: 🔴 Highly Relevant
Category: Data Breach
- TA-category="Ransomware"
MISP Galaxies:
- target-information="Malaysia"
- sector="Public Sector"
- ransomware="Qilin"
mitre-attack-pattern=[]
MISP event uuid: c842284d-499a-41d9-82a5-631ed5a1f5ca
Ransomware.live
Victim: Majlis Perbandaran Alor Gajah – qilin
Ransomware.live discovered on 2026-05-17 that Majlis Perbandaran Alor Gajah has been claimed by Qilin ransomware group
Title: [Ransomware] Unconfirmed: MSC Gro**
Date: 2026-05-18
References: https://www.ransomware.live/id/TVNDIEdyb3VwQGxhbWFzaHR1
Rectifyq Taxonomies:
Relevancy: 🔴 Highly Relevant
Category: Data Breach
- TA-category="Ransomware"
MISP Galaxies:
- target-information="Malaysia"
- sector="Logistic"
- ransomware="lamashtu"
mitre-attack-pattern=[]
MISP event uuid: 47843fe4-1296-4293-8487-a6e1566e00e2
Ransomware.live
Victim: MSC Group – lamashtu
Ransomware.live discovered on 2026-05-18 that MSC Group has been claimed by Lamashtu ransomware group
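Each ransomware.live entry above carries a reference URL whose /id/ segment is a base64 token, and the link preview shows the un-redacted victim and group names that the masked title hides. The Python below is an added example, not code from Rectifyq or ransomware.live: it parses one entry in the plain-text layout used on this page (the sample is constructed from the MSC Group entry, with the emoji dropped), decodes the id on the assumption that the token is standard base64 of "victim@group" (true of every such URL on this page, but not a documented contract), and cross-checks the decoded victim against the redacted title and the ransomware= galaxy tag. Function names are the example's own.

```python
"""Parse a Rectifyq-style feed entry and decode its ransomware.live reference.

Added example; not code from Rectifyq or ransomware.live. The id format
(base64 of 'victim@group') is an assumption inferred from the URLs on this page.
"""
import base64
import binascii
import re
from urllib.parse import urlparse

# Constructed sample: the MSC Group entry from this page, emoji removed.
SAMPLE_ENTRY = """Title: [Ransomware] Unconfirmed: MSC Gro**
Date: 2026-05-18
References: https://www.ransomware.live/id/TVNDIEdyb3VwQGxhbWFzaHR1
Rectifyq Taxonomies:
Relevancy: Highly Relevant
Category: Data Breach
- TA-category="Ransomware"
MISP Galaxies:
- target-information="Malaysia"
- sector="Logistic"
- ransomware="lamashtu"
mitre-attack-pattern=[]
MISP event uuid: 47843fe4-1296-4293-8487-a6e1566e00e2
"""

# key="value" tag lines, introduced by either '-' or a bullet
TAG_RE = re.compile(r'^[-\u2022]\s*([\w&.-]+)="([^"]*)"$')
ATTACK_RE = re.compile(r"^mitre-attack-pattern=\[(.*)\]$")


def parse_entry(text):
    """Turn one plain-text entry into a dict of its fields."""
    entry = {"references": [], "tags": {}, "attack_patterns": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Title:") or line.startswith("Date:"):
            key, value = line.split(":", 1)
            entry[key.lower()] = value.strip()
        elif line.startswith("References:"):
            rest = line.split(":", 1)[1].strip()
            if rest:                       # URL on the same line
                entry["references"].append(rest)
        elif line.startswith("http"):      # URL on its own line
            entry["references"].append(line)
        elif line.startswith(("Relevancy:", "Category:", "MISP event uuid:")):
            key, value = line.split(":", 1)
            entry[key.lower().replace(" ", "_")] = value.strip()
        elif (m := ATTACK_RE.match(line)):
            entry["attack_patterns"] = [
                t.strip().strip("'\"") for t in m.group(1).split(",") if t.strip()
            ]
        elif (m := TAG_RE.match(line)):
            entry["tags"].setdefault(m.group(1), []).append(m.group(2))
    return entry


def decode_ransomware_live_id(url):
    """Return (victim, group) from a ransomware.live /id/<token> URL.

    Assumption: the token is standard base64 of 'victim@group'. Anything that
    does not decode to that shape raises ValueError instead of guessing.
    """
    parsed = urlparse(url)
    if parsed.netloc not in ("ransomware.live", "www.ransomware.live") \
            or not parsed.path.startswith("/id/"):
        raise ValueError(f"not a ransomware.live id URL: {url}")
    token = parsed.path[len("/id/"):]
    token += "=" * (-len(token) % 4)       # tolerate stripped padding
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"id token is not base64 text: {exc}") from exc
    victim, sep, group = decoded.rpartition("@")
    if not (sep and victim and group):
        raise ValueError(f"decoded id is not 'victim@group': {decoded!r}")
    return victim, group


def mask_matches(masked, name):
    """True if a redacted name ('MSC Gro**') is consistent with the full one:
    same length, and every '*' stands for exactly one character."""
    return len(masked) == len(name) and all(
        m == "*" or m == n for m, n in zip(masked, name)
    )


def check_entry(entry):
    """Decode each ransomware.live reference in an entry and cross-check it
    against the redacted title and the ransomware= galaxy tag."""
    masked = entry.get("title", "").rsplit(":", 1)[-1].strip()
    groups = {g.lower() for g in entry["tags"].get("ransomware", [])}
    results = []
    for url in entry["references"]:
        if "ransomware.live/id/" not in url:
            continue
        victim, group = decode_ransomware_live_id(url)
        results.append({
            "victim": victim,
            "group": group,
            "title_consistent": mask_matches(masked, victim),
            "group_tag_consistent": group.lower() in groups,
        })
    return results


if __name__ == "__main__":
    for result in check_entry(parse_entry(SAMPLE_ENTRY)):
        print(result)
```

The check is deliberately strict: a token that is not valid base64, or decodes to text without an "@", raises rather than returning a partial name, so a change in how ransomware.live builds its ids surfaces as an error in the pipeline instead of a silently wrong victim field.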
Title: Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities
Date: 2026-05-14
References:
https://blog.talosintelligence.com/sd-wan-ongoing-exploitation/
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Vulnerability
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="critical-vuln"
• target="broad-based"
• samples-found-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Cisco Talos Intelligence Group"
mitre-attack-pattern=['T1003', 'T1552.005', 'T1021.004', 'T1005', 'T1190', 'T1505.003', 'T1090', 'T1083', 'T1552.001', 'T1098', 'T1059.004', 'T1562.001', 'T1078', 'T1027', 'T1573', 'T1496', 'T1070.004', 'T1071.001', 'T1136', 'T1018']
MISP event uuid: fbb6cb43-042c-4d70-99d5-c92d71587c91
Cisco Talos
Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities
Cisco Talos is tracking the active exploitation of CVE-2026-20182, an authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage.
Title: Spring harvest - Leek Likho group's campaign to hunt for documents
Date: 2026-05-15
References:
https://securelist.ru/tr/leek-likho-hunting-for-data-with-tor-and-llms/115601/
Rectifyq Taxonomies:
Relevancy: ⚫ Not Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• TA-category="APT"
• target="broad-based"
• topic="ai"
• samples-found-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Kaspersky"
• sector="Government, Administration"
• target-information="Belarus"
• target-information="Russia"
mitre-attack-pattern=['T1547', 'T1090', 'T1059']
MISP event uuid: 8483102e-5129-4460-b958-d38750a66fe4