Title: Iran-Linked Hackers Breached Korean Electronics Maker in Global Spying Campaign
Date: 2026-05-12
References:
https://www.security.com/threat-intelligence/iran-seedworm-electronics
Rectifyq Taxonomies:
Relevancy: 🟡 Somewhat Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• TA-category="APT"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Symantec"
• target-information="Argentina"
• target-information="Bahrain"
• target-information="Brazil"
• target-information="Chile"
• target-information="Colombia"
• target-information="Indonesia"
• target-information="Kuwait"
• target-information="Malaysia"
• target-information="Mexico"
• target-information="Oman"
• target-information="Philippines"
• target-information="Qatar"
• target-information="Saudi Arabia"
• target-information="Singapore"
• target-information="Thailand"
• target-information="United Arab Emirates"
• country="iran"
• target-information="South Korea"
• threat-actor="MuddyWater"
• sector="Education"
• sector="Electronic"
• sector="Finance"
• sector="Industrial"
• sector="Manufacturing"
• region="035 - South-eastern Asia"
mitre-attack-pattern=['T1113', 'T1033', 'T1003.002', 'T1087.002', 'T1087.001', 'T1135', 'T1082', 'T1003.001', 'T1016', 'T1049', 'T1552.001', 'T1041', 'T1059.001', 'T1547.001', 'T1078', 'T1068', 'T1567.002', 'T1518.001', 'T1543.001', 'T1059.003', 'T1071.001', 'T1574.002', 'T1055.001', 'T1090.001']
MISP event uuid: d2f29648-4ca4-4b5d-82e6-43bdb7cb4c34
Security
Seedworm: Iran-Linked Hackers Breached Korean Electronics Maker in Global Spying Campaign
Iran-linked threat actor abused signed Fortemedia and SentinelOne binaries for DLL sideloading and exfiltrated data through a public file-transfer service.
Title: TanStack npm Packages Compromised in Ongoing Supply-Chain Attack
Date: 2026-05-11
References:
https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="supply-chain"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• malpedia="Shai-Hulud"
mitre-attack-pattern=['T1059.007', 'T1552.005', 'T1036.005', 'T1543.003', 'T1574.006', 'T1552.001', 'T1528', 'T1098.001', 'T1087.004', 'T1136.003', 'T1204.003', 'T1195.002', 'T1573.002', 'T1071.001', 'T1105', 'T1550.001', 'T1078.004', 'T1552.007']
MISP event uuid: 6f0fb181-17f2-47c8-b4ce-24d302f8d931
Socket
TanStack npm Packages Compromised in Ongoing Mini Shai-Hulud...
Socket detected 84 compromised TanStack npm package artifacts modified with suspected CI credential-stealing malware.
Title: LBIOC-20260071 - The Gentlemens Leak
Date: 2026-05-13
References:
https://radar.offseq.com/threat/lbioc-20260071-the-gentlemens-leak-c18cd0f4
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="TA-profile"
• sub-category="campaign-analysis"
• TA-category="Ransomware"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• ransomware="the gentlemen"
mitre-attack-pattern=['T1071', 'T1059', 'T1486', 'T1573', 'T1083', 'T1105', 'T1490', 'T1027', 'T1057', 'T1090', 'T1018', 'T1489', 'T1082', 'T1016', 'T1049', 'T1569', 'T1529', 'T1204', 'T1497', 'T1047']
MISP event uuid: 7deedbeb-d693-43a5-a067-afbaf9b06834
OffSeq Threat Radar
LBIOC-20260071 - The Gentlemens Leak - Live Threat Intelligence - Threat Radar | OffSeq.com
Detailed information about LBIOC-20260071 - The Gentlemens Leak. Get real-time updates, technical details, and mitigation strategies.
Title: Python Backdoor Threat Analysis Following an AI Deepfake Impersonation Campaign
Date: 2026-05-13
References:
https://www.genians.co.kr/en/blog/threat_intelligence/python?hsCtaAttrib=343278473915
Rectifyq Taxonomies:
Relevancy: ⚫ Not Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="ai"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
mitre-attack-pattern=['T1059.006', 'T1566']
MISP event uuid: faffe042-8de6-4d2b-8e2b-960e0afc09c7
www.genians.co.kr
Python Backdoor Threat Analysis Following an AI Deepfake Impersonation Campaign
A suspected APT37-linked threat campaign has been identified, combining batch file obfuscation techniques with Compiled Python-based malware.
Title: ClickFix Evolves with PySoxy Proxying
Date: 2026-05-12
References:
https://reliaquest.com/blog/threat-spotlight-clickfix-evolves-with-pysoxy-proxying
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="intrusion-analysis"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
mitre-attack-pattern=['T1053.005', 'T1033', 'T1074.001', 'T1087.002', 'T1204.002', 'T1573.001', 'T1069.002', 'T1135', 'T1140', 'T1090', 'T1482', 'T1041', 'T1059.001', 'T1547.001', 'T1027', 'T1059.006', 'T1070.004', 'T1071.001', 'T1018', 'T1105']
MISP event uuid: 1af217fa-683f-4945-a924-640716449a80
ReliaQuest
ClickFix Evolves with PySoxy Proxying | ReliaQuest Threat Research
ClickFix just got more dangerous. Discover how one pasted command creates persistent, redundant access, and how to detect it before the damage spreads.
Title: Thus Spoke…The Gentlemen
Date: 2026-05-13
References:
https://research.checkpoint.com/2026/thus-spoke-the-gentlemen/
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="TA-profile"
• TA-category="Ransomware"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Check Point"
• target-information="United Kingdom"
• ransomware="the gentlemen"
mitre-attack-pattern=['T1003', 'T1133', 'T1489', 'T1562', 'T1190', 'T1219', 'T1550', 'T1560', 'T1021', 'T1070', 'T1083', 'T1049', 'T1210', 'T1048', 'T1566', 'T1078', 'T1068', 'T1486', 'T1018', 'T1490']
MISP event uuid: 60c42d6c-2f80-48b1-bb63-f22d18770621
Check Point Research
Thus Spoke…The Gentlemen - Check Point Research
Key Points Introduction The Gentlemen ransomware-as-a-service (RaaS) operation is a relatively new group that emerged around mid-2025. Its operators advertise the service across multiple underground forums, promoting their ransomware platform and inviting…
Title: Disclosing new PebbleDash-based tools
Date: 2026-05-14
References:
https://securelist.com/kimsuky-appleseed-pebbledash-campaigns/119785/
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• TA-category="APT"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Kaspersky"
• threat-actor="Kimsuky"
• target-information="Brazil"
• target-information="Germany"
• target-information="South Korea"
• sector="Defense"
• sector="Government, Administration"
• malpedia="Appleseed"
• malpedia="PEBBLEDASH"
mitre-attack-pattern=['T1053.005', 'T1113', 'T1132.001', 'T1056.001', 'T1204.002', 'T1573.001', 'T1543.003', 'T1566.001', 'T1005', 'T1140', 'T1219', 'T1055', 'T1112', 'T1041', 'T1059.001', 'T1547.001', 'T1027', 'T1059.003', 'T1071.001', 'T1090.001']
MISP event uuid: 0d8d2f88-341b-4ee7-ae73-5113a3f9d3db
Title: Device Code Phishing is an Evolution in Identity Takeover
Date: 2026-05-13
References:
https://www.proofpoint.com/us/blog/threat-insight/device-code-phishing-evolution-identity-takeover
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Proofpoint"
mitre-attack-pattern=['T1539', 'T1114', 'T1204.002', 'T1566.002', 'T1598.003', 'T1566.001', 'T1185', 'T1087', 'T1528', 'T1204', 'T1534', 'T1566', 'T1078', 'T1486', 'T1598', 'T1213', 'T1204.001', 'T1078.004', 'T1566.003']
MISP event uuid: 402e1b2f-0ec7-4c71-a016-c3cc30ff9204
Proofpoint
Device Code Phishing is an Evolution in Identity Takeover | Proofpoint US
Key Findings Device code phishing is exploding across the threat landscape, with new device code phishing tools emerging every week. The spike in device code phishing
Title: Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files
Date: 2026-05-15
References:
https://unit42.paloaltonetworks.com/gremlin-stealer-evolution/
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="malware-analysis"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Palo Alto"
• malpedia="Gremlin"
mitre-attack-pattern=['T1056.001', 'T1539', 'T1115', 'T1082', 'T1106', 'T1005', 'T1140', 'T1567', 'T1552', 'T1032', 'T1185', 'T1555.003', 'T1027.001', 'T1528', 'T1041', 'T1027', 'T1081', 'T1567.002', 'T1027.002', 'T1071.001']
MISP event uuid: 6cc3f205-3931-4e73-a46d-b5a657ab4949
Unit 42
Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files
Unit 42 analyzes the evolution of Gremlin stealer. This variant uses advanced obfuscation, crypto clipping and session hijacking to compromise data.
Title: Kazuar: Anatomy of a nation-state botnet
Date: 2026-05-14
References:
https://www.microsoft.com/en-us/security/blog/2026/05/14/kazuar-anatomy-of-a-nation-state-botnet/
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="malware-analysis"
• TA-category="APT"
• TA-category="State-Sponsored"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Microsoft"
• target-information="Ukraine"
• malpedia="Kazuar"
• threat-actor="Turla"
mitre-attack-pattern=['T1113', 'T1056.001', 'T1114', 'T1074.001', 'T1082', 'T1071', 'T1005', 'T1055', 'T1071.003', 'T1090', 'T1059', 'T1083', 'T1497', 'T1102', 'T1057', 'T1041', 'T1562.001', 'T1027', 'T1114.002', 'T1573', 'T1095', 'T1132', 'T1027.002', 'T1071.001']
MISP event uuid: 5df6c3a9-4e93-4dc5-bc9f-d50b8ac31856
Microsoft News
Kazuar: Anatomy of a nation-state botnet
Kazuar, a sophisticated malware family attributed to the Russian state actor Secret Blizzard, has been under constant development for years and continues to evolve in support of espionage-focused operations. Over time, Kazuar has expanded from a relatively…
Title: [Ransomware] Unconfirmed: PNS* Ins****** Bro**** Sdn Bhd
Date: 2026-05-17
References: https://www.ransomware.live/id/UE5TQiBJbnN1cmFuY2UgQnJva2VycyBTZG4gQmhkQHFpbGlu
Rectifyq Taxonomies:
Relevancy: 🔴 Highly Relevant
Category: Data Breach
- TA-category="Ransomware"
MISP Galaxies:
- target-information="Malaysia"
- sector="Finance"
- ransomware="Qilin"
mitre-attack-pattern=[]
MISP event uuid: 1cfaf58b-285e-4477-bac1-1ab80f7da206
Ransomware.live
Victim: PNSB Insurance Brokers Sdn Bhd - qilin
Ransomware.live discovered on 2026-05-17 that PNSB Insurance Brokers Sdn Bhd has been claimed by Qilin ransomware group
Title: [Ransomware] Unconfirmed: Int************ (+ Tsk************** + Ame******************** + Woo*************
Date: 2026-05-13
References: https://www.ransomware.live/id/SW50ZWNlbmcuY29tLm15ICgrIFRza3N5bmVyZ3kuY29tLm15ICsgQW1lbWFudWZhY3R1cmluZy5jb20ubXkgKyBXb29kbm92YS5jb20ubXkpQHBheWxvYWQ=
Rectifyq Taxonomies:
Relevancy: 🔴 Highly Relevant
Category: Data Breach
- TA-category="Ransomware"
MISP Galaxies:
- target-information="Malaysia"
- sector="Manufacturing"
- ransomware="payload"
mitre-attack-pattern=[]
MISP event uuid: 8958fe77-93e2-4663-9b9f-1fddb1d6bed6
Ransomware.live
Victim: Inteceng.com.my (+ Tsksynergy.com.my + Amemanufacturing.com.my + Woodnova.com.my) - payload
Ransomware.live discovered on 2026-05-13 that Inteceng.com.my (+ Tsksynergy.com.my + Amemanufacturing.com.my + Woodnova.com.my) has been claimed by Payload ransomware group
Title: [Ransomware] Unconfirmed: Maj*** Per******** Alo* Gaj**
Date: 2026-05-17
References: https://www.ransomware.live/id/TWFqbGlzIFBlcmJhbmRhcmFuIEFsb3IgR2FqYWhAcWlsaW4=
Rectifyq Taxonomies:
Relevancy: 🔴 Highly Relevant
Category: Data Breach
- TA-category="Ransomware"
MISP Galaxies:
- target-information="Malaysia"
- sector="Public Sector"
- ransomware="Qilin"
mitre-attack-pattern=[]
MISP event uuid: c842284d-499a-41d9-82a5-631ed5a1f5ca
Ransomware.live
Victim: Majlis Perbandaran Alor Gajah - qilin
Ransomware.live discovered on 2026-05-17 that Majlis Perbandaran Alor Gajah has been claimed by Qilin ransomware group
Title: [Ransomware] Unconfirmed: MSC Gro**
Date: 2026-05-18
References: https://www.ransomware.live/id/TVNDIEdyb3VwQGxhbWFzaHR1
Rectifyq Taxonomies:
Relevancy: 🔴 Highly Relevant
Category: Data Breach
- TA-category="Ransomware"
MISP Galaxies:
- target-information="Malaysia"
- sector="Logistic"
- ransomware="lamashtu"
mitre-attack-pattern=[]
MISP event uuid: 47843fe4-1296-4293-8487-a6e1566e00e2
Ransomware.live
Victim: MSC Group - lamashtu
Ransomware.live discovered on 2026-05-18 that MSC Group has been claimed by Lamashtu ransomware group
Title: Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities
Date: 2026-05-14
References:
https://blog.talosintelligence.com/sd-wan-ongoing-exploitation/
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Vulnerability
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="critical-vuln"
• target="broad-based"
• samples-found-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Cisco Talos Intelligence Group"
mitre-attack-pattern=['T1003', 'T1552.005', 'T1021.004', 'T1005', 'T1190', 'T1505.003', 'T1090', 'T1083', 'T1552.001', 'T1098', 'T1059.004', 'T1562.001', 'T1078', 'T1027', 'T1573', 'T1496', 'T1070.004', 'T1071.001', 'T1136', 'T1018']
MISP event uuid: fbb6cb43-042c-4d70-99d5-c92d71587c91
Cisco Talos
Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities
Cisco Talos is tracking the active exploitation of CVE-2026-20182, an authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage.
Title: Spring harvest - Leek Likho group's campaign to hunt for documents
Date: 2026-05-15
References:
https://securelist.ru/tr/leek-likho-hunting-for-data-with-tor-and-llms/115601/
Rectifyq Taxonomies:
Relevancy: ⚫ Not Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• TA-category="APT"
• target="broad-based"
• topic="ai"
• samples-found-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Kaspersky"
• sector="Government, Administration"
• target-information="Belarus"
• target-information="Russia"
mitre-attack-pattern=['T1547', 'T1090', 'T1059']
MISP event uuid: 8483102e-5129-4460-b958-d38750a66fe4
Title: Chinese APT Campaign Targets Entities with Updated FDMTP Backdoor
Date: 2026-05-14
References:
https://www.darktrace.com/blog/chinese-apt-campaign-targets-entities-with-updated-fdmtp-backdoor
Rectifyq Taxonomies:
Relevancy: 🟡 Somewhat Relevant
Category: Threat
• mitre-att&ck="from-original-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• TA-category="APT"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• country="china"
• region="142 - Asia"
mitre-attack-pattern=['T1007', 'T1027', 'T1030', 'T1053', 'T1071', 'T1082', 'T1095', 'T1140', 'T1547', 'T1574', 'T1127', 'T1562', 'T1499', 'T1195', 'T1490', 'T1056', 'T1123', 'T1059', 'T1134', 'T1055', 'T1574.001', 'T1106', 'T1547.001', 'T1053.005']
MISP event uuid: 4583b718-a906-4818-8811-97ba5fae34a6
Darktrace
Chinese APT Campaign Targets Entities with Updated FDMTP Backdoor
Darktrace researchers identified a Twill Typhoon-linked China-nexus campaign targeting APJ customers. The activity observed includes CDN impersonation, legitimate binaries, and DLL sideloading to deploy a modular .NET RAT.