Title: A stealthy RAT burrowing deep into Android devices
Date: 2026-05-26
References:
https://www.welivesecurity.com/en/malware/btmob-stealthy-rat-burrowing-deep-android-devices/
Rectifyq Taxonomies:
Relevancy: ⚫ Not Relevant
Category: ⚠ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="malware-analysis"
• sub-category="campaign-analysis"
• topic="mobile-attack"
• target="broad-based"
• samples-found-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="ESET"
• target-information="Argentina"
• target-information="Brazil"
• malpedia="BTMOB RAT"
mitre-attack-pattern=[]
MISP event uuid: 0da26aa9-86b0-415a-a8c4-0ce1d326a101
Welivesecurity
BTMOB: A stealthy RAT burrowing deep into Android devices
The BTMOB malware pairs remote access capabilities with ready-made campaign tools, lowering the barrier for full device compromise.
Title: Nimbus RAT: How Threat Actors Are Abusing Microsoft Teams and Google Drive to Deploy a Java RAT
Date: 2026-05-28
References:
https://www.esentire.com/blog/nimbus-rat-how-threat-actors-are-abusing-microsoft-teams-and-google-drive-to-deploy-a-java-rat
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚠ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="intrusion-analysis"
• target="targeted"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="eSentire"
mitre-attack-pattern=['T1560.001', 'T1113', 'T1033', 'T1132.001', 'T1071.004', 'T1114.001', 'T1204.002', 'T1573.001', 'T1566.002', 'T1082', 'T1106', 'T1005', 'T1140', 'T1555', 'T1219', 'T1055', 'T1010', 'T1112', 'T1016', 'T1087', 'T1083', 'T1057', 'T1041', 'T1534', 'T1547.001', 'T1056.002', 'T1027', 'T1102.002', 'T1059.003', 'T1071.001']
MISP event uuid: f5cbcf38-1444-44ec-ba04-af735b61b5b4
eSentire
Nimbus RAT: How Threat Actors Are Abusing Microsoft Teams and Google Drive to Deploy a Java RAT
Learn about a sophisticated intrusion campaign using Microsoft Teams vishing and Nimbus RAT malware to compromise targets via social engineering and legitimate cloud services.
Title: Malicious npm packages abuse dependency confusion to profile developer environments
Date: 2026-05-29
References:
https://www.microsoft.com/en-us/security/blog/2026/05/29/33-malicious-npm-packages-abuse-dependency-confusion-profile-developer-environments/
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚠ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="supply-chain"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Microsoft"
mitre-attack-pattern=['T1059.007', 'T1036.005', 'T1497.001', 'T1574.001', 'T1082', 'T1106', 'T1140', 'T1059', 'T1083', 'T1497', 'T1102', 'T1552.001', 'T1027', 'T1195.002', 'T1564.003', 'T1071.001', 'T1518', 'T1105', 'T1078.004', 'T1552.007']
MISP event uuid: 1fc9cd4b-9149-47fa-b7ea-3316688e46ea
Microsoft News
Malicious npm packages abuse dependency confusion to profile developer environments
A dependency confusion campaign leveraged 33 malicious npm packages to collect reconnaissance data from developer and build environments. This report details the attack chain, observed tradecraft, and detection opportunities to help organizations identify…
Title: FSB’s matryoshka #1/3 – Gamaredon’s gifts that keeps unpacking – GammaPhish and GammaWorm
Date: 2026-06-01
References:
https://blog.sekoia.io/fsbs-matryoshka-1-3-gamaredons-gifts-that-keeps-unpacking-gammaphish-and-gammaworm/
Rectifyq Taxonomies:
Relevancy: ⚫ Not Relevant
Category: ⚠ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="malware-analysis"
• TA-category="APT"
• target="broad-based"
• topic="geopolitical"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Sekoia"
• target-information="Ukraine"
• threat-actor="Gamaredon Group"
mitre-attack-pattern=['T1053.005', 'T1132.001', 'T1204.002', 'T1566.001', 'T1082', 'T1091', 'T1005', 'T1547.009', 'T1112', 'T1020', 'T1547.001', 'T1027', 'T1573', 'T1102.002', 'T1071.001', 'T1059.005', 'T1204.001', 'T1564.004', 'T1102.001']
MISP event uuid: 4b07e628-47c4-46c6-a774-3c500bd9f831
Sekoia.io Blog
FSB’s matryoshka #1/3 - Gamaredon’s gifts that keeps unpacking - GammaPhish and GammaWorm
Part 1 of our FSB Matryoshka series. Discover the context behind Gamaredon's cyberespionage campaigns, introducing GammaPhish and GammaWorm operations.
Title: Mini Shai-Hulud Campaign Hits Red Hat Cloud Services npm Packages
Date: 2026-06-01
References:
https://socket.dev/blog/mini-shai-hulud-campaign-hits-red-hat-cloud-services-npm-packages
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚠ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• topic="supply-chain"
• topic="cloud"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="37ebf9d7-5e9a-466f-a42c-6e60313db868"
• malpedia="Shai-Hulud"
mitre-attack-pattern=[]
MISP event uuid: e150d133-a2a1-4b77-890d-774c4dba737b
Socket
Mini Shai-Hulud Campaign Hits Red Hat Cloud Services npm Pac...
A mini Shai-Hulud campaign compromised Red Hat Cloud Services npm packages to steal developer and CI/CD secrets during installation.
Title: Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor
Date: 2026-06-02
References:
https://unit42.paloaltonetworks.com/flutterbridge-new-fluttershell-backdoor/
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚠ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Palo Alto"
mitre-attack-pattern=['T1539', 'T1553.002', 'T1082', 'T1176', 'T1106', 'T1005', 'T1036', 'T1185', 'T1555.003', 'T1083', 'T1204', 'T1041', 'T1547.001', 'T1566', 'T1059.004', 'T1027', 'T1573', 'T1543.001', 'T1189', 'T1071.001']
MISP event uuid: df1ad879-c8fb-4b8e-b263-bee925461d92
Unit 42
Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor
Operation FlutterBridge is a malvertising campaign targeting macOS users. It distributed the new backdoor FlutterShell, built using the Flutter framework.
Title: Iran Expands Handala Brand to Physical Threats
Date: 2026-06-02
References:
https://www.recordedfuture.com/research/iran-handala-physical-threats
https://www.recordedfuture.com/research/media_14c4348cdfe3e4e2b574896b502432695b25c37a9.gif?width=1200&format=pjpg&optimize=medium
Rectifyq Taxonomies:
Relevancy: ⚫ Not Relevant
Category: ⚠ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="TA-profile"
• topic="geopolitical"
• target="broad-based"
• TA-category="APT"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Recorded Future"
• target-information="United States"
• target-information="Albania"
• target-information="Israel"
• country="iran"
mitre-attack-pattern=['T1583', 'T1071', 'T1195', 'T1190', 'T1589', 'T1586', 'T1204', 'T1591', 'T1059.001', 'T1590', 'T1048', 'T1566', 'T1565', 'T1078', 'T1027', 'T1486', 'T1598', 'T1585', 'T1485', 'T1574.002']
MISP event uuid: 5cdd986c-7f2c-4576-bbce-0b56918f50c4
Recordedfuture
Iran Expands Handala Brand to Physical Threats
Iran's MOIS expands its Handala brand to hybrid cyber and physical threat operations, recruiting proxies to conduct attacks, espionage, and sabotage against US and Israeli interests
Title: From Token Bingo to MAX Takeover: Kali365 Operator Expands Operation Across Microsoft Outlook, Okta, Xerox DocuShare, and Other Services
Date: 2026-06-02
References:
https://arcticwolf.com/resources/blog/kali365-expands-into-aws-microsoft-okta-xerox-max-messenger/
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚠ Threat
• mitre-att&ck="from-original-src"
• mitre-att&ck="from-OTX"
• sub-category="tool-profile"
• TA-category="Cybercrime"
• target="broad-based"
• topic="cloud"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Arctic Wolf"
mitre-attack-pattern=['T1539', 'T1566.002', 'T1566.001', 'T1071', 'T1140', 'T1550', 'T1090', 'T1102', 'T1528', 'T1204', 'T1098', 'T1566', 'T1078', 'T1027', 'T1102.002', 'T1071.001', 'T1204.001', 'T1550.001', 'T1078.004', 'T1566.003', 'T1583.001', 'T1041', 'T1056.003', 'T1583.006']
MISP event uuid: a5eedd88-5f36-4684-b9fb-799b2eef534b
Arctic Wolf
From Token Bingo to MAX Takeover: Kali365 Operator Expands Operation Across Microsoft Outlook, Okta, Xerox DocuShare, and Other…
Arctic Wolf has observed a significant expansion of the phishing-as-a-service operation Kali365, which abuses Microsoft's OAuth device authorization flow to bypass MFA.
Title: Argamal: Malware hidden in hentai games
Date: 2026-06-03
References:
https://securelist.com/argamal-rat-distributed-with-hentai-games/119999/
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚠ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="malware-analysis"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Kaspersky"
• target-information="Russia"
• target-information="Brazil"
• target-information="Germany"
• target-information="Vietnam"
mitre-attack-pattern=['T1053.005', 'T1113', 'T1218.011', 'T1056.001', 'T1036.005', 'T1204.002', 'T1573.001', 'T1497.001', 'T1082', 'T1106', 'T1140', 'T1547.009', 'T1112', 'T1564.002', 'T1041', 'T1059.001', 'T1027', 'T1071.001', 'T1105']
MISP event uuid: 3d73990f-7cf6-48cf-91e6-3ae67ec56bf5
Securelist
New Argamal RAT targets hentai gamers
Kaspersky researchers analyze new Argamal RAT distributed via infected hentai games and allowing the attacker to control the target machine.
Title: Preinstall to persistence: Inside the npm Miasma credential-stealing campaign
Date: 2026-06-02
References:
https://www.microsoft.com/en-us/security/blog/2026/06/02/preinstall-persistence-inside-red-hat-npm-miasma-credential-stealing-campaign/
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚠ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="supply-chain"
• topic="cloud"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Microsoft"
mitre-attack-pattern=['T1059.007', 'T1548.003', 'T1195.001', 'T1606.002', 'T1140', 'T1552.004', 'T1078.001', 'T1098.004', 'T1083', 'T1552.001', 'T1567.001', 'T1136.003', 'T1068', 'T1027', 'T1195.002', 'T1485', 'T1550.001', 'T1078.004', 'T1552.007', 'T1078.003']
MISP event uuid: a3c52e1d-66df-4660-9c0d-df262d3772d4
Microsoft News
Preinstall to persistence: Inside the Red Hat npm Miasma credential-stealing campaign
A large-scale npm supply chain attack compromised over 90 versions of @redhat-cloud-services packages, silently infecting CI/CD environments and developer systems. The malicious code steals credentials from GitHub, cloud platforms, and local machines, then…
Title: Browser Spy-Ons: Threat Actor's Extension Hijack Your AI Conversations
Date: 2026-06-03
References:
https://blog.gdatasoftware.com/2026/06/38428-browser-addons-spy-on-ai-chats
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚠ Threat
• mitre-att&ck="from-original-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="ai"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="G DATA"
mitre-attack-pattern=['T1557', 'T1583', 'T1071', 'T1036', 'T1059', 'T1102', 'T1041', 'T1199', 'T1189', 'T1071.001']
MISP event uuid: dd04fd2f-6f98-44c7-8245-420da214bf24
Gdatasoftware
Browser Extensions Hijack AI Chats and Steal User Data
Millions of users rely on browser extensions to enhance their AI experience. Our investigation reveals how seemingly legitimate Chrome add-ons can intercept ChatGPT, Claude, DeepSeek, and other AI conversations, exposing sensitive personal and corporate data. …
Title: Inside the Cross-Platform Propagation of a New Gafgyt Variant C0XMO
Date: 2026-06-03
References:
https://www.fortinet.com/blog/threat-research/inside-cross-platform-propagation-of-new-gafgyt-variant-c0xmo
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚠ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="malware-analysis"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Fortinet"
• target-information="Japan"
• malpedia="Bashlite"
• botnet="Gafgyt"
mitre-attack-pattern=['T1110.001', 'T1133', 'T1543.003', 'T1053.003', 'T1021.004', 'T1082', 'T1106', 'T1190', 'T1021.006', 'T1057', 'T1210', 'T1571', 'T1486', 'T1059.006', 'T1498', 'T1595.001', 'T1037.004', 'T1071.001', 'T1136', 'T1046']
MISP event uuid: 3ddae69d-0e05-4def-81d3-aa7661d89c49
Fortinet Blog
Inside the Cross-Platform Propagation of a New Gafgyt Variant C0XMO
FortiGuard Labs analyzes C0XMO, a new Gafgyt variant leveraging DD-WRT exploitation and multi-architecture propagation to expand IoT botnet infections. …
Title: The Demon Arrives Later: A Havoc Stager Hides Behind Microsoft Defender DLP
Date: 2026-06-03
References:
https://www.levelblue.com/blogs/spiderlabs-blog/the-demon-arrives-later-a-havoc-stager-hides-behind-microsoft-defender-dlp
Rectifyq Taxonomies:
Relevancy: ⚫ Not Relevant
Category: ⚠ Threat
• mitre-att&ck="from-original-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• target="broad-based"
• samples-found-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• target-information="Brazil"
• producer="da7743e9-205e-47b0-8afc-b7aa7a5ae050"
• malpedia="Havoc"
mitre-attack-pattern=['T1036.005', 'T1566.002', 'T1218.007', 'T1140', 'T1036.001', 'T1071.001', 'T1059.005', 'T1574.002', 'T1105', 'T1037.001', 'T1027.013']
MISP event uuid: 636a805b-58f3-442e-9a0a-72b9d7e7f244
Levelblue
The Demon Arrives Later: A Havoc Stager Hides Behind Microsoft Defender DLP
Attackers disguise Havoc malware as routine Brazilian NF-e invoice ZIP files, enabling remote access, command execution, and network compromise.
Title: Impersonation, Click Hijacking, and TDS: Inside a Malware Distribution Ecosystem
Date: 2026-06-03
References:
https://research.checkpoint.com/2026/impersonation-click-hijacking-and-tds-inside-a-malware-distribution-ecosystem/
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚠ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• target="broad-based"
• samples-found-in="MalwareBazaar"
• samples-found-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Check Point"
• target-information="Brazil"
• target-information="France"
• target-information="Germany"
• target-information="Poland"
• target-information="Russia"
• target-information="United Kingdom"
mitre-attack-pattern=['T1113', 'T1056.001', 'T1539', 'T1036.005', 'T1204.002', 'T1566.002', 'T1115', 'T1082', 'T1005', 'T1140', 'T1055', 'T1555.003', 'T1083', 'T1497', 'T1552.001', 'T1027', 'T1573', 'T1132', 'T1071.001', 'T1105']
MISP event uuid: a61ff03b-bbe4-4a37-9108-01012488dde8
Check Point Research
Impersonation, Click Hijacking, and TDS: Inside a Malware Distribution Ecosystem - Check Point Research
Research by: Alexey Bukhteyev Key Takeaways Introduction When we search Google for a popular piece of software, we usually click the first result, sometimes without even looking at the rest, because official project sites tend to rank highest and appear near…
Title: PCPJack Hijacked 230 AWS, GCP, and Azure Servers to Run a Hidden SMTP Relay Network
Date: 2026-06-03
References:
https://hunt.io/blog/pcpjack-230-cloud-servers-smtp-proxy-network-sliver-chisel
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚠ Threat
• mitre-att&ck="from-original-src"
• mitre-att&ck="from-OTX"
• sub-category="infra-profile"
• topic="cloud"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Hunt.io"
• malpedia="Chisel (ELF)"
• malpedia="Chisel (Windows)"
• malpedia="Excalibur"
mitre-attack-pattern=['T1053.003', 'T1190', 'T1572', 'T1583.003', 'T1036.004', 'T1049', 'T1057', 'T1048', 'T1090.003', 'T1059.004', 'T1543.002', 'T1564.001']
MISP event uuid: bdc12c3b-f677-4d66-84c8-833e2a1bfb5d
hunt.io
PCPJack Hijacked 230 AWS, GCP, and Azure Servers to Run a Hidden SMTP Relay Network
Hunt.io recovered a 12-file SMTP proxy deployment toolkit from exposed PCPJack infrastructure, revealing how 230 compromised Linux servers were converted into a persistent email relay network using Sliver and Chisel.
Title: Error 524 Decoy: Unmasking a Global Smishing Operation Hiding Behind Error Pages
Date: 2026-06-03
References:
https://www.group-ib.com/blog/error-524-decoy-smishing/
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚠ Threat
• mitre-att&ck="from-original-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="mobile-attack"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Group-IB"
• target-information="Australia"
• target-information="Chile"
• target-information="Colombia"
• target-information="Germany"
• target-information="Mexico"
• target-information="Netherlands"
mitre-attack-pattern=['T1592.004', 'T1071.001', 'T1583.001', 'T1027.005', 'T1598.003', 'T1090.003', 'T1036.005', 'T1041', 'T1027', 'T1566.002', 'T1659']
MISP event uuid: bc9ff843-b5ce-4827-8e58-fc9196922e34
Group-IB
Error 524 Decoy: Unmasking a Global Smishing Operation Hiding Behind Error Pages
Group-IB researchers expose a large-scale smishing and phishing operation impersonating 260+ brands across 72 countries, using fake Cloudflare error pages, geofencing, and encrypted WebSocket channels for real-time credit card theft.
Title: Inside DesckVB Rat Analysis: From Malspam to In-Memory RAT
Date: 2026-06-03
References:
https://www.huntress.com/blog/malspam-to-deskcvb-rat-delivery-chain-analysis
Rectifyq Taxonomies:
Relevancy: 🔵 Potentially Relevant
Category: ⚠ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Huntress"
mitre-attack-pattern=['T1053.005', 'T1204.002', 'T1218.004', 'T1566.001', 'T1082', 'T1106', 'T1140', 'T1055', 'T1112', 'T1562.006', 'T1083', 'T1497', 'T1218.005', 'T1059.001', 'T1547.001', 'T1562.001', 'T1055.012', 'T1027', 'T1012', 'T1059.003', 'T1071.001']
MISP event uuid: 7c5f90fb-3502-48a6-ba36-12cae8c1cecc
Huntress
Inside DesckVB Rat Analysis: From Malspam to In-Memory RAT | Huntress
A malspam campaign abusing Google's DoubleClick delivers DesckVB RAT through a five-stage chain that evades detection and blinds Windows telemetry before persisting
Title: FSB’s matryoshka #2/3 – Gamaredon’s gifts that keeps unpacking – GammaLoad
Date: 2026-06-03
References:
https://blog.sekoia.io/fsbs-matryoshka-2-3-gamaredons-gifts-that-keeps-unpacking-gammaload/
Rectifyq Taxonomies:
Relevancy: ⚫ Not Relevant
Category: ⚠ Threat
• mitre-att&ck="none-from-src"
• mitre-att&ck="from-OTX"
• sub-category="campaign-analysis"
• topic="geopolitical"
• TA-category="APT"
• target="broad-based"
• no-samples-in="MalwareBazaar"
• no-samples-in="Tria.ge"
• action-taken="VT-comment"
MISP Galaxies:
• producer="Sekoia"
• target-information="Ukraine"
• threat-actor="Gamaredon Group"
mitre-attack-pattern=['T1053.005', 'T1132.001', 'T1573.001', 'T1497.001', 'T1082', 'T1140', 'T1070.006', 'T1036.004', 'T1102', 'T1059.001', 'T1547.001', 'T1027', 'T1218.010', 'T1012', 'T1090.004', 'T1071.001', 'T1059.005', 'T1105', 'T1564.004']
MISP event uuid: 1a8677ce-66e4-45f6-83b0-525be67118ff
Sekoia.io Blog
FSB’s matryoshka #2/3 - Gamaredon’s gifts that keeps unpacking - GammaLoad
In part 2 of our FSB Matryoshka series, we analyze Gamaredon's Gammaload malware variant, dissecting its technical updates and deployment mechanisms.