πTitle: InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise
π Date: 2026-05-05
πReferences:
https://www.trendmicro.com/en_us/research/26/e/installfix-and-claude-code.html
πRectifyq Taxonomies:
Relevancy: π΄ Highly Relevant
Category: β Threat
β’ sub-category="malware-analysis"
β’ sub-category="campaign-analysis"
β’ target="broad-based"
β’ mitre-att&ck="from-original-src"
β’ no-samples-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="x"
β’ action-taken="linkedin"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Trend Micro"
β’ target-information="Malaysia"
β’ target-information="Netherlands"
β’ target-information="Thailand"
β’ target-information="United States"
β’ sector="Education"
β’ sector="Electronic"
β’ sector="Food"
β’ sector="Government, Administration"
mitre-attack-pattern=['T1559.001', 'T1562', 'T1583.008', 'T1218.005', 'T1027', 'T1059.001', 'T1566.002', 'T1059.005']
MISP event uuid: e30b1a07-b830-46e2-bf69-e67eee29d4af
π Date: 2026-05-05
πReferences:
https://www.trendmicro.com/en_us/research/26/e/installfix-and-claude-code.html
πRectifyq Taxonomies:
Relevancy: π΄ Highly Relevant
Category: β Threat
β’ sub-category="malware-analysis"
β’ sub-category="campaign-analysis"
β’ target="broad-based"
β’ mitre-att&ck="from-original-src"
β’ no-samples-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="x"
β’ action-taken="linkedin"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Trend Micro"
β’ target-information="Malaysia"
β’ target-information="Netherlands"
β’ target-information="Thailand"
β’ target-information="United States"
β’ sector="Education"
β’ sector="Electronic"
β’ sector="Food"
β’ sector="Government, Administration"
mitre-attack-pattern=['T1559.001', 'T1562', 'T1583.008', 'T1218.005', 'T1027', 'T1059.001', 'T1566.002', 'T1059.005']
MISP event uuid: e30b1a07-b830-46e2-bf69-e67eee29d4af
Trend Micro
InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise
πTitle: Exposing a Global Smishing Operation Across 19 Countries: Governments, Postal Services, and Telecoms Targeted
π Date: 2026-05-27
πReferences:
https://hunt.io/blog/massive-smishing-campaign-governments-postal-telecoms
πRectifyq Taxonomies:
Relevancy: β« Not Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ topic="mobile-attack"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Hunt.io"
β’ target-information="United States"
β’ target-information="Albania"
β’ target-information="Armenia"
β’ target-information="Bulgaria"
β’ target-information="Estonia"
β’ target-information="France"
β’ target-information="Georgia"
β’ target-information="Greece"
β’ target-information="Ireland"
β’ target-information="Kosovo"
β’ target-information="Latvia"
β’ target-information="Lithuania"
β’ target-information="North Macedonia"
β’ target-information="Montenegro"
β’ target-information="Romania"
β’ target-information="Slovenia"
β’ target-information="Spain"
β’ target-information="Trinidad and Tobago"
β’ target-information="United Kingdom"
mitre-attack-pattern=['T1583', 'T1204.002', 'T1566.002', 'T1598.003', 'T1586.002', 'T1608.001', 'T1583.001', 'T1560', 'T1090', 'T1584', 'T1586', 'T1102', 'T1608', 'T1583.006', 'T1204', 'T1041', 'T1566', 'T1078', 'T1598', 'T1213', 'T1584.001']
MISP event uuid: 36e75fd8-359f-4f84-8258-5f35cf8ed39b
π Date: 2026-05-27
πReferences:
https://hunt.io/blog/massive-smishing-campaign-governments-postal-telecoms
πRectifyq Taxonomies:
Relevancy: β« Not Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ topic="mobile-attack"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Hunt.io"
β’ target-information="United States"
β’ target-information="Albania"
β’ target-information="Armenia"
β’ target-information="Bulgaria"
β’ target-information="Estonia"
β’ target-information="France"
β’ target-information="Georgia"
β’ target-information="Greece"
β’ target-information="Ireland"
β’ target-information="Kosovo"
β’ target-information="Latvia"
β’ target-information="Lithuania"
β’ target-information="North Macedonia"
β’ target-information="Montenegro"
β’ target-information="Romania"
β’ target-information="Slovenia"
β’ target-information="Spain"
β’ target-information="Trinidad and Tobago"
β’ target-information="United Kingdom"
mitre-attack-pattern=['T1583', 'T1204.002', 'T1566.002', 'T1598.003', 'T1586.002', 'T1608.001', 'T1583.001', 'T1560', 'T1090', 'T1584', 'T1586', 'T1102', 'T1608', 'T1583.006', 'T1204', 'T1041', 'T1566', 'T1078', 'T1598', 'T1213', 'T1584.001']
MISP event uuid: 36e75fd8-359f-4f84-8258-5f35cf8ed39b
hunt.io
Exposing a Global Smishing Operation Across 19 Countries: Governments, Postal Services, and Telecoms Targeted
Inside a coordinated smishing campaign targeting 19 countries across Europe, the Americas, and the Caucasus. 1,628 URLs, 32 IPs, one campaign fingerprint.
Rectifyq Cybersecurity News π²πΎ pinned Β«πTitle: MTNew-v3Campaign Advanced Banking Trojan Targeting Malaysian Financial Sector π
Date: 2026-05-24 πReferences: πRectifyq Taxonomies: Relevancy: π΄ Highly Relevant Category: β Threat β’ sub-category="malware-analysis" β’ topic="mobile-attack" β’ target="broadβ¦Β»
Rectifyq Cybersecurity News π²πΎ pinned Β«πTitle: MaxTag Malware Family π
Date: 2026-05-25 πReferences: πRectifyq Taxonomies: Relevancy: π΄ Highly Relevant Category: β Threat β’ sub-category="malware-analysis" β’ topic="mobile-attack" β’ target="broad-based" β’ no-samples-in="MalwareBazaar" β’ noβ¦Β»
Rectifyq Cybersecurity News π²πΎ pinned Β«πTitle: InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise π
Date: 2026-05-05 πReferences: https://www.trendmicro.com/en_us/research/26/e/installfix-and-claude-code.html πRectifyq Taxonomies: Relevancy: π΄ Highly Relevant Category:β¦Β»
πTitle: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure
π Date: 2026-05-27
πReferences:
https://www.wiz.io/blog/threat-actors-target-crypto-orgs
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ topic="crypto-related"
β’ target="broad-based"
β’ samples-found-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Wiz Blog"
mitre-attack-pattern=[]
MISP event uuid: 9672f16b-c5cd-4c1f-82fa-488daf2773c3
π Date: 2026-05-27
πReferences:
https://www.wiz.io/blog/threat-actors-target-crypto-orgs
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ topic="crypto-related"
β’ target="broad-based"
β’ samples-found-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Wiz Blog"
mitre-attack-pattern=[]
MISP event uuid: 9672f16b-c5cd-4c1f-82fa-488daf2773c3
wiz.io
Threat Actor Targets Crypto Organizations | Wiz Blog | Wiz Blog
Threat actor, JINX-0164, uses LinkedIn social engineering, custom macOS malware, and CI/CD hijacking to target crypto organizations.
πTitle: A miner with a side of RAT: the unintended gift with your TV show or book
π Date: 2026-05-28
πReferences:
https://securelist.com/video-books-pirates-miners-rat/119943/
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="intrusion-analysis"
β’ sub-category="campaign-analysis"
β’ target="broad-based"
β’ TA-category="Cybercrime"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Kaspersky"
mitre-attack-pattern=['T1132.001', 'T1568.002', 'T1071.004', 'T1573.001', 'T1543.003', 'T1497.001', 'T1082', 'T1140', 'T1219', 'T1036', 'T1112', 'T1083', 'T1057', 'T1547.001', 'T1562.001', 'T1055.012', 'T1027', 'T1518.001', 'T1059.003', 'T1574.002', 'T1105']
MISP event uuid: 92c2564d-b7dd-46df-94ff-b63fa34fed48
π Date: 2026-05-28
πReferences:
https://securelist.com/video-books-pirates-miners-rat/119943/
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="intrusion-analysis"
β’ sub-category="campaign-analysis"
β’ target="broad-based"
β’ TA-category="Cybercrime"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Kaspersky"
mitre-attack-pattern=['T1132.001', 'T1568.002', 'T1071.004', 'T1573.001', 'T1543.003', 'T1497.001', 'T1082', 'T1140', 'T1219', 'T1036', 'T1112', 'T1083', 'T1057', 'T1547.001', 'T1562.001', 'T1055.012', 'T1027', 'T1518.001', 'T1059.003', 'T1574.002', 'T1105']
MISP event uuid: 92c2564d-b7dd-46df-94ff-b63fa34fed48
πTitle: Typosquatted npm packages used to steal cloud and CI/CD secrets
π Date: 2026-05-28
πReferences:
https://www.microsoft.com/en-us/security/blog/2026/05/28/typosquatted-npm-packages-used-steal-cloud-ci-cd-secrets/
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ topic="supply-chain"
β’ target="broad-based"
β’ topic="cloud"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Microsoft"
mitre-attack-pattern=['T1033', 'T1059.007', 'T1069.003', 'T1021.004', 'T1082', 'T1083', 'T1552.001', 'T1087.004', 'T1057', 'T1098', 'T1078', 'T1027', 'T1195.002', 'T1071.001', 'T1543.002', 'T1105', 'T1021.001', 'T1550.001', 'T1078.004', 'T1552.007']
MISP event uuid: 129b0e64-c241-431c-9742-ec756cbde228
π Date: 2026-05-28
πReferences:
https://www.microsoft.com/en-us/security/blog/2026/05/28/typosquatted-npm-packages-used-steal-cloud-ci-cd-secrets/
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ topic="supply-chain"
β’ target="broad-based"
β’ topic="cloud"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Microsoft"
mitre-attack-pattern=['T1033', 'T1059.007', 'T1069.003', 'T1021.004', 'T1082', 'T1083', 'T1552.001', 'T1087.004', 'T1057', 'T1098', 'T1078', 'T1027', 'T1195.002', 'T1071.001', 'T1543.002', 'T1105', 'T1021.001', 'T1550.001', 'T1078.004', 'T1552.007']
MISP event uuid: 129b0e64-c241-431c-9742-ec756cbde228
Microsoft News
Typosquatted npm packages used to steal cloud and CI/CD secrets
The Mini Shai-Hulud campaign used malicious npm packages to target cloud and CI/CD credentials across developer environments. This report details the attack chain, detection opportunities, and mitigation guidance to help organizations identify and disruptβ¦
πTitle: The Gentlemen ransomware: Dissecting a self-propagating Go encryptor
π Date: 2026-05-28
πReferences:
https://www.microsoft.com/en-us/security/blog/2026/05/28/the-gentlemen-ransomware-dissecting-a-self-propagating-go-encryptor/
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="TA-profile"
β’ sub-category="malware-analysis"
β’ TA-category="Ransomware"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Microsoft"
β’ ransomware="the gentlemen"
mitre-attack-pattern=['T1053.005', 'T1489', 'T1135', 'T1106', 'T1070.003', 'T1021.002', 'T1021.006', 'T1070.001', 'T1021.003', 'T1482', 'T1083', 'T1059.001', 'T1547.001', 'T1562.001', 'T1486', 'T1134', 'T1018', 'T1569.002', 'T1490']
MISP event uuid: 6707c413-a393-496b-92e4-29b1bbb663ec
π Date: 2026-05-28
πReferences:
https://www.microsoft.com/en-us/security/blog/2026/05/28/the-gentlemen-ransomware-dissecting-a-self-propagating-go-encryptor/
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="TA-profile"
β’ sub-category="malware-analysis"
β’ TA-category="Ransomware"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Microsoft"
β’ ransomware="the gentlemen"
mitre-attack-pattern=['T1053.005', 'T1489', 'T1135', 'T1106', 'T1070.003', 'T1021.002', 'T1021.006', 'T1070.001', 'T1021.003', 'T1482', 'T1083', 'T1059.001', 'T1547.001', 'T1562.001', 'T1486', 'T1134', 'T1018', 'T1569.002', 'T1490']
MISP event uuid: 6707c413-a393-496b-92e4-29b1bbb663ec
Microsoft News
The Gentlemen ransomware: Dissecting a self-propagating Go encryptor
Microsoft Threat Intelligence presents a comprehensive analysis of The Gentlemen, a Go-based ransomware deployed by affiliates of Storm-2697 that combines per-file ephemeral key encryption with an aggressive self-propagation module to deploy itself acrossβ¦
πTitle: FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch
π Date: 2026-05-27
πReferences:
https://arcticwolf.com/resources/blog/forticlient-ems-exploited-via-cve-2026-35616-to-deliver-ekz-infostealer-disguised-as-a-fortinet-patch
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="intrusion-analysis"
β’ sub-category="critical-vuln"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Arctic Wolf"
mitre-attack-pattern=['T1190']
MISP event uuid: 31e1118e-9aa4-4708-8eca-21d21950bfd2
π Date: 2026-05-27
πReferences:
https://arcticwolf.com/resources/blog/forticlient-ems-exploited-via-cve-2026-35616-to-deliver-ekz-infostealer-disguised-as-a-fortinet-patch
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="intrusion-analysis"
β’ sub-category="critical-vuln"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Arctic Wolf"
mitre-attack-pattern=['T1190']
MISP event uuid: 31e1118e-9aa4-4708-8eca-21d21950bfd2
Arctic Wolf
FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch - Arctic Wolf
Arctic Wolf observed a threat cluster exploiting CVE-2026-35616, deploying an infostealer disguised as a Fortinet patch to FortiClient EMS-managed endpoints.
πTitle: Sapphire Sleet Targets macOS
π Date: 2026-05-29
πReferences:
https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ TA-category="APT"
β’ target="broad-based"
β’ samples-found-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="da7743e9-205e-47b0-8afc-b7aa7a5ae050"
β’ threat-actor="Lazarus Group"
β’ threat-actor="STARDUST CHOLLIMA"
mitre-attack-pattern=[]
MISP event uuid: 9805a443-f7d8-4233-9c46-75dea24852bb
π Date: 2026-05-29
πReferences:
https://www.levelblue.com/blogs/spiderlabs-blog/sapphire-sleet-targets-macos-in-multi-stage-intrusion-campaign
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ TA-category="APT"
β’ target="broad-based"
β’ samples-found-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="da7743e9-205e-47b0-8afc-b7aa7a5ae050"
β’ threat-actor="Lazarus Group"
β’ threat-actor="STARDUST CHOLLIMA"
mitre-attack-pattern=[]
MISP event uuid: 9805a443-f7d8-4233-9c46-75dea24852bb
Levelblue
Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign
We recently observed a multi-stage macOS intrusion campaign conducted by the North Korean state-sponsored threat group Sapphire Sleet.
πTitle: Kimsuky's Advanced Attack Techniques: JSONPing, Webex Spoofing, and a New HttpSpy Variant
π Date: 2026-05-27
πReferences:
https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant
πRectifyq Taxonomies:
Relevancy: β« Not Relevant
Category: β Threat
β’ mitre-att&ck="from-original-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ TA-category="APT"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ threat-actor="Kimsuky"
β’ target-information="South Korea"
β’ sector="Military"
mitre-attack-pattern=['T1010', 'T1070.009', 'T1027.010', 'T1134.002', 'T1005', 'T1140', 'T1055.001', 'T1027.009', 'T1027.013', 'T1041', 'T1070.004', 'T1083', 'T1059.007', 'T1204.002', 'T1036.004', 'T1566', 'T1057', 'T1090', 'T1012', 'T1620', 'T1547.001', 'T1053.005', 'T1113', 'T1132.001', 'T1573.001', 'T1497.001', 'T1082', 'T1070.006', 'T1071.001', 'T1059.003']
MISP event uuid: 8852557e-67b3-41c3-a52f-51232fc96b30
π Date: 2026-05-27
πReferences:
https://www.enki.co.kr/en/media-center/blog/kimsuky-s-advanced-attack-techniques-jsonping-webex-spoofing-and-a-new-httpspy-variant
πRectifyq Taxonomies:
Relevancy: β« Not Relevant
Category: β Threat
β’ mitre-att&ck="from-original-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ TA-category="APT"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ threat-actor="Kimsuky"
β’ target-information="South Korea"
β’ sector="Military"
mitre-attack-pattern=['T1010', 'T1070.009', 'T1027.010', 'T1134.002', 'T1005', 'T1140', 'T1055.001', 'T1027.009', 'T1027.013', 'T1041', 'T1070.004', 'T1083', 'T1059.007', 'T1204.002', 'T1036.004', 'T1566', 'T1057', 'T1090', 'T1012', 'T1620', 'T1547.001', 'T1053.005', 'T1113', 'T1132.001', 'T1573.001', 'T1497.001', 'T1082', 'T1070.006', 'T1071.001', 'T1059.003']
MISP event uuid: 8852557e-67b3-41c3-a52f-51232fc96b30
www.enki.co.kr
Kimsuky's Advanced Attack Techniques: JSONPing, Webex Spoofing, and a New HttpSpy Variant | Enki White Hat
πTitle: Operation XENOFISCAL: SideCopy deploying persistent XenoRAT targeting the MoF, Afghanistan
π Date: 2026-05-29
πReferences:
https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/
πRectifyq Taxonomies:
Relevancy: β« Not Relevant
Category: β Threat
β’ mitre-att&ck="from-original-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ TA-category="APT"
β’ target="broad-based"
β’ samples-found-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Seqrite"
β’ target-information="Afghanistan"
β’ threat-actor="SideCopy"
β’ malpedia="XenoRAT"
mitre-attack-pattern=['T1123', 'T1115', 'T1140', 'T1562.001', 'T1583.001', 'T1568', 'T1573', 'T1090.002', 'T1070.004', 'T1027.011', 'T1564.001', 'T1059.007', 'T1056.001', 'T1218.005', 'T1106', 'T1095', 'T1027', 'T1055', 'T1012', 'T1620', 'T1547.001', 'T1053.005', 'T1113', 'T1518.001', 'T1129', 'T1518', 'T1566.001', 'T1218', 'T1082', 'T1125', 'T1071.001', 'T1059.003']
MISP event uuid: eb0c187a-2b4d-421e-9faa-871606571fb0
π Date: 2026-05-29
πReferences:
https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/
πRectifyq Taxonomies:
Relevancy: β« Not Relevant
Category: β Threat
β’ mitre-att&ck="from-original-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ TA-category="APT"
β’ target="broad-based"
β’ samples-found-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Seqrite"
β’ target-information="Afghanistan"
β’ threat-actor="SideCopy"
β’ malpedia="XenoRAT"
mitre-attack-pattern=['T1123', 'T1115', 'T1140', 'T1562.001', 'T1583.001', 'T1568', 'T1573', 'T1090.002', 'T1070.004', 'T1027.011', 'T1564.001', 'T1059.007', 'T1056.001', 'T1218.005', 'T1106', 'T1095', 'T1027', 'T1055', 'T1012', 'T1620', 'T1547.001', 'T1053.005', 'T1113', 'T1518.001', 'T1129', 'T1518', 'T1566.001', 'T1218', 'T1082', 'T1125', 'T1071.001', 'T1059.003']
MISP event uuid: eb0c187a-2b4d-421e-9faa-871606571fb0
Seqrite Labs
Operation XENOFISCAL: SideCopy deploying persistent XenoRAT targeting the MoF, Afghanistan
<p>Authors: Dixit Panchal & Vaibhav Krushna Billade Table of Contents: Introduction: Key Targets: Infection Chain: Initial Findings about Campaign: Analysis of Decoy: Technical Analysis: Stage 1: Analysis of LNK File. Stage 2: Analysis of HTA/JavaScript Payloadβ¦
πTitle: Operation Dragon Weave: Uncovering a China-Linked Campaign Targeting Czech Republic and Taiwan Using Azure Cloud C2
π Date: 2026-05-29
πReferences:
https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/
πRectifyq Taxonomies:
Relevancy: β« Not Relevant
Category: π Vulnerability
β’ mitre-att&ck="from-original-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ topic="cloud"
β’ target="broad-based"
β’ TA-category="APT"
β’ no-samples-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Seqrite"
β’ target-information="Czech Republic"
β’ target-information="Taiwan"
mitre-attack-pattern=['T1204.002', 'T1497.001', 'T1566.001', 'T1082', 'T1055', 'T1016', 'T1090', 'T1083', 'T1057', 'T1041', 'T1059.001', 'T1027', 'T1573', 'T1059.005', 'T1574.002', 'T1105', 'T1102.001', 'T1620']
MISP event uuid: 2a39eb24-b765-4968-9c52-198844a7f7f9
π Date: 2026-05-29
πReferences:
https://www.seqrite.com/blog/operation-dragon-weave-uncovering-a-china-linked-campaign-targeting-czech-republic-and-taiwan-using-azure-cloud-c2/
πRectifyq Taxonomies:
Relevancy: β« Not Relevant
Category: π Vulnerability
β’ mitre-att&ck="from-original-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ topic="cloud"
β’ target="broad-based"
β’ TA-category="APT"
β’ no-samples-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Seqrite"
β’ target-information="Czech Republic"
β’ target-information="Taiwan"
mitre-attack-pattern=['T1204.002', 'T1497.001', 'T1566.001', 'T1082', 'T1055', 'T1016', 'T1090', 'T1083', 'T1057', 'T1041', 'T1059.001', 'T1027', 'T1573', 'T1059.005', 'T1574.002', 'T1105', 'T1102.001', 'T1620']
MISP event uuid: 2a39eb24-b765-4968-9c52-198844a7f7f9
Seqrite Labs
Operation Dragon Weave : Uncovering a China-Linked Campaign Targeting Czech Republic and Taiwan Using Azure Cloud C2
<p>Contents Introduction Key Targets Industries Affected Geographical focus Infection Chain Initial Findings Looking into the Decoy Document Technical Analysis Stage 1 β Initial Delivery Path A: LNK-Based Execution Path B: Executable-Based Delivery Stageβ¦
πTitle: Reloaded in a modern Remcos RAT Infection
π Date: 2026-05-29
πReferences:
https://blog.gdatasoftware.com/2026/05/38426-donutloader-remcos-rat
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="from-original-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="intrusion-analysis"
β’ target="broad-based"
β’ samples-found-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="G DATA"
β’ malpedia="Remcos"
mitre-attack-pattern=['T1560.001', 'T1059.007', 'T1566.001', 'T1071', 'T1140', 'T1219', 'T1036', 'T1055', 'T1218', 'T1059', 'T1059.001', 'T1027', 'T1564.003', 'T1059.003', 'T1059.005', 'T1105', 'T1620']
MISP event uuid: 8851f4ff-ce5e-4109-a60f-6bdb729a78d5
π Date: 2026-05-29
πReferences:
https://blog.gdatasoftware.com/2026/05/38426-donutloader-remcos-rat
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="from-original-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="intrusion-analysis"
β’ target="broad-based"
β’ samples-found-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="G DATA"
β’ malpedia="Remcos"
mitre-attack-pattern=['T1560.001', 'T1059.007', 'T1566.001', 'T1071', 'T1140', 'T1219', 'T1036', 'T1055', 'T1218', 'T1059', 'T1059.001', 'T1027', 'T1564.003', 'T1059.003', 'T1059.005', 'T1105', 'T1620']
MISP event uuid: 8851f4ff-ce5e-4109-a60f-6bdb729a78d5
Gdatasoftware
DonutLoader Reloaded in a modern Remcos RAT Infection
Discover how a new Remcos RAT campaign uses DonutLoader shellcode, AutoIt staging, LOLBins, and in-memory execution to evade detection. G Data analysts reveal the full multi-stage infection chain, from phishing email to process injection and Remcos RAT 7.2.1β¦
πTitle: A New Threat Actor Using ClickFix and Fake Update Drive-By Attacks in Thousands of Compromised Sites
π Date: 2026-05-30
πReferences:
https://www.silentpush.com/blog/drivesurge/
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="TA-profile"
β’ TA-category="Cybercrime"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Silent Push"
mitre-attack-pattern=['T1588.004', 'T1204.002', 'T1566.002', 'T1140', 'T1583.001', 'T1055', 'T1112', 'T1090.002', 'T1583.006', 'T1059.001', 'T1547.001', 'T1059.004', 'T1027', 'T1203', 'T1059.006', 'T1070.004', 'T1189', 'T1564.001', 'T1204.001']
MISP event uuid: 60f381bf-1ce4-4f1c-bf8f-bbe210033304
π Date: 2026-05-30
πReferences:
https://www.silentpush.com/blog/drivesurge/
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="TA-profile"
β’ TA-category="Cybercrime"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Silent Push"
mitre-attack-pattern=['T1588.004', 'T1204.002', 'T1566.002', 'T1140', 'T1583.001', 'T1055', 'T1112', 'T1090.002', 'T1583.006', 'T1059.001', 'T1547.001', 'T1059.004', 'T1027', 'T1203', 'T1059.006', 'T1070.004', 'T1189', 'T1564.001', 'T1204.001']
MISP event uuid: 60f381bf-1ce4-4f1c-bf8f-bbe210033304
Silent Push
Meet DriveSurge: A New Threat Actor Using ClickFix and Fake Update Drive-By Attacks in Thousands of Compromised Sites
Silent Push observed several drive-by attack clusters using ClickFix and FakeUpdates campaigns. We named the primary driver DriveSurge.
πTitle: A stealthy RAT burrowing deep into Android devices
π Date: 2026-05-26
πReferences:
https://www.welivesecurity.com/en/malware/btmob-stealthy-rat-burrowing-deep-android-devices/
πRectifyq Taxonomies:
Relevancy: β« Not Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="malware-analysis"
β’ sub-category="campaign-analysis"
β’ topic="mobile-attack"
β’ target="broad-based"
β’ samples-found-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="ESET"
β’ target-information="Argentina"
β’ target-information="Brazil"
β’ malpedia="BTMOB RAT"
mitre-attack-pattern=[]
MISP event uuid: 0da26aa9-86b0-415a-a8c4-0ce1d326a101
π Date: 2026-05-26
πReferences:
https://www.welivesecurity.com/en/malware/btmob-stealthy-rat-burrowing-deep-android-devices/
πRectifyq Taxonomies:
Relevancy: β« Not Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="malware-analysis"
β’ sub-category="campaign-analysis"
β’ topic="mobile-attack"
β’ target="broad-based"
β’ samples-found-in="MalwareBazaar"
β’ samples-found-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="ESET"
β’ target-information="Argentina"
β’ target-information="Brazil"
β’ malpedia="BTMOB RAT"
mitre-attack-pattern=[]
MISP event uuid: 0da26aa9-86b0-415a-a8c4-0ce1d326a101
Welivesecurity
BTMOB: A stealthy RAT burrowing deep into Android devices
The BTMOB malware pairs remote access capabilities with ready-made campaign tools, lowering the barrier for full device compromise.
πTitle: Nimbus RAT: How Threat Actors Are Abusing Microsoft Teams and Google Drive to Deploy a Java RAT
π Date: 2026-05-28
πReferences:
https://www.esentire.com/blog/nimbus-rat-how-threat-actors-are-abusing-microsoft-teams-and-google-drive-to-deploy-a-java-rat
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="intrusion-analysis"
β’ target="targeted"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="eSentire"
mitre-attack-pattern=['T1560.001', 'T1113', 'T1033', 'T1132.001', 'T1071.004', 'T1114.001', 'T1204.002', 'T1573.001', 'T1566.002', 'T1082', 'T1106', 'T1005', 'T1140', 'T1555', 'T1219', 'T1055', 'T1010', 'T1112', 'T1016', 'T1087', 'T1083', 'T1057', 'T1041', 'T1534', 'T1547.001', 'T1056.002', 'T1027', 'T1102.002', 'T1059.003', 'T1071.001']
MISP event uuid: f5cbcf38-1444-44ec-ba04-af735b61b5b4
π Date: 2026-05-28
πReferences:
https://www.esentire.com/blog/nimbus-rat-how-threat-actors-are-abusing-microsoft-teams-and-google-drive-to-deploy-a-java-rat
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="intrusion-analysis"
β’ target="targeted"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="eSentire"
mitre-attack-pattern=['T1560.001', 'T1113', 'T1033', 'T1132.001', 'T1071.004', 'T1114.001', 'T1204.002', 'T1573.001', 'T1566.002', 'T1082', 'T1106', 'T1005', 'T1140', 'T1555', 'T1219', 'T1055', 'T1010', 'T1112', 'T1016', 'T1087', 'T1083', 'T1057', 'T1041', 'T1534', 'T1547.001', 'T1056.002', 'T1027', 'T1102.002', 'T1059.003', 'T1071.001']
MISP event uuid: f5cbcf38-1444-44ec-ba04-af735b61b5b4
eSentire
Nimbus RAT: How Threat Actors Are Abusing Microsoft Teams and Google Drive to Deploy a Java RAT
Learn about a sophisticated intrusion campaign using Microsoft Teams vishing and Nimbus RAT malware to compromise targets via social engineering and legitimate cloud services.
πTitle: Malicious npm packages abuse dependency confusion to profile developer environments
π Date: 2026-05-29
πReferences:
https://www.microsoft.com/en-us/security/blog/2026/05/29/33-malicious-npm-packages-abuse-dependency-confusion-profile-developer-environments/
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ topic="supply-chain"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Microsoft"
mitre-attack-pattern=['T1059.007', 'T1036.005', 'T1497.001', 'T1574.001', 'T1082', 'T1106', 'T1140', 'T1059', 'T1083', 'T1497', 'T1102', 'T1552.001', 'T1027', 'T1195.002', 'T1564.003', 'T1071.001', 'T1518', 'T1105', 'T1078.004', 'T1552.007']
MISP event uuid: 1fc9cd4b-9149-47fa-b7ea-3316688e46ea
π Date: 2026-05-29
πReferences:
https://www.microsoft.com/en-us/security/blog/2026/05/29/33-malicious-npm-packages-abuse-dependency-confusion-profile-developer-environments/
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="campaign-analysis"
β’ topic="supply-chain"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Microsoft"
mitre-attack-pattern=['T1059.007', 'T1036.005', 'T1497.001', 'T1574.001', 'T1082', 'T1106', 'T1140', 'T1059', 'T1083', 'T1497', 'T1102', 'T1552.001', 'T1027', 'T1195.002', 'T1564.003', 'T1071.001', 'T1518', 'T1105', 'T1078.004', 'T1552.007']
MISP event uuid: 1fc9cd4b-9149-47fa-b7ea-3316688e46ea
Microsoft News
Malicious npm packages abuse dependency confusion to profile developer environments
A dependency confusion campaign leveraged 33 malicious npm packages to collect reconnaissance data from developer and build environments. This report details the attack chain, observed tradecraft, and detection opportunities to help organizations identifyβ¦
πTitle: FSBβs matryoshka #1/3 β Gamaredonβs gifts that keeps unpacking β GammaPhish and GammaWorm
π Date: 2026-06-01
πReferences:
https://blog.sekoia.io/fsbs-matryoshka-1-3-gamaredons-gifts-that-keeps-unpacking-gammaphish-and-gammaworm/
πRectifyq Taxonomies:
Relevancy: β« Not Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="malware-analysis"
β’ TA-category="APT"
β’ target="broad-based"
β’ topic="geopolitical"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Sekoia"
β’ target-information="Ukraine"
β’ threat-actor="Gamaredon Group"
mitre-attack-pattern=['T1053.005', 'T1132.001', 'T1204.002', 'T1566.001', 'T1082', 'T1091', 'T1005', 'T1547.009', 'T1112', 'T1020', 'T1547.001', 'T1027', 'T1573', 'T1102.002', 'T1071.001', 'T1059.005', 'T1204.001', 'T1564.004', 'T1102.001']
MISP event uuid: 4b07e628-47c4-46c6-a774-3c500bd9f831
π Date: 2026-06-01
πReferences:
https://blog.sekoia.io/fsbs-matryoshka-1-3-gamaredons-gifts-that-keeps-unpacking-gammaphish-and-gammaworm/
πRectifyq Taxonomies:
Relevancy: β« Not Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ sub-category="malware-analysis"
β’ TA-category="APT"
β’ target="broad-based"
β’ topic="geopolitical"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="Sekoia"
β’ target-information="Ukraine"
β’ threat-actor="Gamaredon Group"
mitre-attack-pattern=['T1053.005', 'T1132.001', 'T1204.002', 'T1566.001', 'T1082', 'T1091', 'T1005', 'T1547.009', 'T1112', 'T1020', 'T1547.001', 'T1027', 'T1573', 'T1102.002', 'T1071.001', 'T1059.005', 'T1204.001', 'T1564.004', 'T1102.001']
MISP event uuid: 4b07e628-47c4-46c6-a774-3c500bd9f831
Sekoia.io Blog
FSBβs matryoshka #1/3 - Gamaredonβs gifts that keeps unpacking - GammaPhish and GammaWorm
Part 1 of our FSB Matryoshka series. Discover the context behind Gamaredon's cyberespionage campaigns, introducing GammaPhish and GammaWorm operations.
πTitle: Mini Shai-Hulud Campaign Hits Red Hat Cloud Services npm Packages
π Date: 2026-06-01
πReferences:
https://socket.dev/blog/mini-shai-hulud-campaign-hits-red-hat-cloud-services-npm-packages
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ topic="supply-chain"
β’ topic="cloud"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="37ebf9d7-5e9a-466f-a42c-6e60313db868"
β’ malpedia="Shai-Hulud"
mitre-attack-pattern=[]
MISP event uuid: e150d133-a2a1-4b77-890d-774c4dba737b
π Date: 2026-06-01
πReferences:
https://socket.dev/blog/mini-shai-hulud-campaign-hits-red-hat-cloud-services-npm-packages
πRectifyq Taxonomies:
Relevancy: π΅ Potentially Relevant
Category: β Threat
β’ mitre-att&ck="none-from-src"
β’ mitre-att&ck="from-OTX"
β’ topic="supply-chain"
β’ topic="cloud"
β’ target="broad-based"
β’ no-samples-in="MalwareBazaar"
β’ no-samples-in="Tria.ge"
β’ action-taken="VT-comment"
πMISP Galaxies:
β’ producer="37ebf9d7-5e9a-466f-a42c-6e60313db868"
β’ malpedia="Shai-Hulud"
mitre-attack-pattern=[]
MISP event uuid: e150d133-a2a1-4b77-890d-774c4dba737b
Socket
Mini Shai-Hulud Campaign Hits Red Hat Cloud Services npm Pac...
A mini Shai-Hulud campaign compromised Red Hat Cloud Services npm packages to steal developer and CI/CD secrets during installation.