{ "type": "Domain", "indicator": "1jabber.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/1jabber.com", "alexa": "http://www.alexa.com/siteinfo/1jabber.com", "indicator": "1jabber.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4370487421, "indicator": "1jabber.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 1, "pulses": [ { "id": "6a0f0edd94599950291f3d18", "name": "First VPN Service Infrastructure Used by Ransomware Operators", "description": "This pulse contains indicators of compromise (IOCs) associated with the \u201cFirst VPN Service,\u201d a provider leveraged by multiple ransomware groups for anonymization, reconnaissance, and intrusion activities.\n\nAccording to an FBI FLASH report (May 21, 2026), this VPN infrastructure has been used by at least 25 ransomware groups to conduct scanning, brute-force attempts, and unauthorized network access. The service includes globally distributed exit nodes and supports protocols designed to mask malicious traffic as legitimate HTTPS activity.\n\nThe included indicators (domains, IP addresses, and communication channels) represent historically observed infrastructure tied to this activity and should be validated with additional telemetry due to possible reassignment over time.", "modified": "2026-05-21T13:55:39.928000", "created": "2026-05-21T13:55:39.928000", "tags": [ "fvpns https", "vpn", "anonymization", "ransomware", "c2", "proxy", "threat-infrastructure", "fbi-flash", "firstvpn" ], "references": [ "alienvault_first_vpn_iocs.txt" ], "public": 1, "adversary": "Multiple ransomware groups (including Avaddon and affiliates)", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Avaddon", "display_name": "Avaddon", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" } ], "industries": [ "Government", "Financial Services", "Healthcare", "Technology", "Energy" ], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Rokalien77", "id": "207164", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 43, "domain": 4 }, "indicator_count": 47, "is_author": false, "is_subscribing": null, "subscriber_count": 22, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "alienvault_first_vpn_iocs.txt" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Multiple ransomware groups (including Avaddon and affiliates)" ], "malware_families": [ "Avaddon" ], "industries": [ "Energy", "Healthcare", "Technology", "Financial services", "Government" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "6a0f0edd94599950291f3d18", "name": "First VPN Service Infrastructure Used by Ransomware Operators", "description": "This pulse contains indicators of compromise (IOCs) associated with the \u201cFirst VPN Service,\u201d a provider leveraged by multiple ransomware groups for anonymization, reconnaissance, and intrusion activities.\n\nAccording to an FBI FLASH report (May 21, 2026), this VPN infrastructure has been used by at least 25 ransomware groups to conduct scanning, brute-force attempts, and unauthorized network access. The service includes globally distributed exit nodes and supports protocols designed to mask malicious traffic as legitimate HTTPS activity.\n\nThe included indicators (domains, IP addresses, and communication channels) represent historically observed infrastructure tied to this activity and should be validated with additional telemetry due to possible reassignment over time.", "modified": "2026-05-21T13:55:39.928000", "created": "2026-05-21T13:55:39.928000", "tags": [ "fvpns https", "vpn", "anonymization", "ransomware", "c2", "proxy", "threat-infrastructure", "fbi-flash", "firstvpn" ], "references": [ "alienvault_first_vpn_iocs.txt" ], "public": 1, "adversary": "Multiple ransomware groups (including Avaddon and affiliates)", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Avaddon", "display_name": "Avaddon", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" } ], "industries": [ "Government", "Financial Services", "Healthcare", "Technology", "Energy" ], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Rokalien77", "id": "207164", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 43, "domain": 4 }, "indicator_count": 47, "is_author": false, "is_subscribing": null, "subscriber_count": 22, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "1jabber.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "1jabber.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780182021.4306188 }