Rectifyq

2026-04-30 Inside Shadow-Earth-053 A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia

Thu, 30 Apr 2026 00:00:00 GMT

📃Title: Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia
📅Date: 2026-04-30
🔗References:

https://www.trendmicro.com/en_us/research/26/d/inside-shadow-earth-053.html

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
sub-category: campaign-analysis
target: broad-based
MY-relevancy: relevant

🔖MISP Galaxies:

producer= Trend-Micro
country=“china”
malpedia=“ShadowPad”
target-information=“India”
target-information=“Malaysia”
target-information=“Myanmar”
target-information=“Pakistan”
target-information=“Sri Lanka”
target-information=“Taiwan”
target-information=“Thailand”
malpedia=“iox”
malpedia=“Vshell”
malpedia=“Nood RAT”
mitre-attack-pattern=[]

MISP event uuid: 327326e7-354a-45ba-b25e-363984f01010

Indicator of Compromise (IoCs)

type,value,comment
md5, efcb90de13a82c10a34e900ab91942c1, 'ShadowPad loader — graphics-hook-filter32.dll'
md5, 48370247d5c3c01474f19e172112710a, 'ShadowPad loader — imjp14k.dll'
md5, e5b0fd04b03d92d4dfb8e50b9b9b3068, 'ShadowPad loader — imjp14k.dll'
md5, 9daba43a4c2495f596555653c6fe88d2, 'ShadowPad loader — imjp14k.dll'
md5, 4b7a47b639a2aca7818d111ee7f23b3e, 'ShadowPad loader — uxtheme.dll'
md5, c4144edb268001595700b5f27d7d7422, 'ShadowPad loader — MPS.dll'
md5, be328739e97303b2e72fe36feae358d5, 'IOX Proxy'
md5, 531da3715b1e4fc9baeaa034888ac419, 'EVILCREATEDUMP'
md5, a85459a1ec90a52b5c1f2f5a12bb2d10, 'SHADOW-EARTH-053 loader — found by infrastructure pivoting'
md5, 29015d3fa89c75ee576b14849133d6d9, 'TosBtKbd.dll Custom Registry Loader'
md5, 2616e7ec2d6c4b86a7fa1f4a762ae918, 'RingQ.exe'
md5, 7b2590be24290eb4b51bed2af1744b04, 'SHADOW-EARTH-054 loader'
md5, 0933fbd16c7a8b70199f5612e147a22c, 'GOST tunnel (gost.exe)'
md5, fc751b0416d4dc320eb175cea5a9e4dd, 'Wstunnel (wt.exe)'
sha256, f43748a809680a23272ec684a8cce9af071ad165c3b01acdcd7fe501a0949745, 'ShadowPad loader — graphics-hook-filter32.dll No sample in VT\r\nLast check:03/05/2026'
sha1, 2dc1ad07b7529af3ba5c11a58519681909971a81, 'ShadowPad loader — graphics-hook-filter32.dll No sample in VT\r\nLast check:03/05/2026'
sha256, 0eda83335334d3c877578326a5843d3e2a3b745834de27eac00b694262e2b1ed, 'ShadowPad loader — graphics-hook-filter32.dll No sample in VT\r\nLast check:03/05/2026'
sha1, 3229ba46dd54802093c81e6e2123fd1520faf960, 'ShadowPad loader — graphics-hook-filter32.dll No sample in VT\r\nLast check:03/05/2026'
sha256, 0fff684fa209cb79ab1104da3cfbbf4c950078e14e54c2564d130abbd4e464a9, 'ShadowPad loader — graphics-hook-filter32.dll No sample in VT\r\nLast check:03/05/2026'
sha1, 128f3ad395f86be6569ef2a957d42902a910de6c, 'ShadowPad loader — graphics-hook-filter32.dll No sample in VT\r\nLast check:03/05/2026'
sha256, 4f77b4fcfde7abb7e6d0e36104e433abfed3a9d9938bf7fbe0e9d1a0b2ccf265, 'ShadowPad loader — graphics-hook-filter32.dll No sample in VT\r\nLast check:03/05/2026'
sha256, a5477ff2b3d6d475558abf03878dff0cca98c20c17aae35a8ad8e99e03293f89, 'ShadowPad loader — graphics-hook-filter32.dll No sample in VT\r\nLast check:03/05/2026'
sha256, 83e9f99a377566cf30df0ad71ca8522613b14d45e3e2eaead4a336509d26bef3, 'ShadowPad loader — graphics-hook-filter32.dll No sample in VT\r\nLast check:03/05/2026'
sha1, 9a83466f6c34e588ba3e99d6cbfac0102e173cdd, 'ShadowPad loader — graphics-hook-filter32.dll No sample in VT\r\nLast check:03/05/2026'
sha256, 996fb4f7d1b3150490380c4ce9c7c3d60fac33bd6a7c1e3a46487021964cf3bb, 'ShadowPad loader — graphics-hook-filter32.dll No sample in VT\r\nLast check:03/05/2026'
sha1, 9244cd99a27a8741a78e0b449cea063fdcfb0090, 'ShadowPad loader — graphics-hook-filter32.dll No sample in VT\r\nLast check:03/05/2026'
sha256, 3dffbfcb825a70e477474e88b18679557ef467de37fc26e45ddbe572f520c52a, 'ShadowPad loader — graphics-hook-filter32.dll No sample in VT\r\nLast check:03/05/2026'
sha1, 8a5ac2682d70eacff7eb554e242227c82e2baa94, 'ShadowPad loader — graphics-hook-filter32.dll No sample in VT\r\nLast check:03/05/2026'
sha256, 2dd93edc8cc64747a7ca94b6827dc4e5b1e385d493ed4450272dd1dfc52a6255, 'ShadowPad loader — imjp14k.dll No sample in VT\r\nLast check:03/05/2026'
sha1, 579bc9a640ac939b1f75eda852815f063cebd332, 'ShadowPad loader — imjp14k.dll No sample in VT\r\nLast check:03/05/2026'
sha256, 5eb2122c4c645543966b07b94faccb5b4697561163382f21fb3b793b0d5cc9fe, 'ShadowPad loader — imjp14k.dll No sample in VT\r\nLast check:03/05/2026'
sha1, ec38a56f9368eac67106a4ad61538e12053f03d1, 'ShadowPad loader — imjp14k.dll No sample in VT\r\nLast check:03/05/2026'
sha256, eff699456ed4c5938d53afdb8df0836d7cb953ed933ed1a2899ec43f6f9e540b, 'ShadowPad loader — imjp14k.dll No sample in VT\r\nLast check:03/05/2026'
sha256, 75d0d5080afd091114818d082babc418ccb43d545d9fda1fb715af6c129b6e51, 'ShadowPad loader — uxtheme.dll No sample in VT\r\nLast check:03/05/2026'
sha1, 35cc0b684b0906aed9d672a1a8635510fe91aa67, 'ShadowPad loader — uxtheme.dll No sample in VT\r\nLast check:03/05/2026'
sha256, 3f6382418d0137f6ecbef23bfd981938bb86a935b27203f5b053e3710e835f97, 'SHADOW-EARTH-053 — Mdync.exe No sample in VT\r\nLast check:03/05/2026'
sha256, 26f4c7f37448911310adf20e6e74aac60e92b97591f4ac9e5e21cc503be8da16, 'Possible RDP Launcher No sample in VT\r\nLast check:03/05/2026'
sha256, 8df8282da75ebe6cf1a535739991e3f298f903974a05966503d7fd2919ecea4e, 'Privileged Process Launcher No sample in VT\r\nLast check:03/05/2026'
sha256, 03a89ea5a8604e8bc09a4249211e20404a2c7047adda65a57deeb46abb1fb116, 'data.aspx webshell No sample in VT\r\nLast check:03/05/2026'
sha256, d083b6d82765faffe738ebd0678c8eb01c1f1fac8d3c51ffdfe40e34da3ce902, 'ExchangeExport.exe No sample in VT\r\nLast check:03/05/2026'
sha256, 0c8c562ed7343d28c76d93a88bd0534440d0e71292ebcee66314d6d5c2f34403, 'Newdcsync.exe No sample in VT\r\nLast check:03/05/2026'
sha256, 55e929971a7975c7f9dfa4d677d5ec357af23a4ca208ef8f920804743e9011cd, 'SHADOW-EARTH-054 malware No sample in VT\r\nLast check:03/05/2026'
sha1, b8d586d376b342b08b3dd8a77c788480e025ad12, 'SHADOW-EARTH-054 malware No sample in VT\r\nLast check:03/05/2026'
sha256, 165cc3a9a40e04c469e5c818943920f38dc48db2c2365f1a71bb52c9582f0ea9, 'DomainMachines.exe — Custom discovery tool No sample in VT\r\nLast check:03/05/2026'
sha256, 1a5da90175ff7b55ddafcdb816adf574b92a112604019b219d82adab820fb3a2, 'IOX (code.exe) No sample in VT\r\nLast check:03/05/2026'
sha256, 4173c218efe31a6b36df714cf4e1073696f3acbe7edd1b7fcba01e4a2d923a27, 'Unknown proxy (code.exe / tunnel-core.exe) No sample in VT\r\nLast check:03/05/2026'
hostname, time.microsofttrends.com, 'ShadowPad C&C — TrendAI telemetry'
hostname, erp.kaspersky.icu, 'ShadowPad C&C — TrendAI telemetry'
hostname, dns.dnsmap.icu, 'Infrastructure'
hostname, cert.kaspersky.icu, 'Infrastructure'
hostname, news.kaspersky.icu, 'Infrastructure'
hostname, ns1.kaspersky.icu, 'Infrastructure'
hostname, ns2.kaspersky.icu, 'Infrastructure'
hostname, www.kaspersky.icu, 'Infrastructure'
hostname, dns.dnserver.life, 'Infrastructure'
hostname, nslookup.dnserver.life, 'Infrastructure'
hostname, router.dnserver.life, 'Infrastructure'
hostname, ww12.dnserver.life, 'Infrastructure'
hostname, ns1.group-ib.icu, 'Infrastructure'
hostname, ns2.group-ib.icu, 'Infrastructure'
hostname, www.group-ib.icu, 'Infrastructure'
hostname, check.dnsmaps.com, 'Infrastructure'
hostname, update.kaspersky.icu, 'Infrastructure Hunting — Malware Hosting'
hostname, check.office365-update.com, 'NOODLERAT C&C'
domain, zimbra-beta.info, 'SHADOW-EARTH-054 C&C'
domain, zimbra.life, 'SHADOW-EARTH-054 C&C'
domain, microsi0ft.com, 'SHADOW-EARTH-054 C&C'
ip-dst, 141.164.46.77, 'SHADOW-EARTH-053 C&C'
ip-dst, 96.9.125.227, 'SHADOW-EARTH-053 C&C'
ip-dst, 194.38.11.3, 'SHADOW-EARTH-053 Malware Hosting — TrendAI telemetry'
ip-dst, 209.141.40.254, 'SHADOW-EARTH-054 VShell C&C'
ip-dst, 45.61.62.172, 'SHADOW-EARTH-054 IOX Proxy'
url, http://209.141.40.254:8443/update, 'SHADOW-EARTH-054 VShell C&C'

Full IOCs available in Rectifyq’s MISP

2026-04-29 Phoenix Rising Exposing the PhaaS Kit Behind Global Mass Phishing Campaigns

Wed, 29 Apr 2026 00:00:00 GMT

📃Title: Phoenix Rising: Exposing the PhaaS Kit Behind Global Mass Phishing Campaigns
📅Date: 2026-04-29
🔗References:

https://www.group-ib.com/blog/phoenix-phaas-kit-smishing

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
sub-category: campaign-analysis
target: broad-based
MY-relevancy: relevant

🔖MISP Galaxies:

producer= Group-IB
financial-fraud=“Phishing”
financial-fraud=“Smishing”
target-information=“Argentina”
target-information=“Australia”
target-information=“Belgium”
target-information=“Chile”
target-information=“Costa Rica”
target-information=“Hong Kong”
target-information=“India”
target-information=“Indonesia”
target-information=“Japan”
target-information=“Malaysia”
target-information=“Mexico”
target-information=“Philippines”
target-information=“Singapore”
target-information=“Spain”
target-information=“Taiwan”
target-information=“United Kingdom”
target-information=“United States”
target-information=“Vietnam”
sector=“Finance”
sector=“Logistic”
sector=“Telecoms”
mitre-attack-pattern=[‘T1204.001’, ‘T1566.002’, ‘T1539’]

MISP event uuid: 5109a940-ef8e-4cf9-a5c8-fdfc684aa6ae

Indicator of Compromise (IoCs)

type,value,comment
ip-dst, 23.95.166.127, ''
ip-dst, 38.162.114.0, ''
ip-dst, 43.133.0.0, ''
ip-dst, 43.134.0.0, ''
ip-dst, 43.134.12.32, ''
ip-dst, 43.134.239.46, ''
ip-dst, 43.153.0.0, ''
ip-dst, 43.154.31.214, ''
ip-dst, 43.156.61.150, ''
ip-dst, 43.160.192.0, ''
ip-dst, 43.162.0.0, ''
ip-dst, 43.163.100.238, ''
ip-dst, 45.203.220.0, ''
ip-dst, 47.80.0.0, ''
ip-dst, 47.80.64.106, ''
ip-dst, 47.80.70.114, ''
ip-dst, 47.80.79.203, ''
ip-dst, 8.212.128.102, ''
ip-dst, 8.220.130.133, ''
ip-dst, 8.220.190.2, ''
ip-dst, 101.32.186.29, ''
ip-dst, 154.91.90.0, ''
ip-dst, 156.245.145.174, ''
ip-dst, 156.245.146.210, ''

Full IOCs available in Rectifyq’s MISP

2026-04-21 GhostCargo, a 5-years campaign

Tue, 21 Apr 2026 00:00:00 GMT

📃Title: GhostCargo, a 5-years campaign
📅Date: 2026-04-21
🔗References:

https://www.syntx.com.my/blog/ghostcargo-a-5-years-campaign

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
sub-category: intrusion-analysis
target: targeted
MY-relevancy: relevant

🔖MISP Galaxies:

financial-fraud=“Phishing”
financial-fraud=“Fake Website”
financial-fraud=“Distraction”
financial-fraud=“Scam”
financial-fraud=“Merchant Fraud”
financial-fraud=“Compromised Personally Identifiable Information (PII)”
target-information=“Malaysia”
country=“indonesia”
country=“venezuela”
country=“australia”
online-service=“b0c71d51-34fd-47b5-9eb4-dd406ffc607f”
online-service=“01031d3f-c9c9-4288-bb58-234c38e4246e”
mitre-attack-pattern=[‘T1657’, ‘T1056’, ‘T1204.001’, ‘T1036’, ‘T1593’, ‘T1566.002’]

MISP event uuid: 9c16b2b8-dd25-4533-958e-97d8d1c92cca

Indicator of Compromise (IoCs)

type,value,comment
hostname, bnk.ing-boa.pro, 'Active fake Barclays portal'
domain, ing-boa.pro, 'Parent domain; wildcard cert *.ing-boa[.]pro issued Feb 2026'
domain, jetexpressdeliveries.com, 'Fake logistics front (Drupal + transpix theme)'
hostname, barcl.ays-uk.com, 'Predecessor Barclays portal (Jun 2024 to May 2025, now NXDOMAIN)'
domain, ays-uk.com, 'Parent of predecessor; same Hostinger IP'
hostname, ban.king-en.com, 'Predecessor bank portal (Feb 2023, now NXDOMAIN)'
domain, king-en.com, 'Parent domain; wildcard cert from Dec 2020'
domain, topexpresdelivery.com, 'Predecessor delivery domain (Sep 2020, HTTrack source)'
domain, doorcargoexpress.com, 'Predecessor tracking page template (Feb 2023)'
domain, ermontexpressdelivery.com, 'Same-Actor Domain - Fake delivery; same NS, IP, registrar'
domain, fastlinkquickdelivery.com, 'Same-Actor Domain - Fake delivery; same NS, IP, registrar'
domain, firstcredituni.pro, 'Same-Actor Domain - Fake bank; confirmed Bankpro default deployment, .pro TLD match'
domain, suntrustcomunityfcu.com, 'Fake credit union'
domain, cresttcredit.com, 'Fake credit institution'
domain, trusteqbank.com, 'Fake bank'
domain, metropolis-credit.com, 'Fake credit'
domain, finestostandard.com, 'Fake financial institution'
domain, digitaltradechainpro.com, 'Fake trading platform'
domain, expert-traders.net, 'Fake trading'
domain, coinbaseminingfarm.com, 'Coinbase impersonation / crypto scam'
domain, greenfund.live, 'Fake charity / investment'
domain, futurezioncharity.org, 'Fake charity'
domain, daltevintransact.online, 'Fake transaction service'
domain, zeltextransact.click, 'Fake transaction service'
domain, hiltonacessglobal.com, 'Fake Hilton access / global services'
domain, zenixtransit.online, 'Fake transit / logistics'
domain, royalgatesschools.com, 'Fake school with finance admin portal'
domain, credixrise.com, 'Fake banking (Cloudflare NS, same IP)'
ip-dst, 198.251.89.82, 'Primary hosting IP (FranTech AS53667, Cheyenne WY)'
ip-dst, 91.108.101.78, 'barcl.ays-uk[.]com hosting IP (Hostinger, Paris)'
ip-dst, 46.202.172.167, 'jetexpressdeliveries[.]com hosting IP (Hostinger)'
hostname, ns115.my-control-panel.com, 'Hosted on same IP as scam domains'
hostname, ns116.my-control-panel.com, 'Hosted on same IP as scam domains'
domain, zentroid.com, 'unrelated sites'
domain, ultraviewvault.com, 'unrelated sites'
email-src, admin@ing-boa.pro, 'Operator contact'
email-src, support@indigenousservice.com, 'Contact email on firstcredituni[.]pro'
email-src, support@dirtyscripts.shop, 'Bankpro kit default admin login'

Full IOCs available in Rectifyq’s MISP

2026-04-08 A new Mac stealer targeting $10K+ crypto wallets

Wed, 08 Apr 2026 00:00:00 GMT

📃Title: A new Mac stealer targeting $10K+ crypto wallets
📅Date: 2026-04-08
🔗References:

https://moonlock.com/notorious-hacker-returns-notnullosx-stealer

Description

A sophisticated macOS stealer called notnullOSX emerged in March 2026, developed by threat actor alh1mik (formerly 0xFFF) who returned after a 2023 exit from underground forums. This Go-written modular stealer exclusively targets macOS users with cryptocurrency holdings exceeding $10,000. Distribution occurs through ClickFix social engineering and malicious DMG files disguised as legitimate applications like WallSpace. The malware employs a modular architecture with specialized components to exfiltrate iMessage history, Apple Notes, browser credentials, Safari cookies, crypto wallet files, SSH keys, and cloud provider credentials. By social-engineering victims into granting Full Disk Access, notnullOSX bypasses macOS TCC protections without triggering permission dialogs. The stealer maintains persistent WebSocket connections to Firebase infrastructure, functioning as both an infostealer and backdoor with remote module update capabilities.

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
sub-category: campaign-analysis
topic: crypto-related
target: broad-based
MY-relevancy: relevant

🔖MISP Galaxies:

target-information=“Spain”
target-information=“Taiwan”
country=“malaysia”
mitre-attack-pattern=[‘T1056.001’, ‘T1539’, ‘T1036.005’, ‘T1204.002’, ‘T1566.002’, ‘T1119’, ‘T1005’, ‘T1140’, ‘T1555.003’, ‘T1552.004’, ‘T1087’, ‘T1083’, ‘T1552.001’, ‘T1041’, ‘T1059.004’, ‘T1562.001’, ‘T1573.002’, ‘T1543.001’, ‘T1071.001’, ‘T1564.001’]

MISP event uuid: c4af9327-6041-4a3b-99f2-33c7af75c9ad

Indicator of Compromise (IoCs)

type,value,comment
md5, c4c249ee87fbda08834e5883f8626db1, ''
md5, a1f06c2c83835259998f2d9d518ee2f6, ''
md5, ddf5c959ef9d990152d39c90b5efbfde, ''
md5, 85870d9889492e3df9fbec630bbb5fde, ''
md5, 48ac3d7ed39152844b8b3112563cfcf7, ''
domain, coockie.pro, ''
ip-dst, 83.217.209.88, ''
sha256, 4584d02b5193799453766857dba97021f966b9cbf6033d7dd3a33d61eb975a6c, 'No sample in VT\r\nLast check:20/04/2026'
sha256, 47373950e1d23c066de0ed2d511b4b7eea56ec22d7b501db265995fec51dbb44, 'No sample in VT\r\nLast check:20/04/2026'
sha256, 82cb3a22c90aee6cfc2f7e7f72e921e21226492c1d424d2b754b9cd763ab0b20, 'No sample in VT\r\nLast check:20/04/2026'
sha256, b73adc5dc04159241e4a89cbc82eaa381f406080f3aaaa1f27d145900dd54267, 'No sample in VT\r\nLast check:20/04/2026'
ip-dst, 111.90.149.111, ''
url, http://wallpapermacos.com/download/, ''
domain, wallpapermacos.com, ''
domain, wallspaceapp.com, ''
hostname, mactest-6b2ab-default-rtdb.firebaseio.com, ''
hostname, cdn.filestackcontent.com, ''
url, https://www.youtube.com/watch?v=nbH5KJGYBHk, ''
url, https://www.youtube.com/@wallspacemacos, ''
url, http://111.90.149.111:8080/installer, 'bash installer script location at Shinjiru IP'

Full IOCs available in Rectifyq’s MISP

Phish Hunt MY 2026

Wed, 18 Mar 2026 00:00:00 GMT

Background

Phishing scams—like Telegram takeovers, fake APK wedding invites, and Bantuan Kerajaan fakesite—have been around for ages. Most IT pros and cybersecurity experts tend to ignore them, thinking they’re “uninteresting” or wondering how anyone could still fall for them. But the fact that these scams are still happening means they work. Even if they don’t catch everyone, they only need to hit the right victim for the financial impact to be devastating.

A few things triggered me to organize this challenge. One was an article by Foxy about recent phishing campaigns, which reminded me of my own previous writing. Then, a “threat actor” actually had the nerve to post a phishing link right in the OWASP Malaysia WhatsApp group!😂 When KDJebat called for an advisory, it gave me an idea: why not create a challenge to push pros and students to actually analyze these campaigns?

It’s a win-win. I get to learn from their findings, and they get to build their portfolios and potentially win prizes.

So, a big shout out to Foxy and KDJebat for the inspiration! 🙌

Challenge Details

With the festive season approaching, scams impersonating local organizations, governments, and local e-wallets are on the rise. We’re looking for Phish Hunters and analysts to help map out these campaigns, warn the community, and get them taken down.

🔍 How to Participate

Identify: Find an active phishing link or campaign (SMS, Email, Social Media) specifically targeting Malaysians.
Analyze: Break down the infrastructure and TTP used by Threat Actor. Who is the registrar? Where is it hosted? Can you find the phishing kit etc? (Always use a sandbox/VM).
Report & Post: File a report with Google Safe Browsing or MyCERT (Cyber999) or any relevant parties. Then, share your findings on LinkedIn, X, Facebook, or your blog to educate others.
Submit: Drop your analysis and post link in our entry form: [https://forms.gle/ei6EqfBFsbtzdEJU9] before 12 midnight of 15th March 2026 🏆 The Prizes (Touch ‘n Go e-Wallet Credit: Each category will win RM100)

We’re awarding two distinct types of hunters:

The Apex Hunter (Technical Prize): For the most thorough technical breakdown. We’re looking for high-quality analysis—TTPs, indicators of compromise (IOCs), kit discovery, evidence of reporting and so on. Technical evaluation will be done on 12 noon of 16th March 2026; if you submitted your analysis but have some minor adjustment, please do so before this date.
The Community Advocate (Engagement Prize): For the Rectifyq’s Linkedin repost (once you submitted your entry, we will repost it in our page) that gets the most Likes & Shares. This is about making the warning go viral to prevent others from falling victim. Counting date fort his prize will be on 12 noon of 18th March 2026. Do share with everyone your specific Rectifyq’s Linkedin repost for everyone to like and share.

Rule: To keep the rewards distributed, one participant cannot win both. If the top technical entry also has the highest engagement, the engagement prize will go to the next runner-up and/or student winner will be prioritized for the community advocate category.

Results for Apex Hunter

2 champions - Mohd Fazri & Ahmad Nazif

Updates

After another round of review and recalculation, the previously announced winner lost 1 point which resulted to a draw between Mohd Fazri & Ahmad Nazif. Therefore, decision has been made to announce both as champion for this challenge with the accumulating of same score points. So, both won the duit raya!

Below are the top 5:

Article link	Category	Total Points	Extra points given	Room for improvement
ayiezola	Working Professional	26	Infection chain using AI/clean diagram, nuclei template, comparative analysis, sample of exfiltrated data	No Recommendation included, TTPs listed not using known framework such as MITRE ATT&CK
nazif	Working Professional	26	Included Impact assessment and usage of PCAP analysis	No infection chain diagram included & report format to be more concise and succinct
171k	Student	25	Included TA assessment and TA’s opsec fails	No Action taken (e.g. report to google safe browsing) included, TTPs listed not using known framework such as MITRE ATT&CK
Myo	Student	23	None	Action taken (e.g. report to google safe browsing) can be beyond the two listed in the google form
Alif & Faez	Student	22	Included Chain of Code Reuse	TTPs listed not using known framework such as MITRE ATT&CK

Remaining 6 (listed in random and no particular order)

Article link	Category	Extra points given	Room for improvement
n3r	Working Professional	OTP Form & Anti analysis	To include executive summary, to include action taken
khairul-zuhaili	Student	Telegram bot screenshot with victim data	To include executive summary, IoCs and action taken
akmaltaufik	Student	Usage of crt.sh for pivoting	To include executive summary, TTPs using known framework and action taken & report format to be more concise and succinct
syazwanisubri	Working Professional	Usage of VT collection	To include infection diagram/attack diagram and screenshots/proof of reporting to be included directly in the article (audience may missed to check in the evidence folder you’ve created)
matpwnguin	Working Professional	Included TA assessment and security misconfig	Executive summary is a bit too long - can be more concise, to include action taken
amirulhmd	Student	Asked questions to stakeholder (Rectifyq) - which is good to understand stakeholder’s requirement, reporting (action taken) beyond suggested (Cloudflare abuse)	Overview if chosen as executive summary is bit too long, TTPs listed not using known framework such as MITRE ATT&CK

Results for Community Advocate

Winner: Alif & Faez

Scoring Criteria

Brief Summary - if it is too short, too long or just right
Diagrams - if includes screenshots, code snippets, infection chain/attack diagram
Indicator Pivoting - pivoting from initial indicator (often phishing url) to underlying IP then whois record and so on
TTP - TTPs listed and usage of known framework such as MITRE ATT&CK or attck4fraud
IoC - if IoCs were included, compiled and each IoCs has context
Action Taken - proof of action taken (such as reporting to Google safe browsing and even beyond suggested previously) that gives out result (e.g. site no longer reachable)
Phishing Kit - found phishing kit used, may pivot to similar campaigns that uses same phsihing kit, or even found the source code of the phishing kit
Recommendation - provided relevant recommendation, be it to the public or organizations
Extra points - interesting part of the report which unique to the writer
Questions to Stakeholder - contacted stakeholder (Rectifyq) to clarify the expectation in terms formatting, or even the scoring criteria
Follow Rectifyq’s social media - followed all Rectifyq’s social media

Conclusion

This challenge really shows that Malaysia has amazing cybersecurity talent, from students to working pros. Everyone brought something different to the table—whether it was offensive skills or traffic analysis—and used those strengths to break down the phishing campaigns targeting Malaysian.

I learned a ton from organizing this, and the feedback from few participants were great. Like I told one of the participants, I can’t officially promise to make this a regular thing just yet. But hopefully, even if I’m not the one running it next time, I hope this inspires other companies or organizations to host similar challenges.

2026-03-18 Iran — US/Israel Conflict, how is it impacted Malaysia Organisation?

Wed, 18 Mar 2026 00:00:00 GMT

📃Title: Iran — US/Israel Conflict, how is it impacted Malaysia Organisation?
📅Date: 2026-03-18
🔗References:

https://medium.com/@StampedeOps/iran-us-israel-conflict-how-is-it-impacted-malaysia-organisation-8ec8e3535959

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
topic: geopolitical
target: broad-based
MY-relevancy: relevant
sub-category: TA-profile
topic: ics-ot

🔖MISP Galaxies:

target-information=“Malaysia”
country=“iran”
country=“israel”
country=“united states of america”
threat-actor= MuddyWater
threat-actor= APT35
threat-actor= APT42
threat-actor= Cyber-Av3ngers
threat-actor= Fox-Kitten
threat-actor= OilRig
mitre-attack-pattern=[]

MISP event uuid: 12ec4fe2-55a7-4cd4-b7d4-f3acf5d223e0

Indicator of Compromise (IoCs)

type,value,comment
md5, f6a4c531e92cbdd5ffac75c76939d7f3, 'IoCs related to MuddyWater'
md5, c89671f994af65677aa48b699a01fe9d, 'IoCs related to MuddyWater'
md5, 2ed6ebaa28a9bfccc59c6e89a8990631, 'IoCs related to MuddyWater'
md5, cd555279b6438260ec71b32e4d02cd9d, 'IoCs related to MuddyWater'
md5, ef6ec560efd05d21976a6fd3f489e206, 'IoCs related to MuddyWater'
md5, 4c169dde3bc184c42ca7a712a61c6f3c, 'IoCs related to MuddyWater'
md5, d2b0785b69f8578bdddf039634507f47, 'IoCs related to MuddyWater'
md5, 7da3d206519086f2725494b3ab095fbb, 'IoCs related to MuddyWater'
md5, 68352f61da6e3236c4fe760997a981ea, 'IoCs related to MuddyWater'
md5, 3a95186019af1943a0ea0f8eb07a288f, 'IoCs related to MuddyWater'
md5, 404f5b1ff4ed035c6178d1789192c4d8, 'IoCs related to MuddyWater'
md5, 74e75830252220cbbe7e3adec4340d2d, 'IoCs related to MuddyWater'
md5, c5c0829df294cc4fd701df5d5c55718f, 'IoCs related to MuddyWater'
md5, cdeb7abfc7775c63745135431272dda3, 'IoCs related to MuddyWater'
md5, f97650ede0c39a29b0b5c5472f685d11, 'IoCs related to MuddyWater'
md5, 0a95918fd6000a69b8a70609f93e910f, 'IoCs related to MuddyWater'
md5, b9a67ffb81420e68f9e5607cc200604a, 'IoCs related to MuddyWater'
md5, 95d9e6c262632abe004c4693a71eaced, 'IoCs related to MuddyWater'
md5, aba760ec55fdeccb35adb068443feb89, 'IoCs related to MuddyWater'
md5, 809334c0b55009c5a50f37e4eec63c43, 'IoCs related to MuddyWater'
md5, 75060f5394b72421c0d8f81f79931aa9, 'IoCs related to MuddyWater'
md5, 93be13bbcad30440a0d0ef3868d67003, 'IoCs related to MuddyWater'
md5, 806adc79e7ea3be50ef1d3974a16b7fb, 'IoCs related to MuddyWater'
md5, 242098c3e87822bffa7c337987065fbe, 'IoCs related to MuddyWater'
md5, c381c2cb8fdd6acf1636280b9424f573, 'IoCs related to MuddyWater'
md5, 2533307ec1ef8b0611c8896e1460b076, 'IoCs related to MuddyWater'
md5, 1f280f51eeb6cf895fe80082ce725841, 'IoCs related to MuddyWater'
md5, 43be8a405a7f57cf9f910d829c521b21, 'IoCs related to MuddyWater'
md5, 23d99f912f2491749b89e4fd337273bc, 'IoCs related to MuddyWater'
md5, 0873ce3db84b79da935f71df3d6c8e6d, 'IoCs related to MuddyWater'
md5, f06e30dee8629e951cefa73373fdef9d, 'IoCs related to MuddyWater'
md5, 1e9a4e774b61acc8a6b35ee50417e661, 'IoCs related to MuddyWater'
md5, d276b8c1660f264d64eff3474718509b, 'IoCs related to MuddyWater'
md5, d70ddec75de88bf4ca7cbb67b56627f6, 'IoCs related to MuddyWater'
md5, 3ab16bd1c339fd0727be650104b74dd1, 'IoCs related to MuddyWater'
md5, 64fc017a451ef273dcacdf6c099031f3, 'IoCs related to MuddyWater'
md5, 4055d8b5c2e909f5db8b75a5750a7005, 'IoCs related to MuddyWater'
md5, e2d6031afd81bf3b6a44de4d0b039055, 'IoCs related to MuddyWater'
md5, f1c935ce028022ab2a495eae83adacc6, 'IoCs related to MuddyWater'
md5, 47e312ecca7af098bb1c6c69188f54cf, 'IoCs related to MuddyWater'
md5, b181ecbb7394e3b1394a8c97af65b7e2, 'IoCs related to MuddyWater'
md5, 08d8ab5dd375847ce909297e59e7df00, 'IoCs related to MuddyWater'
md5, c478e472f6223e7ee92cff8b459e55e2, 'IoCs related to MuddyWater'
md5, 96d5a7e0e75654c444cb1a915c666ac8, 'IoCs related to MuddyWater'
md5, 244a4f81cff4a8dc5872628a40713735, 'IoCs related to MuddyWater'
md5, 6d7ce5b03fe61683229c29a859505163, 'IoCs related to MuddyWater'
md5, aaa9db79b5d6ba319e24e6180a7935d6, 'IoCs related to MuddyWater'
md5, 80c91b4343fe1260e348872e1b4c0713, 'IoCs related to APT35'
md5, 83b7ec5f0d5d6f11ba1284a3f705e98e, 'IoCs related to APT35'
md5, b7e4b752adff07ac1b7b67a9be30b366, 'IoCs related to APT35'
md5, 223196939e1e1ba9256f515b0a510d7a, 'IoCs related to APT35'
md5, e8e0f2ade7294808d86b23a989b21be1, 'IoCs related to APT35'
md5, 7391c3d895246dbd5d26bf70f1d8cbad, 'IoCs related to APT35'
md5, b40533e67e70b7ff7bb53d34a4b9170e, 'IoCs related to APT35'
md5, a17b40b8133c1cc29c6146732086db69, 'IoCs related to APT35'
md5, 14d8e865d3ca67b88c01f7e5d2b0862d, 'IoCs related to APT35'
md5, 67dbe102978e4b612237ad3ee371702f, 'IoCs related to APT35'
md5, 721ec011d75fea67ce9cb2796412651e, 'IoCs related to APT35'
md5, 0c6f48c62d56b454ebc0e1b7e044ca69, 'IoCs related to APT35'
md5, 097447c4b526f8a42e3144afe510ec20, 'IoCs related to APT35'
md5, b319d8972115895f156807348fa9b45f, 'IoCs related to APT35'
md5, 7d216c57da81193a45c67c323d4049c3, 'IoCs related to APT35'
md5, fac805be171884ddbd1396f6a59c90eb, 'IoCs related to APT35'
md5, 776677256087a5a0f543a6b6317cadf8, 'IoCs related to APT35'
md5, 1baeff23794e47eb5c927c0303b7cd92, 'IoCs related to APT35'
md5, cef266a5ea7ba57abc576cbeb5497c97, 'IoCs related to APT35'
md5, b19a097c237d594a85986881f69f127d, 'IoCs related to APT35'
md5, 3a85381dd880c69f40b02859cd9fd473, 'IoCs related to APT35'
md5, 53d0f4a75e8acbb6255bb44242e4843f, 'IoCs related to APT35'
md5, c4b95c1ba3671c5172e7eb01178a7c39, 'IoCs related to APT35'
md5, 20e80c787e129ec11de9accdd0ae4611, 'IoCs related to APT35'
md5, 0c76c41dfe6989ba042e27755e2b68f7, 'IoCs related to APT35'
md5, b683628884cc1d00c234ea2f4b85d153, 'IoCs related to APT35'
md5, 1965a61d6f96b7bb221564ad52ba9719, 'IoCs related to APT35'
md5, 68abbdd75f82a22e3cf6200e13a664b3, 'IoCs related to APT35'
md5, be2bd408c615997c600871970573f023, 'IoCs related to APT35'
md5, be556a0d7d75524acc5518482e43ed9a, 'IoCs related to APT35'
md5, e5f0aea43ac33bf19a78c1a600f690d5, 'IoCs related to APT35'
md5, e23637423599434a6de45b9080b7c561, 'IoCs related to APT35'
md5, 96a9078d97a8b2a0cdc6632b48b8a649, 'IoCs related to APT35'
md5, e16c8c285b1d537be5fe32e93247c282, 'IoCs related to APT35'
md5, 2dab429e52096fd9eb031fc666965a5e, 'IoCs related to APT35'
md5, 347b273df245f5e1fcbef32f5b836f1d, 'IoCs related to APT42'
md5, 2ff97de7a16519b74113ea9137c6ba0c, 'IoCs related to APT42'
md5, d32f89a8a3dd360db3fa9b838163ffa0, 'IoCs related to APT42'
md5, 853687659483d215309941dae391a68f, 'IoCs related to APT42'
md5, dd2653a2543fa44eaeeff3ca82fe3513, 'IoCs related to APT42'
md5, 081419a484bbf99f278ce636d445b9d8, 'IoCs related to APT42'
md5, 4551a6cdf8d23a96aa4124ac9bdb6d1d, 'IoCs related to APT42'
md5, 22e9135a650cd674eb330cbb4a7329c3, 'IoCs related to APT42'
md5, e7df84a5a22aeafcf1c3abf4fd986c91, 'IoCs related to APT42'
md5, d783001d1f98fe3b33e7b97b0b7d96dc, 'IoCs related to APT42'
md5, 755c0350038daefb29b888b6f8739e81, 'IoCs related to APT42'
md5, 2783376fd7af9ec138ecf49ad7391f16, 'IoCs related to APT42'
md5, c23663ebdfbc340457201dbec7469386, 'IoCs related to APT42'
md5, a70d6bbf2acb62e257c98cb0450f4fec, 'IoCs related to APT42'
md5, 5746a9e0a410349b17f8a64af30f9cd3, 'IoCs related to APT42'
md5, c92e2655d115368f92e7b7de5803b7bc, 'IoCs related to APT42'
md5, a50a20edddaded453410600549968914, 'IoCs related to APT42'
md5, a713e686fd984588a4db74f34bf32275, 'IoCs related to APT42'
md5, d7bf138d1aa2b70d6204a2f3c3bc72a7, 'IoCs related to APT42'
md5, bdd0d556166ad0af9ded39ab4b9ed34f, 'IoCs related to APT42'
md5, abe531e9f1e642c47260fac40dc41f59, 'IoCs related to APT42'
md5, 93c19436e6e5207e2e2bed425107f080, 'IoCs related to APT42'
md5, a9cd92a3a4d90daf9331036c772c67de, 'IoCs related to APT42'
md5, d533a3c61e8425e51dca36415b9e8af2, 'IoCs related to APT42'
md5, 8678cca1ee25121546883db16846878b, 'IoCs related to APT42'
md5, c17f4bb8e415e21e6010b98e13c6dff3, 'IoCs related to APT42'
md5, cafe08392d476a057d85de4983bac94e, 'IoCs related to APT42'
md5, 63c4c31965ed08a3207d44e885ebd5e4, 'IoCs related to APT42'
md5, b3411927cc7cd05e02ba64b2a789bbde, 'IoCs related to PARISITE'
md5, ebd96cf97f93e62210fe4d928c49464c, 'IoCs related to PARISITE'
md5, 48274e0b14ce2fbea39bbb98d7c8d495, 'IoCs related to PARISITE'
md5, 6a58b52b184715583cda792b56a0a1ed, 'IoCs related to PARISITE'
md5, 057999f7fedb3339def3be576a2408a7, 'IoCs related to PARISITE'
md5, 923cab44221fabd8f42dd00cc0701ac3, 'IoCs related to PARISITE'
md5, 6445cddd5284516b192330a2805606de, 'IoCs related to PARISITE'
md5, fe94c576b99dcc99b1c82fce00af97ab, 'IoCs related to PARISITE'
md5, e736229e890a138ccf7810e00a6bb50d, 'IoCs related to PARISITE'
domain, stratioai.org, 'IoCs related to MuddyWater'
domain, moodleuni.com, 'IoCs related to MuddyWater'
hostname, nomercys.it.com, 'IoCs related to MuddyWater'
domain, bootcamptg.org, 'IoCs related to MuddyWater'
hostname, sso.moodleuni.com, 'IoCs related to MuddyWater'
domain, bookairway.com, 'IoCs related to MuddyWater'
hostname, sso.facetalk.org, 'IoCs related to MuddyWater'
domain, netivtech.org, 'IoCs related to MuddyWater'
domain, processplanet.org, 'IoCs related to MuddyWater'
domain, screenai.online, 'IoCs related to MuddyWater'
domain, pharmacynod.com, 'IoCs related to MuddyWater'
domain, facetalk.org, 'IoCs related to MuddyWater'
domain, photosjournalism.com, 'IoCs related to MuddyWater'
ip-dst, 165.227.82.147, 'IoCs related to MuddyWater'
ip-dst, 194.11.246.101, 'IoCs related to MuddyWater'
ip-dst, 157.20.182.49, 'IoCs related to MuddyWater'
ip-dst, 161.35.228.250, 'IoCs related to MuddyWater'
ip-dst, 195.20.17.189, 'IoCs related to MuddyWater'
ip-dst, 62.106.66.112, 'IoCs related to MuddyWater'
ip-dst, 159.198.68.25, 'IoCs related to MuddyWater'
ip-dst, 159.65.227.190, 'IoCs related to MuddyWater'
ip-dst, 18.116.63.2, 'IoCs related to MuddyWater'
ip-dst, 209.74.87.100, 'IoCs related to MuddyWater'
ip-dst, 35.175.224.64, 'IoCs related to MuddyWater'
ip-dst, 159.198.66.153, 'IoCs related to MuddyWater'
ip-dst, 143.198.5.41, 'IoCs related to MuddyWater'
ip-dst, 18.223.24.218, 'IoCs related to MuddyWater'
ip-dst, 185.128.139.4, 'IoCs related to MuddyWater'
sha1, 2d5b8da0d0719e6f8212497d7e34d5f1b1fa6776, 'IoCs related to APT35 No sample in VT\r\nLast check:21/03/2026'
md5, 8db7338c487143a4d43ed1a22fec49a7, 'IoCs related to APT35 No sample in VT\r\nLast check:21/03/2026'
md5, f5dd107eaca971f24effbaf598119ca1, 'IoCs related to APT35 No sample in VT\r\nLast check:21/03/2026'
sha1, 4d6bf3834e9afb8e3c3861bf2ad64a68d9c7d870, 'IoCs related to APT35 No sample in VT\r\nLast check:21/03/2026'
md5, 943981571f4e095063850c26158835b8, 'IoCs related to APT35 No sample in VT\r\nLast check:21/03/2026'
md5, 25d3a014c332aaa3adce429d0e714e31, 'IoCs related to APT35 No sample in VT\r\nLast check:21/03/2026'
md5, 7d887893a6107d7ae902e6771f30e080, 'IoCs related to APT35 No sample in VT\r\nLast check:21/03/2026'
md5, 63080b45ca4978fb5d2d71387dbaf610, 'IoCs related to APT35 No sample in VT\r\nLast check:21/03/2026'
md5, a933c623e3b047292efd55e0e424c732, 'IoCs related to APT35 No sample in VT\r\nLast check:21/03/2026'
sha1, 544bf4f9e5fdb4d35987b4c25f537213ce3c926a, 'IoCs related to APT35 No sample in VT\r\nLast check:21/03/2026'
md5, 67e09818d1aa650896a432b1de54d376, 'IoCs related to APT35 No sample in VT\r\nLast check:21/03/2026'
md5, 424f887f651371aa3058cf7c8e908d2a, 'IoCs related to APT35 No sample in VT\r\nLast check:21/03/2026'
domain, unityprogressall.org, 'IoCs related to APT35'
domain, transfergocompany.com, 'IoCs related to APT35'
domain, defenceprodindia.site, 'IoCs related to APT35'
domain, mojavemassageandwellness.com, 'IoCs related to APT35'
domain, supervisor-intendant.info, 'IoCs related to APT35'
ip-dst, 185.132.176.13, 'IoCs related to APT35'
ip-dst, 195.160.220.202, 'IoCs related to APT35'
ip-dst, 1.235.222.140, 'IoCs related to APT35'
hostname, whatsapp-meeting.duckdns.org, 'IoCs related to APT42'
hostname, whatsapp-meet.duckdns.org, 'IoCs related to APT42'
hostname, meet-join.duckdns.org, 'IoCs related to APT42'
hostname, whatsapp-join-meet.duckdns.org, 'IoCs related to APT42'
domain, meet-safe.online, 'IoCs related to APT42'
hostname, meet-login.duckdns.org, 'IoCs related to APT42'
domain, act-rights-gaming.digital, 'IoCs related to APT42'
hostname, book.good-while.online, 'IoCs related to APT42'
domain, net-vision.xyz, 'IoCs related to APT42'
domain, join-host-room.xyz, 'IoCs related to APT42'
domain, joining-inside-space.world, 'IoCs related to APT42'
domain, forward-goal-inner.digital, 'IoCs related to APT42'
hostname, www.whatsapp-meet.duckdns.org, 'IoCs related to APT42'
domain, accord-room-check.live, 'IoCs related to APT42'
domain, joining-room-host.xyz, 'IoCs related to APT42'
domain, net-works.xyz, 'IoCs related to APT42'
domain, re-shrt98.xyz, 'IoCs related to APT42'
domain, first-step.space, 'IoCs related to APT42'
domain, tiny-name.cyou, 'IoCs related to APT42'
domain, bonjour-ills.christmas, 'IoCs related to APT42'
md5, 59f636854f5a511945eb4870cce6a85b, 'IoCs related to PARISITE No sample in VT\r\nLast check:21/03/2026'
sha1, 786379bb3c0e3ea6ec7d7af88d109994c20bb849, 'IoCs related to PARISITE No sample in VT\r\nLast check:21/03/2026'
md5, 923cefd8623c495b31415e0775c099c2, 'IoCs related to PARISITE No sample in VT\r\nLast check:21/03/2026'
sha256, e12acf1b58b633d090b7e9828b0790502c9b9cd2df51a6863319912d2152dbc9, 'IoCs related to PARISITE No sample in VT\r\nLast check:21/03/2026'
sha256, c0786c60e92be76cb9f9b3da5f53d5e8b999b2c86a73e94d793070f2b96f852e, 'IoCs related to PARISITE No sample in VT\r\nLast check:21/03/2026'
sha256, 30c4ff83d5dc3d4c5be77283defce614f6310339705b039cae022bdde72dec38, 'IoCs related to PARISITE No sample in VT\r\nLast check:21/03/2026'
sha1, 86969bc9f13c6359c54151432f3819301074164c, 'IoCs related to PARISITE No sample in VT\r\nLast check:21/03/2026'
md5, 9dcf203b7d87698d678cf9df42ab4ac0, 'IoCs related to PARISITE No sample in VT\r\nLast check:21/03/2026'
md5, 56401106c49609c526e218a4a4103fee, 'IoCs related to PARISITE No sample in VT\r\nLast check:21/03/2026'
sha1, def5cb2d480d058902b7cc2f6c0915afd972ad0b, 'IoCs related to PARISITE No sample in VT\r\nLast check:21/03/2026'
sha256, 9885c4343942163087fbbea7939bec38702086e0f737c97deb288e8d3e6f140a, 'IoCs related to PARISITE No sample in VT\r\nLast check:21/03/2026'
md5, 9e7f2b5e0c5b164f2c62b412a9a91cbc, 'IoCs related to PARISITE No sample in VT\r\nLast check:21/03/2026'
sha256, a841c8179ac48bdc2ebf1e646d4f552d9cd02fc79207fdc2fc783889049f32bc, 'IoCs related to PARISITE No sample in VT\r\nLast check:21/03/2026'
sha256, ea10bc8c77446c9a7eb4720df656a465e3cf4edb40a2c5cacd7f6b665960ccda, 'IoCs related to PARISITE No sample in VT\r\nLast check:21/03/2026'
sha1, 5d3ddb0e95725974b6034f19cfaef2d6ebd69c87, 'IoCs related to PARISITE No sample in VT\r\nLast check:21/03/2026'
md5, 03f2b01a9bc670ce6f2a2a50d5c08b22, 'IoCs related to PARISITE No sample in VT\r\nLast check:21/03/2026'
sha1, ddc5bdace73c1754d87d9ea1c545a0cb9112789b, 'IoCs related to PARISITE No sample in VT\r\nLast check:21/03/2026'
sha256, 9208034af160357c99b45564ff54570b1510baf3bc033999ae4281482617ff5b, 'IoCs related to PARISITE No sample in VT\r\nLast check:21/03/2026'
sha1, e6a1157020746cf487799ad344a5b1a603052f0e, 'IoCs related to PARISITE No sample in VT\r\nLast check:21/03/2026'
md5, 669437838a13bf783d6ff1574274e5b0, 'IoCs related to PARISITE No sample in VT\r\nLast check:21/03/2026'
sha1, b6e4db5df0f92783341267dedea4fdc5530e4a4f, 'IoCs related to PARISITE No sample in VT\r\nLast check:21/03/2026'
sha1, bbe681caebf5711ffc366d09097c7c587e212ebb, 'IoCs related to PARISITE No sample in VT\r\nLast check:21/03/2026'
sha1, f7ec27cd5b05a66b263f620402c39c2b7d2f23ef, 'IoCs related to PARISITE No sample in VT\r\nLast check:21/03/2026'
md5, 07ab4dd676f477e9f93be1a325073d93, 'IoCs related to PARISITE No sample in VT\r\nLast check:21/03/2026'
sha256, 27ae97933a4dd955a7e928be0efa361907c088076837446ada5642bd32500627, 'IoCs related to PARISITE No sample in VT\r\nLast check:21/03/2026'
sha256, 1c4147fb6edf4075102432716c6a62711b5c57599c6a22a20eda61321023a429, 'IoCs related to PARISITE No sample in VT\r\nLast check:21/03/2026'
sha1, 28e04219b84d36243cfa03320ab0b9677bc9fd1d, 'IoCs related to PARISITE No sample in VT\r\nLast check:21/03/2026'
sha1, 5d573209939c737a829dac72383062d9965a8fa3, 'IoCs related to PARISITE No sample in VT\r\nLast check:21/03/2026'
md5, 04f9274c62c612342e74f868fc3069f5, 'IoCs related to PARISITE No sample in VT\r\nLast check:21/03/2026'
sha256, 903638cceca0718c586739cb822ca396f84693bc3e9b3d07daff5c09f0a5b2a6, 'IoCs related to PARISITE No sample in VT\r\nLast check:21/03/2026'
sha256, a87b96ae9a31ec92e29a48a522ef9554d02ce74db7cb6cd4b133fff07c5b258e, 'IoCs related to PARISITE No sample in VT\r\nLast check:21/03/2026'
sha256, 64892920b813f61eab4797bd60e3fc79a810354e2318061b252dfc027bf72329, 'IoCs related to PARISITE No sample in VT\r\nLast check:21/03/2026'
sha1, efb7b3c47ae74663f153a4b091abfa841c15ea7c, 'IoCs related to PARISITE No sample in VT\r\nLast check:21/03/2026'
sha1, 876fd4e9676ef914bbaf3bbaf7d97e368290e09c, 'IoCs related to PARISITE No sample in VT\r\nLast check:21/03/2026'
sha1, 10f64f4a976195e25587713c4f754b46b61849cc, 'IoCs related to PARISITE No sample in VT\r\nLast check:21/03/2026'
sha1, cf7399acf378c147e706f90e924015ef47cdb364, 'IoCs related to PARISITE No sample in VT\r\nLast check:21/03/2026'
md5, 42c497d2b9b43061482d2544c6d09d14, 'IoCs related to PARISITE No sample in VT\r\nLast check:21/03/2026'
md5, 167f4e92fb3d937bd6a7ded14bf076e6, 'IoCs related to PARISITE No sample in VT\r\nLast check:21/03/2026'
domain, encoremir.com, 'IoCs related to PARISITE'
hostname, apps.gist.githubapp.net, 'IoCs related to PARISITE'
ip-dst, 66.55.159.84, 'IoCs related to PARISITE'
ip-dst, 64.176.165.175, 'IoCs related to PARISITE'
ip-dst, 5.255.100.203, 'IoCs related to PARISITE'

Full IOCs available in Rectifyq’s MISP

2026-03-15 PhishHuntMY] QRaya A Quishing Campaign Targeting TNG eWallet Users During Ramadhan 2026

Sun, 15 Mar 2026 00:00:00 GMT

📃Title: PhishHuntMY] QRaya: A Quishing Campaign Targeting TNG eWallet Users During Ramadhan 2026
📅Date: 2026-03-15
🔗References:

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
sub-category: campaign-analysis
target: broad-based
MY-relevancy: relevant

🔖MISP Galaxies:

target-information=“Malaysia”
mitre-attack-pattern=[‘T1041’, ‘T1566’, ‘T1566.002’, ‘T1056.003’]

MISP event uuid: a0e17fad-45e1-4ab2-9704-ffed51520720

Indicator of Compromise (IoCs)

type,value,comment
url, https://t.ly/cdn.tngdigital.com.my/s/oauth2/berbagirezki/, 'Fake TNG OAuth path, Indonesian-language strings'
url, https://myportalregistration.com/claim-segera, 'Direct phishing domain'
url, https://tngduitraya.gbdjw.my/, 'Direct phishing domain'
url, https://t.ly/Claim11-money-pocket.com?r=qr, 't.ly shortener to phishing domain'
url, https://cdntng.sit-e.com/daftar/, 'Typosquats TNG CDN domain'
url, https://bantuan-tng.inst-my.online/in, 'Malay-language targeting'
hostname, cdn-tngdigital9.my-regist.com, 'Typosquats cdn.tngdigital.com.my'
url, https://shrturl.dev, 'Fortinet flagged: Phishing'
url, https://cq7zc1x.clxz-hv.xyz, 'Cloudflare-protected credential harvester, ~3mo old domain'
hostname, register-now-7528.vercel.app, 'secondary campaign, Bantuan Aidilfitri RM750'
url, myportalregistration.com/claim-segera, ''
hostname, tngduitraya.gbdjw.my, ''
hostname, cdntng.sit-e.com, ''
hostname, cdn.tngdigital.com.my, ''
hostname, bantuan-tng.inst-my.online, ''
url, https://t.ly/cdn.tngdigital.com.my/s/oauth2/berbagirezki/bulansuciramadhan/penuhberkah/moneypacket/1234567890/234567876543234567887654345678765432345678987654323456788765432345677654334567887654234567?r=qr, ''
url, https://t.ly/cdn.tngdigital.com.my/s/oauth2/berbagirezki/bulansuciramadhan/penuhberkah/moneypacket/1234567890/123456787654323456788765432345678876543234567887654323456789876543256787654328765387643876?r=qr, ''
url, https://t.ly/cdn.tngdigital.com.my/s/oauth2/berbagirezki/bulansuciramadhan/penuhberkah/moneypacket/1234567890/234567898765432124567887654321234567898765432345678987654323456789876543234567898765432456?r=qr, ''

Full IOCs available in Rectifyq’s MISP

2026-03-15 PhishHuntMY] PHISH HUNT MY Hunting a Touch ’n Go “Duit Raya” Phishing Campaign Targeting Malaysians

Sun, 15 Mar 2026 00:00:00 GMT

📃Title: PhishHuntMY] PHISH HUNT MY: Hunting a Touch ’n Go “Duit Raya” Phishing Campaign Targeting Malaysians
📅Date: 2026-03-15
🔗References:

https://medium.com/@work.akmaltaufik/hunting-a-touch-n-go-duit-raya-phishing-campaign-targeting-malaysians-dedad86d39b1

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
sub-category: campaign-analysis
target: broad-based
MY-relevancy: relevant

🔖MISP Galaxies:

target-information=“Malaysia”
mitre-attack-pattern=[]

MISP event uuid: acf129a1-cdf0-4e12-89dd-7e94b1fa5c81

Indicator of Compromise (IoCs)

type,value,comment
hostname, tngduitraya79.gofvv2.my, ''
url, https://tngduitraya79.gofvv2.my, ''
url, https://tngduitraya17.gofvv2.my/go, ''
url, https://tngduitraya17.gofvv2.my/go/, ''

Full IOCs available in Rectifyq’s MISP

2026-03-15 PhishHuntMY] Phishing Alert Think Before You Scan!

Sun, 15 Mar 2026 00:00:00 GMT

📃Title: PhishHuntMY] Phishing Alert: Think Before You Scan!
📅Date: 2026-03-15
🔗References:

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
target: broad-based
MY-relevancy: relevant

🔖MISP Galaxies:

target-information=“Malaysia”
mitre-attack-pattern=[]

MISP event uuid: bf98b299-b634-41c8-8591-fc1a1da63824

Indicator of Compromise (IoCs)

type,value,comment
hostname, tng-wallet-qr.ty-fli.com, 'Malicious Domain'
url, https://tng-wallet-qr.ty-fli.com/6/, 'Full Phishing URL'
ip-dst, 172.67.204.240, 'Hosting IP Address'

Full IOCs available in Rectifyq’s MISP

2026-03-14 PhishHuntMY] Full analysis - BANTUAN TUNAI 2025

Sat, 14 Mar 2026 00:00:00 GMT

📃Title: PhishHuntMY] Full analysis - BANTUAN TUNAI 2025
📅Date: 2026-03-14
🔗References:

https://www.linkedin.com/posts/khairul-zuhaili-4abb2435a_initial-discovery-a-suspicious-activity-7438077834687881216-5pHw

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
sub-category: campaign-analysis
target: broad-based
MY-relevancy: relevant

🔖MISP Galaxies:

target-information=“Malaysia”
mitre-attack-pattern=[]

MISP event uuid: 0bb9238e-aab6-461a-94e5-7cf68f16649d

Indicator of Compromise (IoCs)

type,value,comment
url, https://t.me/bantuantngggg/2, ''
url, https://bit.ly/4u17ViW, ''
url, https://bantuantngonline.blogspot.com/?m=1, ''
hostname, bantuantngonline.blogspot.com, ''

Full IOCs available in Rectifyq’s MISP

2026-03-14 PhishHuntMY] Phishing Campaign Analysis “Laptop Percuma / Bantuan E-Wallet” Scam

Sat, 14 Mar 2026 00:00:00 GMT

📃Title: PhishHuntMY] Phishing Campaign Analysis: “Laptop Percuma / Bantuan E-Wallet” Scam
📅Date: 2026-03-14
🔗References:

https://myos-esc.gitbook.io/myos-esc./blogs/phishing-campaign-analysis-laptop-percuma-bantuan-e-wallet-scam

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
sub-category: campaign-analysis
target: broad-based
MY-relevancy: relevant

🔖MISP Galaxies:

target-information=“Malaysia”
country=“indonesia”
online-service=“b0c71d51-34fd-47b5-9eb4-dd406ffc607f”
mitre-attack-pattern=[‘T1041’, ‘T1056’, ‘T1036’, ‘T1566’, ‘T1090’]

MISP event uuid: 2e75d0d3-61e8-431e-8aaa-b047eaa87b52

Indicator of Compromise (IoCs)

type,value,comment
url, http://bantuan-malay.biz.id/66/, 'Main phishing landing page'
hostname, bantuan-malay.biz.id, 'Phishing domain'
domain, xwasq.com, 'Backend data collection server'
ip-dst, 104.21.78.24, 'Cloudflare proxy IP'
ip-dst, 172.67.215.26, 'Cloudflare proxy IP'
ip-dst, 103.163.138.21, 'Backend phishing infrastructure'
url, https://xwasq.com/terkini6/send_otp, ''
email-src, lhepakbudak@gmail.com, 'Registrant Email'

Full IOCs available in Rectifyq’s MISP

2026-03-13 PhishHuntMY] TNG eWallet Quishing Campaign

Fri, 13 Mar 2026 00:00:00 GMT

📃Title: PhishHuntMY] TNG eWallet Quishing Campaign
📅Date: 2026-03-13
🔗References:

https://remarkable-xenon-ff5.notion.site/TNG-eWallet-Quishing-Campaign-31ea6f58415f80cc8e2dd5cee0c56826

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
sub-category: campaign-analysis
target: broad-based
MY-relevancy: relevant

🔖MISP Galaxies:

target-information=“Malaysia”
mitre-attack-pattern=[]

MISP event uuid: 16aad763-2989-4fd3-b6cd-8ceb09e2ef6b

Indicator of Compromise (IoCs)

type,value,comment
url, https://bantuan.tng-gov-my.online/aply, ''
url, https://tng-wallet-qr.ty-fli.com/6/, ''
url, https://ewallet.tng-qr.it.com/2/, ''
domain, tng-gov-my.online, ''
domain, ty-fli.com, ''
hostname, tng-qr.it.com, ''
hostname, bantuan.tng-gov-my.online, ''
hostname, tng-wallet-qr.ty-fli.com, ''
hostname, ewallet.tng-qr.it.com, ''
ip-dst, 172.67.217.169, ''
ip-dst, 104.21.62.10, ''
ip-dst, 104.21.50.106, ''
ip-dst, 172.67.204.240, ''
ip-dst, 104.21.37.23, ''
ip-dst, 172.67.203.71, ''
ip-dst, 2606:4700:3037::ac43:d9a9, ''
ip-dst, 2606:4700:3036::6815:3e0a, ''
ip-dst, 2606:4700:3030::ac43:ccf0, ''
ip-dst, 2606:4700:3033::6815:326a, ''
ip-dst, 2606:4700:3032::ac43:cb47, ''
ip-dst, 2606:4700:3032::6815:2517, ''

Full IOCs available in Rectifyq’s MISP

2026-03-12 PhishHuntMY] How Scammers Stole Telegram Accounts During Ramadhan 2026

Thu, 12 Mar 2026 00:00:00 GMT

📃Title: PhishHuntMY] How Scammers Stole Telegram Accounts During Ramadhan 2026
📅Date: 2026-03-12
🔗References:

https://www.notion.so/How-Scammers-Stole-Telegram-Accounts-During-Ramadhan-2026-3211ea45347c80f19a61cbb0f570fc64

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
target: broad-based
MY-relevancy: relevant

🔖MISP Galaxies:

target-information=“Malaysia”
country=“indonesia”
online-service=“b0c71d51-34fd-47b5-9eb4-dd406ffc607f”
mitre-attack-pattern=[]

MISP event uuid: c99cb7b0-3736-4cab-b7b5-3b1b4d769179

Indicator of Compromise (IoCs)

type,value,comment
ip-dst, 142.251.143.97, ''
url, http://bantuantngmalaysia18.blogspot.com/, ''
hostname, bantuantngmalaysia18.blogspot.com, ''

Full IOCs available in Rectifyq’s MISP

2026-03-11 PhishHuntMY] Bantuan Laptop eMadani Phishing Analysis

Wed, 11 Mar 2026 00:00:00 GMT

📃Title: PhishHuntMY] Bantuan Laptop eMadani Phishing Analysis
📅Date: 2026-03-11
🔗References:

https://shrouded-brake-a7f.notion.site/Bantuan-Laptop-eMadani-Phishing-Analysis-320002229ba780278300f55f5b06adb1

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
sub-category: campaign-analysis
target: broad-based
MY-relevancy: relevant

🔖MISP Galaxies:

target-information=“Malaysia”
country=“indonesia”
online-service=“b0c71d51-34fd-47b5-9eb4-dd406ffc607f”
mitre-attack-pattern=[]

MISP event uuid: 4f13ed69-7e1b-42f7-b8a4-8a47116ab229

Indicator of Compromise (IoCs)

type,value,comment
domain, percumaa477.com, 'Phishing Domain'
hostname, bantuan-laptop.percumaa477.com, 'Phishing Subdomain'
url, https://bantuan-laptop.percumaa477.com/, 'Phishing URL'

Full IOCs available in Rectifyq’s MISP

2026-03-10 PhishHuntMY] Touch ‘n Go / Malaysia Madani Scam QR Phishing analysis!

Tue, 10 Mar 2026 00:00:00 GMT

📃Title: PhishHuntMY] Touch ‘n Go / Malaysia Madani Scam QR Phishing analysis!
📅Date: 2026-03-10
🔗References:

https://171k.my/2026/03/10/tngmadaniphishing/

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
sub-category: campaign-analysis
target: broad-based
MY-relevancy: relevant

🔖MISP Galaxies:

target-information=“Malaysia”
country=“azerbaijan”
country=“indonesia”
online-service=“b0c71d51-34fd-47b5-9eb4-dd406ffc607f”
mitre-attack-pattern=[]

MISP event uuid: 5655b3a1-9dac-4fe3-9da0-4f637ca9206d

Indicator of Compromise (IoCs)

type,value,comment
url, https://bantuan-tng-inst.aply-gov.online/ap/, ''
domain, aply-gov.online, ''
hostname, bantuan-tng-inst.aply-gov.online, ''
url, https://bantuan-tng-inst.aply-gov.online/ap/gateway.php?path=/generate-session, 'Admin Panel'
url, https://bantuan-tng-inst.aply-gov.online/ap/setting.php, 'Config File'

Full IOCs available in Rectifyq’s MISP

2026-03-09 PhishHuntMY] Phishing Page Semakan Tunai Rahmah

Mon, 09 Mar 2026 00:00:00 GMT

📃Title: PhishHuntMY] Phishing Page Semakan Tunai Rahmah
📅Date: 2026-03-09
🔗References:

https://ayiezola.github.io/2026-03-09-Phishing-Page-Semakan-Tunai-Rahmah/

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
sub-category: campaign-analysis
target: broad-based
MY-relevancy: relevant

🔖MISP Galaxies:

target-information=“Malaysia”
online-service=“b0c71d51-34fd-47b5-9eb4-dd406ffc607f”
mitre-attack-pattern=[]

MISP event uuid: 3414f3d9-78e7-4c88-898e-7f39db6f7b68

Indicator of Compromise (IoCs)

type,value,comment
url, https://bantuanstr.infopublic.my.id/e/, 'Primary Phishing URL'
hostname, berjaya66.my.id, 'C2 Backend'

Full IOCs available in Rectifyq’s MISP

2026-03-07 PhishHuntMY] How a Fake eWallet Aid Page Steals Your Telegram Account

Sat, 07 Mar 2026 00:00:00 GMT

📃Title: PhishHuntMY] How a Fake eWallet Aid Page Steals Your Telegram Account
📅Date: 2026-03-07
🔗References:

https://badrulmunir.com/posts/fake-ewallet-my/

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
sub-category: campaign-analysis
target: broad-based
MY-relevancy: relevant

🔖MISP Galaxies:

target-information=“Malaysia”
online-service=“b0c71d51-34fd-47b5-9eb4-dd406ffc607f”
mitre-attack-pattern=[‘T1555.003’, ‘T1589’, ‘T1656’, ‘T1036’, ‘T1027’, ‘T1598’, ‘T1566.002’]

MISP event uuid: d5db54fc-c17c-41dd-bf0e-051090d68e97

Indicator of Compromise (IoCs)

type,value,comment
sha256, aea32c34b4c7f43766908856ff2ae7e5c1d75c290eb3b4ae37fb60b9a23c486f, 'No sample in VT\r\nLast check:17/03/2026 No sample in VT\r\nLast check:20/03/2026'
url, https://bantuan-ewallet-tng-my65mo.ask88sx.my.id/, ''
url, https://bantuan-tng-ewallet-my-009k.faj8.my.id/, ''
url, https://new-link-update-nhcr52.dwwb41.my.id/, ''
url, https://tng-ewallet-chc5x7.uncategori-v3.my.id/, ''
url, https://tng-ewallet-ch7v1.qx0-b5.my.id/, ''
url, https://tng-ewallet-xvcy8.fast-x9.my.id/, ''
url, https://tng-ewallet-gxk7v3.zx88c.my.id/, ''
url, https://tbg-ewallet-xdt42.qif7.my.id/, ''
url, https://tng-ewallet-chx9m.axf66.my.id/, ''
url, https://tng-ewallet-ex73f.afc88v.my.id/, ''
url, https://tng-digital-bc882x.qx0-b5.my.id/, ''
url, https://bantuan-ewallet-2026.zx88c.my.id/, ''
url, https://tng-digital-cfx008.exc-k7.my.id/, ''
url, https://tng-ewalet2026-vx9.regis-x8.my.id/, ''
url, https://bantuan-tng-ewallet-fj2z8.xxx55.my.id/, ''
url, https://tng-ewallet-ic5s80.zx88.my.id/, ''
url, https://bantuan-tng-ewallet-ckf772f.vip-66dx.my.id/, ''
url, https://bantuan-tng-ewallet-dgp85.saft88.my.id/, ''
url, https://bantuan-ewallet-tng-2025-my76c08.gvw08d.my.id/, ''
url, http://bantuan-ewallet-tng-2025-my76c08.gvw08d.my.id/, ''

Full IOCs available in Rectifyq’s MISP

2026-03-03 Silver Dragon Targets Organizations in Southeast Asia and Europe

Tue, 03 Mar 2026 00:00:00 GMT

📃Title: Silver Dragon Targets Organizations in Southeast Asia and Europe
📅Date: 2026-03-03
🔗References:

https://research.checkpoint.com/2026/silver-dragon-targets-organizations-in-southeast-asia-and-europe/

Description

Check Point Research has identified a Chinese-nexus advanced persistent threat group named Silver Dragon, targeting organizations in Southeast Asia and Europe since mid-2024. The group, likely operating under APT41, exploits public-facing servers and uses phishing emails for initial access. They deploy custom tools including GearDoor, a backdoor using Google Drive for command and control, SSHcmd for remote access, and SilverScreen for covert screen monitoring. Silver Dragon primarily focuses on government entities, utilizing Cobalt Strike beacons and DNS tunneling for communication. The group’s sophisticated tactics and evolving toolkit demonstrate a well-resourced and adaptable threat actor.

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
sub-category: TA-profile
target: broad-based
MY-relevancy: relevant
action-taken: diamond-model

🔖MISP Galaxies:

producer= Check-Point
region=“035 - South-eastern Asia”
threat-actor= APT41
target-information=“Italy”
target-information=“Japan”
target-information=“Kazakhstan”
target-information=“Malaysia”
target-information=“Myanmar”
target-information=“Poland”
target-information=“Russia”
online-service=“4a9eade3-5de4-4a80-9c7a-ba3a7566e130”
malpedia=“Cobalt Strike”
sector=“Government, Administration”
mitre-attack-pattern=[‘T1113’, ‘T1033’, ‘T1132.001’, ‘T1071.004’, ‘T1036.005’, ‘T1021.004’, ‘T1082’, ‘T1053’, ‘T1055’, ‘T1016’, ‘T1083’, ‘T1036.004’, ‘T1049’, ‘T1057’, ‘T1059.001’, ‘T1078’, ‘T1102.002’, ‘T1001.003’, ‘T1059.003’, ‘T1105’]

MISP event uuid: 2e319e49-6c2f-442b-ba50-ae7d2e43ddb4

Indicator of Compromise (IoCs)

type,value,comment
md5, 876e6bca4c322db479d00152a5c8231a, ''
md5, 00bd4de2bde0461accdd2e79279b08c2, ''
md5, 2edd53b59f01931888d9d237871aa808, ''
md5, 61bb113beecd0166ac2f2e8e027645fe, ''
md5, 9fd54246d78eacdb02d8d830a27f95bc, ''
md5, 0d1f1d68ae32ee8d51f8ec8f2676bfeb, ''
md5, e43f35f6cbb86a283bf2d8051d73b31c, ''
md5, 8ee654d826ca5243e2ed1bc4d07f86be, ''
md5, ae72b2c870eb5cb9e01183c3cd301c7c, ''
md5, 5f1928e8a644dab9fb294374362b045e, ''
md5, 791de86ffaf47666e3dcf26c8f943f25, ''
md5, ccc1631e700763c4c31cd7540f2bf608, ''
md5, b0bae77341da2871b8354cbe22b39cf6, ''
md5, 7728646e661df092f1e71735a711f05a, ''
md5, 2a7042102cae68fce699e33cd78d847d, ''
md5, 2524f644a0d731c252079870ec7c882e, ''
md5, cbdd29728b03f1da10e3dafd1bc5df30, ''
md5, 1c66d075c3df801f92a24d99b3f69de3, ''
md5, a5c9a0a0f09683ccdcc56b9ff284162a, ''
md5, ae98807d74d87edfc35140d507420874, ''
md5, 14e9ef06501f14449e56fcb3471273ed, ''
md5, 658a1cb18ad9a3450093ade1ef29f94e, ''
md5, e4b79d14ebbca9240e9d763ce90fe0e6, ''
md5, e3dcb68059e854af3b99bd4d1dc02e53, ''
md5, a53331b3562f12c84cb59c24d7641251, ''
md5, b2f9bf291261499f60fbaaaa2b50a4ae, ''
md5, 5a654a8a336156d637abd8cedc2bb977, ''
md5, da1ac5b2ee326a66bfb233c89c1f1aac, ''
md5, 0012f9f7bc6db810618fb914bfa87171, ''
md5, 9d3f61dcaba90db2ede1c1906a80ace2, 'No sample in VT\r\nLast check:06/03/2026'
sha256, 16b9a7358be88632378ba20ba1430786f3b844694b1f876211ecdbecf5cccbc2, 'No sample in VT\r\nLast check:06/03/2026'
sha256, 37b485ed8d150d022c41e5e307b8c54c34ef806625b44d0c940b18be7d5b29ce, 'No sample in VT\r\nLast check:06/03/2026'
domain, ampolice.org, ''
domain, bigflx.net, ''
domain, copilot-cloud.net, ''
domain, exchange4study.com, ''
domain, mindssurpass.com, ''
domain, oicm.org, ''
domain, onedriveconsole.com, ''
domain, protacik.com, ''
domain, revitpourtous.com, ''
domain, splunkds.com, ''
domain, wikipedla.blog, ''
domain, zhydromet.com, ''
hostname, ns1.exchange4study.com, ''
hostname, ns1.onedriveconsole.com, ''
hostname, ns2.onedriveconsole.com, ''
hostname, drivefrontend.pa-clients.workers.dev, ''

Full IOCs available in Rectifyq’s MISP

2026-02-28 Analysis of the “Kongsi Rezeki” on Threads social media QR-phishing campaign

Sat, 28 Feb 2026 00:00:00 GMT

📃Title: Analysis of the “Kongsi Rezeki” on Threads social media QR-phishing campaign
📅Date: 2026-02-28
🔗References:

https://www.notion.so/3ch0/Analysis-of-the-Kongsi-Rezeki-on-Threads-social-media-QR-phishing-campaign-314d05a447d5809abc48e44233792978

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
sub-category: campaign-analysis
target: broad-based
MY-relevancy: relevant

🔖MISP Galaxies:

target-information=“Malaysia”
mitre-attack-pattern=[‘T1531’, ‘T1588.004’, ‘T1583.001’, ‘T1041’, ‘T1111’, ‘T1566.002’, ‘T1598.003’]

MISP event uuid: 0b6037c8-d75d-4ba2-a378-7e0a2757a051

Indicator of Compromise (IoCs)

type,value,comment
url, https://tngduitraya14.gbdjw.my/, 'Landing page after QR scan.'
url, https://tngduitraya14.gbdjw.my/go/, 'Data collection page.'
url, https://tngduitraya14.gbdjw.my/API/index.php, 'C2 server for data exfiltration.'
domain, gbdjw.my, 'Malicious Domain.'
hostname, money.gbdjw.my, ''
hostname, tngduitraya.gbdjw.my, ''
hostname, moneypocket.gbdjw.my, ''

Full IOCs available in Rectifyq’s MISP

2026-02-23 Chronology of MuddyWater APT Attacks Targeting the Middle East

Mon, 23 Feb 2026 00:00:00 GMT

📃Title: Chronology of MuddyWater APT Attacks Targeting the Middle East
📅Date: 2026-02-23
🔗References:

https://www.genians.co.kr/en/blog/threat_intelligence/muddywater-apt?hs_amp=true

Description

This report analyzes the recent activities of the MuddyWater APT group, which primarily targets organizations in the Middle East. The group employs sophisticated spear-phishing techniques, often impersonating legitimate entities and using malicious documents to gain initial access. Their attacks focus on long-term infiltration and intelligence gathering rather than immediate disruption. The report details several attack cases from 2019 to 2026, highlighting the group’s evolving tactics, including the abuse of legitimate remote management tools and the use of Rust-based malware. The analysis emphasizes the importance of endpoint detection and response (EDR) solutions in identifying and mitigating these threats, as traditional perimeter-based security measures prove insufficient against such advanced persistent threats.

🔖Rectifyq Taxonomies:

relevancy: 🔴 Highly Relevant
category: ⚔Threat
sub-category: campaign-analysis
topic: geopolitical
target: broad-based
MY-relevancy: relevant

🔖MISP Galaxies:

target-information=“Egypt”
target-information=“Iraq”
target-information=“Israel”
target-information=“Jordan”
target-information=“Malaysia”
target-information=“Oman”
target-information=“Turkmenistan”
threat-actor= MuddyWater
mitre-attack-pattern=[‘T1133’, ‘T1071’, ‘T1190’, ‘T1583.001’, ‘T1036’, ‘T1588.001’, ‘T1102’, ‘T1204’, ‘T1059.001’, ‘T1547.001’, ‘T1199’, ‘T1588.002’, ‘T1566’, ‘T1078’, ‘T1027’, ‘T1213’, ‘T1105’, ‘T1569.002’]

MISP event uuid: 902d955b-e5f7-4bca-948e-857e6ab0017c

Indicator of Compromise (IoCs)

type,value,comment
md5, 0a95918fd6000a69b8a70609f93e910f, ''
md5, 1f280f51eeb6cf895fe80082ce725841, ''
md5, 244a4f81cff4a8dc5872628a40713735, ''
md5, 3a95186019af1943a0ea0f8eb07a288f, ''
md5, 4055d8b5c2e909f5db8b75a5750a7005, ''
md5, 43be8a405a7f57cf9f910d829c521b21, ''
md5, 4c169dde3bc184c42ca7a712a61c6f3c, ''
md5, 74e75830252220cbbe7e3adec4340d2d, ''
md5, 75060f5394b72421c0d8f81f79931aa9, ''
md5, 7da3d206519086f2725494b3ab095fbb, ''
md5, 806adc79e7ea3be50ef1d3974a16b7fb, ''
md5, 809334c0b55009c5a50f37e4eec63c43, ''
md5, 95d9e6c262632abe004c4693a71eaced, ''
md5, aba760ec55fdeccb35adb068443feb89, ''
md5, b181ecbb7394e3b1394a8c97af65b7e2, ''
md5, c381c2cb8fdd6acf1636280b9424f573, ''
md5, c89671f994af65677aa48b699a01fe9d, ''
md5, e2d6031afd81bf3b6a44de4d0b039055, ''
md5, f1c935ce028022ab2a495eae83adacc6, ''
md5, f6a4c531e92cbdd5ffac75c76939d7f3, ''
md5, 0873ce3db84b79da935f71df3d6c8e6d, ''
md5, 68352f61da6e3236c4fe760997a981ea, ''
md5, 242098c3e87822bffa7c337987065fbe, ''
md5, aaa9db79b5d6ba319e24e6180a7935d6, ''
md5, b9a67ffb81420e68f9e5607cc200604a, ''
md5, c5c0829df294cc4fd701df5d5c55718f, ''
md5, c478e472f6223e7ee92cff8b459e55e2, ''
md5, cdeb7abfc7775c63745135431272dda3, ''
md5, ef6ec560efd05d21976a6fd3f489e206, ''
md5, f06e30dee8629e951cefa73373fdef9d, ''
md5, f97650ede0c39a29b0b5c5472f685d11, ''
md5, 1e9a4e774b61acc8a6b35ee50417e661, ''
md5, 2ed6ebaa28a9bfccc59c6e89a8990631, ''
md5, 3ab16bd1c339fd0727be650104b74dd1, ''
md5, 6d7ce5b03fe61683229c29a859505163, ''
md5, 23d99f912f2491749b89e4fd337273bc, ''
md5, 64fc017a451ef273dcacdf6c099031f3, ''
md5, 93be13bbcad30440a0d0ef3868d67003, ''
md5, 96d5a7e0e75654c444cb1a915c666ac8, ''
ip-dst, 159.198.66.153, ''
ip-dst, 159.198.68.25, ''
domain, screenai.online, ''
domain, stratioai.org, ''
hostname, nomercys.it.com, ''

Full IOCs available in Rectifyq’s MISP