📃Title: New burrowing techniques
📅Date: 2026-05-20
🔗References:
https://www.welivesecurity.com/en/eset-research/webworm-new-burrowing-techniques/

🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="from-original-src"
• sub-category="TA-profile"
• sub-category="campaign-analysis"
• target="broad-based"
• TA-category="APT"
• samples-found-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"

🔖MISP Galaxies:
• producer="ESET"
• target-information="Belgium"
• target-information="Czech Republic"
• target-information="Hungary"
• target-information="Italy"
• target-information="Nigeria"
• target-information="Poland"
• target-information="Serbia"
• target-information="South Africa"
• target-information="Spain"
• threat-actor="Webworm"
• online-service="7347d685-8e08-4ed9-9f34-264e5e4b567a"
• online-service="3b16bb5a-eb4f-4603-a909-bebc5df4a46d"
mitre-attack-pattern=['T1550.001', 'T1573.002', 'T1102.002', 'T1078.004', 'T1021.007', 'T1005', 'T1027.013', 'T1041', 'T1567.002', 'T1090.002', 'T1070.004', 'T1090.001', 'T1074.001', 'T1112', 'T1090.003', 'T1547.001', 'T1074.002', 'T1053.005', 'T1583.004', 'T1132.001', 'T1070.006', 'T1608.002', 'T1583.003', 'T1588.006', 'T1595.002', 'T1071.001', 'T1584.006', 'T1059.003', 'T1595.003']

MISP event uuid: 55a58703-da62-4330-bd76-3189d2635e28

📃Title: PureLogs: Delivery via PawsRunner Steganography
📅Date: 2026-05-15
🔗References:
https://www.fortinet.com/blog/threat-research/purelogs-delivery-via-pawsrunner-steganography

🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• sub-category="campaign-analysis"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"

🔖MISP Galaxies:
• producer="Fortinet"
• malpedia="PureLogs Stealer"
mitre-attack-pattern=[]

MISP event uuid: 3c80a5eb-e55b-46df-87f5-aa09ba9bb5d2

📃Title: The Worm That Keeps on Digging: Latest Wave
📅Date: 2026-05-19
🔗References:
https://www.wiz.io/blog/mini-shai-hulud-teampcp-hits-antv-supply-chain

🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="supply-chain"
• target="broad-based"
• samples-found-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"

🔖MISP Galaxies:
• producer="Wiz Blog"
• malpedia="Shai-Hulud"
• online-service="3b16bb5a-eb4f-4603-a909-bebc5df4a46d"
mitre-attack-pattern=['T1059.007', 'T1539', 'T1555.003', 'T1552.004', 'T1552.001', 'T1567.001', 'T1552.006', 'T1102.003', 'T1574.010', 'T1195.002', 'T1102.002', 'T1059.006', 'T1543.001', 'T1071.001', 'T1543.002', 'T1105', 'T1102.001']

MISP event uuid: a8121f4e-198f-47f3-a649-0b881e64d745

📃Title: Fresh mischief and digital shenanigans
📅Date: 2026-05-14
🔗References:
https://www.welivesecurity.com/en/eset-research/frostyneighbor-fresh-mischief-digital-shenanigans/

🔖Rectifyq Taxonomies:
Relevancy: ⚫ Not Relevant
Category: ⚔ Threat
• mitre-att&ck="from-original-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• TA-category="APT"
• target="broad-based"
• samples-found-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"

🔖MISP Galaxies:
• producer="ESET"
• target-information="Lithuania"
• target-information="Poland"
• target-information="Ukraine"
• threat-actor="FrostyNeighbor"
• region="151 - Eastern Europe"
• sector="Government, Administration"
• sector="Military"
• malpedia="Cobalt Strike"
• malpedia="PicassoLoader"
mitre-attack-pattern=['T1053.005', 'T1583', 'T1036.005', 'T1204.002', 'T1566.001', 'T1082', 'T1059', 'T1608', 'T1057', 'T1041', 'T1060', 'T1588.002', 'T1027', 'T1071.001', 'T1027.009']

MISP event uuid: 62c6b987-cf0c-4a4b-9c57-a5a107789688

📃Title: Ghost CMS Mass Compromised via CVE-2026-26980, Now Fueling ClickFix Attacks
📅Date: 2026-05-21
🔗References:
https://blog.xlab.qianxin.com/ghost-cms-mass-compromised-via-cve-2026-26980-now-fueling-clickfix-attacks/

🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="intrusion-analysis"
• sub-category="critical-vuln"
• sub-category="campaign-analysis"
• target="broad-based"
• samples-found-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"

🔖MISP Galaxies:
mitre-attack-pattern=['T1218.011', 'T1132.001', 'T1059.007', 'T1140', 'T1190', 'T1583.001', 'T1055', 'T1102', 'T1583.006', 'T1204', 'T1059.001', 'T1212', 'T1547.001', 'T1566', 'T1027', 'T1573', 'T1059.003', 'T1071.001', 'T1105']

MISP event uuid: 63a2d681-adb1-4ca3-a1ae-f2d332ea8de5

📃Title: SEO poisoning campaign leverages Gemini and Claude Code impersonation to deliver infostealer
📅Date: 2026-05-21
🔗References:
https://blog.eclecticiq.com/seo-poisoning-campaign-leverages-gemini-and-claude-code-impersonation-to-deliver-infostealer

🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="from-original-src"
• sub-category="campaign-analysis"
• topic="ai"
• target="broad-based"
• samples-found-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"

🔖MISP Galaxies:
• producer="EclecticIQ"
• target-information="United States"
• target-information="United Kingdom"
mitre-attack-pattern=['T1552.001', 'T1555.003', 'T1552.002', 'T1005', 'T1140', 'T1562.001', 'T1189', 'T1573', 'T1041', 'T1083', 'T1562.006', 'T1105', 'T1204.002', 'T1204.001', 'T1027', 'T1059.001', 'T1057', 'T1608.006', 'T1539', 'T1218', 'T1497.001', 'T1071.001', 'T1555.004']

MISP event uuid: 6c37649e-5ce2-4c1b-8fb0-c90e251a93a2

📃Title: Politicians to Ditch Signal for Homegrown Apps
📅Date: 2026-05-21
🔗References:
https://news.risky.biz/srsly-risky-biz-politicians-to-ditch-signal-for-homegrown-apps/

🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="report"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"

🔖MISP Galaxies:
• target-information="United States"
• target-information="Belgium"
• target-information="France"
• target-information="Germany"
• target-information="Poland"
• target-information="United Kingdom"
mitre-attack-pattern=['T1557', 'T1539', 'T1114', 'T1530', 'T1552', 'T1185', 'T1534', 'T1566', 'T1056', 'T1213']

MISP event uuid: 73a9fa17-bb23-41c0-90a6-f3aa48fc2617

📃Title: Misconfigured, Enrolled and Dormant: Anatomy of a P2Pinfect Kubernetes Compromise
📅Date: 2026-05-20
🔗References:
https://www.fortinet.com/blog/threat-research/misconfigured-enrolled-and-dormant-anatomy-of-a-p2pinfect-kubernetes-compromise

🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• workflow="enrichment"
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="intrusion-analysis"
• topic="cloud"
• target="targeted"
• samples-found-in="MalwareBazaar"
• samples-found-in="Tria.ge"

🔖MISP Galaxies:
• producer="Fortinet"
• branded-vulnerability="b2c5ca09-8d99-4138-ace7-99615894ab71"
mitre-attack-pattern=['T1110.001', 'T1133', 'T1071.004', 'T1053', 'T1190', 'T1036', 'T1563', 'T1070', 'T1552.001', 'T1098', 'T1059.004', 'T1571', 'T1027', 'T1486', 'T1573', 'T1496', 'T1027.002', 'T1071.001', 'T1105', 'T1090.001']

MISP event uuid: 6e45460a-4428-4eb4-865e-3a5a170b8b01

📃Title: Mini Shai Hulud: Compromised @antv npm packages enable CI/CD credential theft
📅Date: 2026-05-20
🔗References:
https://www.microsoft.com/en-us/security/blog/2026/05/20/mini-shai-hulud-compromised-antv-npm-packages-enable-ci-cd-credential-theft/

🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="supply-chain"
• target="broad-based"
• samples-found-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"

🔖MISP Galaxies:
• producer="Microsoft"
• malpedia="Shai-Hulud"
mitre-attack-pattern=['T1132.001', 'T1059.007', 'T1548.003', 'T1069.003', 'T1195.001', 'T1036.005', 'T1140', 'T1552.004', 'T1562.006', 'T1552.001', 'T1098.001', 'T1087.004', 'T1098', 'T1068', 'T1027', 'T1195.002', 'T1567.002', 'T1071.001', 'T1105', 'T1078.004']

MISP event uuid: ce69c87f-4292-4c48-9907-0aea83122aed

📃Title: Operation Dragon Whistle: UNG002 Targets Chinese Academia via Weaponized Institutional Lure
📅Date: 2026-05-20
🔗References:
https://www.seqrite.com/blog/operation-dragon-whistle-ung002-targets-chinese-academia-via-weaponized-institutional-lure/

🔖Rectifyq Taxonomies:
Relevancy: ⚫ Not Relevant
Category: ⚔ Threat
• mitre-att&ck="from-original-src"
• mitre-att&ck="from-OTX"
• sub-category="intrusion-analysis"
• target="targeted"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"

🔖MISP Galaxies:
• producer="Seqrite"
• target-information="China"
• malpedia="Cobalt Strike"
mitre-attack-pattern=['T1574.002', 'T1005', 'T1622', 'T1564.001', 'T1105', 'T1204.002', 'T1036', 'T1106', 'T1027', 'T1057', 'T1620', 'T1129', 'T1566.001', 'T1218', 'T1497.001', 'T1497', 'T1059.005', 'T1071.001']

MISP event uuid: 271f7352-0846-4ffc-9841-b0e792521cbc

📃Title: Premium Deception: Uncovering a Global Android Carrier Billing Fraud Campaign
📅Date: 2026-05-20
🔗References:
https://zimperium.com/blog/premium-deception-uncovering-a-global-android-carrier-billing-fraud-campaign

🔖Rectifyq Taxonomies:
Relevancy: 🔴 Highly Relevant
Category: ⚔ Threat
• sub-category="campaign-analysis"
• topic="mobile-attack"
• target="broad-based"
• mitre-att&ck="from-original-src"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="x"
• action-taken="linkedin"

🔖MISP Galaxies:
• target-information="Croatia"
• target-information="Malaysia"
• target-information="Romania"
• target-information="Thailand"
• producer="Zimperium"
• online-service="b0c71d51-34fd-47b5-9eb4-dd406ffc607f"
mitre-attack-pattern=['T1412', 'T1476', 'T1646', 'T1643', 'T1417', 'T1582', 'T1603', 'T1628.001', 'T1426', 'T1422', 'T1437.001']

MISP event uuid: 441a0a60-4abf-4afc-8318-eee24dbf5b68

📃Title: Tracking TamperedChef Clusters via Certificate and Code Reuse
📅Date: 2026-05-20
🔗References:
https://unit42.paloaltonetworks.com/tracking-tampered-chef-clusters/

🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"

🔖MISP Galaxies:
• producer="Palo Alto"
• malpedia="TamperedChef"
• target-information="Israel"
• target-information="United States"
mitre-attack-pattern=['T1053.005', 'T1113', 'T1033', 'T1539', 'T1204.002', 'T1566.002', 'T1553.002', 'T1082', 'T1140', 'T1555.003', 'T1016', 'T1083', 'T1102', 'T1057', 'T1547.001', 'T1027', 'T1518.001', 'T1027.002', 'T1071.001', 'T1105', 'T1124']

MISP event uuid: 5bc9258d-74d3-4847-aa11-ec0c8b67e156

📃Title: Volume Obfuscation Game: The Lead Data Brokers Out To Waste Your Time
📅Date: 2026-05-20
🔗References:
https://www.group-ib.com/blog/lead-data-obfuscation-brokers/

🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"

🔖MISP Galaxies:
• producer="Group-IB"
• country="china"
• online-service="b0c71d51-34fd-47b5-9eb4-dd406ffc607f"
mitre-attack-pattern=[]

MISP event uuid: a2f1ae5e-505c-4075-a3d6-991e1637c63c

📃Title: Beyond Tax Returns: How Shared Malware Infrastructure Scales Brand Abuse In Indonesia
📅Date: 2026-05-19
🔗References:
https://www.group-ib.com/blog/indonesia-tax-impersonation-goldfactory-malware/

🔖Rectifyq Taxonomies:
Relevancy: ⚫ Not Relevant
Category: ⚔ Threat
• mitre-att&ck="from-original-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• TA-category="Cybercrime"
• target="broad-based"
• topic="mobile-attack"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"

🔖MISP Galaxies:
• producer="Group-IB"
• target-information="Indonesia"
• target-information="Peru"
• target-information="Philippines"
• target-information="South Africa"
• target-information="Thailand"
• malpedia="Gigabud"
• sector="Bank"
• sector="Finance"
• sector="Government, Administration"
• malpedia="GoldDigger"
• malpedia="Remo"
• threat-actor="GoldFactory"
mitre-attack-pattern=['T1414', 'T1646', 'T1541', 'T1417.002', 'T1516', 'T1417.001', 'T1660', 'T1513', 'T1426', 'T1437.001', 'T1626', 'T1417', 'T1418', 'T1422']

MISP event uuid: 88e3ed61-0d4d-462b-9c4c-2298d7d7b9c3

📃Title: Popular node-ipc npm Package Infected with Credential Stealer
📅Date: 2026-05-14
🔗References:
https://socket.dev/blog/node-ipc-package-compromised

🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="supply-chain"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"

🔖MISP Galaxies:
• producer="37ebf9d7-5e9a-466f-a42c-6e60313db868"
mitre-attack-pattern=['T1195.002', 'T1078', 'T1136', 'T1098', 'T1071.004', 'T1048.003', 'T1041', 'T1567', 'T1005', 'T1552.001', 'T1552.004', 'T1087', 'T1082', 'T1083', 'T1119', 'T1074.001', 'T1560.001', 'T1027', 'T1027.002', 'T1059.007']

MISP event uuid: ba313d52-d178-491a-ab42-0a79bdd9755b

📃Title: Inside a Tor Backed Supply Chain Worm
📅Date: 2026-05-14
🔗References:
https://www.cloudsek.com/blog/inside-a-tor-backed-supply-chain-worm

🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="supply-chain"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"

🔖MISP Galaxies:
• producer="CloudSEK"
mitre-attack-pattern=['T1195.002', 'T1554', 'T1543.002', 'T1027', 'T1078.004', 'T1078.001', 'T1087.001', 'T1552.001', 'T1552.006', 'T1563', 'T1098', 'T1036.005', 'T1090.003', 'T1071.001', 'T1059.006', 'T1548.001', 'T1496', 'T1005', 'T1041']

MISP event uuid: 76c07ddc-0f70-481e-9f63-c99aef0650b6

📃Title: The Evolution of ClickFix: From Cleartext to Server Side Polymorphism
📅Date: 2026-05-14
🔗References:
https://www.menlosecurity.com/blog/the-evolution-of-clickfix-from-cleartext-to-server-side-polymorphism

🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• workflow="enrichment"
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"

🔖MISP Galaxies:
• malpedia="Vidar"
• malpedia="DeerStealer"
mitre-attack-pattern=['T1204.001', 'T1566.002', 'T1059.001', 'T1027', 'T1140', 'T1071.001', 'T1105', 'T1055', 'T1112', 'T1497', 'T1070.004', 'T1082', 'T1555.003', 'T1555', 'T1539', 'T1005', 'T1041', 'T1027.002']

MISP event uuid: 6d14d444-58c0-45da-92e5-fca9cdcd7637

📃Title: Infostealer Campaign Using Trading App as Lure
📅Date: 2026-05-20
🔗References:
https://hybrid-analysis.blogspot.com/2026/05/velvet-chollima-infostealer-campaign.html?m=1

🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"

🔖MISP Galaxies:
• producer="Hybrid Analysis"
mitre-attack-pattern=['T1566', 'T1204', 'T1036', 'T1553.002', 'T1547.001', 'T1053.005', 'T1059.001', 'T1027', 'T1105', 'T1082', 'T1012', 'T1518.001', 'T1056.001', 'T1555.003', 'T1567.001', 'T1071.001', 'T1132', 'T1497', 'T1497.001', 'T1614']

MISP event uuid: 08b137bc-104f-4dcc-a5ab-09ec9ce19b7b

📃Title: APT Targets Azerbaijani Oil and Gas Industry
📅Date: 2026-05-13
🔗References:
https://businessinsights.bitdefender.com/famoussparrow-apt-targets-azerbaijani-oil-gas-industry

🔖Rectifyq Taxonomies:
Relevancy: ⚫ Not Relevant
Category: ⚔ Threat
• mitre-att&ck="from-original-src"
• mitre-att&ck="from-OTX"
• sub-category="TA-profile"
• sub-category="campaign-analysis"
• TA-category="APT"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"

🔖MISP Galaxies:
• producer="Bitdefender"
• target-information="Azerbaijan"
• threat-actor="GhostEmperor"
• country="china"
• malpedia="SNAPPYBEE"
• sector="Gas"
• sector="Oil"
mitre-attack-pattern=['T1190', 'T1505.003', 'T1543.003', 'T1574.002', 'T1140', 'T1562', 'T1569.002', 'T1059.001', 'T1021.001', 'T1021.002', 'T1071.001', 'T1014']

MISP event uuid: 4513c651-0f6c-417a-8390-6a800dc28872

📃Title: Middle East Malicious Infrastructure Report: 1,350+ C2 Servers Mapped Across 98 Providers
📅Date: 2026-05-21
🔗References:
https://hunt.io/blog/middle-east-malicious-infrastructure-report

🔖Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚔ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="infra-profile"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"

🔖MISP Galaxies:
• producer="Hunt.io"
mitre-attack-pattern=['T1543', 'T1071.004', 'T1566.001', 'T1053', 'T1106', 'T1140', 'T1190', 'T1583.001', 'T1036', 'T1055', 'T1497', 'T1059.001', 'T1098', 'T1562.001', 'T1078', 'T1027', 'T1573', 'T1071.001', 'T1136', 'T1105', 'T1204.001']

MISP event uuid: c40393cf-c35a-4e9c-89f7-442e9743e034