๐Title: [Ransomware] Unconfirmed: Sha******** Met***
๐ Date: 2026-05-29
๐References: https://www.ransomware.live/id/U2hhbnBvb3JuYW0gTWV0YWxzQGxhbWFzaHR1
๐Rectifyq Taxonomies:
Relevancy: ๐ด Highly Relevant
Category: ๐ฅ Data Breach
- TA-category="Ransomware"
๐MISP Galaxies:
- target-information="Malaysia"
- sector="Manufacturing"
- ransomware="lamashtu"
mitre-attack-pattern=[]
MISP event uuid: f2f56dd8-e0fe-45c7-9e83-de9237df5602
๐ Date: 2026-05-29
๐References: https://www.ransomware.live/id/U2hhbnBvb3JuYW0gTWV0YWxzQGxhbWFzaHR1
๐Rectifyq Taxonomies:
Relevancy: ๐ด Highly Relevant
Category: ๐ฅ Data Breach
- TA-category="Ransomware"
๐MISP Galaxies:
- target-information="Malaysia"
- sector="Manufacturing"
- ransomware="lamashtu"
mitre-attack-pattern=[]
MISP event uuid: f2f56dd8-e0fe-45c7-9e83-de9237df5602
Ransomware.live
Victim: Shanpoornam Metals โ lamashtu
Ransomware.live discovered on 2026-05-29 that Shanpoornam Metals has been claimed by Lamashtu ransomware group
Rectifyq Cybersecurity News ๐ฒ๐พ pinned ยซ๐Title: [Ransomware] Unconfirmed: Sha******** Met*** ๐
Date: 2026-05-29 ๐References: https://www.ransomware.live/id/U2hhbnBvb3JuYW0gTWV0YWxzQGxhbWFzaHR1 ๐Rectifyq Taxonomies: Relevancy: ๐ด Highly Relevant Category: ๐ฅ Data Breach - TA-category="Ransomware"โฆยป
๐Title: New burrowing techniques
๐ Date: 2026-05-20
๐References:
https://www.welivesecurity.com/en/eset-research/webworm-new-burrowing-techniques/
๐Rectifyq Taxonomies:
Relevancy: ๐ต Potentially Relevant
Category: โ Threat
โข mitre-att&ck="from-original-src"
โข sub-category="TA-profile"
โข sub-category="campaign-analysis"
โข target="broad-based"
โข TA-category="APT"
โข samples-found-in="MalwareBazaar"
โข samples-found-in="Tria.ge"
โข action-taken="VT-comment"
๐MISP Galaxies:
โข producer="ESET"
โข target-information="Belgium"
โข target-information="Czech Republic"
โข target-information="Hungary"
โข target-information="Italy"
โข target-information="Nigeria"
โข target-information="Poland"
โข target-information="Serbia"
โข target-information="South Africa"
โข target-information="Spain"
โข threat-actor="Webworm"
โข online-service="7347d685-8e08-4ed9-9f34-264e5e4b567a"
โข online-service="3b16bb5a-eb4f-4603-a909-bebc5df4a46d"
mitre-attack-pattern=['T1550.001', 'T1573.002', 'T1102.002', 'T1078.004', 'T1021.007', 'T1005', 'T1027.013', 'T1041', 'T1567.002', 'T1090.002', 'T1070.004', 'T1090.001', 'T1074.001', 'T1112', 'T1090.003', 'T1547.001', 'T1074.002', 'T1053.005', 'T1583.004', 'T1132.001', 'T1070.006', 'T1608.002', 'T1583.003', 'T1588.006', 'T1595.002', 'T1071.001', 'T1584.006', 'T1059.003', 'T1595.003']
MISP event uuid: 55a58703-da62-4330-bd76-3189d2635e28
๐ Date: 2026-05-20
๐References:
https://www.welivesecurity.com/en/eset-research/webworm-new-burrowing-techniques/
๐Rectifyq Taxonomies:
Relevancy: ๐ต Potentially Relevant
Category: โ Threat
โข mitre-att&ck="from-original-src"
โข sub-category="TA-profile"
โข sub-category="campaign-analysis"
โข target="broad-based"
โข TA-category="APT"
โข samples-found-in="MalwareBazaar"
โข samples-found-in="Tria.ge"
โข action-taken="VT-comment"
๐MISP Galaxies:
โข producer="ESET"
โข target-information="Belgium"
โข target-information="Czech Republic"
โข target-information="Hungary"
โข target-information="Italy"
โข target-information="Nigeria"
โข target-information="Poland"
โข target-information="Serbia"
โข target-information="South Africa"
โข target-information="Spain"
โข threat-actor="Webworm"
โข online-service="7347d685-8e08-4ed9-9f34-264e5e4b567a"
โข online-service="3b16bb5a-eb4f-4603-a909-bebc5df4a46d"
mitre-attack-pattern=['T1550.001', 'T1573.002', 'T1102.002', 'T1078.004', 'T1021.007', 'T1005', 'T1027.013', 'T1041', 'T1567.002', 'T1090.002', 'T1070.004', 'T1090.001', 'T1074.001', 'T1112', 'T1090.003', 'T1547.001', 'T1074.002', 'T1053.005', 'T1583.004', 'T1132.001', 'T1070.006', 'T1608.002', 'T1583.003', 'T1588.006', 'T1595.002', 'T1071.001', 'T1584.006', 'T1059.003', 'T1595.003']
MISP event uuid: 55a58703-da62-4330-bd76-3189d2635e28
Welivesecurity
Webworm: New burrowing techniques
ESET researchers describe new tools and techniques that the Webworm APT group recently added to its arsenal.
๐Title: PureLogs: Delivery via PawsRunner Steganography
๐ Date: 2026-05-15
๐References:
https://www.fortinet.com/blog/threat-research/purelogs-delivery-via-pawsrunner-steganography
๐Rectifyq Taxonomies:
Relevancy: ๐ต Potentially Relevant
Category: โ Threat
โข mitre-att&ck="none-from-src"
โข sub-category="campaign-analysis"
โข target="broad-based"
โข no-samples-in="MalwareBazaar"
โข no-samples-in="Tria.ge"
โข action-taken="VT-comment"
๐MISP Galaxies:
โข producer="Fortinet"
โข malpedia="PureLogs Stealer"
mitre-attack-pattern=[]
MISP event uuid: 3c80a5eb-e55b-46df-87f5-aa09ba9bb5d2
๐ Date: 2026-05-15
๐References:
https://www.fortinet.com/blog/threat-research/purelogs-delivery-via-pawsrunner-steganography
๐Rectifyq Taxonomies:
Relevancy: ๐ต Potentially Relevant
Category: โ Threat
โข mitre-att&ck="none-from-src"
โข sub-category="campaign-analysis"
โข target="broad-based"
โข no-samples-in="MalwareBazaar"
โข no-samples-in="Tria.ge"
โข action-taken="VT-comment"
๐MISP Galaxies:
โข producer="Fortinet"
โข malpedia="PureLogs Stealer"
mitre-attack-pattern=[]
MISP event uuid: 3c80a5eb-e55b-46df-87f5-aa09ba9bb5d2
Fortinet Blog
PureLogs: Delivery via PawsRunner Steganography
FortiGuard Labs has analyzed a steganography-based malware campaign that uses PawsRunner to deliver the PureLogs infostealer, highlighting evolving delivery methods and detection strategies.โฆ
๐Title: The Worm That Keeps on Digging: Latest Wave
๐ Date: 2026-05-19
๐References:
https://www.wiz.io/blog/mini-shai-hulud-teampcp-hits-antv-supply-chain
๐Rectifyq Taxonomies:
Relevancy: ๐ต Potentially Relevant
Category: โ Threat
โข mitre-att&ck="none-from-src"
โข mitre-att&ck="from-OTX"
โข sub-category="campaign-analysis"
โข topic="supply-chain"
โข target="broad-based"
โข samples-found-in="MalwareBazaar"
โข samples-found-in="Tria.ge"
โข action-taken="VT-comment"
๐MISP Galaxies:
โข producer="Wiz Blog"
โข malpedia="Shai-Hulud"
โข online-service="3b16bb5a-eb4f-4603-a909-bebc5df4a46d"
mitre-attack-pattern=['T1059.007', 'T1539', 'T1555.003', 'T1552.004', 'T1552.001', 'T1567.001', 'T1552.006', 'T1102.003', 'T1574.010', 'T1195.002', 'T1102.002', 'T1059.006', 'T1543.001', 'T1071.001', 'T1543.002', 'T1105', 'T1102.001']
MISP event uuid: a8121f4e-198f-47f3-a649-0b881e64d745
๐ Date: 2026-05-19
๐References:
https://www.wiz.io/blog/mini-shai-hulud-teampcp-hits-antv-supply-chain
๐Rectifyq Taxonomies:
Relevancy: ๐ต Potentially Relevant
Category: โ Threat
โข mitre-att&ck="none-from-src"
โข mitre-att&ck="from-OTX"
โข sub-category="campaign-analysis"
โข topic="supply-chain"
โข target="broad-based"
โข samples-found-in="MalwareBazaar"
โข samples-found-in="Tria.ge"
โข action-taken="VT-comment"
๐MISP Galaxies:
โข producer="Wiz Blog"
โข malpedia="Shai-Hulud"
โข online-service="3b16bb5a-eb4f-4603-a909-bebc5df4a46d"
mitre-attack-pattern=['T1059.007', 'T1539', 'T1555.003', 'T1552.004', 'T1552.001', 'T1567.001', 'T1552.006', 'T1102.003', 'T1574.010', 'T1195.002', 'T1102.002', 'T1059.006', 'T1543.001', 'T1071.001', 'T1543.002', 'T1105', 'T1102.001']
MISP event uuid: a8121f4e-198f-47f3-a649-0b881e64d745
wiz.io
The Worm That Keeps on Digging: TeamPCP Hits @antv in Latest Wave | Wiz Blog
Multi-ecosystem supply chain compromise by TeamPCP targets GitHub, NPM, and VSCode to steal credentials and establish persistence.
๐Title: Fresh mischief and digital shenanigans
๐ Date: 2026-05-14
๐References:
https://www.welivesecurity.com/en/eset-research/frostyneighbor-fresh-mischief-digital-shenanigans/
๐Rectifyq Taxonomies:
Relevancy: โซ Not Relevant
Category: โ Threat
โข mitre-att&ck="from-original-src"
โข mitre-att&ck="from-OTX"
โข sub-category="campaign-analysis"
โข TA-category="APT"
โข target="broad-based"
โข samples-found-in="MalwareBazaar"
โข samples-found-in="Tria.ge"
โข action-taken="VT-comment"
๐MISP Galaxies:
โข producer="ESET"
โข target-information="Lithuania"
โข target-information="Poland"
โข target-information="Ukraine"
โข threat-actor="FrostyNeighbor"
โข region="151 - Eastern Europe"
โข sector="Government, Administration"
โข sector="Military"
โข malpedia="Cobalt Strike"
โข malpedia="PicassoLoader"
mitre-attack-pattern=['T1053.005', 'T1583', 'T1036.005', 'T1204.002', 'T1566.001', 'T1082', 'T1059', 'T1608', 'T1057', 'T1041', 'T1060', 'T1588.002', 'T1027', 'T1071.001', 'T1027.009']
MISP event uuid: 62c6b987-cf0c-4a4b-9c57-a5a107789688
๐ Date: 2026-05-14
๐References:
https://www.welivesecurity.com/en/eset-research/frostyneighbor-fresh-mischief-digital-shenanigans/
๐Rectifyq Taxonomies:
Relevancy: โซ Not Relevant
Category: โ Threat
โข mitre-att&ck="from-original-src"
โข mitre-att&ck="from-OTX"
โข sub-category="campaign-analysis"
โข TA-category="APT"
โข target="broad-based"
โข samples-found-in="MalwareBazaar"
โข samples-found-in="Tria.ge"
โข action-taken="VT-comment"
๐MISP Galaxies:
โข producer="ESET"
โข target-information="Lithuania"
โข target-information="Poland"
โข target-information="Ukraine"
โข threat-actor="FrostyNeighbor"
โข region="151 - Eastern Europe"
โข sector="Government, Administration"
โข sector="Military"
โข malpedia="Cobalt Strike"
โข malpedia="PicassoLoader"
mitre-attack-pattern=['T1053.005', 'T1583', 'T1036.005', 'T1204.002', 'T1566.001', 'T1082', 'T1059', 'T1608', 'T1057', 'T1041', 'T1060', 'T1588.002', 'T1027', 'T1071.001', 'T1027.009']
MISP event uuid: 62c6b987-cf0c-4a4b-9c57-a5a107789688
Welivesecurity
FrostyNeighbor: Fresh mischief and digital shenanigans
ESET researchers uncovered new activities attributed to FrostyNeighbor, updating its compromise chain to support the groupโs continual cyberespionage operations.
๐Title: Ghost CMS Mass Compromised via CVE-2026-26980, Now Fueling ClickFix Attacks
๐ Date: 2026-05-21
๐References:
https://blog.xlab.qianxin.com/ghost-cms-mass-compromised-via-cve-2026-26980-now-fueling-clickfix-attacks/
๐Rectifyq Taxonomies:
Relevancy: ๐ต Potentially Relevant
Category: โ Threat
โข mitre-att&ck="none-from-src"
โข mitre-att&ck="from-OTX"
โข sub-category="intrusion-analysis"
โข sub-category="critical-vuln"
โข sub-category="campaign-analysis"
โข target="broad-based"
โข samples-found-in="MalwareBazaar"
โข samples-found-in="Tria.ge"
โข action-taken="VT-comment"
๐MISP Galaxies:
mitre-attack-pattern=['T1218.011', 'T1132.001', 'T1059.007', 'T1140', 'T1190', 'T1583.001', 'T1055', 'T1102', 'T1583.006', 'T1204', 'T1059.001', 'T1212', 'T1547.001', 'T1566', 'T1027', 'T1573', 'T1059.003', 'T1071.001', 'T1105']
MISP event uuid: 63a2d681-adb1-4ca3-a1ae-f2d332ea8de5
๐ Date: 2026-05-21
๐References:
https://blog.xlab.qianxin.com/ghost-cms-mass-compromised-via-cve-2026-26980-now-fueling-clickfix-attacks/
๐Rectifyq Taxonomies:
Relevancy: ๐ต Potentially Relevant
Category: โ Threat
โข mitre-att&ck="none-from-src"
โข mitre-att&ck="from-OTX"
โข sub-category="intrusion-analysis"
โข sub-category="critical-vuln"
โข sub-category="campaign-analysis"
โข target="broad-based"
โข samples-found-in="MalwareBazaar"
โข samples-found-in="Tria.ge"
โข action-taken="VT-comment"
๐MISP Galaxies:
mitre-attack-pattern=['T1218.011', 'T1132.001', 'T1059.007', 'T1140', 'T1190', 'T1583.001', 'T1055', 'T1102', 'T1583.006', 'T1204', 'T1059.001', 'T1212', 'T1547.001', 'T1566', 'T1027', 'T1573', 'T1059.003', 'T1071.001', 'T1105']
MISP event uuid: 63a2d681-adb1-4ca3-a1ae-f2d332ea8de5
ๅฅๅฎไฟก X ๅฎ้ชๅฎค
Ghost CMS Mass Compromised via CVE-2026-26980, Now Fueling ClickFix Attacks
Background
On May 7, 2026, XLab detected a poisoning incident targeting Ghost CMS belonging to one of important clients. The attacker exploited the high-risk SQL injection vulnerability CVE-2026-26980 in Ghost CMS to obtain the target site's Admin API Keyโฆ
On May 7, 2026, XLab detected a poisoning incident targeting Ghost CMS belonging to one of important clients. The attacker exploited the high-risk SQL injection vulnerability CVE-2026-26980 in Ghost CMS to obtain the target site's Admin API Keyโฆ
๐Title: SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer
๐ Date: 2026-05-21
๐References:
https://blog.eclecticiq.com/seo-poisoning-campaign-leverages-gemini-and-claude-code-impersonation-to-deliver-infostealer
๐Rectifyq Taxonomies:
Relevancy: ๐ต Potentially Relevant
Category: โ Threat
โข mitre-att&ck="from-original-src"
โข sub-category="campaign-analysis"
โข topic="ai"
โข target="broad-based"
โข samples-found-in="MalwareBazaar"
โข samples-found-in="Tria.ge"
โข action-taken="VT-comment"
๐MISP Galaxies:
โข producer="EclecticIQ"
โข target-information="United States"
โข target-information="United Kingdom"
mitre-attack-pattern=['T1552.001', 'T1555.003', 'T1552.002', 'T1005', 'T1140', 'T1562.001', 'T1189', 'T1573', 'T1041', 'T1083', 'T1562.006', 'T1105', 'T1204.002', 'T1204.001', 'T1027', 'T1059.001', 'T1057', 'T1608.006', 'T1539', 'T1218', 'T1497.001', 'T1071.001', 'T1555.004']
MISP event uuid: 6c37649e-5ce2-4c1b-8fb0-c90e251a93a2
๐ Date: 2026-05-21
๐References:
https://blog.eclecticiq.com/seo-poisoning-campaign-leverages-gemini-and-claude-code-impersonation-to-deliver-infostealer
๐Rectifyq Taxonomies:
Relevancy: ๐ต Potentially Relevant
Category: โ Threat
โข mitre-att&ck="from-original-src"
โข sub-category="campaign-analysis"
โข topic="ai"
โข target="broad-based"
โข samples-found-in="MalwareBazaar"
โข samples-found-in="Tria.ge"
โข action-taken="VT-comment"
๐MISP Galaxies:
โข producer="EclecticIQ"
โข target-information="United States"
โข target-information="United Kingdom"
mitre-attack-pattern=['T1552.001', 'T1555.003', 'T1552.002', 'T1005', 'T1140', 'T1562.001', 'T1189', 'T1573', 'T1041', 'T1083', 'T1562.006', 'T1105', 'T1204.002', 'T1204.001', 'T1027', 'T1059.001', 'T1057', 'T1608.006', 'T1539', 'T1218', 'T1497.001', 'T1071.001', 'T1555.004']
MISP event uuid: 6c37649e-5ce2-4c1b-8fb0-c90e251a93a2
Eclecticiq
SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer
Financially motivated eCrime actors will likely continue to expand opportunistic campaigns by impersonating AI platforms. These campaigns generate direct supply chain risk for enterprises, as threat actors target software developer tooling, including AI codingโฆ
๐Title: Politicians to Ditch Signal for Homegrown Apps
๐ Date: 2026-05-21
๐References:
https://news.risky.biz/srsly-risky-biz-politicians-to-ditch-signal-for-homegrown-apps/
๐Rectifyq Taxonomies:
Relevancy: ๐ต Potentially Relevant
Category: โ Threat
โข mitre-att&ck="none-from-src"
โข mitre-att&ck="from-OTX"
โข sub-category="report"
โข target="broad-based"
โข no-samples-in="MalwareBazaar"
โข no-samples-in="Tria.ge"
โข action-taken="VT-comment"
๐MISP Galaxies:
โข target-information="United States"
โข target-information="Belgium"
โข target-information="France"
โข target-information="Germany"
โข target-information="Poland"
โข target-information="United Kingdom"
mitre-attack-pattern=['T1557', 'T1539', 'T1114', 'T1530', 'T1552', 'T1185', 'T1534', 'T1566', 'T1056', 'T1213']
MISP event uuid: 73a9fa17-bb23-41c0-90a6-f3aa48fc2617
๐ Date: 2026-05-21
๐References:
https://news.risky.biz/srsly-risky-biz-politicians-to-ditch-signal-for-homegrown-apps/
๐Rectifyq Taxonomies:
Relevancy: ๐ต Potentially Relevant
Category: โ Threat
โข mitre-att&ck="none-from-src"
โข mitre-att&ck="from-OTX"
โข sub-category="report"
โข target="broad-based"
โข no-samples-in="MalwareBazaar"
โข no-samples-in="Tria.ge"
โข action-taken="VT-comment"
๐MISP Galaxies:
โข target-information="United States"
โข target-information="Belgium"
โข target-information="France"
โข target-information="Germany"
โข target-information="Poland"
โข target-information="United Kingdom"
mitre-attack-pattern=['T1557', 'T1539', 'T1114', 'T1530', 'T1552', 'T1185', 'T1534', 'T1566', 'T1056', 'T1213']
MISP event uuid: 73a9fa17-bb23-41c0-90a6-f3aa48fc2617
Risky.Biz
Srsly Risky Biz: Politicians to Ditch Signal for Homegrown Apps
Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Amberleigh Jack. This week's edition is sponsored by Push Security.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in yourโฆ
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in yourโฆ
๐Title: Misconfigured, Enrolled and Dormant: Anatomy of a P2Pinfect Kubernetes Compromise
๐ Date: 2026-05-20
๐References:
https://www.fortinet.com/blog/threat-research/misconfigured-enrolled-and-dormant-anatomy-of-a-p2pinfect-kubernetes-compromise
๐Rectifyq Taxonomies:
Relevancy: ๐ต Potentially Relevant
Category: โ Threat
โข workflow="enrichment"
โข mitre-att&ck="none-from-src"
โข mitre-att&ck="from-OTX"
โข sub-category="intrusion-analysis"
โข topic="cloud"
โข target="targeted"
โข samples-found-in="MalwareBazaar"
โข samples-found-in="Tria.ge"
๐MISP Galaxies:
โข producer="Fortinet"
โข branded-vulnerability="b2c5ca09-8d99-4138-ace7-99615894ab71"
mitre-attack-pattern=['T1110.001', 'T1133', 'T1071.004', 'T1053', 'T1190', 'T1036', 'T1563', 'T1070', 'T1552.001', 'T1098', 'T1059.004', 'T1571', 'T1027', 'T1486', 'T1573', 'T1496', 'T1027.002', 'T1071.001', 'T1105', 'T1090.001']
MISP event uuid: 6e45460a-4428-4eb4-865e-3a5a170b8b01
๐ Date: 2026-05-20
๐References:
https://www.fortinet.com/blog/threat-research/misconfigured-enrolled-and-dormant-anatomy-of-a-p2pinfect-kubernetes-compromise
๐Rectifyq Taxonomies:
Relevancy: ๐ต Potentially Relevant
Category: โ Threat
โข workflow="enrichment"
โข mitre-att&ck="none-from-src"
โข mitre-att&ck="from-OTX"
โข sub-category="intrusion-analysis"
โข topic="cloud"
โข target="targeted"
โข samples-found-in="MalwareBazaar"
โข samples-found-in="Tria.ge"
๐MISP Galaxies:
โข producer="Fortinet"
โข branded-vulnerability="b2c5ca09-8d99-4138-ace7-99615894ab71"
mitre-attack-pattern=['T1110.001', 'T1133', 'T1071.004', 'T1053', 'T1190', 'T1036', 'T1563', 'T1070', 'T1552.001', 'T1098', 'T1059.004', 'T1571', 'T1027', 'T1486', 'T1573', 'T1496', 'T1027.002', 'T1071.001', 'T1105', 'T1090.001']
MISP event uuid: 6e45460a-4428-4eb4-865e-3a5a170b8b01
Fortinet Blog
Misconfigured, Enrolled and Dormant: Anatomy of a P2Pinfect Kubernetes Compromise
FortiGuard Labs analyzed several P2PInfect compromises in GKE clusters, showing how exposed Redis instances can enable persistent botnet enrollment, dormancy, and cloud runtime risk.โฆ
๐Title: Mini Shai Hulud: Compromised @antv npm packages enable CI/CD credential theft
๐ Date: 2026-05-20
๐References:
https://www.microsoft.com/en-us/security/blog/2026/05/20/mini-shai-hulud-compromised-antv-npm-packages-enable-ci-cd-credential-theft/
๐Rectifyq Taxonomies:
Relevancy: ๐ต Potentially Relevant
Category: โ Threat
โข mitre-att&ck="none-from-src"
โข mitre-att&ck="from-OTX"
โข sub-category="campaign-analysis"
โข topic="supply-chain"
โข target="broad-based"
โข samples-found-in="MalwareBazaar"
โข samples-found-in="Tria.ge"
โข action-taken="VT-comment"
๐MISP Galaxies:
โข producer="Microsoft"
โข malpedia="Shai-Hulud"
mitre-attack-pattern=['T1132.001', 'T1059.007', 'T1548.003', 'T1069.003', 'T1195.001', 'T1036.005', 'T1140', 'T1552.004', 'T1562.006', 'T1552.001', 'T1098.001', 'T1087.004', 'T1098', 'T1068', 'T1027', 'T1195.002', 'T1567.002', 'T1071.001', 'T1105', 'T1078.004']
MISP event uuid: ce69c87f-4292-4c48-9907-0aea83122aed
๐ Date: 2026-05-20
๐References:
https://www.microsoft.com/en-us/security/blog/2026/05/20/mini-shai-hulud-compromised-antv-npm-packages-enable-ci-cd-credential-theft/
๐Rectifyq Taxonomies:
Relevancy: ๐ต Potentially Relevant
Category: โ Threat
โข mitre-att&ck="none-from-src"
โข mitre-att&ck="from-OTX"
โข sub-category="campaign-analysis"
โข topic="supply-chain"
โข target="broad-based"
โข samples-found-in="MalwareBazaar"
โข samples-found-in="Tria.ge"
โข action-taken="VT-comment"
๐MISP Galaxies:
โข producer="Microsoft"
โข malpedia="Shai-Hulud"
mitre-attack-pattern=['T1132.001', 'T1059.007', 'T1548.003', 'T1069.003', 'T1195.001', 'T1036.005', 'T1140', 'T1552.004', 'T1562.006', 'T1552.001', 'T1098.001', 'T1087.004', 'T1098', 'T1068', 'T1027', 'T1195.002', 'T1567.002', 'T1071.001', 'T1105', 'T1078.004']
MISP event uuid: ce69c87f-4292-4c48-9907-0aea83122aed
Microsoft News
Mini Shai Hulud: Compromised @antv npm packages enable CI/CD credential theft
Compromised @antv npm packages deploy the Mini Shai-Hulud payload to steal CI/CD secrets from Linux-based automation environments. The malware executes during npm install and targets credentials across GitHub, AWS, Kubernetes, Vault, npm, and 1Password platforms.
๐Title: Operation Dragon Whistle: UNG002 Targets Chinese Academia via Weaponized Institutional Lure
๐ Date: 2026-05-20
๐References:
https://www.seqrite.com/blog/operation-dragon-whistle-ung002-targets-chinese-academia-via-weaponized-institutional-lure/
๐Rectifyq Taxonomies:
Relevancy: โซ Not Relevant
Category: โ Threat
โข mitre-att&ck="from-original-src"
โข mitre-att&ck="from-OTX"
โข sub-category="intrusion-analysis"
โข target="targeted"
โข no-samples-in="MalwareBazaar"
โข samples-found-in="Tria.ge"
โข action-taken="VT-comment"
๐MISP Galaxies:
โข producer="Seqrite"
โข target-information="China"
โข malpedia="Cobalt Strike"
mitre-attack-pattern=['T1574.002', 'T1005', 'T1622', 'T1564.001', 'T1105', 'T1204.002', 'T1036', 'T1106', 'T1027', 'T1057', 'T1620', 'T1129', 'T1566.001', 'T1218', 'T1497.001', 'T1497', 'T1059.005', 'T1071.001']
MISP event uuid: 271f7352-0846-4ffc-9841-b0e792521cbc
๐ Date: 2026-05-20
๐References:
https://www.seqrite.com/blog/operation-dragon-whistle-ung002-targets-chinese-academia-via-weaponized-institutional-lure/
๐Rectifyq Taxonomies:
Relevancy: โซ Not Relevant
Category: โ Threat
โข mitre-att&ck="from-original-src"
โข mitre-att&ck="from-OTX"
โข sub-category="intrusion-analysis"
โข target="targeted"
โข no-samples-in="MalwareBazaar"
โข samples-found-in="Tria.ge"
โข action-taken="VT-comment"
๐MISP Galaxies:
โข producer="Seqrite"
โข target-information="China"
โข malpedia="Cobalt Strike"
mitre-attack-pattern=['T1574.002', 'T1005', 'T1622', 'T1564.001', 'T1105', 'T1204.002', 'T1036', 'T1106', 'T1027', 'T1057', 'T1620', 'T1129', 'T1566.001', 'T1218', 'T1497.001', 'T1497', 'T1059.005', 'T1071.001']
MISP event uuid: 271f7352-0846-4ffc-9841-b0e792521cbc
Seqrite Labs
Operation Dragon Whistle: UNG0002 Targets Chinese Academia via Weaponized Institutional Lure
<p>Table of Contents: Introduction: Key Targets: Infection Chain: Initial Findings about Campaign: Analysis of Decoys & Spear phishing Email: Technical Analysis: Stage1: Analysis of LNK File. Stage2: Analysis of VBS. Stage3: DLL Side Loading. Infrastructuralโฆ
๐Title: Premium Deception: Uncovering a Global Android Carrier Billing Fraud Campaign
๐ Date: 2026-05-20
๐References:
https://zimperium.com/blog/premium-deception-uncovering-a-global-android-carrier-billing-fraud-campaign
๐Rectifyq Taxonomies:
Relevancy: ๐ด Highly Relevant
Category: โ Threat
โข sub-category="campaign-analysis"
โข topic="mobile-attack"
โข target="broad-based"
โข mitre-att&ck="from-original-src"
โข no-samples-in="MalwareBazaar"
โข samples-found-in="Tria.ge"
โข action-taken="x"
โข action-taken="linkedin"
๐MISP Galaxies:
โข target-information="Croatia"
โข target-information="Malaysia"
โข target-information="Romania"
โข target-information="Thailand"
โข producer="Zimperium"
โข online-service="b0c71d51-34fd-47b5-9eb4-dd406ffc607f"
mitre-attack-pattern=['T1412', 'T1476', 'T1646', 'T1643', 'T1417', 'T1582', 'T1603', 'T1628.001', 'T1426', 'T1422', 'T1437.001']
MISP event uuid: 441a0a60-4abf-4afc-8318-eee24dbf5b68
๐ Date: 2026-05-20
๐References:
https://zimperium.com/blog/premium-deception-uncovering-a-global-android-carrier-billing-fraud-campaign
๐Rectifyq Taxonomies:
Relevancy: ๐ด Highly Relevant
Category: โ Threat
โข sub-category="campaign-analysis"
โข topic="mobile-attack"
โข target="broad-based"
โข mitre-att&ck="from-original-src"
โข no-samples-in="MalwareBazaar"
โข samples-found-in="Tria.ge"
โข action-taken="x"
โข action-taken="linkedin"
๐MISP Galaxies:
โข target-information="Croatia"
โข target-information="Malaysia"
โข target-information="Romania"
โข target-information="Thailand"
โข producer="Zimperium"
โข online-service="b0c71d51-34fd-47b5-9eb4-dd406ffc607f"
mitre-attack-pattern=['T1412', 'T1476', 'T1646', 'T1643', 'T1417', 'T1582', 'T1603', 'T1628.001', 'T1426', 'T1422', 'T1437.001']
MISP event uuid: 441a0a60-4abf-4afc-8318-eee24dbf5b68
Zimperium
Premium Deception: Uncovering a Global Android Carrier Billing Fraud Campaign
true
๐Title: Tracking TamperedChef Clusters via Certificate and Code Reuse
๐ Date: 2026-05-20
๐References:
https://unit42.paloaltonetworks.com/tracking-tampered-chef-clusters/
๐Rectifyq Taxonomies:
Relevancy: ๐ต Potentially Relevant
Category: โ Threat
โข mitre-att&ck="none-from-src"
โข mitre-att&ck="from-OTX"
โข sub-category="campaign-analysis"
โข target="broad-based"
โข no-samples-in="MalwareBazaar"
โข no-samples-in="Tria.ge"
โข action-taken="VT-comment"
๐MISP Galaxies:
โข producer="Palo Alto"
โข malpedia="TamperedChef"
โข target-information="Israel"
โข target-information="United States"
mitre-attack-pattern=['T1053.005', 'T1113', 'T1033', 'T1539', 'T1204.002', 'T1566.002', 'T1553.002', 'T1082', 'T1140', 'T1555.003', 'T1016', 'T1083', 'T1102', 'T1057', 'T1547.001', 'T1027', 'T1518.001', 'T1027.002', 'T1071.001', 'T1105', 'T1124']
MISP event uuid: 5bc9258d-74d3-4847-aa11-ec0c8b67e156
๐ Date: 2026-05-20
๐References:
https://unit42.paloaltonetworks.com/tracking-tampered-chef-clusters/
๐Rectifyq Taxonomies:
Relevancy: ๐ต Potentially Relevant
Category: โ Threat
โข mitre-att&ck="none-from-src"
โข mitre-att&ck="from-OTX"
โข sub-category="campaign-analysis"
โข target="broad-based"
โข no-samples-in="MalwareBazaar"
โข no-samples-in="Tria.ge"
โข action-taken="VT-comment"
๐MISP Galaxies:
โข producer="Palo Alto"
โข malpedia="TamperedChef"
โข target-information="Israel"
โข target-information="United States"
mitre-attack-pattern=['T1053.005', 'T1113', 'T1033', 'T1539', 'T1204.002', 'T1566.002', 'T1553.002', 'T1082', 'T1140', 'T1555.003', 'T1016', 'T1083', 'T1102', 'T1057', 'T1547.001', 'T1027', 'T1518.001', 'T1027.002', 'T1071.001', 'T1105', 'T1124']
MISP event uuid: 5bc9258d-74d3-4847-aa11-ec0c8b67e156
Unit 42
Tracking TamperedChef Clusters via Certificate and Code Reuse
Unit 42 analyzes TamperedChef malware clusters that use trojanized productivity apps and malvertising to deliver stealthy payloads to targets.
๐Title: Volume Obfuscation Game: The Lead Data Brokers Out To Waste Your Time
๐ Date: 2026-05-20
๐References:
https://www.group-ib.com/blog/lead-data-obfuscation-brokers/
๐Rectifyq Taxonomies:
Relevancy: ๐ต Potentially Relevant
Category: โ Threat
โข mitre-att&ck="none-from-src"
โข mitre-att&ck="from-OTX"
โข sub-category="campaign-analysis"
โข target="broad-based"
โข no-samples-in="MalwareBazaar"
โข no-samples-in="Tria.ge"
โข action-taken="VT-comment"
๐MISP Galaxies:
โข producer="Group-IB"
โข country="china"
โข online-service="b0c71d51-34fd-47b5-9eb4-dd406ffc607f"
mitre-attack-pattern=[]
MISP event uuid: a2f1ae5e-505c-4075-a3d6-991e1637c63c
๐ Date: 2026-05-20
๐References:
https://www.group-ib.com/blog/lead-data-obfuscation-brokers/
๐Rectifyq Taxonomies:
Relevancy: ๐ต Potentially Relevant
Category: โ Threat
โข mitre-att&ck="none-from-src"
โข mitre-att&ck="from-OTX"
โข sub-category="campaign-analysis"
โข target="broad-based"
โข no-samples-in="MalwareBazaar"
โข no-samples-in="Tria.ge"
โข action-taken="VT-comment"
๐MISP Galaxies:
โข producer="Group-IB"
โข country="china"
โข online-service="b0c71d51-34fd-47b5-9eb4-dd406ffc607f"
mitre-attack-pattern=[]
MISP event uuid: a2f1ae5e-505c-4075-a3d6-991e1637c63c
Group-IB
Volume Obfuscation Game: The Lead Data Brokers Out To Waste Your Time
An increasing number of data brokers active in Chinese-speaking dark web forums and Telegram channels are advertising large volumes of purportedly stolen data from organizations worldwide. But are they credible?
๐Title: Beyond Tax Returns: How Shared Malware Infrastructure Scales Brand Abuse In Indonesia
๐ Date: 2026-05-19
๐References:
https://www.group-ib.com/blog/indonesia-tax-impersonation-goldfactory-malware/
๐Rectifyq Taxonomies:
Relevancy: โซ Not Relevant
Category: โ Threat
โข mitre-att&ck="from-original-src"
โข mitre-att&ck="from-OTX"
โข sub-category="campaign-analysis"
โข TA-category="Cybercrime"
โข target="broad-based"
โข topic="mobile-attack"
โข no-samples-in="MalwareBazaar"
โข no-samples-in="Tria.ge"
โข action-taken="VT-comment"
๐MISP Galaxies:
โข producer="Group-IB"
โข target-information="Indonesia"
โข target-information="Peru"
โข target-information="Philippines"
โข target-information="South Africa"
โข target-information="Thailand"
โข malpedia="Gigabud"
โข sector="Bank"
โข sector="Finance"
โข sector="Government, Administration"
โข malpedia="GoldDigger"
โข malpedia="Remo"
โข threat-actor="GoldFactory"
mitre-attack-pattern=['T1414', 'T1646', 'T1541', 'T1417.002', 'T1516', 'T1417.001', 'T1660', 'T1513', 'T1426', 'T1437.001', 'T1626', 'T1417', 'T1418', 'T1422']
MISP event uuid: 88e3ed61-0d4d-462b-9c4c-2298d7d7b9c3
๐ Date: 2026-05-19
๐References:
https://www.group-ib.com/blog/indonesia-tax-impersonation-goldfactory-malware/
๐Rectifyq Taxonomies:
Relevancy: โซ Not Relevant
Category: โ Threat
โข mitre-att&ck="from-original-src"
โข mitre-att&ck="from-OTX"
โข sub-category="campaign-analysis"
โข TA-category="Cybercrime"
โข target="broad-based"
โข topic="mobile-attack"
โข no-samples-in="MalwareBazaar"
โข no-samples-in="Tria.ge"
โข action-taken="VT-comment"
๐MISP Galaxies:
โข producer="Group-IB"
โข target-information="Indonesia"
โข target-information="Peru"
โข target-information="Philippines"
โข target-information="South Africa"
โข target-information="Thailand"
โข malpedia="Gigabud"
โข sector="Bank"
โข sector="Finance"
โข sector="Government, Administration"
โข malpedia="GoldDigger"
โข malpedia="Remo"
โข threat-actor="GoldFactory"
mitre-attack-pattern=['T1414', 'T1646', 'T1541', 'T1417.002', 'T1516', 'T1417.001', 'T1660', 'T1513', 'T1426', 'T1437.001', 'T1626', 'T1417', 'T1418', 'T1422']
MISP event uuid: 88e3ed61-0d4d-462b-9c4c-2298d7d7b9c3
Group-IB
Beyond Tax Returns: How Shared Malware Infrastructure Scales Brand Abuse In Indonesia
Itโs tax season in Indonesia and fraudsters are observed to be ramping up the fraud campaign involving fake Coretax apps, but behind it lies an industrialized MaaS infrastructure ready to strike anywhere.
๐Title: Popular node-ipc npm Package Infected with Credential Stealer
๐ Date: 2026-05-14
๐References:
https://socket.dev/blog/node-ipc-package-compromised
๐Rectifyq Taxonomies:
Relevancy: ๐ต Potentially Relevant
Category: โ Threat
โข mitre-att&ck="none-from-src"
โข mitre-att&ck="from-OTX"
โข sub-category="campaign-analysis"
โข topic="supply-chain"
โข target="broad-based"
โข no-samples-in="MalwareBazaar"
โข no-samples-in="Tria.ge"
โข action-taken="VT-comment"
๐MISP Galaxies:
โข producer="37ebf9d7-5e9a-466f-a42c-6e60313db868"
mitre-attack-pattern=['T1195.002', 'T1078', 'T1136', 'T1098', 'T1071.004', 'T1048.003', 'T1041', 'T1567', 'T1005', 'T1552.001', 'T1552.004', 'T1087', 'T1082', 'T1083', 'T1119', 'T1074.001', 'T1560.001', 'T1027', 'T1027.002', 'T1059.007']
MISP event uuid: ba313d52-d178-491a-ab42-0a79bdd9755b
๐ Date: 2026-05-14
๐References:
https://socket.dev/blog/node-ipc-package-compromised
๐Rectifyq Taxonomies:
Relevancy: ๐ต Potentially Relevant
Category: โ Threat
โข mitre-att&ck="none-from-src"
โข mitre-att&ck="from-OTX"
โข sub-category="campaign-analysis"
โข topic="supply-chain"
โข target="broad-based"
โข no-samples-in="MalwareBazaar"
โข no-samples-in="Tria.ge"
โข action-taken="VT-comment"
๐MISP Galaxies:
โข producer="37ebf9d7-5e9a-466f-a42c-6e60313db868"
mitre-attack-pattern=['T1195.002', 'T1078', 'T1136', 'T1098', 'T1071.004', 'T1048.003', 'T1041', 'T1567', 'T1005', 'T1552.001', 'T1552.004', 'T1087', 'T1082', 'T1083', 'T1119', 'T1074.001', 'T1560.001', 'T1027', 'T1027.002', 'T1059.007']
MISP event uuid: ba313d52-d178-491a-ab42-0a79bdd9755b
Socket
Popular node-ipc npm Package Infected with Credential Steale...
Socket detected malicious node-ipc versions with obfuscated stealer/backdoor behavior in a developing npm supply chain attack.
๐Title: Inside a Tor Backed Supply Chain Worm
๐ Date: 2026-05-14
๐References:
https://www.cloudsek.com/blog/inside-a-tor-backed-supply-chain-worm
๐Rectifyq Taxonomies:
Relevancy: ๐ต Potentially Relevant
Category: โ Threat
โข mitre-att&ck="none-from-src"
โข mitre-att&ck="from-OTX"
โข sub-category="campaign-analysis"
โข topic="supply-chain"
โข target="broad-based"
โข no-samples-in="MalwareBazaar"
โข no-samples-in="Tria.ge"
โข action-taken="VT-comment"
๐MISP Galaxies:
โข producer="CloudSEK"
mitre-attack-pattern=['T1195.002', 'T1554', 'T1543.002', 'T1027', 'T1078.004', 'T1078.001', 'T1087.001', 'T1552.001', 'T1552.006', 'T1563', 'T1098', 'T1036.005', 'T1090.003', 'T1071.001', 'T1059.006', 'T1548.001', 'T1496', 'T1005', 'T1041']
MISP event uuid: 76c07ddc-0f70-481e-9f63-c99aef0650b6
๐ Date: 2026-05-14
๐References:
https://www.cloudsek.com/blog/inside-a-tor-backed-supply-chain-worm
๐Rectifyq Taxonomies:
Relevancy: ๐ต Potentially Relevant
Category: โ Threat
โข mitre-att&ck="none-from-src"
โข mitre-att&ck="from-OTX"
โข sub-category="campaign-analysis"
โข topic="supply-chain"
โข target="broad-based"
โข no-samples-in="MalwareBazaar"
โข no-samples-in="Tria.ge"
โข action-taken="VT-comment"
๐MISP Galaxies:
โข producer="CloudSEK"
mitre-attack-pattern=['T1195.002', 'T1554', 'T1543.002', 'T1027', 'T1078.004', 'T1078.001', 'T1087.001', 'T1552.001', 'T1552.006', 'T1563', 'T1098', 'T1036.005', 'T1090.003', 'T1071.001', 'T1059.006', 'T1548.001', 'T1496', 'T1005', 'T1041']
MISP event uuid: 76c07ddc-0f70-481e-9f63-c99aef0650b6
Cloudsek
Inside a Tor Backed Supply Chain Worm | CloudSEK
CloudSEK TRIAD uncovered a sophisticated npm supply chain attack using a typosquatted package, crypto-javascri, to mimic crypto-js. The malware steals npm and GitHub credentials, hijacks maintainer accounts, republishes trojanized packages, and uses Tor-basedโฆ
๐Title: The Evolution of ClickFix: From Cleartext to Server Side Polymorphism
๐ Date: 2026-05-14
๐References:
https://www.menlosecurity.com/blog/the-evolution-of-clickfix-from-cleartext-to-server-side-polymorphism
๐Rectifyq Taxonomies:
Relevancy: ๐ต Potentially Relevant
Category: โ Threat
โข workflow="enrichment"
โข mitre-att&ck="none-from-src"
โข mitre-att&ck="from-OTX"
โข sub-category="campaign-analysis"
โข target="broad-based"
โข no-samples-in="MalwareBazaar"
โข no-samples-in="Tria.ge"
๐MISP Galaxies:
โข malpedia="Vidar"
โข malpedia="DeerStealer"
mitre-attack-pattern=['T1204.001', 'T1566.002', 'T1059.001', 'T1027', 'T1140', 'T1071.001', 'T1105', 'T1055', 'T1112', 'T1497', 'T1070.004', 'T1082', 'T1555.003', 'T1555', 'T1539', 'T1005', 'T1041', 'T1027.002']
MISP event uuid: 6d14d444-58c0-45da-92e5-fca9cdcd7637
๐ Date: 2026-05-14
๐References:
https://www.menlosecurity.com/blog/the-evolution-of-clickfix-from-cleartext-to-server-side-polymorphism
๐Rectifyq Taxonomies:
Relevancy: ๐ต Potentially Relevant
Category: โ Threat
โข workflow="enrichment"
โข mitre-att&ck="none-from-src"
โข mitre-att&ck="from-OTX"
โข sub-category="campaign-analysis"
โข target="broad-based"
โข no-samples-in="MalwareBazaar"
โข no-samples-in="Tria.ge"
๐MISP Galaxies:
โข malpedia="Vidar"
โข malpedia="DeerStealer"
mitre-attack-pattern=['T1204.001', 'T1566.002', 'T1059.001', 'T1027', 'T1140', 'T1071.001', 'T1105', 'T1055', 'T1112', 'T1497', 'T1070.004', 'T1082', 'T1555.003', 'T1555', 'T1539', 'T1005', 'T1041', 'T1027.002']
MISP event uuid: 6d14d444-58c0-45da-92e5-fca9cdcd7637
Menlosecurity
The Evolution of ClickFix: From Cleartext to Server Side Polymorphism - Blog | Menlo Security
Menlo has identified ~4,500 domains that belong to a Polymorphism campaign, demonstrating a massive infrastructure powering these evasive ClickFix attacks.
๐Title: Infostealer Campaign Using Trading App as Lure
๐ Date: 2026-05-20
๐References:
https://hybrid-analysis.blogspot.com/2026/05/velvet-chollima-infostealer-campaign.html?m=1
๐Rectifyq Taxonomies:
Relevancy: ๐ต Potentially Relevant
Category: โ Threat
โข mitre-att&ck="none-from-src"
โข mitre-att&ck="from-OTX"
โข sub-category="campaign-analysis"
โข target="broad-based"
โข no-samples-in="MalwareBazaar"
โข samples-found-in="Tria.ge"
โข action-taken="VT-comment"
๐MISP Galaxies:
โข producer="Hybrid Analysis"
mitre-attack-pattern=['T1566', 'T1204', 'T1036', 'T1553.002', 'T1547.001', 'T1053.005', 'T1059.001', 'T1027', 'T1105', 'T1082', 'T1012', 'T1518.001', 'T1056.001', 'T1555.003', 'T1567.001', 'T1071.001', 'T1132', 'T1497', 'T1497.001', 'T1614']
MISP event uuid: 08b137bc-104f-4dcc-a5ab-09ec9ce19b7b
๐ Date: 2026-05-20
๐References:
https://hybrid-analysis.blogspot.com/2026/05/velvet-chollima-infostealer-campaign.html?m=1
๐Rectifyq Taxonomies:
Relevancy: ๐ต Potentially Relevant
Category: โ Threat
โข mitre-att&ck="none-from-src"
โข mitre-att&ck="from-OTX"
โข sub-category="campaign-analysis"
โข target="broad-based"
โข no-samples-in="MalwareBazaar"
โข samples-found-in="Tria.ge"
โข action-taken="VT-comment"
๐MISP Galaxies:
โข producer="Hybrid Analysis"
mitre-attack-pattern=['T1566', 'T1204', 'T1036', 'T1553.002', 'T1547.001', 'T1053.005', 'T1059.001', 'T1027', 'T1105', 'T1082', 'T1012', 'T1518.001', 'T1056.001', 'T1555.003', 'T1567.001', 'T1071.001', 'T1132', 'T1497', 'T1497.001', 'T1614']
MISP event uuid: 08b137bc-104f-4dcc-a5ab-09ec9ce19b7b
๐Title: APT Targets Azerbaijani Oil and Gas Industry
๐ Date: 2026-05-13
๐References:
https://businessinsights.bitdefender.com/famoussparrow-apt-targets-azerbaijani-oil-gas-industry
๐Rectifyq Taxonomies:
Relevancy: โซ Not Relevant
Category: โ Threat
โข mitre-att&ck="from-original-src"
โข mitre-att&ck="from-OTX"
โข sub-category="TA-profile"
โข sub-category="campaign-analysis"
โข TA-category="APT"
โข target="broad-based"
โข no-samples-in="MalwareBazaar"
โข no-samples-in="Tria.ge"
โข action-taken="VT-comment"
๐MISP Galaxies:
โข producer="Bitdefender"
โข target-information="Azerbaijan"
โข threat-actor="GhostEmperor"
โข country="china"
โข malpedia="SNAPPYBEE"
โข sector="Gas"
โข sector="Oil"
mitre-attack-pattern=['T1190', 'T1505.003', 'T1543.003', 'T1574.002', 'T1140', 'T1562', 'T1569.002', 'T1059.001', 'T1021.001', 'T1021.002', 'T1071.001', 'T1014']
MISP event uuid: 4513c651-0f6c-417a-8390-6a800dc28872
๐ Date: 2026-05-13
๐References:
https://businessinsights.bitdefender.com/famoussparrow-apt-targets-azerbaijani-oil-gas-industry
๐Rectifyq Taxonomies:
Relevancy: โซ Not Relevant
Category: โ Threat
โข mitre-att&ck="from-original-src"
โข mitre-att&ck="from-OTX"
โข sub-category="TA-profile"
โข sub-category="campaign-analysis"
โข TA-category="APT"
โข target="broad-based"
โข no-samples-in="MalwareBazaar"
โข no-samples-in="Tria.ge"
โข action-taken="VT-comment"
๐MISP Galaxies:
โข producer="Bitdefender"
โข target-information="Azerbaijan"
โข threat-actor="GhostEmperor"
โข country="china"
โข malpedia="SNAPPYBEE"
โข sector="Gas"
โข sector="Oil"
mitre-attack-pattern=['T1190', 'T1505.003', 'T1543.003', 'T1574.002', 'T1140', 'T1562', 'T1569.002', 'T1059.001', 'T1021.001', 'T1021.002', 'T1071.001', 'T1014']
MISP event uuid: 4513c651-0f6c-417a-8390-6a800dc28872
Bitdefender
FamousSparrow APT Targets Azerbaijani Oil and Gas Industry
Bitdefender Labs tracked APT activity targeting Azerbaijani oil and gas; the operation demonstrates notable technical and strategic characteristics.