πTitle: Disclosing new PebbleDash-based tools
π Date: 2026-05-14
πReferences:
https://securelist.com/kimsuky-appleseed-pebbledash-campaigns/119785/
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ TA-category="APT"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Kaspersky"
β’ threat-actor="Kimsuky"
β’ target-information="Brazil"
β’ target-information="Germany"
β’ target-information="South Korea"
β’ sector="Defense"
β’ sector="Government, Administration"
β’ malpedia="Appleseed"
β’ malpedia="PEBBLEDASH"
mitre-attack-pattern=['T1053.005', 'T1113', 'T1132.001', 'T1056.001', 'T1204.002', 'T1573.001', 'T1543.003', 'T1566.001', 'T1005', 'T1140', 'T1219', 'T1055', 'T1112', 'T1041', 'T1059.001', 'T1547.001', 'T1027', 'T1059.003', 'T1071.001', 'T1090.001']
MISP event uuid: 0d8d2f88-341b-4ee7-ae73-5113a3f9d3db
π Date: 2026-05-14
πReferences:
https://securelist.com/kimsuky-appleseed-pebbledash-campaigns/119785/
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ TA-category="APT"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Kaspersky"
β’ threat-actor="Kimsuky"
β’ target-information="Brazil"
β’ target-information="Germany"
β’ target-information="South Korea"
β’ sector="Defense"
β’ sector="Government, Administration"
β’ malpedia="Appleseed"
β’ malpedia="PEBBLEDASH"
mitre-attack-pattern=['T1053.005', 'T1113', 'T1132.001', 'T1056.001', 'T1204.002', 'T1573.001', 'T1543.003', 'T1566.001', 'T1005', 'T1140', 'T1219', 'T1055', 'T1112', 'T1041', 'T1059.001', 'T1547.001', 'T1027', 'T1059.003', 'T1071.001', 'T1090.001']
MISP event uuid: 0d8d2f88-341b-4ee7-ae73-5113a3f9d3db
πTitle: Device Code Phishing is an Evolution in Identity Takeover
π Date: 2026-05-13
πReferences:
https://www.proofpoint.com/us/blog/threat-insight/device-code-phishing-evolution-identity-takeover
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Proofpoint"
mitre-attack-pattern=['T1539', 'T1114', 'T1204.002', 'T1566.002', 'T1598.003', 'T1566.001', 'T1185', 'T1087', 'T1528', 'T1204', 'T1534', 'T1566', 'T1078', 'T1486', 'T1598', 'T1213', 'T1204.001', 'T1078.004', 'T1566.003']
MISP event uuid: 402e1b2f-0ec7-4c71-a016-c3cc30ff9204
π Date: 2026-05-13
πReferences:
https://www.proofpoint.com/us/blog/threat-insight/device-code-phishing-evolution-identity-takeover
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Proofpoint"
mitre-attack-pattern=['T1539', 'T1114', 'T1204.002', 'T1566.002', 'T1598.003', 'T1566.001', 'T1185', 'T1087', 'T1528', 'T1204', 'T1534', 'T1566', 'T1078', 'T1486', 'T1598', 'T1213', 'T1204.001', 'T1078.004', 'T1566.003']
MISP event uuid: 402e1b2f-0ec7-4c71-a016-c3cc30ff9204
Proofpoint
Device Code Phishing is an Evolution in Identity Takeover | Proofpoint US
Key Findings Device code phishing is exploding across the threat landscape, with new device code phishing tools emerging every week. The spike in device code phishing
πTitle: Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files
π Date: 2026-05-15
πReferences:
https://unit42.paloaltonetworks.com/gremlin-stealer-evolution/
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="malware-analysis"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Palo Alto"
β’ malpedia="Gremlin"
mitre-attack-pattern=['T1056.001', 'T1539', 'T1115', 'T1082', 'T1106', 'T1005', 'T1140', 'T1567', 'T1552', 'T1032', 'T1185', 'T1555.003', 'T1027.001', 'T1528', 'T1041', 'T1027', 'T1081', 'T1567.002', 'T1027.002', 'T1071.001']
MISP event uuid: 6cc3f205-3931-4e73-a46d-b5a657ab4949
π Date: 2026-05-15
πReferences:
https://unit42.paloaltonetworks.com/gremlin-stealer-evolution/
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="malware-analysis"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Palo Alto"
β’ malpedia="Gremlin"
mitre-attack-pattern=['T1056.001', 'T1539', 'T1115', 'T1082', 'T1106', 'T1005', 'T1140', 'T1567', 'T1552', 'T1032', 'T1185', 'T1555.003', 'T1027.001', 'T1528', 'T1041', 'T1027', 'T1081', 'T1567.002', 'T1027.002', 'T1071.001']
MISP event uuid: 6cc3f205-3931-4e73-a46d-b5a657ab4949
Unit 42
Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files
Unit 42 analyzes the evolution of Gremlin stealer. This variant uses advanced obfuscation, crypto clipping and session hijacking to compromise data.
πTitle: Kazuar: Anatomy of a nation-state botnet
π Date: 2026-05-14
πReferences:
https://www.microsoft.com/en-us/security/blog/2026/05/14/kazuar-anatomy-of-a-nation-state-botnet/
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="malware-analysis"
β’ TA-category="APT"
β’ TA-category="State-Sponsored"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Microsoft"
β’ target-information="Ukraine"
β’ malpedia="Kazuar"
β’ threat-actor="Turla"
mitre-attack-pattern=['T1113', 'T1056.001', 'T1114', 'T1074.001', 'T1082', 'T1071', 'T1005', 'T1055', 'T1071.003', 'T1090', 'T1059', 'T1083', 'T1497', 'T1102', 'T1057', 'T1041', 'T1562.001', 'T1027', 'T1114.002', 'T1573', 'T1095', 'T1132', 'T1027.002', 'T1071.001']
MISP event uuid: 5df6c3a9-4e93-4dc5-bc9f-d50b8ac31856
π Date: 2026-05-14
πReferences:
https://www.microsoft.com/en-us/security/blog/2026/05/14/kazuar-anatomy-of-a-nation-state-botnet/
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="malware-analysis"
β’ TA-category="APT"
β’ TA-category="State-Sponsored"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Microsoft"
β’ target-information="Ukraine"
β’ malpedia="Kazuar"
β’ threat-actor="Turla"
mitre-attack-pattern=['T1113', 'T1056.001', 'T1114', 'T1074.001', 'T1082', 'T1071', 'T1005', 'T1055', 'T1071.003', 'T1090', 'T1059', 'T1083', 'T1497', 'T1102', 'T1057', 'T1041', 'T1562.001', 'T1027', 'T1114.002', 'T1573', 'T1095', 'T1132', 'T1027.002', 'T1071.001']
MISP event uuid: 5df6c3a9-4e93-4dc5-bc9f-d50b8ac31856
Microsoft News
Kazuar: Anatomy of a nation-state botnet
Kazuar, a sophisticated malware family attributed to the Russian state actor Secret Blizzard, has been under constant development for years and continues to evolve in support of espionage-focused operations. Over time, Kazuar has expanded from a relativelyβ¦
πTitle: [Ransomware] Unconfirmed: PNS* Ins****** Bro**** Sdn Bhd
π Date: 2026-05-17
πReferences: https://www.ransomware.live/id/UE5TQiBJbnN1cmFuY2UgQnJva2VycyBTZG4gQmhkQHFpbGlu
πRectifyq Taxonomies:
Relevancy: π΄ Highly Relevant
Category: π₯ Data Breach
- TA-category="Ransomware"
πMISP Galaxies:
- target-information="Malaysia"
- sector="Finance"
- ransomware="Qilin"
mitre-attack-pattern=[]
MISP event uuid: 1cfaf58b-285e-4477-bac1-1ab80f7da206
π Date: 2026-05-17
πReferences: https://www.ransomware.live/id/UE5TQiBJbnN1cmFuY2UgQnJva2VycyBTZG4gQmhkQHFpbGlu
πRectifyq Taxonomies:
Relevancy: π΄ Highly Relevant
Category: π₯ Data Breach
- TA-category="Ransomware"
πMISP Galaxies:
- target-information="Malaysia"
- sector="Finance"
- ransomware="Qilin"
mitre-attack-pattern=[]
MISP event uuid: 1cfaf58b-285e-4477-bac1-1ab80f7da206
Ransomware.live
Victim: PNSB Insurance Brokers Sdn Bhd β qilin
Ransomware.live discovered on 2026-05-17 that PNSB Insurance Brokers Sdn Bhd has been claimed by Qilin ransomware group
πTitle: [Ransomware] Unconfirmed: Int************ (+ Tsk************** + Ame******************** + Woo*************
π Date: 2026-05-13
πReferences: https://www.ransomware.live/id/SW50ZWNlbmcuY29tLm15ICgrIFRza3N5bmVyZ3kuY29tLm15ICsgQW1lbWFudWZhY3R1cmluZy5jb20ubXkgKyBXb29kbm92YS5jb20ubXkpQHBheWxvYWQ=
πRectifyq Taxonomies:
Relevancy: π΄ Highly Relevant
Category: π₯ Data Breach
- TA-category="Ransomware"
πMISP Galaxies:
- target-information="Malaysia"
- sector="Manufacturing"
- ransomware="payload"
mitre-attack-pattern=[]
MISP event uuid: 8958fe77-93e2-4663-9b9f-1fddb1d6bed6
π Date: 2026-05-13
πReferences: https://www.ransomware.live/id/SW50ZWNlbmcuY29tLm15ICgrIFRza3N5bmVyZ3kuY29tLm15ICsgQW1lbWFudWZhY3R1cmluZy5jb20ubXkgKyBXb29kbm92YS5jb20ubXkpQHBheWxvYWQ=
πRectifyq Taxonomies:
Relevancy: π΄ Highly Relevant
Category: π₯ Data Breach
- TA-category="Ransomware"
πMISP Galaxies:
- target-information="Malaysia"
- sector="Manufacturing"
- ransomware="payload"
mitre-attack-pattern=[]
MISP event uuid: 8958fe77-93e2-4663-9b9f-1fddb1d6bed6
Ransomware.live
Victim: Inteceng.com.my (+ Tsksynergy.com.my + Amemanufacturing.com.my + Woodnova.com.my) β payload
Ransomware.live discovered on 2026-05-13 that Inteceng.com.my (+ Tsksynergy.com.my + Amemanufacturing.com.my + Woodnova.com.my) has been claimed by Payload ransomware group
Rectifyq Cybersecurity News π²πΎ pinned Β«πTitle: [Ransomware] Unconfirmed: PNS* Ins****** Bro**** Sdn Bhd π
Date: 2026-05-17 πReferences: https://www.ransomware.live/id/UE5TQiBJbnN1cmFuY2UgQnJva2VycyBTZG4gQmhkQHFpbGlu πRectifyq Taxonomies: Relevancy: π΄ Highly Relevant Category: π₯ Data Breach - TAβ¦Β»
Rectifyq Cybersecurity News π²πΎ pinned Β«πTitle: [Ransomware] Unconfirmed: Int************ (+ Tsk************** + Ame******************** + Woo************* π
Date: 2026-05-13 πReferences: https://www.ransomware.live/id/SW50ZWNlbmcuY29tLm15ICgrIFRza3N5bmVyZ3kuY29tLm15ICsgQW1lbWFudWZhY3R1cmluZy5jbβ¦Β»
πTitle: [Ransomware] Unconfirmed: Maj*** Per******** Alo* Gaj**
π Date: 2026-05-17
πReferences: https://www.ransomware.live/id/TWFqbGlzIFBlcmJhbmRhcmFuIEFsb3IgR2FqYWhAcWlsaW4=
πRectifyq Taxonomies:
Relevancy: π΄ Highly Relevant
Category: π₯ Data Breach
- TA-category="Ransomware"
πMISP Galaxies:
- target-information="Malaysia"
- sector="Public Sector"
- ransomware="Qilin"
mitre-attack-pattern=[]
MISP event uuid: c842284d-499a-41d9-82a5-631ed5a1f5ca
π Date: 2026-05-17
πReferences: https://www.ransomware.live/id/TWFqbGlzIFBlcmJhbmRhcmFuIEFsb3IgR2FqYWhAcWlsaW4=
πRectifyq Taxonomies:
Relevancy: π΄ Highly Relevant
Category: π₯ Data Breach
- TA-category="Ransomware"
πMISP Galaxies:
- target-information="Malaysia"
- sector="Public Sector"
- ransomware="Qilin"
mitre-attack-pattern=[]
MISP event uuid: c842284d-499a-41d9-82a5-631ed5a1f5ca
Ransomware.live
Victim: Majlis Perbandaran Alor Gajah β qilin
Ransomware.live discovered on 2026-05-17 that Majlis Perbandaran Alor Gajah has been claimed by Qilin ransomware group
Rectifyq Cybersecurity News π²πΎ pinned Β«πTitle: [Ransomware] Unconfirmed: Maj*** Per******** Alo* Gaj** π
Date: 2026-05-17 πReferences: https://www.ransomware.live/id/TWFqbGlzIFBlcmJhbmRhcmFuIEFsb3IgR2FqYWhAcWlsaW4= πRectifyq Taxonomies: Relevancy: π΄ Highly Relevant Category: π₯ Data Breach - TAβ¦Β»
πTitle: [Ransomware] Unconfirmed: MSC Gro**
π Date: 2026-05-18
πReferences: https://www.ransomware.live/id/TVNDIEdyb3VwQGxhbWFzaHR1
πRectifyq Taxonomies:
Relevancy: π΄ Highly Relevant
Category: π₯ Data Breach
- TA-category="Ransomware"
πMISP Galaxies:
- target-information="Malaysia"
- sector="Logistic"
- ransomware="lamashtu"
mitre-attack-pattern=[]
MISP event uuid: 47843fe4-1296-4293-8487-a6e1566e00e2
π Date: 2026-05-18
πReferences: https://www.ransomware.live/id/TVNDIEdyb3VwQGxhbWFzaHR1
πRectifyq Taxonomies:
Relevancy: π΄ Highly Relevant
Category: π₯ Data Breach
- TA-category="Ransomware"
πMISP Galaxies:
- target-information="Malaysia"
- sector="Logistic"
- ransomware="lamashtu"
mitre-attack-pattern=[]
MISP event uuid: 47843fe4-1296-4293-8487-a6e1566e00e2
Ransomware.live
Victim: MSC Group β lamashtu
Ransomware.live discovered on 2026-05-18 that MSC Group has been claimed by Lamashtu ransomware group
Rectifyq Cybersecurity News π²πΎ pinned Β«πTitle: [Ransomware] Unconfirmed: MSC Gro** π
Date: 2026-05-18 πReferences: https://www.ransomware.live/id/TVNDIEdyb3VwQGxhbWFzaHR1 πRectifyq Taxonomies: Relevancy: π΄ Highly Relevant Category: π₯ Data Breach - TA-category="Ransomware" πMISP Galaxies: - targetβ¦Β»
πTitle: Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities
π Date: 2026-05-14
πReferences:
https://blog.talosintelligence.com/sd-wan-ongoing-exploitation/
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: π Vulnerability
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="critical-vuln"
β’ target="broad-based"
β’ samples-found-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Cisco Talos Intelligence Group"
mitre-attack-pattern=['T1003', 'T1552.005', 'T1021.004', 'T1005', 'T1190', 'T1505.003', 'T1090', 'T1083', 'T1552.001', 'T1098', 'T1059.004', 'T1562.001', 'T1078', 'T1027', 'T1573', 'T1496', 'T1070.004', 'T1071.001', 'T1136', 'T1018']
MISP event uuid: fbb6cb43-042c-4d70-99d5-c92d71587c91
π Date: 2026-05-14
πReferences:
https://blog.talosintelligence.com/sd-wan-ongoing-exploitation/
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: π Vulnerability
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="critical-vuln"
β’ target="broad-based"
β’ samples-found-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Cisco Talos Intelligence Group"
mitre-attack-pattern=['T1003', 'T1552.005', 'T1021.004', 'T1005', 'T1190', 'T1505.003', 'T1090', 'T1083', 'T1552.001', 'T1098', 'T1059.004', 'T1562.001', 'T1078', 'T1027', 'T1573', 'T1496', 'T1070.004', 'T1071.001', 'T1136', 'T1018']
MISP event uuid: fbb6cb43-042c-4d70-99d5-c92d71587c91
Cisco Talos
Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities
Cisco Talos is tracking the active exploitation of CVE-2026-20182, an authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage.
πTitle: Spring harvest - Leek Likho group's campaign to hunt for documents
π Date: 2026-05-15
πReferences:
https://securelist.ru/tr/leek-likho-hunting-for-data-with-tor-and-llms/115601/
πRectifyq Taxonomies:
Relevancy: β« Not Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ TA-category="APT"
β’ target="broad-based"
β’ topic="ai"
β’ samples-found-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Kaspersky"
β’ sector="Government, Administration"
β’ target-information="Belarus"
β’ target-information="Russia"
mitre-attack-pattern=['T1547', 'T1090', 'T1059']
MISP event uuid: 8483102e-5129-4460-b958-d38750a66fe4
π Date: 2026-05-15
πReferences:
https://securelist.ru/tr/leek-likho-hunting-for-data-with-tor-and-llms/115601/
πRectifyq Taxonomies:
Relevancy: β« Not Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ TA-category="APT"
β’ target="broad-based"
β’ topic="ai"
β’ samples-found-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Kaspersky"
β’ sector="Government, Administration"
β’ target-information="Belarus"
β’ target-information="Russia"
mitre-attack-pattern=['T1547', 'T1090', 'T1059']
MISP event uuid: 8483102e-5129-4460-b958-d38750a66fe4
πTitle: Chinese APT Campaign Targets Entities with Updated FDMTP Backdoor
π Date: 2026-05-14
πReferences:
https://www.darktrace.com/blog/chinese-apt-campaign-targets-entities-with-updated-fdmtp-backdoor
πRectifyq Taxonomies:
Relevancy: π‘ Somewhat Relevant
Category: β Threat
β’ mitre-att&ck="from-original-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ TA-category="APT"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ country="china"
β’ region="142 - Asia"
mitre-attack-pattern=['T1007', 'T1027', 'T1030', 'T1053', 'T1071', 'T1082', 'T1095', 'T1140', 'T1547', 'T1574', 'T1127', 'T1562', 'T1499', 'T1195', 'T1490', 'T1056', 'T1123', 'T1059', 'T1134', 'T1055', 'T1574.001', 'T1106', 'T1547.001', 'T1053.005']
MISP event uuid: 4583b718-a906-4818-8811-97ba5fae34a6
π Date: 2026-05-14
πReferences:
https://www.darktrace.com/blog/chinese-apt-campaign-targets-entities-with-updated-fdmtp-backdoor
πRectifyq Taxonomies:
Relevancy: π‘ Somewhat Relevant
Category: β Threat
β’ mitre-att&ck="from-original-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ TA-category="APT"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ country="china"
β’ region="142 - Asia"
mitre-attack-pattern=['T1007', 'T1027', 'T1030', 'T1053', 'T1071', 'T1082', 'T1095', 'T1140', 'T1547', 'T1574', 'T1127', 'T1562', 'T1499', 'T1195', 'T1490', 'T1056', 'T1123', 'T1059', 'T1134', 'T1055', 'T1574.001', 'T1106', 'T1547.001', 'T1053.005']
MISP event uuid: 4583b718-a906-4818-8811-97ba5fae34a6
Darktrace
Chinese APT Campaign Targets Entities with Updated FDMTP Backdoor
Darktrace researchers identified a Twill Typhoonβlinked Chinaβnexus campaign targeting APJ customers. The activity observed includes CDN impersonation, legitimate binaries, and DLL sideloading to deploy a modular .NET RAT.
πTitle: Cato CTRL Threat Research: Suspected China-Linked Threat Actor Targets Global Manufacturer with Undocumented TencShell Malware
π Date: 2026-05-13
πReferences:
https://www.catonetworks.com/blog/cato-ctrl-suspected-china-linked-threat-actor-targets-global-manufacturer/
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="from-original-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="intrusion-analysis"
β’ target="targeted"
β’ no-samples-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
mitre-attack-pattern=['T1005', 'T1036', 'T1041', 'T1055', 'T1057', 'T1059', 'T1071', 'T1082', 'T1083', 'T1090', 'T1102', 'T1105', 'T1106', 'T1113', 'T1129', 'T1547', 'T1548', 'T1548.002', 'T1070.004', 'T1090.001', 'T1036.008', 'T1571', 'T1620', 'T1547.001', 'T1071.001', 'T1059.003']
MISP event uuid: 2a009741-12ae-4be9-8bd5-9f1fb78483bf
π Date: 2026-05-13
πReferences:
https://www.catonetworks.com/blog/cato-ctrl-suspected-china-linked-threat-actor-targets-global-manufacturer/
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="from-original-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="intrusion-analysis"
β’ target="targeted"
β’ no-samples-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
mitre-attack-pattern=['T1005', 'T1036', 'T1041', 'T1055', 'T1057', 'T1059', 'T1071', 'T1082', 'T1083', 'T1090', 'T1102', 'T1105', 'T1106', 'T1113', 'T1129', 'T1547', 'T1548', 'T1548.002', 'T1070.004', 'T1090.001', 'T1036.008', 'T1571', 'T1620', 'T1547.001', 'T1071.001', 'T1059.003']
MISP event uuid: 2a009741-12ae-4be9-8bd5-9f1fb78483bf
πTitle: Vidar v1.5 in Go: same family, new language, heavy sandbox checks
π Date: 2026-05-16
πReferences:
https://www.derp.ca/research/vidar-go-sandbox-dead-drop/
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="malware-analysis"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ malpedia="Vidar"
mitre-attack-pattern=['T1497']
MISP event uuid: 086035cf-56d1-42da-82a8-35dfa8c0e324
π Date: 2026-05-16
πReferences:
https://www.derp.ca/research/vidar-go-sandbox-dead-drop/
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="malware-analysis"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ malpedia="Vidar"
mitre-attack-pattern=['T1497']
MISP event uuid: 086035cf-56d1-42da-82a8-35dfa8c0e324
Derp
Vidar v1.5 in Go: same family, new language, heavy sandbox checks
A Go 1.25.4 Vidar v1.5 sample uses a twelve-category sandbox scoring system, Telegram and Steam dead-drop C2 discovery, and process injection APIs.
πTitle: FlowerStorm unleashes the KrakVM: PhaaS operators turn to VM-based obfuscation
π Date: 2026-05-14
πReferences:
https://sublime.security/blog/flowerstorm-unleashes-the-krakvm-phaas-operators-turn-to-vm-based-obfuscation/
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="tool-profile"
β’ sub-category="campaign-analysis"
β’ topic="mobile-attack"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
mitre-attack-pattern=['T1566']
MISP event uuid: 0e1d220e-d9da-4f25-ac9e-469b98eadcad
π Date: 2026-05-14
πReferences:
https://sublime.security/blog/flowerstorm-unleashes-the-krakvm-phaas-operators-turn-to-vm-based-obfuscation/
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="tool-profile"
β’ sub-category="campaign-analysis"
β’ topic="mobile-attack"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
mitre-attack-pattern=['T1566']
MISP event uuid: 0e1d220e-d9da-4f25-ac9e-469b98eadcad
πTitle: macOS Stealer Spoofs Apple, Google, and Microsoft in a Single Attack Chain
π Date: 2026-05-18
πReferences:
https://www.sentinelone.com/blog/shub-reaper-macos-stealer-spoofs-apple-google-and-microsoft-in-a-single-attack-chain/
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="malware-analysis"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="SentinelOne"
mitre-attack-pattern=['T1560.001', 'T1539', 'T1074.001', 'T1036.005', 'T1555.001', 'T1204.002', 'T1082', 'T1059.002', 'T1005', 'T1555.003', 'T1083', 'T1566', 'T1059.004', 'T1027', 'T1567.002', 'T1543.001', 'T1070.004', 'T1071.001', 'T1102.001']
MISP event uuid: 9f05b1a5-3943-44f0-9c7a-e5523c92663d
π Date: 2026-05-18
πReferences:
https://www.sentinelone.com/blog/shub-reaper-macos-stealer-spoofs-apple-google-and-microsoft-in-a-single-attack-chain/
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="malware-analysis"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="SentinelOne"
mitre-attack-pattern=['T1560.001', 'T1539', 'T1074.001', 'T1036.005', 'T1555.001', 'T1204.002', 'T1082', 'T1059.002', 'T1005', 'T1555.003', 'T1083', 'T1566', 'T1059.004', 'T1027', 'T1567.002', 'T1543.001', 'T1070.004', 'T1071.001', 'T1102.001']
MISP event uuid: 9f05b1a5-3943-44f0-9c7a-e5523c92663d
SentinelOne
SHub Reaper | macOS Stealer Spoofs Apple, Google, and Microsoft in a Single Attack Chain
SHub Reaper bypasses Apple's Terminal mitigation, steals credentials and documents, and plants a persistent backdoor for continued access after infection.
πTitle: Active Supply Chain Attack Compromises Packages on npm
π Date: 2026-05-19
πReferences:
https://socket.dev/blog/antv-packages-compromised
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ topic="supply-chain"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="37ebf9d7-5e9a-466f-a42c-6e60313db868"
β’ malpedia="Shai-Hulud"
mitre-attack-pattern=['T1059.007', 'T1552.005', 'T1573.001', 'T1106', 'T1219', 'T1552.004', 'T1552.001', 'T1567.001', 'T1059.004', 'T1027', 'T1195.002', 'T1070.004', 'T1071.001', 'T1543.002', 'T1105', 'T1078.004', 'T1552.007']
MISP event uuid: 05e5980c-095e-4789-a521-73f3eb7e7b31
π Date: 2026-05-19
πReferences:
https://socket.dev/blog/antv-packages-compromised
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ topic="supply-chain"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="37ebf9d7-5e9a-466f-a42c-6e60313db868"
β’ malpedia="Shai-Hulud"
mitre-attack-pattern=['T1059.007', 'T1552.005', 'T1573.001', 'T1106', 'T1219', 'T1552.004', 'T1552.001', 'T1567.001', 'T1059.004', 'T1027', 'T1195.002', 'T1070.004', 'T1071.001', 'T1543.002', 'T1105', 'T1078.004', 'T1552.007']
MISP event uuid: 05e5980c-095e-4789-a521-73f3eb7e7b31
Socket
Mini Shai-Hulud Hits @antv Ecosystem, 639 Compromised npm Pa...
Active npm supply chain attack compromises @antv packages in a fast-moving malicious publish wave tied to Mini Shai-Hulud.
πTitle: Copycat hits another npm package
π Date: 2026-05-18
πReferences:
https://www.theregister.com/cyber-crime/2026/05/18/shai-hulud-copycat-hits-another-npm-package/5242180
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ topic="supply-chain"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ malpedia="Shai-Hulud"
mitre-attack-pattern=['T1543', 'T1082', 'T1053', 'T1005', 'T1140', 'T1567', 'T1552.004', 'T1016', 'T1087', 'T1059', 'T1552.001', 'T1027', 'T1573', 'T1195.002', 'T1496', 'T1485', 'T1498', 'T1071.001', 'T1552.007']
MISP event uuid: e1975520-e8cf-4ff6-91ab-31ba2c8ec017
π Date: 2026-05-18
πReferences:
https://www.theregister.com/cyber-crime/2026/05/18/shai-hulud-copycat-hits-another-npm-package/5242180
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ topic="supply-chain"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ malpedia="Shai-Hulud"
mitre-attack-pattern=['T1543', 'T1082', 'T1053', 'T1005', 'T1140', 'T1567', 'T1552.004', 'T1016', 'T1087', 'T1059', 'T1552.001', 'T1027', 'T1573', 'T1195.002', 'T1496', 'T1485', 'T1498', 'T1071.001', 'T1552.007']
MISP event uuid: e1975520-e8cf-4ff6-91ab-31ba2c8ec017
theregister
Shai-Hulud copycat worm infects yet another npm package
Plus three other stealers in three other packages, all from the same scumbag