{
  "type": "MD5",
  "indicator": "1d1f71936db05f67765f442feb95f3fd",
  "general": {
    "sections": [
      "general",
      "analysis"
    ],
    "type": "md5",
    "type_title": "FileHash-MD5",
    "indicator": "1d1f71936db05f67765f442feb95f3fd",
    "validation": [],
    "base_indicator": {
      "id": 4241100602,
      "indicator": "1d1f71936db05f67765f442feb95f3fd",
      "type": "FileHash-MD5",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 5,
      "pulses": [
        {
          "id": "69f3241b2759ee934874df9f",
          "name": "Silver Fox uses the new ABCDoor backdoor to target organizations in Russia and India",
          "description": "The Silver Fox threat group conducted phishing campaigns in December 2025 and January 2026, impersonating tax authorities in India and Russia. Malicious emails contained archives with a modified Rust-based RustSL loader that deployed the ValleyRAT backdoor. Over 1600 malicious emails targeted organizations across the industrial, consulting, retail, and transportation sectors. During the investigation, a previously undocumented Python-based backdoor named ABCDoor, active since late 2024, was discovered. The attacks utilized multi-stage infection chains involving encrypted payloads, custom ValleyRAT modules, and various persistence mechanisms, including the Phantom Persistence technique. ABCDoor features remote control capabilities, screen broadcasting using ffmpeg, and file manipulation functions. The group employed sophisticated evasion techniques, including geofencing, string encryption, and mimicking legitimate VPN services.",
          "modified": "2026-05-30T09:04:01.553000",
          "created": "2026-04-30T09:42:51.123000",
          "tags": [
            "python backdoor",
            "silver fox",
            "winos 4.0",
            "valleyrat",
            "ABCDoor"
          ],
          "references": [
            "https://securelist.com/silver-fox-tax-notification-campaign/119575/"
          ],
          "public": 1,
          "adversary": "Silver Fox",
          "targeted_countries": [
            "British Indian Ocean Territory",
            "India",
            "Indonesia",
            "Japan",
            "Russian Federation",
            "South Africa"
          ],
          "malware_families": [
            {
              "id": "ABCDoor",
              "display_name": "ABCDoor",
              "target": null
            },
            {
              "id": "ValleyRAT",
              "display_name": "ValleyRAT",
              "target": null
            },
            {
              "id": "RustSL",
              "display_name": "RustSL",
              "target": null
            },
            {
              "id": "Winos 4.0",
              "display_name": "Winos 4.0",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            },
            {
              "id": "T1115",
              "name": "Clipboard Data",
              "display_name": "T1115 - Clipboard Data"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1070.004",
              "name": "File Deletion",
              "display_name": "T1070.004 - File Deletion"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            }
          ],
          "industries": [
            "Manufacturing",
            "Retail",
            "Transportation"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 13,
            "FileHash-MD5": 72,
            "FileHash-SHA1": 21,
            "FileHash-SHA256": 21,
            "domain": 8,
            "hostname": 9
          },
          "indicator_count": 144,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386442,
          "modified_text": "9 hours ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "69faa5ac2f35f2ba145bf544",
          "name": "IOC - Silver Fox uses the new ABCDoor backdoor to target organizations in Russia and India",
          "description": "",
          "modified": "2026-05-30T09:04:01.553000",
          "created": "2026-05-06T02:21:32.241000",
          "tags": [
            "python backdoor",
            "silver fox",
            "winos 4.0",
            "valleyrat",
            "ABCDoor"
          ],
          "references": [
            "https://securelist.com/silver-fox-tax-notification-campaign/119575/"
          ],
          "public": 1,
          "adversary": "Silver Fox",
          "targeted_countries": [
            "British Indian Ocean Territory",
            "India",
            "Indonesia",
            "Japan",
            "Russian Federation",
            "South Africa"
          ],
          "malware_families": [
            {
              "id": "ABCDoor",
              "display_name": "ABCDoor",
              "target": null
            },
            {
              "id": "ValleyRAT",
              "display_name": "ValleyRAT",
              "target": null
            },
            {
              "id": "RustSL",
              "display_name": "RustSL",
              "target": null
            },
            {
              "id": "Winos 4.0",
              "display_name": "Winos 4.0",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            },
            {
              "id": "T1115",
              "name": "Clipboard Data",
              "display_name": "T1115 - Clipboard Data"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1219",
              "name": "Remote Access Software",
              "display_name": "T1219 - Remote Access Software"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1070.004",
              "name": "File Deletion",
              "display_name": "T1070.004 - File Deletion"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            }
          ],
          "industries": [
            "Manufacturing",
            "Retail",
            "Transportation"
          ],
          "TLP": "white",
          "cloned_from": "69f3241b2759ee934874df9f",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 13,
            "FileHash-MD5": 72,
            "FileHash-SHA1": 21,
            "FileHash-SHA256": 21,
            "domain": 8,
            "hostname": 9
          },
          "indicator_count": 144,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 139,
          "modified_text": "9 hours ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f91415461df47226894741",
          "name": "ugugyguguguyguyguyguyguyguyguyg",
          "description": "The full text of this article, published on Wednesday, is subject to copyright and will not be published again until after the end of the year, but it is possible to find a link.",
          "modified": "2026-05-04T21:48:05.343000",
          "created": "2026-05-04T21:48:05.343000",
          "tags": [
            "indicator name"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "MohammedRizwan2001",
            "id": "361933",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 49,
            "FileHash-MD5": 32,
            "FileHash-SHA1": 31,
            "FileHash-SHA256": 75,
            "URL": 38,
            "domain": 38,
            "hostname": 286
          },
          "indicator_count": 549,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 20,
          "modified_text": "25 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-SHA256",
          "related_indicator_is_active": 1
        },
        {
          "id": "69a8a2ba0be790cc89f16a8e",
          "name": "Nueva actividad por parte de RustyStealer 04/03/2026",
          "description": "RustyStealer es un tipo de software malicioso dise\u00f1ado para robar datos. Una vez que infecta un dispositivo, empieza a recopilar informaci\u00f3n como detalles del hardware, versi\u00f3n del sistema operativo, nombre de usuario e IP. Tambi\u00e9n puede extraer datos de aplicaciones instaladas, como navegadores, clientes de correo electr\u00f3nico y billeteras de criptomonedas, incluyendo historiales de navegaci\u00f3n, credenciales de inicio de sesi\u00f3n y datos bancarios. RustyStealer puede tener capacidades adicionales da\u00f1inas, como registrar pulsaciones de teclas y tomar capturas de pantalla. La presencia de este malware puede resultar en serios problemas de privacidad, p\u00e9rdidas financieras y robo de identidad.",
          "modified": "2026-03-04T21:23:06.291000",
          "created": "2026-03-04T21:23:06.291000",
          "tags": [],
          "references": [
            "https://darfe.es/ciberwiki/index.php?title=Rusty_Stealer"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "eduarvivas",
            "id": "372481",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 40,
            "FileHash-SHA1": 23,
            "FileHash-SHA256": 23
          },
          "indicator_count": 86,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 18,
          "modified_text": "86 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-SHA1",
          "related_indicator_is_active": 1
        },
        {
          "id": "69769f4f4c874688488f0c91",
          "name": "ipwhois",
          "description": "",
          "modified": "2026-02-24T22:03:54.309000",
          "created": "2026-01-25T22:55:11.049000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 15,
            "FileHash-SHA1": 14,
            "FileHash-SHA256": 188,
            "URL": 32,
            "hostname": 1
          },
          "indicator_count": 250,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 183,
          "modified_text": "94 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-SHA256",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://darfe.es/ciberwiki/index.php?title=Rusty_Stealer",
        "https://securelist.com/silver-fox-tax-notification-campaign/119575/"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Silver Fox"
          ],
          "malware_families": [
            "Winos 4.0",
            "Abcdoor",
            "Valleyrat",
            "Rustsl"
          ],
          "industries": [
            "Transportation",
            "Manufacturing",
            "Retail"
          ]
        },
        "other": {
          "adversary": [
            "Silver Fox"
          ],
          "malware_families": [
            "Winos 4.0",
            "Abcdoor",
            "Valleyrat",
            "Rustsl"
          ],
          "industries": [
            "Transportation",
            "Manufacturing",
            "Retail"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 5,
  "pulses": [
    {
      "id": "69f3241b2759ee934874df9f",
      "name": "Silver Fox uses the new ABCDoor backdoor to target organizations in Russia and India",
      "description": "The Silver Fox threat group conducted phishing campaigns in December 2025 and January 2026, impersonating tax authorities in India and Russia. Malicious emails contained archives with a modified Rust-based RustSL loader that deployed the ValleyRAT backdoor. Over 1600 malicious emails targeted organizations across the industrial, consulting, retail, and transportation sectors. During the investigation, a previously undocumented Python-based backdoor named ABCDoor, active since late 2024, was discovered. The attacks utilized multi-stage infection chains involving encrypted payloads, custom ValleyRAT modules, and various persistence mechanisms, including the Phantom Persistence technique. ABCDoor features remote control capabilities, screen broadcasting using ffmpeg, and file manipulation functions. The group employed sophisticated evasion techniques, including geofencing, string encryption, and mimicking legitimate VPN services.",
      "modified": "2026-05-30T09:04:01.553000",
      "created": "2026-04-30T09:42:51.123000",
      "tags": [
        "python backdoor",
        "silver fox",
        "winos 4.0",
        "valleyrat",
        "ABCDoor"
      ],
      "references": [
        "https://securelist.com/silver-fox-tax-notification-campaign/119575/"
      ],
      "public": 1,
      "adversary": "Silver Fox",
      "targeted_countries": [
        "British Indian Ocean Territory",
        "India",
        "Indonesia",
        "Japan",
        "Russian Federation",
        "South Africa"
      ],
      "malware_families": [
        {
          "id": "ABCDoor",
          "display_name": "ABCDoor",
          "target": null
        },
        {
          "id": "ValleyRAT",
          "display_name": "ValleyRAT",
          "target": null
        },
        {
          "id": "RustSL",
          "display_name": "RustSL",
          "target": null
        },
        {
          "id": "Winos 4.0",
          "display_name": "Winos 4.0",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        },
        {
          "id": "T1115",
          "name": "Clipboard Data",
          "display_name": "T1115 - Clipboard Data"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1070.004",
          "name": "File Deletion",
          "display_name": "T1070.004 - File Deletion"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        }
      ],
      "industries": [
        "Manufacturing",
        "Retail",
        "Transportation"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 13,
        "FileHash-MD5": 72,
        "FileHash-SHA1": 21,
        "FileHash-SHA256": 21,
        "domain": 8,
        "hostname": 9
      },
      "indicator_count": 144,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386442,
      "modified_text": "9 hours ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-MD5",
      "related_indicator_is_active": 1
    },
    {
      "id": "69faa5ac2f35f2ba145bf544",
      "name": "IOC - Silver Fox uses the new ABCDoor backdoor to target organizations in Russia and India",
      "description": "",
      "modified": "2026-05-30T09:04:01.553000",
      "created": "2026-05-06T02:21:32.241000",
      "tags": [
        "python backdoor",
        "silver fox",
        "winos 4.0",
        "valleyrat",
        "ABCDoor"
      ],
      "references": [
        "https://securelist.com/silver-fox-tax-notification-campaign/119575/"
      ],
      "public": 1,
      "adversary": "Silver Fox",
      "targeted_countries": [
        "British Indian Ocean Territory",
        "India",
        "Indonesia",
        "Japan",
        "Russian Federation",
        "South Africa"
      ],
      "malware_families": [
        {
          "id": "ABCDoor",
          "display_name": "ABCDoor",
          "target": null
        },
        {
          "id": "ValleyRAT",
          "display_name": "ValleyRAT",
          "target": null
        },
        {
          "id": "RustSL",
          "display_name": "RustSL",
          "target": null
        },
        {
          "id": "Winos 4.0",
          "display_name": "Winos 4.0",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        },
        {
          "id": "T1115",
          "name": "Clipboard Data",
          "display_name": "T1115 - Clipboard Data"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1219",
          "name": "Remote Access Software",
          "display_name": "T1219 - Remote Access Software"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1070.004",
          "name": "File Deletion",
          "display_name": "T1070.004 - File Deletion"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        }
      ],
      "industries": [
        "Manufacturing",
        "Retail",
        "Transportation"
      ],
      "TLP": "white",
      "cloned_from": "69f3241b2759ee934874df9f",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 13,
        "FileHash-MD5": 72,
        "FileHash-SHA1": 21,
        "FileHash-SHA256": 21,
        "domain": 8,
        "hostname": 9
      },
      "indicator_count": 144,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 139,
      "modified_text": "9 hours ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-MD5",
      "related_indicator_is_active": 1
    },
    {
      "id": "69f91415461df47226894741",
      "name": "ugugyguguguyguyguyguyguyguyguyg",
      "description": "The full text of this article, published on Wednesday, is subject to copyright and will not be published again until after the end of the year, but it is possible to find a link.",
      "modified": "2026-05-04T21:48:05.343000",
      "created": "2026-05-04T21:48:05.343000",
      "tags": [
        "indicator name"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "MohammedRizwan2001",
        "id": "361933",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 49,
        "FileHash-MD5": 32,
        "FileHash-SHA1": 31,
        "FileHash-SHA256": 75,
        "URL": 38,
        "domain": 38,
        "hostname": 286
      },
      "indicator_count": 549,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 20,
      "modified_text": "25 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-SHA256",
      "related_indicator_is_active": 1
    },
    {
      "id": "69a8a2ba0be790cc89f16a8e",
      "name": "Nueva actividad por parte de RustyStealer 04/03/2026",
      "description": "RustyStealer es un tipo de software malicioso dise\u00f1ado para robar datos. Una vez que infecta un dispositivo, empieza a recopilar informaci\u00f3n como detalles del hardware, versi\u00f3n del sistema operativo, nombre de usuario e IP. Tambi\u00e9n puede extraer datos de aplicaciones instaladas, como navegadores, clientes de correo electr\u00f3nico y billeteras de criptomonedas, incluyendo historiales de navegaci\u00f3n, credenciales de inicio de sesi\u00f3n y datos bancarios. RustyStealer puede tener capacidades adicionales da\u00f1inas, como registrar pulsaciones de teclas y tomar capturas de pantalla. La presencia de este malware puede resultar en serios problemas de privacidad, p\u00e9rdidas financieras y robo de identidad.",
      "modified": "2026-03-04T21:23:06.291000",
      "created": "2026-03-04T21:23:06.291000",
      "tags": [],
      "references": [
        "https://darfe.es/ciberwiki/index.php?title=Rusty_Stealer"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "eduarvivas",
        "id": "372481",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 40,
        "FileHash-SHA1": 23,
        "FileHash-SHA256": 23
      },
      "indicator_count": 86,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 18,
      "modified_text": "86 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-SHA1",
      "related_indicator_is_active": 1
    },
    {
      "id": "69769f4f4c874688488f0c91",
      "name": "ipwhois",
      "description": "",
      "modified": "2026-02-24T22:03:54.309000",
      "created": "2026-01-25T22:55:11.049000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "skocherhan",
        "id": "249290",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 15,
        "FileHash-SHA1": 14,
        "FileHash-SHA256": 188,
        "URL": 32,
        "hostname": 1
      },
      "indicator_count": 250,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 183,
      "modified_text": "94 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-SHA256",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "1d1f71936db05f67765f442feb95f3fd",
    "type": "Hash"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "1d1f71936db05f67765f442feb95f3fd",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780165553.7052279
}