Rectifyq

Get access to Rectifyq's MISP

Wed, 18 Mar 2026 09:38:05 GMT

Application to get access to Rectifyq’s TIP (MISP) is now open. https://forms.gle/b57aaQixjdS5CPTEA

Courses to be released soon.🙏

Role: Cybervigilantes

flowchart LR
    B1[Complete Rectifyq Course in Coursestack] --> B2[Apply via Google Form]
    B2 --> B4[Post min 1 Article on Malaysia Threat Landscape on any platform]
    B4 -- Checked Quarterly--> B5{Requirement fulfilled & inline with T&C?}

    B5 -- Yes --> B6[Access MISP202X & MISPMY]
    B7 --> B4
    B6 --> B7(TLP:CLEAR & TLP:GREEN)

    B5 -- No --> B8[Account Disabled]
    B8 --> B2

Role: Cyberheroes

flowchart LR
    C0[Currently Cybervigilantes Role] --> C1[Continuous Contribution] 
    C1 --> D{Vetting Process & inline with T&C}
    C2[Proven Contribution Track Record]  --> D
    D -- Approved --> C3[Access MISP202X & MISPMY]
    D -- Denied --> R[Account Disabled]
    C3 --> C4(TLP:CLEAR, TLP:GREEN, & TLP:AMBER)
    C4 -- Checked Quarterly --> D

Phish Hunt MY

Wed, 18 Mar 2026 00:00:00 GMT

Background

Phishing scams—like Telegram takeovers, fake APK wedding invites, and Bantuan Kerajaan fakesite—have been around for ages. Most IT pros and cybersecurity experts tend to ignore them, thinking they’re “uninteresting” or wondering how anyone could still fall for them. But the fact that these scams are still happening means they work. Even if they don’t catch everyone, they only need to hit the right victim for the financial impact to be devastating.

A few things triggered me to organize this challenge. One was an article by Foxy about recent phishing campaigns, which reminded me of my own previous writing. Then, a “threat actor” actually had the nerve to post a phishing link right in the OWASP Malaysia WhatsApp group!😂 When KDJebat called for an advisory, it gave me an idea: why not create a challenge to push pros and students to actually analyze these campaigns?

It’s a win-win. I get to learn from their findings, and they get to build their portfolios and potentially win prizes.

So, a big shout out to Foxy and KDJebat for the inspiration! 🙌

Challenge Details

With the festive season approaching, scams impersonating local organizations, governments, and local e-wallets are on the rise. We’re looking for Phish Hunters and analysts to help map out these campaigns, warn the community, and get them taken down.

🔍 How to Participate

Identify: Find an active phishing link or campaign (SMS, Email, Social Media) specifically targeting Malaysians.
Analyze: Break down the infrastructure and TTP used by Threat Actor. Who is the registrar? Where is it hosted? Can you find the phishing kit etc? (Always use a sandbox/VM).
Report & Post: File a report with Google Safe Browsing or MyCERT (Cyber999) or any relevant parties. Then, share your findings on LinkedIn, X, Facebook, or your blog to educate others.
Submit: Drop your analysis and post link in our entry form: [https://forms.gle/ei6EqfBFsbtzdEJU9] before 12 midnight of 15th March 2026 🏆 The Prizes (Touch ‘n Go e-Wallet Credit: Each category will win RM100)

We’re awarding two distinct types of hunters:

The Apex Hunter (Technical Prize): For the most thorough technical breakdown. We’re looking for high-quality analysis—TTPs, indicators of compromise (IOCs), kit discovery, evidence of reporting and so on. Technical evaluation will be done on 12 noon of 16th March 2026; if you submitted your analysis but have some minor adjustment, please do so before this date.
The Community Advocate (Engagement Prize): For the Rectifyq’s Linkedin repost (once you submitted your entry, we will repost it in our page) that gets the most Likes & Shares. This is about making the warning go viral to prevent others from falling victim. Counting date fort his prize will be on 12 noon of 18th March 2026. Do share with everyone your specific Rectifyq’s Linkedin repost for everyone to like and share.

Rule: To keep the rewards distributed, one participant cannot win both. If the top technical entry also has the highest engagement, the engagement prize will go to the next runner-up and/or student winner will be prioritized for the community advocate category.

Results for Apex Hunter

2 champions - Mohd Fazri & Ahmad Nazif

Updates

After another round of review and recalculation, the previously announced winner lost 1 point which resulted to a draw between Mohd Fazri & Ahmad Nazif. Therefore, decision has been made to announce both as champion for this challenge with the accumulating of same score points. So, both won the duit raya!

Below are the top 5:

Article link	Category	Total Points	Extra points given	Room for improvement
ayiezola	Working Professional	26	Infection chain using AI/clean diagram, nuclei template, comparative analysis, sample of exfiltrated data	No Recommendation included, TTPs listed not using known framework such as MITRE ATT&CK
nazif	Working Professional	26	Included Impact assessment and usage of PCAP analysis	No infection chain diagram included & report format to be more concise and succinct
171k	Student	25	Included TA assessment and TA’s opsec fails	No Action taken (e.g. report to google safe browsing) included, TTPs listed not using known framework such as MITRE ATT&CK
Myo	Student	23	None	Action taken (e.g. report to google safe browsing) can be beyond the two listed in the google form
Alif & Faez	Student	22	Included Chain of Code Reuse	TTPs listed not using known framework such as MITRE ATT&CK

Remaining 6 (listed in random and no particular order)

Article link	Category	Extra points given	Room for improvement
n3r	Working Professional	OTP Form & Anti analysis	To include executive summary, to include action taken
khairul-zuhaili	Student	Telegram bot screenshot with victim data	To include executive summary, IoCs and action taken
akmaltaufik	Student	Usage of crt.sh for pivoting	To include executive summary, TTPs using known framework and action taken & report format to be more concise and succinct
syazwanisubri	Working Professional	Usage of VT collection	To include infection diagram/attack diagram and screenshots/proof of reporting to be included directly in the article (audience may missed to check in the evidence folder you’ve created)
matpwnguin	Working Professional	Included TA assessment and security misconfig	Executive summary is a bit too long - can be more concise, to include action taken
amirulhmd	Student	Asked questions to stakeholder (Rectifyq) - which is good to understand stakeholder’s requirement, reporting (action taken) beyond suggested (Cloudflare abuse)	Overview if chosen as executive summary is bit too long, TTPs listed not using known framework such as MITRE ATT&CK

Results for Community Advocate

Winner: Alif & Faez

Scoring Criteria

Brief Summary - if it is too short, too long or just right
Diagrams - if includes screenshots, code snippets, infection chain/attack diagram
Indicator Pivoting - pivoting from initial indicator (often phishing url) to underlying IP then whois record and so on
TTP - TTPs listed and usage of known framework such as MITRE ATT&CK or attck4fraud
IoC - if IoCs were included, compiled and each IoCs has context
Action Taken - proof of action taken (such as reporting to Google safe browsing and even beyond suggested previously) that gives out result (e.g. site no longer reachable)
Phishing Kit - found phishing kit used, may pivot to similar campaigns that uses same phsihing kit, or even found the source code of the phishing kit
Recommendation - provided relevant recommendation, be it to the public or organizations
Extra points - interesting part of the report which unique to the writer
Questions to Stakeholder - contacted stakeholder (Rectifyq) to clarify the expectation in terms formatting, or even the scoring criteria
Follow Rectifyq’s social media - followed all Rectifyq’s social media

Conclusion

This challenge really shows that Malaysia has amazing cybersecurity talent, from students to working pros. Everyone brought something different to the table—whether it was offensive skills or traffic analysis—and used those strengths to break down the phishing campaigns targeting Malaysian.

I learned a ton from organizing this, and the feedback from few participants were great. Like I told one of the participants, I can’t officially promise to make this a regular thing just yet. But hopefully, even if I’m not the one running it next time, I hope this inspires other companies or organizations to host similar challenges.

Threat Intelligence focusing on Malaysia 🇲🇾

Thu, 05 Mar 2026 15:01:06 GMT

🇲🇾 Empowering Malaysia’s Cyber Defense

Help us build the future

Rectifyq is evolving. Share your feedback or feature requests via our Google Form.

🛡️ The Mission

A Personal Initiative for National Resilience

Threat Intelligence Malaysia | Rectifyq is a self-funded, personal project dedicated to refining the Malaysian cybersecurity ecosystem. It’s a space for continuous learning, data sharing, and collective defense—bridging the gap between global intelligence and local reality.

🔍 Addressing the “Malaysian Gap”

Global threat reports often overlook our region. Rectifyq focuses on:

Localized Intelligence: Moving beyond Western-centric APT reports to focus on threats hitting 🇲🇾 infrastructure.
Strategic Justification: Providing concrete, local data to help leaders justify cybersecurity investments.
Actionable Contribution: Providing a structured platform for local analysts to share findings and grow together.

🕸️ Ecosystem Map

Our intelligence flows through several specialized channels. Click any node below to explore.

flowchart LR
    A@{ shape: lean-r, label: "Sources" } ==> B[fa:fa-comment MISP202x]
    B ==> C[fa:fa-comment MISPMY]

    subgraph Global
    E@{ shape: lean-r, label: "fab:fa-telegram Telegram" }
    H@{ shape: lean-r, label: "fab:fa-github Github" }
    I@{ shape: lean-r, label: "fab:fa-medium Medium" }
    J@{ shape: lean-r, label: "fab:fa-notion Notion" }
    K@{ shape: lean-r, label: "fab:fa-tiktok Tiktok" }
    L@{ shape: lean-r, label: "fa:fa-virus VirusTotal" }

    end
    subgraph MY-focused
    D@{ shape: lean-r, label: "fa:fa-globe Web" }
    F@{ shape: lean-r, label: "fab:fa-x X(Twitter)" }
    G@{ shape: lean-r, label: "fab:fa-linkedin LinkedIn" }
    end

    B --> E
    B --> J
    B --> K
    B --> I
    B --> H
    B --> L

    C --> D
    C --> F
    C --> G

    click B "https://misp2026.rectifyq.com" _blank
    click C "https://mispmy.rectifyq.com" _blank
    click D "https://rectifyq.com" _blank
    click E "http://t.me/rectifyq" _blank
    click F "https://x.com/_rectifyq" _blank
    click G "https://linkedin.com/company/rectifyq" _blank
    click H "https://github.com/rectifyq" _blank
    click I "https://medium.com/@rectifyq" _blank
    click J "https://rectifyq.notion.site/Rectifyq-7ece6db87cd44ad4b7503e238191b801" _blank
    click K "https://www.tiktok.com/@rectifyq" _blank
    click L "https://www.virustotal.com/gui/user/rectifyq" _blank

    style A stroke:#0f0
    style B stroke:#00f
    style C stroke:#00f

2026-03-03 Silver Dragon Targets Organizations in Southeast Asia and Europe

Tue, 03 Mar 2026 00:00:00 GMT

📃Title: Silver Dragon Targets Organizations in Southeast Asia and Europe
📅Date: 2026-03-03
🔗References:

https://research.checkpoint.com/2026/silver-dragon-targets-organizations-in-southeast-asia-and-europe/

Description

Check Point Research has identified a Chinese-nexus advanced persistent threat group named Silver Dragon, targeting organizations in Southeast Asia and Europe since mid-2024. The group, likely operating under APT41, exploits public-facing servers and uses phishing emails for initial access. They deploy custom tools including GearDoor, a backdoor using Google Drive for command and control, SSHcmd for remote access, and SilverScreen for covert screen monitoring. Silver Dragon primarily focuses on government entities, utilizing Cobalt Strike beacons and DNS tunneling for communication. The group’s sophisticated tactics and evolving toolkit demonstrate a well-resourced and adaptable threat actor.

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
sub-category: TA-profile
target: broad-based
MY-relevancy: relevant
action-taken: diamond-model

🔖MISP Galaxies:

producer Check-Point
region=“035 - South-eastern Asia”
threat-actor APT41
target-information=“Italy”
target-information=“Japan”
target-information=“Kazakhstan”
target-information=“Malaysia”
target-information=“Myanmar”
target-information=“Poland”
target-information=“Russia”
online-service=“4a9eade3-5de4-4a80-9c7a-ba3a7566e130”
malpedia=“Cobalt Strike”
sector=“Government, Administration”
mitre-attack-pattern=[‘T1113’, ‘T1033’, ‘T1132.001’, ‘T1071.004’, ‘T1036.005’, ‘T1021.004’, ‘T1082’, ‘T1053’, ‘T1055’, ‘T1016’, ‘T1083’, ‘T1036.004’, ‘T1049’, ‘T1057’, ‘T1059.001’, ‘T1078’, ‘T1102.002’, ‘T1001.003’, ‘T1059.003’, ‘T1105’]

MISP event uuid: 2e319e49-6c2f-442b-ba50-ae7d2e43ddb4

Indicator of Compromise (IoCs)

type,value,comment
md5, 9d3f61dcaba90db2ede1c1906a80ace2, 'No sample in VT\r\nLast check:06/03/2026'
sha256, 16b9a7358be88632378ba20ba1430786f3b844694b1f876211ecdbecf5cccbc2, 'No sample in VT\r\nLast check:06/03/2026'
sha256, 37b485ed8d150d022c41e5e307b8c54c34ef806625b44d0c940b18be7d5b29ce, 'No sample in VT\r\nLast check:06/03/2026'
domain, ampolice.org, ''
domain, bigflx.net, ''
domain, copilot-cloud.net, ''
domain, exchange4study.com, ''
domain, mindssurpass.com, ''
domain, oicm.org, ''
domain, onedriveconsole.com, ''
domain, protacik.com, ''
domain, revitpourtous.com, ''
domain, splunkds.com, ''
domain, wikipedla.blog, ''
domain, zhydromet.com, ''
hostname, ns1.exchange4study.com, ''
hostname, ns1.onedriveconsole.com, ''
hostname, ns2.onedriveconsole.com, ''
hostname, drivefrontend.pa-clients.workers.dev, ''

Full IOCs available in Rectifyq's MISP```

2026-02-28 Analysis of the “Kongsi Rezeki” on Threads social media QR-phishing campaign

Sat, 28 Feb 2026 00:00:00 GMT

📃Title: Analysis of the “Kongsi Rezeki” on Threads social media QR-phishing campaign
📅Date: 2026-02-28
🔗References:

https://www.notion.so/3ch0/Analysis-of-the-Kongsi-Rezeki-on-Threads-social-media-QR-phishing-campaign-314d05a447d5809abc48e44233792978

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
sub-category: campaign-analysis
target: broad-based
MY-relevancy: relevant

🔖MISP Galaxies:

target-information=“Malaysia”
mitre-attack-pattern=[‘T1531’, ‘T1588.004’, ‘T1583.001’, ‘T1041’, ‘T1111’, ‘T1566.002’, ‘T1598.003’]

MISP event uuid: 0b6037c8-d75d-4ba2-a378-7e0a2757a051

Indicator of Compromise (IoCs)

type,value,comment
url, https://tngduitraya14.gbdjw.my/, 'Landing page after QR scan.'
url, https://tngduitraya14.gbdjw.my/go/, 'Data collection page.'
url, https://tngduitraya14.gbdjw.my/API/index.php, 'C2 server for data exfiltration.'
domain, gbdjw.my, 'Malicious Domain.'
hostname, money.gbdjw.my, ''
hostname, tngduitraya.gbdjw.my, ''
hostname, moneypocket.gbdjw.my, ''

Full IOCs available in Rectifyq's MISP```

2026-02-23 Chronology of MuddyWater APT Attacks Targeting the Middle East

Mon, 23 Feb 2026 00:00:00 GMT

📃Title: Chronology of MuddyWater APT Attacks Targeting the Middle East
📅Date: 2026-02-23
🔗References:

https://www.genians.co.kr/en/blog/threat_intelligence/muddywater-apt?hs_amp=true

Description

This report analyzes the recent activities of the MuddyWater APT group, which primarily targets organizations in the Middle East. The group employs sophisticated spear-phishing techniques, often impersonating legitimate entities and using malicious documents to gain initial access. Their attacks focus on long-term infiltration and intelligence gathering rather than immediate disruption. The report details several attack cases from 2019 to 2026, highlighting the group’s evolving tactics, including the abuse of legitimate remote management tools and the use of Rust-based malware. The analysis emphasizes the importance of endpoint detection and response (EDR) solutions in identifying and mitigating these threats, as traditional perimeter-based security measures prove insufficient against such advanced persistent threats.

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
sub-category: campaign-analysis
topic: geopolitical
target: broad-based
MY-relevancy: relevant

🔖MISP Galaxies:

target-information=“Egypt”
target-information=“Iraq”
target-information=“Israel”
target-information=“Jordan”
target-information=“Malaysia”
target-information=“Oman”
target-information=“Turkmenistan”
threat-actor MuddyWater
mitre-attack-pattern=[‘T1133’, ‘T1071’, ‘T1190’, ‘T1583.001’, ‘T1036’, ‘T1588.001’, ‘T1102’, ‘T1204’, ‘T1059.001’, ‘T1547.001’, ‘T1199’, ‘T1588.002’, ‘T1566’, ‘T1078’, ‘T1027’, ‘T1213’, ‘T1105’, ‘T1569.002’]

MISP event uuid: 902d955b-e5f7-4bca-948e-857e6ab0017c

Indicator of Compromise (IoCs)

type,value,comment
ip-dst, 159.198.66.153, ''
ip-dst, 159.198.68.25, ''
domain, screenai.online, ''
domain, stratioai.org, ''
hostname, nomercys.it.com, ''

Full IOCs available in Rectifyq's MISP```

Achievement

Thu, 19 Feb 2026 01:51:50 GMT

Public mentions/featured

MISP contribution

Misc

https://blog.pulsedive.com/content/files/2024/01/CTI-Networking-Report-2024_Grace-Chi.pdf

Speaking/Training

Trainer at Malaysia Cyber Camp 2025 - https://cybercamp.my/posts/2025/mcc-2025-conquer

MISP Initial Setup

Thu, 12 Feb 2026 08:32:17 GMT

Initial Setup

Setting up Taxonomies

Enable Taxonomies

Enable the following taxonomies:

tlp
type
workflow
ms-caro-malware

Adding Custom Rectifyq Taxonomies

cd /var/www/MISP/app/files/taxonomies/
mkdir rectifyq
cd rectifyq
nano machinetag.json

Tips in case of copy issue:

jq . machinetag.json > temp
mv temp machinetag.json

Add the following content to machinetag.json

{
    "namespace": "rectifyq",
    "description": "Rectifyq taxonomies used for checklist, context and statistics",
    "version": 2.6,
    "predicates": [{
            "value": "category",
            "expanded": "Category"
        }, {
            "value": "sub-category",
            "expanded": "Sub-Category"
        }, {
            "value": "topic",
            "expanded": "Related topics"
        }, {
            "value": "TA-category",
            "expanded": "Threat Actor Category"
        }, {
            "value": "target",
            "expanded": "Target"
        }, {
            "value": "samples-found-in",
            "expanded": "Samples found in"
        }, {
            "value": "no-samples-in",
            "expanded": "No samples in"
        }, {
            "value": "ioc",
            "expanded": "IOC"
        }, {
            "value": "MY-relevancy",
            "expanded": "Malaysia relevancy"
        }, {
            "value": "workflow",
            "expanded": "Workflow"
        }, {
            "value": "mitre-att&ck",
            "expanded": "MITRE ATT&CK"
        }, {
            "value": "detection-rules",
            "expanded": "Detection Rules"
        }, {
            "value": "action-taken",
            "expanded": "Action taken"
        }
    ],
    "values": [{
            "predicate": "category",
            "entry": [{
                    "value": "threat",
					"colour": "#49a260",
                    "expanded": "Threat related event - mostly contains IOCs"
                }, {
                    "value": "data-breach",
					"colour": "#49a260",
                    "expanded": "Data breach related event"
                }, {
                    "value": "vulnerability",
					"colour": "#49a260",
                    "expanded": "Vulnerability related event"
                }
            ]
        }, {
            "predicate": "sub-category",
            "entry": [{
                    "value": "TA-profile",
                    "expanded": "Threat Actor Profile: Comprehensive dossiers on specific groups (e.g., APT41, Lazarus), including motives, history, and suspected origin."
                }, {
                    "value": "tool-profile",
                    "expanded": "Tooling Context: Analysis of non-malicious tools used for malicious purposes (e.g., Cobalt Strike, PowerShell, AdFind)."
                }, {
                    "value": "malware-analysis",
                    "expanded": "Technical Deep-Dive: Results from sandbox execution, reverse engineering, or static analysis of a specific sample."
                }, {
                    "value": "intrusion-analysis",
                    "expanded": "Incident Reconstruction: The story of a breach, mapping out the full kill-chain from initial access to data exfiltration."
                }, {
                    "value": "infra-profile",
                    "expanded": "Infrastructure Mapping: Details on C2 servers, IP ranges, ASN reputations, and domain registration patterns used by attackers."
                }, {
					"value": "campaign-analysis",
                    "expanded": "Strategic Grouping: Analysis of a series of related incidents/attacks over a specific timeframe, often linked by shared infrastructure, TTPs, or themes."
                }, {
                    "value": "leak-forums",
                    "expanded": "Dark Web Monitoring: Intelligence gathered from illicit underground marketplaces or forums where data/access is sold."
                }, {
                    "value": "leak-infostealer",
                    "expanded": "Stealer Logs: Specific data exfiltrated via malware like RedLine or Lumma (e.g., credentials, cookies, crypto wallets)."
                }, {
                    "value": "report",
                    "expanded": "Finished Intel: High-level narrative summaries or white papers (internal or third-party) that synthesize multiple events."
                }, {
                    "value": "zero-day",
                    "expanded": "Unpatched Exploits: High-priority indicators for vulnerabilities that have no official patch or were exploited before public awareness."
                }, {
                    "value": "branded-vuln",
                    "expanded": "High-Profile Bugs: Vulnerabilities with marketing names/logos (e.g., Heartbleed, PwnKit) that often see rapid, mass exploitation."
                }, {
                    "value": "critical-vuln",
                    "expanded": "High-Severity Flaws: Standard vulnerabilities that carry a high CVSS/EPSS score but may not have a brand name."
                }
            ]
        }, {
            "predicate": "topic",
            "entry": [{
                    "value": "mobile-attack",
                    "expanded": "Indicators and patterns related to mobile OS (Android/iOS) exploits, malicious apps, and smishing."
                }, {
                    "value": "ai",
                    "expanded": "Threats targeting AI models (adversarial ML), or attacks generated/enhanced by AI/LLMs."
                }, {
                    "value": "supply-chain",
                    "expanded": "Compromises of third-party vendors, software libraries (e.g., npm/PyPI), or hardware manufacturing."
                }, {
                    "value": "ics-ot",
                    "expanded": "Attacks on Industrial Control Systems, SCADA, and operational technology in critical infrastructure."
                }, {
					"value": "web3",
                    "expanded": "Threats targeting decentralized protocols, DAOs, and smart contract vulnerabilities."
                }, {
                    "value": "crypto-related",
                    "expanded": "Cryptojacking, wallet draining, and fraudulent initial offerings or exchange breaches."
                }, {
                    "value": "cloud",
                    "expanded": "Exploits targeting container orchestration (Kubernetes), serverless functions, and CSP misconfigurations."
                }, {
                    "value": "insider-threat",
                    "expanded": "Malicious or accidental data exfiltration and system sabotage by authorized users."
                }, {
                    "value": "geopolitical",
                    "expanded": "Nation-state sponsored activity, cyber-espionage, and attacks linked to physical conflicts."
                }, {
                    "value": "api-security",
                    "expanded": "Vulnerabilities in REST/GraphQL endpoints, broken authentication, and mass assignment attacks."
                }
            ]
        }, {
            "predicate": "TA-category",
            "entry": [{
                    "value": "APT",
					"colour": "#f1dfed",
                    "expanded": "Advance Persistent Threat"
                }, {
                    "value": "State-Sponsored",
					"colour": "#f1dfed",
                    "expanded": "State Sponsored"
                }, {
                    "value": "Cybercrime",
					"colour": "#f1dfed",
                    "expanded": "Cybercrime"
                }, {
                    "value": "Ransomware",
					"colour": "#f1dfed",
                    "expanded": "Ransomware"
                }, {
                    "value": "Hacktivist",
					"colour": "#f1dfed",
                    "expanded": "Hacktivist"
                }
            ]
        }, {
            "predicate": "target",
            "entry": [{
                    "value": "broad-based",
					"colour": "#ffd12e",
                    "expanded": "Broad based attacks"
                }, {
                    "value": "targeted",
					"colour": "#d92121",
                    "expanded": "Targeted attacks"
                }
            ]
        }, {
            "predicate": "samples-found-in",
            "entry": [{
                    "value": "MalwareBazaar",
                    "expanded": "MalwareBazaar"
                }, {
                    "value": "VirusTotal",
                    "expanded": "VirusTotal"
                }, {
                    "value": "Tria.ge",
                    "expanded": "Tria.ge"
                }
            ]
        }, {
            "predicate": "no-samples-in",
            "entry": [{
                    "value": "MalwareBazaar",
					"colour": "#626567",
                    "expanded": "MalwareBazaar"
                }, {
                    "value": "VirusTotal",
					"colour": "#626567",
                    "expanded": "VirusTotal"
                }, {
                    "value": "Tria.ge",
					"colour": "#626567",
                    "expanded": "Tria.ge"
                }
            ]
        }, {
            "predicate": "ioc",
            "entry": [{
                    "value": "enriched",
                    "expanded": "IOC enriched"
                }, {
                    "value": "no-detection-by-any-vendor",
                    "expanded": "No detection by any vendor"
                }, {
                    "value": "low-detection-by-any-vendor",
                    "expanded": "Low detection by any vendor"
                }
            ]
        }, {
            "predicate": "MY-relevancy",
            "entry": [{
                    "value": "not-relevant",
					"colour": "#31373d",
                    "expanded": "Not relevant to Malaysia context - good to know"
                }, {
                    "value": "potentially-relevant",
					"colour": "#55acee",
                    "expanded": "Potentially relevant to Malaysia context e.g. Infostealers impact globally"
                }, {
                    "value": "somewhat-relevant",
					"colour": "#fdcb58",
                    "expanded": "Somewhat relevant to Malaysia context e.g. APT target Asian country."
                }, {
                    "value": "relevant",
					"colour": "#dd2e44",
                    "expanded": "Highly relevant to Malaysia context e.g. APT target Malaysia"
                }
            ]
        }, {
            "predicate": "workflow",
            "entry": [{
                    "value": "check-date",
                    "expanded": "Check article date"
                }, {
                    "value": "review-severity",
                    "expanded": "Review Severity"
                }, {
                    "value": "check-producer",
                    "expanded": "Check producer"
                }, {
                    "value": "check-actor",
                    "expanded": "Check Threat Actor"
                }, {
                    "value": "check-target",
                    "expanded": "Check Target"
                }, {
                    "value": "check-tool",
                    "expanded": "Check Tools"
                }, {
                    "value": "check-malware",
                    "expanded": "Check Malware"
                }, {
                    "value": "check-TTP",
                    "expanded": "Check TTPs"
                }, {
                    "value": "add-ioc-context",
                    "expanded": "Add IOC contexts"
                }, {
                    "value": "check-key-indicator",
                    "expanded": "Check Key Indicator unique to TA"
                }, {
                    "value": "enrichment",
                    "expanded": "Enrichment"
                }, {
                    "value": "need-sample-sponsor",
                    "expanded": "Require Malware sample sponsor, either upload to Malware Bazaar (preferred) or upload directly to MISP(for sample with sensitive data)"
                }, {
                    "value": "to-report-to",
                    "expanded": "To report to relevant parties such as the owner, hosting provider, MyCERT, registrar or etc."
                }
            ]
        }, {
            "predicate": "mitre-att&ck",
            "entry": [{
                    "value": "from-original-src",
					"colour": "#b94b1d",
                    "expanded": "TTPs included in original source"
                }, {
                    "value": "none-from-src",
					"colour": "#b94b1d",
                    "expanded": "No TTPs included in original source"
                }, {
                    "value": "from-OTX",
					"colour": "#b94b1d",
                    "expanded": "TTPs from OTX"
                }, {
                    "value": "self-curated",
					"colour": "#b94b1d",
                    "expanded": "Self curated TTPs"
                }
            ]
        }, {
            "predicate": "detection-rules",
            "entry": [{
                    "value": "yara-from-src",
                    "expanded": "YARA from source"
                }, {
                    "value": "sigma-from-src",
                    "expanded": "Sigma rules from source"
                }, {
                    "value": "snort-from-src",
                    "expanded": "Snort rule from source"
                }, {
                    "value": "yara-from-VT",
                    "expanded": "YARA from VirusTotal"
                }, {
                    "value": "sigma-from-VT",
                    "expanded": "Sigma rules from source"
                }
            ]
        }, {
            "predicate": "action-taken",
            "entry": [{
                    "value": "VT-collection",
                    "expanded": "Added to VT Collection"
                }, {
                    "value": "VT-comment",
                    "expanded": "Added to VT comment"
                }, {
                    "value": "github",
                    "expanded": "Added to Github"
                }, {
                    "value": "diamond-model",
                    "expanded": "Created Diamond Model"
                }, {
                    "value": "x",
                    "expanded": "Shared to X"
                }, {
                    "value": "linkedin",
                    "expanded": "Shared to Linkedin"
                }, {
                    "value": "tiktok",
                    "expanded": "Shared to Tiktok"
                }, {
                    "value": "medium",
                    "expanded": "Shared to Medium"
                }, {
                    "value": "telegram",
                    "expanded": "Shared to Telegram"
                }, {
                    "value": "threatfox",
                    "expanded": "Added to ThreatFox"
                }, {
                    "value": "malwarebazaar",
                    "expanded": "Added to MalwareBazaar"
                }, {
                    "value": "phishtank",
                    "expanded": "Added to PhishTank"
                }, {
                    "value": "report-to-mycert",
                    "expanded": "Reported to MyCERT"
                }, {
                    "value": "report-to-hosting-provider",
                    "expanded": "Reported to Hosting Provider"
                }, {
                    "value": "report-to-registrar",
                    "expanded": "Reported to Registrar"
                }, {
                    "value": "urlhaus",
                    "expanded": "Added to URLHaus"
                }, {
                    "value": "urlscan.io",
                    "expanded": "Added to urlscan.io"
                }, {
                    "value": "report-google-safe-browsing",
                    "expanded": "Reported to Google Safe Browsing"
                }
            ]
        }
    ]
}

Setting up Galaxies

Disable unnecessary Galaxies

Disable the following unnecessary galaxies

Dashboard

Import following dashboard config

{
    "UserSetting": {
        "id": "1",
        "setting": "dashboard",
        "value": [
            {
                "widget": "MispStatusWidget",
                "config": [],
                "position": {
                    "x": "10",
                    "y": "10",
                    "width": "2",
                    "height": "2"
                }
            },
            {
                "widget": "TrendingTagsWidget",
                "config": {
                    "alias": "Top Category [Threat, Data Breach, Vulnerability]",
                    "time_window": "-1",
                    "include": [
                        "rectifyq:category"
                    ]
                },
                "position": {
                    "x": "0",
                    "y": "0",
                    "width": "3",
                    "height": "2"
                }
            },
            {
                "widget": "AuthenticationFailureWidget",
                "config": [],
                "position": {
                    "x": "10",
                    "y": "7",
                    "width": "2",
                    "height": "1"
                }
            },
            {
                "widget": "MispAdminWorkerWidget",
                "config": [],
                "position": {
                    "x": "10",
                    "y": "0",
                    "width": "2",
                    "height": "7"
                }
            },
            {
                "widget": "TrendingTagsWidget",
                "config": {
                    "alias": "Top Sub-Category",
                    "time_window": "-1",
                    "include": [
                        "rectifyq:sub-category"
                    ]
                },
                "position": {
                    "x": "0",
                    "y": "2",
                    "width": "3",
                    "height": "3"
                }
            },
            {
                "widget": "TrendingTagsWidget",
                "config": {
                    "alias": "Top Relevancy",
                    "time_window": "-1",
                    "include": [
                        "rectifyq:MY-relevancy"
                    ]
                },
                "position": {
                    "x": "0",
                    "y": "5",
                    "width": "3",
                    "height": "2"
                }
            },
            {
                "widget": "TrendingTagsWidget",
                "config": {
                    "alias": "Top TA-Category",
                    "time_window": "-1",
                    "include": [
                        "rectifyq:TA-category"
                    ]
                },
                "position": {
                    "x": "0",
                    "y": "7",
                    "width": "3",
                    "height": "2"
                }
            },
            {
                "widget": "TrendingTagsWidget",
                "config": {
                    "alias": "Top MITRE ATT&CK",
                    "time_window": "-1",
                    "include": [
                        "rectifyq:mitre-att&ck"
                    ]
                },
                "position": {
                    "x": "0",
                    "y": "9",
                    "width": "3",
                    "height": "3"
                }
            },
            {
                "widget": "APIActivityWidget",
                "config": [],
                "position": {
                    "x": "10",
                    "y": "8",
                    "width": "2",
                    "height": "1"
                }
            },
            {
                "widget": "LoginsWidget",
                "config": [],
                "position": {
                    "x": "10",
                    "y": "9",
                    "width": "2",
                    "height": "1"
                }
            },
            {
                "widget": "TrendingTagsWidget",
                "config": {
                    "alias": "Top Producer",
                    "time_window": "-1",
                    "include": [
                        "misp-galaxy:producer="
                    ],
                    "threshold": 100
                },
                "position": {
                    "x": "3",
                    "y": "0",
                    "width": "3",
                    "height": "15"
                }
            },
            {
                "widget": "TrendingTagsWidget",
                "config": {
                    "alias": "Top Detection Included",
                    "time_window": "-1",
                    "include": [
                        "rectifyq:detection"
                    ]
                },
                "position": {
                    "x": "0",
                    "y": "12",
                    "width": "3",
                    "height": "3"
                }
            },
            {
                "widget": "TrendingTagsWidget",
                "config": {
                    "alias": "Top Ransomware",
                    "time_window": "-1",
                    "include": [
                        "misp-galaxy:ransomware="
                    ],
                    "threshold": "100"
                },
                "position": {
                    "x": "6",
                    "y": "5",
                    "width": "2",
                    "height": "10"
                }
            },
            {
                "widget": "TrendingTagsWidget",
                "config": {
                    "alias": "Top 10 Malpedia",
                    "time_window": "-1",
                    "include": [
                        "misp-galaxy:malpedia="
                    ],
                    "threshold": "10"
                },
                "position": {
                    "x": "6",
                    "y": "0",
                    "width": "2",
                    "height": "5"
                }
            },
            {
                "widget": "TrendingTagsWidget",
                "config": {
                    "alias": "Threat Actor",
                    "time_window": "-1",
                    "include": [
                        "misp-galaxy:threat-actor="
                    ],
                    "threshold": "100"
                },
                "position": {
                    "x": "8",
                    "y": "0",
                    "width": "2",
                    "height": "15"
                }
            }
        ],
        "user_id": "1",
        "timestamp": "1742012921"
    }
}

Enable Plugins

Enrichment

Plugin.Enrichment_vulnerability_lookup_enabled
Plugin.Enrichment_html_to_markdown_enabled
Plugin.Enrichment_extract_url_components_enabled
Plugin.Enrichment_mmdb_lookup_enabled

Import

Plugin.Import_csvimport_enabled
Plugin.Import_ocr_enabled
Plugin.Import_mispjson_enabled

Export

Enable Warning List

Warning List

Optional: Enforce MFA

Administration > Server Settings & Maintenance > Security

Security.otp_disabled False
Security.otp_required True

Change OS Timezone

timedatectl list-timezones
sudo timedatectl set-timezone Asia/Kuala_Lumpur

Installing MISP + MISP Module

Thu, 12 Feb 2026 08:32:17 GMT

Installing MISP + MISP Module

Ubuntu 24.04

Download and install Ubuntu 24.04 from here.

You can use any virtualization method you are familiar with such as Virtualbox, VMware Workstation, Hyper-V, etc.

My resource setup for this homelab MISP:

vCPU: 2
RAM: 2GB (Recommended 4GB above)
Disk: 60GB

Update && Upgrade

sudo apt-get update -y && sudo apt-get upgrade -y

Installing MISP 2.5

wget --no-cache -O /tmp/INSTALL.sh https://raw.githubusercontent.com/MISP/MISP/refs/heads/2.5/INSTALL/INSTALL.ubuntu2404.sh

sudo bash /tmp/INSTALL.sh

Change BaseURL

Depending on how you host this MISP and the network adapter config (NAT/Bridge/etc.), change it accordingly

sudo -u www-data /var/www/MISP/app/Console/cake admin setSetting MISP.baseurl https://your-ip-or-domain.com

Install MISP Modules

sudo -u www-data virtualenv -p python3 /var/www/MISP/venv

sudo apt-get install python3-dev python3-pip libpq5 libjpeg-dev tesseract-ocr libpoppler-cpp-dev pkg-config imagemagick virtualenv libopencv-dev zbar-tools libzbar0 libzbar-dev libfuzzy-dev build-essential -y

sudo -u www-data /var/www/MISP/venv/bin/pip install misp-modules

sudo -u www-data /var/www/MISP/venv/bin/pip install \
    git+https://github.com/cartertemm/ODTReader.git \
    git+https://github.com/abenassi/Google-Search-API \
    git+https://github.com/SteveClement/trustar-python.git \
    git+https://github.com/sebdraven/pydnstrails.git \
    git+https://github.com/sebdraven/pyonyphe.git

sudo nano /etc/systemd/system/misp-modules.service

Then write the following in the file

[Unit]
Description=MISP modules
After=network.target

[Service]
User=www-data
Group=www-data
Environment="PATH=/var/www/MISP/venv/bin/"
ExecStart=/var/www/MISP/venv/bin/misp-modules -l 127.0.0.1
Restart=always


[Install]
WantedBy=multi-user.target

sudo chmod 774 /etc/systemd/system/misp-modules.service

sudo systemctl daemon-reload

sudo systemctl enable --now misp-modules

Enable it in Administration > Server Settings & Maintenance > Plugins

Threat Intelligence Platform

Thu, 12 Feb 2026 08:32:17 GMT

Rectifyq utilizes MISP for Threat Intelligence Platform (TIP)

Contact Us

Thu, 12 Feb 2026 08:32:17 GMT

Connect with Rectifyq

Whether you’re a CISO looking for a strategic briefing, a SOC analyst needing API support, or a student wanting to learn more about the Malaysian threat landscape—we’re here to help.

How can we help?

General Inquiries

For partnerships, media requests, or just to say Salam, drop us an email: 📧 hello@rectifyq.com

API & Technical Support

Need help integrating our MISP feeds into your SIEM? Our engineering team is on standby. 📧 support@rectifyq.com 🛠️ Check out our API-Documentation first!

Report a Local Incident

Found a new APK scam or a phishing domain targeting a Malaysian bank? Let’s analyze it together. Note: We are a private CTI entity. For official government reporting, please also contact NACSA or Cyber999. 📧 phishing@rectifyq.com

Community & Socials

We believe in “connecting the dots” together. Follow our latest deep dives and technical breakdowns on our social channels:

Medium: Rectifyq Lab (Deep technical TTP breakdowns)
LinkedIn: Rectifyq Malaysia (CISO-level updates & news)
Telegram: t.me/rectifyq (Real-time local IoC alerts)

Looking for data right now? Search our MY Threat Landscape.

Resources

Thu, 12 Feb 2026 08:32:17 GMT

The Rectifyq Toolbox

To move from “collecting data” to “producing intelligence,” you need the right tools and a structured approach. This page centralizes the resources we use at Rectifyq to track and analyze the Malaysian threat landscape.

📕Notion

🗓️Malaysia Cybersecurity Events
🔁Cybersecurity Subscription Comparison
💼Certification Comparison and Action Plan (CCAP)

💻Github Repos

Collections

CTFd to MISP Importer

CTFd-to-MISP

💬MISP Feed (Free Integration - TLP:Clear only)

🌏Global MISP events

MISP 2024 - https://feeds.rectifyq.com/MISP2024
MISP 2025 - https://feeds.rectifyq.com/MISP2025
MISP 2026 - soon

🇲🇾 MISP MY

MISP MY - soon

📦Miscelleanous

MISP CTFs - soon

Malaysia Cybersecurity Ecosystem

flowchart TB
    direction RL
    subgraph CTF
        direction RL
        C1[Wargames.my]
        C2[GCTF]
        C3[Bahtera Siber]
        C4[Sherpasec CTF]
        C5[I-Hack]
        C6[ABOH]
        C7[UTPHax]
        C8[Hack@10]
        C9[SunCTF]
        C10[KPMG]
        C11[iCTFF]
    end
    subgraph Community
        direction RL
        M1[Rawsec]
        M2[Sherpasec]
        M3[Offsec]
        M4[ISC2]
        M5[OWASP KL]
        M6[MyOPECS]
    end
    subgraph Conferences
        direction RL
        F1[CyberDSA]
        F2[Cydes]
        F3[NanoSec]
        F4[5GOT]

    end


    click M1 "https://mcco.org.my/" _blank
    click M2 "https://sherpasec.org/" _blank
    click M3 "https://www.linkedin.com/groups/14716092/" _blank
    click M4 "https://www.isc2chapter.my/" _blank
    click M5 "https://owasp.org/www-chapter-kuala-lumpur/" _blank
    click M6 "https://t.me/+HZLe3mJs9MxlNzRl" _blank

    click C1 "https://wargames.my" _blank
    click C2 "https://girls-in-ctf.online/" _blank
    click C3 "https://x.com/bahterasiber" _blank
    click C4 "https://sherpasec.org/sherpactf/" _blank
    click C5 "https://news.uitm.edu.my/2024/07/ihack-2024-and-siber-siaga-2024-malaysia-takes-strides-in-cybersecurity-education-and-awareness/" _blank
    click C6 "https://www.linkedin.com/posts/apumalaysia_the-asean-battle-of-hackers-aboh-2023-activity-7147881717654036481-ViCf/" _blank
    click C7 "https://utphax.github.io/" _blank
    click C8 "https://linktr.ee/hackaten" _blank
    click C9 "https://www.linkedin.com/company/csc-sunway/" _blank
    click C10 "https://www.youtube.com/watch?v=xSIKCjKj2gY" _blank
    click C11 "https://www.ictff.com.my/" _blank

    click F1 "https://www.cyberdsa.com/" _blank
    click F2 "https://cydes.my/" _blank
    click F3 "https://nanosec.asia/" _blank
    click F4 "https://5got.asia/" _blank

2026-02-12 LockBit strikes with new 5.0 version, targeting Windows, Linux and ESXI systems

Thu, 12 Feb 2026 00:00:00 GMT

📃Title: LockBit strikes with new 5.0 version, targeting Windows, Linux and ESXI systems
📅Date: 2026-02-12
🔗References:

https://www.acronis.com/en/tru/posts/lockbit-strikes-with-new-50-version-targeting-windows-linux-and-esxi-systems

Description

LockBit 5.0, the latest version of the notorious ransomware, has been released with support for Windows, Linux, and ESXi systems. This update brings improved defense evasion, faster encryption, and enhanced modularity. The Windows variant employs extensive anti-analysis techniques, while Linux and ESXi versions remain unpacked. All variants share a common encryption scheme using XChaCha20 and Curve25519. LockBit 5.0 demonstrates a focus on enterprise and infrastructure targets, including explicit support for Proxmox virtualization. The group’s data leak site reveals a primary focus on the U.S. business sector, with victims spanning various industries. LockBit’s infrastructure has shown connections to SmokeLoader, suggesting possible cooperation or infrastructure reuse among malware operators.

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
sub-category: malware-analysis
target: broad-based
MY-relevancy: relevant

🔖MISP Galaxies:

target-information=“United States”
ransomware=“lockbit5”
malpedia=“SmokeLoader”
target-information=“Argentina”
target-information=“Bolivia”
target-information=“Brazil”
target-information=“China”
target-information=“Czech Republic”
target-information=“Egypt”
target-information=“Estonia”
target-information=“France”
target-information=“Germany”
target-information=“India”
target-information=“Ireland”
target-information=“Italy”
target-information=“Kuwait”
target-information=“Malaysia”
target-information=“Mexico”
target-information=“Singapore”
target-information=“South Africa”
target-information=“Spain”
target-information=“Thailand”
target-information=“Turkey”
target-information=“United Arab Emirates”
target-information=“United Kingdom”
mitre-attack-pattern=[‘T1489’, ‘T1553.002’, ‘T1082’, ‘T1071’, ‘T1140’, ‘T1036’, ‘T1055’, ‘T1562.002’, ‘T1112’, ‘T1070.001’, ‘T1222’, ‘T1083’, ‘T1497’, ‘T1480’, ‘T1078’, ‘T1027’, ‘T1486’, ‘T1573’, ‘T1490’]

MISP event uuid: db240f3d-7cc8-4a58-9b99-69e778ab7a5d

Indicator of Compromise (IoCs)

type,value,comment
domain, lockbit7z2jwcskxpbokpemdxmltipntwlkmidcll2qirbu7ykg46eyd.onion, ''
domain, lockbit7z2mmiz3ryxafn5kapbvbbiywsxwovasfkgf5dqqp5kxlajad.onion, ''
domain, lockbit7z2og4jlsmdy7dzty3g42eu3gh2sx2b6ywtvhrjtss7li4fyd.onion, ''
domain, lockbit7z355oalq4hiy5p7de64l6rsqutwlvydqje56uvevcc57r6qd.onion, ''
domain, lockbit7z36ynytxwjzuoao46ck7b3753gpedary3qvuizn3iczhe4id.onion, ''
domain, lockbit7z37ntefjdbjextn6tmdkry4j546ejnru5cejeguitiopvhad.onion, ''
domain, lockbit7z3azdoxdpqxzliszutufbc2fldagztdu47xyucp25p4xtqad.onion, ''
domain, lockbit7z3ddvg5vuez2vznt73ljqgwx5tnuqaa2ye7lns742yiv2zyd.onion, ''
domain, lockbit7z3hv7ev5knxbrhsvv2mmu2rddwqizdz4vwfvxt5izrq6zqqd.onion, ''
domain, lockbit7z3ujnkhxwahhjduh5me2updvzxewhhc5qvk2snxezoi5drad.onion, ''
domain, lockbit7z4bsm63m3dagp5xglyacr4z4bwytkvkkwtn6enmuo5fi5iyd.onion, ''
domain, lockbit7z4cgxvictidwfxpuiov4scdw34nxotmbdjyxpkvkg34mykyd.onion, ''
domain, lockbit7z4k5zer5fbqi2vdq5sx2vuggatwyqvoodrkhubxftyrvncid.onion, ''
domain, lockbit7z4ndl6thsct34yd47jrzdkpnfg3acfvpacuccb45pnars2ad.onion, ''
domain, lockbit7z55tuwaflw2c7torcryobdvhkcgvivhflyndyvcrexafssad.onion, ''
domain, lockbit7z57mkicfkuq44j6yrpu5finwvjllczkkp2uvdedsdonjztyd.onion, ''
domain, lockbit7z5ehshj6gzpetw5kso3onts6ty7wrnneya5u4aj3vzkeoaqd.onion, ''
domain, lockbit7z5hwf6ywfuzipoa42tjlmal3x5suuccngsamsgklww2xgyqd.onion, ''
domain, lockbit7z5ltrhzv46lsg447o3cx2637dloc3qt4ugd3gr2xdkkkeayd.onion, ''
domain, lockbit7z6choojah4ipvdpzzfzxxchjbecnmtn4povk6ifdvx2dpnid.onion, ''
domain, lockbit7z6dqziutocr43onmvpth32njp4abfocfauk2belljjpobxyd.onion, ''
domain, lockbit7z6f3gu6rjvrysn5gjbsqj3hk3bvsg64ns6pjldqr2xhvhsyd.onion, ''
domain, lockbit7z6qinyhhmibvycu5kwmcvgrbpvtztkvvmdce5zwtucaeyrqd.onion, ''
domain, lockbit7z6rzyojiye437jp744d4uwtff7aq7df7gh2jvwqtv525c4yd.onion, ''
domain, lockbitfbinpwhbyomxkiqtwhwiyetrbkb4hnqmshaonqxmsrqwg7yad.onion, ''
domain, lockbitsuppyx2jegaoyiw44ica5vdho63m5ijjlmfb7omq3tfr3qhyd.onion, ''
domain, rodericwalter.com, ''
ip-dst, 205.185.116.233, 'LockBit exposed server'
domain, karma0.xyz, 'LockBit exposed server'
url, http://lockbitfbinpwhbyomxkiqtwhwiyetrbkb4hnqmshaonqxmsrqwg7yad.onion/, 'Data leak site'
url, http://lockbitsuppyx2jegaoyiw44ica5vdho63m5ijjlmfb7omq3tfr3qhyd.onion, 'Threat actor chat link'
url, http://lockbit7z2jwcskxpbokpemdxmltipntwlkmidcll2qirbu7ykg46eyd.onion/, 'Leaked data mirrors'
url, http://lockbit7z2mmiz3ryxafn5kapbvbbiywsxwovasfkgf5dqqp5kxlajad.onion/, 'Leaked data mirrors'
url, http://lockbit7z2og4jlsmdy7dzty3g42eu3gh2sx2b6ywtvhrjtss7li4fyd.onion/, 'Leaked data mirrors'
url, http://lockbit7z355oalq4hiy5p7de64l6rsqutwlvydqje56uvevcc57r6qd.onion/, 'Leaked data mirrors'
url, http://lockbit7z36ynytxwjzuoao46ck7b3753gpedary3qvuizn3iczhe4id.onion/, 'Leaked data mirrors'
url, http://lockbit7z37ntefjdbjextn6tmdkry4j546ejnru5cejeguitiopvhad.onion/, 'Leaked data mirrors'
url, http://lockbit7z3azdoxdpqxzliszutufbc2fldagztdu47xyucp25p4xtqad.onion/, 'Leaked data mirrors'
url, http://lockbit7z3ddvg5vuez2vznt73ljqgwx5tnuqaa2ye7lns742yiv2zyd.onion/, 'Leaked data mirrors'
url, http://lockbit7z3hv7ev5knxbrhsvv2mmu2rddwqizdz4vwfvxt5izrq6zqqd.onion/, 'Leaked data mirrors'
url, http://lockbit7z3ujnkhxwahhjduh5me2updvzxewhhc5qvk2snxezoi5drad.onion/, 'Leaked data mirrors'
url, http://lockbit7z4bsm63m3dagp5xglyacr4z4bwytkvkkwtn6enmuo5fi5iyd.onion/, 'Leaked data mirrors'
url, http://lockbit7z4cgxvictidwfxpuiov4scdw34nxotmbdjyxpkvkg34mykyd.onion/, 'Leaked data mirrors'
url, http://lockbit7z4k5zer5fbqi2vdq5sx2vuggatwyqvoodrkhubxftyrvncid.onion/, 'Leaked data mirrors'
url, http://lockbit7z4ndl6thsct34yd47jrzdkpnfg3acfvpacuccb45pnars2ad.onion/, 'Leaked data mirrors'
url, http://lockbit7z55tuwaflw2c7torcryobdvhkcgvivhflyndyvcrexafssad.onion/, 'Leaked data mirrors'
url, http://lockbit7z57mkicfkuq44j6yrpu5finwvjllczkkp2uvdedsdonjztyd.onion/, 'Leaked data mirrors'
url, http://lockbit7z5ehshj6gzpetw5kso3onts6ty7wrnneya5u4aj3vzkeoaqd.onion/, 'Leaked data mirrors'
url, http://lockbit7z5hwf6ywfuzipoa42tjlmal3x5suuccngsamsgklww2xgyqd.onion/, 'Leaked data mirrors'
url, http://lockbit7z5ltrhzv46lsg447o3cx2637dloc3qt4ugd3gr2xdkkkeayd.onion/, 'Leaked data mirrors'
url, http://lockbit7z6choojah4ipvdpzzfzxxchjbecnmtn4povk6ifdvx2dpnid.onion/, 'Leaked data mirrors'
url, http://lockbit7z6dqziutocr43onmvpth32njp4abfocfauk2belljjpobxyd.onion/, 'Leaked data mirrors'
url, http://lockbit7z6f3gu6rjvrysn5gjbsqj3hk3bvsg64ns6pjldqr2xhvhsyd.onion/, 'Leaked data mirrors'
url, http://lockbit7z6qinyhhmibvycu5kwmcvgrbpvtztkvvmdce5zwtucaeyrqd.onion/, 'Leaked data mirrors'
url, http://lockbit7z6rzyojiye437jp744d4uwtff7aq7df7gh2jvwqtv525c4yd.onion/, 'Leaked data mirrors'

Full IOCs available in Rectifyq's MISP```

Contribute

Thu, 12 Feb 2026 00:00:00 GMT

🤝 Join the Mission

Cyber Threat Intelligence (CTI) is a team sport. At Rectifyq, we believe that collective defense is the best defense—especially within our local Malaysian landscape.

Whether you are a seasoned CTI practitioner or a student just starting your journey, your analysis helps make the digital space safer for everyone.

🔍 How You Can Help

You don’t need a formal invitation to contribute. If you find something interesting using the data on the Rectifyq website or our MISP instance, we want to see your insights!

Areas of Focus

We are particularly interested in reports covering:

👤 Threat Actor Profiles: Deep dives into groups targeting Malaysian infrastructure or local industries.
🦠 Malware Analysis: Reverse engineering or behavioral analysis of samples found in the wild locally.
🚨 Incident Analysis: Post-mortem or technical breakdowns of recent Malaysian cyber incidents.
🔓 Leak Data Analysis: Investigating data breaches, credential dumps, or PII leaks affecting Malaysian citizens.
🎣 Phishing Analysis: Tracking local phishing kits, SMS scams (Smishing), or brand impersonation campaigns.

🛠 The Workflow

Contributing is straightforward:

Analyze: Use the indicators (IoCs) and telemetry available on our website or MISP.
Report: Create a technical write-up, a Gist, a PDF, or even a detailed social media thread.
Notify: This is the most important part! Let us know you’ve published something so we can amplify your work.

TIP

Where to find us? Reach out to us via X (Twitter), LinkedIn, or any of our official social media channels. We’d love to feature your work or link it back to our intelligence feeds.

🎓 For Students

If you’re a student using Rectifyq data for your final year project or personal research, don’t be shy! Contributing a report is a fantastic way to build your portfolio and get noticed by the local cybersecurity community.

2026-02-05 The Shadow Campaigns Uncovering Global Espionage

Thu, 05 Feb 2026 00:00:00 GMT

📃Title: The Shadow Campaigns: Uncovering Global Espionage
📅Date: 2026-02-05
🔗References:

https://unit42.paloaltonetworks.com/shadow-campaigns-uncovering-global-espionage

Description

This investigation reveals a new cyberespionage group tracked as TGR-STA-1030, believed to be a state-aligned actor operating from Asia. Over the past year, the group has compromised government and critical infrastructure organizations in 37 countries, targeting ministries, law enforcement agencies, and departments related to economic, trade, and diplomatic functions. The group employs sophisticated phishing and exploitation techniques, leveraging various tools and infrastructure to maintain persistent access. Their activities span across the Americas, Europe, Asia, Oceania, and Africa, with a focus on countries exploring certain economic partnerships. The group’s operations often coincide with significant geopolitical events and economic interests, particularly in sectors like rare earth minerals and international trade agreements.

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
sub-category: TA-profile
target: targeted
MY-relevancy: relevant
action-taken: diamond-model

🔖MISP Galaxies:

producer Palo-Alto
target-information=“United States”
target-information=“United Kingdom”
target-information=“Singapore”
target-information=“Brazil”
target-information=“Mexico”
target-information=“Panama”
target-information=“Cyprus”
target-information=“Czech Republic”
target-information=“Germany”
target-information=“Greece”
target-information=“Italy”
target-information=“Poland”
target-information=“Portugal”
target-information=“Serbia”
target-information=“Afghanistan”
target-information=“Bangladesh”
target-information=“British Indian Ocean Territory”
target-information=“India”
target-information=“Indonesia”
target-information=“Japan”
target-information=“Malaysia”
target-information=“Mongolia”
target-information=“Papua New Guinea”
target-information=“Saudi Arabia”
target-information=“Sri Lanka”
target-information=“Taiwan”
target-information=“Thailand”
target-information=“Uzbekistan”
target-information=“Djibouti”
target-information=“Ethiopia”
target-information=“Namibia”
target-information=“Niger”
target-information=“Nigeria”
target-information=“Zambia”
target-information=“Bolivia”
target-information=“Venezuela”
sector=“Government, Administration”
sector=“Finance”
malpedia=“Cobalt Strike”
online-service=“4605654f-8487-4d17-bfbb-bbcc223281d5”
online-service=“3b16bb5a-eb4f-4603-a909-bebc5df4a46d”
malpedia=“Havoc”
malpedia=“Sliver”
malpedia=“SparkRAT”
malpedia=“Vshell”
mitre-attack-pattern=[‘T1204.002’, ‘T1584.003’, ‘T1190’, ‘T1583.001’, ‘T1021.002’, ‘T1505.003’, ‘T1583.004’, ‘T1090’, ‘T1059’, ‘T1583.003’, ‘T1102’, ‘T1588.002’, ‘T1566’, ‘T1078’, ‘T1027’, ‘T1584.004’, ‘T1105’, ‘T1021.001’, ‘T1204.001’, ‘T1584.001’]

MISP event uuid: 14c1cdc4-4306-4f92-9f44-7d6b5ea0d20e

Indicator of Compromise (IoCs)

type,value,comment
ip-dst, 138.197.44.208, ''
ip-dst, 157.230.34.45, ''
ip-dst, 188.127.251.171, ''
ip-dst, 188.166.210.146, ''
sha256, 7808b1e01ea790548b472026ac783c73a033bb90bbe548bf3006abfbcb48c52d, 'ShadowGuard No sample in VT\r\nLast check:07/02/2026'
ip-dst, 142.91.105.172, ''
ip-dst, 146.190.152.219, ''
ip-dst, 157.245.194.54, ''
ip-dst, 159.203.164.101, ''
ip-dst, 178.128.109.37, ''
ip-dst, 178.128.60.22, ''
ip-dst, 208.85.21.30, ''
domain, 888910.xyz, ''
domain, abwxjp5.me, ''
domain, brackusi0n.live, ''
domain, dog3rj.tech, ''
domain, emezonhe.me, ''
domain, gouvn.me, ''
domain, msonline.help, ''
domain, pickupweb.me, ''
domain, pr0fu5a.me, ''
domain, q74vn.live, ''
domain, servgate.me, ''
domain, zamstats.me, ''
domain, zrheblirsy.me, ''
ip-dst, 159.65.156.200, ''
url, https://raw.githubusercontent.com/padeqav/WordPress/refs/heads/master/wp-includes/images/admin-bar-sprite.png, 'the malware downloads the following files from GitHub'
url, https://raw.githubusercontent.com/padeqav/WordPress/refs/heads/master/wp-includes/images/Linux.jpg, 'the malware downloads the following files from GitHub'
url, https://raw.githubusercontent.com/padeqav/WordPress/refs/heads/master/wp-includes/images/Windows.jpg, 'the malware downloads the following files from GitHub'

Full IOCs available in Rectifyq's MISP```

2026-02-02 Cross-Border Cryptocurrency Investment Scam Leveraging Social Messaging Channels and Fake Regulatory Credentials

Mon, 02 Feb 2026 00:00:00 GMT

📃Title: Cross-Border Cryptocurrency Investment Scam Leveraging Social Messaging Channels and Fake Regulatory Credentials
📅Date: 2026-02-02
🔗References:

https://www.cloudsek.com/blog/cross-border-cryptocurrency-investment-scam-leveraging-social-messaging-channels-and-fake-regulatory-credentials

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
sub-category: campaign-analysis
topic: crypto-related
target: broad-based
MY-relevancy: relevant
topic: mobile-attack

🔖MISP Galaxies:

producer CloudSEK
target-information=“Malaysia”
country=“china”
financial-fraud=“Fake Website”
financial-fraud=“Phishing”
financial-fraud=“Compromised Account Credentials”
financial-fraud=“Compromised Personally Identifiable Information (PII)”
financial-fraud=“Virtual Currency Fraud”
financial-fraud=“Cryptocurrency Exchange”
financial-fraud=“Social Media Scams”
financial-fraud=“Fake App”
financial-fraud=“Scam”
mitre-attack-pattern=[]

MISP event uuid: 020ceb62-7009-41fe-b22f-1ddd6806e4ea

Indicator of Compromise (IoCs)

type,value,comment
domain, zhguihc.com, 'cloned domain'
domain, zhguize.com, 'cloned domain'
hostname, rtqs.zhguiwe.com, ''
hostname, udesk.zhgui.com, 'Embeds Udesk customer service integrations'
ip-dst, 52.77.125.17, 'backend management consoles'
ip-dst, 188.114.96.3, 'replicate the scam login and investment page'
ip-dst, 172.67.191.67, 'replicate the scam login and investment page'
ip-dst, 104.21.84.186, 'replicate the scam login and investment page'
domain, zhgui.com, ''
ip-dst, 172.67.145.192, ''
domain, zhguiro.com, ''
ip-dst, 18.164.237.46, ''
domain, zhguiwd.com, ''
ip-dst, 18.164.246.64, ''
domain, zhguiyv.com, ''
ip-dst, 18.66.63.105, ''
domain, zhguitn.com, ''
ip-dst, 104.21.48.1, ''
domain, zhguivx.com, ''
ip-dst, 18.164.246.111, ''
domain, zhguimj.com, ''
domain, zhguioe.com, ''
ip-dst, 104.21.84.95, ''
domain, zhguiqt.com, ''
ip-dst, 172.67.149.149, ''
domain, zhguisp.com, ''
domain, zhguicx.com, ''
sha256, 1ca2e500f792fdce9128e8f26fd0a5c10b3f06f1047ce5217e5789db9b33681b, 'favicon hash No sample in VT\r\nLast check:09/02/2026'
url, https://www.knightkron.com, 'domains replicate identical ZHGUI interfaces'
url, https://www.sydmonet.com, 'domains replicate identical ZHGUI interfaces'
url, https://52.77.125.17/home/login, 'Presents an internal “Management Console” login page'
url, https://udesk.zhgui.com/, 'Exposes an end-user login page with Chinese-language error messages and the same JavaScript resources'
url, https://52.74.11.35/, 'Exposes an end-user login page with Chinese-language error messages and the same JavaScript resources'
ip-dst, 18.66.112.81, ''
hostname, rtqs.zhguibn.com, ''
ip-dst, 18.244.18.3, ''
url, https://1884145.s5.udesk.cn/im_client/?web_plugin_id=350&language=en-us&im_user_key=66666, ''
url, https://1884145.udeskglobal.com/sim, ''
email-src, support@zhgui.org, ''
url, https://msb.fincen.gov/msb.registration.letter.php?ID=28612373, ''
url, https://doc.zhgui.com/ZHGUI-Whitepaper-EN.pdf, ''
domain, zhguiqz.com, ''
url, https://www.wikifx.me/en/newsdetail/202510231334676397.html, ''
url, https://apps.apple.com/us/app/zhguige/id6747241718, ''
url, https://klse.i3investor.com/web/blog/detail/ZHGUIscam/2025-07-25-story-h499657939-ZHGUI_Exchange_Reminder_Beware_of_On_Chain_Data_Forgery_Traps_and_Stay_A, ''
url, https://www.zhgui.org, ''
url, https://www.facebook.com/ZHGUI.Official, ''
url, https://www.facebook.com/ZHGUI.Global/, ''
url, https://x.com/ZHGUI_, ''
url, https://x.com/ZHGUI_global, ''
url, https://t.me/lease_choobot, ''
url, https://www.facebook.com/share/p/1KCg4dA3k9/, ''
url, https://www.linkedin.com/posts/ivanblinde_web3-defi-innovation-activity-7337856604559634432-IjRC, 'LinkedIn Promotion Post (Likely Fraudulent)'

Full IOCs available in Rectifyq's MISP```

Ransomware Tracker

Thu, 29 Jan 2026 00:00:00 GMT

Ransomware Tracker

Timeline of MY organizations in alleged Ransomware cases

timeline
    title Alleged Ransomware cases on Malaysian organizations
    2018 : Med** Pri** Ber*** (Television Broadcast)
    2021 : GDe****** Ber*** (Logistic)
         : Mer********* Asi* Sdn Bhd (Payment)
         : Jab**** Per******** Ban*** dan Des* Neg*** Sel***** (Government, Administration)
         : TLP Ter***** Sdn Bhd (Logistic)
         : UM* Hol***** Ber*** (Multi-sector)
    2022 : Asi* Pac**** Uni******* Sdn* Bhd* (Academia - University)
         : Sho******* Sdn Bhd (Marketing)
         : UCS* Edu****** Sdn* Bhd* (Academia - University)
         : Aut**** Hir***** Saf*** Sdn Bhd (Automotive)
         : Age*** Pek****** Mel***** Sdn Bhd (Employment)
         : Air**** Gro** (Civil Aviation)
    2023 : Mat*** Edu**** Sdn Bhd* (Education)
         : ViT*** Cor******** Ber*** (Electronic)
         : Kil*** Ti* Ca* (Se** Sdn Bhd (Manufacturing)
         : Sun**** Pha*********** Sdn Bhd (Pharmacy)
         : TF AM* Mic************* (Electronic)
         : Age*** Kau******* dan Pen******* Kre*** (Government, Administration)
         : Fia*** Hol***** Ber*** (Multi-sector)
         : Isk***** Reg***** Dev******** Aut****** (Government, Administration)
         : Hon* Kon* Sa Sa (M) Sdn***** (Online marketplace)
         : Lei* Hin* Gro** (Ka** San*** Mal****** (Logistic)
         : Asi* Pac**** Uni******* Sdn* Bhd* (Academia - University)
         : Pla********** (M) Sdn Bhd* (Manufacturing)
         : Pen**** Sol***** Sdn* Bhd* (IT)
         : Pra****** Mal***** Ber*** (Transport)
         : Waw**** Den**** Sdn Bhd (Construction)
         : May*** Man********** (M) Sdn Bhd (Manufacturing)
         : Ala* Flo** Sdn Bhd (Environment)
         : Nat***** Ant*********** Cri** Cen*** (NF*** (Government, Administration)
         : Ind** Wat** Kon******* Sdn Bhd (Environment)
         : Ken** Cor******** (M) Sdn Bhd (Agriculture)
         : Tra******* Int********** Ins****** Bro**** Sdn Bhd (Insurance)
    2024 : Har****** Hol***** Ber*** (Manufacturing)
         : HOE Pha************ Sdn Bhd (Pharmacy)
         : IJM Cor******** Ber*** (Multi-sector)
         : Fre***** Int********** Sdn* Bhd* (Manufacturing)
         : Rek*** Sdn* Bhd* (Technology)
         : Kov** Sdn Bhd (eCommerce)
         : Mal****** Ind******* Dev******** Fin**** Ber*** (MI*** (Finance)
         : MH* Dis********* Sdn Bhd (Retail)
         : CAR***** HES* Ope****** Com**** Sdn Bhd (Oil and Gas)
         : iCa***** Lim**** (Automotive)
         : Pra****** Mal***** Ber*** (Transport)
         : Ban* Ker****** Rak*** Mal***** Ber*** (Bank)
         : REX**** PC Sdn Bhd (Retail)
         : Duo****** Bio**** Ber*** (Pharmacy)
         : FG* Hol***** Ber*** (Agriculture)
         : CAR*** Est*** Sdn Bhd (Pharmacy)
         : Phe** Uni* Tru*** Ber*** (Investment)
         : Sou***** Aci** (M) Ber*** (Chemical)
         : Del** Hol***** (M) Sdn Bhd (Security systems)
         : MI* Ind******* Sdn Bhd (Engineering)
         : Maj*** Aga** Isl** Mel*** (Government, Administration)
    2025 : Mal**** Air**** Sdn Bhd* (Civil Aviation)
         : Kov** Sdn Bhd (eCommerce)
         : Rek*** Sdn* Bhd* (Technology)
         : CAR* CO* MY Sdn* Bhd* (IT)
         : Tho** Si* Sdn Bhd (Retail)
         : Ran**** Ber****** Sdn Bhd (Engineering)
         : Aeo****** Int******** Sdn Bhd (Game)
         : Swi** Hau**** Ber*** (Logistic)
         : Rai**** As**** Cor******** (Railway)
         : Maj*** Per******** Amp*** Jay* (Government, Administration)
         : Mal***** Air***** Hol***** Ber*** (Civil Aviation)
         : Naz* TTD* Sdn Bhd (Automotive)
         : TF AM* Mic************* (Electronic)
         : MS Sup*** Cha** Sol****** (Ma******* Sdn Bhd (Logistic)
         : Agr***** Hol***** Sdn Bhd (Agriculture)
         : Dew** Ban****** Kua** Lum*** (Government, Administration)
         : MS* Met** Ind******* Sdn Bhd (Manufacturing)
         : Eve******* Cor******** Ber*** (Engineering)
         : War**** TC Hol***** Ber*** (Multi-sector)
         : Ta* Cho** Mot** Hol***** Ber*** (Automotive)
         : Cus*** Foo* Ing******** Sdn Bhd (Food)
         : HC* Cap**** Gro**(Development)
         : Pal***** Man******* Sdn Bhd (Investment)
         : EAS* Des*** Arc****** Sdn* Bhd (Consulting)
         : SF* Tec******* (M) Sdn Bhd (Electric)
         : Reg**** Spe******* Hos***** (Health)
         : Mei****** (Ma******* Sdn Bhd (Engineering)
         : Fed**** Aut* Hol***** Ber*** (Automotive)
         : Sil******* Axi* Ltd Gro** (IT)
         : CyP*** Res****** Ber*** (Energy)
         : Hei**** Pad* Ber*** (IT)
         : YP* (Ma******* Sdn Bhd (Manufacturing)
         : XO* Com Sdn Bhd (Telecoms)
         : MFE* For***** Tec******* Sdn Bhd (Construction)
         : Sou***** Lio* Sdn* Bhd* (Manufacturing)
         : PJS* Con******** Sdn Bhd (Consulting)
         : Ori***** Cas*** Sdn Bhd (Manufacturing)
         : Ber**** Air Sdn* Bhd* (Civil Aviation)
    2026 : Sun*** Gro** Ber*** (Manufacturer)
         : Bin* Dar****** Ber*** (Construction)
         : PTS Gol***** Ind******* Sdn Bhd (Manufacturing)
         : RED**** Dig**** Ber*** (Telecoms)
         : Che***** Kon******* Sdn Bhd (Engineering)
         : Per**** Petr***** Ber*** (Oil and Gas)
         : WRP Asi* Pac**** Sdn Bhd (Manufacturing)
         : Kon**** Nas***** Ber*** (Logistic)
         : PLU* Mal***** Ber*** (Infrastructure)
         : WCT Hol***** Ber*** (Construction)
         : Mal***** Air***** (Civil Aviation)
         : Gol*** Cla* Ind******* Sdn Bhd (Manufacturing)

p.s. This is based on Ransomware Group claims or news, unless the organization confirmed it then it is only a claim.

Top 10 Ransomware Group impacting Malaysian Organziations

pie title Ransomware Victim (by sector)
    "Lockbit3" : 21
    "Qilin" : 14
    "Ransomhub" : 7
    "Direwolf" : 7
    "Akira" : 5
    "The Gentlemen" : 5
    "BlackCat" : 4
    "Hunters" : 4
    "Babuk" : 4
    "Lockbit" : 3

Top 10 sectors affected by Ransomware

pie title Ransomware Victim (by sector)
    "Manufacturing" : 12
    "Government, Administration" : 7
    "Logistic" : 6
    "Engineering" : 5
    "Automotive" : 5
    "Civil Aviation" : 5
    "Pharmacy" : 4
    "Multi-sector" : 4
    "IT" : 4
    "Construction" : 4

Full breakdown Ransomware victim by sector:

Sector	Count
Manufacturing	12
Government, Administration	7
Logistic	6
Engineering	5
Automotive	5
Civil Aviation	5
Pharmacy	4
Multi-sector	4
IT	4
Construction	4
Agriculture	3
Retail	3
Electronic	3
Academia - University	3
Technology	2
Telecoms	2
Oil and Gas	2
Investment	2
Environment	2
eCommerce	2
Consulting	2
Transport	2
Bank	1
Railway	1
Online marketplace	1
Finance	1
Health	1
Television Broadcast	1
Marketing	1
Manufacturer	1
Development	1
Energy	1
Insurance	1
Employment	1
Chemical	1
Payment	1
Security systems	1
Electric	1
Food	1
Education	1
Game	1
Infrastructure	1

The NCII sectors are:

Government
Banking and finance
Transportation
Defence and national security
Information, communication and digital
Healthcare services
Water, sewerage and waste management
Energy
Agriculture and plantation
Trade, industry and economy
Science, technology and innovation

Sources

Thu, 29 Jan 2026 00:00:00 GMT

General sources

Alienvault OTX (LevelBlue Inc)
X (twitter)
URLScan.io
Triage
MyCERT advisories
Cybersecurity vendors article
Cybersecurity news
https://www.cfr.org/global-conflict-tracker
https://www.cfr.org/cyber-operations/
https://thestraitsintelligence.com/
https://globalthreatmap.up.railway.app/

Local cyberheroes

Private sources

HS - Malaysia Spamtrap Project
Rectifyq’s MISPs Project

MISP Style Guide

Thu, 29 Jan 2026 00:00:00 GMT

Rectifyq’s MISP Style Guide

Traffic Light Protocol (TLP)

TLP	Formal Definition	Rectifyq’s audience
🔴 tlp:red	For the eyes and ears of individual recipients only, no further disclosure.	Rectifyq + specific recipients
🟠 tlp:amber	Limited disclosure, recipients can only spread this on a need-to-know basis within their organization and its clients.	Rectifyq + Cyberheroes
🟢 tlp:green	Limited disclosure, recipients can spread this within their community.	Rectifyq + Cyberheroes + Cybervigilantes
⚪ tlp:clear	Information can be shared publicly in accordance with the law.	Everyone

Severity definition

Severity	Description	Example
High	State sponsored TA APT + targeted Custom malware/tool + targeted 0day + exploited in wild	Lazarus APT (North Korea) FIN7 + target company A Custom and targeting company A Currently being exploited
Medium	APT + broad-based Ransomware (Threat & Data Breach) Tool Profile Supply chain related 0day + POC Critical/High/Branded Vulnerability	FIN7 + Multiple countries Any ransomware related Any tool profiles Any supply chain related No actual case reported yet Vuln focused w malware sample(s) exploiting it
Low	Cybercrime - broad-based Commodity malware Infostealer leaks	Phishing, clickfix, defacements campaigns Infostealer, clickfix, etc Lumma stealer, redline, vidar, etc
Undefined	News article Indictment Achievement To be removed	Other articles that may still be interesting to be recorded.

APT definition - Advanced Persistence Threat. Not only limited to State Sponsored.

Category	Descriptio
Threat	In-depth analysis of specific cyber threats. The focus is on technical details, including Indicators of Compromise (IOCs) and the Tactics, Techniques, and Procedures (TTPs) utilized by threat actors.
Data Breach	Articles covering confirmed or alleged incidents of unauthorized data access or exfiltration. Key content focuses on the scope of the compromised data, affected entities, or reports concerning ransomware victim claims.
Vulnerability	Articles that details the vulnerability's impact, and its exploitation status (e.g., availability of a Proof-of-Concept (POC) or active exploitation in the wild).

Sub-category

Sub-category	Description
Threat Actor Profile	A detailed report on a specific Threat Actor (who they are), how they attack, what tools they use, and all the past campaigns we think they are responsible for.
Tool Profile	A report that focuses on a single hacking tool (or a normal tool that hackers abuse). It explains how it works, which hacker groups use it, and how you can detect and block it.
Malware Analysis	Deep dive analysis of malware either static, dynamic or reverse engineer the malware sample(s) to understand how it works, capabilities, potential attributions and other intelligence requirements.
Intrusion Analysis (Incident Analysis)	A close-up look at one single successful attack on only against specific target (usually one). It maps out the entire story, from how the hacker first got in until they achieved their final goal (like stealing data).
Campaign Analysis	A report that looks at several related attacks against multiple targets. It helps connect the dots to see a bigger picture of what a hacker group is trying to achieve strategically.
Leaks Forum	Reports focused on illegal underground forums where hackers post and try to sell or share data they claim to have stolen from a company.
Leaks Infostealer	An analysis focused on finding stolen data logs (like passwords) from "Infostealer" malware that are linked to a specific company or organization.
Zero-day	Unpatched Exploits: High-priority indicators for vulnerabilities that have no official patch or were exploited before public awareness.
Branded Vulnerability	High-Profile Bugs: Vulnerabilities with marketing names/logos (e.g., Heartbleed, PwnKit) that often see rapid, mass exploitation."
Critical Vulnerability	High-Severity Flaws: Standard vulnerabilities that carry a high CVSS/EPSS score but may not have a brand name
Report	Other related cybersecurity or intelligence reports that is relevant.

Threat Actor Category

TA Category	Description	Example
APT	Highly sophisticated, long-term clandestine campaigns. These actors have significant resources and focus on stealth to maintain persistent access to a network for espionage or data theft. Can be State sponsored, can be cybercrime.	Dark Basin, Lazarus, FIN7
State Sponsored	Highly-skilled hackers funded and directed by a government of certain nation.	APT28 (Fancy Bear), APT34 (OilRig), Lazarus Group
Cybercrime	Individuals or organized groups (Cybercriminals) whose primary motivation is financial gain.	FIN7
Ransomware	An organized collective of cybercriminals that develops, distributes, and operates sophisticated ransomware strains, often employing the Ransomware-as-a-Service (RaaS) model and double extortion tactics.	LockBit, BlackCat (ALPHV), Clop
Hacktivist	Hackers motivated by a political, social, or ideological cause, using hacking as a form of protest.	Anonymous, LulzSec, OpIsrael

Target

Target	Details
Broad-based	Commodity Opportunistic	Everyone is a target, no exclusion Everyone is a target, some exclusion such as specific country, locale, etc. Specific Language - still broad (example targeting German/Mandarin Speaking) Specific country - political events, etc. Specific group of people (red-teamers, pentesters, gamers, etc.)
Targeted	Specific Target - specially crafted based on opportunity or targets Information Attack Space	Specific Individual/Company/Organization

Target vs Victim

Characteristics	Target	Victim
Inclusivity	All target is a victim	Not all victim is a target
Details	Must contain specific key indicators (multiple) that directs to the target.	Most of the articles with specified country etc. is victim limited to their telemetry (who is their customer)
Example	Based on keyword in the spear-phishing email which only relevant to the target and vulnerability exploited is opportunity TA used against the victim.	Based on the telemetry of the vendor, it is found that country X has been affected in this campaign.
Defined as	specifically targeting	at least

Relevancy

Relevancy	Example
🔴Relevant	APT targeting Malaysian entity.
🟡Somewhat Relevant	APT target Asian country.
🔵Potentially Relevant	Infostealers impact globally.
⚫Not Relevant	Good to know only.

_{p.s. Not relevant does not mean to be ignored, it can be use to improve our security detection or prevention from the lesson learn of the incident. It is just lower priority compared to other three as the event may specifically targeting organizations that is not related to Malaysia, or targeting specific language speakers (e.g. russian language) and etc.}

Rectifyq’s Workflow

Workflow	Description
Check Date	Ensure MISP Event Date is same as the date the article was posted.
Review Severity	Select MISP Event severity as per above severity definition.
Check Producer	Ensure correct Producer is tagged in MISP Event galaxy.
Check Actor	Add Threat Actor tag in MISP Event Galaxy, if there is none in Galaxy, add as attribute and tag as create missing galaxy.
Check Target	Add Target Information and Sector tag in MISP Event Galaxy.
Check Tool	Add related tools tag in MISP Event Galaxy.
Check Malware	Add Malpedia tag in MISP Event Galaxy
Check TTP	Ensure MITRE ATT&CK in MISP Event Galaxy is accurate, priority goes to Malaysia related event (may need to self curate if not provided by the Producer)
Add IOC Context	Add comments with relevant context in each attributes. (e.g. `84c82835a5d21bbcf75a61706d8ab549` - WannaCry Ransomware)
Check Key Indicator	Add related attributes/objects with details that may be used for attribution such as: - username:password used by TA in the infection chain - decryption key used - mutexes - password for archives - sender email addressess - language used - etc.
Need sample sponsor	Require Malware sample sponsor, either upload to Malware Bazaar (preferred) or upload directly to MISP(for sample with sensitive data)
To Report to	To report to relevant parties such as the owner, hosting provider, MyCERT, registrar or etc.

Topics

Topics	Description
geopolitical	Geopolitical Related
ics-ot	Industrial Control System (ICS) and Operational Technology (OT)
mobile-attack	Mobile Attack
supply-chain	Supply Chain

2026-01-27 HoneyMyte updates CoolClient and deploys multiple stealers in recent campaigns

Tue, 27 Jan 2026 00:00:00 GMT

📃Title: HoneyMyte updates CoolClient and deploys multiple stealers in recent campaigns
📅Date: 2026-01-27
🔗References:

https://securelist.com/honeymyte-updates-coolclient-uses-browser-stealers-and-scripts/118664/

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
sub-category: malware-analysis
target: broad-based
MY-relevancy: relevant

🔖MISP Galaxies:

producer Kaspersky
threat-actor MUSTANG-PANDA
sector=“Government, Administration”
region=“035 - South-eastern Asia”
target-information=“Malaysia”
target-information=“Mongolia”
target-information=“Myanmar”
target-information=“Pakistan”
target-information=“Russia”
mitre-attack-pattern=[‘T1073’, ‘T1574.002’, ‘T1088’, ‘T1548.002’, ‘T1060’, ‘T1547.001’, ‘T1053.005’, ‘T1055’, ‘T1070’, ‘T1056.001’]

MISP event uuid: 033d1a45-804d-43ad-b916-a942ecf806fa

Indicator of Compromise (IoCs)

type,value,comment
md5, f518d8e5fe70d9090f6280c68a95998f, 'CoolClient - libngs.dll No sample in VT\r\nLast check:27/01/2026 No sample in VT\r\nLast check:28/01/2026'
md5, 6b7300a8b3f4aac40eeecfd7bc47ee7c, 'CoolClient - time.dat No sample in VT\r\nLast check:27/01/2026 No sample in VT\r\nLast check:28/01/2026'
md5, 7aa53ba3e3f8b0453ffcfba06347ab34, 'CoolClient plugins - ServiceMgrS.dll No sample in VT\r\nLast check:27/01/2026 No sample in VT\r\nLast check:28/01/2026'
md5, a1cd59f769e9e5f6a040429847ca6eae, 'CoolClient plugins - FileMgrS.dll No sample in VT\r\nLast check:27/01/2026 No sample in VT\r\nLast check:28/01/2026'
md5, 1bc5329969e6bf8ef2e9e49aab003f0b, 'CoolClient plugins - RemoteShellS.dll No sample in VT\r\nLast check:27/01/2026 No sample in VT\r\nLast check:28/01/2026'
md5, 1a5a9c013ce1b65abc75d809a25d36a7, 'Browser login data stealer - Variant A No sample in VT\r\nLast check:27/01/2026 No sample in VT\r\nLast check:28/01/2026'
md5, da6f89f15094fd3f74ba186954be6b05, 'Browser login data stealer - Variant C No sample in VT\r\nLast check:27/01/2026 No sample in VT\r\nLast check:28/01/2026'
md5, c19bd9e6f649df1df385deef94e0e8c4, 'Scripts - 1.bat No sample in VT\r\nLast check:27/01/2026 No sample in VT\r\nLast check:28/01/2026'
md5, 838b591722512368f81298c313e37412, 'Scripts - Ttraazcs32.ps1 No sample in VT\r\nLast check:27/01/2026 No sample in VT\r\nLast check:28/01/2026'
md5, a4d7147f0b1ca737bfc133349841aaba, 'Scripts - t.ps1 No sample in VT\r\nLast check:27/01/2026 No sample in VT\r\nLast check:28/01/2026'
hostname, account.hamsterxnxx.com, 'CoolClient C2'
domain, popnike-share.com, 'CoolClient C2'
hostname, japan.lenovoappstore.com, 'CoolClient C2'
ip-dst, 113.23.212.15, 'FTP server'

Full IOCs available in Rectifyq's MISP```