{ "type": "bundle", "id": "bundle--d405febc-ac89-49a4-ac1e-647eeb230857", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--40cea600-1476-4e6e-9419-6ed052e3ca9d", "created": "2023-03-10T05:55:31.704852Z", "modified": "2024-10-24T14:21:18.713883Z", "name": "ThreatBook", "identity_class": "organization" }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--9915c9bf-525f-4f00-a266-524e57912f79", "value": "sfrclak.com" }, { "type": "file", "spec_version": "2.1", "id": "file--9d6565c3-1ee2-45f5-b4c3-194bb0bda249", "hashes": { "SHA-256": "ed8560c1ac7ceb6983ba995124d5917dc1a00288912387a6389296637d5f815c" } }, { "type": "file", "spec_version": "2.1", "id": "file--31724907-c57a-4919-88b7-9fb153f4aff3", "hashes": { "SHA-256": "f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd" } }, { "type": "domain-name", "spec_version": "2.1", "id": "domain-name--dbe55bfd-6d10-407e-969a-53d22426522e", "value": "callnrwise.com" }, { "type": "file", "spec_version": "2.1", "id": "file--113f928b-46fb-459a-85b4-12ac83442552", "hashes": { "SHA-256": "617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101" } }, { "type": "file", "spec_version": "2.1", "id": "file--f7748e54-28de-4052-a7e5-eb892e8ade70", "hashes": { "SHA-256": "92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a" } }, { "type": "file", "spec_version": "2.1", "id": "file--cc0c5258-18ba-44b5-be20-97036b027b84", "hashes": { "SHA-256": "fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf" } }, { "type": "url", "spec_version": "2.1", "id": "url--15d803c1-f248-4623-af7b-f379f2a36962", "value": "http://sfrclak.com:8000/6202033" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--794180bf-52c3-45df-bf94-6810144b7a2f", "value": "142.11.206.73" }, { "type": "file", "spec_version": "2.1", "id": "file--7cee3be8-f4f7-42c7-809e-23825786ed58", "hashes": { "SHA-256": "4465bdeaddc8c049a67a3d5ec105b2f07dae72fa080166e51b8f487516eb8d07" } }, { "type": "file", "spec_version": "2.1", "id": "file--ffc9c641-6a8b-46d3-b49b-a6f116019e3d", "hashes": { "SHA-256": "506690fcbd10fbe6f2b85b49a1fffa9d984c376c25ef6b73f764f670e932cab4" } }, { "type": "file", "spec_version": "2.1", "id": "file--845c1a0f-2bf2-4f19-a44f-4675bc61f2ff", "hashes": { "SHA-256": "5b5fbc627502c5797d97b206b6dcf537889e6bea6d4e81a835e103e311690e22" } }, { "type": "file", "spec_version": "2.1", "id": "file--364f4803-ae15-4442-b5af-11b380d0f806", "hashes": { "SHA-256": "46f5eea70d536f7affe40409d7aaa5fa0009f0dc4538ba2867cb7569737db859" } }, { "type": "file", "spec_version": "2.1", "id": "file--eac4c2d3-8125-4d5e-a3f3-6f18f3e4c8cc", "hashes": { "SHA-256": "8c8f5f095d65d3f33ce89a77dfbe84a79bb29d2e0073a57a23dcc014d0683c2e" } }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--af102ffc-7eb7-47ce-8d85-8cc1279124cb", "value": "142.11.199.73" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--e7515407-a89d-4a8b-87f4-fe694c68ba6d", "value": "142.11.196.73" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--80cf55ad-4ad4-4d3e-b442-87c68901a27a", "created": "2026-06-24T22:19:48.494759Z", "modified": "2026-06-24T22:19:48.494759Z", "name": "YARA Rule", "pattern": "rule G_Backdoor_WAVESHAPER_1 {\r\nmeta:\r\nauthor = \"Google Threat Intelligence Group (GTIG)\"\r\ndate_created = \"2025-11-03\"\r\ndate_modified = \"2025-11-03\"\r\nmd5 = \"c91725905b273e81e9cc6983a11c8d60\"\r\nrev = 1\r\nstrings:\r\n$str1 = \"mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)\"\r\n$str2 = \"/tmp/.%s\"\r\n$str3 = \"grep \\\"Install Succeeded\\\" /var/log/install.log | awk '{print $1, $2}'\"\r\n$str4 = \"sysctl -n hw.model\"\r\n$str5 = \"sysctl -n machdep.cpu.brand_string\"\r\n$str6 = \"sw_vers --ProductVersion\"\r\ncondition:\r\nall of them\r\n}", "pattern_type": "yara", "valid_from": "2026-02-10T00:00:00Z" }, { "type": "file", "spec_version": "2.1", "id": "file--e4e4684e-9079-4388-92f1-f85dcfeb93af", "hashes": { "MD5": "c91725905b273e81e9cc6983a11c8d60" } }, { "type": "threat-actor", "spec_version": "2.1", "id": "threat-actor--af08d5c9-f507-5ed5-9986-7ffea3df195b", "created": "2026-06-24T22:19:48.500664Z", "modified": "2026-06-24T22:19:48.500664Z", "name": "Lazarus" }, { "type": "report", "spec_version": "2.1", "id": "report--2187b405-22ce-4eed-a569-0a71334b7ca2", "created_by_ref": "identity--40cea600-1476-4e6e-9419-6ed052e3ca9d", "created": "2026-06-24T22:19:48.504849Z", "modified": "2026-06-24T22:19:48.504849Z", "name": "Lazarus Group Poisons Axios: Inside the npm Supply Chain Attack", "published": "2026-03-31T00:00:00Z", "object_refs": [ "identity--40cea600-1476-4e6e-9419-6ed052e3ca9d", "domain-name--9915c9bf-525f-4f00-a266-524e57912f79", "file--9d6565c3-1ee2-45f5-b4c3-194bb0bda249", "file--31724907-c57a-4919-88b7-9fb153f4aff3", "domain-name--dbe55bfd-6d10-407e-969a-53d22426522e", "file--113f928b-46fb-459a-85b4-12ac83442552", "file--f7748e54-28de-4052-a7e5-eb892e8ade70", "file--cc0c5258-18ba-44b5-be20-97036b027b84", "url--15d803c1-f248-4623-af7b-f379f2a36962", "ipv4-addr--794180bf-52c3-45df-bf94-6810144b7a2f", "file--7cee3be8-f4f7-42c7-809e-23825786ed58", "file--ffc9c641-6a8b-46d3-b49b-a6f116019e3d", "file--845c1a0f-2bf2-4f19-a44f-4675bc61f2ff", "file--364f4803-ae15-4442-b5af-11b380d0f806", "file--eac4c2d3-8125-4d5e-a3f3-6f18f3e4c8cc", "ipv4-addr--af102ffc-7eb7-47ce-8d85-8cc1279124cb", "ipv4-addr--e7515407-a89d-4a8b-87f4-fe694c68ba6d", "indicator--80cf55ad-4ad4-4d3e-b442-87c68901a27a", "file--e4e4684e-9079-4388-92f1-f85dcfeb93af", "threat-actor--af08d5c9-f507-5ed5-9986-7ffea3df195b" ], "external_references": [ { "source_name": "source", "url": "https://threatbook.io/blog/lazarus-group-poisons-axios-inside-the-npm-supply-chain-attack" } ] } ] }