Rectifyq

2026-06-25 SharpPanda Strike Again

Thu, 25 Jun 2026 00:00:00 GMT

📃Title: SharpPanda Strike Again
📅Date: 2026-06-25
🔗References:

https://research.pelagos-intel.com/sharppanda-strike-again

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
sub-category: malware-analysis
target: broad-based
MY-relevancy: relevant

🔖MISP Galaxies:

threat-actor= SharpPanda
target-information=“France”
target-information=“Malaysia”
operating-system=“Windows”
software-vendor=“microsoft”
mitre-attack-pattern=[]

MISP event uuid: c43ea1a9-5308-43d7-a187-048d2b65e20b

Indicator of Compromise (IoCs)

type,value,comment
md5, cb161e2b9508e93f1b3113d3d8087dc2, 'Document'
md5, 3927ec252d2b00bd2d9d8550c529ae4f, 'Document'
md5, a63496ff570d2f75ae3f211780976eaa, 'Stage 2'
md5, 6615feda87063553f7239c2865e4fbf3, 'Macro module'
md5, 642bd3c02e79d5953b0119a7d60903e2, 'Macro module'
sha256, 92fd13374bbc2d0741cb0b78d6a5f979796380ad03f3dc59b7ad633b45668e14, 'ZIP No sample in VT\r\nLast check:27/06/2026'
sha256, c373b6ae57c53449d0442c6aaf307c36ccc4a3e37960b60be6ce29c0573bc1fb, 'ZIP No sample in VT\r\nLast check:27/06/2026'
sha256, 47976166cdf4ceb36c4743423b85559ebc2a591389c5cf031ab50a9583d97d0d, 'Stage 1 No sample in VT\r\nLast check:27/06/2026'
sha256, 002ea3f1a773fd33f134d25fe43f46bd367567b3db4e513c5003a6017d41c18f, 'Stage 1 No sample in VT\r\nLast check:27/06/2026'
sha256, 28622bd3709e022939060827bcbf629a8cf0620ca0bef439667b5b0fe248a8a8, 'Stage 2 No sample in VT\r\nLast check:27/06/2026'
sha256, bedb6e6466ab92e48741a6f3f1d5471e49403d69fe295170097a76fe79efe8cd, 'Resource No sample in VT\r\nLast check:27/06/2026'
sha256, 54cbd4e83aff8cf3c1531a5603753469450c380f792ebfeb926b4dd978b44d44, 'Resource No sample in VT\r\nLast check:27/06/2026'
sha256, 9055a6eee0533329c6740314d3e939434c68a8e85cf710afc9b8dfab7d0334bc, 'Shortcut No sample in VT\r\nLast check:27/06/2026'

Full IOCs available in Rectifyq’s MISP

2026-06-22 MA-1464.062026 MyCERT Alert - Malware Campaign Delivering Malicious VBScript via WhatsApp Desktop

Mon, 22 Jun 2026 00:00:00 GMT

📃Title: MA-1464.062026: MyCERT Alert - Malware Campaign Delivering Malicious VBScript via WhatsApp Desktop
📅Date: 2026-06-22
🔗References:

https://www.mycert.org.my/portal/advisory?id=MA-1464.062026

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
sub-category: campaign-analysis
target: broad-based
MY-relevancy: relevant

🔖MISP Galaxies:

target-information=“Malaysia”
operating-system=“Windows”
software-vendor=“WhatsApp”
mitre-attack-pattern=[]

MISP event uuid: 3c5282e4-a4e0-480a-8928-fe0c8c443494

Indicator of Compromise (IoCs)

type,value,comment
md5, 66442f2457eca8f47385b1fb2c6fcab8, ''

Full IOCs available in Rectifyq’s MISP

2026-06-22 An unknown actor distributes malicious VBS scripts via WhatsApp

Mon, 22 Jun 2026 00:00:00 GMT

📃Title: An unknown actor distributes malicious VBS scripts via WhatsApp
📅Date: 2026-06-22
🔗References:

https://securelist.com/whatsapp-vbs-rmm-campaign/120290/

Description

An active malware campaign has been discovered distributing malicious VBScript files through WhatsApp direct messages since June 2026. The operation affects users across multiple countries, with Malaysia experiencing the highest concentration of victims. Attackers compromise WhatsApp accounts and send weaponized VBS files disguised as business and financial documents to contacts. The multi-stage infection chain ultimately deploys legitimate ManageEngine Endpoint Central RMM software, providing persistent remote access to compromised systems. The scripts employ heavy obfuscation, Chinese-language comments, and modify Windows UAC settings. Infrastructure overlaps with ValleyRAT and Gh0st RAT operations suggest possible Chinese-speaking operators, though attribution remains uncertain. The campaign primarily targets individual users through opportunistic rather than focused methods, exploiting social engineering techniques with localized filenames in multiple languages.

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
sub-category: campaign-analysis
target: broad-based
MY-relevancy: relevant

🔖MISP Galaxies:

producer= Kaspersky
target-information=“Australia”
target-information=“Brazil”
target-information=“India”
target-information=“Malaysia”
target-information=“Mexico”
target-information=“Russia”
target-information=“Singapore”
target-information=“Spain”
target-information=“Taiwan”
target-information=“United Kingdom”
online-service=“01031d3f-c9c9-4288-bb58-234c38e4246e”
mitre-tool=“BITSAdmin - S0190”
mitre-tool=“certutil - S0160”
software-vendor=“WhatsApp”
rmm-tool=“ManageEngine”
operating-system=“Windows”
mitre-attack-pattern=[‘T1548.002’, ‘T1204.002’, ‘T1082’, ‘T1140’, ‘T1219’, ‘T1112’, ‘T1027’, ‘T1573’, ‘T1071.001’, ‘T1059.005’, ‘T1105’, ‘T1564.001’, ‘T1193’, ‘T1566.001’, ‘T1059.001’, ‘T1086’]

MISP event uuid: ef37da5f-f14c-4d52-88ff-af1dfd7fccd9

Indicator of Compromise (IoCs)

type,value,comment
md5, 02bb20455cc592a69c080abac770ce90, ''
md5, 31037a42ca048e06e69a78f55bc2eff5, ''
md5, 05d188f071d097f5b6bd8138749b4b14, ''
md5, 0ba93109757776a44de9d8c88baa4963, ''
md5, 1a3cc75466ffb1971482f7abf7aabc3f, ''
md5, 1c47c63e5ed25060d95359c57c77b107, ''
md5, 1d94fbe9cab21278cc3f104bea334d08, ''
md5, 20209b3a32769afc6a75694b8d8839dd, ''
md5, 2c6f05f1f309d89b2236e6c8b59c88f9, ''
md5, 3b1aba44dd3d9b6339b6f56e2f42034b, ''
md5, 4044e4b6471c9de7b0a4ba37d9d9df9a, ''
md5, 4f0593e8e0e8fac49429e9b45ebf7fa1, ''
md5, 5002eca748205d544618e3bd2dedc223, ''
md5, 5b6bbcc06cf08cc99e1afeda486d42fb, ''
md5, 6359e6236471cbe434d0ef4c42b7f879, ''
md5, 63ac85195b73753333316a889cf5880f, ''
md5, 66442f2457eca8f47385b1fb2c6fcab8, ''
md5, 66705384a7ad81d14c34fc6c054a0ecf, ''
md5, 68c16c46f8afb9e00bbaba0207fb0a46, ''
md5, 6c39900d77dcba158e1d27c7619cb06d, ''
md5, 6fb6a55424adfb61e31f06aef33273e5, ''
md5, 7403cbcc5a9c32384d431856dc48fcc9, ''
md5, 74fd9f91fc93b6288b4fc253ea5b3e20, ''
md5, 7849061c536a3efb05a56d504694e7e7, ''
md5, 79ecd61b09b0f2d54b34586c916c4ec9, ''
md5, 7f16449cd0c4862d1eadf8a5742bf09a, ''
md5, 7f81c1bc8cfd588e8998968e2621456e, ''
md5, 8c3322009b8982663c0cbecd9492e7eb, ''
md5, 8c6d9fc389ad3f20ccbc71d77eb39bfa, ''
md5, 993f4c0cadbc769a4b0ed62a918db58d, ''
md5, 9d9ac85765e4a818a3ccabe2cf4fef82, ''
md5, 9f13c7b8ba391b2f597874e54d310648, ''
md5, b7cd06c71465038b658a6dc1f273a507, ''
md5, c7f38cbb99c8b74fa0465293feeba700, ''
md5, d01cad98dd0d01b75e04e784953c5e2b, ''
md5, d06333c360b51456f427e616c3c5f8bd, ''
md5, d43fdaa1f0ee09d7e5f0f94ee9df7b6c, ''
md5, dad708e050632a4280cabf98ac1376b7, ''
md5, ddaffe9849f7f3c79f8804adb9a6b3d5, ''
md5, df4fa0369eaca5cec348be293890d4af, ''
md5, f90ed4b2d0b67114aa89ddfed658e5c0, ''
ip-dst, 202.61.160.201, 'Attacker-controlled UEMS server IP Address'
ip-dst, 202.61.160.137, 'Attacker-controlled UEMS server IP Address'
ip-dst, 202.61.160.160, 'Attacker-controlled UEMS server IP Address'
ip-dst, 202.61.160.202, 'Attacker-controlled UEMS server IP Address'
ip-dst, 202.61.160.208, 'Attacker-controlled UEMS server IP Address'
ip-dst, 38.55.151.63, 'Attacker-controlled UEMS server IP Address'
domain, baoxis.cc, ''
hostname, invoice.msopsa.top, ''
hostname, temu.baskwms.top, ''
hostname, qse.shoppes.help, ''
domain, shaaslong.one, ''
hostname, baolongwes.oss-ap-southeast-1.aliyuncs.com, ''
hostname, sdcwww.oss-ap-southeast-1.aliyuncs.com, ''
hostname, baoyuw2s.s3.ap-southeast-1.amazonaws.com, ''
hostname, hksha3.s3.ap-southeast-1.amazonaws.com, ''
hostname, sjdkjj23.s3.ap-southeast-1.amazonaws.com, ''
hostname, xijkwm2.s3.ap-southeast-1.amazonaws.com, ''
hostname, yifubafu.s3.ap-southeast-1.amazonaws.com, ''
hostname, caiwuascw.s3.us-east-005.backblazeb2.com, ''
hostname, facaia.s3.us-east-005.backblazeb2.com, ''

Full IOCs available in Rectifyq’s MISP

2026-06-17 More Than 4,000 Legacy Routers Compromised by AryStinger, Turned into Global Attack Proxies for Hackers

Wed, 17 Jun 2026 00:00:00 GMT

📃Title: More Than 4,000 Legacy Routers Compromised by AryStinger, Turned into Global Attack Proxies for Hackers
📅Date: 2026-06-17
🔗References:

https://blog.xlab.qianxin.com/arystinger-botnet-hijacks-legacy-routers-for-global-attacks-en/

Description

Security researchers discovered AryStinger, a botnet targeting legacy routers and NAS devices to build reconnaissance and attack infrastructure. The malware exploits vulnerabilities from 2013-2025 to compromise over 4,300 devices globally, primarily D-Link routers using RTL819X chips. AryStinger communicates via HTTP/HTTPS using Protobuf encoding and XOR encryption, supporting tasks including network scanning, traffic proxying, command execution, and persistent backdoor deployment through dropbear or gs-netcat. Two versions exist: RTL819X in C for routers, and Standard in Go for NAS devices with expanded capabilities including integration of fscan, ksubdomain, and httpx tools. Infected devices serve as distributed scanning nodes and attack proxies, effectively hiding attacker identities while conducting footprinting activities. The campaign shows extremely low detection rates in mainstream security engines, with evidence suggesting operations possibly began in 2024.

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
sub-category: campaign-analysis
target: broad-based
MY-relevancy: relevant

🔖MISP Galaxies:

target-information=“China”
target-information=“Malaysia”
target-information=“Singapore”
target-information=“South Korea”
target-information=“Sweden”
operating-system=“Linux”
mitre-attack-pattern=[‘T1543’, ‘T1082’, ‘T1071’, ‘T1190’, ‘T1021’, ‘T1016’, ‘T1087’, ‘T1090’, ‘T1059’, ‘T1083’, ‘T1049’, ‘T1057’, ‘T1027’, ‘T1573’, ‘T1095’, ‘T1505’, ‘T1071.001’, ‘T1136’, ‘T1018’, ‘T1046’]

MISP event uuid: 65db42c9-e25b-479e-95cf-d21fd34c73ae

Indicator of Compromise (IoCs)

type,value,comment
md5, a97e552f5e655e1cfa56853f65beeb0e, ''
md5, abae20b26b70b526bebb5e2617092ede, ''
md5, 05627d1bddb7292bb45139244f46051f, 'No sample in VT\r\nLast check:25/06/2026'
md5, 0627f034c42549e2130734b5f8dbf854, 'No sample in VT\r\nLast check:25/06/2026'
md5, 0a2d2a4ec1ca2aa6a23a35abb5a75451, 'No sample in VT\r\nLast check:25/06/2026'
md5, 0ffb4b4e430f4b69216fb9d2e082e482, 'No sample in VT\r\nLast check:25/06/2026'
md5, 10ba24db187836efe77ed7e75d279d33, 'No sample in VT\r\nLast check:25/06/2026'
md5, 16fed5909de4f50351fc33fbfcf156df, 'No sample in VT\r\nLast check:25/06/2026'
md5, 18f894a3168ee0b809eed321a2e748b4, 'No sample in VT\r\nLast check:25/06/2026'
md5, 19232d0eff3ef7aee3b5d7620c72358c, 'No sample in VT\r\nLast check:25/06/2026'
md5, 36ff9f683e870145aaf5a715bc934762, 'No sample in VT\r\nLast check:25/06/2026'
md5, 44805c4b36bd3d97ba8ecaf6fe103572, 'No sample in VT\r\nLast check:25/06/2026'
md5, 4c80d17fa5db5b1c2aaddb5351e9cb6b, 'No sample in VT\r\nLast check:25/06/2026'
md5, 5d9cdb072415b191df3f444f53b2ff4b, 'No sample in VT\r\nLast check:25/06/2026'
md5, 6869f24aecd75e2144aba8dc03dc2d0f, 'No sample in VT\r\nLast check:25/06/2026'
md5, 6f761f63642cd6329a29cfad80be50c3, 'No sample in VT\r\nLast check:25/06/2026'
md5, 6f91d1f8f0cbaab137351936b52f7a94, 'No sample in VT\r\nLast check:25/06/2026'
md5, 7461445fca3f9d8911148e0908d33c3b, 'No sample in VT\r\nLast check:25/06/2026'
md5, 7b361a6d0d42309d09ec9000b53712b3, 'No sample in VT\r\nLast check:25/06/2026'
md5, 7f2b2e3516fa454adfd51f857ae80adf, 'No sample in VT\r\nLast check:25/06/2026'
md5, 8cc249b16adf7e4a658af7fa31d7998e, 'No sample in VT\r\nLast check:25/06/2026'
md5, 8deb2a60d42de0f8f8786e485d2f046f, 'No sample in VT\r\nLast check:25/06/2026'
md5, 8edb3ea62a7e643ba1a88d20799cf94f, 'No sample in VT\r\nLast check:25/06/2026'
md5, 9221423d7daff9e64f7e2af54f911fea, 'No sample in VT\r\nLast check:25/06/2026'
md5, 9660895fa3fcabbef466703636f6d51d, 'No sample in VT\r\nLast check:25/06/2026'
md5, 98e55d712a99d2cd45e8592c6dda5110, 'No sample in VT\r\nLast check:25/06/2026'
md5, 9973676bfa9fe89aa5c76e3cd0b21ae8, 'No sample in VT\r\nLast check:25/06/2026'
md5, a2d54fcd0c2816f607a5962523fc648c, 'No sample in VT\r\nLast check:25/06/2026'
md5, a3181550e0e0a6153a44b7a0495535b0, 'No sample in VT\r\nLast check:25/06/2026'
md5, a3e3197e2344c51e95c063541ea22205, 'No sample in VT\r\nLast check:25/06/2026'
md5, a5101caf0a1789d6a4bc30e644d6b152, 'No sample in VT\r\nLast check:25/06/2026'
md5, b0f4f813a9de094c06821366e2459aee, 'No sample in VT\r\nLast check:25/06/2026'
md5, b104a05e8a2e218adfb7654ba8bf3d49, 'No sample in VT\r\nLast check:25/06/2026'
md5, b9406e969cdfdaef433e93d0b9ad1f5d, 'No sample in VT\r\nLast check:25/06/2026'
md5, c113739225ece5f6e4805466dec1401d, 'No sample in VT\r\nLast check:25/06/2026'
md5, d2fd89ebdad493ec9ac76ce35213cec4, 'No sample in VT\r\nLast check:25/06/2026'
md5, d79270ba44e665ebb0383eb77a52e38b, 'No sample in VT\r\nLast check:25/06/2026'
md5, d997efa98afab2c003654b8d5ce2bedf, 'No sample in VT\r\nLast check:25/06/2026'
md5, dbcc5a3e6afe41060d6357e24dc03fd3, 'No sample in VT\r\nLast check:25/06/2026'
md5, dbdd4d8e4aef3ce69cf65ed470425c89, 'No sample in VT\r\nLast check:25/06/2026'
md5, dc35086ba0f5f83545c32a023a1f3be4, 'No sample in VT\r\nLast check:25/06/2026'
md5, dc71c10ca0b2c83b6b3a6a062fca314f, 'No sample in VT\r\nLast check:25/06/2026'
md5, dd1e5a3cd9f842bd70be45a62c3ebbf6, 'No sample in VT\r\nLast check:25/06/2026'
md5, df0c9f6289e56f31c0700f40590857d3, 'No sample in VT\r\nLast check:25/06/2026'
md5, e6b27080aa1ce1901a23dd75716d9092, 'No sample in VT\r\nLast check:25/06/2026'
md5, e9916ff56074725f5739ead5091fe6c7, 'No sample in VT\r\nLast check:25/06/2026'
md5, ea2fe3b409da439aec25cf7eabf5b7a7, 'No sample in VT\r\nLast check:25/06/2026'
md5, ed9209111b995cbe78f8e097c289f127, 'No sample in VT\r\nLast check:25/06/2026'
md5, f093891e281bcd9c8016dea7d89cc671, 'No sample in VT\r\nLast check:25/06/2026'
md5, fc4cee066d8526f5806bb23278f647da, 'No sample in VT\r\nLast check:25/06/2026'
md5, fcc9de5c040307e6ac3011e8b379f6d9, 'No sample in VT\r\nLast check:25/06/2026'
md5, ff11e000f377c54dea928b09ebad9df8, 'No sample in VT\r\nLast check:25/06/2026'
md5, fffcbd0ac2cb545496890f50395181ff, 'No sample in VT\r\nLast check:25/06/2026'
url, http://eixfi.ajb8.com, ''
url, http://hgodpcx.ajb8.com, ''
url, http://hgodpcx.ajb8.com/prod/RTL819X/, ''
url, http://opi7.com, ''
url, http://xonice.ahb8.com, ''
url, http://xook.ajb8.com, ''
url, https://dybic.ajb8.com, ''
url, https://hgodpcx.ajb8.com/n, ''
url, https://hgodpcx.ajb8.com/prod/RTL819X/, ''
url, https://hgodpcx.ajb8.com/prod/standard/, ''
url, https://hgodpcx.auq8.com/t, ''
url, https://sdkv1.dataexplore.cc, ''
url, https://sdkv1.dataexplore.co, ''
domain, opi7.com, ''
hostname, dybic.ajb8.com, ''
hostname, eixfi.ajb8.com, ''
hostname, hgodpcx.ajb8.com, ''
hostname, hgodpcx.auq8.com, ''
hostname, io.ary2.com, ''
hostname, sdkv1.dataexplore.cc, ''
hostname, sdkv1.dataexplore.co, ''
hostname, xonice.ahb8.com, ''
hostname, xook.ajb8.com, ''
ip-dst, 107.150.106.14, ''
url, https://hgodpcx.ajb8.com/prod/RTL819X/{version}/manifest.json, ''
url, https://hgodpcx.ajb8.com/prod/standard/{version}/manifest.json, ''
url, http://hgodpcx.ajb8.com/prod/RTL819X/{version}/syswapd0, ''
url, https://hgodpcx.ajb8.com/prod/standard/{version}/syswapd0-linux-amd64, ''

Full IOCs available in Rectifyq’s MISP

2026-06-17 Threat Actors Abuse claude.ai Shared Chat for ClickFix Malvertising Campaign

Wed, 17 Jun 2026 00:00:00 GMT

📃Title: Threat Actors Abuse claude.ai Shared Chat for ClickFix Malvertising Campaign
📅Date: 2026-06-17
🔗References:

https://www.trendmicro.com/en_us/research/26/f/claudeai-shared-chat-abused-in-malvertising.html

Description

Cybercriminals orchestrated a sophisticated malvertising operation leveraging Google Ads to impersonate popular AI developer tools including Claude AI, ChatGPT Codex, Perplexity, Cursor IDE, and JetBrains. Over seven weeks spanning April to June 2026, attackers deployed 106 unique malicious hostnames across six distinct waves, initially hosting ClickFix social engineering pages on GitLab infrastructure before pivoting to weaponize claude.ai’s legitimate shared chat feature. The campaign targeted technically proficient users searching for AI development tools, tricking them into executing terminal commands that deployed the MacSync infostealer. This credential-harvesting malware collected browser data, SSH keys, and cryptocurrency wallets. The Asia-Pacific region sustained the heaviest impact with 67.2% of over 2,000 victims, particularly concentrated in Taiwan. Anthropic responded by banning malicious accounts and implementing additional abuse mitigations.

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
sub-category: infra-profile
topic: ai
target: broad-based
MY-relevancy: relevant

🔖MISP Galaxies:

producer= Trend-Micro
target-information=“British Indian Ocean Territory”
target-information=“France”
target-information=“Hong Kong”
target-information=“India”
target-information=“Italy”
target-information=“Japan”
target-information=“Malaysia”
target-information=“Singapore”
target-information=“Taiwan”
operating-system=“macOS”
software-vendor=“JetBrains”
software-vendor=“cursor”
software-vendor=“openai”
software-vendor=“apple”
software-vendor=“google”
mitre-attack-pattern=[‘T1033’, ‘T1539’, ‘T1036.005’, ‘T1497.001’, ‘T1566.002’, ‘T1082’, ‘T1005’, ‘T1140’, ‘T1555’, ‘T1555.003’, ‘T1083’, ‘T1552.001’, ‘T1583.006’, ‘T1041’, ‘T1059.004’, ‘T1204.003’, ‘T1189’, ‘T1105’, ‘T1102.001’]

MISP event uuid: f66d7792-44c8-4b5a-8f0e-7357bd8352cb

Indicator of Compromise (IoCs)

type,value,comment
domain, jerryshvac.com, ''
domain, customroofingcontractors.com, ''
domain, a2abotnet.com, ''
hostname, claude-code.official-version.com, ''
domain, isgilan.com, ''
domain, plirepsijr74.com, ''
domain, thnikagent.com, ''
domain, babulikinet.com, ''
domain, loserrq0j1sha8.com, ''
domain, bernasibutuwqu2.com, ''
domain, briskinternet.com, ''
domain, touristprogram.com, ''
domain, homeinspectionnaperville.com, ''
domain, yoauction.com, ''
domain, alabamarecoverycenter.com, ''
domain, 5x5web.com, ''
domain, bewqslkslikrtjinfg9.com, ''
domain, oaklandwaterdamage.com, ''
domain, peowqlauoshau8.com, ''
url, https://loserrq0j1sha8.com/debug/loader.sh?build=a39427f9d5bfda11277f1a58c89b7c2d, ''
domain, 20claude.ai, ''
hostname, claude-code-app.gitlab.io, 'Notable Malicious Hostnames (GitLab Pages)'
hostname, claude-desktop-lm.gitlab.io, 'Notable Malicious Hostnames (GitLab Pages)'
hostname, cladesktop.gitlab.io, 'Notable Malicious Hostnames (GitLab Pages)'
hostname, claudecode-desktop.gitlab.io, 'Notable Malicious Hostnames (GitLab Pages)'
hostname, claude-app-new.gitlab.io, 'Notable Malicious Hostnames (GitLab Pages)'
hostname, claude-desktop.gitlab.io, 'Notable Malicious Hostnames (GitLab Pages)'
hostname, claudeapp.gitlab.io, 'Notable Malicious Hostnames (GitLab Pages)'
hostname, claudesktop.gitlab.io, 'Notable Malicious Hostnames (GitLab Pages)'
hostname, claudesktop-app.gitlab.io, 'Notable Malicious Hostnames (GitLab Pages)'
hostname, perplexity-platform.gitlab.io, 'Notable Malicious Hostnames (GitLab Pages)'
hostname, codexgpt.gitlab.io, 'Notable Malicious Hostnames (GitLab Pages)'
hostname, chatgpt-codex-app.gitlab.io, 'Notable Malicious Hostnames (GitLab Pages)'
hostname, chatgpt-codex-lm.gitlab.io, 'Notable Malicious Hostnames (GitLab Pages)'
hostname, cursor-8ced8a.gitlab.io, 'Notable Malicious Hostnames (GitLab Pages)'
hostname, jetbrains-apps-group.gitlab.io, 'Notable Malicious Hostnames (GitLab Pages)'
domain, claude.ai, 'Notable Malicious Hostnames (GitLab Pages)'
url, https://claude.ai/share/498818d9-1ddc-4fbb-9fa7-56dfb84840b0, 'Claude.ai Abused Share IDs (Top 5 by Traffic)'
url, https://claude.ai/share/cfc70dcd-779c-4f4a-966c-ec12b7ea166f, 'Claude.ai Abused Share IDs (Top 5 by Traffic)'
url, https://claude.ai/share/b2699c2e-1260-4a3f-b312-e5288a43fd11, 'Claude.ai Abused Share IDs (Top 5 by Traffic)'
url, https://claude.ai/share/41b11dc2-ac83-4cb4-8f38-ac63b75e9e62, 'Claude.ai Abused Share IDs (Top 5 by Traffic)'
url, https://claude.ai/share/b81a4375-1d0d-43cc-ad89-6a1007b4e7e5, 'Claude.ai Abused Share IDs (Top 5 by Traffic)'

Full IOCs available in Rectifyq’s MISP

2026-06-15 Travel Phishing and Cyber Attacks are Surging in 2026, Growing 122% over the last 3 years How Cybercriminals Are Targeting Travelers in 2026

Mon, 15 Jun 2026 00:00:00 GMT

📃Title: Travel Phishing and Cyber Attacks are Surging in 2026, Growing 122% over the last 3 years: How Cybercriminals Are Targeting Travelers in 2026
📅Date: 2026-06-15
🔗References:

https://blog.checkpoint.com/research/travel-phishing-and-cyber-attacks-are-surging-in-2026-growing-122-over-the-last-3-years-heres-what-cyber-criminals-are-actually-doing/

Description

The hospitality and travel sector experienced a dramatic surge in cyberattacks, with organizations facing an average of 2,291 weekly attacks in May 2026, representing a 24% year-over-year increase and a cumulative 122% rise since 2023. Cybercriminals registered 47,318 travel-related domains in May 2026 alone, with one in every 112 classified as malicious or suspicious. Three coordinated bulk-registration campaigns were identified, including sequential hotel-lure domains, American Express and Lloyds Travel Choice impersonations, and widespread Fora Travel brand abuse across 108 TLDs. Active phishing operations target major platforms including Booking.com, Airbnb, and Skyscanner through lookalike domains designed to harvest credentials and payment information. These attacks deliberately intensify during peak summer booking season when travelers are distracted and eager for deals, exploiting the industry’s high volume of personal and financial data processing.

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
sub-category: campaign-analysis
target: broad-based
MY-relevancy: relevant

🔖MISP Galaxies:

producer= Check-Point
target-information=“Malaysia”
target-information=“Canada”
software-vendor=“airbnb”
mitre-attack-pattern=[‘T1583’, ‘T1539’, ‘T1114’, ‘T1204.002’, ‘T1566.002’, ‘T1598.003’, ‘T1583.001’, ‘T1056.003’, ‘T1204’, ‘T1566’, ‘T1585.001’, ‘T1056’, ‘T1132’, ‘T1598’, ‘T1585’, ‘T1213’]

MISP event uuid: be7ce1a3-06b7-40b8-baae-d4fa3adfba87

Indicator of Compromise (IoCs)

type,value,comment
domain, booking-cn.com, ''
domain, skyscanners.life, ''
domain, booking-jp.com, ''
domain, airbnb-ca.com, ''
domain, booking-hk.com, ''
domain, booking-zh.com, ''
domain, bookingni.com, ''
domain, skyscanners.shop, ''

Full IOCs available in Rectifyq’s MISP

2026-06-11 Cyber-Enabled Maritime Sanctions Evasion

Thu, 11 Jun 2026 00:00:00 GMT

📃Title: Cyber-Enabled Maritime Sanctions Evasion
📅Date: 2026-06-11
🔗References:

Description

Iranian and Russian shadow fleet vessels are utilizing sophisticated online infrastructure consisting of over 36 inauthentic websites to facilitate sanctions evasion. These websites impersonate ship registries, national maritime administrations, seafarer training organizations, protection and indemnity clubs, and classification societies from jurisdictions including Comoros, Benin, Bhutan, Cameroon, Chad, Equatorial Guinea, Gambia, Haiti, Malawi, Nicaragua, and Zambia. The infrastructure operates through three identified clusters designated Alpha, Bravo, and Charlie, which demonstrate technical overlaps suggesting a broader ecosystem supporting multiple sanctions evasion networks. Operators employ tactics including automated document generation, typosquatting, identity spoofing, and mutual endorsement loops between fraudulent entities. Attribution includes links to Indian web development company Oceaniek Technologies and two Syrian nationals. The infrastructure has documented connections to seventeen vesse…

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
sub-category: infra-profile
sub-category: campaign-analysis
topic: geopolitical
target: broad-based
MY-relevancy: relevant

🔖MISP Galaxies:

producer= Recorded-Future
mitre-attack-pattern=[]

MISP event uuid: 64d4b916-e459-44a4-80d0-636de8f9c850

Indicator of Compromise (IoCs)

type,value,comment
domain, imspanel.com, ''
domain, olymposnaval.com, ''
domain, beninmaritime.co, ''
domain, oceaniektechnologies.com, ''
url, http://beninmaritime.org/ship-registry, ''
url, http://static.eigbox.ne, ''
domain, alliance-scs.org, ''
domain, atlasregister.net, ''
domain, atlasregister.org, ''
domain, benin-maritime.org, ''
domain, beninmaritime.bj, ''
domain, beninmaritime.in, ''
domain, beninmaritime.net, ''
domain, beninmaritime.org, ''
domain, brunieshipclass.org, ''
domain, btn-shipreg.com, ''
domain, cameroonshipregistry.org, ''
domain, chad-maradmin.org, ''
domain, epnicaragua.com, ''
domain, epnicaragua.org, ''
domain, eqguinea-shipadmin.org, ''
domain, gove.bj, ''
domain, guve.bj, ''
domain, haiti-shipreg.com, ''
domain, hellasnaval.com, ''
domain, hellasnaval.net, ''
domain, hss-registry.org, ''
domain, imsnaval.com, ''
domain, isithin.com, ''
domain, marinegov.net, ''
domain, marinegov.org, ''
domain, medlloyd.online, ''
domain, medlloyd.org, ''
domain, mpabd-shipregistry.org, ''
domain, nauticacentro.com, ''
domain, nauticacentro.mx, ''
domain, niataregister.net, ''
domain, niataregister.org, ''
domain, pioneersmaritime.com, ''
domain, sasmaa.club, ''
domain, zambiamaritime.org, ''
domain, zambmaritime.org, ''
domain, zambshipadmin.org, ''
hostname, malawi.marinegov.net, ''
hostname, 150.160.96.66.static.eigbox.ne, ''
hostname, bma.gov.bj, ''
hostname, hellasnaval.net.olymposnaval.com, ''
hostname, imspanel.com.olymposnaval.com, ''
hostname, malawi.marinegov.org, ''
hostname, malawi.shipregistry.marinegov.org, ''
hostname, medlloyd.online.beninmaritime.net, ''
hostname, medlloyd.online.olymposnaval.com, ''
hostname, pdf.beninmaritime.co, ''
hostname, registry.zmgov.org, ''

Full IOCs available in Rectifyq’s MISP

2026-06-10 Phantom Casino

Wed, 10 Jun 2026 00:00:00 GMT

📃Title: Phantom Casino
📅Date: 2026-06-10
🔗References:

Threat Actor

Golden Wheel

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
sub-category: infra-profile
sub-category: campaign-analysis
target: broad-based
MY-relevancy: relevant

🔖MISP Galaxies:

target-information=“Malaysia”
sector=“Education”
sector=“Government, Administration”
software-vendor=“WhatsApp”
software-vendor=“alibaba”
software-vendor=“cloudflare”
software-vendor=“facebook”
mitre-attack-pattern=[‘T1190’, ‘T1608.006’, ‘T1189’, ‘T1584’]

MISP event uuid: 2603f2d2-024d-4874-a26c-074a965ff561

Indicator of Compromise (IoCs)

type,value,comment
domain, axas888.net, 'wallet, merchant 50703'
domain, axas888.com, 'second axas888 domain'
domain, cikgu88.com, 'wallet, merchant 60569'
hostname, cdn.vefrop.com, 'operator-controlled CDN serving the wallet platform'
ip-dst, 47.84.198.177, 'Alibaba Cloud SG, AS45102'
ip-dst, 47.237.119.71, 'Alibaba Cloud SG, AS45102'
hostname, max-cv4.pages.dev, 'Cloudflare Pages mirror (one of many, rotates)'
domain, hljnx.com, 'cloaking gate (now dead)'
url, https://linkmy.pro/mega888, 'operator bio-link, 301s to the WhatsApp agent'

Full IOCs available in Rectifyq’s MISP

2026-06-08 Old WinRAR Flaw Fuels Attacks on Ukraine How Unmanaged Software Keeps the Door Open

Mon, 08 Jun 2026 00:00:00 GMT

📃Title: Old WinRAR Flaw Fuels Attacks on Ukraine: How Unmanaged Software Keeps the Door Open
📅Date: 2026-06-08
🔗References:

https://www.trendmicro.com/en_us/research/26/f/old-winrar-flaw-fuels-attacks-on-ukraine.html

Description

Two Russia-aligned campaigns continue exploiting CVE-2025-8088, a WinRAR path traversal vulnerability patched in July 2025, against Ukrainian organizations through April 2026. SHADOW-EARTH-066 deploys an evolved GIFTEDCROOK information stealer using in-memory DLL loading via direct NT system calls, harvesting browser credentials, session cookies, and documents across 35 file extensions before self-deleting. Earth Dahu employs an HTA-based infection chain delivering espionage modules through Cloudflare Workers infrastructure. Both campaigns leverage the same CVE-2025-8088 exploit but use distinct tooling: SHADOW-EARTH-066 relies on compiled C++ with RC4-encrypted C&C communication, while Earth Dahu uses script-based approaches with Dynamic DNS. The persistent exploitation nearly a year post-patch demonstrates how unmanaged software lacking centralized update mechanisms creates enduring attack surfaces that threat actors deliberately target.

Threat Actor

SHADOW-EARTH-066

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
sub-category: campaign-analysis
topic: geopolitical
target: broad-based
MY-relevancy: relevant

🔖MISP Galaxies:

producer= Trend-Micro
target-information=“Ukraine”
malpedia=“GIFTEDCROOK”
mitre-attack-pattern=[‘T1539’, ‘T1204.002’, ‘T1573.001’, ‘T1566.001’, ‘T1005’, ‘T1036’, ‘T1555.003’, ‘T1497’, ‘T1041’, ‘T1059.001’, ‘T1547.001’, ‘T1027’, ‘T1485’, ‘T1070.004’, ‘T1071.001’, ‘T1564.004’, ‘T1620’]

MISP event uuid: 19d42e7a-969a-4f87-8931-af8fecb5aa8b

Indicator of Compromise (IoCs)

type,value,comment
md5, c0b73ff43312d442260328a8cefdf3b6, ''
md5, 2af0a6135df3502a7f6de4d2de6db73b, 'IOC-title:ALF:AGGR:LinkifierA:95!ml'
md5, 5d462d0f3704d7db1b1d8c2cdcb19033, ''
md5, 587a464ffc174288d3f66d1845133229, ''
md5, c1d02459038d86dcc96c0a721724a3a0, ''
md5, c17e8387f2718a55948c7d8d45ee8100, ''
md5, addf25d1f994729f2d3cbb3d0ab49897, ''
md5, 6e99ea85251d4def4eccb32dd4c10c18, ''
md5, 8aa796cf85858d9113aac294ca0bdd96, ''
md5, 454ea7aa75d57543bd36131d7f2dd7ff, ''
md5, 014623f6f39501eb1afc07f608036e3a, ''
md5, 31bc8b17da2ba7a94335e8c29391368a, ''
md5, d2cf055f564664cc761287628d24953b, ''
md5, 8ca36b9cbd72d1f4ab4a9c8fcf85fe7e, ''
md5, dcdeba12bdfc3a0dce97b2f2ce60789a, ''
md5, f819578d740cec4708e1b96eae967515, ''
md5, a1cce40d02e350e96cd7dc20d4d9f5c2, ''
md5, be9ed70483a0820810b937358a52b24e, ''
md5, 082b9caaa287ba26c26387e6489c93d4, ''
md5, 4082096ec0b8f723a79a224a6b6d37cd, ''
md5, ea610ea6a8d69cb1e93fb79d4a8fa26f, ''
md5, 6a48fbe91482b2f14ed977c110a3685c, 'IOC-title:invalid_trailer_structure\nIOC-description:MD5 of 5d164b6d74dae9fe3022bc3cf453cd8b846e9cdc0cd616246fe620be88e3f1e5'
md5, c07f91e052bcb508353ad74c54bc1c96, ''
md5, 3699542ba04458e84dc9148a2234fe61, ''
md5, b3c86e81b330157519b9e188a1f9fbf3, ''
md5, ab7121d9dfa5d075498eb5a5904f1a0b, ''
md5, f68943c9f94af947e5bef95fa889de6a, ''
md5, c06ef1a6be8b92cbc3eb710a7cfe83d7, ''
domain, astrocaf.com, 'Earth Dahu: Attacker-controlled email sending domain'
ip-dst, 166.0.132.237, 'IOC-description:CC=US ASN=AS61317 digital energy technologies ltd.'
ip-dst, 38.225.209.229, 'SHADOW-EARTH-066: C&C server (port 9623)'
ip-dst, 23.26.237.80, 'SHADOW-EARTH-066: Potential C&C server (port 8941)'
ip-dst, 136.0.141.138, 'SHADOW-EARTH-066: C&C server (port 8406)'
url, https://136.0.141.138:8406/rcv/, 'SHADOW-EARTH-066: C&C exfiltration endpoint'
ip-dst, 194.58.66.82, 'Earth Dahu: IP associated with astrocaf[.]com'
ip-dst, 136.0.141.112, 'IOC-description:CC=US ASN=AS18779 egihosting'
ip-dst, 136.0.141.41, 'SHADOW-EARTH-066: C&C server (port 9580)'
ip-dst, 38.225.209.122, 'SHADOW-EARTH-066: Potential C&C server (port 8009)'
domain, joymobile.com.ua, ''
md5, a84375d4bd67c46d50fef7f7af31c7fb, 'IOC-description:MD5 of 3c0330f9f934f86b6b70e108ff279a009b88a4a815acbed4adb3664e322e3e59 No sample in VT\r\nLast check:13/06/2026'
sha1, 526833a16669a85f0546809bfc35122e6f0bc17b, 'IOC-description:SHA1 of 3c0330f9f934f86b6b70e108ff279a009b88a4a815acbed4adb3664e322e3e59 No sample in VT\r\nLast check:13/06/2026'
sha256, 2d9adb7932b7842dfb0e0f453b87e5d28dd4552094105e6340bad009956d8c2b, 'No sample in VT\r\nLast check:13/06/2026'
sha256, 378809699c7252dc38b31969b9cc40858397759f15d6e418246dfaba9088fdd1, 'No sample in VT\r\nLast check:13/06/2026'
sha256, 3c0330f9f934f86b6b70e108ff279a009b88a4a815acbed4adb3664e322e3e59, 'No sample in VT\r\nLast check:13/06/2026'
sha256, 4e21c4c97aeb391473ee1e44961676f32de2ee8b56ecb136c1d8081df97c3db4, 'No sample in VT\r\nLast check:13/06/2026'
sha256, 77963398e2c5c2fdf9d28d9c5f9c2791cfbf422ba02225e01635dd7f5b31eff8, 'No sample in VT\r\nLast check:13/06/2026'
sha256, 7d3ba419751e5ea52b567e1162f6a366bf3d06c44c8956a9f14520e9fb6ed0b1, 'No sample in VT\r\nLast check:13/06/2026'
sha256, 82fda6ea769d61aba230c3487787087cec53dd378e22f22a8fb8f0bd5ae83ded, 'No sample in VT\r\nLast check:13/06/2026'
sha256, 89d20418450b34efe698bd36214100cfa49f60adf1c39a8bc8d65991b1ce2c23, 'No sample in VT\r\nLast check:13/06/2026'
sha256, dc5082b07eb994ddee343a4080dce0a9ec2e891e5690654e24ae74ba9eabe422, 'No sample in VT\r\nLast check:13/06/2026'
ip-dst, 194.58.66.53, 'Earth Dahu: IP associated with astrocaf[.]com'
url, https://136.0.141.41:9580/rcv/, 'SHADOW-EARTH-066: C&C exfiltration endpoint'
url, https://166.0.132.237:7044/rcv/, 'SHADOW-EARTH-066: C&C exfiltration endpoint'
url, https://38.225.209.229:9623/rcv/, 'SHADOW-EARTH-066: C&C exfiltration endpoint'
email-src, vodafonenovic33@joymobile.com.ua, ''

Full IOCs available in Rectifyq’s MISP

2026-06-06 MA-1451.062026 MyCERT Advisory - Multi-Variant Android Banking Trojan Campaign Targeting Malaysian Banking Users (Delivery4U / KerjaExpress / MaxTag)

Sat, 06 Jun 2026 00:00:00 GMT

📃Title: MA-1451.062026: MyCERT Advisory - Multi-Variant Android Banking Trojan Campaign Targeting Malaysian Banking Users (Delivery4U / KerjaExpress / MaxTag)
📅Date: 2026-06-06
🔗References:

https://www.mycert.org.my/portal/advisory?id=MA-1451.062026

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
sub-category: campaign-analysis
topic: mobile-attack
target: broad-based
MY-relevancy: relevant

🔖MISP Galaxies:

target-information=“Malaysia”
operating-system=“Android”
mitre-attack-pattern=[‘T1446’, ‘T1412’, ‘T1444’, ‘T1684’, ‘T1453’, ‘T1513’, ‘T1496’]

MISP event uuid: c0fb7f53-b749-40f8-99b8-b7339530bb6f

Indicator of Compromise (IoCs)

type,value,comment
md5, ba7c0059d2236bf914c26ce8034ab1bf, 'D4Ucod.apk'
md5, 609ea1b31d73c66eec9086e5e2bc3f45, 'Stage 3 APK (musics.emitter.indexer)'
ip-dst, 209.92.170.40, 'Active C2 / payload host (nginx/1.18.0, Ubuntu)'
ip-dst, 142.91.101.182, 'Legacy C2 host'
sha256, de5cc3b4d5f34aabfc13d94f13c63670f481cf74dad66cde19b8e920031fdc89, 'Stage 4 payload (ads.txt, encrypted) No sample in VT\r\nLast check:26/06/2026'

Full IOCs available in Rectifyq’s MISP

2026-06-03 The Demon Arrives Later A Havoc Stager Hides Behind Microsoft Defender DLP

Wed, 03 Jun 2026 00:00:00 GMT

📃Title: The Demon Arrives Later: A Havoc Stager Hides Behind Microsoft Defender DLP
📅Date: 2026-06-03
🔗References:

https://www.levelblue.com/blogs/spiderlabs-blog/the-demon-arrives-later-a-havoc-stager-hides-behind-microsoft-defender-dlp

Description

Cybercriminals in Brazil are exploiting the country’s electronic invoice system (Nota Fiscal eletrônica) to deliver Havoc framework implants. The campaign surfaced during May 2026, coinciding with tax season when accountants routinely process invoice-related emails. Attackers distribute malicious ZIP files disguised as legitimate invoices, containing VBScript droppers that download MSI installers from Google Cloud Storage. These installers deploy a fake Microsoft Defender DLP module (endpointdlp.dll) alongside a legitimate signed executable. The stager DLL downloads Havoc demon shellcode from command-and-control infrastructure at runtime, never writing the final payload to disk. Analysis reveals nine stager variants originating from a single builder, distributed through multiple channels including Brazilian NF-e-themed lures and Malaysia-registered domains. The implant establishes persistence through the rarely-monitored UserInitMprLogonScript registry key and employs advanced anti-forensic techniques incl…

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
sub-category: campaign-analysis
target: broad-based
MY-relevancy: relevant

🔖MISP Galaxies:

target-information=“Brazil”
producer= da7743e9-205e-47b0-8afc-b7aa7a5ae050
malpedia=“Havoc”
country=“malaysia”
malpedia=“KongTuke”
operating-system=“Windows”
software-vendor=“googleapis”
software-vendor=“microsoft”
mitre-attack-pattern=[‘T1036.005’, ‘T1566.002’, ‘T1218.007’, ‘T1140’, ‘T1036.001’, ‘T1071.001’, ‘T1059.005’, ‘T1574.002’, ‘T1105’, ‘T1037.001’, ‘T1027.013’]

MISP event uuid: 636a805b-58f3-442e-9a0a-72b9d7e7f244

Indicator of Compromise (IoCs)

type,value,comment
md5, 347a3f5f2ed2f503a22f68c4951c78c7, ''
md5, 3fe903c9d39790de3bf6c1a8a2217d29, ''
md5, 63e45ffa6d0c22cb04646ef549d61065, ''
md5, ce9abf0dab1facd7afeb70dc34925a78, ''
md5, 659575cb45a67b4d0c70e7361709fb03, ''
md5, 9d066964414cff647beeecb75affb5b5, ''
md5, 01b43dad62e56164771db696827a30ae, ''
md5, 4442897e3b772dfa4f7af109bec8924d, ''
md5, a9198c1497481b2fea007ea5f13eafbf, ''
md5, 6b8ec32dc76fa3138f00616156962f4f, ''
md5, 08060143ea9b55b480746b415af22e3a, ''
md5, f799ea5df9ec08690385d0972aefb59d, ''
md5, e6c69f14d7b0dabff5c67e54cf87aba2, ''
md5, 6ee4050ac0c5192961c9f34568ca68fd, ''
md5, fa9d1f3e719d9284af8af075b1cef9cc, ''
md5, 37e065585c573ecc082aacbfd31564eb, ''
md5, 609c3fc64a67630a7b206a6880c893a8, ''
md5, 19b2f2902825eaf62f2db1eb8aaa520a, ''
md5, 37b996509ce2873f96781c9f9b12d8b5, ''
domain, thomphon.com, ''
domain, e4wxbrg5277.com, ''
domain, 49xb5hoiqsr.com, ''
domain, jh038x18gy9.com, ''
ip-dst, 194.62.55.81, ''
sha256, eca5c297008e7c07a5c6fc9070c03121d702ef093b4a8e508b712040d87fed36, 'No sample in VT\r\nLast check:05/06/2026'
sha256, ced6b0f4441085bb9c54a32da9ab4ba14c6e21daf6e34fd61d54923f87baacd0, 'No sample in VT\r\nLast check:05/06/2026'
md5, 07d0d4c580ac76ac3ffb63353c9b6b85, 'No sample in VT\r\nLast check:05/06/2026'
md5, 7d384886720c8e576c3ca9d68cb5f08b, 'No sample in VT\r\nLast check:05/06/2026'
ip-dst, 194.59.31.192, ''
sha1, b032d4ec4e24714f59e853da9b6e63794aacdbcb, 'No sample in VT\r\nLast check:05/06/2026'
url, https://tr.ee/lAZ5yi, ''
url, https://storage.googleapis.com/nodesdownload/update.msi, ''
url, https://e4wxbrg5277.com/dl/update.zip?tk=, ''
url, https://49xb5hoiqsr.com/dl/update.zip?tk=, ''
url, https://jh038x18gy9.com/dl/update.zip?tk=, ''
ip-dst, 143.198.183.46, ''

Full IOCs available in Rectifyq’s MISP

2026-06-03 TA4922 The Suspected Chinese Crime Group is Going Global

Wed, 03 Jun 2026 00:00:00 GMT

📃Title: TA4922: The Suspected Chinese Crime Group is Going Global
📅Date: 2026-06-03
🔗References:

https://www.proofpoint.com/us/blog/threat-insight/ta4922-suspected-chinese-crime-group-going-global

Description

TA4922 is a highly sophisticated Chinese-speaking threat actor demonstrating rapid operational tempo and continually evolving malware capabilities. Initially targeting East Asia, particularly Japan, the group has expanded globally to Europe and Africa. The actor deploys multiple malware families including Atlas RAT, RomulusLoader, SilentRunLoader, and ValleyRAT (Winos4.0), alongside legitimate remote management tools like AnyDesk and SyncFuture. Campaigns use localized lures themed around HR, payroll, tax, and invoicing, targeting hundreds to thousands of recipients per campaign. TA4922 conducts credential phishing, fraud operations including credit card theft, and attempts to shift communications to out-of-band channels like LINE, WhatsApp, and Microsoft Teams. The group leverages legitimate cloud hosting services and trusted software for delivery and persistence, combining advanced tradecraft with financially motivated objectives such as data theft, fraud, access resale, and persistent remote access.

Threat Actor

TA4922

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
sub-category: campaign-analysis
target: broad-based
MY-relevancy: relevant

🔖MISP Galaxies:

producer= Proofpoint
target-information=“British Indian Ocean Territory”
target-information=“Germany”
target-information=“India”
target-information=“Indonesia”
target-information=“Italy”
target-information=“Japan”
target-information=“Malaysia”
target-information=“Singapore”
target-information=“South Africa”
target-information=“Taiwan”
target-information=“United Kingdom”
malpedia=“ValleyRAT”
mitre-attack-pattern=[‘T1113’, ‘T1056.001’, ‘T1204.002’, ‘T1573.001’, ‘T1566.002’, ‘T1566.001’, ‘T1119’, ‘T1005’, ‘T1140’, ‘T1055.003’, ‘T1055’, ‘T1125’, ‘T1041’, ‘T1566’, ‘T1571’, ‘T1055.012’, ‘T1027’, ‘T1598’, ‘T1574.002’, ‘T1105’, ‘T1204.001’, ‘T1055.001’, ‘T1566.003’]

MISP event uuid: 6a7790d3-55d8-46c0-9903-9a5dc28211d9

Indicator of Compromise (IoCs)

type,value,comment
md5, 315bda377beafb746f1c2f4fba430867, 'RomulusLoader / SyncFuture executable (Alles in dem schuppen.exe)'
md5, 3e7066e44132e64360a30974b6ea3671, 'RomulusLoader / SyncFuture DLL (teamspeak_control.dll)'
md5, 0ffb16209def5500ff4380d9e8093437, 'RomulusLoader / SyncFuture ZIP (Alles in dem schuppen.zip)'
md5, c0738cfa4f1488956ef4aef054c3144a, 'Atlas RAT DLL (libcef.dll)'
md5, da3161679965c898574449b7d789451c, 'SilentRunLoader Executable'
md5, 2960b323ffcd4cf419d4b0c9ba3648e7, 'ZIP archive (【給与調整のお知らせ】.zip) delivering Atlas RAT'
md5, 1bd939d2bcc0851348263cd06092686d, 'Atlas RAT DLL (libcef.dll)'
md5, 3cb0a1f572056cd4eb65c19c3c85c7e2, 'SilentRunLoader ZIP'
md5, 2e738dae88d058110c55b63233cee2de, 'SilentRunLoader Executable'
ip-dst, 154.211.86.110, 'Atlas RAT C2'
sha256, 3119cf37b8267db8a2dcd11d9a83d5237d7ef1e42388e7c9afa2831b91da8a2d, 'RomulusLoader component (vulkan-1.bin) No sample in VT\r\nLast check:12/06/2026'
sha256, 40b41979b317406f8abc601677a3b93aaf6ef8ab8ac188b8f383735e388f13b5, 'RAR archive (会社文書.rar) delivering RomulusLoader No sample in VT\r\nLast check:12/06/2026'
sha256, 4fcfa88fffacbce30bbe2136753c9ab5a4c092940d2406fd9d44d5118e745b9d, 'ZIP archive (HR (2).zip) delivering Atlas RAT No sample in VT\r\nLast check:12/06/2026'
sha256, 66a3836b9a17771bce2161f6b73cbc2494a91e49d6aa30d2d53711e8d10de60d, 'ZIP archive (Paperwork.zip) delivering Atlas RAT No sample in VT\r\nLast check:12/06/2026'
sha256, 8c9b6542f73c5c7fe455b52f5101314407da4f65ff48e7ebf6896605e607c8d0, 'RomulusLoader DLL (vulkan-1.dll) No sample in VT\r\nLast check:12/06/2026'
ip-dst, 103.214.172.33, 'RomulusLoader First-stage C2'
ip-dst, 112.121.183.202, ''
ip-dst, 206.238.115.58, 'Atlas RAT C2'
url, https://nwphotoblog.com, 'URL used in RomulusLoader / SyncFuture campaign which hosted a landing page with download button'
url, https://ws.ztts88.cyou/file/cg.exe, 'SilentRunLoader download URL'
url, https://ws.ztts88.cyou/upload.php, 'SilentRunLoader data exfiltration URL'
domain, nwphotoblog.com, 'URL used in RomulusLoader / SyncFuture campaign which hosted a landing page with download button'
hostname, ws.ztts88.cyou, ''
ip-dst, 43.156.77.97, 'RomulusLoader C2'
ip-dst, 18.139.83.110, 'SilentRunLoader data exfiltration IP'

Full IOCs available in Rectifyq’s MISP

2026-05-20 Premium Deception Uncovering a Global Android Carrier Billing Fraud Campaign

Wed, 20 May 2026 00:00:00 GMT

📃Title: Premium Deception: Uncovering a Global Android Carrier Billing Fraud Campaign
📅Date: 2026-05-20
🔗References:

https://zimperium.com/blog/premium-deception-uncovering-a-global-android-carrier-billing-fraud-campaign

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
sub-category: campaign-analysis
topic: mobile-attack
target: broad-based
MY-relevancy: relevant

🔖MISP Galaxies:

target-information=“Croatia”
target-information=“Malaysia”
target-information=“Romania”
target-information=“Thailand”
producer= Zimperium
online-service=“b0c71d51-34fd-47b5-9eb4-dd406ffc607f”
mitre-attack-pattern=[‘T1412’, ‘T1476’, ‘T1646’, ‘T1643’, ‘T1417’, ‘T1582’, ‘T1603’, ‘T1628.001’, ‘T1426’, ‘T1422’, ‘T1437.001’]

MISP event uuid: 441a0a60-4abf-4afc-8318-eee24dbf5b68

Indicator of Compromise (IoCs)

type,value,comment
md5, ea28ad4769603b2fff732ca2f881240d, 'apk'
md5, 64e126904611f981eae0523f7031a678, 'apk'
md5, a49dfac6e682c29537750e45a7011a24, 'apk'
md5, 2bb58ac67ae0b0744aeb345aeb0c2387, 'apk'
md5, 0e299b5b9abad22c8a976f547d8587d5, 'apk'
md5, fb27f9c6fbe6a89993213e3b9213cec0, 'apk'
md5, 9f800e4b2839247a7dbf0e3cadd6f40f, 'apk'
md5, 6bd72afa30df7959cb82cae1afe46320, 'apk'
md5, 64927a8cdc68e02afd3c63d32a07f7b6, 'apk'
md5, 2e09920beb06f5eccbaddc2a89fbb68b, 'apk'
md5, 519f2d0451d1f3c8b92b5b53da89cc0c, 'apk'
md5, 2fdd8d62da6c1f8dddc0ac18f1f0616f, 'apk'
md5, 822d6772565cafc3bc5c506ea40b428c, 'apk'
md5, b01f2839d0e2df6047f89db9245cdd23, 'apk'
md5, aa7b04931d543b83b3ef052d6a69331b, 'apk'
md5, 3a81a444ec81dfdd2433b74f2cc0d028, 'apk'
md5, 536a942d2503bc3f75a6f3b777c26928, 'apk'
md5, 05cf42e0c514a1fbe956cd74d9dc8de8, 'apk'
md5, 528f1e4d56813c7f4600cafd5cc53725, 'apk'
md5, 03d0df278887435b1c3bbfb7c1e8514e, 'apk'
md5, 0686061d6f2702d48402e64b850a9461, 'apk'
md5, 58c612673d2ecad853e589f5d9a16bb6, 'apk'
md5, dd8cda9754db25ab68a3875143d7b51e, 'apk'
md5, a391d5d3f834b21a5f5de00e1638c8d5, 'apk'
md5, cf586160cb33c0f3d0a6fe7ee65f2fd8, 'apk'
md5, 35683ee3a7399d85d1c0e5b7445a1d53, 'apk'
md5, b1df9d3c02abb0d53970fbf4dabe84ec, 'apk'
md5, 702a122a658a8673c9605d2c3e60ddfe, 'apk'
md5, 92e4fc1bf0d4f28700150d4f09fa3a57, 'apk'
md5, 27c950143615b7e5a1238ecd35b853fc, 'apk'
md5, ca605d9f09c9272435c185ca6fe9e39d, 'apk'
md5, 53393c3df07540925c75d10da933ed8b, 'apk'
md5, 0ab94dcf89bfd8156ff6ec705025cb58, 'apk'
md5, 6b5f6d86d16c2d0b0294cec9518cc8da, 'apk'
md5, 848a2948274c4c10898fde54b9803958, 'apk'
md5, f5269c961eca5301ff048ed78ce79334, 'apk'
md5, d8343404354866ed7c1d02c093bcdec1, 'apk'
md5, 8aa0cb2b00155a7e670923f0a9ac1061, 'apk'
md5, 2535bd9b97ce9d9ade52dbb4b2c747e7, 'apk'
md5, 8fbf34f64e55f1ebf09f5755ec25281f, 'apk'
md5, 95b8778fb5156d62294664d80fdc6f0a, 'apk'
md5, 06c863c0b1ec1567e063c39f596a116a, 'apk'
md5, bd2a426d46eb92cb13bc39686356a302, 'apk'
md5, 5c7a1baa321e1206283ca85f84d67ffd, 'apk'
md5, 977cb63eb94772779bab8bbd0969f618, 'apk'
md5, 96e76ae096ac34ae09b15adfa166961f, 'apk'
md5, b8b07cbb4eaf1b8e5e52e2287a3afb91, 'apk'
md5, 9a6eba81dc47427afa573b8ff290bff0, 'apk'
md5, 3fe62c901b74d199840484b349eecab9, 'apk'
md5, 1e017f45212e16641a0af7e380ad2ec9, 'apk'
md5, 017ea031573137abd6625eca9ba83580, 'apk'
md5, e2b51176a5b39b3b1a8485dbbfe4f322, 'apk'
md5, 4c706f4ae96cf1bb4e6c5b321844baee, 'apk'
md5, 45f1043a6d05400e6dde6c932291b035, 'apk'
md5, 01edce45317ef4e51a3da5c41a73959d, 'apk'
md5, c7d5ede439d92c4449adcf21cc9032e0, 'apk'
md5, e57366a3a1ed05a1de6246cc8cd9b9f0, 'apk'
md5, 3f1daf3943a19522b90d4088da481f76, 'apk'
md5, 8ac5b4c2ade5ead9f082bb6b718af6a4, 'apk'
md5, fc2e35fffbd64929ccd5a65dac469e4c, 'apk'
md5, ea6d52c41e4d76b815d4a9331328992c, 'apk'
md5, f1cfcd135fe4eccac5cad53254afd72a, 'apk'
md5, 901a950b4515935a44110922b9a8d319, 'apk'
md5, 207f339afa4d246f089bb132900d72ff, 'apk'
md5, 8d9c4d790120dcacfbe85810dad12172, 'apk'
md5, bd9cd5ed898c7aab9e18d4952c97ccb3, 'apk'
md5, 81798ca53cb16a5125c78fde5f02423c, 'apk'
md5, 5e86cd389df2950a9d8973431ee50c07, 'apk'
md5, f8103cf50adb7b7251c54501e92f7331, 'apk'
md5, 4ae7bc5f3d0e948eac832841b47fcb1b, 'apk'
md5, 26a344dbcf273bfd5b820b2d47f4f0de, 'apk'
md5, 88bb8152324664389bddb22bf9f5f4ef, 'apk'
md5, b3b9ef49f73e472bb17f7f3470752617, 'apk'
md5, 14962266a8b20f90bc01b2efa934a31b, 'apk'
md5, 0cb4f128e7e75d32e55d0d0124abc65e, 'apk'
md5, d9b907fdec254805d6457afcda7d311d, 'apk'
md5, c912ca70ebdb581564be77568d3c8f82, 'apk'
md5, 6bb1d8ba947613c25f63d44b1741475b, 'apk'
md5, bf66f797047ad894bda1b2ec4c18dce7, 'apk'
md5, ebb307cd48964a3b7fd5375d890ec521, 'apk'
md5, 775f49ac6e5b0921af7fad9be200dfec, 'apk'
md5, 193c4a0dfa17e4f183402d503327bfcb, 'apk'
md5, 4598ce6b04ca2a84a6c5aa7e5cd8a717, 'apk'
md5, fe0713812cc098bc358ad89ca5e35566, 'apk'
md5, 72c7107a196cf3e5ab0b2ffd6a7036de, 'apk'
md5, 3543ba6897bdb41829b19508c0c611ea, 'apk'
md5, cde08520473411073003893da9056396, 'apk'
md5, 051fa5f945b41d05a753293c685b20f0, 'apk'
md5, 6d1f010df8f2aabb710bb2b98edfae4d, 'apk'
md5, 0efa75183b0501ccb59e5e5b05a025fd, 'apk'
md5, 187056497ebe19dcc9ebbc2c2f86fb79, 'apk'
md5, 6898e6e69757b0394078319915281b4e, 'apk'
md5, 5346135f90edb339e0be03d5e5653d60, 'apk'
md5, 695484416ba461fb32c2d592128cc1be, 'apk'
md5, 0478a2aa9395f855f46567c753a5e4a8, 'apk'
md5, 4648fcaba36ca3b74e59477bdd90faf4, 'apk'
md5, f44e4cdc42d0b32ea4a5c15295efc478, 'apk'
md5, b498d8fe8c4154b60ba2d7ad1b2095fb, 'apk'
md5, ffb58cff43ecfb3e86e6b392de5d16d2, 'apk'
md5, 3e4a737b74479f22bf7902d7632f78dc, 'apk'
md5, 50f3dda4698b6e0e9f449fa4fffd9871, 'apk'
md5, 18866cf0842cb47eddaa9234f80662e8, 'apk'
md5, c921d459c4cf98f7043e9fb074cc114b, 'apk'
md5, 0f59d3c1bac19b9207fba17ee095cd98, 'apk'
md5, c573aafcd6cebc92e1104930fa20ad16, 'apk'
md5, e4fa88a50ce69e6ab0385a05d5a0dc13, 'apk'
md5, 863f3753f7be29d97aeb910edd5df2df, 'apk'
md5, 9b811b1568f94f7f4dc97af6ac3859ed, 'apk'
md5, b9362ed08a719225f97d799169e2d02f, 'apk'
md5, 9adfb1f4b34d88d6cd23d86c012306dc, 'apk'
md5, 2464e09c00b8fd5e5f4d79c61eef3663, 'apk'
md5, 44bb1fbbbcb08a31615aeccfa8b65782, 'apk'
md5, 9d13730dc7f0a543d4c4a1647a8c3afb, 'apk'
md5, 94014620147de1a46d07ad34b217369f, 'apk'
md5, 44c7f1d58e6bfc800b563616cc228f2e, 'apk'
md5, 9f27336f24a86c3d77ba355a1520a822, 'apk'
md5, 76a81f30cacbba6a4d1bfb29891bee61, 'apk'
md5, 6e01fba3c98f541803a6b3c922e50ed4, 'apk'
md5, be0c31d49d18aa92d0b52391825c2ce8, 'apk'
md5, 64f6fac79cc2a34f0db0acd728fc3535, 'apk'
md5, 6d9b80602bd989afc2468be03296ea36, 'apk'
md5, 38fa1af7866698c8a584378a2ed69308, 'apk'
md5, 2ea2afccca69678600408582dd98fcea, 'apk'
md5, 286f660b3a8c055dc5b0c59cb00bbb15, 'apk'
md5, 02e5739966c558aa56b90e327d2473de, 'apk'
md5, 39b7ae6421027f64cd826e95a5325c75, 'apk'
md5, 5f3a04babe025c9c175d42379897a7d2, 'apk'
md5, eadd92707a854f9f9450412d51680ca3, 'apk'
md5, 3edd1e69bf8feabc9e4e06eee4171a08, 'apk'
md5, c9528583c28b2c54d94151ddb6eed153, 'apk'
md5, 264f1a6ac68630da2e9c4c4b881f4e33, 'apk'
md5, 092ac951bec8280fd7a3976f54bd4ecb, 'apk'
md5, f5c401690dacbd58a27509db3fa5d3f4, 'apk'
md5, 046f6dc46f93176c7fe3f6d127b4a07a, 'apk'
md5, 4cb054ca772afbbd6372bb4affe9836b, 'apk'
md5, 1c63cfa3e2b95b569e5816765b864751, 'apk'
md5, c82e4f4ebc1f1ba32fa18a050c60383b, 'apk'
md5, 410efb1341dff33456ecd5fc3954070a, 'apk'
md5, 4f789d7bdaa839e1d9cbbaa03e9fe182, 'apk'
md5, e9897a03230bfbc5c86b6f692a08e5ff, 'apk'
md5, 1fc6cb4b583ce33f6225bea031231561, 'apk'
md5, 7420fe3c2550a0ca763d507531572a28, 'apk'
md5, 594aeeee1e9fe61ae6fb1442e5bfb2fd, 'apk'
md5, f4c4aba2bec2e060c616dbae14a82d4d, 'apk'
md5, 6ff89731e5afd4a49eab95ee2d8f3b02, 'apk'
md5, a4f24cffd229b7341923ff85e5495f10, 'apk'
md5, af0fac752b97b1cab8374a2cf2f5549f, 'apk'
md5, f76e85c652e5c6aa59daf292f5e1276f, 'apk'
md5, 4483beff90db3a90bd3092d3967fd2ef, 'apk'
md5, 09a7bde84262208bc97322a089262b56, 'apk'
md5, 4595ce58f39b04a60da45ebfd9967877, 'apk'
md5, 181cde59295d8e060bee1ae43cd68a84, 'apk'
md5, 45de8c6b4cac7546c389e942d0ee3a40, 'apk'
md5, fe3a1367fafd49a35e0b99aa3f9ce60e, 'apk'
md5, 5bcc864e91d8600a5523c9440c6f3498, 'apk'
md5, 62fd9716a8b84191045b391a78b007fb, 'apk'
md5, 9c804db4ce76c2787e60a4cdc7816c63, 'apk'
md5, e4ad4c1f067c3b706742339edd621292, 'apk'
md5, 0c8d462ff2913ecd04416523bec4da05, 'apk'
md5, a2fd8f837a99887ffe2b8b869364476d, 'apk'
md5, 2018d8606734a6755f45223d40bdbd5b, 'apk'
md5, 8d6b571ef72b3b19dcaeccb946300c6d, 'apk'
md5, cc34143c4cdeb6c1c73e1bba088add2f, 'apk'
md5, 834ee8993e50b280caf3e573c319c0fb, 'apk'
md5, d237368fbe56bfea321a6dd16db7b692, 'apk'
md5, 515e835c9e2520be86d90192648308db, 'apk'
md5, 217997a522b2040a7e339d95f2b2c4d9, 'apk'
md5, 741261f68c1f443a2bf3ead1ccc0c571, 'apk'
md5, 649d096872939758c55e851a6e070fde, 'apk'
md5, 2628bb40699e4dffe6e78dc589fce234, 'apk'
md5, 82ca98ccdf0db582fd232c2c0f312969, 'apk'
md5, a5ac42f0996be5300d0ea9dd7101292c, 'apk'
md5, f1f1c67cb0902a5ced741aa0e3376905, 'apk'
md5, 5e0bbf53dde3498daf46eff6fe809159, 'apk'
md5, a2f94d5a454577c934030f06c6a81192, 'apk'
md5, 85623429a8624f4e944e5116776506cc, 'apk'
md5, b7892df057264295cc672f5d3e692208, 'apk'
md5, 89035bfa90eca5cd50aca6f258a355fb, 'apk'
md5, 9a457659633418aa66dcdc7b5f5edd2f, 'apk'
md5, a8755f85a7f696b5132507293c30cf4f, 'apk'
md5, 39fe73bac312031d8c774ba30f2181cc, 'apk'
md5, 60d471d14e9903723b440f8e83f6384c, 'apk'
md5, ae0495da25fd970ed961d92625c14cfd, 'apk'
md5, e3e5a168a1dc3097f6ec2f548c72f893, 'apk'
md5, 1988fea17666f1cae43892d75bae714a, 'apk'
md5, edf7678378b6c9d1f86381d478398dcd, 'apk'
md5, e661ca3b8a40d49508af836231847b70, 'apk'
md5, 6a943e23f8307585f0c15a92920d22b7, 'apk'
md5, b9b3d18865703b577e8b1573b3e995e8, 'apk'
md5, b12411add93cf02515a47d9879a58228, 'apk'
md5, b25061eb976ca7ba691a5ed0d0291320, 'apk'
md5, 22649986f213041fcc27a8d6c682ba3a, 'apk'
md5, 1b7b8b200e0755335b272b4442f9f997, 'apk'
md5, a9d1da8a1393d3990ca8121a8b875f93, 'apk'
md5, b98a7207be4a05ef0b5fbb2c48300f42, 'apk'
md5, 6f5504b1cab0a5d9f0aa1c53861fc5ec, 'apk'
md5, 92c348445dcee63f58c4c634de690442, 'apk'
md5, cc97f2e68da79d434210bbd930ef9fcd, 'apk'
hostname, api.modobomco.com, ''
hostname, apichecksubs.modobomz.com, ''
hostname, apizep.modobomz.com, ''
hostname, apizep.mwmze.com, ''
domain, apkafe.com, ''
domain, apkhype.com, ''
hostname, filesub.modobomco.com, ''
domain, gamemixes.com, ''
domain, gamemuchs.com, ''
hostname, gameshtml5.thacyber.com, ''
domain, grannygames.net, ''
hostname, lpbigfun.thacyber.com, ''
hostname, minecraft-mdb.s3.ap-southeast-1.amazonaws.com, ''
hostname, onesignal.mwmze.com, ''
hostname, onesignalmdb.modobomz.com, ''
hostname, portal.bigfunspace.com, ''
domain, sunny-mobi.com, ''
domain, tobegame.com, ''
domain, topboxinggames.com, ''
domain, topstickmangames.com, ''
hostname, wap-cpa.digi.com.my, ''
hostname, wap.lpalice2appsmart.com, ''

Full IOCs available in Rectifyq’s MISP

2026-05-15 Custom Attack Tooling Including Undisclosed C2 Infrastructure Targeting Malaysian Organizations

Fri, 15 May 2026 00:00:00 GMT

📃Title: Custom Attack Tooling Including Undisclosed C2 Infrastructure Targeting Malaysian Organizations
📅Date: 2026-05-15
🔗References:

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
sub-category: infra-profile
target: targeted
MY-relevancy: relevant
action-taken: diamond-model

🔖MISP Galaxies:

target-information=“Malaysia”
sector=“Government, Administration”
online-service=“8206e5d7-9189-4d8b-855d-339fa45e9c47”
mitre-attack-pattern=[‘T1100’, ‘T1505.003’, ‘T1552.001’, ‘T1567.002’, ‘T1190’, ‘T1587.001’, ‘T1003.003’, ‘T1059.001’, ‘T1059.006’, ‘T1003.002’, ‘T1071.001’, ‘T1021.006’]

MISP event uuid: a30d2c51-b056-4b55-ad4d-971722af82d8

Indicator of Compromise (IoCs)

type,value,comment
ip-dst, 20.17.161.118, 'Adversary Infrastructure'
url, https://7d83b67b237af36f803533a57d8a4843.r2.cloudflarestorage.com/, 'External Data Exfiltration to Cloudflare Storage'
url, http://20.17.161.118/, ''
url, http://20.17.161.118:8888/rce_ekyc_chain2, 'Laravel RCE Exploit Chain'
url, http://20.17.161.118:8888/rce_ekyc_chain9, 'Laravel RCE Exploit Chain'
url, http://20.17.161.118:8888/rce_ekyc_chain10, 'Laravel RCE Exploit Chain'
url, http://20.17.161.118:8888/rce_ekyc_chain14, 'Laravel RCE Exploit Chain'
url, http://20.17.161.118:8888/rce_ekyc_chain20, 'Laravel RCE Exploit Chain'
url, https://20.17.161.118/, 'C2 URL'
hostname, www.ros.gov.my, ''
url, http://103.156.82.221/assets/health.php, ''
ip-dst, 103.156.82.221, ''
hostname, jpa.gov.my, ''
hostname, hrmis2.eghrmis.gov.my, ''

Full IOCs available in Rectifyq’s MISP

2026-05-12 MA-1439.052026 MyCERT Alert - "Boss Impersonation" Scam Email

Tue, 12 May 2026 00:00:00 GMT

📃Title: MA-1439.052026: MyCERT Alert - “Boss Impersonation” Scam Email
📅Date: 2026-05-12
🔗References:

https://www.mycert.org.my/portal/advisory?id=MA-1439.052026

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
sub-category: campaign-analysis
target: broad-based
MY-relevancy: relevant

🔖MISP Galaxies:

target-information=“Malaysia”
mitre-attack-pattern=[‘T1566’]

MISP event uuid: 322e6c2d-3cb5-48ba-a8fa-1f01eb2c380f

Indicator of Compromise (IoCs)

type,value,comment
domain, telefonica.net, ''

Full IOCs available in Rectifyq’s MISP

2026-05-05 InstallFix and Claude Code How Fake Install Pages Lead to Real Compromise

Tue, 05 May 2026 00:00:00 GMT

📃Title: InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise
📅Date: 2026-05-05
🔗References:

https://www.trendmicro.com/en_us/research/26/e/installfix-and-claude-code.html

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
sub-category: malware-analysis
sub-category: campaign-analysis
target: broad-based
MY-relevancy: relevant

🔖MISP Galaxies:

producer= Trend-Micro
target-information=“Malaysia”
target-information=“Netherlands”
target-information=“Thailand”
target-information=“United States”
sector=“Education”
sector=“Electronic”
sector=“Food”
sector=“Government, Administration”
mitre-attack-pattern=[‘T1559.001’, ‘T1562’, ‘T1583.008’, ‘T1218.005’, ‘T1027’, ‘T1059.001’, ‘T1566.002’, ‘T1059.005’]

MISP event uuid: e30b1a07-b830-46e2-bf69-e67eee29d4af

Indicator of Compromise (IoCs)

type,value,comment
md5, 45029deaf9033802d08b5f82b77978fa, 'claude.msixbundle  (ZIP/HTA polyglot, Stage 2)'
md5, 67640d4378e7c13110c7ee268c667c43, '(FINAL SHELLCODE)'
md5, d62297e291f43469181785a9d9131e37, 'cloude-91267b64-989f-49b4-89b4-984e0154d4d1 (Stage 4 fileless payload)'
hostname, download-version.1-5-8.com, 'Payload host (Stage 2) - Disease vector'
hostname, hosted-by.yeezyhost.net, 'Resolves to 77[.]91[.]97[.]244 - Disease vector'
ip-dst, 77.91.97.244, 'C&C attempt over TCP/443; resolves to hosted-by.yeezyhost[.]net'
domain, oakenfjrod.ru, 'C&C domain (Stage 4) - Disease vector'
url, https://download-version.1-5-8.com/claude.msixbundle, 'Disease vector'
url, oakenfjrod.ru/cloude-91267b64-989f-49b4-89b4-984e0154d4d1, 'Disease vector'
ip-dst, 185.177.239.255, 'Outbound - C&C server'
ip-dst, 104.21.0.95, 'Outbound - Untested'

Full IOCs available in Rectifyq’s MISP

2026-05-04 Fake PAIP Berhad Site Stealing Pahang Customers' Data and Water Bill Payments

Mon, 04 May 2026 00:00:00 GMT

📃Title: Fake PAIP Berhad Site Stealing Pahang Customers’ Data and Water Bill Payments
📅Date: 2026-05-04
🔗References:

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
sub-category: campaign-analysis
target: broad-based
MY-relevancy: relevant

🔖MISP Galaxies:

financial-fraud=“Fake Website”
financial-fraud=“Fund Transfer”
target-information=“Malaysia”
mitre-attack-pattern=[‘T1660’]

MISP event uuid: 0a0479bf-0a6f-4a68-a7c4-4f464b202596

Indicator of Compromise (IoCs)

type,value,comment
domain, onlinepaip.com, 'Impersontate PAIP, when customer paying bills, the acc details is personal acc.'
ip-dst, 162.0.239.2, ''

Full IOCs available in Rectifyq’s MISP

2026-04-30 Inside Shadow-Earth-053 A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia

Thu, 30 Apr 2026 00:00:00 GMT

📃Title: Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia
📅Date: 2026-04-30
🔗References:

https://www.trendmicro.com/en_us/research/26/d/inside-shadow-earth-053.html

Threat Actor

Shadow-Earth-053

Threat Actor

SHADOW-EARTH-054

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
sub-category: campaign-analysis
target: broad-based
MY-relevancy: relevant
action-taken: diamond-model

🔖MISP Galaxies:

producer= Trend-Micro
country=“china”
malpedia=“ShadowPad”
target-information=“India”
target-information=“Malaysia”
target-information=“Myanmar”
target-information=“Pakistan”
target-information=“Sri Lanka”
target-information=“Taiwan”
target-information=“Thailand”
malpedia=“iox”
malpedia=“Vshell”
malpedia=“Nood RAT”
malpedia=“Godzilla Webshell”
malpedia=“MimiKatz”
mitre-attack-pattern=[‘T1190’, ‘T1505.003’, ‘T1219’, ‘T1047’, ‘T1560.001’, ‘T1003.006’, ‘T1574.002’, ‘T1087.002’, ‘T1003.001’, ‘T1112’, ‘T1046’, ‘T1550.002’, ‘T1055’, ‘T1572’, ‘T1090’, ‘T1114.002’, ‘T1018’, ‘T1036.003’, ‘T1021.002’, ‘T1053.005’, ‘T1003.002’, ‘T1569.002’, ‘T1027.002’]

MISP event uuid: 327326e7-354a-45ba-b25e-363984f01010

Indicator of Compromise (IoCs)

type,value,comment
md5, efcb90de13a82c10a34e900ab91942c1, 'ShadowPad loader — graphics-hook-filter32.dll'
md5, 48370247d5c3c01474f19e172112710a, 'ShadowPad loader — imjp14k.dll'
md5, e5b0fd04b03d92d4dfb8e50b9b9b3068, 'ShadowPad loader — imjp14k.dll'
md5, 9daba43a4c2495f596555653c6fe88d2, 'ShadowPad loader — imjp14k.dll'
md5, 4b7a47b639a2aca7818d111ee7f23b3e, 'ShadowPad loader — uxtheme.dll'
md5, c4144edb268001595700b5f27d7d7422, 'ShadowPad loader — MPS.dll'
md5, be328739e97303b2e72fe36feae358d5, 'IOX Proxy'
md5, 531da3715b1e4fc9baeaa034888ac419, 'EVILCREATEDUMP'
md5, a85459a1ec90a52b5c1f2f5a12bb2d10, 'SHADOW-EARTH-053 loader — found by infrastructure pivoting'
md5, 29015d3fa89c75ee576b14849133d6d9, 'TosBtKbd.dll Custom Registry Loader'
md5, 2616e7ec2d6c4b86a7fa1f4a762ae918, 'RingQ.exe'
md5, 7b2590be24290eb4b51bed2af1744b04, 'SHADOW-EARTH-054 loader'
md5, 0933fbd16c7a8b70199f5612e147a22c, 'GOST tunnel (gost.exe)'
md5, fc751b0416d4dc320eb175cea5a9e4dd, 'Wstunnel (wt.exe)'
sha256, f43748a809680a23272ec684a8cce9af071ad165c3b01acdcd7fe501a0949745, 'ShadowPad loader — graphics-hook-filter32.dll No sample in VT\r\nLast check:03/05/2026'
sha1, 2dc1ad07b7529af3ba5c11a58519681909971a81, 'ShadowPad loader — graphics-hook-filter32.dll No sample in VT\r\nLast check:03/05/2026'
sha256, 0eda83335334d3c877578326a5843d3e2a3b745834de27eac00b694262e2b1ed, 'ShadowPad loader — graphics-hook-filter32.dll No sample in VT\r\nLast check:03/05/2026'
sha1, 3229ba46dd54802093c81e6e2123fd1520faf960, 'ShadowPad loader — graphics-hook-filter32.dll No sample in VT\r\nLast check:03/05/2026'
sha256, 0fff684fa209cb79ab1104da3cfbbf4c950078e14e54c2564d130abbd4e464a9, 'ShadowPad loader — graphics-hook-filter32.dll No sample in VT\r\nLast check:03/05/2026'
sha1, 128f3ad395f86be6569ef2a957d42902a910de6c, 'ShadowPad loader — graphics-hook-filter32.dll No sample in VT\r\nLast check:03/05/2026'
sha256, 4f77b4fcfde7abb7e6d0e36104e433abfed3a9d9938bf7fbe0e9d1a0b2ccf265, 'ShadowPad loader — graphics-hook-filter32.dll No sample in VT\r\nLast check:03/05/2026'
sha256, a5477ff2b3d6d475558abf03878dff0cca98c20c17aae35a8ad8e99e03293f89, 'ShadowPad loader — graphics-hook-filter32.dll No sample in VT\r\nLast check:03/05/2026'
sha256, 83e9f99a377566cf30df0ad71ca8522613b14d45e3e2eaead4a336509d26bef3, 'ShadowPad loader — graphics-hook-filter32.dll No sample in VT\r\nLast check:03/05/2026'
sha1, 9a83466f6c34e588ba3e99d6cbfac0102e173cdd, 'ShadowPad loader — graphics-hook-filter32.dll No sample in VT\r\nLast check:03/05/2026'
sha256, 996fb4f7d1b3150490380c4ce9c7c3d60fac33bd6a7c1e3a46487021964cf3bb, 'ShadowPad loader — graphics-hook-filter32.dll No sample in VT\r\nLast check:03/05/2026'
sha1, 9244cd99a27a8741a78e0b449cea063fdcfb0090, 'ShadowPad loader — graphics-hook-filter32.dll No sample in VT\r\nLast check:03/05/2026'
sha256, 3dffbfcb825a70e477474e88b18679557ef467de37fc26e45ddbe572f520c52a, 'ShadowPad loader — graphics-hook-filter32.dll No sample in VT\r\nLast check:03/05/2026'
sha1, 8a5ac2682d70eacff7eb554e242227c82e2baa94, 'ShadowPad loader — graphics-hook-filter32.dll No sample in VT\r\nLast check:03/05/2026'
sha256, 2dd93edc8cc64747a7ca94b6827dc4e5b1e385d493ed4450272dd1dfc52a6255, 'ShadowPad loader — imjp14k.dll No sample in VT\r\nLast check:03/05/2026'
sha1, 579bc9a640ac939b1f75eda852815f063cebd332, 'ShadowPad loader — imjp14k.dll No sample in VT\r\nLast check:03/05/2026'
sha256, 5eb2122c4c645543966b07b94faccb5b4697561163382f21fb3b793b0d5cc9fe, 'ShadowPad loader — imjp14k.dll No sample in VT\r\nLast check:03/05/2026'
sha1, ec38a56f9368eac67106a4ad61538e12053f03d1, 'ShadowPad loader — imjp14k.dll No sample in VT\r\nLast check:03/05/2026'
sha256, eff699456ed4c5938d53afdb8df0836d7cb953ed933ed1a2899ec43f6f9e540b, 'ShadowPad loader — imjp14k.dll No sample in VT\r\nLast check:03/05/2026'
sha256, 75d0d5080afd091114818d082babc418ccb43d545d9fda1fb715af6c129b6e51, 'ShadowPad loader — uxtheme.dll No sample in VT\r\nLast check:03/05/2026'
sha1, 35cc0b684b0906aed9d672a1a8635510fe91aa67, 'ShadowPad loader — uxtheme.dll No sample in VT\r\nLast check:03/05/2026'
sha256, 3f6382418d0137f6ecbef23bfd981938bb86a935b27203f5b053e3710e835f97, 'SHADOW-EARTH-053 — Mdync.exe No sample in VT\r\nLast check:03/05/2026'
sha256, 26f4c7f37448911310adf20e6e74aac60e92b97591f4ac9e5e21cc503be8da16, 'Possible RDP Launcher No sample in VT\r\nLast check:03/05/2026'
sha256, 8df8282da75ebe6cf1a535739991e3f298f903974a05966503d7fd2919ecea4e, 'Privileged Process Launcher No sample in VT\r\nLast check:03/05/2026'
sha256, 03a89ea5a8604e8bc09a4249211e20404a2c7047adda65a57deeb46abb1fb116, 'data.aspx webshell No sample in VT\r\nLast check:03/05/2026'
sha256, d083b6d82765faffe738ebd0678c8eb01c1f1fac8d3c51ffdfe40e34da3ce902, 'ExchangeExport.exe No sample in VT\r\nLast check:03/05/2026'
sha256, 0c8c562ed7343d28c76d93a88bd0534440d0e71292ebcee66314d6d5c2f34403, 'Newdcsync.exe No sample in VT\r\nLast check:03/05/2026'
sha256, 55e929971a7975c7f9dfa4d677d5ec357af23a4ca208ef8f920804743e9011cd, 'SHADOW-EARTH-054 malware No sample in VT\r\nLast check:03/05/2026'
sha1, b8d586d376b342b08b3dd8a77c788480e025ad12, 'SHADOW-EARTH-054 malware No sample in VT\r\nLast check:03/05/2026'
sha256, 165cc3a9a40e04c469e5c818943920f38dc48db2c2365f1a71bb52c9582f0ea9, 'DomainMachines.exe — Custom discovery tool No sample in VT\r\nLast check:03/05/2026'
sha256, 1a5da90175ff7b55ddafcdb816adf574b92a112604019b219d82adab820fb3a2, 'IOX (code.exe) No sample in VT\r\nLast check:03/05/2026'
sha256, 4173c218efe31a6b36df714cf4e1073696f3acbe7edd1b7fcba01e4a2d923a27, 'Unknown proxy (code.exe / tunnel-core.exe) No sample in VT\r\nLast check:03/05/2026'
hostname, time.microsofttrends.com, 'ShadowPad C&C — TrendAI telemetry'
hostname, erp.kaspersky.icu, 'ShadowPad C&C — TrendAI telemetry'
hostname, dns.dnsmap.icu, 'Infrastructure'
hostname, cert.kaspersky.icu, 'Infrastructure'
hostname, news.kaspersky.icu, 'Infrastructure'
hostname, ns1.kaspersky.icu, 'Infrastructure'
hostname, ns2.kaspersky.icu, 'Infrastructure'
hostname, www.kaspersky.icu, 'Infrastructure'
hostname, dns.dnserver.life, 'Infrastructure'
hostname, nslookup.dnserver.life, 'Infrastructure'
hostname, router.dnserver.life, 'Infrastructure'
hostname, ww12.dnserver.life, 'Infrastructure'
hostname, ns1.group-ib.icu, 'Infrastructure'
hostname, ns2.group-ib.icu, 'Infrastructure'
hostname, www.group-ib.icu, 'Infrastructure'
hostname, check.dnsmaps.com, 'Infrastructure'
hostname, update.kaspersky.icu, 'Infrastructure Hunting — Malware Hosting'
hostname, check.office365-update.com, 'NOODLERAT C&C'
domain, zimbra-beta.info, 'SHADOW-EARTH-054 C&C'
domain, zimbra.life, 'SHADOW-EARTH-054 C&C'
domain, microsi0ft.com, 'SHADOW-EARTH-054 C&C'
ip-dst, 141.164.46.77, 'SHADOW-EARTH-053 C&C'
ip-dst, 96.9.125.227, 'SHADOW-EARTH-053 C&C'
ip-dst, 194.38.11.3, 'SHADOW-EARTH-053 Malware Hosting — TrendAI telemetry'
ip-dst, 209.141.40.254, 'SHADOW-EARTH-054 VShell C&C'
ip-dst, 45.61.62.172, 'SHADOW-EARTH-054 IOX Proxy'
url, http://209.141.40.254:8443/update, 'SHADOW-EARTH-054 VShell C&C'

Full IOCs available in Rectifyq’s MISP

2026-04-29 Phoenix Rising Exposing the PhaaS Kit Behind Global Mass Phishing Campaigns

Wed, 29 Apr 2026 00:00:00 GMT

📃Title: Phoenix Rising: Exposing the PhaaS Kit Behind Global Mass Phishing Campaigns
📅Date: 2026-04-29
🔗References:

https://www.group-ib.com/blog/phoenix-phaas-kit-smishing

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
sub-category: campaign-analysis
target: broad-based
MY-relevancy: relevant

🔖MISP Galaxies:

producer= Group-IB
financial-fraud=“Phishing”
financial-fraud=“Smishing”
target-information=“Argentina”
target-information=“Australia”
target-information=“Belgium”
target-information=“Chile”
target-information=“Costa Rica”
target-information=“Hong Kong”
target-information=“India”
target-information=“Indonesia”
target-information=“Japan”
target-information=“Malaysia”
target-information=“Mexico”
target-information=“Philippines”
target-information=“Singapore”
target-information=“Spain”
target-information=“Taiwan”
target-information=“United Kingdom”
target-information=“United States”
target-information=“Vietnam”
sector=“Finance”
sector=“Logistic”
sector=“Telecoms”
mitre-attack-pattern=[‘T1204.001’, ‘T1566.002’, ‘T1539’]

MISP event uuid: 5109a940-ef8e-4cf9-a5c8-fdfc684aa6ae

Indicator of Compromise (IoCs)

type,value,comment
ip-dst, 23.95.166.127, ''
ip-dst, 38.162.114.0, ''
ip-dst, 43.133.0.0, ''
ip-dst, 43.134.0.0, ''
ip-dst, 43.134.12.32, ''
ip-dst, 43.134.239.46, ''
ip-dst, 43.153.0.0, ''
ip-dst, 43.154.31.214, ''
ip-dst, 43.156.61.150, ''
ip-dst, 43.160.192.0, ''
ip-dst, 43.162.0.0, ''
ip-dst, 43.163.100.238, ''
ip-dst, 45.203.220.0, ''
ip-dst, 47.80.0.0, ''
ip-dst, 47.80.64.106, ''
ip-dst, 47.80.70.114, ''
ip-dst, 47.80.79.203, ''
ip-dst, 8.212.128.102, ''
ip-dst, 8.220.130.133, ''
ip-dst, 8.220.190.2, ''
ip-dst, 101.32.186.29, ''
ip-dst, 154.91.90.0, ''
ip-dst, 156.245.145.174, ''
ip-dst, 156.245.146.210, ''

Full IOCs available in Rectifyq’s MISP

2026-04-21 GhostCargo, a 5-years campaign

Tue, 21 Apr 2026 00:00:00 GMT

📃Title: GhostCargo, a 5-years campaign
📅Date: 2026-04-21
🔗References:

https://www.syntx.com.my/blog/ghostcargo-a-5-years-campaign

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
sub-category: intrusion-analysis
target: targeted
MY-relevancy: relevant

🔖MISP Galaxies:

financial-fraud=“Phishing”
financial-fraud=“Fake Website”
financial-fraud=“Distraction”
financial-fraud=“Scam”
financial-fraud=“Merchant Fraud”
financial-fraud=“Compromised Personally Identifiable Information (PII)”
target-information=“Malaysia”
country=“indonesia”
country=“venezuela”
country=“australia”
online-service=“b0c71d51-34fd-47b5-9eb4-dd406ffc607f”
online-service=“01031d3f-c9c9-4288-bb58-234c38e4246e”
mitre-attack-pattern=[‘T1657’, ‘T1056’, ‘T1204.001’, ‘T1036’, ‘T1593’, ‘T1566.002’]

MISP event uuid: 9c16b2b8-dd25-4533-958e-97d8d1c92cca

Indicator of Compromise (IoCs)

type,value,comment
hostname, bnk.ing-boa.pro, 'Active fake Barclays portal'
domain, ing-boa.pro, 'Parent domain; wildcard cert *.ing-boa[.]pro issued Feb 2026'
domain, jetexpressdeliveries.com, 'Fake logistics front (Drupal + transpix theme)'
hostname, barcl.ays-uk.com, 'Predecessor Barclays portal (Jun 2024 to May 2025, now NXDOMAIN)'
domain, ays-uk.com, 'Parent of predecessor; same Hostinger IP'
hostname, ban.king-en.com, 'Predecessor bank portal (Feb 2023, now NXDOMAIN)'
domain, king-en.com, 'Parent domain; wildcard cert from Dec 2020'
domain, topexpresdelivery.com, 'Predecessor delivery domain (Sep 2020, HTTrack source)'
domain, doorcargoexpress.com, 'Predecessor tracking page template (Feb 2023)'
domain, ermontexpressdelivery.com, 'Same-Actor Domain - Fake delivery; same NS, IP, registrar'
domain, fastlinkquickdelivery.com, 'Same-Actor Domain - Fake delivery; same NS, IP, registrar'
domain, firstcredituni.pro, 'Same-Actor Domain - Fake bank; confirmed Bankpro default deployment, .pro TLD match'
domain, suntrustcomunityfcu.com, 'Fake credit union'
domain, cresttcredit.com, 'Fake credit institution'
domain, trusteqbank.com, 'Fake bank'
domain, metropolis-credit.com, 'Fake credit'
domain, finestostandard.com, 'Fake financial institution'
domain, digitaltradechainpro.com, 'Fake trading platform'
domain, expert-traders.net, 'Fake trading'
domain, coinbaseminingfarm.com, 'Coinbase impersonation / crypto scam'
domain, greenfund.live, 'Fake charity / investment'
domain, futurezioncharity.org, 'Fake charity'
domain, daltevintransact.online, 'Fake transaction service'
domain, zeltextransact.click, 'Fake transaction service'
domain, hiltonacessglobal.com, 'Fake Hilton access / global services'
domain, zenixtransit.online, 'Fake transit / logistics'
domain, royalgatesschools.com, 'Fake school with finance admin portal'
domain, credixrise.com, 'Fake banking (Cloudflare NS, same IP)'
ip-dst, 198.251.89.82, 'Primary hosting IP (FranTech AS53667, Cheyenne WY)'
ip-dst, 91.108.101.78, 'barcl.ays-uk[.]com hosting IP (Hostinger, Paris)'
ip-dst, 46.202.172.167, 'jetexpressdeliveries[.]com hosting IP (Hostinger)'
hostname, ns115.my-control-panel.com, 'Hosted on same IP as scam domains'
hostname, ns116.my-control-panel.com, 'Hosted on same IP as scam domains'
domain, zentroid.com, 'unrelated sites'
domain, ultraviewvault.com, 'unrelated sites'
email-src, admin@ing-boa.pro, 'Operator contact'
email-src, support@indigenousservice.com, 'Contact email on firstcredituni[.]pro'
email-src, support@dirtyscripts.shop, 'Bankpro kit default admin login'

Full IOCs available in Rectifyq’s MISP