Rectifyq Cybersecurity News 🇲🇾 pinned «Title: [Ransomware] Unconfirmed: MSC Gro** Date: 2026-05-18 References: https://www.ransomware.live/id/TVNDIEdyb3VwQGxhbWFzaHR1 Rectifyq Taxonomies: Relevancy: 🔴 Highly Relevant Category: Data Breach - TA-category="Ransomware" MISP Galaxies: - target…»
Title: Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities
Date: 2026-05-14
References:
https://blog.talosintelligence.com/sd-wan-ongoing-exploitation/
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Vulnerability
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="critical-vuln"
• target="broad-based"
• samples-found-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Cisco Talos Intelligence Group"
mitre-attack-pattern=['T1003', 'T1552.005', 'T1021.004', 'T1005', 'T1190', 'T1505.003', 'T1090', 'T1083', 'T1552.001', 'T1098', 'T1059.004', 'T1562.001', 'T1078', 'T1027', 'T1573', 'T1496', 'T1070.004', 'T1071.001', 'T1136', 'T1018']
MISP event uuid: fbb6cb43-042c-4d70-99d5-c92d71587c91
Cisco Talos
Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities
Cisco Talos is tracking the active exploitation of CVE-2026-20182, an authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage.
Title: Spring harvest - Leek Likho group's campaign to hunt for documents
Date: 2026-05-15
References:
https://securelist.ru/tr/leek-likho-hunting-for-data-with-tor-and-llms/115601/
Rectifyq Taxonomies:
Relevancy: ⚫ Not Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• TA-category="APT"
• target="broad-based"
• topic="ai"
• samples-found-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Kaspersky"
• sector="Government, Administration"
• target-information="Belarus"
• target-information="Russia"
mitre-attack-pattern=['T1547', 'T1090', 'T1059']
MISP event uuid: 8483102e-5129-4460-b958-d38750a66fe4
Title: Chinese APT Campaign Targets Entities with Updated FDMTP Backdoor
Date: 2026-05-14
References:
https://www.darktrace.com/blog/chinese-apt-campaign-targets-entities-with-updated-fdmtp-backdoor
Rectifyq Taxonomies:
Relevancy: 🟡 Somewhat Relevant
Category: Threat
• mitre-att&ck="from-original-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• TA-category="APT"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• country="china"
• region="142 - Asia"
mitre-attack-pattern=['T1007', 'T1027', 'T1030', 'T1053', 'T1071', 'T1082', 'T1095', 'T1140', 'T1547', 'T1574', 'T1127', 'T1562', 'T1499', 'T1195', 'T1490', 'T1056', 'T1123', 'T1059', 'T1134', 'T1055', 'T1574.001', 'T1106', 'T1547.001', 'T1053.005']
MISP event uuid: 4583b718-a906-4818-8811-97ba5fae34a6
Darktrace
Chinese APT Campaign Targets Entities with Updated FDMTP Backdoor
Darktrace researchers identified a Twill Typhoon-linked China-nexus campaign targeting APJ customers. The activity observed includes CDN impersonation, legitimate binaries, and DLL sideloading to deploy a modular .NET RAT.
Title: Cato CTRL Threat Research: Suspected China-Linked Threat Actor Targets Global Manufacturer with Undocumented TencShell Malware
Date: 2026-05-13
References:
https://www.catonetworks.com/blog/cato-ctrl-suspected-china-linked-threat-actor-targets-global-manufacturer/
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="from-original-src"
• mitre-att&ck="from-OTX"
• sub-category="intrusion-analysis"
• target="targeted"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
mitre-attack-pattern=['T1005', 'T1036', 'T1041', 'T1055', 'T1057', 'T1059', 'T1071', 'T1082', 'T1083', 'T1090', 'T1102', 'T1105', 'T1106', 'T1113', 'T1129', 'T1547', 'T1548', 'T1548.002', 'T1070.004', 'T1090.001', 'T1036.008', 'T1571', 'T1620', 'T1547.001', 'T1071.001', 'T1059.003']
MISP event uuid: 2a009741-12ae-4be9-8bd5-9f1fb78483bf
Title: Vidar v1.5 in Go: same family, new language, heavy sandbox checks
Date: 2026-05-16
References:
https://www.derp.ca/research/vidar-go-sandbox-dead-drop/
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="malware-analysis"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• malpedia="Vidar"
mitre-attack-pattern=['T1497']
MISP event uuid: 086035cf-56d1-42da-82a8-35dfa8c0e324
Derp
Vidar v1.5 in Go: same family, new language, heavy sandbox checks
A Go 1.25.4 Vidar v1.5 sample uses a twelve-category sandbox scoring system, Telegram and Steam dead-drop C2 discovery, and process injection APIs.
Title: FlowerStorm unleashes the KrakVM: PhaaS operators turn to VM-based obfuscation
Date: 2026-05-14
References:
https://sublime.security/blog/flowerstorm-unleashes-the-krakvm-phaas-operators-turn-to-vm-based-obfuscation/
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="tool-profile"
• sub-category="campaign-analysis"
• topic="mobile-attack"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
mitre-attack-pattern=['T1566']
MISP event uuid: 0e1d220e-d9da-4f25-ac9e-469b98eadcad
Title: macOS Stealer Spoofs Apple, Google, and Microsoft in a Single Attack Chain
Date: 2026-05-18
References:
https://www.sentinelone.com/blog/shub-reaper-macos-stealer-spoofs-apple-google-and-microsoft-in-a-single-attack-chain/
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="malware-analysis"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="SentinelOne"
mitre-attack-pattern=['T1560.001', 'T1539', 'T1074.001', 'T1036.005', 'T1555.001', 'T1204.002', 'T1082', 'T1059.002', 'T1005', 'T1555.003', 'T1083', 'T1566', 'T1059.004', 'T1027', 'T1567.002', 'T1543.001', 'T1070.004', 'T1071.001', 'T1102.001']
MISP event uuid: 9f05b1a5-3943-44f0-9c7a-e5523c92663d
SentinelOne
SHub Reaper | macOS Stealer Spoofs Apple, Google, and Microsoft in a Single Attack Chain
SHub Reaper bypasses Apple's Terminal mitigation, steals credentials and documents, and plants a persistent backdoor for continued access after infection.
Title: Active Supply Chain Attack Compromises Packages on npm
Date: 2026-05-19
References:
https://socket.dev/blog/antv-packages-compromised
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="supply-chain"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="37ebf9d7-5e9a-466f-a42c-6e60313db868"
• malpedia="Shai-Hulud"
mitre-attack-pattern=['T1059.007', 'T1552.005', 'T1573.001', 'T1106', 'T1219', 'T1552.004', 'T1552.001', 'T1567.001', 'T1059.004', 'T1027', 'T1195.002', 'T1070.004', 'T1071.001', 'T1543.002', 'T1105', 'T1078.004', 'T1552.007']
MISP event uuid: 05e5980c-095e-4789-a521-73f3eb7e7b31
Socket
Mini Shai-Hulud Hits @antv Ecosystem, 639 Compromised npm Pa...
Active npm supply chain attack compromises @antv packages in a fast-moving malicious publish wave tied to Mini Shai-Hulud.
Title: Copycat hits another npm package
Date: 2026-05-18
References:
https://www.theregister.com/cyber-crime/2026/05/18/shai-hulud-copycat-hits-another-npm-package/5242180
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="supply-chain"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• malpedia="Shai-Hulud"
mitre-attack-pattern=['T1543', 'T1082', 'T1053', 'T1005', 'T1140', 'T1567', 'T1552.004', 'T1016', 'T1087', 'T1059', 'T1552.001', 'T1027', 'T1573', 'T1195.002', 'T1496', 'T1485', 'T1498', 'T1071.001', 'T1552.007']
MISP event uuid: e1975520-e8cf-4ff6-91ab-31ba2c8ec017
theregister
Shai-Hulud copycat worm infects yet another npm package
Plus three other stealers in three other packages, all from the same scumbag
Title: Popular Go Decimal Library Targeted by Long-Running Typosquat with DNS Backdoor
Date: 2026-05-20
References:
https://socket.dev/blog/popular-go-decimal-library-typosquat-dns-backdoor
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="from-original-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="supply-chain"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="37ebf9d7-5e9a-466f-a42c-6e60313db868"
mitre-attack-pattern=['T1071.004', 'T1583.001', 'T1572', 'T1059', 'T1568', 'T1195.002']
MISP event uuid: dc882c2c-c7f2-45d3-b3fb-29500dcf9b18
Socket
Popular Go Decimal Library Targeted by Long-Running Typosqua...
A long-running Go typosquat impersonated the popular shopspring/decimal library and used DNS TXT records to execute commands.
Title: Inside Banana RAT: From Build Server to Banking Fraud
Date: 2026-05-19
References:
https://www.trendmicro.com/en_us/research/26/e/banana-rat.html
Rectifyq Taxonomies:
Relevancy: ⚫ Not Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="malware-analysis"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Trend Micro"
• target-information="Brazil"
mitre-attack-pattern=['T1053.005', 'T1113', 'T1056.001', 'T1036.005', 'T1204.002', 'T1573.001', 'T1115', 'T1082', 'T1140', 'T1055', 'T1185', 'T1112', 'T1083', 'T1041', 'T1059.001', 'T1566', 'T1001', 'T1027', 'T1071.001', 'T1564.001']
MISP event uuid: 0b84e4bb-274b-4d06-a180-f52c8b474e6d
Trend Micro
Inside SHADOW-WATER-063's Banana RAT: From Build Server to Banking Fraud
Title: Latest PyPi Compromise
Date: 2026-05-19
References:
https://www.wiz.io/blog/durabletask-teampcp-supply-chain-attack
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="supply-chain"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Wiz Blog"
mitre-attack-pattern=['T1195.001', 'T1555.005', 'T1106', 'T1005', 'T1555.003', 'T1552.004', 'T1083', 'T1552.001', 'T1552.006', 'T1087.004', 'T1547.001', 'T1078', 'T1027', 'T1195.002', 'T1573.002', 'T1570', 'T1059.006', 'T1071.001', 'T1021.001', 'T1552.007']
MISP event uuid: 1e57b118-ee0f-4afc-a1fb-2b6687f960df
wiz.io
durabletask: TeamPCP's Latest PyPi Compromise | Wiz Blog
Discover the latest on malicious versions of the pypi package durabletask, matching TeamPCP tactics.
Title: Exposing Fox Tempest: A malware-signing service operation
Date: 2026-05-19
References:
https://www.microsoft.com/en-us/security/blog/2026/05/19/exposing-fox-tempest-a-malware-signing-service-operation/
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="tool-profile"
• TA-category="Cybercrime"
• TA-category="Ransomware"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Microsoft"
• target-information="United States"
• target-information="British Indian Ocean Territory"
• target-information="China"
• target-information="France"
• target-information="India"
mitre-attack-pattern=['T1204.002', 'T1553.002', 'T1082', 'T1140', 'T1567', 'T1218', 'T1136.001', 'T1083', 'T1059.001', 'T1566', 'T1562.001', 'T1078', 'T1027', 'T1036.001', 'T1486', 'T1195.002', 'T1189', 'T1071.001', 'T1105', 'T1021.001']
MISP event uuid: 7d52bcc6-a889-4f8a-a841-d5ae3b3714c5
Microsoft News
Exposing Fox Tempest: A malware-signing service operation
Fox Tempest is a financially motivated threat actor operating a malware-signing-as-a-service (MSaaS) used by other cybercriminals, including Vanilla Tempest and Storm groups, to more effectively distribute malicious code, including ransomware.
Title: 9 Year-Old PHP Vulnerability Keeps Swinging As One of the Most Targeted Vulnerabilities
Date: 2026-05-19
References:
https://www.vulncheck.com/blog/cve-2017-9841
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Vulnerability
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="critical-vuln"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
mitre-attack-pattern=['T1133', 'T1082', 'T1071', 'T1608.001', 'T1190', 'T1595.002', 'T1505.003', 'T1595', 'T1087', 'T1059', 'T1083', 'T1608', 'T1059.004', 'T1027', 'T1505', 'T1071.001', 'T1018', 'T1046', 'T1105']
MISP event uuid: aa2425c7-fd98-4e8e-84c7-d5a56208bbfe
VulnCheck
VulnCheck - Outpace Adversaries
Vulnerability intelligence that predicts avenues of attack with speed and accuracy.
Title: [Ransomware] Unconfirmed: Sha******** Met***
Date: 2026-05-29
References: https://www.ransomware.live/id/U2hhbnBvb3JuYW0gTWV0YWxzQGxhbWFzaHR1
Rectifyq Taxonomies:
Relevancy: 🔴 Highly Relevant
Category: Data Breach
- TA-category="Ransomware"
MISP Galaxies:
- target-information="Malaysia"
- sector="Manufacturing"
- ransomware="lamashtu"
mitre-attack-pattern=[]
MISP event uuid: f2f56dd8-e0fe-45c7-9e83-de9237df5602
Ransomware.live
Victim: Shanpoornam Metals – lamashtu
Ransomware.live discovered on 2026-05-29 that Shanpoornam Metals has been claimed by Lamashtu ransomware group
Title: New burrowing techniques
Date: 2026-05-20
References:
https://www.welivesecurity.com/en/eset-research/webworm-new-burrowing-techniques/
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="from-original-src"
• sub-category="TA-profile"
• sub-category="campaign-analysis"
• target="broad-based"
• TA-category="APT"
• samples-found-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="ESET"
• target-information="Belgium"
• target-information="Czech Republic"
• target-information="Hungary"
• target-information="Italy"
• target-information="Nigeria"
• target-information="Poland"
• target-information="Serbia"
• target-information="South Africa"
• target-information="Spain"
• threat-actor="Webworm"
• online-service="7347d685-8e08-4ed9-9f34-264e5e4b567a"
• online-service="3b16bb5a-eb4f-4603-a909-bebc5df4a46d"
mitre-attack-pattern=['T1550.001', 'T1573.002', 'T1102.002', 'T1078.004', 'T1021.007', 'T1005', 'T1027.013', 'T1041', 'T1567.002', 'T1090.002', 'T1070.004', 'T1090.001', 'T1074.001', 'T1112', 'T1090.003', 'T1547.001', 'T1074.002', 'T1053.005', 'T1583.004', 'T1132.001', 'T1070.006', 'T1608.002', 'T1583.003', 'T1588.006', 'T1595.002', 'T1071.001', 'T1584.006', 'T1059.003', 'T1595.003']
MISP event uuid: 55a58703-da62-4330-bd76-3189d2635e28
Welivesecurity
Webworm: New burrowing techniques
ESET researchers describe new tools and techniques that the Webworm APT group recently added to its arsenal.
Title: PureLogs: Delivery via PawsRunner Steganography
Date: 2026-05-15
References:
https://www.fortinet.com/blog/threat-research/purelogs-delivery-via-pawsrunner-steganography
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• sub-category="campaign-analysis"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Fortinet"
• malpedia="PureLogs Stealer"
mitre-attack-pattern=[]
MISP event uuid: 3c80a5eb-e55b-46df-87f5-aa09ba9bb5d2
Fortinet Blog
PureLogs: Delivery via PawsRunner Steganography
FortiGuard Labs has analyzed a steganography-based malware campaign that uses PawsRunner to deliver the PureLogs infostealer, highlighting evolving delivery methods and detection strategies.…
Title: The Worm That Keeps on Digging: Latest Wave
Date: 2026-05-19
References:
https://www.wiz.io/blog/mini-shai-hulud-teampcp-hits-antv-supply-chain
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="supply-chain"
• target="broad-based"
• samples-found-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Wiz Blog"
• malpedia="Shai-Hulud"
• online-service="3b16bb5a-eb4f-4603-a909-bebc5df4a46d"
mitre-attack-pattern=['T1059.007', 'T1539', 'T1555.003', 'T1552.004', 'T1552.001', 'T1567.001', 'T1552.006', 'T1102.003', 'T1574.010', 'T1195.002', 'T1102.002', 'T1059.006', 'T1543.001', 'T1071.001', 'T1543.002', 'T1105', 'T1102.001']
MISP event uuid: a8121f4e-198f-47f3-a649-0b881e64d745
wiz.io
The Worm That Keeps on Digging: TeamPCP Hits @antv in Latest Wave | Wiz Blog
Multi-ecosystem supply chain compromise by TeamPCP targets GitHub, NPM, and VSCode to steal credentials and establish persistence.
Title: Fresh mischief and digital shenanigans
Date: 2026-05-14
References:
https://www.welivesecurity.com/en/eset-research/frostyneighbor-fresh-mischief-digital-shenanigans/
Rectifyq Taxonomies:
Relevancy: ⚫ Not Relevant
Category: Threat
• mitre-att&ck="from-original-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• TA-category="APT"
• target="broad-based"
• samples-found-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="ESET"
• target-information="Lithuania"
• target-information="Poland"
• target-information="Ukraine"
• threat-actor="FrostyNeighbor"
• region="151 - Eastern Europe"
• sector="Government, Administration"
• sector="Military"
• malpedia="Cobalt Strike"
• malpedia="PicassoLoader"
mitre-attack-pattern=['T1053.005', 'T1583', 'T1036.005', 'T1204.002', 'T1566.001', 'T1082', 'T1059', 'T1608', 'T1057', 'T1041', 'T1060', 'T1588.002', 'T1027', 'T1071.001', 'T1027.009']
MISP event uuid: 62c6b987-cf0c-4a4b-9c57-a5a107789688
Welivesecurity
FrostyNeighbor: Fresh mischief and digital shenanigans
ESET researchers uncovered new activities attributed to FrostyNeighbor, updating its compromise chain to support the group's continual cyberespionage operations.