Title: Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns
Date: 2026-05-22
References:
https://unit42.paloaltonetworks.com/tracking-iran-apt-screening-serpens/
Rectifyq Taxonomies:
Relevancy: ⚫ Not Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="TA-profile"
• topic="geopolitical"
• TA-category="APT"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Palo Alto"
• target-information="United States"
• target-information="Israel"
• target-information="United Arab Emirates"
• country="iran"
• threat-actor="UNC1549"
mitre-attack-pattern=['T1053.005', 'T1036.005', 'T1204.002', 'T1566.001', 'T1082', 'T1106', 'T1140', 'T1055', 'T1218', 'T1083', 'T1036.004', 'T1057', 'T1041', 'T1547.001', 'T1562.001', 'T1027', 'T1059.003', 'T1070.004', 'T1071.001', 'T1574.002']
MISP event uuid: cbfd6ef2-719f-4544-af73-580b5f764c5c
Unit 42
Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns
Unit 42 details Screening Serpens' use of AppDomainManager hijacking and new RAT variants to target tech and defense sectors in recent campaigns.
Title: Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload
Date: 2026-05-22
References:
https://securelist.com/cloud-atlas-2026/119895/
Rectifyq Taxonomies:
Relevancy: ⚫ Not Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="TA-profile"
• TA-category="APT"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Kaspersky"
• target-information="Belarus"
• target-information="Russia"
• threat-actor="Inception Framework"
• sector="Diplomacy"
• sector="Government, Administration"
mitre-attack-pattern=['T1003.002', 'T1074.001', 'T1087.002', 'T1204.002', 'T1566.001', 'T1005', 'T1140', 'T1055', 'T1572', 'T1090', 'T1482', 'T1059.001', 'T1547.001', 'T1078', 'T1027', 'T1573', 'T1071.001', 'T1018', 'T1021.001', 'T1558.003']
MISP event uuid: 7f23650f-d187-4f77-8965-5a32f48fdd80
Title: RemotePE: The Lazarus RAT that lives in memory
Date: 2026-05-25
References:
https://blog.fox-it.com/2026/05/22/remotepe-the-lazarus-rat-that-lives-in-memory/
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="from-original-src"
• mitre-att&ck="from-OTX"
• sub-category="malware-analysis"
• TA-category="APT"
• target="broad-based"
• samples-found-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• threat-actor="Lazarus Group"
mitre-attack-pattern=['T1543.003', 'T1082', 'T1106', 'T1005', 'T1140', 'T1055', 'T1560', 'T1562.006', 'T1083', 'T1036.004', 'T1497', 'T1057', 'T1562.001', 'T1027', 'T1573', 'T1132', 'T1027.002', 'T1071.001', 'T1574.002', 'T1480.001']
MISP event uuid: 97638d90-a35a-4490-80dd-f2e3d548c42e
Fox-IT International blog
RemotePE: The Lazarus RAT that lives in memory
Authors: Yun Zheng Hu and Mick Koomen. Summary: Last year, we published research about a North Korean Lazarus subgroup targeting financial and cryptocurrency organizations, encountered during multip…
Title: MTNew-v3 Campaign: Advanced Banking Trojan Targeting Malaysian Financial Sector
Date: 2026-05-24
References:
Rectifyq Taxonomies:
Relevancy: 🔴 Highly Relevant
Category: Threat
• sub-category="malware-analysis"
• topic="mobile-attack"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• target-information="Malaysia"
• sector="Finance"
mitre-attack-pattern=['T1660', 'T1476', 'T1406.002', 'T1437', 'T1437.001', 'T1406', 'T1417.001', 'T1412', 'T1513', 'T1429', 'T1446']
MISP event uuid: c3e3d1a1-2a9e-420d-b8f0-16a801149af0
Title: MaxTag Malware Family
Date: 2026-05-25
References:
Rectifyq Taxonomies:
Relevancy: 🔴 Highly Relevant
Category: Threat
• sub-category="malware-analysis"
• topic="mobile-attack"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• target-information="Malaysia"
• sector="Finance"
mitre-attack-pattern=['T1429', 'T1412', 'T1417', 'T1516', 'T1411', 'T1461', 'T1444', 'T1406', 'T1582', 'T1603', 'T1513', 'T1481']
MISP event uuid: dcc49ea4-0a45-434b-ad1e-44d68b14b954
Title: The GHOST STADIUM Score: Billions At Stake At The World’s Largest Football Tournament
Date: 2026-05-27
References:
https://www.group-ib.com/blog/ghost-stadium-football-fraud/
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="TA-profile"
• sub-category="campaign-analysis"
• TA-category="Cybercrime"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Group-IB"
• target-information="United States"
• target-information="Argentina"
• target-information="Brazil"
• target-information="Canada"
• target-information="Colombia"
• target-information="Mexico"
mitre-attack-pattern=['T1056.001', 'T1539', 'T1588.004', 'T1566.002', 'T1598.003', 'T1586.002', 'T1583.001', 'T1185', 'T1555.003', 'T1003.001', 'T1102', 'T1566', 'T1078', 'T1585.001', 'T1027', 'T1573', 'T1598', 'T1189', 'T1071.001', 'T1590.001']
MISP event uuid: e4437cb1-34ec-4e07-b01f-92303168362f
Group-IB
The GHOST STADIUM Score: Billions At Stake At The World’s Largest Football Tournament
With the 2026 FIFA World Cup just weeks away, Group-IB researchers have uncovered six distinct fraud schemes, four independent threat actors, and over 4,300 fraudulent domains impersonating FIFA's official web presence — including a sophisticated phishing…
Title: From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities
Date: 2026-05-26
References:
https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="crypto-related"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Microsoft"
mitre-attack-pattern=['T1053.005', 'T1036.005', 'T1497.001', 'T1082', 'T1218.007', 'T1140', 'T1219', 'T1547.009', 'T1497.003', 'T1112', 'T1059.001', 'T1547.001', 'T1562.001', 'T1055.012', 'T1027', 'T1573', 'T1189', 'T1071.001', 'T1574.002', 'T1105']
MISP event uuid: 375002f5-d1e7-4371-93ed-5a833e8595b0
Microsoft News
From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities
Microsoft exposes a cryptojacking campaign using SEO poisoning and ScreenConnect to target high-performance PCs, with malicious sites also surfaced through AI chatbots.
Title: Smart Contracts for C&C: How ClearFake Hid in Plain Sight on BSC Testnet
Date: 2026-05-26
References:
https://www.trendmicro.com/en_us/research/26/e/smart-contracts-for-command-and-control.html
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="web3"
• topic="crypto-related"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Trend Micro"
• target-information="Switzerland"
• malpedia="SectopRAT"
mitre-attack-pattern=['T1539', 'T1036.005', 'T1204.002', 'T1497.001', 'T1140', 'T1185', 'T1555.003', 'T1055.002', 'T1102', 'T1059.001', 'T1055.012', 'T1027', 'T1012', 'T1518.001', 'T1059.006', 'T1189', 'T1071.001', 'T1105', 'T1056.004']
MISP event uuid: ead1cc2e-5a16-47f9-b9e0-6e8cd5ff1dfc
Trend Micro
Smart Contracts for C&C: How ClearFake Hid in Plain Sight on BSC Testnet
TrendAI™ Research analyzed an intrusion where threat actors used the EtherHiding technique to route ClearFake payload delivery through smart contracts on the BNB Smart Chain testnet. The attack chain ended with two simultaneously deployed stealers, SectopRAT…
Title: Phishing Campaign Deploys JavaScript-Driven PureLogs Variant to Steal Sensitive Data
Date: 2026-05-26
References:
https://www.fortinet.com/blog/threat-research/phishing-campaign-deploys-javascript-driven-purelogs-variant-to-steal-sensitive-data
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• target="broad-based"
• topic="crypto-related"
• samples-found-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Fortinet"
• malpedia="PureLogs Stealer"
mitre-attack-pattern=['T1113', 'T1033', 'T1218.011', 'T1059.007', 'T1539', 'T1566.001', 'T1115', 'T1082', 'T1005', 'T1140', 'T1555', 'T1055', 'T1218', 'T1555.003', 'T1041', 'T1059.001', 'T1566', 'T1055.012', 'T1027', 'T1573', 'T1027.002', 'T1071.001', 'T1105']
MISP event uuid: 75c62da8-6ae9-45ed-bdaa-1558105b9bf4
Fortinet Blog
Phishing Campaign Deploys JavaScript-Driven PureLogs Variant to Steal Sensitive Data
FortiGuard Labs analyzed a new phishing campaign that uses obfuscated JavaScript, PowerShell, process hollowing, and PureLogs to steal sensitive data…
Title: Pinduoduo (拼多多) Android APK Static Analysis & Verdict
Date: 2026-05-27
References:
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• sub-category="malware-analysis"
• topic="mobile-attack"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
mitre-attack-pattern=['T1437', 'T1544', 'T1521', 'T1417', 'T1430', 'T1429', 'T1424', 'T1406', 'T1512', 'T1636.003']
MISP event uuid: 9c3282c7-b7dd-4fcd-bb2f-427f58b9f7b8
Title: Windows and macOS Malware Spreads via Fake “Claude Code” Google Ads
Date: 2026-03-11
References:
https://www.bitdefender.com/en-us/blog/labs/fake-claude-code-google-ads-malware
Rectifyq Taxonomies:
Relevancy: 🟡 Somewhat Relevant
Category: Threat
• sub-category="campaign-analysis"
• topic="ai"
• target="broad-based"
• mitre-att&ck="none-from-src"
• samples-found-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• target-information="Malaysia"
• producer="Bitdefender"
mitre-attack-pattern=['T1170', 'T1218.005']
MISP event uuid: 19961acf-73c8-4594-8698-6294f9b2d5ca
Bitdefender
Windows and macOS Malware Spreads via Fake “Claude Code” Google Ads
Bitdefender has discovered a malicious Google Ads campaign targeting anyone searching for downloads related to Claude
Title: InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise
Date: 2026-05-05
References:
https://www.trendmicro.com/en_us/research/26/e/installfix-and-claude-code.html
Rectifyq Taxonomies:
Relevancy: 🔴 Highly Relevant
Category: Threat
• sub-category="malware-analysis"
• sub-category="campaign-analysis"
• target="broad-based"
• mitre-att&ck="from-original-src"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="x"
• action-taken="linkedin"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Trend Micro"
• target-information="Malaysia"
• target-information="Netherlands"
• target-information="Thailand"
• target-information="United States"
• sector="Education"
• sector="Electronic"
• sector="Food"
• sector="Government, Administration"
mitre-attack-pattern=['T1559.001', 'T1562', 'T1583.008', 'T1218.005', 'T1027', 'T1059.001', 'T1566.002', 'T1059.005']
MISP event uuid: e30b1a07-b830-46e2-bf69-e67eee29d4af
Trend Micro
InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise
Title: Exposing a Global Smishing Operation Across 19 Countries: Governments, Postal Services, and Telecoms Targeted
Date: 2026-05-27
References:
https://hunt.io/blog/massive-smishing-campaign-governments-postal-telecoms
Rectifyq Taxonomies:
Relevancy: ⚫ Not Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="mobile-attack"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Hunt.io"
• target-information="United States"
• target-information="Albania"
• target-information="Armenia"
• target-information="Bulgaria"
• target-information="Estonia"
• target-information="France"
• target-information="Georgia"
• target-information="Greece"
• target-information="Ireland"
• target-information="Kosovo"
• target-information="Latvia"
• target-information="Lithuania"
• target-information="North Macedonia"
• target-information="Montenegro"
• target-information="Romania"
• target-information="Slovenia"
• target-information="Spain"
• target-information="Trinidad and Tobago"
• target-information="United Kingdom"
mitre-attack-pattern=['T1583', 'T1204.002', 'T1566.002', 'T1598.003', 'T1586.002', 'T1608.001', 'T1583.001', 'T1560', 'T1090', 'T1584', 'T1586', 'T1102', 'T1608', 'T1583.006', 'T1204', 'T1041', 'T1566', 'T1078', 'T1598', 'T1213', 'T1584.001']
MISP event uuid: 36e75fd8-359f-4f84-8258-5f35cf8ed39b
hunt.io
Exposing a Global Smishing Operation Across 19 Countries: Governments, Postal Services, and Telecoms Targeted
Inside a coordinated smishing campaign targeting 19 countries across Europe, the Americas, and the Caucasus. 1,628 URLs, 32 IPs, one campaign fingerprint.
Title: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure
Date: 2026-05-27
References:
https://www.wiz.io/blog/threat-actors-target-crypto-orgs
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="crypto-related"
• target="broad-based"
• samples-found-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Wiz Blog"
mitre-attack-pattern=[]
MISP event uuid: 9672f16b-c5cd-4c1f-82fa-488daf2773c3
wiz.io
Threat Actor Targets Crypto Organizations | Wiz Blog
Threat actor, JINX-0164, uses LinkedIn social engineering, custom macOS malware, and CI/CD hijacking to target crypto organizations.
Title: A miner with a side of RAT: the unintended gift with your TV show or book
Date: 2026-05-28
References:
https://securelist.com/video-books-pirates-miners-rat/119943/
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="intrusion-analysis"
• sub-category="campaign-analysis"
• target="broad-based"
• TA-category="Cybercrime"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Kaspersky"
mitre-attack-pattern=['T1132.001', 'T1568.002', 'T1071.004', 'T1573.001', 'T1543.003', 'T1497.001', 'T1082', 'T1140', 'T1219', 'T1036', 'T1112', 'T1083', 'T1057', 'T1547.001', 'T1562.001', 'T1055.012', 'T1027', 'T1518.001', 'T1059.003', 'T1574.002', 'T1105']
MISP event uuid: 92c2564d-b7dd-46df-94ff-b63fa34fed48
Title: Typosquatted npm packages used to steal cloud and CI/CD secrets
Date: 2026-05-28
References:
https://www.microsoft.com/en-us/security/blog/2026/05/28/typosquatted-npm-packages-used-steal-cloud-ci-cd-secrets/
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="supply-chain"
• target="broad-based"
• topic="cloud"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Microsoft"
mitre-attack-pattern=['T1033', 'T1059.007', 'T1069.003', 'T1021.004', 'T1082', 'T1083', 'T1552.001', 'T1087.004', 'T1057', 'T1098', 'T1078', 'T1027', 'T1195.002', 'T1071.001', 'T1543.002', 'T1105', 'T1021.001', 'T1550.001', 'T1078.004', 'T1552.007']
MISP event uuid: 129b0e64-c241-431c-9742-ec756cbde228
Microsoft News
Typosquatted npm packages used to steal cloud and CI/CD secrets
The Mini Shai-Hulud campaign used malicious npm packages to target cloud and CI/CD credentials across developer environments. This report details the attack chain, detection opportunities, and mitigation guidance to help organizations identify and disrupt…
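The Microsoft summary describes typosquatted npm packages that harvest credentials from the developer environment at install time. As an added example (not code from Microsoft's report or from the Rectifyq feed), the audit below checks a project's dependencies for the two properties such a package tends to combine: a name one edit away from a popular package, and a lifecycle script that runs during `npm install`. The popular-package list, the trusted scope set, the package.json and the installed manifests are all constructed for the example.

```python
"""Added example: audit npm dependencies for likely typosquats and install hooks.
Not code from Microsoft's report; the popular-package list, package.json and
installed manifests below are constructed for the example.
"""

# Constructed stand-in for a real "most downloaded packages" list.
POPULAR = {"lodash", "express", "axios", "chalk", "commander", "debug",
           "minimist", "dotenv", "request", "colors"}
# Scopes whose packages legitimately reuse popular names (e.g. @types/express).
TRUSTED_SCOPES = {"@types"}
# Scripts npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions,
    so 'lodahs' is one step from 'lodash'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def split_scope(name: str) -> tuple:
    """'@scope/pkg' -> ('@scope', 'pkg'); 'pkg' -> (None, 'pkg')."""
    if name.startswith("@") and "/" in name:
        scope, base = name.split("/", 1)
        return scope, base
    return None, name


def typosquat_candidates(name: str, popular=POPULAR, max_distance: int = 1) -> list:
    """Popular packages this name imitates. A scoped copy of a popular name
    ('@evil/chalk') counts at distance 0 unless the scope is trusted."""
    scope, base = split_scope(name)
    if scope in TRUSTED_SCOPES or (scope is None and base in popular):
        return []
    return sorted(p for p in popular if osa_distance(base, p) <= max_distance)


def install_hooks(manifest: dict) -> dict:
    """Lifecycle scripts declared in an installed package's package.json."""
    scripts = manifest.get("scripts") or {}
    return {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}


def audit(project: dict, installed: dict) -> list:
    """Cross the project's dependencies with the manifests found under node_modules."""
    deps = {**project.get("dependencies", {}), **project.get("devDependencies", {})}
    findings = []
    for name in sorted(deps):
        looks_like = typosquat_candidates(name)
        hooks = install_hooks(installed.get(name, {}))
        if looks_like or hooks:
            findings.append({"package": name, "looks_like": looks_like, "install_hooks": hooks})
    return findings


# Constructed project manifest and node_modules/*/package.json contents.
PROJECT = {
    "dependencies": {"express": "^4.19.0", "lodahs": "4.17.21", "axios": "^1.6.0"},
    "devDependencies": {"@evil-scope/chalk": "5.3.0", "@types/express": "^4.17.21"},
}
INSTALLED = {
    "express": {"name": "express", "version": "4.19.2"},
    "axios": {"name": "axios", "version": "1.6.8"},
    "@types/express": {"name": "@types/express", "version": "4.17.21"},
    "lodahs": {"name": "lodahs", "version": "4.17.21",
               "scripts": {"postinstall": "node setup.js"}},
    "@evil-scope/chalk": {"name": "@evil-scope/chalk", "version": "5.3.0",
                          "scripts": {"preinstall": "node -e \"require('./s')\""}},
}

if __name__ == "__main__":
    for finding in audit(PROJECT, INSTALLED):
        print(finding)
```

A distance threshold of 1 keeps false positives low on short names; raise it only for names longer than about eight characters. An install hook on its own is not malicious (native add-ons build in `install`), so the combination of a near-miss name and a hook is the signal worth paging on, and `npm install --ignore-scripts` in CI removes the execution window while the finding is triaged.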
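Every record on this page uses the same Rectifyq layout (Title, Date, References, taxonomy bullets, a `mitre-attack-pattern` list and a closing MISP event uuid), and each record was posted twice. As an added example, not code from Rectifyq, the script below parses that layout into structured records, drops the duplicate copies by MISP uuid, and counts how many distinct reports mention each ATT&CK technique, emitting an ATT&CK Navigator layer. The feed text embedded in it is constructed (invented titles, URLs and UUIDs) in the same layout as the real records.

```python
"""Added example (not Rectifyq's code): parse records in the feed layout used
on this page, drop the duplicate copy each record carries, and count how many
reports mention each ATT&CK technique. The feed text below is constructed
(invented titles, URLs and UUIDs) in the same layout as the real records."""
import ast
import re
from collections import Counter

TAG_RE = re.compile(r'^•\s*([\w&.-]+)="([^"]*)"$')
TECH_RE = re.compile(r"^mitre-attack-pattern=(\[.*\])$")
UUID_RE = re.compile(r"^MISP event uuid:\s*([0-9a-f-]{36})$")
RELEVANCY_RE = re.compile(r"^Relevancy:\s*(?:[^\w\s]+\s*)?(\w.*)$")  # skips the colour dot

SAMPLE_FEED = """\
Title: Example Report A
Date: 2026-05-22
References:
https://example.invalid/report-a
Relevancy: 🔵 Potentially Relevant
• topic="supply-chain"
• producer="Example Vendor"
mitre-attack-pattern=['T1566.001', 'T1059.001', 'T1027']
MISP event uuid: 11111111-1111-4111-8111-111111111111
Date: 2026-05-22
References:
https://example.invalid/report-a
Relevancy: 🔵 Potentially Relevant
• topic="supply-chain"
• producer="Example Vendor"
mitre-attack-pattern=['T1566.001', 'T1059.001', 'T1027']
MISP event uuid: 11111111-1111-4111-8111-111111111111
Title: Example Report B
Date: 2026-05-24
References:
Relevancy: 🔴 Highly Relevant
• topic="mobile-attack"
• target-information="Malaysia"
mitre-attack-pattern=['T1437.001', 'T1417.001']
MISP event uuid: 22222222-2222-4222-8222-222222222222
Title: Example Report C
Date: 2026-05-28
References:
https://example.invalid/report-c
Relevancy: 🔵 Potentially Relevant
• topic="cloud"
• producer="Example Vendor"
mitre-attack-pattern=['T1059.001', 'T1027', 'T1105']
MISP event uuid: 33333333-3333-4333-8333-333333333333
"""


def new_record() -> dict:
    return {"title": None, "date": None, "relevancy": None, "references": [], "tags": [], "techniques": [], "uuid": None}


def parse_feed(text: str) -> list:
    """A record closes at its 'MISP event uuid:' line; the duplicate copy has no Title."""
    records, cur = [], new_record()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Title:"):
            cur["title"] = line[len("Title:"):].strip()
        elif line.startswith("Date:"):
            cur["date"] = line[len("Date:"):].strip()
        elif line.startswith(("http://", "https://")):
            cur["references"].append(line)
        elif (m := RELEVANCY_RE.match(line)):
            cur["relevancy"] = m.group(1)
        elif (m := TAG_RE.match(line)):
            cur["tags"].append((m.group(1), m.group(2)))
        elif (m := TECH_RE.match(line)):
            cur["techniques"] = list(ast.literal_eval(m.group(1)))
        elif (m := UUID_RE.match(line)):
            cur["uuid"] = m.group(1)
            records.append(cur)
            cur = new_record()
    return records


def dedupe(records: list) -> list:
    """Keep the first copy per MISP uuid, which is the one carrying the title."""
    by_uuid = {}
    for rec in records:
        by_uuid.setdefault(rec["uuid"], rec)
    return list(by_uuid.values())


def without_tag(records: list, key: str, value: str) -> list:
    return [r for r in records if (key, value) not in r["tags"]]


def technique_frequency(records: list) -> Counter:
    """Number of distinct reports mentioning each technique ID."""
    freq = Counter()
    for rec in records:
        freq.update(set(rec["techniques"]))
    return freq


def navigator_layer(freq: Counter, name: str = "Rectifyq weekly") -> dict:
    """ATT&CK Navigator layer (one score per technique). Records tagged
    topic="mobile-attack" use mobile-attack IDs and need their own layer."""
    return {"name": name, "versions": {"layer": "4.5"}, "domain": "enterprise-attack",
            "techniques": [{"techniqueID": t, "score": n} for t, n in sorted(freq.items())]}


if __name__ == "__main__":
    enterprise = without_tag(dedupe(parse_feed(SAMPLE_FEED)), "topic", "mobile-attack")
    print(navigator_layer(technique_frequency(enterprise)))
```

Counting each technique once per report, rather than once per occurrence, is deliberate: the score then answers "how many of this week's reports involve T1059.001?", which is the question a detection-engineering backlog is prioritised on. Records tagged `mitre-att&ck="from-OTX"` carry technique lists pulled from OTX rather than from the source report, so weight those lower if the layer drives resourcing decisions.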