{
  "name": "PJobRAT makes a comeback, takes another crack at chat apps",
  "slug": "pjobrat-makes-a-comeback-takes-another-crack-at-chat-apps",
  "description": "In the latest campaign, X-Ops researchers found PJobRAT samples disguising themselves as instant messaging apps. In the researchers' telemetry, all the victims appeared to be based in Taiwan.",
  "published": "2025-03-27T20:52:43+00:00",
  "created_at": "2025-03-27T20:52:43+00:00",
  "modified_at": "2025-03-27T21:24:28+00:00",
  "created_at_opencti": "2025-03-27T20:52:43+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-03-27",
    "android",
    "breadcrumbs",
    "c2 server",
    "code issues",
    "domain hosting",
    "eio4",
    "github",
    "history",
    "infostealer",
    "pjobrat",
    "pjobrat domain",
    "pjobrat package",
    "pull"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "http://westvist.myftp.org:8181"
      },
      {
        "id": "",
        "name": "http://westvist.myftp.org:3574/notification/chat_notification_v2.php"
      },
      {
        "id": "",
        "name": "http://westvist.myftp.org:8181/socket.io/?EIO=4&transport=websocket"
      },
      {
        "id": "",
        "name": "http://westvist.myftp.org:3574"
      },
      {
        "id": "",
        "name": "http://westvist.myftp.org:3574/m_chowa_srv/main.php"
      },
      {
        "id": "",
        "name": "westvist.myftp.org"
      },
      {
        "id": "",
        "name": "itechcube.xyz"
      },
      {
        "id": "",
        "name": "toolkitapi.xyz"
      },
      {
        "id": "",
        "name": "44a05d1e36938c0d6039e0986de91744482d86d641d1d981f3e8a61385fb33a3"
      },
      {
        "id": "",
        "name": "37c390ff137ac71004223c73b99a9d8eec8ae2e879dee679bda29c09e1b11a37"
      },
      {
        "id": "",
        "name": "0ebcfbcda27b84b8f0db6d50abb1b0ff7831938913912156d27880704e69f1f2"
      },
      {
        "id": "",
        "name": "0ad9cd56764ef70bdfbd3b2d269020557135f075d63327dbaab1bf0e9d816fb5"
      }
    ],
    "malware": [
      {
        "id": "0c4c1eb7-dedb-4406-a678-3aaf3440e0fd",
        "name": "PJobRAT",
        "slug": "pjobrat"
      }
    ],
    "attack_patterns": [
      {
        "id": "436e795b-553f-444e-b837-65818d8f539f",
        "name": "T1119"
      },
      {
        "id": "fc699aef-8931-4a79-8f79-9651be9abd50",
        "name": "T1021"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "50514c04-b3a2-4abf-a855-e3a434200c87",
        "name": "T1204"
      },
      {
        "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e",
        "name": "T1041"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Taiwan"
      }
    ]
  },
  "external_refs": [
    "https://news.sophos.com/en-us/2025/03/27/pjobrat-makes-a-comeback-takes-another-crack-at-chat-apps/",
    "https://otx.alienvault.com/pulse/67e5c8abe70b87d810a5b6c6"
  ]
}