IOC Radar
SHA1MediumSignal 78/100

9c363fbcc86662ce15cee15e5dd16b71b769ceb4

First Seen
Apr 16, 2026
Last Seen
Apr 24, 2026
Apr 16
First Seen
58d ago
Apr 24
Last Seen
51d ago
4
Reports
source reports
78%
Confidence
medium
Found in 4 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
SHA-1 Hash
SHA-1 file hash associated with malicious samples.
MISP Category
Artifacts Dropped
Hash Algorithm
SHA1
Confidence
78%
Signal Score
78 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK

MITRE ATT&CK TTPs

21 techniques

Feed Intelligence Summary

4 reports78% confidence
4
Source reports
78%
Confidence score
Category tags
active scanagentattackbackbad reputationcloudcontactdemodetect-debug-environmentdevtcpipportenumerateexploitation activityfile-hashgrephuntindicatoripv4kagentlong-sleepsmalwaremarimonkabusenkn blockchainpostgresqlpythonrebootresearchedreverse shellscriptselectshellspacesstrongsysdigt1016t1021.004t1027.002t1033t1053t1053.003t1059.004t1059.006t1071.004t1082t1083t1090t1095t1105t1140t1190t1543.001t1543.002t1552.001t1571t1573.002targetvulnerability scan

Activity Timeline

1 total obs
Apr 24Apr 24

Threat Activity Heatmap

· Peak: 2026-04-24
Less
More
Mon
Wed
Fri
Jun
·
·
·
Jul
·
·
·
Aug
·
·
·
Sep
·
·
·
·
Oct
·
·
·
Nov
·
·
·
Dec
·
·
·
·
Jan
·
·
·
Feb
·
·
·
Mar
·
·
·
·
Apr
·
·
·
May
·
·
·
Jun
24h
0
Dormant
7d
0
Dormant
30d
0
Dormant
3mo
1
Minimal
Intelligence SummaryAI Generated

This Indicator of Compromise (IOC) represents a critical threat to organizational security, evidenced by its high score of 77.74 and its direct association with malicious activity. This specific hash is strongly linked to the propagation of a blockchain botnet that leverages the actively exploited vulnerability, CVE-2026-39987. If this IOC is present within the environment, it signals a likely compromise, potentially leading to unauthorized system control, resource hijacking for illicit activiti…

Threat ScoreHigh Risk
78
SIGNAL
Signal Score
78%
Confidence
4
Reports
First seenApr 16, 2026
Last seenApr 24, 2026

VirusTotal

Not checked

WHOIS

description
Bourne-Again shell script, ASCII text executable
references
https://www.sysdig.com/blog/cve-2026-39987-update-how-attackers-weaponized-marimo-to-deploy-a-blockchain-botnet-via-huggingface, IOCs.2026.csv, https://www.sysdig.com/blog/cve-2026-39987-update-how-attackers-weaponized-marimo-to-deploy-a-blockchain-botnet-via-huggingface#conclusion

Export & API

STIX 2.1 Bundle
CSV Export
Permalink

IOC Journey

medium
First detected 1 month ago · Last seen 1 month ago
Appeared in 4 threat reports