📃Title: 9 Year-Old PHP Vulnerability Keeps Swinging As One of the Most Targeted Vulnerabilities
📅Date: 2026-05-19
🔗References:
https://www.vulncheck.com/blog/cve-2017-9841
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: 💉 Vulnerability
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="critical-vuln"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
mitre-attack-pattern=['T1133', 'T1082', 'T1071', 'T1608.001', 'T1190', 'T1595.002', 'T1505.003', 'T1595', 'T1087', 'T1059', 'T1083', 'T1608', 'T1059.004', 'T1027', 'T1505', 'T1071.001', 'T1018', 'T1046', 'T1105']
MISP event uuid: aa2425c7-fd98-4e8e-84c7-d5a56208bbfe
VulnCheck
VulnCheck - Outpace Adversaries
Vulnerability intelligence that predicts avenues of attack with speed and accuracy.
📃Title: [Ransomware] Unconfirmed: Sha******** Met***
📅Date: 2026-05-29
🔗References: https://www.ransomware.live/id/U2hhbnBvb3JuYW0gTWV0YWxzQGxhbWFzaHR1
🔖Rectifyq Taxonomies:
Relevancy: 🔴 Highly Relevant
Category: 💥 Data Breach
- TA-category="Ransomware"
🔖MISP Galaxies:
- target-information="Malaysia"
- sector="Manufacturing"
- ransomware="lamashtu"
mitre-attack-pattern=[]
MISP event uuid: f2f56dd8-e0fe-45c7-9e83-de9237df5602
Ransomware.live
Victim: Shanpoornam Metals – lamashtu
Ransomware.live discovered on 2026-05-29 that Shanpoornam Metals has been claimed by Lamashtu ransomware group
📃Title: New burrowing techniques
📅Date: 2026-05-20
🔗References:
https://www.welivesecurity.com/en/eset-research/webworm-new-burrowing-techniques/
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="from-original-src"
• sub-category="TA-profile"
• sub-category="campaign-analysis"
• target="broad-based"
• TA-category="APT"
• samples-found-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
• producer="ESET"
• target-information="Belgium"
• target-information="Czech Republic"
• target-information="Hungary"
• target-information="Italy"
• target-information="Nigeria"
• target-information="Poland"
• target-information="Serbia"
• target-information="South Africa"
• target-information="Spain"
• threat-actor="Webworm"
• online-service="7347d685-8e08-4ed9-9f34-264e5e4b567a"
• online-service="3b16bb5a-eb4f-4603-a909-bebc5df4a46d"
mitre-attack-pattern=['T1550.001', 'T1573.002', 'T1102.002', 'T1078.004', 'T1021.007', 'T1005', 'T1027.013', 'T1041', 'T1567.002', 'T1090.002', 'T1070.004', 'T1090.001', 'T1074.001', 'T1112', 'T1090.003', 'T1547.001', 'T1074.002', 'T1053.005', 'T1583.004', 'T1132.001', 'T1070.006', 'T1608.002', 'T1583.003', 'T1588.006', 'T1595.002', 'T1071.001', 'T1584.006', 'T1059.003', 'T1595.003']
MISP event uuid: 55a58703-da62-4330-bd76-3189d2635e28
Welivesecurity
Webworm: New burrowing techniques
ESET researchers describe new tools and techniques that the Webworm APT group recently added to its arsenal.
📃Title: PureLogs: Delivery via PawsRunner Steganography
📅Date: 2026-05-15
🔗References:
https://www.fortinet.com/blog/threat-research/purelogs-delivery-via-pawsrunner-steganography
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• sub-category="campaign-analysis"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
• producer="Fortinet"
• malpedia="PureLogs Stealer"
mitre-attack-pattern=[]
MISP event uuid: 3c80a5eb-e55b-46df-87f5-aa09ba9bb5d2
Fortinet Blog
PureLogs: Delivery via PawsRunner Steganography
FortiGuard Labs has analyzed a steganography-based malware campaign that uses PawsRunner to deliver the PureLogs infostealer, highlighting evolving delivery methods and detection strategies.…
📃Title: The Worm That Keeps on Digging: Latest Wave
📅Date: 2026-05-19
🔗References:
https://www.wiz.io/blog/mini-shai-hulud-teampcp-hits-antv-supply-chain
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="supply-chain"
• target="broad-based"
• samples-found-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
• producer="Wiz Blog"
• malpedia="Shai-Hulud"
• online-service="3b16bb5a-eb4f-4603-a909-bebc5df4a46d"
mitre-attack-pattern=['T1059.007', 'T1539', 'T1555.003', 'T1552.004', 'T1552.001', 'T1567.001', 'T1552.006', 'T1102.003', 'T1574.010', 'T1195.002', 'T1102.002', 'T1059.006', 'T1543.001', 'T1071.001', 'T1543.002', 'T1105', 'T1102.001']
MISP event uuid: a8121f4e-198f-47f3-a649-0b881e64d745
wiz.io
The Worm That Keeps on Digging: TeamPCP Hits @antv in Latest Wave | Wiz Blog
Multi-ecosystem supply chain compromise by TeamPCP targets GitHub, NPM, and VSCode to steal credentials and establish persistence.
📃Title: Fresh mischief and digital shenanigans
📅Date: 2026-05-14
🔗References:
https://www.welivesecurity.com/en/eset-research/frostyneighbor-fresh-mischief-digital-shenanigans/
🔖Rectifyq Taxonomies:
Relevancy: ⚫ Not Relevant
Category: ⚔ Threat
• mitre-att&ck="from-original-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• TA-category="APT"
• target="broad-based"
• samples-found-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
• producer="ESET"
• target-information="Lithuania"
• target-information="Poland"
• target-information="Ukraine"
• threat-actor="FrostyNeighbor"
• region="151 - Eastern Europe"
• sector="Government, Administration"
• sector="Military"
• malpedia="Cobalt Strike"
• malpedia="PicassoLoader"
mitre-attack-pattern=['T1053.005', 'T1583', 'T1036.005', 'T1204.002', 'T1566.001', 'T1082', 'T1059', 'T1608', 'T1057', 'T1041', 'T1060', 'T1588.002', 'T1027', 'T1071.001', 'T1027.009']
MISP event uuid: 62c6b987-cf0c-4a4b-9c57-a5a107789688
Welivesecurity
FrostyNeighbor: Fresh mischief and digital shenanigans
ESET researchers uncovered new activities attributed to FrostyNeighbor, updating its compromise chain to support the group’s continual cyberespionage operations.
📃Title: Ghost CMS Mass Compromised via CVE-2026-26980, Now Fueling ClickFix Attacks
📅Date: 2026-05-21
🔗References:
https://blog.xlab.qianxin.com/ghost-cms-mass-compromised-via-cve-2026-26980-now-fueling-clickfix-attacks/
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="intrusion-analysis"
• sub-category="critical-vuln"
• sub-category="campaign-analysis"
• target="broad-based"
• samples-found-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
mitre-attack-pattern=['T1218.011', 'T1132.001', 'T1059.007', 'T1140', 'T1190', 'T1583.001', 'T1055', 'T1102', 'T1583.006', 'T1204', 'T1059.001', 'T1212', 'T1547.001', 'T1566', 'T1027', 'T1573', 'T1059.003', 'T1071.001', 'T1105']
MISP event uuid: 63a2d681-adb1-4ca3-a1ae-f2d332ea8de5
QiAnXin X Lab
Ghost CMS Mass Compromised via CVE-2026-26980, Now Fueling ClickFix Attacks
Background
On May 7, 2026, XLab detected a poisoning incident targeting Ghost CMS belonging to one of important clients. The attacker exploited the high-risk SQL injection vulnerability CVE-2026-26980 in Ghost CMS to obtain the target site's Admin API Key…
📃Title: SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer
📅Date: 2026-05-21
🔗References:
https://blog.eclecticiq.com/seo-poisoning-campaign-leverages-gemini-and-claude-code-impersonation-to-deliver-infostealer
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="from-original-src"
• sub-category="campaign-analysis"
• topic="ai"
• target="broad-based"
• samples-found-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
• producer="EclecticIQ"
• target-information="United States"
• target-information="United Kingdom"
mitre-attack-pattern=['T1552.001', 'T1555.003', 'T1552.002', 'T1005', 'T1140', 'T1562.001', 'T1189', 'T1573', 'T1041', 'T1083', 'T1562.006', 'T1105', 'T1204.002', 'T1204.001', 'T1027', 'T1059.001', 'T1057', 'T1608.006', 'T1539', 'T1218', 'T1497.001', 'T1071.001', 'T1555.004']
MISP event uuid: 6c37649e-5ce2-4c1b-8fb0-c90e251a93a2
Eclecticiq
SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer
Financially motivated eCrime actors will likely continue to expand opportunistic campaigns by impersonating AI platforms. These campaigns generate direct supply chain risk for enterprises, as threat actors target software developer tooling, including AI coding…
📃Title: Politicians to Ditch Signal for Homegrown Apps
📅Date: 2026-05-21
🔗References:
https://news.risky.biz/srsly-risky-biz-politicians-to-ditch-signal-for-homegrown-apps/
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="report"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
• target-information="United States"
• target-information="Belgium"
• target-information="France"
• target-information="Germany"
• target-information="Poland"
• target-information="United Kingdom"
mitre-attack-pattern=['T1557', 'T1539', 'T1114', 'T1530', 'T1552', 'T1185', 'T1534', 'T1566', 'T1056', 'T1213']
MISP event uuid: 73a9fa17-bb23-41c0-90a6-f3aa48fc2617
Risky.Biz
Srsly Risky Biz: Politicians to Ditch Signal for Homegrown Apps
Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Amberleigh Jack. This week's edition is sponsored by Push Security.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your…
📃Title: Misconfigured, Enrolled and Dormant: Anatomy of a P2Pinfect Kubernetes Compromise
📅Date: 2026-05-20
🔗References:
https://www.fortinet.com/blog/threat-research/misconfigured-enrolled-and-dormant-anatomy-of-a-p2pinfect-kubernetes-compromise
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• workflow="enrichment"
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="intrusion-analysis"
• topic="cloud"
• target="targeted"
• samples-found-in="MalwareBazaar"
• samples-found-in="Tria.ge"
🔖MISP Galaxies:
• producer="Fortinet"
• branded-vulnerability="b2c5ca09-8d99-4138-ace7-99615894ab71"
mitre-attack-pattern=['T1110.001', 'T1133', 'T1071.004', 'T1053', 'T1190', 'T1036', 'T1563', 'T1070', 'T1552.001', 'T1098', 'T1059.004', 'T1571', 'T1027', 'T1486', 'T1573', 'T1496', 'T1027.002', 'T1071.001', 'T1105', 'T1090.001']
MISP event uuid: 6e45460a-4428-4eb4-865e-3a5a170b8b01
Fortinet Blog
Misconfigured, Enrolled and Dormant: Anatomy of a P2Pinfect Kubernetes Compromise
FortiGuard Labs analyzed several P2PInfect compromises in GKE clusters, showing how exposed Redis instances can enable persistent botnet enrollment, dormancy, and cloud runtime risk.…
📃Title: Mini Shai Hulud: Compromised @antv npm packages enable CI/CD credential theft
📅Date: 2026-05-20
🔗References:
https://www.microsoft.com/en-us/security/blog/2026/05/20/mini-shai-hulud-compromised-antv-npm-packages-enable-ci-cd-credential-theft/
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="supply-chain"
• target="broad-based"
• samples-found-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
• producer="Microsoft"
• malpedia="Shai-Hulud"
mitre-attack-pattern=['T1132.001', 'T1059.007', 'T1548.003', 'T1069.003', 'T1195.001', 'T1036.005', 'T1140', 'T1552.004', 'T1562.006', 'T1552.001', 'T1098.001', 'T1087.004', 'T1098', 'T1068', 'T1027', 'T1195.002', 'T1567.002', 'T1071.001', 'T1105', 'T1078.004']
MISP event uuid: ce69c87f-4292-4c48-9907-0aea83122aed
Microsoft News
Mini Shai Hulud: Compromised @antv npm packages enable CI/CD credential theft
Compromised @antv npm packages deploy the Mini Shai-Hulud payload to steal CI/CD secrets from Linux-based automation environments. The malware executes during npm install and targets credentials across GitHub, AWS, Kubernetes, Vault, npm, and 1Password platforms.
📃Title: Operation Dragon Whistle: UNG0002 Targets Chinese Academia via Weaponized Institutional Lure
📅Date: 2026-05-20
🔗References:
https://www.seqrite.com/blog/operation-dragon-whistle-ung002-targets-chinese-academia-via-weaponized-institutional-lure/
🔖Rectifyq Taxonomies:
Relevancy: ⚫ Not Relevant
Category: ⚔ Threat
• mitre-att&ck="from-original-src"
• mitre-att&ck="from-OTX"
• sub-category="intrusion-analysis"
• target="targeted"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
• producer="Seqrite"
• target-information="China"
• malpedia="Cobalt Strike"
mitre-attack-pattern=['T1574.002', 'T1005', 'T1622', 'T1564.001', 'T1105', 'T1204.002', 'T1036', 'T1106', 'T1027', 'T1057', 'T1620', 'T1129', 'T1566.001', 'T1218', 'T1497.001', 'T1497', 'T1059.005', 'T1071.001']
MISP event uuid: 271f7352-0846-4ffc-9841-b0e792521cbc
Seqrite Labs
Operation Dragon Whistle: UNG0002 Targets Chinese Academia via Weaponized Institutional Lure
Table of Contents: Introduction: Key Targets: Infection Chain: Initial Findings about Campaign: Analysis of Decoys & Spear phishing Email: Technical Analysis: Stage1: Analysis of LNK File. Stage2: Analysis of VBS. Stage3: DLL Side Loading. Infrastructural…
📃Title: Premium Deception: Uncovering a Global Android Carrier Billing Fraud Campaign
📅Date: 2026-05-20
🔗References:
https://zimperium.com/blog/premium-deception-uncovering-a-global-android-carrier-billing-fraud-campaign
🔖Rectifyq Taxonomies:
Relevancy: 🔴 Highly Relevant
Category: ⚔ Threat
• sub-category="campaign-analysis"
• topic="mobile-attack"
• target="broad-based"
• mitre-att&ck="from-original-src"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="x"
• action-taken="linkedin"
🔖MISP Galaxies:
• target-information="Croatia"
• target-information="Malaysia"
• target-information="Romania"
• target-information="Thailand"
• producer="Zimperium"
• online-service="b0c71d51-34fd-47b5-9eb4-dd406ffc607f"
mitre-attack-pattern=['T1412', 'T1476', 'T1646', 'T1643', 'T1417', 'T1582', 'T1603', 'T1628.001', 'T1426', 'T1422', 'T1437.001']
MISP event uuid: 441a0a60-4abf-4afc-8318-eee24dbf5b68
Zimperium
Premium Deception: Uncovering a Global Android Carrier Billing Fraud Campaign
📃Title: Tracking TamperedChef Clusters via Certificate and Code Reuse
📅Date: 2026-05-20
🔗References:
https://unit42.paloaltonetworks.com/tracking-tampered-chef-clusters/
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
• producer="Palo Alto"
• malpedia="TamperedChef"
• target-information="Israel"
• target-information="United States"
mitre-attack-pattern=['T1053.005', 'T1113', 'T1033', 'T1539', 'T1204.002', 'T1566.002', 'T1553.002', 'T1082', 'T1140', 'T1555.003', 'T1016', 'T1083', 'T1102', 'T1057', 'T1547.001', 'T1027', 'T1518.001', 'T1027.002', 'T1071.001', 'T1105', 'T1124']
MISP event uuid: 5bc9258d-74d3-4847-aa11-ec0c8b67e156
Unit 42
Tracking TamperedChef Clusters via Certificate and Code Reuse
Unit 42 analyzes TamperedChef malware clusters that use trojanized productivity apps and malvertising to deliver stealthy payloads to targets.
📃Title: Volume Obfuscation Game: The Lead Data Brokers Out To Waste Your Time
📅Date: 2026-05-20
🔗References:
https://www.group-ib.com/blog/lead-data-obfuscation-brokers/
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
• producer="Group-IB"
• country="china"
• online-service="b0c71d51-34fd-47b5-9eb4-dd406ffc607f"
mitre-attack-pattern=[]
MISP event uuid: a2f1ae5e-505c-4075-a3d6-991e1637c63c
Group-IB
Volume Obfuscation Game: The Lead Data Brokers Out To Waste Your Time
An increasing number of data brokers active in Chinese-speaking dark web forums and Telegram channels are advertising large volumes of purportedly stolen data from organizations worldwide. But are they credible?
📃Title: Beyond Tax Returns: How Shared Malware Infrastructure Scales Brand Abuse In Indonesia
📅Date: 2026-05-19
🔗References:
https://www.group-ib.com/blog/indonesia-tax-impersonation-goldfactory-malware/
🔖Rectifyq Taxonomies:
Relevancy: ⚫ Not Relevant
Category: ⚔ Threat
• mitre-att&ck="from-original-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• TA-category="Cybercrime"
• target="broad-based"
• topic="mobile-attack"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
• producer="Group-IB"
• target-information="Indonesia"
• target-information="Peru"
• target-information="Philippines"
• target-information="South Africa"
• target-information="Thailand"
• malpedia="Gigabud"
• sector="Bank"
• sector="Finance"
• sector="Government, Administration"
• malpedia="GoldDigger"
• malpedia="Remo"
• threat-actor="GoldFactory"
mitre-attack-pattern=['T1414', 'T1646', 'T1541', 'T1417.002', 'T1516', 'T1417.001', 'T1660', 'T1513', 'T1426', 'T1437.001', 'T1626', 'T1417', 'T1418', 'T1422']
MISP event uuid: 88e3ed61-0d4d-462b-9c4c-2298d7d7b9c3
Group-IB
Beyond Tax Returns: How Shared Malware Infrastructure Scales Brand Abuse In Indonesia
It’s tax season in Indonesia and fraudsters are observed to be ramping up the fraud campaign involving fake Coretax apps, but behind it lies an industrialized MaaS infrastructure ready to strike anywhere.
📃Title: Popular node-ipc npm Package Infected with Credential Stealer
📅Date: 2026-05-14
🔗References:
https://socket.dev/blog/node-ipc-package-compromised
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="supply-chain"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
• producer="37ebf9d7-5e9a-466f-a42c-6e60313db868"
mitre-attack-pattern=['T1195.002', 'T1078', 'T1136', 'T1098', 'T1071.004', 'T1048.003', 'T1041', 'T1567', 'T1005', 'T1552.001', 'T1552.004', 'T1087', 'T1082', 'T1083', 'T1119', 'T1074.001', 'T1560.001', 'T1027', 'T1027.002', 'T1059.007']
MISP event uuid: ba313d52-d178-491a-ab42-0a79bdd9755b
Socket
Popular node-ipc npm Package Infected with Credential Steale...
Socket detected malicious node-ipc versions with obfuscated stealer/backdoor behavior in a developing npm supply chain attack.
📃Title: Inside a Tor Backed Supply Chain Worm
📅Date: 2026-05-14
🔗References:
https://www.cloudsek.com/blog/inside-a-tor-backed-supply-chain-worm
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="supply-chain"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
• producer="CloudSEK"
mitre-attack-pattern=['T1195.002', 'T1554', 'T1543.002', 'T1027', 'T1078.004', 'T1078.001', 'T1087.001', 'T1552.001', 'T1552.006', 'T1563', 'T1098', 'T1036.005', 'T1090.003', 'T1071.001', 'T1059.006', 'T1548.001', 'T1496', 'T1005', 'T1041']
MISP event uuid: 76c07ddc-0f70-481e-9f63-c99aef0650b6
Cloudsek
Inside a Tor Backed Supply Chain Worm | CloudSEK
CloudSEK TRIAD uncovered a sophisticated npm supply chain attack using a typosquatted package, crypto-javascri, to mimic crypto-js. The malware steals npm and GitHub credentials, hijacks maintainer accounts, republishes trojanized packages, and uses Tor-based…
📃Title: The Evolution of ClickFix: From Cleartext to Server Side Polymorphism
📅Date: 2026-05-14
🔗References:
https://www.menlosecurity.com/blog/the-evolution-of-clickfix-from-cleartext-to-server-side-polymorphism
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• workflow="enrichment"
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
🔖MISP Galaxies:
• malpedia="Vidar"
• malpedia="DeerStealer"
mitre-attack-pattern=['T1204.001', 'T1566.002', 'T1059.001', 'T1027', 'T1140', 'T1071.001', 'T1105', 'T1055', 'T1112', 'T1497', 'T1070.004', 'T1082', 'T1555.003', 'T1555', 'T1539', 'T1005', 'T1041', 'T1027.002']
MISP event uuid: 6d14d444-58c0-45da-92e5-fca9cdcd7637
Menlosecurity
The Evolution of ClickFix: From Cleartext to Server Side Polymorphism - Blog | Menlo Security
Menlo has identified ~4,500 domains that belong to a Polymorphism campaign, demonstrating a massive infrastructure powering these evasive ClickFix attacks.
📃Title: Infostealer Campaign Using Trading App as Lure
📅Date: 2026-05-20
🔗References:
https://hybrid-analysis.blogspot.com/2026/05/velvet-chollima-infostealer-campaign.html?m=1
🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
🔖MISP Galaxies:
• producer="Hybrid Analysis"
mitre-attack-pattern=['T1566', 'T1204', 'T1036', 'T1553.002', 'T1547.001', 'T1053.005', 'T1059.001', 'T1027', 'T1105', 'T1082', 'T1012', 'T1518.001', 'T1056.001', 'T1555.003', 'T1567.001', 'T1071.001', 'T1132', 'T1497', 'T1497.001', 'T1614']
MISP event uuid: 08b137bc-104f-4dcc-a5ab-09ec9ce19b7b