{
  "type": "Domain",
  "indicator": "1cbit-dev.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/1cbit-dev.com",
    "alexa": "http://www.alexa.com/siteinfo/1cbit-dev.com",
    "indicator": "1cbit-dev.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4212427221,
      "indicator": "1cbit-dev.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 7,
      "pulses": [
        {
          "id": "69f340364397310a3917b55d",
          "name": "Hiding in plain sight: How PhantomCore disguises its activity with legitimate tools",
          "description": "PhantomCore, a prolific cyber threat actor group active in the Russian cyber landscape, has increasingly targeted TrueConf video conferencing servers since September 2025. They exploit a series of vulnerabilities in TrueConf to gain initial access, specifically vulnerabilities associated with remote command execution. To cover their tracks and maintain persistence within compromised networks, they employ a toolkit of modified open-source utilities and their own proprietary tools, such as MacTunnelRAT and PhantomSscp, which facilitate the creation of reverse SSH tunnels and the tunneling of traffic.",
          "modified": "2026-05-30T11:33:05.564000",
          "created": "2026-04-30T11:42:46.807000",
          "tags": [
            "phantomcore",
            "pt esc",
            "lockbit",
            "positive",
            "trueconf",
            "rsocx",
            "phantomsscp",
            "mactunnelrat",
            "ps.phatnomlatch",
            "win64.phantomsscp",
            "win32.lolbin.a",
            "generic.b",
            "generic.a"
          ],
          "references": [
            "https://ptsecurity.com/research/pt-esc-threat-intelligence/hiding-in-plain-sight-how-phantomcore-masks-its-activity-with-legitimate-tools/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "PS.PhatnomLatch",
              "display_name": "PS.PhatnomLatch",
              "target": null
            },
            {
              "id": "Win64.PhantomSscp",
              "display_name": "Win64.PhantomSscp",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1039",
              "name": "Data from Network Shared Drive",
              "display_name": "T1039 - Data from Network Shared Drive"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1087",
              "name": "Account Discovery",
              "display_name": "T1087 - Account Discovery"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1136",
              "name": "Create Account",
              "display_name": "T1136 - Create Account"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1505",
              "name": "Server Software Component",
              "display_name": "T1505 - Server Software Component"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1569",
              "name": "System Services",
              "display_name": "T1569 - System Services"
            },
            {
              "id": "T1570",
              "name": "Lateral Tool Transfer",
              "display_name": "T1570 - Lateral Tool Transfer"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1572",
              "name": "Protocol Tunneling",
              "display_name": "T1572 - Protocol Tunneling"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1595",
              "name": "Active Scanning",
              "display_name": "T1595 - Active Scanning"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "URL": 8,
            "domain": 28
          },
          "indicator_count": 38,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 541,
          "modified_text": "18 hours ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f296e6f8d22e6594cd87c2",
          "name": "dfhbdfhbfth",
          "description": "",
          "modified": "2026-05-29T23:35:16.304000",
          "created": "2026-04-29T23:40:22.053000",
          "tags": [
            "eio4"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "harshandc123",
            "id": "378589",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 95,
            "FileHash-MD5": 47,
            "FileHash-SHA1": 42,
            "FileHash-SHA256": 149,
            "URL": 1251,
            "hostname": 783
          },
          "indicator_count": 2367,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 16,
          "modified_text": "1 day ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f29701e8ef05a0558464d1",
          "name": "dfhbdfhbfth",
          "description": "",
          "modified": "2026-05-29T23:35:16.304000",
          "created": "2026-04-29T23:40:49.785000",
          "tags": [
            "eio4"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "harshandc123",
            "id": "378589",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 95,
            "FileHash-MD5": 47,
            "FileHash-SHA1": 42,
            "FileHash-SHA256": 149,
            "URL": 1251,
            "hostname": 783
          },
          "indicator_count": 2367,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 15,
          "modified_text": "1 day ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69fd2f806b1d5401e22c357b",
          "name": "Uncovering BO Team\u2019s ZeronetKit Operations and Strategic Overlap with Head Mare",
          "description": "",
          "modified": "2026-05-08T00:34:08.145000",
          "created": "2026-05-08T00:34:08.145000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Cherryid",
            "id": "383941",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 28,
            "FileHash-SHA1": 28,
            "FileHash-SHA256": 26,
            "domain": 7
          },
          "indicator_count": 89,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 20,
          "modified_text": "23 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69a046863c1c92107079f81b",
          "name": "EbeeFeb2026 Pt5",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-03-31T06:00:59.128000",
          "created": "2026-02-26T13:11:34.763000",
          "tags": [
            "filehashsha1",
            "filehashsha256",
            "filehashmd5"
          ],
          "references": [
            "IOCs.2026.csv"
          ],
          "public": 1,
          "adversary": "Contagious Interview Campaign, Triton fork campaign, CRESCENTHARVEST, MIMICRAT, Operation Olalampo",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 78,
            "FileHash-MD5": 191,
            "FileHash-SHA1": 220,
            "FileHash-SHA256": 192,
            "CVE": 2,
            "URL": 58,
            "domain": 220
          },
          "indicator_count": 961,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 41,
          "modified_text": "60 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69a0a5632dc1f330824320c2",
          "name": "New Head Mare newsletter: the phantom contract",
          "description": "In February 2026, the hacktivist group Head Mare initiated a widespread phishing campaign utilizing a new variant of the PhantomCore backdoor, referred to as PhantomDL. Targets received emails crafted to appear as communication from a legitimate research organization, containing encrypted archives. Notably, the current year serves as the password to these archives, which include multiple shortcut files (.lnk). When opened, these shortcuts enable the automatic download and installation of the backdoor.",
          "modified": "2026-03-28T19:18:27.999000",
          "created": "2026-02-26T19:56:19.108000",
          "tags": [
            "head mare",
            "phantomcore",
            "powershell",
            "ssh",
            "redacted",
            "c powershell",
            "hkcrclsid",
            "inprocserver32",
            "default",
            "force path",
            "destinationpath",
            "daily tn",
            "golang",
            "mare"
          ],
          "references": [
            "https://securelist.ru/head-mare-new-campaign/114892/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036.006",
              "name": "Space after Filename",
              "display_name": "T1036.006 - Space after Filename"
            },
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1090.003",
              "name": "Multi-hop Proxy",
              "display_name": "T1090.003 - Multi-hop Proxy"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 28,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 4,
            "URL": 14,
            "domain": 6
          },
          "indicator_count": 57,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 540,
          "modified_text": "63 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6993efddea42b78cb047a777",
          "name": "Twitter Feed - smica83 - 16-02-2026",
          "description": "",
          "modified": "2026-03-19T04:00:14.122000",
          "created": "2026-02-17T04:34:37.565000",
          "tags": [
            "opendir"
          ],
          "references": [
            "https://x.com/smica83/status/2023388717508088301",
            "https://x.com/smica83/status/2023439423892058608",
            "https://x.com/smica83/status/2023440487030681633",
            "https://x.com/smica83/status/2023441052850606537",
            "https://x.com/smica83/status/2023453372125180162",
            "https://x.com/smica83/status/2023454582794580164",
            "https://x.com/smica83/status/2023508618285641940"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 7,
            "hostname": 4,
            "domain": 1
          },
          "indicator_count": 12,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1622,
          "modified_text": "73 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://x.com/smica83/status/2023508618285641940",
        "https://x.com/smica83/status/2023453372125180162",
        "https://securelist.ru/head-mare-new-campaign/114892/",
        "https://x.com/smica83/status/2023388717508088301",
        "https://x.com/smica83/status/2023454582794580164",
        "https://x.com/smica83/status/2023441052850606537",
        "https://x.com/smica83/status/2023440487030681633",
        "https://ptsecurity.com/research/pt-esc-threat-intelligence/hiding-in-plain-sight-how-phantomcore-masks-its-activity-with-legitimate-tools/",
        "https://x.com/smica83/status/2023439423892058608",
        "IOCs.2026.csv"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "Contagious Interview Campaign, Triton fork campaign, CRESCENTHARVEST, MIMICRAT, Operation Olalampo"
          ],
          "malware_families": [
            "Ps.phatnomlatch",
            "Win64.phantomsscp"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 7,
  "pulses": [
    {
      "id": "69f340364397310a3917b55d",
      "name": "Hiding in plain sight: How PhantomCore disguises its activity with legitimate tools",
      "description": "PhantomCore, a prolific cyber threat actor group active in the Russian cyber landscape, has increasingly targeted TrueConf video conferencing servers since September 2025. They exploit a series of vulnerabilities in TrueConf to gain initial access, specifically vulnerabilities associated with remote command execution. To cover their tracks and maintain persistence within compromised networks, they employ a toolkit of modified open-source utilities and their own proprietary tools, such as MacTunnelRAT and PhantomSscp, which facilitate the creation of reverse SSH tunnels and the tunneling of traffic.",
      "modified": "2026-05-30T11:33:05.564000",
      "created": "2026-04-30T11:42:46.807000",
      "tags": [
        "phantomcore",
        "pt esc",
        "lockbit",
        "positive",
        "trueconf",
        "rsocx",
        "phantomsscp",
        "mactunnelrat",
        "ps.phatnomlatch",
        "win64.phantomsscp",
        "win32.lolbin.a",
        "generic.b",
        "generic.a"
      ],
      "references": [
        "https://ptsecurity.com/research/pt-esc-threat-intelligence/hiding-in-plain-sight-how-phantomcore-masks-its-activity-with-legitimate-tools/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "PS.PhatnomLatch",
          "display_name": "PS.PhatnomLatch",
          "target": null
        },
        {
          "id": "Win64.PhantomSscp",
          "display_name": "Win64.PhantomSscp",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1039",
          "name": "Data from Network Shared Drive",
          "display_name": "T1039 - Data from Network Shared Drive"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1087",
          "name": "Account Discovery",
          "display_name": "T1087 - Account Discovery"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1136",
          "name": "Create Account",
          "display_name": "T1136 - Create Account"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1505",
          "name": "Server Software Component",
          "display_name": "T1505 - Server Software Component"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1569",
          "name": "System Services",
          "display_name": "T1569 - System Services"
        },
        {
          "id": "T1570",
          "name": "Lateral Tool Transfer",
          "display_name": "T1570 - Lateral Tool Transfer"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1572",
          "name": "Protocol Tunneling",
          "display_name": "T1572 - Protocol Tunneling"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1595",
          "name": "Active Scanning",
          "display_name": "T1595 - Active Scanning"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "URL": 8,
        "domain": 28
      },
      "indicator_count": 38,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 541,
      "modified_text": "18 hours ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69f296e6f8d22e6594cd87c2",
      "name": "dfhbdfhbfth",
      "description": "",
      "modified": "2026-05-29T23:35:16.304000",
      "created": "2026-04-29T23:40:22.053000",
      "tags": [
        "eio4"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "harshandc123",
        "id": "378589",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 95,
        "FileHash-MD5": 47,
        "FileHash-SHA1": 42,
        "FileHash-SHA256": 149,
        "URL": 1251,
        "hostname": 783
      },
      "indicator_count": 2367,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 16,
      "modified_text": "1 day ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69f29701e8ef05a0558464d1",
      "name": "dfhbdfhbfth",
      "description": "",
      "modified": "2026-05-29T23:35:16.304000",
      "created": "2026-04-29T23:40:49.785000",
      "tags": [
        "eio4"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "harshandc123",
        "id": "378589",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 95,
        "FileHash-MD5": 47,
        "FileHash-SHA1": 42,
        "FileHash-SHA256": 149,
        "URL": 1251,
        "hostname": 783
      },
      "indicator_count": 2367,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 15,
      "modified_text": "1 day ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69fd2f806b1d5401e22c357b",
      "name": "Uncovering BO Team\u2019s ZeronetKit Operations and Strategic Overlap with Head Mare",
      "description": "",
      "modified": "2026-05-08T00:34:08.145000",
      "created": "2026-05-08T00:34:08.145000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Cherryid",
        "id": "383941",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 28,
        "FileHash-SHA1": 28,
        "FileHash-SHA256": 26,
        "domain": 7
      },
      "indicator_count": 89,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 20,
      "modified_text": "23 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69a046863c1c92107079f81b",
      "name": "EbeeFeb2026 Pt5",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-03-31T06:00:59.128000",
      "created": "2026-02-26T13:11:34.763000",
      "tags": [
        "filehashsha1",
        "filehashsha256",
        "filehashmd5"
      ],
      "references": [
        "IOCs.2026.csv"
      ],
      "public": 1,
      "adversary": "Contagious Interview Campaign, Triton fork campaign, CRESCENTHARVEST, MIMICRAT, Operation Olalampo",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 78,
        "FileHash-MD5": 191,
        "FileHash-SHA1": 220,
        "FileHash-SHA256": 192,
        "CVE": 2,
        "URL": 58,
        "domain": 220
      },
      "indicator_count": 961,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 41,
      "modified_text": "60 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69a0a5632dc1f330824320c2",
      "name": "New Head Mare newsletter: the phantom contract",
      "description": "In February 2026, the hacktivist group Head Mare initiated a widespread phishing campaign utilizing a new variant of the PhantomCore backdoor, referred to as PhantomDL. Targets received emails crafted to appear as communication from a legitimate research organization, containing encrypted archives. Notably, the current year serves as the password to these archives, which include multiple shortcut files (.lnk). When opened, these shortcuts enable the automatic download and installation of the backdoor.",
      "modified": "2026-03-28T19:18:27.999000",
      "created": "2026-02-26T19:56:19.108000",
      "tags": [
        "head mare",
        "phantomcore",
        "powershell",
        "ssh",
        "redacted",
        "c powershell",
        "hkcrclsid",
        "inprocserver32",
        "default",
        "force path",
        "destinationpath",
        "daily tn",
        "golang",
        "mare"
      ],
      "references": [
        "https://securelist.ru/head-mare-new-campaign/114892/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036.006",
          "name": "Space after Filename",
          "display_name": "T1036.006 - Space after Filename"
        },
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1090.003",
          "name": "Multi-hop Proxy",
          "display_name": "T1090.003 - Multi-hop Proxy"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 28,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 4,
        "URL": 14,
        "domain": 6
      },
      "indicator_count": 57,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 540,
      "modified_text": "63 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6993efddea42b78cb047a777",
      "name": "Twitter Feed - smica83 - 16-02-2026",
      "description": "",
      "modified": "2026-03-19T04:00:14.122000",
      "created": "2026-02-17T04:34:37.565000",
      "tags": [
        "opendir"
      ],
      "references": [
        "https://x.com/smica83/status/2023388717508088301",
        "https://x.com/smica83/status/2023439423892058608",
        "https://x.com/smica83/status/2023440487030681633",
        "https://x.com/smica83/status/2023441052850606537",
        "https://x.com/smica83/status/2023453372125180162",
        "https://x.com/smica83/status/2023454582794580164",
        "https://x.com/smica83/status/2023508618285641940"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 7,
        "hostname": 4,
        "domain": 1
      },
      "indicator_count": 12,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1622,
      "modified_text": "73 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "1cbit-dev.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "1cbit-dev.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780206519.3712187
}