{
  "name": "The #APT36 cluster can't stop, won't stop",
  "slug": "the-apt36-cluster-cant-stop-wont-stop",
  "description": "They just added #CVE-2026-21509 and #CVE-2026-21513 (borrowed from APT28) to their delivery chain, pushing updated FIREPOWER via weaponized RTF and LNK files against \ud83c\uddee\ud83c\uddf3 (India) targets. Separately, fresh SheetCreep plus a shiny new CrystalShell-Slack variant were co-dropped on a Kashmir target, because one implant is never enough. The vibeware factory is running three shifts: Crystal, .NET and PowerShell.",
  "published": "2026-06-23T19:23:16.604000+00:00",
  "created_at": "2026-06-23T19:30:08.796000+00:00",
  "modified_at": null,
  "created_at_opencti": "2026-06-23T19:30:08.796000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "apt36",
    "crystalshell",
    "firepower",
    "lnk",
    "rtf",
    "turkey"
  ],
  "tags": [],
  "related_entities": {
    "indicators": [
      {
        "id": "79f682d9-2260-45f3-a6b9-abaac465c840",
        "name": "9a93231038c7807c7c1376de1546cae94b6778106bb2ef115631da0991adbb91"
      },
      {
        "id": "12d8a6ec-4a1a-4db0-bed5-d6f15c986163",
        "name": "6df13b336f3daccc29a5f24bd5824f4ae9b4d7c45ee9c9adcd7a36679ee009c5"
      },
      {
        "id": "b4fa667f-370d-4628-b598-54b3e1ab284d",
        "name": "558dd73f708d4ea7b33fec295ac201ee5c76ba293856d8835225538c11ff208e"
      },
      {
        "id": "8cda21f3-4008-4f78-a05c-45ee2602cd58",
        "name": "12335f9a1b7d3b84d2844b42f6f2ae03b70c2cc3d68e6c2dd468ee1ec6b2f3c1"
      },
      {
        "id": "94938b66-7268-4d23-b934-90bdb8822405",
        "name": "3d74a0fb447590ba7c054e6e7c6d182d145651f588aa4de8bf0972461d9652f2"
      }
    ],
    "intrusion_sets": [
      {
        "id": "db5db15c-525d-4e39-9b12-840d085370b0",
        "name": "APT36",
        "slug": "transparent-tribe"
      }
    ],
    "malware": [
      {
        "id": "4291b73d-65fe-4791-9b3b-b29a3fcbf40a",
        "name": "SHEETCREEP",
        "slug": "sheetcreep"
      },
      {
        "id": "a9336bbb-469b-40e3-a882-1077e2d23c08",
        "name": "CrystalShell"
      }
    ]
  },
  "external_refs": [
    {
      "id": "881d6d88-a976-4ce2-82fc-6f1d80698411",
      "standard_id": "external-reference--88e96019-67ce-50fc-abbd-7a8e7b571684",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/6a3add255a93c4e851962479",
      "hash": null,
      "external_id": "6a3add255a93c4e851962479",
      "created": "2026-06-23T19:30:07.060Z",
      "modified": "2026-06-23T19:30:07.060Z",
      "createdById": null
    },
    {
      "id": "fa294b4a-2aaa-4eea-a4e9-db65ed1414cd",
      "standard_id": "external-reference--f5bf4941-f5c4-53b9-bb86-7b828547747a",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://x.com/GenThreatLabs/status/2068972067307811234",
      "hash": null,
      "external_id": null,
      "created": "2026-06-23T19:30:07.088Z",
      "modified": "2026-06-23T19:30:07.088Z",
      "createdById": null
    }
  ]
}