Malware

GAMECHANGE

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

MITRE ATT&CK

Techniques & procedures

8 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique

T1566PhishingEvidence1

The malware was written in Python, compiled into a Windows PE file using PyInstaller, and delivered from compromised email accounts impersonating Ukrainian ministry representatives.

Execution

1 technique

T1059.006PythonEvidence1

The malware was written in Python, compiled into a Windows PE file using PyInstaller...

Discovery

4 techniques

T1016System Network Configuration DiscoveryEvidence1

It embedded unique API tokens to resist blacklisting, collected hardware, process, network, and Active Directory data...

T1018Remote System DiscoveryEvidence1

It embedded unique API tokens to resist blacklisting, collected hardware, process, network, and Active Directory data...

T1057Process DiscoveryEvidence1

It embedded unique API tokens to resist blacklisting, collected hardware, process, network, and Active Directory data...

T1082System Information DiscoveryEvidence1

It embedded unique API tokens to resist blacklisting, collected hardware, process, network, and Active Directory data...

Collection

1 technique

T1005Data from Local SystemEvidence1

...and recursively copied Office documents and PDFs.

Command and Control

1 technique

T1568Dynamic ResolutionEvidence1

Instead, it sent queries to Alibaba’s Qwen-Coder model via the Hugging Face API, generating commands to execute in real time.

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

cyber security newsNews

May 4, 2026

Threat Actors Use AI to Automate 0-Day Discovery and Exploitation at Machine Speed

AI-orchestrated espionage malware written in Python and compiled as a Windows PE via PyInstaller. It queried Alibaba's Qwen-Coder model through the Hugging Face API to generate commands in real time, collected hardware, process, network, and Active Directory data, and recursively copied Office documents and PDFs.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping8

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.