πTitle: Beyond Tax Returns: How Shared Malware Infrastructure Scales Brand Abuse In Indonesia
π Date: 2026-05-19
πReferences:
https://www.group-ib.com/blog/indonesia-tax-impersonation-goldfactory-malware/
πRectifyq Taxonomies:
Relevancy: β« Not Relevant
Category: β Threat
β’ mitre-att&ck="from-original-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ TA-category="Cybercrime"
β’ target="broad-based"
β’ topic="mobile-attack"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Group-IB"
β’ target-information="Indonesia"
β’ target-information="Peru"
β’ target-information="Philippines"
β’ target-information="South Africa"
β’ target-information="Thailand"
β’ malpedia="Gigabud"
β’ sector="Bank"
β’ sector="Finance"
β’ sector="Government, Administration"
β’ malpedia="GoldDigger"
β’ malpedia="Remo"
β’ threat-actor="GoldFactory"
mitre-attack-pattern=['T1414', 'T1646', 'T1541', 'T1417.002', 'T1516', 'T1417.001', 'T1660', 'T1513', 'T1426', 'T1437.001', 'T1626', 'T1417', 'T1418', 'T1422']
MISP event uuid: 88e3ed61-0d4d-462b-9c4c-2298d7d7b9c3
π Date: 2026-05-19
πReferences:
https://www.group-ib.com/blog/indonesia-tax-impersonation-goldfactory-malware/
πRectifyq Taxonomies:
Relevancy: β« Not Relevant
Category: β Threat
β’ mitre-att&ck="from-original-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ TA-category="Cybercrime"
β’ target="broad-based"
β’ topic="mobile-attack"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Group-IB"
β’ target-information="Indonesia"
β’ target-information="Peru"
β’ target-information="Philippines"
β’ target-information="South Africa"
β’ target-information="Thailand"
β’ malpedia="Gigabud"
β’ sector="Bank"
β’ sector="Finance"
β’ sector="Government, Administration"
β’ malpedia="GoldDigger"
β’ malpedia="Remo"
β’ threat-actor="GoldFactory"
mitre-attack-pattern=['T1414', 'T1646', 'T1541', 'T1417.002', 'T1516', 'T1417.001', 'T1660', 'T1513', 'T1426', 'T1437.001', 'T1626', 'T1417', 'T1418', 'T1422']
MISP event uuid: 88e3ed61-0d4d-462b-9c4c-2298d7d7b9c3
Group-IB
Beyond Tax Returns: How Shared Malware Infrastructure Scales Brand Abuse In Indonesia
Itβs tax season in Indonesia and fraudsters are observed to be ramping up the fraud campaign involving fake Coretax apps, but behind it lies an industrialized MaaS infrastructure ready to strike anywhere.
πTitle: Popular node-ipc npm Package Infected with Credential Stealer
π Date: 2026-05-14
πReferences:
https://socket.dev/blog/node-ipc-package-compromised
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ topic="supply-chain"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="37ebf9d7-5e9a-466f-a42c-6e60313db868"
mitre-attack-pattern=['T1195.002', 'T1078', 'T1136', 'T1098', 'T1071.004', 'T1048.003', 'T1041', 'T1567', 'T1005', 'T1552.001', 'T1552.004', 'T1087', 'T1082', 'T1083', 'T1119', 'T1074.001', 'T1560.001', 'T1027', 'T1027.002', 'T1059.007']
MISP event uuid: ba313d52-d178-491a-ab42-0a79bdd9755b
π Date: 2026-05-14
πReferences:
https://socket.dev/blog/node-ipc-package-compromised
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ topic="supply-chain"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="37ebf9d7-5e9a-466f-a42c-6e60313db868"
mitre-attack-pattern=['T1195.002', 'T1078', 'T1136', 'T1098', 'T1071.004', 'T1048.003', 'T1041', 'T1567', 'T1005', 'T1552.001', 'T1552.004', 'T1087', 'T1082', 'T1083', 'T1119', 'T1074.001', 'T1560.001', 'T1027', 'T1027.002', 'T1059.007']
MISP event uuid: ba313d52-d178-491a-ab42-0a79bdd9755b
Socket
Popular node-ipc npm Package Infected with Credential Steale...
Socket detected malicious node-ipc versions with obfuscated stealer/backdoor behavior in a developing npm supply chain attack.
πTitle: Inside a Tor Backed Supply Chain Worm
π Date: 2026-05-14
πReferences:
https://www.cloudsek.com/blog/inside-a-tor-backed-supply-chain-worm
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ topic="supply-chain"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="CloudSEK"
mitre-attack-pattern=['T1195.002', 'T1554', 'T1543.002', 'T1027', 'T1078.004', 'T1078.001', 'T1087.001', 'T1552.001', 'T1552.006', 'T1563', 'T1098', 'T1036.005', 'T1090.003', 'T1071.001', 'T1059.006', 'T1548.001', 'T1496', 'T1005', 'T1041']
MISP event uuid: 76c07ddc-0f70-481e-9f63-c99aef0650b6
π Date: 2026-05-14
πReferences:
https://www.cloudsek.com/blog/inside-a-tor-backed-supply-chain-worm
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ topic="supply-chain"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="CloudSEK"
mitre-attack-pattern=['T1195.002', 'T1554', 'T1543.002', 'T1027', 'T1078.004', 'T1078.001', 'T1087.001', 'T1552.001', 'T1552.006', 'T1563', 'T1098', 'T1036.005', 'T1090.003', 'T1071.001', 'T1059.006', 'T1548.001', 'T1496', 'T1005', 'T1041']
MISP event uuid: 76c07ddc-0f70-481e-9f63-c99aef0650b6
Cloudsek
Inside a Tor Backed Supply Chain Worm | CloudSEK
CloudSEK TRIAD uncovered a sophisticated npm supply chain attack using a typosquatted package, crypto-javascri, to mimic crypto-js. The malware steals npm and GitHub credentials, hijacks maintainer accounts, republishes trojanized packages, and uses Tor-basedβ¦
πTitle: The Evolution of ClickFix: From Cleartext to Server Side Polymorphism
π Date: 2026-05-14
πReferences:
https://www.menlosecurity.com/blog/the-evolution-of-clickfix-from-cleartext-to-server-side-polymorphism
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ workflow="enrichment"
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
πMISP Galaxies:
β’ malpedia="Vidar"
β’ malpedia="DeerStealer"
mitre-attack-pattern=['T1204.001', 'T1566.002', 'T1059.001', 'T1027', 'T1140', 'T1071.001', 'T1105', 'T1055', 'T1112', 'T1497', 'T1070.004', 'T1082', 'T1555.003', 'T1555', 'T1539', 'T1005', 'T1041', 'T1027.002']
MISP event uuid: 6d14d444-58c0-45da-92e5-fca9cdcd7637
π Date: 2026-05-14
πReferences:
https://www.menlosecurity.com/blog/the-evolution-of-clickfix-from-cleartext-to-server-side-polymorphism
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ workflow="enrichment"
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
πMISP Galaxies:
β’ malpedia="Vidar"
β’ malpedia="DeerStealer"
mitre-attack-pattern=['T1204.001', 'T1566.002', 'T1059.001', 'T1027', 'T1140', 'T1071.001', 'T1105', 'T1055', 'T1112', 'T1497', 'T1070.004', 'T1082', 'T1555.003', 'T1555', 'T1539', 'T1005', 'T1041', 'T1027.002']
MISP event uuid: 6d14d444-58c0-45da-92e5-fca9cdcd7637
Menlosecurity
The Evolution of ClickFix: From Cleartext to Server Side Polymorphism - Blog | Menlo Security
Menlo has identified ~4,500 domains that belong to a Polymorphism campaign, demonstrating a massive infrastructure powering these evasive ClickFix attacks.
πTitle: Infostealer Campaign Using Trading App as Lure
π Date: 2026-05-20
πReferences:
https://hybrid-analysis.blogspot.com/2026/05/velvet-chollima-infostealer-campaign.html?m=1
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Hybrid Analysis"
mitre-attack-pattern=['T1566', 'T1204', 'T1036', 'T1553.002', 'T1547.001', 'T1053.005', 'T1059.001', 'T1027', 'T1105', 'T1082', 'T1012', 'T1518.001', 'T1056.001', 'T1555.003', 'T1567.001', 'T1071.001', 'T1132', 'T1497', 'T1497.001', 'T1614']
MISP event uuid: 08b137bc-104f-4dcc-a5ab-09ec9ce19b7b
π Date: 2026-05-20
πReferences:
https://hybrid-analysis.blogspot.com/2026/05/velvet-chollima-infostealer-campaign.html?m=1
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Hybrid Analysis"
mitre-attack-pattern=['T1566', 'T1204', 'T1036', 'T1553.002', 'T1547.001', 'T1053.005', 'T1059.001', 'T1027', 'T1105', 'T1082', 'T1012', 'T1518.001', 'T1056.001', 'T1555.003', 'T1567.001', 'T1071.001', 'T1132', 'T1497', 'T1497.001', 'T1614']
MISP event uuid: 08b137bc-104f-4dcc-a5ab-09ec9ce19b7b
πTitle: APT Targets Azerbaijani Oil and Gas Industry
π Date: 2026-05-13
πReferences:
https://businessinsights.bitdefender.com/famoussparrow-apt-targets-azerbaijani-oil-gas-industry
πRectifyq Taxonomies:
Relevancy: β« Not Relevant
Category: β Threat
β’ mitre-att&ck="from-original-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="TA-profile"
β’ sub-category="campaign-analysis"
β’ TA-category="APT"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Bitdefender"
β’ target-information="Azerbaijan"
β’ threat-actor="GhostEmperor"
β’ country="china"
β’ malpedia="SNAPPYBEE"
β’ sector="Gas"
β’ sector="Oil"
mitre-attack-pattern=['T1190', 'T1505.003', 'T1543.003', 'T1574.002', 'T1140', 'T1562', 'T1569.002', 'T1059.001', 'T1021.001', 'T1021.002', 'T1071.001', 'T1014']
MISP event uuid: 4513c651-0f6c-417a-8390-6a800dc28872
π Date: 2026-05-13
πReferences:
https://businessinsights.bitdefender.com/famoussparrow-apt-targets-azerbaijani-oil-gas-industry
πRectifyq Taxonomies:
Relevancy: β« Not Relevant
Category: β Threat
β’ mitre-att&ck="from-original-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="TA-profile"
β’ sub-category="campaign-analysis"
β’ TA-category="APT"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Bitdefender"
β’ target-information="Azerbaijan"
β’ threat-actor="GhostEmperor"
β’ country="china"
β’ malpedia="SNAPPYBEE"
β’ sector="Gas"
β’ sector="Oil"
mitre-attack-pattern=['T1190', 'T1505.003', 'T1543.003', 'T1574.002', 'T1140', 'T1562', 'T1569.002', 'T1059.001', 'T1021.001', 'T1021.002', 'T1071.001', 'T1014']
MISP event uuid: 4513c651-0f6c-417a-8390-6a800dc28872
Bitdefender
FamousSparrow APT Targets Azerbaijani Oil and Gas Industry
Bitdefender Labs tracked APT activity targeting Azerbaijani oil and gas; the operation demonstrates notable technical and strategic characteristics.
πTitle: Middle East Malicious Infrastructure Report: 1,350+ C2 Servers Mapped Across 98 Providers
π Date: 2026-05-21
πReferences:
https://hunt.io/blog/middle-east-malicious-infrastructure-report
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="infra-profile"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Hunt.io"
mitre-attack-pattern=['T1543', 'T1071.004', 'T1566.001', 'T1053', 'T1106', 'T1140', 'T1190', 'T1583.001', 'T1036', 'T1055', 'T1497', 'T1059.001', 'T1098', 'T1562.001', 'T1078', 'T1027', 'T1573', 'T1071.001', 'T1136', 'T1105', 'T1204.001']
MISP event uuid: c40393cf-c35a-4e9c-89f7-442e9743e034
π Date: 2026-05-21
πReferences:
https://hunt.io/blog/middle-east-malicious-infrastructure-report
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="infra-profile"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Hunt.io"
mitre-attack-pattern=['T1543', 'T1071.004', 'T1566.001', 'T1053', 'T1106', 'T1140', 'T1190', 'T1583.001', 'T1036', 'T1055', 'T1497', 'T1059.001', 'T1098', 'T1562.001', 'T1078', 'T1027', 'T1573', 'T1071.001', 'T1136', 'T1105', 'T1204.001']
MISP event uuid: c40393cf-c35a-4e9c-89f7-442e9743e034
hunt.io
Middle East Malicious Infrastructure Report: 1,350+ C2 Servers Mapped Across 98 Providers
We mapped 1,350+ active C2 servers across 98 Middle East providers. Here's what the infrastructure data reveals about the region's threat landscape.
πTitle: The Gentleman Ransomware | Defense Evasion TTPs Uncovered
π Date: 2026-05-21
πReferences:
https://www.huntress.com/blog/the-gentlemen-ransomware-defense-evasion-ttps
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="TA-profile"
β’ sub-category="intrusion-analysis"
β’ TA-category="Ransomware"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Huntress"
β’ ransomware="the gentlemen"
mitre-attack-pattern=['T1053.005', 'T1033', 'T1133', 'T1548.002', 'T1036.005', 'T1082', 'T1112', 'T1070.001', 'T1083', 'T1057', 'T1059.001', 'T1562.001', 'T1078', 'T1027', 'T1486', 'T1071.001', 'T1018', 'T1105', 'T1021.001', 'T1090.001']
MISP event uuid: bf870fb8-ded6-4287-a5f5-d67eb365e5e6
π Date: 2026-05-21
πReferences:
https://www.huntress.com/blog/the-gentlemen-ransomware-defense-evasion-ttps
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="TA-profile"
β’ sub-category="intrusion-analysis"
β’ TA-category="Ransomware"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Huntress"
β’ ransomware="the gentlemen"
mitre-attack-pattern=['T1053.005', 'T1033', 'T1133', 'T1548.002', 'T1036.005', 'T1082', 'T1112', 'T1070.001', 'T1083', 'T1057', 'T1059.001', 'T1562.001', 'T1078', 'T1027', 'T1486', 'T1071.001', 'T1018', 'T1105', 'T1021.001', 'T1090.001']
MISP event uuid: bf870fb8-ded6-4287-a5f5-d67eb365e5e6
Huntress
The Gentleman Ransomware | Defense Evasion TTPs Uncovered | Huntress
Two recent incidents involving The Gentlemen ransomware show the use of defense evasion tactics, including logs being cleared and attempts to add antivirus exclusions.
πTitle: One Man, One AI, One Fake Persona: Inside the 5-Year Influence and Fraud 'Patriot Bait' Campaign
π Date: 2026-05-21
πReferences:
https://www.trendmicro.com/en_us/research/26/e/inside-the-influence-and-fraud-patriot-bait-campaign.html
πRectifyq Taxonomies:
Relevancy: β« Not Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="TA-profile"
β’ sub-category="campaign-analysis"
β’ topic="crypto-related"
β’ TA-category="Cybercrime"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Trend Micro"
β’ target-information="United States"
mitre-attack-pattern=[]
MISP event uuid: 955d2000-1779-4eef-85e8-245ce2a74d15
π Date: 2026-05-21
πReferences:
https://www.trendmicro.com/en_us/research/26/e/inside-the-influence-and-fraud-patriot-bait-campaign.html
πRectifyq Taxonomies:
Relevancy: β« Not Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="TA-profile"
β’ sub-category="campaign-analysis"
β’ topic="crypto-related"
β’ TA-category="Cybercrime"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Trend Micro"
β’ target-information="United States"
mitre-attack-pattern=[]
MISP event uuid: 955d2000-1779-4eef-85e8-245ce2a74d15
Trend Micro
One Man, One AI, One Fake Persona: Inside the 5-Year Influence and Fraud βPatriot Baitβ Campaign
A solo Russian-speaking threat actor ran a 5-year Telegram channel and, starting September 2025, used AI to automate its content, credential theft, and a cryptocurrency fraud scheme targeting American audiences.
πTitle: KerjaExpress Campaign - Android Banking Trojan Targeting Malaysian Financial Institutions
π Date: 2026-05-23
πReferences:
πRectifyq Taxonomies:
Relevancy: π΄ Highly Relevant
Category: β Threat
β’ sub-category="campaign-analysis"
β’ topic="mobile-attack"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ sector="Finance"
β’ target-information="Malaysia"
mitre-attack-pattern=['T1476', 'T1437', 'T1406', 'T1660', 'T1453', 'T1636.002', 'T1412', 'T1512', 'T1429', 'T1417.001', 'T1430', 'T1657']
MISP event uuid: 375deb1c-52ff-499f-a96e-6229a2ed4673
π Date: 2026-05-23
πReferences:
πRectifyq Taxonomies:
Relevancy: π΄ Highly Relevant
Category: β Threat
β’ sub-category="campaign-analysis"
β’ topic="mobile-attack"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ sector="Finance"
β’ target-information="Malaysia"
mitre-attack-pattern=['T1476', 'T1437', 'T1406', 'T1660', 'T1453', 'T1636.002', 'T1412', 'T1512', 'T1429', 'T1417.001', 'T1430', 'T1657']
MISP event uuid: 375deb1c-52ff-499f-a96e-6229a2ed4673
πTitle: Exploitation of KnowledgeDeliver via ViewState Deserialization Vulnerability
π Date: 2026-05-26
πReferences:
https://cloud.google.com/blog/topics/threat-intelligence/knowledgedeliver-viewstate-deserialization-vulnerability
πRectifyq Taxonomies:
Relevancy: β« Not Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="intrusion-analysis"
β’ target="targeted"
β’ samples-found-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Mandiant"
β’ target-information="Japan"
mitre-attack-pattern=['T1036.005', 'T1204.002', 'T1566.002', 'T1222.001', 'T1082', 'T1106', 'T1190', 'T1070.006', 'T1505.003', 'T1087', 'T1083', 'T1057', 'T1059.001', 'T1547.001', 'T1027.005', 'T1068', 'T1027', 'T1573', 'T1059.003', 'T1071.001']
MISP event uuid: 7d11ee85-edb4-4c0d-8857-1c31a3bbf632
π Date: 2026-05-26
πReferences:
https://cloud.google.com/blog/topics/threat-intelligence/knowledgedeliver-viewstate-deserialization-vulnerability
πRectifyq Taxonomies:
Relevancy: β« Not Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="intrusion-analysis"
β’ target="targeted"
β’ samples-found-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Mandiant"
β’ target-information="Japan"
mitre-attack-pattern=['T1036.005', 'T1204.002', 'T1566.002', 'T1222.001', 'T1082', 'T1106', 'T1190', 'T1070.006', 'T1505.003', 'T1087', 'T1083', 'T1057', 'T1059.001', 'T1547.001', 'T1027.005', 'T1068', 'T1027', 'T1573', 'T1059.003', 'T1071.001']
MISP event uuid: 7d11ee85-edb4-4c0d-8857-1c31a3bbf632
Google Cloud Blog
Exploitation of KnowledgeDeliver via ViewState Deserialization Vulnerability | Google Cloud Blog
πTitle: Laravel Lang Compromised with RCE Backdoor Across 700+ Versions
π Date: 2026-05-23
πReferences:
https://socket.dev/blog/laravel-lang-compromise
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ topic="supply-chain"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="37ebf9d7-5e9a-466f-a42c-6e60313db868"
mitre-attack-pattern=['T1552.005', 'T1555.001', 'T1573.001', 'T1555.005', 'T1552.002', 'T1082', 'T1140', 'T1555.003', 'T1552.004', 'T1078.001', 'T1083', 'T1552.001', 'T1552.006', 'T1059.004', 'T1027', 'T1195.002', 'T1071.001', 'T1078.004', 'T1552.007']
MISP event uuid: 9fd4e771-9d30-4b3d-bdc9-9f5c6fa70541
π Date: 2026-05-23
πReferences:
https://socket.dev/blog/laravel-lang-compromise
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ topic="supply-chain"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="37ebf9d7-5e9a-466f-a42c-6e60313db868"
mitre-attack-pattern=['T1552.005', 'T1555.001', 'T1573.001', 'T1555.005', 'T1552.002', 'T1082', 'T1140', 'T1555.003', 'T1552.004', 'T1078.001', 'T1083', 'T1552.001', 'T1552.006', 'T1059.004', 'T1027', 'T1195.002', 'T1071.001', 'T1078.004', 'T1552.007']
MISP event uuid: 9fd4e771-9d30-4b3d-bdc9-9f5c6fa70541
Socket
Laravel Lang Compromised with RCE Backdoor Across 700+ Versi...
Laravel Lang packages were compromised with an RCE backdoor across hundreds of versions, exposing cloud, CI/CD, and developer secrets.
πTitle: From edge appliance to enterprise compromise: Multi-stage Linux intrusion via F5 and Confluence
π Date: 2026-05-22
πReferences:
https://www.microsoft.com/en-us/security/blog/2026/05/22/from-edge-appliance-to-enterprise-compromise-multi-stage-linux-intrusion-via-f5-and-confluence/
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="from-original-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="intrusion-analysis"
β’ topic="cloud"
β’ target="targeted"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Microsoft"
mitre-attack-pattern=['T1557', 'T1222.002', 'T1021.004', 'T1071', 'T1005', 'T1190', 'T1083', 'T1059.004', 'T1187', 'T1078.002', 'T1059.006', 'T1505', 'T1105', 'T1043']
MISP event uuid: fd752467-0d11-47e9-a740-deaf9985264d
π Date: 2026-05-22
πReferences:
https://www.microsoft.com/en-us/security/blog/2026/05/22/from-edge-appliance-to-enterprise-compromise-multi-stage-linux-intrusion-via-f5-and-confluence/
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="from-original-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="intrusion-analysis"
β’ topic="cloud"
β’ target="targeted"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Microsoft"
mitre-attack-pattern=['T1557', 'T1222.002', 'T1021.004', 'T1071', 'T1005', 'T1190', 'T1083', 'T1059.004', 'T1187', 'T1078.002', 'T1059.006', 'T1505', 'T1105', 'T1043']
MISP event uuid: fd752467-0d11-47e9-a740-deaf9985264d
Microsoft News
From edge appliance to enterprise compromise: Multi-stage Linux intrusion via F5 and Confluence
A multi-stage attack on Linux devices began with an exposed F5 BIG-IP edge appliance and pivoted to an internal Confluence server for credential theft and identity compromise. Learn how the threat actor attempted Kerberos relay and lateral movement, and howβ¦
πTitle: Fast and Furious - Nimbus Manticore Operations During the Iranian Conflict
π Date: 2026-05-22
πReferences:
https://research.checkpoint.com/2026/fast-and-furious-nimbus-manticore-operations-during-the-iranian-conflict/
πRectifyq Taxonomies:
Relevancy: β« Not Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ topic="geopolitical"
β’ TA-category="APT"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Check Point"
β’ target-information="United States"
β’ target-information="Australia"
β’ target-information="Saudi Arabia"
β’ target-information="Israel"
β’ target-information="United Arab Emirates"
β’ threat-actor="UNC1549"
β’ country="iran"
mitre-attack-pattern=['T1053.005', 'T1033', 'T1132.001', 'T1036.005', 'T1204.002', 'T1573.001', 'T1566.002', 'T1566.001', 'T1082', 'T1106', 'T1140', 'T1083', 'T1057', 'T1041', 'T1027', 'T1059.003', 'T1189', 'T1071.001', 'T1574.002', 'T1105']
MISP event uuid: 5795b1d1-efb3-404b-91f4-3cc22a56ccd9
π Date: 2026-05-22
πReferences:
https://research.checkpoint.com/2026/fast-and-furious-nimbus-manticore-operations-during-the-iranian-conflict/
πRectifyq Taxonomies:
Relevancy: β« Not Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ topic="geopolitical"
β’ TA-category="APT"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Check Point"
β’ target-information="United States"
β’ target-information="Australia"
β’ target-information="Saudi Arabia"
β’ target-information="Israel"
β’ target-information="United Arab Emirates"
β’ threat-actor="UNC1549"
β’ country="iran"
mitre-attack-pattern=['T1053.005', 'T1033', 'T1132.001', 'T1036.005', 'T1204.002', 'T1573.001', 'T1566.002', 'T1566.001', 'T1082', 'T1106', 'T1140', 'T1083', 'T1057', 'T1041', 'T1027', 'T1059.003', 'T1189', 'T1071.001', 'T1574.002', 'T1105']
MISP event uuid: 5795b1d1-efb3-404b-91f4-3cc22a56ccd9
Check Point Research
Fast and Furious - Nimbus Manticore Operations During the Iranian Conflict - Check Point Research
Key Findings Introduction During the recent geopolitical tensions in the Middle East, we reported on multiple Iran-nexus threat actors advancing Iranβs strategic objectives through cyber operations. These activities included targeting internet-connected camerasβ¦
πTitle: Tracking Iranian APT Screening Serpensβ 2026 Espionage Campaigns
π Date: 2026-05-22
πReferences:
https://unit42.paloaltonetworks.com/tracking-iran-apt-screening-serpens/
πRectifyq Taxonomies:
Relevancy: β« Not Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="TA-profile"
β’ topic="geopolitical"
β’ TA-category="APT"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Palo Alto"
β’ target-information="United States"
β’ target-information="Israel"
β’ target-information="United Arab Emirates"
β’ country="iran"
β’ threat-actor="UNC1549"
mitre-attack-pattern=['T1053.005', 'T1036.005', 'T1204.002', 'T1566.001', 'T1082', 'T1106', 'T1140', 'T1055', 'T1218', 'T1083', 'T1036.004', 'T1057', 'T1041', 'T1547.001', 'T1562.001', 'T1027', 'T1059.003', 'T1070.004', 'T1071.001', 'T1574.002']
MISP event uuid: cbfd6ef2-719f-4544-af73-580b5f764c5c
π Date: 2026-05-22
πReferences:
https://unit42.paloaltonetworks.com/tracking-iran-apt-screening-serpens/
πRectifyq Taxonomies:
Relevancy: β« Not Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="TA-profile"
β’ topic="geopolitical"
β’ TA-category="APT"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Palo Alto"
β’ target-information="United States"
β’ target-information="Israel"
β’ target-information="United Arab Emirates"
β’ country="iran"
β’ threat-actor="UNC1549"
mitre-attack-pattern=['T1053.005', 'T1036.005', 'T1204.002', 'T1566.001', 'T1082', 'T1106', 'T1140', 'T1055', 'T1218', 'T1083', 'T1036.004', 'T1057', 'T1041', 'T1547.001', 'T1562.001', 'T1027', 'T1059.003', 'T1070.004', 'T1071.001', 'T1574.002']
MISP event uuid: cbfd6ef2-719f-4544-af73-580b5f764c5c
Unit 42
Tracking Iranian APT Screening Serpensβ 2026 Espionage Campaigns
Unit 42 details Screening Serpens' use of AppDomainManager hijacking and new RAT variants to target tech and defense sectors in recent campaigns.
πTitle: Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload
π Date: 2026-05-22
πReferences:
https://securelist.com/cloud-atlas-2026/119895/
πRectifyq Taxonomies:
Relevancy: β« Not Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="TA-profile"
β’ TA-category="APT"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Kaspersky"
β’ target-information="Belarus"
β’ target-information="Russia"
β’ threat-actor="Inception Framework"
β’ sector="Diplomacy"
β’ sector="Government, Administration"
mitre-attack-pattern=['T1003.002', 'T1074.001', 'T1087.002', 'T1204.002', 'T1566.001', 'T1005', 'T1140', 'T1055', 'T1572', 'T1090', 'T1482', 'T1059.001', 'T1547.001', 'T1078', 'T1027', 'T1573', 'T1071.001', 'T1018', 'T1021.001', 'T1558.003']
MISP event uuid: 7f23650f-d187-4f77-8965-5a32f48fdd80
π Date: 2026-05-22
πReferences:
https://securelist.com/cloud-atlas-2026/119895/
πRectifyq Taxonomies:
Relevancy: β« Not Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="TA-profile"
β’ TA-category="APT"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Kaspersky"
β’ target-information="Belarus"
β’ target-information="Russia"
β’ threat-actor="Inception Framework"
β’ sector="Diplomacy"
β’ sector="Government, Administration"
mitre-attack-pattern=['T1003.002', 'T1074.001', 'T1087.002', 'T1204.002', 'T1566.001', 'T1005', 'T1140', 'T1055', 'T1572', 'T1090', 'T1482', 'T1059.001', 'T1547.001', 'T1078', 'T1027', 'T1573', 'T1071.001', 'T1018', 'T1021.001', 'T1558.003']
MISP event uuid: 7f23650f-d187-4f77-8965-5a32f48fdd80
πTitle: RemotePE: The Lazarus RAT that lives in memory
π Date: 2026-05-25
πReferences:
https://blog.fox-it.com/2026/05/22/remotepe-the-lazarus-rat-that-lives-in-memory/
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="from-original-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="malware-analysis"
β’ TA-category="APT"
β’ target="broad-based"
β’ samples-found-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ threat-actor="Lazarus Group"
mitre-attack-pattern=['T1543.003', 'T1082', 'T1106', 'T1005', 'T1140', 'T1055', 'T1560', 'T1562.006', 'T1083', 'T1036.004', 'T1497', 'T1057', 'T1562.001', 'T1027', 'T1573', 'T1132', 'T1027.002', 'T1071.001', 'T1574.002', 'T1480.001']
MISP event uuid: 97638d90-a35a-4490-80dd-f2e3d548c42e
π Date: 2026-05-25
πReferences:
https://blog.fox-it.com/2026/05/22/remotepe-the-lazarus-rat-that-lives-in-memory/
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="from-original-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="malware-analysis"
β’ TA-category="APT"
β’ target="broad-based"
β’ samples-found-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ threat-actor="Lazarus Group"
mitre-attack-pattern=['T1543.003', 'T1082', 'T1106', 'T1005', 'T1140', 'T1055', 'T1560', 'T1562.006', 'T1083', 'T1036.004', 'T1497', 'T1057', 'T1562.001', 'T1027', 'T1573', 'T1132', 'T1027.002', 'T1071.001', 'T1574.002', 'T1480.001']
MISP event uuid: 97638d90-a35a-4490-80dd-f2e3d548c42e
Fox-IT International blog
RemotePE: The Lazarus RAT that lives in memory
Authors: Yun Zheng Hu and Mick Koomen Summary Last year, we published research1 about a North Korean Lazarus subgroup targeting financial and cryptocurrency organizations, encountered during multipβ¦
Rectifyq Cybersecurity News π²πΎ pinned Β«πTitle: Premium Deception: Uncovering a Global Android Carrier Billing Fraud Campaign π
Date: 2026-05-20 πReferences: https://zimperium.com/blog/premium-deception-uncovering-a-global-android-carrier-billing-fraud-campaign πRectifyq Taxonomies: Relevancy:β¦Β»
Rectifyq Cybersecurity News π²πΎ pinned Β«πTitle: KerjaExpress Campaign - Android Banking Trojan Targeting Malaysian Financial Institutions π
Date: 2026-05-23 πReferences: πRectifyq Taxonomies: Relevancy: π΄ Highly Relevant Category: β Threat β’ sub-category="campaign-analysis" β’ topic="mobile-attack"β¦Β»
πTitle: MTNew-v3Campaign Advanced Banking Trojan Targeting Malaysian Financial Sector
π Date: 2026-05-24
πReferences:
πRectifyq Taxonomies:
Relevancy: π΄ Highly Relevant
Category: β Threat
β’ sub-category="malware-analysis"
β’ topic="mobile-attack"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ target-information="Malaysia"
β’ sector="Finance"
mitre-attack-pattern=['T1660', 'T1476', 'T1406.002', 'T1437', 'T1437.001', 'T1406', 'T1417.001', 'T1412', 'T1513', 'T1429', 'T1446']
MISP event uuid: c3e3d1a1-2a9e-420d-b8f0-16a801149af0
π Date: 2026-05-24
πReferences:
πRectifyq Taxonomies:
Relevancy: π΄ Highly Relevant
Category: β Threat
β’ sub-category="malware-analysis"
β’ topic="mobile-attack"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ target-information="Malaysia"
β’ sector="Finance"
mitre-attack-pattern=['T1660', 'T1476', 'T1406.002', 'T1437', 'T1437.001', 'T1406', 'T1417.001', 'T1412', 'T1513', 'T1429', 'T1446']
MISP event uuid: c3e3d1a1-2a9e-420d-b8f0-16a801149af0
πTitle: MaxTag Malware Family
π Date: 2026-05-25
πReferences:
πRectifyq Taxonomies:
Relevancy: π΄ Highly Relevant
Category: β Threat
β’ sub-category="malware-analysis"
β’ topic="mobile-attack"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ target-information="Malaysia"
β’ sector="Finance"
mitre-attack-pattern=['T1429', 'T1412', 'T1417', 'T1516', 'T1411', 'T1461', 'T1444', 'T1406', 'T1582', 'T1603', 'T1513', 'T1481']
MISP event uuid: dcc49ea4-0a45-434b-ad1e-44d68b14b954
π Date: 2026-05-25
πReferences:
πRectifyq Taxonomies:
Relevancy: π΄ Highly Relevant
Category: β Threat
β’ sub-category="malware-analysis"
β’ topic="mobile-attack"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ target-information="Malaysia"
β’ sector="Finance"
mitre-attack-pattern=['T1429', 'T1412', 'T1417', 'T1516', 'T1411', 'T1461', 'T1444', 'T1406', 'T1582', 'T1603', 'T1513', 'T1481']
MISP event uuid: dcc49ea4-0a45-434b-ad1e-44d68b14b954