πTitle: APT Targets Azerbaijani Oil and Gas Industry
π Date: 2026-05-13
πReferences:
https://businessinsights.bitdefender.com/famoussparrow-apt-targets-azerbaijani-oil-gas-industry
πRectifyq Taxonomies:
Relevancy: β« Not Relevant
Category: β Threat
β’ mitre-att&ck="from-original-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="TA-profile"
β’ sub-category="campaign-analysis"
β’ TA-category="APT"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Bitdefender"
β’ target-information="Azerbaijan"
β’ threat-actor="GhostEmperor"
β’ country="china"
β’ malpedia="SNAPPYBEE"
β’ sector="Gas"
β’ sector="Oil"
mitre-attack-pattern=['T1190', 'T1505.003', 'T1543.003', 'T1574.002', 'T1140', 'T1562', 'T1569.002', 'T1059.001', 'T1021.001', 'T1021.002', 'T1071.001', 'T1014']
MISP event uuid: 4513c651-0f6c-417a-8390-6a800dc28872
π Date: 2026-05-13
πReferences:
https://businessinsights.bitdefender.com/famoussparrow-apt-targets-azerbaijani-oil-gas-industry
πRectifyq Taxonomies:
Relevancy: β« Not Relevant
Category: β Threat
β’ mitre-att&ck="from-original-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="TA-profile"
β’ sub-category="campaign-analysis"
β’ TA-category="APT"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Bitdefender"
β’ target-information="Azerbaijan"
β’ threat-actor="GhostEmperor"
β’ country="china"
β’ malpedia="SNAPPYBEE"
β’ sector="Gas"
β’ sector="Oil"
mitre-attack-pattern=['T1190', 'T1505.003', 'T1543.003', 'T1574.002', 'T1140', 'T1562', 'T1569.002', 'T1059.001', 'T1021.001', 'T1021.002', 'T1071.001', 'T1014']
MISP event uuid: 4513c651-0f6c-417a-8390-6a800dc28872
Bitdefender
FamousSparrow APT Targets Azerbaijani Oil and Gas Industry
Bitdefender Labs tracked APT activity targeting Azerbaijani oil and gas; the operation demonstrates notable technical and strategic characteristics.
πTitle: Middle East Malicious Infrastructure Report: 1,350+ C2 Servers Mapped Across 98 Providers
π Date: 2026-05-21
πReferences:
https://hunt.io/blog/middle-east-malicious-infrastructure-report
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="infra-profile"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Hunt.io"
mitre-attack-pattern=['T1543', 'T1071.004', 'T1566.001', 'T1053', 'T1106', 'T1140', 'T1190', 'T1583.001', 'T1036', 'T1055', 'T1497', 'T1059.001', 'T1098', 'T1562.001', 'T1078', 'T1027', 'T1573', 'T1071.001', 'T1136', 'T1105', 'T1204.001']
MISP event uuid: c40393cf-c35a-4e9c-89f7-442e9743e034
π Date: 2026-05-21
πReferences:
https://hunt.io/blog/middle-east-malicious-infrastructure-report
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="infra-profile"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Hunt.io"
mitre-attack-pattern=['T1543', 'T1071.004', 'T1566.001', 'T1053', 'T1106', 'T1140', 'T1190', 'T1583.001', 'T1036', 'T1055', 'T1497', 'T1059.001', 'T1098', 'T1562.001', 'T1078', 'T1027', 'T1573', 'T1071.001', 'T1136', 'T1105', 'T1204.001']
MISP event uuid: c40393cf-c35a-4e9c-89f7-442e9743e034
hunt.io
Middle East Malicious Infrastructure Report: 1,350+ C2 Servers Mapped Across 98 Providers
We mapped 1,350+ active C2 servers across 98 Middle East providers. Here's what the infrastructure data reveals about the region's threat landscape.
πTitle: The Gentleman Ransomware | Defense Evasion TTPs Uncovered
π Date: 2026-05-21
πReferences:
https://www.huntress.com/blog/the-gentlemen-ransomware-defense-evasion-ttps
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="TA-profile"
β’ sub-category="intrusion-analysis"
β’ TA-category="Ransomware"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Huntress"
β’ ransomware="the gentlemen"
mitre-attack-pattern=['T1053.005', 'T1033', 'T1133', 'T1548.002', 'T1036.005', 'T1082', 'T1112', 'T1070.001', 'T1083', 'T1057', 'T1059.001', 'T1562.001', 'T1078', 'T1027', 'T1486', 'T1071.001', 'T1018', 'T1105', 'T1021.001', 'T1090.001']
MISP event uuid: bf870fb8-ded6-4287-a5f5-d67eb365e5e6
π Date: 2026-05-21
πReferences:
https://www.huntress.com/blog/the-gentlemen-ransomware-defense-evasion-ttps
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="TA-profile"
β’ sub-category="intrusion-analysis"
β’ TA-category="Ransomware"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Huntress"
β’ ransomware="the gentlemen"
mitre-attack-pattern=['T1053.005', 'T1033', 'T1133', 'T1548.002', 'T1036.005', 'T1082', 'T1112', 'T1070.001', 'T1083', 'T1057', 'T1059.001', 'T1562.001', 'T1078', 'T1027', 'T1486', 'T1071.001', 'T1018', 'T1105', 'T1021.001', 'T1090.001']
MISP event uuid: bf870fb8-ded6-4287-a5f5-d67eb365e5e6
Huntress
The Gentleman Ransomware | Defense Evasion TTPs Uncovered | Huntress
Two recent incidents involving The Gentlemen ransomware show the use of defense evasion tactics, including logs being cleared and attempts to add antivirus exclusions.
πTitle: One Man, One AI, One Fake Persona: Inside the 5-Year Influence and Fraud 'Patriot Bait' Campaign
π Date: 2026-05-21
πReferences:
https://www.trendmicro.com/en_us/research/26/e/inside-the-influence-and-fraud-patriot-bait-campaign.html
πRectifyq Taxonomies:
Relevancy: β« Not Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="TA-profile"
β’ sub-category="campaign-analysis"
β’ topic="crypto-related"
β’ TA-category="Cybercrime"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Trend Micro"
β’ target-information="United States"
mitre-attack-pattern=[]
MISP event uuid: 955d2000-1779-4eef-85e8-245ce2a74d15
π Date: 2026-05-21
πReferences:
https://www.trendmicro.com/en_us/research/26/e/inside-the-influence-and-fraud-patriot-bait-campaign.html
πRectifyq Taxonomies:
Relevancy: β« Not Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="TA-profile"
β’ sub-category="campaign-analysis"
β’ topic="crypto-related"
β’ TA-category="Cybercrime"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Trend Micro"
β’ target-information="United States"
mitre-attack-pattern=[]
MISP event uuid: 955d2000-1779-4eef-85e8-245ce2a74d15
Trend Micro
One Man, One AI, One Fake Persona: Inside the 5-Year Influence and Fraud βPatriot Baitβ Campaign
A solo Russian-speaking threat actor ran a 5-year Telegram channel and, starting September 2025, used AI to automate its content, credential theft, and a cryptocurrency fraud scheme targeting American audiences.
πTitle: KerjaExpress Campaign - Android Banking Trojan Targeting Malaysian Financial Institutions
π Date: 2026-05-23
πReferences:
πRectifyq Taxonomies:
Relevancy: π΄ Highly Relevant
Category: β Threat
β’ sub-category="campaign-analysis"
β’ topic="mobile-attack"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ sector="Finance"
β’ target-information="Malaysia"
mitre-attack-pattern=['T1476', 'T1437', 'T1406', 'T1660', 'T1453', 'T1636.002', 'T1412', 'T1512', 'T1429', 'T1417.001', 'T1430', 'T1657']
MISP event uuid: 375deb1c-52ff-499f-a96e-6229a2ed4673
π Date: 2026-05-23
πReferences:
πRectifyq Taxonomies:
Relevancy: π΄ Highly Relevant
Category: β Threat
β’ sub-category="campaign-analysis"
β’ topic="mobile-attack"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ sector="Finance"
β’ target-information="Malaysia"
mitre-attack-pattern=['T1476', 'T1437', 'T1406', 'T1660', 'T1453', 'T1636.002', 'T1412', 'T1512', 'T1429', 'T1417.001', 'T1430', 'T1657']
MISP event uuid: 375deb1c-52ff-499f-a96e-6229a2ed4673
πTitle: Exploitation of KnowledgeDeliver via ViewState Deserialization Vulnerability
π Date: 2026-05-26
πReferences:
https://cloud.google.com/blog/topics/threat-intelligence/knowledgedeliver-viewstate-deserialization-vulnerability
πRectifyq Taxonomies:
Relevancy: β« Not Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="intrusion-analysis"
β’ target="targeted"
β’ samples-found-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Mandiant"
β’ target-information="Japan"
mitre-attack-pattern=['T1036.005', 'T1204.002', 'T1566.002', 'T1222.001', 'T1082', 'T1106', 'T1190', 'T1070.006', 'T1505.003', 'T1087', 'T1083', 'T1057', 'T1059.001', 'T1547.001', 'T1027.005', 'T1068', 'T1027', 'T1573', 'T1059.003', 'T1071.001']
MISP event uuid: 7d11ee85-edb4-4c0d-8857-1c31a3bbf632
π Date: 2026-05-26
πReferences:
https://cloud.google.com/blog/topics/threat-intelligence/knowledgedeliver-viewstate-deserialization-vulnerability
πRectifyq Taxonomies:
Relevancy: β« Not Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="intrusion-analysis"
β’ target="targeted"
β’ samples-found-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Mandiant"
β’ target-information="Japan"
mitre-attack-pattern=['T1036.005', 'T1204.002', 'T1566.002', 'T1222.001', 'T1082', 'T1106', 'T1190', 'T1070.006', 'T1505.003', 'T1087', 'T1083', 'T1057', 'T1059.001', 'T1547.001', 'T1027.005', 'T1068', 'T1027', 'T1573', 'T1059.003', 'T1071.001']
MISP event uuid: 7d11ee85-edb4-4c0d-8857-1c31a3bbf632
Google Cloud Blog
Exploitation of KnowledgeDeliver via ViewState Deserialization Vulnerability | Google Cloud Blog
πTitle: Laravel Lang Compromised with RCE Backdoor Across 700+ Versions
π Date: 2026-05-23
πReferences:
https://socket.dev/blog/laravel-lang-compromise
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ topic="supply-chain"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="37ebf9d7-5e9a-466f-a42c-6e60313db868"
mitre-attack-pattern=['T1552.005', 'T1555.001', 'T1573.001', 'T1555.005', 'T1552.002', 'T1082', 'T1140', 'T1555.003', 'T1552.004', 'T1078.001', 'T1083', 'T1552.001', 'T1552.006', 'T1059.004', 'T1027', 'T1195.002', 'T1071.001', 'T1078.004', 'T1552.007']
MISP event uuid: 9fd4e771-9d30-4b3d-bdc9-9f5c6fa70541
π Date: 2026-05-23
πReferences:
https://socket.dev/blog/laravel-lang-compromise
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ topic="supply-chain"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="37ebf9d7-5e9a-466f-a42c-6e60313db868"
mitre-attack-pattern=['T1552.005', 'T1555.001', 'T1573.001', 'T1555.005', 'T1552.002', 'T1082', 'T1140', 'T1555.003', 'T1552.004', 'T1078.001', 'T1083', 'T1552.001', 'T1552.006', 'T1059.004', 'T1027', 'T1195.002', 'T1071.001', 'T1078.004', 'T1552.007']
MISP event uuid: 9fd4e771-9d30-4b3d-bdc9-9f5c6fa70541
Socket
Laravel Lang Compromised with RCE Backdoor Across 700+ Versi...
Laravel Lang packages were compromised with an RCE backdoor across hundreds of versions, exposing cloud, CI/CD, and developer secrets.
πTitle: From edge appliance to enterprise compromise: Multi-stage Linux intrusion via F5 and Confluence
π Date: 2026-05-22
πReferences:
https://www.microsoft.com/en-us/security/blog/2026/05/22/from-edge-appliance-to-enterprise-compromise-multi-stage-linux-intrusion-via-f5-and-confluence/
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="from-original-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="intrusion-analysis"
β’ topic="cloud"
β’ target="targeted"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Microsoft"
mitre-attack-pattern=['T1557', 'T1222.002', 'T1021.004', 'T1071', 'T1005', 'T1190', 'T1083', 'T1059.004', 'T1187', 'T1078.002', 'T1059.006', 'T1505', 'T1105', 'T1043']
MISP event uuid: fd752467-0d11-47e9-a740-deaf9985264d
π Date: 2026-05-22
πReferences:
https://www.microsoft.com/en-us/security/blog/2026/05/22/from-edge-appliance-to-enterprise-compromise-multi-stage-linux-intrusion-via-f5-and-confluence/
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="from-original-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="intrusion-analysis"
β’ topic="cloud"
β’ target="targeted"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Microsoft"
mitre-attack-pattern=['T1557', 'T1222.002', 'T1021.004', 'T1071', 'T1005', 'T1190', 'T1083', 'T1059.004', 'T1187', 'T1078.002', 'T1059.006', 'T1505', 'T1105', 'T1043']
MISP event uuid: fd752467-0d11-47e9-a740-deaf9985264d
Microsoft News
From edge appliance to enterprise compromise: Multi-stage Linux intrusion via F5 and Confluence
A multi-stage attack on Linux devices began with an exposed F5 BIG-IP edge appliance and pivoted to an internal Confluence server for credential theft and identity compromise. Learn how the threat actor attempted Kerberos relay and lateral movement, and howβ¦
πTitle: Fast and Furious - Nimbus Manticore Operations During the Iranian Conflict
π Date: 2026-05-22
πReferences:
https://research.checkpoint.com/2026/fast-and-furious-nimbus-manticore-operations-during-the-iranian-conflict/
πRectifyq Taxonomies:
Relevancy: β« Not Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ topic="geopolitical"
β’ TA-category="APT"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Check Point"
β’ target-information="United States"
β’ target-information="Australia"
β’ target-information="Saudi Arabia"
β’ target-information="Israel"
β’ target-information="United Arab Emirates"
β’ threat-actor="UNC1549"
β’ country="iran"
mitre-attack-pattern=['T1053.005', 'T1033', 'T1132.001', 'T1036.005', 'T1204.002', 'T1573.001', 'T1566.002', 'T1566.001', 'T1082', 'T1106', 'T1140', 'T1083', 'T1057', 'T1041', 'T1027', 'T1059.003', 'T1189', 'T1071.001', 'T1574.002', 'T1105']
MISP event uuid: 5795b1d1-efb3-404b-91f4-3cc22a56ccd9
π Date: 2026-05-22
πReferences:
https://research.checkpoint.com/2026/fast-and-furious-nimbus-manticore-operations-during-the-iranian-conflict/
πRectifyq Taxonomies:
Relevancy: β« Not Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ topic="geopolitical"
β’ TA-category="APT"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Check Point"
β’ target-information="United States"
β’ target-information="Australia"
β’ target-information="Saudi Arabia"
β’ target-information="Israel"
β’ target-information="United Arab Emirates"
β’ threat-actor="UNC1549"
β’ country="iran"
mitre-attack-pattern=['T1053.005', 'T1033', 'T1132.001', 'T1036.005', 'T1204.002', 'T1573.001', 'T1566.002', 'T1566.001', 'T1082', 'T1106', 'T1140', 'T1083', 'T1057', 'T1041', 'T1027', 'T1059.003', 'T1189', 'T1071.001', 'T1574.002', 'T1105']
MISP event uuid: 5795b1d1-efb3-404b-91f4-3cc22a56ccd9
Check Point Research
Fast and Furious - Nimbus Manticore Operations During the Iranian Conflict - Check Point Research
Key Findings Introduction During the recent geopolitical tensions in the Middle East, we reported on multiple Iran-nexus threat actors advancing Iranβs strategic objectives through cyber operations. These activities included targeting internet-connected camerasβ¦
πTitle: Tracking Iranian APT Screening Serpensβ 2026 Espionage Campaigns
π Date: 2026-05-22
πReferences:
https://unit42.paloaltonetworks.com/tracking-iran-apt-screening-serpens/
πRectifyq Taxonomies:
Relevancy: β« Not Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="TA-profile"
β’ topic="geopolitical"
β’ TA-category="APT"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Palo Alto"
β’ target-information="United States"
β’ target-information="Israel"
β’ target-information="United Arab Emirates"
β’ country="iran"
β’ threat-actor="UNC1549"
mitre-attack-pattern=['T1053.005', 'T1036.005', 'T1204.002', 'T1566.001', 'T1082', 'T1106', 'T1140', 'T1055', 'T1218', 'T1083', 'T1036.004', 'T1057', 'T1041', 'T1547.001', 'T1562.001', 'T1027', 'T1059.003', 'T1070.004', 'T1071.001', 'T1574.002']
MISP event uuid: cbfd6ef2-719f-4544-af73-580b5f764c5c
π Date: 2026-05-22
πReferences:
https://unit42.paloaltonetworks.com/tracking-iran-apt-screening-serpens/
πRectifyq Taxonomies:
Relevancy: β« Not Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="TA-profile"
β’ topic="geopolitical"
β’ TA-category="APT"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Palo Alto"
β’ target-information="United States"
β’ target-information="Israel"
β’ target-information="United Arab Emirates"
β’ country="iran"
β’ threat-actor="UNC1549"
mitre-attack-pattern=['T1053.005', 'T1036.005', 'T1204.002', 'T1566.001', 'T1082', 'T1106', 'T1140', 'T1055', 'T1218', 'T1083', 'T1036.004', 'T1057', 'T1041', 'T1547.001', 'T1562.001', 'T1027', 'T1059.003', 'T1070.004', 'T1071.001', 'T1574.002']
MISP event uuid: cbfd6ef2-719f-4544-af73-580b5f764c5c
Unit 42
Tracking Iranian APT Screening Serpensβ 2026 Espionage Campaigns
Unit 42 details Screening Serpens' use of AppDomainManager hijacking and new RAT variants to target tech and defense sectors in recent campaigns.
πTitle: Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload
π Date: 2026-05-22
πReferences:
https://securelist.com/cloud-atlas-2026/119895/
πRectifyq Taxonomies:
Relevancy: β« Not Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="TA-profile"
β’ TA-category="APT"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Kaspersky"
β’ target-information="Belarus"
β’ target-information="Russia"
β’ threat-actor="Inception Framework"
β’ sector="Diplomacy"
β’ sector="Government, Administration"
mitre-attack-pattern=['T1003.002', 'T1074.001', 'T1087.002', 'T1204.002', 'T1566.001', 'T1005', 'T1140', 'T1055', 'T1572', 'T1090', 'T1482', 'T1059.001', 'T1547.001', 'T1078', 'T1027', 'T1573', 'T1071.001', 'T1018', 'T1021.001', 'T1558.003']
MISP event uuid: 7f23650f-d187-4f77-8965-5a32f48fdd80
π Date: 2026-05-22
πReferences:
https://securelist.com/cloud-atlas-2026/119895/
πRectifyq Taxonomies:
Relevancy: β« Not Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="TA-profile"
β’ TA-category="APT"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Kaspersky"
β’ target-information="Belarus"
β’ target-information="Russia"
β’ threat-actor="Inception Framework"
β’ sector="Diplomacy"
β’ sector="Government, Administration"
mitre-attack-pattern=['T1003.002', 'T1074.001', 'T1087.002', 'T1204.002', 'T1566.001', 'T1005', 'T1140', 'T1055', 'T1572', 'T1090', 'T1482', 'T1059.001', 'T1547.001', 'T1078', 'T1027', 'T1573', 'T1071.001', 'T1018', 'T1021.001', 'T1558.003']
MISP event uuid: 7f23650f-d187-4f77-8965-5a32f48fdd80
πTitle: RemotePE: The Lazarus RAT that lives in memory
π Date: 2026-05-25
πReferences:
https://blog.fox-it.com/2026/05/22/remotepe-the-lazarus-rat-that-lives-in-memory/
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="from-original-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="malware-analysis"
β’ TA-category="APT"
β’ target="broad-based"
β’ samples-found-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ threat-actor="Lazarus Group"
mitre-attack-pattern=['T1543.003', 'T1082', 'T1106', 'T1005', 'T1140', 'T1055', 'T1560', 'T1562.006', 'T1083', 'T1036.004', 'T1497', 'T1057', 'T1562.001', 'T1027', 'T1573', 'T1132', 'T1027.002', 'T1071.001', 'T1574.002', 'T1480.001']
MISP event uuid: 97638d90-a35a-4490-80dd-f2e3d548c42e
π Date: 2026-05-25
πReferences:
https://blog.fox-it.com/2026/05/22/remotepe-the-lazarus-rat-that-lives-in-memory/
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="from-original-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="malware-analysis"
β’ TA-category="APT"
β’ target="broad-based"
β’ samples-found-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ threat-actor="Lazarus Group"
mitre-attack-pattern=['T1543.003', 'T1082', 'T1106', 'T1005', 'T1140', 'T1055', 'T1560', 'T1562.006', 'T1083', 'T1036.004', 'T1497', 'T1057', 'T1562.001', 'T1027', 'T1573', 'T1132', 'T1027.002', 'T1071.001', 'T1574.002', 'T1480.001']
MISP event uuid: 97638d90-a35a-4490-80dd-f2e3d548c42e
Fox-IT International blog
RemotePE: The Lazarus RAT that lives in memory
Authors: Yun Zheng Hu and Mick Koomen Summary Last year, we published research1 about a North Korean Lazarus subgroup targeting financial and cryptocurrency organizations, encountered during multipβ¦
Rectifyq Cybersecurity News π²πΎ pinned Β«πTitle: Premium Deception: Uncovering a Global Android Carrier Billing Fraud Campaign π
Date: 2026-05-20 πReferences: https://zimperium.com/blog/premium-deception-uncovering-a-global-android-carrier-billing-fraud-campaign πRectifyq Taxonomies: Relevancy:β¦Β»
Rectifyq Cybersecurity News π²πΎ pinned Β«πTitle: KerjaExpress Campaign - Android Banking Trojan Targeting Malaysian Financial Institutions π
Date: 2026-05-23 πReferences: πRectifyq Taxonomies: Relevancy: π΄ Highly Relevant Category: β Threat β’ sub-category="campaign-analysis" β’ topic="mobile-attack"β¦Β»
πTitle: MTNew-v3Campaign Advanced Banking Trojan Targeting Malaysian Financial Sector
π Date: 2026-05-24
πReferences:
πRectifyq Taxonomies:
Relevancy: π΄ Highly Relevant
Category: β Threat
β’ sub-category="malware-analysis"
β’ topic="mobile-attack"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ target-information="Malaysia"
β’ sector="Finance"
mitre-attack-pattern=['T1660', 'T1476', 'T1406.002', 'T1437', 'T1437.001', 'T1406', 'T1417.001', 'T1412', 'T1513', 'T1429', 'T1446']
MISP event uuid: c3e3d1a1-2a9e-420d-b8f0-16a801149af0
π Date: 2026-05-24
πReferences:
πRectifyq Taxonomies:
Relevancy: π΄ Highly Relevant
Category: β Threat
β’ sub-category="malware-analysis"
β’ topic="mobile-attack"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ target-information="Malaysia"
β’ sector="Finance"
mitre-attack-pattern=['T1660', 'T1476', 'T1406.002', 'T1437', 'T1437.001', 'T1406', 'T1417.001', 'T1412', 'T1513', 'T1429', 'T1446']
MISP event uuid: c3e3d1a1-2a9e-420d-b8f0-16a801149af0
πTitle: MaxTag Malware Family
π Date: 2026-05-25
πReferences:
πRectifyq Taxonomies:
Relevancy: π΄ Highly Relevant
Category: β Threat
β’ sub-category="malware-analysis"
β’ topic="mobile-attack"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ target-information="Malaysia"
β’ sector="Finance"
mitre-attack-pattern=['T1429', 'T1412', 'T1417', 'T1516', 'T1411', 'T1461', 'T1444', 'T1406', 'T1582', 'T1603', 'T1513', 'T1481']
MISP event uuid: dcc49ea4-0a45-434b-ad1e-44d68b14b954
π Date: 2026-05-25
πReferences:
πRectifyq Taxonomies:
Relevancy: π΄ Highly Relevant
Category: β Threat
β’ sub-category="malware-analysis"
β’ topic="mobile-attack"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ target-information="Malaysia"
β’ sector="Finance"
mitre-attack-pattern=['T1429', 'T1412', 'T1417', 'T1516', 'T1411', 'T1461', 'T1444', 'T1406', 'T1582', 'T1603', 'T1513', 'T1481']
MISP event uuid: dcc49ea4-0a45-434b-ad1e-44d68b14b954
πTitle: The GHOST STADIUM Score: Billions At Stake At The Worldβs Largest Football Tournament
π Date: 2026-05-27
πReferences:
https://www.group-ib.com/blog/ghost-stadium-football-fraud/
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="TA-profile"
β’ sub-category="campaign-analysis"
β’ TA-category="Cybercrime"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Group-IB"
β’ target-information="United States"
β’ target-information="Argentina"
β’ target-information="Brazil"
β’ target-information="Canada"
β’ target-information="Colombia"
β’ target-information="Mexico"
mitre-attack-pattern=['T1056.001', 'T1539', 'T1588.004', 'T1566.002', 'T1598.003', 'T1586.002', 'T1583.001', 'T1185', 'T1555.003', 'T1003.001', 'T1102', 'T1566', 'T1078', 'T1585.001', 'T1027', 'T1573', 'T1598', 'T1189', 'T1071.001', 'T1590.001']
MISP event uuid: e4437cb1-34ec-4e07-b01f-92303168362f
π Date: 2026-05-27
πReferences:
https://www.group-ib.com/blog/ghost-stadium-football-fraud/
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="TA-profile"
β’ sub-category="campaign-analysis"
β’ TA-category="Cybercrime"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Group-IB"
β’ target-information="United States"
β’ target-information="Argentina"
β’ target-information="Brazil"
β’ target-information="Canada"
β’ target-information="Colombia"
β’ target-information="Mexico"
mitre-attack-pattern=['T1056.001', 'T1539', 'T1588.004', 'T1566.002', 'T1598.003', 'T1586.002', 'T1583.001', 'T1185', 'T1555.003', 'T1003.001', 'T1102', 'T1566', 'T1078', 'T1585.001', 'T1027', 'T1573', 'T1598', 'T1189', 'T1071.001', 'T1590.001']
MISP event uuid: e4437cb1-34ec-4e07-b01f-92303168362f
Group-IB
The GHOST STADIUM Score: Billions At Stake At The Worldβs Largest Football Tournament
With the 2026 FIFA World Cup just weeks away, Group-IB researchers have uncovered six distinct fraud schemes, four independent threat actors, and over 4,300 fraudulent domains impersonating FIFA's official web presence β including a sophisticated phishingβ¦
πTitle: From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities
π Date: 2026-05-26
πReferences:
https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ topic="crypto-related"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Microsoft"
mitre-attack-pattern=['T1053.005', 'T1036.005', 'T1497.001', 'T1082', 'T1218.007', 'T1140', 'T1219', 'T1547.009', 'T1497.003', 'T1112', 'T1059.001', 'T1547.001', 'T1562.001', 'T1055.012', 'T1027', 'T1573', 'T1189', 'T1071.001', 'T1574.002', 'T1105']
MISP event uuid: 375002f5-d1e7-4371-93ed-5a833e8595b0
π Date: 2026-05-26
πReferences:
https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ topic="crypto-related"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Microsoft"
mitre-attack-pattern=['T1053.005', 'T1036.005', 'T1497.001', 'T1082', 'T1218.007', 'T1140', 'T1219', 'T1547.009', 'T1497.003', 'T1112', 'T1059.001', 'T1547.001', 'T1562.001', 'T1055.012', 'T1027', 'T1573', 'T1189', 'T1071.001', 'T1574.002', 'T1105']
MISP event uuid: 375002f5-d1e7-4371-93ed-5a833e8595b0
Microsoft News
From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities
Microsoft exposes a cryptojacking campaign using SEO poisoning and ScreenConnect to target high-performance PCs, with malicious sites also surfaced through AI chatbots.
πTitle: Smart Contracts for C&C: How ClearFake Hid in Plain Sight on BSC Testnet
π Date: 2026-05-26
πReferences:
https://www.trendmicro.com/en_us/research/26/e/smart-contracts-for-command-and-control.html
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ topic="web3"
β’ topic="crypto-related"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Trend Micro"
β’ target-information="Switzerland"
β’ malpedia="SectopRAT"
mitre-attack-pattern=['T1539', 'T1036.005', 'T1204.002', 'T1497.001', 'T1140', 'T1185', 'T1555.003', 'T1055.002', 'T1102', 'T1059.001', 'T1055.012', 'T1027', 'T1012', 'T1518.001', 'T1059.006', 'T1189', 'T1071.001', 'T1105', 'T1056.004']
MISP event uuid: ead1cc2e-5a16-47f9-b9e0-6e8cd5ff1dfc
π Date: 2026-05-26
πReferences:
https://www.trendmicro.com/en_us/research/26/e/smart-contracts-for-command-and-control.html
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ topic="web3"
β’ topic="crypto-related"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Trend Micro"
β’ target-information="Switzerland"
β’ malpedia="SectopRAT"
mitre-attack-pattern=['T1539', 'T1036.005', 'T1204.002', 'T1497.001', 'T1140', 'T1185', 'T1555.003', 'T1055.002', 'T1102', 'T1059.001', 'T1055.012', 'T1027', 'T1012', 'T1518.001', 'T1059.006', 'T1189', 'T1071.001', 'T1105', 'T1056.004']
MISP event uuid: ead1cc2e-5a16-47f9-b9e0-6e8cd5ff1dfc
Trend Micro
Smart Contracts for C&C: How ClearFake Hid in Plain Sight on BSC Testnet
TrendAIβ’ Research analyzed an intrusion where threat actors used the EtherHiding technique to route ClearFake payload delivery through smart contracts on the BNB Smart Chain testnet. The attack chain ended with two simultaneously deployed stealers, SectopRATβ¦
πTitle: Phishing Campaign Deploys JavaScript-Driven PureLogs Variant to Steal Sensitive Data
π Date: 2026-05-26
πReferences:
https://www.fortinet.com/blog/threat-research/phishing-campaign-deploys-javascript-driven-purelogs-variant-to-steal-sensitive-data
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ target="broad-based"
β’ topic="crypto-related"
β’ samples-found-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Fortinet"
β’ malpedia="PureLogs Stealer"
mitre-attack-pattern=['T1113', 'T1033', 'T1218.011', 'T1059.007', 'T1539', 'T1566.001', 'T1115', 'T1082', 'T1005', 'T1140', 'T1555', 'T1055', 'T1218', 'T1555.003', 'T1041', 'T1059.001', 'T1566', 'T1055.012', 'T1027', 'T1573', 'T1027.002', 'T1071.001', 'T1105']
MISP event uuid: 75c62da8-6ae9-45ed-bdaa-1558105b9bf4
π Date: 2026-05-26
πReferences:
https://www.fortinet.com/blog/threat-research/phishing-campaign-deploys-javascript-driven-purelogs-variant-to-steal-sensitive-data
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ target="broad-based"
β’ topic="crypto-related"
β’ samples-found-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Fortinet"
β’ malpedia="PureLogs Stealer"
mitre-attack-pattern=['T1113', 'T1033', 'T1218.011', 'T1059.007', 'T1539', 'T1566.001', 'T1115', 'T1082', 'T1005', 'T1140', 'T1555', 'T1055', 'T1218', 'T1555.003', 'T1041', 'T1059.001', 'T1566', 'T1055.012', 'T1027', 'T1573', 'T1027.002', 'T1071.001', 'T1105']
MISP event uuid: 75c62da8-6ae9-45ed-bdaa-1558105b9bf4
Fortinet Blog
Phishing Campaign Deploys JavaScript-Driven PureLogs Variant to Steal Sensitive Data
FortiGuard Labs analyzed a new phishing campaign that uses obfuscated JavaScript, PowerShell, process hollowing, and PureLogs to steal sensitive dataβ¦
πTitle: Pinduoduo (ζΌε€ε€) Android APK Static Analysis & Verdict
π Date: 2026-05-27
πReferences:
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ sub-category="malware-analysis"
β’ topic="mobile-attack"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
mitre-attack-pattern=['T1437', 'T1544', 'T1521', 'T1417', 'T1430', 'T1429', 'T1424', 'T1406', 'T1512', 'T1636.003']
MISP event uuid: 9c3282c7-b7dd-4fcd-bb2f-427f58b9f7b8
π Date: 2026-05-27
πReferences:
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ sub-category="malware-analysis"
β’ topic="mobile-attack"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
mitre-attack-pattern=['T1437', 'T1544', 'T1521', 'T1417', 'T1430', 'T1429', 'T1424', 'T1406', 'T1512', 'T1636.003']
MISP event uuid: 9c3282c7-b7dd-4fcd-bb2f-427f58b9f7b8