MD5MediumSignal 81/100
d30cc10d54ebc967c8538ff74f442eee
Location
First Seen
May 16, 2026
Last Seen
Jun 23, 2026
Found in 9 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
MD5 Hash
MD5 file hash associated with malicious samples.
MISP Category
Artifacts Dropped
Hash Algorithm
MD5
Confidence
81%
Signal Score
81 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK
MITRE ATT&CK TTPs
Feed Intelligence Summary
9 reports81% confidence
9
Source reports
81%
Confidence score
Category tags
abuse_ch_hashbad reputationbotnetbotnet activitycloakingdelphidetect-debug-environmenteducationexeexecutable filefakecaptchafile-hashfinance and insuranceghost cmsindicatorinformation stealerinfostealerinjection activityinnojameswt_wtlong-sleepsmalwaremass compromisemediapedllperuphishingransomwareresearchedscams & fraudsouth americasql injectiont1027t1055t1059.001t1059.003t1059.007t1071.001t1102t1105t1132.001t1140t1190t1204t1212t1218.011t1547.001t1566t1573t1583.001t1583.006targeting databasethreat actorvulnerability scanwindows
Activity Timeline
Jun 23Jun 23
Threat Activity Heatmap
· Peak: 2026-06-23LessMore
Mon
Wed
Fri
24h
0
Dormant
7d
0
Dormant
30d
1
Minimal
3mo
1
Minimal
Threat ScoreHigh Risk
81
SIGNAL
Signal Score
81%
Confidence
9
Reports
First seenMay 16, 2026
Last seenJun 23, 2026
VirusTotal
Not checked
WHOIS
- description
- Attackers exploited CVE-2026-26980, a critical SQL injection vulnerability in Ghost CMS, to obtain Admin API Keys without authorization and conduct mass website poisoning campaigns. Over 700 domains across multiple industries including universities, blockchain, AI, security research, and media were compromised. The attack chain involves CMS takeover, page poisoning with malicious JavaScript loaders, two-stage cloaking scripts, and FakeCaptcha social engineering to trick users into executing malicious commands. Two distinct threat groups are actively exploiting unpatched Ghost CMS installations, delivering information stealers and remote access tools. Compromised sites include Harvard University, Oxford University, and Auburn University. The attacks leverage users' trust in legitimate websites to increase success rates of ClickFix-type attacks, with payloads being dynamically distributed through Cloudflare-proxied domains.
Export & API
STIX 2.1 Bundle
CSV Export
Permalink
IOC Journey
mediumFirst detected 1 month ago · Last seen 10 days ago
Appeared in 9 threat reports