{ "type": "SHA256", "indicator": "2927bc31b4f8254c6b332fc03110a6373cad00ffa2ff9de427c26bb222017bb2", "general": { "sections": [ "general", "analysis" ], "type": "sha256", "type_title": "FileHash-SHA256", "indicator": "2927bc31b4f8254c6b332fc03110a6373cad00ffa2ff9de427c26bb222017bb2", "validation": [], "base_indicator": { "id": 4382267390, "indicator": "2927bc31b4f8254c6b332fc03110a6373cad00ffa2ff9de427c26bb222017bb2", "type": "FileHash-SHA256", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "6a185cd579d639bcc6ece4ac", "name": "FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch", "description": "In May 2026, threat actors exploited CVE-2026-35616, an improper access control vulnerability in FortiClient Endpoint Management Server (EMS), to bypass API authentication and execute privileged requests without credentials. Attackers leveraged trusted endpoint management infrastructure to push malicious PowerShell scripts disguised as legitimate Fortinet patches across managed endpoints. The campaign deployed EKZ Infostealer, a credential-stealing tool targeting Chrome, Firefox, and other browser credentials. The stealer extracts passwords, cookies, and autofill data, staging results locally before exfiltration via HTTP to threat-actor-controlled infrastructure. Threat actors accessed systems through Tor exit nodes, modified VPN configurations to enable script execution, and used FortiClient's own management pathways to distribute payloads fleet-wide without requiring individual endpoint compromises.", "modified": "2026-05-29T10:32:45.611000", "created": "2026-05-28T15:18:45.437000", "tags": [ "endpoint exploitation", "ekz infostealer", "forticlient ems", "vpn configuration abuse", "cve-2026-35616" ], "references": [ "https://arcticwolf.com/resources/blog/forticlient-ems-exploited-via-cve-2026-35616-to-deliver-ekz-infostealer-disguised-as-a-fortinet-patch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "EKZ Infostealer", "display_name": "EKZ Infostealer", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 2, "FileHash-SHA1": 1, "FileHash-SHA256": 5 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 386446, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6a18f8b7c7f53acc4d91ae63", "name": "IOC - FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch", "description": "In May 2026, Arctic Wolf observed a cluster of malicious activity affecting endpoints managed by FortiClient Endpoint Management Server (EMS). The malicious payload was disguised as a fake Fortinet endpoint patch, but it was actually a credential stealer.\nWe named this payload EKZ Infostealer, based on internal symbol names extracted from decrypted code. This infostealer, which primarily targets browser-based credentials, stages its harvested results in a log file and exfiltrates obtained credentials over HTTP.", "modified": "2026-05-29T02:23:51.784000", "created": "2026-05-29T02:23:51.784000", "tags": [ "note" ], "references": [ "https://arcticwolf.com/resources/blog/forticlient-ems-exploited-via-cve-2026-35616-to-deliver-ekz-infostealer-disguised-as-a-fortinet-patch/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4 }, "indicator_count": 4, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "1 day ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6a1857f373e04ee3eb746b6f", "name": "FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch - Arctic Wolf", "description": "What do you need to know about security operations and how to get them in the best possible position to protect your business from cyber attacks and breaches? and what can you learn about this new platform?", "modified": "2026-05-28T14:57:55.214000", "created": "2026-05-28T14:57:55.214000", "tags": [ "arctic wolf", "forticlient ems", "powershell", "ekz infostealer", "cve202635616", "http", "remote access", "chrome", "http post", "firefox", "wolf" ], "references": [ "https://arcticwolf.com/resources/blog/forticlient-ems-exploited-via-cve-2026-35616-to-deliver-ekz-infostealer-disguised-as-a-fortinet-patch/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "EKZ Infostealer", "display_name": "EKZ Infostealer", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 2, "FileHash-SHA1": 1, "FileHash-SHA256": 5, "IPv4": 3 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "2 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6a1857d668a9adf54a546ab7", "name": "FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch - Arctic Wolf", "description": "What do you need to know about security operations and how to get them in the best possible position to protect your business from cyber attacks and breaches? and what can you learn about this new platform?", "modified": "2026-05-28T14:57:26.726000", "created": "2026-05-28T14:57:26.726000", "tags": [ "arctic wolf", "forticlient ems", "powershell", "ekz infostealer", "cve202635616", "http", "remote access", "chrome", "http post", "firefox", "wolf" ], "references": [ "https://arcticwolf.com/resources/blog/forticlient-ems-exploited-via-cve-2026-35616-to-deliver-ekz-infostealer-disguised-as-a-fortinet-patch/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "EKZ Infostealer", "display_name": "EKZ Infostealer", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 2, "FileHash-SHA1": 1, "FileHash-SHA256": 5, "IPv4": 3 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "2 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6a1857d605f28d9d9d177943", "name": "FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch - Arctic Wolf", "description": "What do you need to know about security operations and how to get them in the best possible position to protect your business from cyber attacks and breaches? and what can you learn about this new platform?", "modified": "2026-05-28T14:57:26.543000", "created": "2026-05-28T14:57:26.543000", "tags": [ "arctic wolf", "forticlient ems", "powershell", "ekz infostealer", "cve202635616", "http", "remote access", "chrome", "http post", "firefox", "wolf" ], "references": [ "https://arcticwolf.com/resources/blog/forticlient-ems-exploited-via-cve-2026-35616-to-deliver-ekz-infostealer-disguised-as-a-fortinet-patch/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "EKZ Infostealer", "display_name": "EKZ Infostealer", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 2, "FileHash-SHA1": 1, "FileHash-SHA256": 5, "IPv4": 3 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "2 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 } ], "references": [ "https://arcticwolf.com/resources/blog/forticlient-ems-exploited-via-cve-2026-35616-to-deliver-ekz-infostealer-disguised-as-a-fortinet-patch", "https://arcticwolf.com/resources/blog/forticlient-ems-exploited-via-cve-2026-35616-to-deliver-ekz-infostealer-disguised-as-a-fortinet-patch/" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Ekz infostealer" ], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Ekz infostealer" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "6a185cd579d639bcc6ece4ac", "name": "FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch", "description": "In May 2026, threat actors exploited CVE-2026-35616, an improper access control vulnerability in FortiClient Endpoint Management Server (EMS), to bypass API authentication and execute privileged requests without credentials. Attackers leveraged trusted endpoint management infrastructure to push malicious PowerShell scripts disguised as legitimate Fortinet patches across managed endpoints. The campaign deployed EKZ Infostealer, a credential-stealing tool targeting Chrome, Firefox, and other browser credentials. The stealer extracts passwords, cookies, and autofill data, staging results locally before exfiltration via HTTP to threat-actor-controlled infrastructure. Threat actors accessed systems through Tor exit nodes, modified VPN configurations to enable script execution, and used FortiClient's own management pathways to distribute payloads fleet-wide without requiring individual endpoint compromises.", "modified": "2026-05-29T10:32:45.611000", "created": "2026-05-28T15:18:45.437000", "tags": [ "endpoint exploitation", "ekz infostealer", "forticlient ems", "vpn configuration abuse", "cve-2026-35616" ], "references": [ "https://arcticwolf.com/resources/blog/forticlient-ems-exploited-via-cve-2026-35616-to-deliver-ekz-infostealer-disguised-as-a-fortinet-patch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "EKZ Infostealer", "display_name": "EKZ Infostealer", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 2, "FileHash-SHA1": 1, "FileHash-SHA256": 5 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 386446, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6a18f8b7c7f53acc4d91ae63", "name": "IOC - FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch", "description": "In May 2026, Arctic Wolf observed a cluster of malicious activity affecting endpoints managed by FortiClient Endpoint Management Server (EMS). The malicious payload was disguised as a fake Fortinet endpoint patch, but it was actually a credential stealer.\nWe named this payload EKZ Infostealer, based on internal symbol names extracted from decrypted code. This infostealer, which primarily targets browser-based credentials, stages its harvested results in a log file and exfiltrates obtained credentials over HTTP.", "modified": "2026-05-29T02:23:51.784000", "created": "2026-05-29T02:23:51.784000", "tags": [ "note" ], "references": [ "https://arcticwolf.com/resources/blog/forticlient-ems-exploited-via-cve-2026-35616-to-deliver-ekz-infostealer-disguised-as-a-fortinet-patch/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4 }, "indicator_count": 4, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "1 day ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6a1857f373e04ee3eb746b6f", "name": "FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch - Arctic Wolf", "description": "What do you need to know about security operations and how to get them in the best possible position to protect your business from cyber attacks and breaches? and what can you learn about this new platform?", "modified": "2026-05-28T14:57:55.214000", "created": "2026-05-28T14:57:55.214000", "tags": [ "arctic wolf", "forticlient ems", "powershell", "ekz infostealer", "cve202635616", "http", "remote access", "chrome", "http post", "firefox", "wolf" ], "references": [ "https://arcticwolf.com/resources/blog/forticlient-ems-exploited-via-cve-2026-35616-to-deliver-ekz-infostealer-disguised-as-a-fortinet-patch/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "EKZ Infostealer", "display_name": "EKZ Infostealer", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 2, "FileHash-SHA1": 1, "FileHash-SHA256": 5, "IPv4": 3 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "2 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6a1857d668a9adf54a546ab7", "name": "FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch - Arctic Wolf", "description": "What do you need to know about security operations and how to get them in the best possible position to protect your business from cyber attacks and breaches? and what can you learn about this new platform?", "modified": "2026-05-28T14:57:26.726000", "created": "2026-05-28T14:57:26.726000", "tags": [ "arctic wolf", "forticlient ems", "powershell", "ekz infostealer", "cve202635616", "http", "remote access", "chrome", "http post", "firefox", "wolf" ], "references": [ "https://arcticwolf.com/resources/blog/forticlient-ems-exploited-via-cve-2026-35616-to-deliver-ekz-infostealer-disguised-as-a-fortinet-patch/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "EKZ Infostealer", "display_name": "EKZ Infostealer", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 2, "FileHash-SHA1": 1, "FileHash-SHA256": 5, "IPv4": 3 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "2 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6a1857d605f28d9d9d177943", "name": "FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch - Arctic Wolf", "description": "What do you need to know about security operations and how to get them in the best possible position to protect your business from cyber attacks and breaches? and what can you learn about this new platform?", "modified": "2026-05-28T14:57:26.543000", "created": "2026-05-28T14:57:26.543000", "tags": [ "arctic wolf", "forticlient ems", "powershell", "ekz infostealer", "cve202635616", "http", "remote access", "chrome", "http post", "firefox", "wolf" ], "references": [ "https://arcticwolf.com/resources/blog/forticlient-ems-exploited-via-cve-2026-35616-to-deliver-ekz-infostealer-disguised-as-a-fortinet-patch/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "EKZ Infostealer", "display_name": "EKZ Infostealer", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 2, "FileHash-SHA1": 1, "FileHash-SHA256": 5, "IPv4": 3 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "2 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "2927bc31b4f8254c6b332fc03110a6373cad00ffa2ff9de427c26bb222017bb2", "type": "Hash" }, "abuseipdb": null, "urlhaus": { "indicator": "2927bc31b4f8254c6b332fc03110a6373cad00ffa2ff9de427c26bb222017bb2", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780169994.6317797 }