Rectifyq Cybersecurity News 🇲🇾 pinned «Title: KerjaExpress Campaign - Android Banking Trojan Targeting Malaysian Financial Institutions
Date: 2026-05-23 References: Rectifyq Taxonomies: Relevancy: 🔴 Highly Relevant Category: Threat • sub-category="campaign-analysis" • topic="mobile-attack"…»
Title: MTNew-v3Campaign Advanced Banking Trojan Targeting Malaysian Financial Sector
Date: 2026-05-24
References:
Rectifyq Taxonomies:
Relevancy: 🔴 Highly Relevant
Category: Threat
• sub-category="malware-analysis"
• topic="mobile-attack"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• target-information="Malaysia"
• sector="Finance"
mitre-attack-pattern=['T1660', 'T1476', 'T1406.002', 'T1437', 'T1437.001', 'T1406', 'T1417.001', 'T1412', 'T1513', 'T1429', 'T1446']
MISP event uuid: c3e3d1a1-2a9e-420d-b8f0-16a801149af0
Title: MaxTag Malware Family
Date: 2026-05-25
References:
Rectifyq Taxonomies:
Relevancy: 🔴 Highly Relevant
Category: Threat
• sub-category="malware-analysis"
• topic="mobile-attack"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• target-information="Malaysia"
• sector="Finance"
mitre-attack-pattern=['T1429', 'T1412', 'T1417', 'T1516', 'T1411', 'T1461', 'T1444', 'T1406', 'T1582', 'T1603', 'T1513', 'T1481']
MISP event uuid: dcc49ea4-0a45-434b-ad1e-44d68b14b954
Title: The GHOST STADIUM Score: Billions At Stake At The World’s Largest Football Tournament
Date: 2026-05-27
References:
https://www.group-ib.com/blog/ghost-stadium-football-fraud/
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="TA-profile"
• sub-category="campaign-analysis"
• TA-category="Cybercrime"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Group-IB"
• target-information="United States"
• target-information="Argentina"
• target-information="Brazil"
• target-information="Canada"
• target-information="Colombia"
• target-information="Mexico"
mitre-attack-pattern=['T1056.001', 'T1539', 'T1588.004', 'T1566.002', 'T1598.003', 'T1586.002', 'T1583.001', 'T1185', 'T1555.003', 'T1003.001', 'T1102', 'T1566', 'T1078', 'T1585.001', 'T1027', 'T1573', 'T1598', 'T1189', 'T1071.001', 'T1590.001']
MISP event uuid: e4437cb1-34ec-4e07-b01f-92303168362f
Group-IB
The GHOST STADIUM Score: Billions At Stake At The World’s Largest Football Tournament
With the 2026 FIFA World Cup just weeks away, Group-IB researchers have uncovered six distinct fraud schemes, four independent threat actors, and over 4,300 fraudulent domains impersonating FIFA's official web presence, including a sophisticated phishing…
Title: From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities
Date: 2026-05-26
References:
https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="crypto-related"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Microsoft"
mitre-attack-pattern=['T1053.005', 'T1036.005', 'T1497.001', 'T1082', 'T1218.007', 'T1140', 'T1219', 'T1547.009', 'T1497.003', 'T1112', 'T1059.001', 'T1547.001', 'T1562.001', 'T1055.012', 'T1027', 'T1573', 'T1189', 'T1071.001', 'T1574.002', 'T1105']
MISP event uuid: 375002f5-d1e7-4371-93ed-5a833e8595b0
Microsoft News
From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities
Microsoft exposes a cryptojacking campaign using SEO poisoning and ScreenConnect to target high-performance PCs, with malicious sites also surfaced through AI chatbots.
Title: Smart Contracts for C&C: How ClearFake Hid in Plain Sight on BSC Testnet
Date: 2026-05-26
References:
https://www.trendmicro.com/en_us/research/26/e/smart-contracts-for-command-and-control.html
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="web3"
• topic="crypto-related"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Trend Micro"
• target-information="Switzerland"
• malpedia="SectopRAT"
mitre-attack-pattern=['T1539', 'T1036.005', 'T1204.002', 'T1497.001', 'T1140', 'T1185', 'T1555.003', 'T1055.002', 'T1102', 'T1059.001', 'T1055.012', 'T1027', 'T1012', 'T1518.001', 'T1059.006', 'T1189', 'T1071.001', 'T1105', 'T1056.004']
MISP event uuid: ead1cc2e-5a16-47f9-b9e0-6e8cd5ff1dfc
Trend Micro
Smart Contracts for C&C: How ClearFake Hid in Plain Sight on BSC Testnet
TrendAI™ Research analyzed an intrusion where threat actors used the EtherHiding technique to route ClearFake payload delivery through smart contracts on the BNB Smart Chain testnet. The attack chain ended with two simultaneously deployed stealers, SectopRAT…
Title: Phishing Campaign Deploys JavaScript-Driven PureLogs Variant to Steal Sensitive Data
Date: 2026-05-26
References:
https://www.fortinet.com/blog/threat-research/phishing-campaign-deploys-javascript-driven-purelogs-variant-to-steal-sensitive-data
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• target="broad-based"
• topic="crypto-related"
• samples-found-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Fortinet"
• malpedia="PureLogs Stealer"
mitre-attack-pattern=['T1113', 'T1033', 'T1218.011', 'T1059.007', 'T1539', 'T1566.001', 'T1115', 'T1082', 'T1005', 'T1140', 'T1555', 'T1055', 'T1218', 'T1555.003', 'T1041', 'T1059.001', 'T1566', 'T1055.012', 'T1027', 'T1573', 'T1027.002', 'T1071.001', 'T1105']
MISP event uuid: 75c62da8-6ae9-45ed-bdaa-1558105b9bf4
Fortinet Blog
Phishing Campaign Deploys JavaScript-Driven PureLogs Variant to Steal Sensitive Data
FortiGuard Labs analyzed a new phishing campaign that uses obfuscated JavaScript, PowerShell, process hollowing, and PureLogs to steal sensitive data…
Title: Pinduoduo (拼多多) Android APK Static Analysis & Verdict
Date: 2026-05-27
References:
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• sub-category="malware-analysis"
• topic="mobile-attack"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
mitre-attack-pattern=['T1437', 'T1544', 'T1521', 'T1417', 'T1430', 'T1429', 'T1424', 'T1406', 'T1512', 'T1636.003']
MISP event uuid: 9c3282c7-b7dd-4fcd-bb2f-427f58b9f7b8
Title: Windows and macOS Malware Spreads via Fake “Claude Code” Google Ads
Date: 2026-03-11
References:
https://www.bitdefender.com/en-us/blog/labs/fake-claude-code-google-ads-malware
Rectifyq Taxonomies:
Relevancy: 🟡 Somewhat Relevant
Category: Threat
• sub-category="campaign-analysis"
• topic="ai"
• target="broad-based"
• mitre-att&ck="none-from-src"
• samples-found-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• target-information="Malaysia"
• producer="Bitdefender"
mitre-attack-pattern=['T1170', 'T1218.005']
MISP event uuid: 19961acf-73c8-4594-8698-6294f9b2d5ca
Bitdefender
Windows and macOS Malware Spreads via Fake “Claude Code” Google Ads
Bitdefender has discovered a malicious Google Ads campaign targeting anyone searching for downloads related to Claude
Title: InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise
Date: 2026-05-05
References:
https://www.trendmicro.com/en_us/research/26/e/installfix-and-claude-code.html
Rectifyq Taxonomies:
Relevancy: 🔴 Highly Relevant
Category: Threat
• sub-category="malware-analysis"
• sub-category="campaign-analysis"
• target="broad-based"
• mitre-att&ck="from-original-src"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="x"
• action-taken="linkedin"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Trend Micro"
• target-information="Malaysia"
• target-information="Netherlands"
• target-information="Thailand"
• target-information="United States"
• sector="Education"
• sector="Electronic"
• sector="Food"
• sector="Government, Administration"
mitre-attack-pattern=['T1559.001', 'T1562', 'T1583.008', 'T1218.005', 'T1027', 'T1059.001', 'T1566.002', 'T1059.005']
MISP event uuid: e30b1a07-b830-46e2-bf69-e67eee29d4af
Trend Micro
InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise
Title: Exposing a Global Smishing Operation Across 19 Countries: Governments, Postal Services, and Telecoms Targeted
Date: 2026-05-27
References:
https://hunt.io/blog/massive-smishing-campaign-governments-postal-telecoms
Rectifyq Taxonomies:
Relevancy: ⚫ Not Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="mobile-attack"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Hunt.io"
• target-information="United States"
• target-information="Albania"
• target-information="Armenia"
• target-information="Bulgaria"
• target-information="Estonia"
• target-information="France"
• target-information="Georgia"
• target-information="Greece"
• target-information="Ireland"
• target-information="Kosovo"
• target-information="Latvia"
• target-information="Lithuania"
• target-information="North Macedonia"
• target-information="Montenegro"
• target-information="Romania"
• target-information="Slovenia"
• target-information="Spain"
• target-information="Trinidad and Tobago"
• target-information="United Kingdom"
mitre-attack-pattern=['T1583', 'T1204.002', 'T1566.002', 'T1598.003', 'T1586.002', 'T1608.001', 'T1583.001', 'T1560', 'T1090', 'T1584', 'T1586', 'T1102', 'T1608', 'T1583.006', 'T1204', 'T1041', 'T1566', 'T1078', 'T1598', 'T1213', 'T1584.001']
MISP event uuid: 36e75fd8-359f-4f84-8258-5f35cf8ed39b
hunt.io
Exposing a Global Smishing Operation Across 19 Countries: Governments, Postal Services, and Telecoms Targeted
Inside a coordinated smishing campaign targeting 19 countries across Europe, the Americas, and the Caucasus. 1,628 URLs, 32 IPs, one campaign fingerprint.
Title: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure
Date: 2026-05-27
References:
https://www.wiz.io/blog/threat-actors-target-crypto-orgs
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="crypto-related"
• target="broad-based"
• samples-found-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Wiz Blog"
mitre-attack-pattern=[]
MISP event uuid: 9672f16b-c5cd-4c1f-82fa-488daf2773c3
wiz.io
Threat Actor Targets Crypto Organizations | Wiz Blog | Wiz Blog
Threat actor, JINX-0164, uses LinkedIn social engineering, custom macOS malware, and CI/CD hijacking to target crypto organizations.
Title: A miner with a side of RAT: the unintended gift with your TV show or book
Date: 2026-05-28
References:
https://securelist.com/video-books-pirates-miners-rat/119943/
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="intrusion-analysis"
• sub-category="campaign-analysis"
• target="broad-based"
• TA-category="Cybercrime"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Kaspersky"
mitre-attack-pattern=['T1132.001', 'T1568.002', 'T1071.004', 'T1573.001', 'T1543.003', 'T1497.001', 'T1082', 'T1140', 'T1219', 'T1036', 'T1112', 'T1083', 'T1057', 'T1547.001', 'T1562.001', 'T1055.012', 'T1027', 'T1518.001', 'T1059.003', 'T1574.002', 'T1105']
MISP event uuid: 92c2564d-b7dd-46df-94ff-b63fa34fed48
Title: Typosquatted npm packages used to steal cloud and CI/CD secrets
Date: 2026-05-28
References:
https://www.microsoft.com/en-us/security/blog/2026/05/28/typosquatted-npm-packages-used-steal-cloud-ci-cd-secrets/
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="supply-chain"
• target="broad-based"
• topic="cloud"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Microsoft"
mitre-attack-pattern=['T1033', 'T1059.007', 'T1069.003', 'T1021.004', 'T1082', 'T1083', 'T1552.001', 'T1087.004', 'T1057', 'T1098', 'T1078', 'T1027', 'T1195.002', 'T1071.001', 'T1543.002', 'T1105', 'T1021.001', 'T1550.001', 'T1078.004', 'T1552.007']
MISP event uuid: 129b0e64-c241-431c-9742-ec756cbde228
Microsoft News
Typosquatted npm packages used to steal cloud and CI/CD secrets
The Mini Shai-Hulud campaign used malicious npm packages to target cloud and CI/CD credentials across developer environments. This report details the attack chain, detection opportunities, and mitigation guidance to help organizations identify and disrupt…
Title: The Gentlemen ransomware: Dissecting a self-propagating Go encryptor
Date: 2026-05-28
References:
https://www.microsoft.com/en-us/security/blog/2026/05/28/the-gentlemen-ransomware-dissecting-a-self-propagating-go-encryptor/
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="TA-profile"
• sub-category="malware-analysis"
• TA-category="Ransomware"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Microsoft"
• ransomware="the gentlemen"
mitre-attack-pattern=['T1053.005', 'T1489', 'T1135', 'T1106', 'T1070.003', 'T1021.002', 'T1021.006', 'T1070.001', 'T1021.003', 'T1482', 'T1083', 'T1059.001', 'T1547.001', 'T1562.001', 'T1486', 'T1134', 'T1018', 'T1569.002', 'T1490']
MISP event uuid: 6707c413-a393-496b-92e4-29b1bbb663ec
Microsoft News
The Gentlemen ransomware: Dissecting a self-propagating Go encryptor
Microsoft Threat Intelligence presents a comprehensive analysis of The Gentlemen, a Go-based ransomware deployed by affiliates of Storm-2697 that combines per-file ephemeral key encryption with an aggressive self-propagation module to deploy itself across…
Title: FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch
Date: 2026-05-27
References:
https://arcticwolf.com/resources/blog/forticlient-ems-exploited-via-cve-2026-35616-to-deliver-ekz-infostealer-disguised-as-a-fortinet-patch
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="intrusion-analysis"
• sub-category="critical-vuln"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Arctic Wolf"
mitre-attack-pattern=['T1190']
MISP event uuid: 31e1118e-9aa4-4708-8eca-21d21950bfd2
Arctic Wolf
FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch - Arctic Wolf
Arctic Wolf observed a threat cluster exploiting CVE-2026-35616, deploying an infostealer disguised as a Fortinet patch to FortiClient EMS-managed endpoints.
Title: Sapphire Sleet Targets macOS
Date: 2026-05-29
References:
https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• TA-category="APT"
• target="broad-based"
• samples-found-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="da7743e9-205e-47b0-8afc-b7aa7a5ae050"
• threat-actor="Lazarus Group"
• threat-actor="STARDUST CHOLLIMA"
mitre-attack-pattern=[]
MISP event uuid: 9805a443-f7d8-4233-9c46-75dea24852bb
Levelblue
Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign
We recently observed a multi-stage macOS intrusion campaign conducted by the North Korean state-sponsored threat group Sapphire Sleet.
Title: Kimsuky's Advanced Attack Techniques: JSONPing, Webex Spoofing, and a New HttpSpy Variant
Date: 2026-05-27
References:
https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant
Rectifyq Taxonomies:
Relevancy: ⚫ Not Relevant
Category: Threat
• mitre-att&ck="from-original-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• TA-category="APT"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• threat-actor="Kimsuky"
• target-information="South Korea"
• sector="Military"
mitre-attack-pattern=['T1010', 'T1070.009', 'T1027.010', 'T1134.002', 'T1005', 'T1140', 'T1055.001', 'T1027.009', 'T1027.013', 'T1041', 'T1070.004', 'T1083', 'T1059.007', 'T1204.002', 'T1036.004', 'T1566', 'T1057', 'T1090', 'T1012', 'T1620', 'T1547.001', 'T1053.005', 'T1113', 'T1132.001', 'T1573.001', 'T1497.001', 'T1082', 'T1070.006', 'T1071.001', 'T1059.003']
MISP event uuid: 8852557e-67b3-41c3-a52f-51232fc96b30
www.enki.co.kr
Kimsuky's Advanced Attack Techniques: JSONPing, Webex Spoofing, and a New HttpSpy Variant | Enki White Hat