{ "type": "Domain", "indicator": "2fgithub.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/2fgithub.com", "alexa": "http://www.alexa.com/siteinfo/2fgithub.com", "indicator": "2fgithub.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2985460978, "indicator": "2fgithub.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 50, "pulses": [ { "id": "697b96e2955f456977e00c46", "name": "Dissecting UAT-8099: New persistence mechanisms and regional focus", "description": "UAT-8099, a threat actor targeting vulnerable IIS servers across Asia, has launched a new campaign from late 2025 to early 2026. The group's tactics have evolved, focusing on Thailand and Vietnam, and employing web shells, PowerShell scripts, and the GotoHTTP tool for remote access. New variants of BadIIS malware now include region-specific features, with separate versions targeting Vietnam and Thailand. The actor has expanded their toolkit to include utilities for log removal, file protection, and anti-rootkit capabilities. They've also adapted their persistence methods, creating hidden user accounts and leveraging legitimate tools to evade detection. The campaign demonstrates significant operational overlaps with the WEBJACK campaign, including shared malware hashes, C2 infrastructure, and victimology.", "modified": "2026-02-09T21:41:54.376000", "created": "2026-01-29T17:20:34.042000", "tags": [ "seo fraud", "vietnam", "persistence", "badiis", "thailand", "asia", "gotohttp", "iis" ], "references": [ "https://blog.talosintelligence.com/uat-8099-new-persistence-mechanisms-and-regional-focus/" ], "public": 1, "adversary": "UAT-8099", "targeted_countries": [ "British Indian Ocean Territory", "India", "Japan", "Pakistan", "Thailand" ], "malware_families": [ { "id": "BadIIS", "display_name": "BadIIS", "target": null }, { "id": "GotoHTTP", "display_name": "GotoHTTP", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 13, "FileHash-SHA1": 15, "FileHash-SHA256": 46, "URL": 27, "domain": 1, "hostname": 17 }, "indicator_count": 119, "is_author": false, "is_subscribing": null, "subscriber_count": 377569, "modified_text": "69 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697b57759a314f33d84f3b73", "name": "Dissecting UAT-8099: New persistence mechanisms and regional focus", "description": "UAT-8099's latest campaign from August 2025 to early 2026 targets vulnerable IIS servers across Asia, focusing on Thailand and Vietnam. The threat actor employs web shells, PowerShell scripts, and the GotoHTTP tool for remote access. New BadIIS variants are customized for specific regions, with enhanced persistence mechanisms and SEO fraud tactics. The malware now includes features like hardcoded target regions, exclusive file extensions, and the ability to load HTML templates. A Linux ELF variant of BadIIS was also identified. The campaign shows significant operational overlaps with the WEBJACK campaign, including shared malware hashes, C2 infrastructure, and victimology.", "modified": "2026-01-29T16:23:12.314000", "created": "2026-01-29T12:49:57.943000", "tags": [ "persistence", "web shells", "asia", "gotohttp", "badiis", "seo fraud", "iis", "powershell", "regional targeting" ], "references": [ "https://blog.talosintelligence.com/uat-8099-new-persistence-mechanisms-and-regional-focus" ], "public": 1, "adversary": "UAT-8099", "targeted_countries": [ "British Indian Ocean Territory", "India", "Japan", "Pakistan", "Thailand" ], "malware_families": [ { "id": "BadIIS", "display_name": "BadIIS", "target": null }, { "id": "GotoHTTP", "display_name": "GotoHTTP", "target": null } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1070.001", "name": "Clear Windows Event Logs", "display_name": "T1070.001 - Clear Windows Event Logs" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1056.004", "name": "Credential API Hooking", "display_name": "T1056.004 - Credential API Hooking" } ], "industries": [ "Government", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 13, "FileHash-SHA1": 15, "FileHash-SHA256": 46, "URL": 27, "domain": 1, "hostname": 17 }, "indicator_count": 119, "is_author": false, "is_subscribing": null, "subscriber_count": 377570, "modified_text": "80 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68de952252a07c88093c6fb4", "name": "UAT-8099: Chinese-speaking cybercrime group targets high-value IIS for SEO fraud", "description": "A Chinese-speaking cybercrime group, UAT-8099, is targeting high-value Internet Information Services (IIS) servers for search engine optimization fraud and data theft. The group focuses on reputable servers in India, Thailand, Vietnam, Canada, and Brazil, affecting universities, tech firms, and telecom providers. UAT-8099 uses web shells, hacking tools, Cobalt Strike, and BadIIS malware to manipulate search rankings and maintain persistence. They exploit weak file upload settings, enable guest accounts, and use RDP for access. The group also steals valuable credentials, configuration files, and certificates. New BadIIS variants with low detection rates and Chinese debug strings have been identified. The attackers employ SEO techniques like backlinking and inject malicious JavaScript to redirect users to fraudulent websites.", "modified": "2025-11-01T15:00:08.406000", "created": "2025-10-02T15:07:14.573000", "tags": [ "chinese-speaking", "web shells", "data theft", "seo fraud", "badiis", "cybercrime", "iis servers", "cobalt strike" ], "references": [ "https://blog.talosintelligence.com/uat-8099-chinese-speaking-cybercrime-group-seo-fraud/", "https://github.com/Cisco-Talos/IOCs/blob/main/2025/09/uat-8099-chinese-speaking-cybercrime-group-seo-fraud.txt" ], "public": 1, "adversary": "UAT-8099", "targeted_countries": [ "Brazil", "British Indian Ocean Territory", "Canada", "India", "Thailand" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1136.001", "name": "Local Account", "display_name": "T1136.001 - Local Account" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" } ], "industries": [ "Education", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 3, "FileHash-SHA256": 44, "domain": 3, "hostname": 29 }, "indicator_count": 80, "is_author": false, "is_subscribing": null, "subscriber_count": 377570, "modified_text": "169 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68d6996d3fa5189b9e5bce76", "name": "IOCs for phishing campaign using BitM pages", "description": "This intelligence report focuses on a phishing campaign that utilizes Browser-in-the-Middle (BitM) pages. The campaign likely involves sophisticated tactics to intercept and manipulate browser traffic, potentially allowing attackers to harvest credentials or inject malicious content. While specific details are not provided, the use of BitM techniques suggests a high level of technical sophistication and a targeted approach to compromising user data. The report appears to include Indicators of Compromise (IOCs) related to this campaign, which could be crucial for detecting and mitigating the threat.", "modified": "2025-10-26T13:04:29.817000", "created": "2025-09-26T13:47:25.539000", "tags": [ "browser-in-the-middle", "phishing", "bitm" ], "references": [ "https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-09-23-IOCs-for-phishing-campaign-using-BitM-pages.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1187", "name": "Forced Authentication", "display_name": "T1187 - Forced Authentication" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 2, "FileHash-SHA256": 12, "domain": 167, "hostname": 24 }, "indicator_count": 205, "is_author": false, "is_subscribing": null, "subscriber_count": 377567, "modified_text": "175 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67e6c6b5e3b5eec595438366", "name": "Gamaredon campaign abuses LNK files to distribute Remcos backdoor", "description": "A campaign targeting users in Ukraine with malicious LNK files has been observed since November 2024. The files, using Russian words related to troop movements as lures, run a PowerShell downloader contacting geo-fenced servers in Russia and Germany. The second stage payload uses DLL side loading to execute the Remcos backdoor. The activity is attributed to the Gamaredon threat actor group with medium confidence. The campaign uses the invasion of Ukraine as a theme in phishing attempts, distributing LNK files disguised as Office documents. The servers used are mostly hosted by GTHost and HyperHosting ISPs. The attack chain involves DLL sideloading to load the Remcos backdoor, which communicates with a C2 server on a specific port.", "modified": "2025-04-27T15:00:47.864000", "created": "2025-03-28T15:56:37.744000", "tags": [ "gthost", "lnk files", "phishing", "hyperhosting", "powershell", "remcos", "dll sideloading", "ukraine" ], "references": [ "https://blog.talosintelligence.com/gamaredon-campaign-distribute-remcos/" ], "public": 1, "adversary": "Gamaredon", "targeted_countries": [ "Germany", "Russian Federation", "Ukraine" ], "malware_families": [ { "id": "Remcos", "display_name": "Remcos", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [ "Government", "Defense" ], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 19, "FileHash-SHA1": 21, "FileHash-SHA256": 92, "domain": 1, "CVE": 1 }, "indicator_count": 134, "is_author": false, "is_subscribing": null, "subscriber_count": 377568, "modified_text": "357 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69ab02af1c884abf1c23a32b", "name": "New Dohdoor malware campaign targets education and health care", "description": "Talos discovered a multi-stage attack campaign targeting the victims in education and health care sectors, predominantly in the United States.", "modified": "2026-04-05T16:12:21.383000", "created": "2026-03-06T16:37:03.342000", "tags": [ "path", "span", "button", "script", "template", "link", "meta", "github", "footer", "form", "code", "close", "reload", "title", "body", "global", "write", "find", "stop", "small", "enterprise", "star", "copy", "download", "open", "main", "contact", "dohdoor" ], "references": [ "https://github.com/Cisco-Talos/IOCs/blob/main/2026/02/new-dohdoor-malware-campaign.txt", "https://blog.talosintelligence.com/new-dohdoor-malware-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "dohdoor", "display_name": "dohdoor", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AustinBH", "id": "147442", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 9, "FileHash-SHA256": 19, "URL": 3, "domain": 1, "hostname": 11 }, "indicator_count": 50, "is_author": false, "is_subscribing": null, "subscriber_count": 59, "modified_text": "14 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a5c36b78ed73550bb0bf22", "name": "by Disable_Duck", "description": "", "modified": "2026-03-04T23:37:24.208000", "created": "2026-03-02T17:05:47.288000", "tags": [ "kgs0", "kls0", "botname http", "entity", "UAlberta", "Telus", "Norton", "ffss", "Alberta", "AlbertaNDP", "InteriorHealth", "RCMP", "CrimeStoppersAB", "EdmontonPolice", "RCMP Kelowna", "RCMP AB", "TLS/SSL Crawler", "CVE-2026-24061 Attempt", "Generic IoT Default Password Attempt", "Cisco Prime Infrastructure CVE-2019-1821 RCE Attempt", "Dahua Backdoor Attempt", "ENV Crawler", "DCERPC Protocol", "Carries HTTP Referer", "GNU Inetutils Telnetd Auth Bypass", "ICMPv4 Protocol" ], "references": [ "https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark", "https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada", "https://viz.greynoise.io/ip/analysis/7e527b44-c950-4c01-bb33-d96" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Netherlands", "Panama", "Poland", "United Kingdom of Great Britain and Northern Ireland", "Slovakia", "Aruba", "Anguilla", "Australia", "Costa Rica", "Guatemala", "Mexico", "Trinidad and Tobago", "Cura\u00e7ao", "Philippines", "Virgin Islands, U.S.", "Ukraine", "Barbados", "Germany", "Sint Maarten (Dutch part)", "Argentina", "Switzerland" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Healthcare", "Government", "Technology", "Energy", "Telecommunications" ], "TLP": "white", "cloned_from": "6901363c4ce422f5caf0f72c", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3903, "FileHash-SHA1": 4967, "FileHash-SHA256": 12884, "URL": 996, "domain": 987, "hostname": 3306, "email": 4, "CVE": 1 }, "indicator_count": 27048, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "45 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6811141c708261eb22d3a773", "name": "FileScan.io feed", "description": "", "modified": "2026-03-04T22:16:29.183000", "created": "2025-04-29T18:02:04.881000", "tags": [], "references": [ "https://www.filescan.io/api/feed/reports" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 681, "BitcoinAddress": 1, "FileHash-MD5": 1595, "FileHash-SHA1": 1569, "FileHash-SHA256": 1726, "domain": 116, "email": 60, "hostname": 99 }, "indicator_count": 5847, "is_author": false, "is_subscribing": null, "subscriber_count": 178, "modified_text": "46 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6980689d04c3d0afa554c247", "name": "Copy of Proton Suite - Apple iPadOS - Drive VPN Calendar Protonmail Ubiquiti Grok - 02.02.26", "description": "Copy of Proton Suite - Apple iPadOS - Drive VPN Calendar Protonmail Ubiquiti Grok - 02.02.26", "modified": "2026-03-04T08:01:36.153000", "created": "2026-02-02T09:04:29.535000", "tags": [ "entity", "skreutzb", "kgs0", "kls0", "please", "javascript", "Proton", "Drive", "Mail", "Calendar", "VPN", "Ubiquiti", "Unifi", "Malcerts", "Certificates", "Apple", "Github", "Cocoapods" ], "references": [ "https://www.virustotal.com/graph/embed/ge36545cffdc8444caaf69c36a825639183ebd69af93f48369156f4dfc5348f8d?theme=dark", "https://www.virustotal.com/gui/collection/1a335578b9905ed48ee04a8c52890951a06a1034dc9362d3ae4e042512eeb027", "https://www.virustotal.com/gui/collection/1a335578b9905ed48ee04a8c52890951a06a1034dc9362d3ae4e042512eeb027/iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 24, "FileHash-SHA1": 20, "FileHash-SHA256": 146, "hostname": 143, "URL": 218, "domain": 35 }, "indicator_count": 586, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "46 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6901363c4ce422f5caf0f72c", "name": "Copy of DevT-OddTags-Browser-BasedOdditites - (L4ke.Aff3ct.216, 01.18.26)", "description": "Updated based on VT Graph & Tracking Spread of Cybercrime. This Pulse is mostly covering activity in the Province of Alberta Canada. Given recent news, it appears that BC Interior Health and Kelowna RCMP Detachment impacted in addition to Alberta Sectors of Education, Healthcare, and Government (Provincial & Federal - e.g. Treaty 6,7,8 as well as the Canadian CRA heavily impacted). \nEnriched a graph by vt user (L4ke.Aff3ct.216, 01.02.26)\nSubmitted IOCs to Greynoise.io (10.28.25)", "modified": "2026-02-18T05:00:41.494000", "created": "2025-10-28T21:31:40.008000", "tags": [ "kgs0", "kls0", "botname http", "entity", "UAlberta", "Telus", "Norton", "ffss", "Alberta", "AlbertaNDP", "InteriorHealth", "RCMP", "CrimeStoppersAB", "EdmontonPolice", "RCMP Kelowna", "RCMP AB" ], "references": [ "https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark", "https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Netherlands", "Panama", "Poland", "United Kingdom of Great Britain and Northern Ireland", "Slovakia", "Aruba", "Anguilla", "Australia", "Costa Rica", "Guatemala", "Mexico", "Trinidad and Tobago", "Cura\u00e7ao", "Philippines", "Virgin Islands, U.S.", "Ukraine", "Barbados", "Germany", "Sint Maarten (Dutch part)" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Healthcare", "Government", "Technology", "Energy", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3903, "FileHash-SHA1": 4967, "FileHash-SHA256": 12884, "URL": 995, "domain": 984, "hostname": 3305, "email": 4 }, "indicator_count": 27042, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69819009fa99833c36d4b0a8", "name": "IOC - Dissecting UAT-8099: New persistence mechanisms and regional focus", "description": "", "modified": "2026-02-03T06:04:57.520000", "created": "2026-02-03T06:04:57.520000", "tags": [ "seo fraud", "vietnam", "persistence", "badiis", "thailand", "asia", "gotohttp", "iis" ], "references": [ "https://blog.talosintelligence.com/uat-8099-new-persistence-mechanisms-and-regional-focus/" ], "public": 1, "adversary": "UAT-8099", "targeted_countries": [ "British Indian Ocean Territory", "India", "Japan", "Pakistan", "Thailand" ], "malware_families": [ { "id": "BadIIS", "display_name": "BadIIS", "target": null }, { "id": "GotoHTTP", "display_name": "GotoHTTP", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "697b96e2955f456977e00c46", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 13, "FileHash-SHA1": 15, "FileHash-SHA256": 46, "URL": 28, "domain": 1, "hostname": 17 }, "indicator_count": 120, "is_author": false, "is_subscribing": null, "subscriber_count": 119, "modified_text": "75 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68e35170223f7cf376fdd9f2", "name": "UAT-8099: Chinese-speaking cybercrime group targets high-value IIS for SEO fraud", "description": "", "modified": "2025-11-01T15:00:08.406000", "created": "2025-10-06T05:19:44.981000", "tags": [ "chinese-speaking", "web shells", "data theft", "seo fraud", "badiis", "cybercrime", "iis servers", "cobalt strike" ], "references": [ "https://blog.talosintelligence.com/uat-8099-chinese-speaking-cybercrime-group-seo-fraud/", "https://github.com/Cisco-Talos/IOCs/blob/main/2025/09/uat-8099-chinese-speaking-cybercrime-group-seo-fraud.txt" ], "public": 1, "adversary": "UAT-8099", "targeted_countries": [ "Brazil", "British Indian Ocean Territory", "Canada", "India", "Thailand" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1136.001", "name": "Local Account", "display_name": "T1136.001 - Local Account" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" } ], "industries": [ "Education", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": "68de952252a07c88093c6fb4", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 3, "FileHash-SHA256": 44, "domain": 3, "hostname": 29 }, "indicator_count": 80, "is_author": false, "is_subscribing": null, "subscriber_count": 264, "modified_text": "169 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68e3665d92a367b11721e4ca", "name": "UAT-8099: Chinese-speaking cybercrime group targets high-value IIS for SEO fraud", "description": "", "modified": "2025-11-01T15:00:08.406000", "created": "2025-10-06T06:49:01.227000", "tags": [ "chinese-speaking", "web shells", "data theft", "seo fraud", "badiis", "cybercrime", "iis servers", "cobalt strike" ], "references": [ "https://blog.talosintelligence.com/uat-8099-chinese-speaking-cybercrime-group-seo-fraud/", "https://github.com/Cisco-Talos/IOCs/blob/main/2025/09/uat-8099-chinese-speaking-cybercrime-group-seo-fraud.txt" ], "public": 1, "adversary": "UAT-8099", "targeted_countries": [ "Brazil", "British Indian Ocean Territory", "Canada", "India", "Thailand" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1136.001", "name": "Local Account", "display_name": "T1136.001 - Local Account" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" } ], "industries": [ "Education", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": "68de952252a07c88093c6fb4", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 3, "FileHash-SHA256": 44, "domain": 3, "hostname": 29 }, "indicator_count": 80, "is_author": false, "is_subscribing": null, "subscriber_count": 263, "modified_text": "169 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68e77a9eea0fd1b634b7b3d0", "name": "IOC&TTP - UAT-8099 Chinese-speaking cybercrime group targets high-value IIS for SEO fraud", "description": "Cisco Talos \u4e8e 2025 \u5e74 4 \u6708\u62ab\u9732\u4e86\u4e00\u4e2a\u540d\u4e3a UAT-8099 \u7684\u4e2d\u6587\u7f51\u7edc\u72af\u7f6a\u56e2\u4f19\uff0c\u5176\u4e3b\u8981\u76ee\u6807\u662f\u5229\u7528 \u9ad8\u4fe1\u8a89\u7684 IIS\uff08Internet Information Services\uff09\u670d\u52a1\u5668 \u6765\u8fdb\u884c \u641c\u7d22\u5f15\u64ce\u4f18\u5316\uff08SEO\uff09\u6b3a\u8bc8\uff0c\u5e76\u7a83\u53d6\u9ad8\u4ef7\u503c\u7684\u51ed\u8bc1\u3001\u914d\u7f6e\u6587\u4ef6\u548c\u8bc1\u4e66\u6570\u636e\u3002\n\u8be5\u7ec4\u7ec7\u901a\u8fc7\u4e0a\u4f20 Web Shell\u3001\u5f00\u542f\u5e76\u63d0\u6743\u6765\u83b7\u53d6\u7cfb\u7edf\u63a7\u5236\u6743\uff0c\u518d\u90e8\u7f72 BadIIS \u6076\u610f\u6a21\u5757\u3001Cobalt Strike \u540e\u95e8\uff0c\u4ee5\u53ca\u81ea\u5236\u81ea\u52a8\u5316\u811a\u672c\uff0c\u4ee5\u7ef4\u6301\u6301\u4e45\u8bbf\u95ee\u548c\u6267\u884c SEO \u64cd\u4f5c\u3002\n\u88ab\u653b\u51fb\u7684\u670d\u52a1\u5668\u904d\u5e03 \u5370\u5ea6\u3001\u6cf0\u56fd\u3001\u8d8a\u5357\u3001\u52a0\u62ff\u5927\u4e0e\u5df4\u897f\uff0c\u591a\u6570\u5c5e\u4e8e\u9ad8\u6821\u3001\u79d1\u6280\u516c\u53f8\u53ca\u7535\u4fe1\u670d\u52a1\u5546\u3002\u653b\u51fb\u8005\u7684\u6700\u7ec8\u76ee\u7684\u662f\u901a\u8fc7\u64cd\u7eb5 Google/Baidu \u7b49\u641c\u7d22\u7ed3\u679c\uff0c\u5c06\u7528\u6237\u91cd\u5b9a\u5411\u81f3\u8d4c\u535a\u53ca\u5e7f\u544a\u7f51\u7ad9\uff0c\u4ece\u4e2d\u725f\u5229\u3002", "modified": "2025-11-01T15:00:08.406000", "created": "2025-10-09T09:04:30.223000", "tags": [ "chinese-speaking", "web shells", "data theft", "seo fraud", "badiis", "cybercrime", "iis servers", "cobalt strike" ], "references": [ "https://blog.talosintelligence.com/uat-8099-chinese-speaking-cybercrime-group-seo-fraud/", "https://github.com/Cisco-Talos/IOCs/blob/main/2025/09/uat-8099-chinese-speaking-cybercrime-group-seo-fraud.txt" ], "public": 1, "adversary": "UAT-8099", "targeted_countries": [ "Brazil", "British Indian Ocean Territory", "Canada", "India", "Thailand" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1136.001", "name": "Local Account", "display_name": "T1136.001 - Local Account" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" } ], "industries": [ "Education", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": "68de952252a07c88093c6fb4", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 3, "FileHash-SHA256": 44, "domain": 3, "hostname": 29 }, "indicator_count": 80, "is_author": false, "is_subscribing": null, "subscriber_count": 119, "modified_text": "169 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68a34b91414b23c9019cd6f1", "name": "Malvertising campaign leads to PS1Bot, a multi-stage malware framework", "description": "Cisco Talos has been monitoring an ongoing malware campaign that has been active throughout 2025. The campaign appears to be leveraging malvertising to direct victims to a multi-stage malware framework, implemented in PowerShell and C#, that possesses robust functionality, including the ability to deliver follow-on modules including an information stealer, keylogger, screen capture collector and more. It also establishes persistence to continue operations following system reboots. The design of this malware framework appears to attempt to minimize artifacts left on infected systems by facilitating the delivery and execution of modules in-memory, without requiring them to be written to disk. Due to similarities in the design and implementation with the malware family AHK Bot, we are referring to this PowerShell-based malware as \u201cPS1Bot.\u201d", "modified": "2025-09-17T15:06:44.524000", "created": "2025-08-18T15:49:37.785000", "tags": [ "path", "link", "script", "span", "button", "template", "github", "meta", "form", "footer", "close", "code", "reload", "find", "body", "global", "write", "small", "enterprise", "star", "main", "contact" ], "references": [ "https://github.com/Cisco-Talos/IOCs/blob/main/2025/08/ps1bot-malvertising-campaign.txt", "https://blog.talosintelligence.com/ps1bot-malvertising-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "PS1Bot", "display_name": "PS1Bot", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AustinBH", "id": "147442", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 100, "FileHash-SHA1": 102, "FileHash-SHA256": 128, "URL": 9, "domain": 1 }, "indicator_count": 340, "is_author": false, "is_subscribing": null, "subscriber_count": 58, "modified_text": "214 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "660afeb0c9812049de87dec1", "name": "hxxps://github[.]com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit", "description": "hxxps://github.com/MSUDenverSystemsEngineering/Salt-Instructional-18/tree/master/AppDeployToolkit\n\nSomething I figured worth looking into - present on several University of Alberta documents on devices sampled from several labs\n\nIOCs (04.01.24): parsed using IOC parser on IOCs (behavioral) derived from: Tri.age Analysis: https://tria.ge/240401-v8bafsaf71/behavioral1 and Hybrid Analysis: http://www.hybrid-analysis.com/sample/e1a88d17a7c013cf623d01c2105e6233e2debb67a9c3fd0eb73b286091c82917/660af3e16e24fdbb100e03d9\n-IOCs submitted to URLscan.io\nUpdate: 09.27.24 -> Present in a word document on Uni Computers (All)", "modified": "2025-09-06T17:02:07.070000", "created": "2024-04-01T18:36:32.583000", "tags": [ "please", "javascript", "triage", "malware", "analysis", "report", "reported", "analyze", "sandbox", "download submit", "sha256", "sha1", "sha512", "prefetch1", "iocs", "suspicious use", "prefetch8", "ck v13", "monitor", "general", "config", "copy", "target", "score", "entity", "domain", "ipv6", "mitreatt", "macaddress", "filename" ], "references": [ "https://www.virustotal.com/gui/collection/78cac7a60cb9ea18ed98d5529491d4351d031634dfe7de0088a3054fba1e53be/iocs", "https://tria.ge/240401-v8bafsaf71/behavioral1", "https://www.virustotal.com/gui/collection/78cac7a60cb9ea18ed98d5529491d4351d031634dfe7de0088a3054fba1e53be/summary", "https://www.virustotal.com/graph/embed/g0e28b9d656774e73b987b563164f4c51556d897677ed4a78920d44a0715390e6?theme=dark", "http://www.hybrid-analysis.com/sample/e1a88d17a7c013cf623d01c2105e6233e2debb67a9c3fd0eb73b286091c82917/660af3e16e24fdbb100e03d9", "https://viz.greynoise.io/tags/georgia-tech-research-scanner?days=10", "https://www.virustotal.com/graph/embed/g4928995ad74946e184fceac08d1c9ec4b891ca72d6c84eb08fc776c915c99e60?theme=dark", "https://www.filescan.io/uploads/66f6fe25f71b9c224c13bdf7/reports/b95801f7-d70e-4cc6-b967-b1cc8ad56fc9/overview", "https://tria.ge/250807-vg754scn6t/behavioral1 - 08.07.25", "https://app.any.run/tasks/53605645-2825-4d09-95ff-183a59b25518 - 08.07.25" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [ "Education", "Technology", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 59, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 103, "FileHash-SHA1": 105, "FileHash-SHA256": 495, "URL": 613, "hostname": 109, "CVE": 4, "domain": 122, "email": 10 }, "indicator_count": 1561, "is_author": false, "is_subscribing": null, "subscriber_count": 132, "modified_text": "225 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "687a0c66014ca9fc313a16b2", "name": "MaaS operation using Emmenhtal and Amadey linked to threats against Ukrainian entities", "description": "", "modified": "2025-08-17T08:02:20.462000", "created": "2025-07-18T08:57:10.095000", "tags": [ "path", "link", "script", "span", "button", "template", "github", "meta", "form", "footer", "close", "code", "reload", "find", "body", "global", "write", "small", "enterprise", "star", "main", "contact" ], "references": [ "https://blog.talosintelligence.com/maas-operation-using-emmenhtal-and-amadey-linked-to-threats-against-ukrainian-entities/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 4, "FileHash-SHA256": 18, "URL": 4, "domain": 2 }, "indicator_count": 30, "is_author": false, "is_subscribing": null, "subscriber_count": 845, "modified_text": "245 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67df904daf96180003ff1e14", "name": "hxxps://github[.]com/Cn33liz/p0wnedShell - 07.15.25 (Un-Enriched)", "description": "Yara Rules Triggered:\n\n9b0e9dce190e3dcf83b697ba2a08c9031aa2de00a6d3a3db9c86e2a8b4bc7bc0\np0wnedShell\n\nMatches rule Base64_Encoded_URL from ruleset Base64_Encoded_URL at https://github.com/InQuest/yara-rules-vt by InQuest Labs\nThis signature fires on the presence of Base64 encoded URI prefixes (http:// and https://) across any file. The simple presence of such strings is not inherently an indicator of malicious content, but is worth further investigation. - a moment ago\n View Ruleset\nMatches rule Hacktool_Strings_p0wnedShell from ruleset gen_p0wnshell at https://github.com/Neo23x0/signature-base by Florian Roth\nDetects strings found in Runspace Post Exploitation Toolkit - a moment ago\nMatches rule p0wnedPotato from ruleset gen_p0wnshell at https://github.com/Neo23x0/signature-base by Florian Roth (Nextron Systems)\np0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPotato.cs - a moment ago", "modified": "2025-08-16T05:00:22.327000", "created": "2025-03-23T04:38:37.512000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "ansi", "prefetch8 ansi", "date", "threat level", "show process", "sha256", "hash seen", "pcap processing", "command decode", "pcap", "suspicious", "hybrid", "comspec", "close", "click", "hosts", "general", "path", "model", "strings", "contact", "threat intelligence", "feed", "ioc", "change theme", "contact us", "intelligence", "threats api", "analyze api", "overview", "threats explore", "rate limits", "stixtaxii", "bulk export", "please", "javascript", "virus", "ransomware", "static", "indicator of compromise", "extraction", "emulation", "platform", "entity", "report phishing", "suspicious urls", "error", "sorry" ], "references": [ "https://hybrid-analysis.com/sample/c801e05a1ee3423572349377ea9bdc3846b62e949611679e81c3d6cddcde77e5/67dde11e816206bd720dc9a0", "https://pulsedive.com/indicator/?iid=68355616", "https://www.virustotal.com/gui/url/bc0fe9233e19654c54cc439e9f3e06491556867cde40e25c8589dbee265f3f2f/details", "https://www.filescan.io/uploads/67df8925a175d31773454fd7/reports/d000025d-8403-4b03-8f76-a3b74d9b821f/overview", "https://www.virustotal.com/graph/embed/ga577e541c45f4ef3b8c2ee0e464a4264caf5439148f941db8c2615f1b83baebe?theme=dark", "https://www.virustotal.com/gui/collection/f5259d2e7f82856773d9a0867206fe5b571627740209eb72652fd2c04b099a16", "https://www.virustotal.com/gui/collection/f5259d2e7f82856773d9a0867206fe5b571627740209eb72652fd2c04b099a16/iocs", "https://report.netcraft.com/submission/OAoeOZfDFap5UPDTF52Uy5Q754Z5Fctm?tab=urls", "https://app.threat.zone/submission/ef652ac5-bc19-43e4-a603-e2d2ccae55ff/static-scan-report/strings", "https://www.filescan.io/uploads/685b8c3dcf2af157111779ff/reports/69c49cb3-aef0-4a32-b382-6b38ec8187d0/overview", "https://app.any.run/tasks/2f11fff7-a2bc-4744-af91-279753100630", "https://app.threat.zone/submission/2514e91a-4ad4-4c54-bee3-276c86dcc970/overview", "https://polyswarm.network/scan/results/url/bc0fe9233e19654c54cc439e9f3e06491556867cde40e25c8589dbee265f3f2f", "https://tria.ge/250717-f744tavxcy/behavioral1" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Education", "Technology", "Healthcare", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 56, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 219, "FileHash-SHA1": 203, "FileHash-SHA256": 530, "SSLCertFingerprint": 10, "email": 3, "hostname": 76, "URL": 164, "domain": 153 }, "indicator_count": 1358, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "246 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68396d9ae8b96e90ff1848d5", "name": "AcK-U // unenriched - 05.30.25", "description": "Just a quick check", "modified": "2025-07-23T20:11:01.749000", "created": "2025-05-30T08:34:34.215000", "tags": [ "amazon02", "cloudflarenet", "amazonaes", "fastly", "github", "google", "facebook", "namecheapnet", "service", "cdck", "level3", "cloud", "com laude", "ltd dba", "namecheap inc", "gandi sas", "gmbh", "cloudflare", "namecheap", "registrarsafe", "ascio", "tucows", "spaceship", "please", "javascript", "iocs", "threat", "malware unread", "collection", "crowdsourced", "acku new", "share", "updated", "first ioc", "seen", "premium", "entity" ], "references": [ "https://www.virustotal.com/gui/collection/e03439bc07bcb1908764755571e127ec051193d4cc24cf842ec3179557f533cb/iocs", "https://www.virustotal.com/graph/embed/g36d8fc13d786418ab1d0a75cc331f0eb5bca28d4a4fe4666a84f23e25fb6600b?theme=dark", "https://www.virustotal.com/gui/collection/e03439bc07bcb1908764755571e127ec051193d4cc24cf842ec3179557f533cb/summary", "https://report.netcraft.com/submission/iduhE4oNTsMOSAeOeBjzZdIfCLtefF3P - 07.23.25 - see notes on references*" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 91, "domain": 204, "hostname": 192, "URL": 731, "FileHash-SHA256": 27, "email": 1 }, "indicator_count": 1246, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "270 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "684690d6dc730b0842d341a7", "name": "Exposing_Malware_in20Linux-Based_Multi-Cloud_Environments_R1Final.pdf", "description": "Falcon Sandbox: \nRansomware/Banking\nDetected indicator that file is ransomware\ndetails\n\"5 | Exposing Malware in Linux-Based Multi-Cloud Environments Ransomware and cryptominers Ransomware The impact of a ransomware attack can range from being a nuisance (e.g., having to restore data from backups and clean up the network) to being devastating (e.g., having to pay large sums of money to regain access to key assets). Unfortunately, when talking about cloud environments, the results tend to be more on the devastating side. Recently, cybercriminals have started calculating the damage they might cause to the valuation of a company going through a financial event to make the potential impact of their attack clear and incentivize ransom payments.5 At the same time, they\\x2122ve been honing their tactics with increasingly sophisticated techniques to target victim organizations\u2026more: https://www.hybrid-analysis.com/sample/92c1ca86f4d025e72acb94ae3cbdd3c6435aaa1b5e3fc3dcb06f8501b5dd3bb7/62e7fdd19a99ce4fa32e6d64", "modified": "2025-07-09T07:03:10.726000", "created": "2025-06-09T07:44:22.507000", "tags": [ "ipv4", "url http", "expiration", "url https", "eid1338769034", "united", "unknown ns", "present jun", "unknown cname", "name servers", "search", "servers", "showing", "ip address", "creation date", "date", "encrypt", "sha256", "submitted", "passive dns", "urls", "address", "xmpg", "malware", "span", "extgstate", "bbox", "subtypeform", "rlength", "resource", "rfit", "pattern match", "path", "code", "cobalt strike", "false", "cloud", "core", "footer", "meta", "black", "ransomware", "r980", "facebook", "discord", "stream", "form", "contact", "story", "february", "rats", "stack", "defense", "launcher", "trace", "august", "hellokitty", "twitter", "upgrade", "android", "decryptor", "green", "enterprise", "team", "small", "systemd", "service", "python", "shell", "reload", "find", "haiduc", "hybrid", "general", "suspicious", "click", "strings", "iframe", "loader", "tools", "template", "daily", "hypervisor", "capture", "stars", "download", "copy", "cobaltstrike", "install", "madcap", "protect", "shift", "beyond", "leverage", "agent", "info", "xmrig", "attack", "demonbot", "multi", "live", "grep", "pass", "ri falsek", "process", "xobject", "format", "june", "crypto", "close", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "apis", "found" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 39, "FileHash-SHA1": 48, "FileHash-SHA256": 67, "domain": 173, "hostname": 110, "URL": 429, "email": 10 }, "indicator_count": 876, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "284 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "684225925f1a076ce3039b55", "name": "hxxps://github[.]com/CocoaPods - 06.05.25", "description": "Github CocoaPods", "modified": "2025-07-05T23:04:57.997000", "created": "2025-06-05T23:17:38.255000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "prefetch8 ansi", "ansi", "date", "threat level", "show process", "sha256", "hash seen", "pcap", "pcap processing", "command decode", "suspicious", "hybrid", "comspec", "close", "click", "hosts", "june", "general", "path", "model", "strings", "contact", "community", "results", "switch", "inquest labs", "resources api", "notes supported", "cve list", "drop your", "file", "service", "virus", "ransomware", "static", "indicator of compromise", "ioc", "extraction", "emulation", "platform", "please", "javascript", "url", "scanner", "reputation", "phishing", "fastly", "accept", "sectigo limited", "gmt file", "windows nt", "win64", "http2", "url get", "fingerprint", "ascii text", "write" ], "references": [ "https://www.hybrid-analysis.com/sample/2df0978d569e55b6c2176959734d9a6a776eab8c11e2742d7b0cde7a7fb72011/68422003376961f119095141", "https://metadefender.com/results/url/aHR0cHM6Ly9naXRodWIuY29tL0NvY29hUG9kcw==", "https://www.filescan.io/uploads/68421f7dfd02ed5e059acb43/reports/6eb07c34-b325-4107-8652-fe9503ca076e/overview", "https://www.virustotal.com/gui/file/9054fc526befddddb30e9df6dade3c405327951f2cd2add9cb27effd4e64ebc7?nocache=1", "https://urlquery.net/report/ae80c540-8c9b-48e4-a6e1-b18cb4426dbf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Netherlands" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 182, "FileHash-SHA1": 267, "FileHash-SHA256": 187, "SSLCertFingerprint": 12, "URL": 297, "email": 4, "hostname": 80, "domain": 13 }, "indicator_count": 1042, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "287 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "682ffb5e21f5ca290ee9bd73", "name": "Timely Threat Intelligence: IOCs for AdaptixC2 Activity Report", "description": "This report provides an in-depth analysis of Indicators of Compromise (IOCs) associated with AdaptixC2 activity as of May 20, 2025. Compiled by the Unit 42 team at Palo Alto Networks, this document serves as a critical resource for cybersecurity professionals seeking to understand and mitigate potential threats stemming from AdaptixC2 command and control operations.", "modified": "2025-06-22T04:03:38.671000", "created": "2025-05-23T04:36:46.278000", "tags": [ "path", "link", "script", "span", "button", "template", "github", "meta", "form", "footer", "close", "code", "reload", "find", "body", "write", "small", "enterprise", "star", "august", "cobalt strike", "main", "contact" ], "references": [ "https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-05-20-IOCs-for-AdaptixC2-activity.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 5, "FileHash-SHA1": 2, "FileHash-SHA256": 15, "domain": 7 }, "indicator_count": 29, "is_author": false, "is_subscribing": null, "subscriber_count": 171, "modified_text": "301 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68132cf4352ace6544f645c3", "name": "Microsoft Telnet Server MS-TNAP Guest Access Restriction Bypass Exploit", "description": "A high-risk flaw in Microsoft's Telnet Server's MS-TNAP implementation allows\nunauthenticated attackers to bypass the Guest account login restriction on Microsoft\nTelnet Server. By sending a specially crafted NTLM Type 3 message with empty \ncredentials, attackers can authenticate as the Guest account despite restrictions.\nThis bypasses the server's Guest login restriction, normally seen in password authentication \nas \"Telnet connection not allowed to the Guest account.\" If the Guest account is in the\nTelnetClients group, attackers may also gain unauthorized Telnet session access.", "modified": "2025-05-31T08:05:19.374000", "created": "2025-05-01T08:12:36.386000", "tags": [ "path", "button", "span", "link", "script", "u003c", "u0026", "template", "guest", "guest account", "meta", "form", "footer", "code", "exploit", "close", "target", "null", "reload", "bypass", "find", "shell", "service", "impact", "download", "body", "write", "small", "enterprise", "star", "copy", "open", "main", "contact" ], "references": [ "https://github.com/hackerhouse-opensource/exploits/blob/master/MsTelnetServer_NTLM_Guest.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 11, "FileHash-SHA1": 2, "FileHash-SHA256": 11, "URL": 6, "domain": 4, "email": 2 }, "indicator_count": 36, "is_author": false, "is_subscribing": null, "subscriber_count": 845, "modified_text": "323 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6761c6d68582c49eff306fe6", "name": "Likely malicious Google Analytics Alternative - App & Web Analytics - Matomo", "description": "The full text of the \"suspicious\"obfuscation using unescape has been published on the website tylabs.com, as well as the official release of a new version of PDF.", "modified": "2025-05-14T21:24:25.364000", "created": "2024-12-17T18:45:42.250000", "tags": [ "bitcoin address", "didier stevens", "didierstevens", "bitcoinaddress", "june", "copyright", "t1027", "unesc", "unescape", "flash define", "matomo", "string", "date", "sufeffxa0", "regexp", "please", "blob", "null", "tag manager", "link", "url https", "ipv4", "url http", "learn", "it for", "no credit", "cloud trial", "start", "contact", "matomo team", "help", "free", "easy", "tools" ], "references": [ "https://matomo.org https://matomo.www.gov.pl/analytics/js/container_68lYTZ79.js", "https://www.filescan.io/uploads/67619a0f99caec9a276f9efd/reports/92e63ab1-1ebd-41a7-90da-f842f0b90392/details" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 62, "YARA": 8, "domain": 83, "URL": 657, "email": 3, "hostname": 152, "IPv4": 15, "CIDR": 1, "FileHash-SHA1": 57, "FileHash-SHA256": 734 }, "indicator_count": 1772, "is_author": false, "is_subscribing": null, "subscriber_count": 122, "modified_text": "340 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ebcee06ff20038b2fd4949", "name": "Gamaredon campaign abuses LNK files to distribute Remcos backdoor", "description": "Cisco Talos is actively tracking an ongoing campaign targeting users in Ukraine with malicious LNK files, which run a PowerShell downloader, since at least November 2024.", "modified": "2025-05-01T11:03:54.851000", "created": "2025-04-01T11:32:48.265000", "tags": [ "span", "path", "button", "link", "script", "template", "github", "meta", "form", "footer", "code", "reload", "find", "close", "download", "body", "write", "small", "enterprise", "star", "copy", "open", "main", "contact" ], "references": [ "https://blog.talosintelligence.com/gamaredon-campaign-distribute-remcos/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 19, "FileHash-SHA1": 21, "FileHash-SHA256": 92, "domain": 1 }, "indicator_count": 133, "is_author": false, "is_subscribing": null, "subscriber_count": 846, "modified_text": "353 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67eb5c93c3274fd83435b8af", "name": "IOC - Gamaredon campaign abuses LNK files to distribute Remcos backdoor", "description": "", "modified": "2025-04-27T15:00:47.864000", "created": "2025-04-01T03:25:07.051000", "tags": [ "gthost", "lnk files", "phishing", "hyperhosting", "powershell", "remcos", "dll sideloading", "ukraine" ], "references": [ "https://blog.talosintelligence.com/gamaredon-campaign-distribute-remcos/" ], "public": 1, "adversary": "Gamaredon", "targeted_countries": [ "Germany", "Russian Federation", "Ukraine" ], "malware_families": [ { "id": "Remcos", "display_name": "Remcos", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [ "Government", "Defense" ], "TLP": "white", "cloned_from": "67e6c6b5e3b5eec595438366", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 19, "FileHash-SHA1": 21, "FileHash-SHA256": 92, "domain": 1, "CVE": 1 }, "indicator_count": 134, "is_author": false, "is_subscribing": null, "subscriber_count": 119, "modified_text": "357 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ee1f3689617ea807f1dd35", "name": "Russia-linked Gamaredon targets Ukraine with Remcos RAT", "description": "", "modified": "2025-04-27T15:00:47.864000", "created": "2025-04-03T05:40:06.163000", "tags": [ "gthost", "lnk files", "phishing", "hyperhosting", "powershell", "remcos", "dll sideloading", "ukraine" ], "references": [ "https://blog.talosintelligence.com/gamaredon-campaign-distribute-remcos/" ], "public": 1, "adversary": "Gamaredon", "targeted_countries": [ "Germany", "Russian Federation", "Ukraine" ], "malware_families": [ { "id": "Remcos", "display_name": "Remcos", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [ "Government", "Defense" ], "TLP": "white", "cloned_from": "67e6c6b5e3b5eec595438366", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 19, "FileHash-SHA1": 21, "FileHash-SHA256": 92, "domain": 1, "CVE": 1 }, "indicator_count": 134, "is_author": false, "is_subscribing": null, "subscriber_count": 264, "modified_text": "357 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67dfbeec0e4cfd59cca3ac61", "name": "hxxps://github[.]com/imaya/zlib.js/tree/master - 03.22.25 (Un-Enriched)", "description": "hxxps://github[.]com/imaya/zlib.js/tree/master - 03.22.25", "modified": "2025-04-22T07:00:01.273000", "created": "2025-03-23T07:57:32.130000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "ansi", "prefetch8 ansi", "date", "threat level", "show process", "hash seen", "sha256", "pcap processing", "pcap", "command decode", "suspicious", "hybrid", "comspec", "close", "click", "hosts", "general", "path", "model", "strings", "contact", "threat intelligence", "feed", "ioc", "change theme", "contact us", "intelligence", "threats api", "analyze api", "overview", "threats explore", "rate limits", "stixtaxii", "bulk export", "please", "javascript", "virus", "ransomware", "static", "indicator of compromise", "extraction", "emulation", "platform", "entity" ], "references": [ "https://hybrid-analysis.com/sample/8ee2ed5f3080354e6c8974fbebdc448c8d289a3f05e3bfedefadd5e2a9084376/67dfb4135d3987c5750301fc", "https://pulsedive.com/indicator/?iid=68381634", "https://www.virustotal.com/gui/url/76078f83edcd46bd9b83a87a39731cbe45da33b30a7c4a628223a4959c97ce0f", "https://www.filescan.io/uploads/67dfbaf7a175d317734568e1/reports/83bd2446-c34b-4ce3-9de6-7f9685941d28/overview", "https://www.filescan.io/uploads/67dfbaf7a175d317734568e1/reports/83bd2446-c34b-4ce3-9de6-7f9685941d28/ioc", "https://www.virustotal.com/graph/embed/g8d4be90062df462fbc7be3ba1cca3ec26c9964a0684742ea8ca73e36810d5810?theme=dark" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Education", "Healthcare", "Government", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 91, "FileHash-SHA1": 91, "FileHash-SHA256": 190, "SSLCertFingerprint": 13, "domain": 75, "email": 4, "hostname": 47, "URL": 136 }, "indicator_count": 647, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "362 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c0f8782812871b1b0bb1f1", "name": "Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools", "description": "Cisco Talos has identified and identified the Lotus Blossom cyber espionage group, which is believed to be carrying out a series of backdoors and hacking tools, including the Sagerunex malware suite.", "modified": "2025-03-29T23:01:21.543000", "created": "2025-02-27T23:42:48.421000", "tags": [ "threats", "landing page top story", "apt", "threat spotlight", "top story", "sagerunex", "lotus blossom", "dropbox", "beta version", "twitter", "zimbra", "cisco secure", "servicedll t", "regexpandsz d", "ttps", "htran", "venom proxy", "vmprotect", "umbrella", "cookie", "span", "path", "button", "link", "script", "template", "github", "form", "footer", "meta", "code", "reload", "find", "close", "download", "body", "write", "small", "enterprise", "star", "courier", "copy", "open", "main", "contact" ], "references": [ "https://blog.talosintelligence.com/lotus-blossom-espionage-group/", "https://github.com/Cisco-Talos/IOCs/blob/main/2025/02/lotus-blossom-espionage-group.txt" ], "public": 1, "adversary": "", "targeted_countries": [ "Philippines", "Viet Nam", "Hong Kong", "Taiwan", "United States of America", "Poland", "Germany" ], "malware_families": [ { "id": "Cookie", "display_name": "Cookie", "target": null }, { "id": "Sagerunex", "display_name": "Sagerunex", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1526", "name": "Cloud Service Discovery", "display_name": "T1526 - Cloud Service Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" } ], "industries": [ "Government", "Manufacturing", "Telecommunications", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ChrisTan0", "id": "262536", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 19, "FileHash-SHA1": 20, "FileHash-SHA256": 49, "domain": 5, "hostname": 7 }, "indicator_count": 100, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "385 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67bde372858d6c9980212ae6", "name": "Fake DeepSeek Site Infects Mac Users with Poseidon Stealer", "description": "Adversaries don\u2019t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.\n\nWe have discovered some of the most dangerous threats and nation state attacks in our space \u2013 including the Kaseya MSP breach and the more_eggs malware.\n\nOur Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit \u2013 the TRU team.", "modified": "2025-03-27T15:03:40.001000", "created": "2025-02-25T15:36:18.832000", "tags": [ "path", "button", "span", "link", "script", "template", "amos", "quot", "cfile", "github", "form", "footer", "code", "atomic", "meta", "stealer", "asyncrat", "terminal", "reload", "find", "close", "autoit", "icedid", "lazarus", "venomrat", "webdav", "solarmarker", "exodus", "download", "body", "write", "small", "enterprise", "star", "courier", "copy", "open", "media", "main", "contact" ], "references": [ "https://www.esentire.com/blog/fake-deepseek-site-infects-mac-users-with-poseidon-stealer" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 1, "FileHash-SHA1": 2, "FileHash-SHA256": 14, "URL": 4, "domain": 7, "hostname": 1 }, "indicator_count": 30, "is_author": false, "is_subscribing": null, "subscriber_count": 847, "modified_text": "388 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ba2d306c60738da31d6f27", "name": "Unveiling SpiceRAT: SneakyChef's latest tool targeting EMEA and Asia", "description": "Cisco Talos has uncovered a new remote access trojan (RAT) used by the threat actor SneakyChef in a recent campaign targeting government agencies in EMEA and Asia, with lures from Turkmenistan.", "modified": "2025-03-24T20:00:11.422000", "created": "2025-02-22T20:01:52.343000", "tags": [ "rat", "threats", "spicerat", "sneakychef", "c2 server", "html", "cisco secure", "talos", "rar file", "dll loader", "hta file", "windows task", "team", "homepage", "plugx", "umbrella", "sugargh0st rat", "spivy", "sugargh0st", "description", "friday", "june", "download", "february", "generatedthe", "tornet", "path", "span", "button", "link", "script", "template", "github", "form", "footer", "meta", "code", "reload", "find", "close", "body", "write", "small", "enterprise", "star", "courier", "copy", "open", "main", "contact" ], "references": [ "https://blog.talosintelligence.com/new-spicerat-sneakychef/", "https://github.com/Cisco-Talos/IOCs/blob/main/2024/06/new-spicerat-sneakychef.txt" ], "public": 1, "adversary": "", "targeted_countries": [ "Angola", "Turkmenistan", "Poland", "Germany" ], "malware_families": [ { "id": "SugarGh0st RAT", "display_name": "SugarGh0st RAT", "target": null }, { "id": "PlugX", "display_name": "PlugX", "target": null }, { "id": "SPIVY", "display_name": "SPIVY", "target": null }, { "id": "SugarGh0st", "display_name": "SugarGh0st", "target": null }, { "id": "generatedThe", "display_name": "generatedThe", "target": null }, { "id": "TorNet", "display_name": "TorNet", "target": null } ], "attack_ids": [ { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Armature_TIP", "id": "308911", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_308911/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5, "hostname": 24, "domain": 31, "FileHash-SHA1": 1, "FileHash-SHA256": 25 }, "indicator_count": 86, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "391 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ba343415e84160c4de64a9", "name": "SneakyChef espionage group targets government agencies with SugarGh0st and more infection techniques", "description": "A newly discovered threat actor using SugarGh0st RAT is targeting government agencies in EMEA and Asia, according to Cisco Talos.. and the research team has published its findings.", "modified": "2025-03-24T20:00:11.422000", "created": "2025-02-22T20:31:48.268000", "tags": [ "ministry", "talos", "foreign", "cisco secure", "sneakychef", "sugargh0st", "cisco talos", "sugargh0st rat", "uzbekistan", "november", "august", "defense", "umbrella", "february", "friday", "june", "team", "gh0st rat", "cluster", "april", "sugargg0st", "tornet", "rat", "threats", "sfx rar", "angolaministry", "foreign affairs", "path", "span", "button", "link", "script", "template", "github", "form", "footer", "meta", "code", "reload", "find", "close", "download", "body", "write", "small", "enterprise", "star", "courier", "copy", "open", "main", "contact" ], "references": [ "https://blog.talosintelligence.com/sneakychef-sugarghost-rat/", "https://github.com/Cisco-Talos/IOCs/blob/main/2024/06/sneakychef-sugargh0st-rat.txt" ], "public": 1, "adversary": "", "targeted_countries": [ "Korea, Republic of", "Uzbekistan", "Kazakhstan", "Angola", "Turkmenistan", "Saudi Arabia", "Latvia", "Lithuania", "United States of America", "Poland", "Germany" ], "malware_families": [ { "id": "SugarGg0st", "display_name": "SugarGg0st", "target": null }, { "id": "TorNet", "display_name": "TorNet", "target": null }, { "id": "SugarGh0st", "display_name": "SugarGh0st", "target": null } ], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Foreign Affairs", "Government", "Embassy", "Legal", "Transportation", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Armature_TIP", "id": "308911", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_308911/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2, "hostname": 2, "FileHash-SHA1": 1, "FileHash-SHA256": 157 }, "indicator_count": 162, "is_author": false, "is_subscribing": null, "subscriber_count": 43, "modified_text": "391 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ba34773abb78ff50498c32", "name": "eSentire | AdsExhaust, a Newly Discovered Adware MasqueradingOculus\u2026", "description": "eSentire provides a comprehensive, 24-hour managed detection and response service for businesses across the globe, with the help of artificial intelligence (AI) and advanced threat management tools, including machine learning.", "modified": "2025-03-24T20:00:11.422000", "created": "2025-02-22T20:32:55.474000", "tags": [ "c2 server", "threat response", "unit", "adsexhaust", "figure", "urls", "response", "tru team", "computername", "username", "hunters", "cyber", "june", "download", "powershell", "path", "phishing", "json", "blog graphic", "image feb", "stages", "adsexhaust main" ], "references": [ "https://www.esentire.com/blog/adsexhaust-a-newly-discovered-adware-masquerading-oculus-installer" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "JSON", "display_name": "JSON", "target": null }, { "id": "AdsExhaust Main", "display_name": "AdsExhaust Main", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [ "Construction", "Finance", "Legal", "Manufacturing", "Healthcare", "Retail", "Food", "Government", "Education", "Automotive" ], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Armature_TIP", "id": "308911", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_308911/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "URL": 74, "domain": 7, "CVE": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 27 }, "indicator_count": 113, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "391 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ae825ee4680bf980f21c4e", "name": "FIN7 Hacker Group Leverages Malicious Google Ads to Deliver NetSupport RAT", "description": "A group known as FIN7 has been using Google ads to lure users into downloading malware, according to a report published this week by cybersecurity firm eSentire and the Microsoft Security Research Center..", "modified": "2025-03-15T23:04:39.639000", "created": "2025-02-13T23:38:05.365000", "tags": [ "path", "span", "button", "link", "script", "template", "github", "form", "footer", "overlay", "code", "meta", "asyncrat", "reload", "diceloader", "find", "close", "amos", "stealer", "autoit", "darkvnc", "ducktail", "lumma stealer", "icedid", "lazarus", "mintsloader", "pikabot", "venomrat", "webdav", "solarmarker", "stealc", "download", "body", "write", "small", "enterprise", "star", "courier", "copy", "open", "main", "contact", "cyber security news", "cyber news", "cyber security news today", "cyber security updates", "cyber updates", "hacker news", "hacking news", "software vulnerability", "cyber attacks", "data breach", "ransomware malware", "how to hack", "network security", "information security", "the hacker news", "computer security", "fin7", "netsupport rat", "google", "msix", "blackrock", "asana", "wall street", "journal", "google meet", "powertrash", "anydesk", "winscp", "carbanak", "powerplant", "termite", "gracewire", "april", "fakeupdates", "rats", "twitter", "netsupport" ], "references": [ "https://github.com/esThreatIntelligence/iocs/blob/main/FIN7/FIN7_IOCs_5-3-2024.txt", "https://thehackernews.com/2024/05/fin7-hacker-group-leverages-malicious.html" ], "public": 1, "adversary": "FIN7", "targeted_countries": [], "malware_families": [ { "id": "POWERTRASH", "display_name": "POWERTRASH", "target": null }, { "id": "BlackRock", "display_name": "BlackRock", "target": null }, { "id": "NetSupport", "display_name": "NetSupport", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Armature_TIP", "id": "308911", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_308911/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 5, "FileHash-SHA1": 3, "FileHash-SHA256": 14, "domain": 45, "hostname": 1 }, "indicator_count": 70, "is_author": false, "is_subscribing": null, "subscriber_count": 42, "modified_text": "399 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67a4decf0ac6d6ed27d27b0d", "name": "Leveraging NetSupport RAT", "description": "NetSupport RAT is frequently exploited by threat actors for various malicious purposes. One common use is data exfiltration, where the RAT is used to locate and extract sensitive information, such as, credentials, financial data, and critical documents. It also enables credential harvesting through keylogging or theft of browser-stored data, which can provide attackers with access to additional systems or accounts. Once inside a network, attackers leverage the RAT\u2019s capabilities to facilitate lateral movement, compromising additional systems and expanding their control. Furthermore, NetSupport RAT often serves as a dropper, deploying other malware such as ransomware or secondary backdoors to escalate the attack\u2019s impact.", "modified": "2025-03-08T16:01:15.391000", "created": "2025-02-06T16:09:51.352000", "tags": [ "path", "span", "button", "link", "script", "template", "github", "form", "footer", "meta", "code", "reload", "find", "close", "download", "body", "write", "small", "enterprise", "star", "courier", "copy", "open", "main", "contact", "malware", "RAT" ], "references": [ "https://security.microsoft.com/threatanalytics3/03b28902-53fb-4091-8840-01477263cc44/analystreport", "https://github.com/Cisco-Talos/IOCs/blob/main/2024/08/detecting-evolving-threats-netsupport-rat.txt" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Israel" ], "malware_families": [ { "id": "NetSupportManager RAT", "display_name": "NetSupportManager RAT", "target": null } ], "attack_ids": [ { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Jnorton16", "id": "281242", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 5, "FileHash-SHA256": 67, "domain": 10 }, "indicator_count": 86, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "407 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "679a3beebc879c3c3d9bbb8c", "name": "New Phishing Campaign Mimic Amazon Prime Membership To Steal Credit Card Data", "description": "A sophisticated phishing campaign targeting Amazon Prime members has been uncovered, aiming to steal credit card information and other sensitive data.\n\nCybersecurity experts have identified a complex attack chain that leverages PDF attachments, redirects, and cleverly crafted phishing sites to deceive unsuspecting victims.\n\nThe campaign begins with malicious PDF files containing links to phishing sites impersonating Amazon.\n\nResearchers have collected 31 such PDF files, each with a unique SHA256 hash.", "modified": "2025-02-28T14:02:13.817000", "created": "2025-01-29T14:32:14.404000", "tags": [ "path", "button", "span", "link", "script", "template", "form", "footer", "meta", "overlay", "code", "reload", "find", "close", "download", "body", "write", "small", "enterprise", "star", "virustotal", "courier", "copy", "open", "main", "contact" ], "references": [ "https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-01-24-IOCs-for-phishing-campaign-impersonating-amazon.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-MD5": 2, "FileHash-SHA1": 1, "FileHash-SHA256": 44, "domain": 3, "hostname": 5 }, "indicator_count": 58, "is_author": false, "is_subscribing": null, "subscriber_count": 847, "modified_text": "415 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "679a41b1f84094e260c7364c", "name": "Fake Microsoft Teams Page Drops Malware On Windows By Exploiting Bing Ads", "description": "Unit 42 researchers Bradley Duncan and Zach Diehl uncovered a malicious campaign exploiting Bing search advertisements to deliver malware through deceptive websites impersonating legitimate software pages.\n\nThis alarming discovery highlights the growing trend of attackers leveraging legitimate platforms for malicious purposes.", "modified": "2025-02-28T14:02:13.817000", "created": "2025-01-29T14:56:49.395000", "tags": [ "path", "button", "span", "link", "script", "template", "form", "footer", "meta", "overlay", "code", "download", "reload", "find", "close", "body", "write", "small", "enterprise", "star", "courier", "copy", "open", "persistence", "main", "contact" ], "references": [ "https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-01-22-IOCs-for-malware-from-fake-Microsoft-Teams-site.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 18, "URL": 3, "domain": 4, "hostname": 2 }, "indicator_count": 36, "is_author": false, "is_subscribing": null, "subscriber_count": 846, "modified_text": "415 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "678aabf6071a953af98be50f", "name": "ipsum", "description": "", "modified": "2025-02-16T19:01:33.938000", "created": "2025-01-17T19:13:58.211000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "santosh171423", "id": "279350", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 1, "FileHash-SHA256": 12, "URL": 3, "domain": 1 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 1, "modified_text": "427 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67599188f2e9b1fe72d47cc6", "name": "Black Basta Campaign Uses Teams to Deliver Zbot, DarkGate, and Custom Malware", "description": "This report analyzes a renewed and evolving campaign by Black Basta. Since October 2024, its affiliates have used email bombing and impersonation of IT support via Microsoft Teams to deceive victims into installing remote management tools. These tools enable initial access to deploy malware, including a custom credential stealer, Zbot, and DarkGate for persistence and data exfiltration. These tactics reflect the adaptability of ransomware attackers, with similar techniques observed in campaigns potentially attributed to Sangria Tempest.", "modified": "2025-01-10T13:00:54.980000", "created": "2024-12-11T13:20:08.438000", "tags": [ "malware/Ransomware", "threattype/Credential Theft", "threattype/Malware", "Malware/Credential Stealing Malware", "malwaretype/Loader", "malware/Zbot", "malwaretype/Remote Access Trojan (RAT)", "Malware/DarkGate", "Malware/Black Basta", "Malware/Cobalt Strike", "Industries/All Industries" ], "references": [ "https://github.com/rapid7/Rapid7-Labs/blob/main/IOCs/BlackBasta_SocialEngineering_IOCs.txt", "https://www.rapid7.com/blog/post/2024/12/04/black-basta-ransomware-campaign-drops-zbot-darkgate-and-custom-malware/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "DarkGate", "display_name": "DarkGate", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Black Basta", "display_name": "Black Basta", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "eric.ford", "id": "42510", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 36, "FileHash-SHA256": 48, "domain": 11, "email": 7, "hostname": 4 }, "indicator_count": 111, "is_author": false, "is_subscribing": null, "subscriber_count": 129, "modified_text": "464 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "676257dfbf989a369ca33539", "name": "Black Basta Campaign Uses Teams to Deliver Zbot, DarkGate, and Custom Malware - Test 18th Dec 2024 ", "description": "", "modified": "2025-01-10T13:00:54.980000", "created": "2024-12-18T05:04:31.074000", "tags": [ "malware/Ransomware", "threattype/Credential Theft", "threattype/Malware", "Malware/Credential Stealing Malware", "malwaretype/Loader", "malware/Zbot", "malwaretype/Remote Access Trojan (RAT)", "Malware/DarkGate", "Malware/Black Basta", "Malware/Cobalt Strike", "Industries/All Industries" ], "references": [ "https://github.com/rapid7/Rapid7-Labs/blob/main/IOCs/BlackBasta_SocialEngineering_IOCs.txt", "https://www.rapid7.com/blog/post/2024/12/04/black-basta-ransomware-campaign-drops-zbot-darkgate-and-custom-malware/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "DarkGate", "display_name": "DarkGate", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Black Basta", "display_name": "Black Basta", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "67599188f2e9b1fe72d47cc6", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 36, "FileHash-SHA256": 48, "domain": 11, "email": 7, "hostname": 4 }, "indicator_count": 111, "is_author": false, "is_subscribing": null, "subscriber_count": 183, "modified_text": "464 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "676258156b2e39e6b48f6828", "name": "Black Basta Campaign Uses Teams to Deliver Zbot, DarkGate, and Custom Malware - Test 18th Dec 2024", "description": "", "modified": "2025-01-10T13:00:54.980000", "created": "2024-12-18T05:05:25.202000", "tags": [ "malware/Ransomware", "threattype/Credential Theft", "threattype/Malware", "Malware/Credential Stealing Malware", "malwaretype/Loader", "malware/Zbot", "malwaretype/Remote Access Trojan (RAT)", "Malware/DarkGate", "Malware/Black Basta", "Malware/Cobalt Strike", "Industries/All Industries" ], "references": [ "https://github.com/rapid7/Rapid7-Labs/blob/main/IOCs/BlackBasta_SocialEngineering_IOCs.txt", "https://www.rapid7.com/blog/post/2024/12/04/black-basta-ransomware-campaign-drops-zbot-darkgate-and-custom-malware/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Zbot", "display_name": "Zbot", "target": null }, { "id": "DarkGate", "display_name": "DarkGate", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "Black Basta", "display_name": "Black Basta", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "676257dfbf989a369ca33539", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 36, "FileHash-SHA256": 48, "domain": 11, "email": 7, "hostname": 4 }, "indicator_count": 111, "is_author": false, "is_subscribing": null, "subscriber_count": 264, "modified_text": "464 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "673df2d29c4f79d508ac4d96", "name": "Latrodectus | Brute Ratel IOCs - @pr0xylife - 11-19-24", "description": "Latrodectus to Brute Ratel infection chain - CampaignID: Lambda\nurl > .js > .msi > .dll", "modified": "2024-12-20T14:00:54.678000", "created": "2024-11-20T14:31:46.906000", "tags": [ "github", "lambda", "Latrodectus", "Brute Ratel" ], "references": [ "https://github.com/pr0xylife/Latrodectus/blob/main/Latrodectus_19.11.2024.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Latrodectus", "display_name": "Latrodectus", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Techronik", "id": "114546", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 15, "URL": 20, "domain": 10 }, "indicator_count": 47, "is_author": false, "is_subscribing": null, "subscriber_count": 84, "modified_text": "485 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "672e2868a0172d0834d3f142", "name": "Unwrapping the emerging Interlock ransomware attack", "description": "IOCs taken from github IOC link in article:\nhttps://blog.talosintelligence.com/emerging-interlock-ransomware/ --- \nATT&CK supplemental information taken from https://foresiet.com/blog/protect-your-business-from-interlock-ransomware-prevention-and-detection-tips", "modified": "2024-12-08T14:02:38.672000", "created": "2024-11-08T15:04:08.466000", "tags": [ "github", "Interlock", "Rhysida", "RDP", "AnyDesk", "PuTTY", "PowerShell", "AzCopy", "Kerberoasting", "ransomware" ], "references": [ "https://github.com/Cisco-Talos/IOCs/blob/main/2024/11/emerging-interlock-ransomware.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "interlock", "display_name": "interlock", "target": null } ], "attack_ids": [ { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1218.011", "name": "Rundll32", "display_name": "T1218.011 - Rundll32" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Techronik", "id": "114546", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 2, "FileHash-SHA256": 15, "domain": 3 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 84, "modified_text": "497 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "671fe3985e690abadc7ec144", "name": "Warm Cookie IOCs - 10/23/24", "description": "Threat Spotlight: WarmCookie/BadSpace from Cisco Talos\nhttps://blog.talosintelligence.com/warmcookie-analysis/", "modified": "2024-11-27T19:01:22.447000", "created": "2024-10-28T19:18:48.666000", "tags": [ "TA866", "Warm Cookie", "CSharp-Streamer-RAT", "Resident backdoor" ], "references": [ "https://github.com/Cisco-Talos/IOCs/blob/main/2024/10/warmcookie-analysis.txt" ], "public": 1, "adversary": "TA866", "targeted_countries": [], "malware_families": [ { "id": "csharp-streamer RAT", "display_name": "csharp-streamer RAT", "target": null }, { "id": "Warm Cookie", "display_name": "Warm Cookie", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Techronik", "id": "114546", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 29, "FileHash-SHA1": 30, "FileHash-SHA256": 165, "domain": 6, "hostname": 9 }, "indicator_count": 239, "is_author": false, "is_subscribing": null, "subscriber_count": 84, "modified_text": "508 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6746eae02e409b017dfc3446", "name": "test", "description": "", "modified": "2024-11-27T09:49:56.893000", "created": "2024-11-27T09:48:16.350000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6746e72e166ce385bcf6a190", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7079 }, "indicator_count": 12733, "is_author": false, "is_subscribing": null, "subscriber_count": 31, "modified_text": "508 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746eada877212ce963923c4", "name": "test", "description": "", "modified": "2024-11-27T09:48:10.379000", "created": "2024-11-27T09:48:10.379000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6746e72e166ce385bcf6a190", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "508 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e72e166ce385bcf6a190", "name": "test", "description": "", "modified": "2024-11-27T09:32:30.359000", "created": "2024-11-27T09:32:30.359000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "508 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e72528402d5f2b560f94", "name": "test", "description": "", "modified": "2024-11-27T09:32:21.842000", "created": "2024-11-27T09:32:21.842000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "508 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e6f7e75b22b226428b54", "name": "test", "description": "", "modified": "2024-11-27T09:31:35.510000", "created": "2024-11-27T09:31:35.510000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 29, "modified_text": "508 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "6746e6f777858514fd47721b", "name": "test", "description": "", "modified": "2024-11-27T09:31:35.336000", "created": "2024-11-27T09:31:35.336000", "tags": [ "msi file", "tuesday", "malspam email", "headers", "anna paula", "utf8", "currc3adculo", "from email", "associated", "zip archive" ], "references": [ "2021-09-21-Curriculo-IOCs.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6503e2757924cd9f6f7a9611", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "testivk1", "id": "218690", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5654, "domain": 7078 }, "indicator_count": 12732, "is_author": false, "is_subscribing": null, "subscriber_count": 29, "modified_text": "508 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 } ], "references": [ "https://www.filescan.io/uploads/66f6fe25f71b9c224c13bdf7/reports/b95801f7-d70e-4cc6-b967-b1cc8ad56fc9/overview", "https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada", "https://blog.talosintelligence.com/sneakychef-sugarghost-rat/", "https://urlquery.net/report/ae80c540-8c9b-48e4-a6e1-b18cb4426dbf", "https://www.virustotal.com/graph/embed/g8d4be90062df462fbc7be3ba1cca3ec26c9964a0684742ea8ca73e36810d5810?theme=dark", "2021-09-21-Curriculo-IOCs.txt", "https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark", "https://www.virustotal.com/gui/collection/78cac7a60cb9ea18ed98d5529491d4351d031634dfe7de0088a3054fba1e53be/iocs", "https://blog.talosintelligence.com/ps1bot-malvertising-campaign/", "https://github.com/Cisco-Talos/IOCs/blob/main/2026/02/new-dohdoor-malware-campaign.txt", "https://matomo.org https://matomo.www.gov.pl/analytics/js/container_68lYTZ79.js", "https://report.netcraft.com/submission/iduhE4oNTsMOSAeOeBjzZdIfCLtefF3P - 07.23.25 - see notes on references*", "https://pulsedive.com/indicator/?iid=68381634", "https://github.com/Cisco-Talos/IOCs/blob/main/2024/06/sneakychef-sugargh0st-rat.txt", "https://www.virustotal.com/graph/embed/ga577e541c45f4ef3b8c2ee0e464a4264caf5439148f941db8c2615f1b83baebe?theme=dark", "https://github.com/Cisco-Talos/IOCs/blob/main/2025/09/uat-8099-chinese-speaking-cybercrime-group-seo-fraud.txt", "https://app.any.run/tasks/2f11fff7-a2bc-4744-af91-279753100630", "https://hybrid-analysis.com/sample/8ee2ed5f3080354e6c8974fbebdc448c8d289a3f05e3bfedefadd5e2a9084376/67dfb4135d3987c5750301fc", "https://blog.talosintelligence.com/gamaredon-campaign-distribute-remcos/", "https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-05-20-IOCs-for-AdaptixC2-activity.txt", "https://app.threat.zone/submission/ef652ac5-bc19-43e4-a603-e2d2ccae55ff/static-scan-report/strings", "https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-01-24-IOCs-for-phishing-campaign-impersonating-amazon.txt", "https://www.filescan.io/uploads/685b8c3dcf2af157111779ff/reports/69c49cb3-aef0-4a32-b382-6b38ec8187d0/overview", "https://blog.talosintelligence.com/uat-8099-chinese-speaking-cybercrime-group-seo-fraud/", "https://www.virustotal.com/gui/collection/f5259d2e7f82856773d9a0867206fe5b571627740209eb72652fd2c04b099a16", "https://www.filescan.io/api/feed/reports", "https://metadefender.com/results/url/aHR0cHM6Ly9naXRodWIuY29tL0NvY29hUG9kcw==", "https://www.hybrid-analysis.com/sample/2df0978d569e55b6c2176959734d9a6a776eab8c11e2742d7b0cde7a7fb72011/68422003376961f119095141", "https://tria.ge/250807-vg754scn6t/behavioral1 - 08.07.25", "https://github.com/rapid7/Rapid7-Labs/blob/main/IOCs/BlackBasta_SocialEngineering_IOCs.txt", "https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-09-23-IOCs-for-phishing-campaign-using-BitM-pages.txt", "https://hybrid-analysis.com/sample/c801e05a1ee3423572349377ea9bdc3846b62e949611679e81c3d6cddcde77e5/67dde11e816206bd720dc9a0", "https://www.virustotal.com/gui/collection/e03439bc07bcb1908764755571e127ec051193d4cc24cf842ec3179557f533cb/iocs", "https://www.virustotal.com/graph/embed/g36d8fc13d786418ab1d0a75cc331f0eb5bca28d4a4fe4666a84f23e25fb6600b?theme=dark", "https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-01-22-IOCs-for-malware-from-fake-Microsoft-Teams-site.txt", "https://www.virustotal.com/gui/collection/1a335578b9905ed48ee04a8c52890951a06a1034dc9362d3ae4e042512eeb027", "https://github.com/Cisco-Talos/IOCs/blob/main/2024/08/detecting-evolving-threats-netsupport-rat.txt", "https://www.esentire.com/blog/adsexhaust-a-newly-discovered-adware-masquerading-oculus-installer", "https://www.filescan.io/uploads/68421f7dfd02ed5e059acb43/reports/6eb07c34-b325-4107-8652-fe9503ca076e/overview", "https://viz.greynoise.io/tags/georgia-tech-research-scanner?days=10", "http://www.hybrid-analysis.com/sample/e1a88d17a7c013cf623d01c2105e6233e2debb67a9c3fd0eb73b286091c82917/660af3e16e24fdbb100e03d9", "https://www.esentire.com/blog/fake-deepseek-site-infects-mac-users-with-poseidon-stealer", "https://blog.talosintelligence.com/new-dohdoor-malware-campaign/", "https://blog.talosintelligence.com/uat-8099-new-persistence-mechanisms-and-regional-focus/", "https://www.virustotal.com/gui/url/76078f83edcd46bd9b83a87a39731cbe45da33b30a7c4a628223a4959c97ce0f", "https://www.virustotal.com/gui/url/bc0fe9233e19654c54cc439e9f3e06491556867cde40e25c8589dbee265f3f2f/details", "https://www.virustotal.com/gui/collection/f5259d2e7f82856773d9a0867206fe5b571627740209eb72652fd2c04b099a16/iocs", "https://tria.ge/250717-f744tavxcy/behavioral1", "https://github.com/Cisco-Talos/IOCs/blob/main/2024/10/warmcookie-analysis.txt", "https://www.rapid7.com/blog/post/2024/12/04/black-basta-ransomware-campaign-drops-zbot-darkgate-and-custom-malware/", "https://app.any.run/tasks/53605645-2825-4d09-95ff-183a59b25518 - 08.07.25", "https://report.netcraft.com/submission/OAoeOZfDFap5UPDTF52Uy5Q754Z5Fctm?tab=urls", "https://blog.talosintelligence.com/uat-8099-new-persistence-mechanisms-and-regional-focus", "https://app.threat.zone/submission/2514e91a-4ad4-4c54-bee3-276c86dcc970/overview", "https://www.virustotal.com/graph/embed/ge36545cffdc8444caaf69c36a825639183ebd69af93f48369156f4dfc5348f8d?theme=dark", "https://pulsedive.com/indicator/?iid=68355616", "https://github.com/Cisco-Talos/IOCs/blob/main/2024/06/new-spicerat-sneakychef.txt", "https://thehackernews.com/2024/05/fin7-hacker-group-leverages-malicious.html", "https://www.filescan.io/uploads/67619a0f99caec9a276f9efd/reports/92e63ab1-1ebd-41a7-90da-f842f0b90392/details", "https://www.virustotal.com/gui/collection/1a335578b9905ed48ee04a8c52890951a06a1034dc9362d3ae4e042512eeb027/iocs", "https://www.virustotal.com/graph/embed/g0e28b9d656774e73b987b563164f4c51556d897677ed4a78920d44a0715390e6?theme=dark", "https://www.filescan.io/uploads/67dfbaf7a175d317734568e1/reports/83bd2446-c34b-4ce3-9de6-7f9685941d28/ioc", "https://blog.talosintelligence.com/maas-operation-using-emmenhtal-and-amadey-linked-to-threats-against-ukrainian-entities/", "https://polyswarm.network/scan/results/url/bc0fe9233e19654c54cc439e9f3e06491556867cde40e25c8589dbee265f3f2f", "https://viz.greynoise.io/ip/analysis/7e527b44-c950-4c01-bb33-d96", "https://github.com/pr0xylife/Latrodectus/blob/main/Latrodectus_19.11.2024.txt", "https://blog.talosintelligence.com/new-spicerat-sneakychef/", "https://www.virustotal.com/gui/collection/78cac7a60cb9ea18ed98d5529491d4351d031634dfe7de0088a3054fba1e53be/summary", "https://github.com/esThreatIntelligence/iocs/blob/main/FIN7/FIN7_IOCs_5-3-2024.txt", "https://github.com/hackerhouse-opensource/exploits/blob/master/MsTelnetServer_NTLM_Guest.txt", "https://security.microsoft.com/threatanalytics3/03b28902-53fb-4091-8840-01477263cc44/analystreport", "https://blog.talosintelligence.com/lotus-blossom-espionage-group/", "https://www.virustotal.com/graph/embed/g4928995ad74946e184fceac08d1c9ec4b891ca72d6c84eb08fc776c915c99e60?theme=dark", "https://www.virustotal.com/gui/file/9054fc526befddddb30e9df6dade3c405327951f2cd2add9cb27effd4e64ebc7?nocache=1", "https://github.com/Cisco-Talos/IOCs/blob/main/2025/02/lotus-blossom-espionage-group.txt", "https://github.com/Cisco-Talos/IOCs/blob/main/2024/11/emerging-interlock-ransomware.txt", "https://tria.ge/240401-v8bafsaf71/behavioral1", "https://www.filescan.io/uploads/67dfbaf7a175d317734568e1/reports/83bd2446-c34b-4ce3-9de6-7f9685941d28/overview", "https://www.virustotal.com/gui/collection/e03439bc07bcb1908764755571e127ec051193d4cc24cf842ec3179557f533cb/summary", "https://github.com/Cisco-Talos/IOCs/blob/main/2025/08/ps1bot-malvertising-campaign.txt", "https://www.filescan.io/uploads/67df8925a175d31773454fd7/reports/d000025d-8403-4b03-8f76-a3b74d9b821f/overview" ], "related": { "alienvault": { "adversary": [ "Gamaredon", "UAT-8099" ], "malware_families": [ "Remcos", "Badiis", "Gotohttp" ], "industries": [ "Government", "Education", "Technology", "Telecommunications", "Defense" ] }, "other": { "adversary": [ "TA866", "Gamaredon", "FIN7", "UAT-8099" ], "malware_families": [ "Blackrock", "Cookie", "Dohdoor", "Gotohttp", "Csharp-streamer rat", "Warm cookie", "Powertrash", "Black basta", "Zbot", "Sagerunex", "Remcos", "Ps1bot", "Tornet", "Sugargg0st", "Spivy", "Sugargh0st", "Netsupportmanager rat", "Plugx", "Generatedthe", "Darkgate", "Interlock", "Cobalt strike", "Badiis", "Adsexhaust main", "Latrodectus", "Sugargh0st rat", "Netsupport", "Json" ], "industries": [ "Retail", "Defense", "Healthcare", "Transportation", "Education", "Government", "Legal", "Automotive", "Finance", "Food", "Technology", "Manufacturing", "Telecommunications", "Foreign affairs", "Construction", "Media", "Embassy", "Energy" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 50, "pulses": [ { "id": "697b96e2955f456977e00c46", "name": "Dissecting UAT-8099: New persistence mechanisms and regional focus", "description": "UAT-8099, a threat actor targeting vulnerable IIS servers across Asia, has launched a new campaign from late 2025 to early 2026. The group's tactics have evolved, focusing on Thailand and Vietnam, and employing web shells, PowerShell scripts, and the GotoHTTP tool for remote access. New variants of BadIIS malware now include region-specific features, with separate versions targeting Vietnam and Thailand. The actor has expanded their toolkit to include utilities for log removal, file protection, and anti-rootkit capabilities. They've also adapted their persistence methods, creating hidden user accounts and leveraging legitimate tools to evade detection. The campaign demonstrates significant operational overlaps with the WEBJACK campaign, including shared malware hashes, C2 infrastructure, and victimology.", "modified": "2026-02-09T21:41:54.376000", "created": "2026-01-29T17:20:34.042000", "tags": [ "seo fraud", "vietnam", "persistence", "badiis", "thailand", "asia", "gotohttp", "iis" ], "references": [ "https://blog.talosintelligence.com/uat-8099-new-persistence-mechanisms-and-regional-focus/" ], "public": 1, "adversary": "UAT-8099", "targeted_countries": [ "British Indian Ocean Territory", "India", "Japan", "Pakistan", "Thailand" ], "malware_families": [ { "id": "BadIIS", "display_name": "BadIIS", "target": null }, { "id": "GotoHTTP", "display_name": "GotoHTTP", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 13, "FileHash-SHA1": 15, "FileHash-SHA256": 46, "URL": 27, "domain": 1, "hostname": 17 }, "indicator_count": 119, "is_author": false, "is_subscribing": null, "subscriber_count": 377569, "modified_text": "69 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697b57759a314f33d84f3b73", "name": "Dissecting UAT-8099: New persistence mechanisms and regional focus", "description": "UAT-8099's latest campaign from August 2025 to early 2026 targets vulnerable IIS servers across Asia, focusing on Thailand and Vietnam. The threat actor employs web shells, PowerShell scripts, and the GotoHTTP tool for remote access. New BadIIS variants are customized for specific regions, with enhanced persistence mechanisms and SEO fraud tactics. The malware now includes features like hardcoded target regions, exclusive file extensions, and the ability to load HTML templates. A Linux ELF variant of BadIIS was also identified. The campaign shows significant operational overlaps with the WEBJACK campaign, including shared malware hashes, C2 infrastructure, and victimology.", "modified": "2026-01-29T16:23:12.314000", "created": "2026-01-29T12:49:57.943000", "tags": [ "persistence", "web shells", "asia", "gotohttp", "badiis", "seo fraud", "iis", "powershell", "regional targeting" ], "references": [ "https://blog.talosintelligence.com/uat-8099-new-persistence-mechanisms-and-regional-focus" ], "public": 1, "adversary": "UAT-8099", "targeted_countries": [ "British Indian Ocean Territory", "India", "Japan", "Pakistan", "Thailand" ], "malware_families": [ { "id": "BadIIS", "display_name": "BadIIS", "target": null }, { "id": "GotoHTTP", "display_name": "GotoHTTP", "target": null } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1070.001", "name": "Clear Windows Event Logs", "display_name": "T1070.001 - Clear Windows Event Logs" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1056.004", "name": "Credential API Hooking", "display_name": "T1056.004 - Credential API Hooking" } ], "industries": [ "Government", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 13, "FileHash-SHA1": 15, "FileHash-SHA256": 46, "URL": 27, "domain": 1, "hostname": 17 }, "indicator_count": 119, "is_author": false, "is_subscribing": null, "subscriber_count": 377570, "modified_text": "80 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68de952252a07c88093c6fb4", "name": "UAT-8099: Chinese-speaking cybercrime group targets high-value IIS for SEO fraud", "description": "A Chinese-speaking cybercrime group, UAT-8099, is targeting high-value Internet Information Services (IIS) servers for search engine optimization fraud and data theft. The group focuses on reputable servers in India, Thailand, Vietnam, Canada, and Brazil, affecting universities, tech firms, and telecom providers. UAT-8099 uses web shells, hacking tools, Cobalt Strike, and BadIIS malware to manipulate search rankings and maintain persistence. They exploit weak file upload settings, enable guest accounts, and use RDP for access. The group also steals valuable credentials, configuration files, and certificates. New BadIIS variants with low detection rates and Chinese debug strings have been identified. The attackers employ SEO techniques like backlinking and inject malicious JavaScript to redirect users to fraudulent websites.", "modified": "2025-11-01T15:00:08.406000", "created": "2025-10-02T15:07:14.573000", "tags": [ "chinese-speaking", "web shells", "data theft", "seo fraud", "badiis", "cybercrime", "iis servers", "cobalt strike" ], "references": [ "https://blog.talosintelligence.com/uat-8099-chinese-speaking-cybercrime-group-seo-fraud/", "https://github.com/Cisco-Talos/IOCs/blob/main/2025/09/uat-8099-chinese-speaking-cybercrime-group-seo-fraud.txt" ], "public": 1, "adversary": "UAT-8099", "targeted_countries": [ "Brazil", "British Indian Ocean Territory", "Canada", "India", "Thailand" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1136.001", "name": "Local Account", "display_name": "T1136.001 - Local Account" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" } ], "industries": [ "Education", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 3, "FileHash-SHA256": 44, "domain": 3, "hostname": 29 }, "indicator_count": 80, "is_author": false, "is_subscribing": null, "subscriber_count": 377570, "modified_text": "169 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68d6996d3fa5189b9e5bce76", "name": "IOCs for phishing campaign using BitM pages", "description": "This intelligence report focuses on a phishing campaign that utilizes Browser-in-the-Middle (BitM) pages. The campaign likely involves sophisticated tactics to intercept and manipulate browser traffic, potentially allowing attackers to harvest credentials or inject malicious content. While specific details are not provided, the use of BitM techniques suggests a high level of technical sophistication and a targeted approach to compromising user data. The report appears to include Indicators of Compromise (IOCs) related to this campaign, which could be crucial for detecting and mitigating the threat.", "modified": "2025-10-26T13:04:29.817000", "created": "2025-09-26T13:47:25.539000", "tags": [ "browser-in-the-middle", "phishing", "bitm" ], "references": [ "https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-09-23-IOCs-for-phishing-campaign-using-BitM-pages.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1187", "name": "Forced Authentication", "display_name": "T1187 - Forced Authentication" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 2, "FileHash-SHA256": 12, "domain": 167, "hostname": 24 }, "indicator_count": 205, "is_author": false, "is_subscribing": null, "subscriber_count": 377567, "modified_text": "175 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67e6c6b5e3b5eec595438366", "name": "Gamaredon campaign abuses LNK files to distribute Remcos backdoor", "description": "A campaign targeting users in Ukraine with malicious LNK files has been observed since November 2024. The files, using Russian words related to troop movements as lures, run a PowerShell downloader contacting geo-fenced servers in Russia and Germany. The second stage payload uses DLL side loading to execute the Remcos backdoor. The activity is attributed to the Gamaredon threat actor group with medium confidence. The campaign uses the invasion of Ukraine as a theme in phishing attempts, distributing LNK files disguised as Office documents. The servers used are mostly hosted by GTHost and HyperHosting ISPs. The attack chain involves DLL sideloading to load the Remcos backdoor, which communicates with a C2 server on a specific port.", "modified": "2025-04-27T15:00:47.864000", "created": "2025-03-28T15:56:37.744000", "tags": [ "gthost", "lnk files", "phishing", "hyperhosting", "powershell", "remcos", "dll sideloading", "ukraine" ], "references": [ "https://blog.talosintelligence.com/gamaredon-campaign-distribute-remcos/" ], "public": 1, "adversary": "Gamaredon", "targeted_countries": [ "Germany", "Russian Federation", "Ukraine" ], "malware_families": [ { "id": "Remcos", "display_name": "Remcos", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [ "Government", "Defense" ], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 19, "FileHash-SHA1": 21, "FileHash-SHA256": 92, "domain": 1, "CVE": 1 }, "indicator_count": 134, "is_author": false, "is_subscribing": null, "subscriber_count": 377568, "modified_text": "357 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69ab02af1c884abf1c23a32b", "name": "New Dohdoor malware campaign targets education and health care", "description": "Talos discovered a multi-stage attack campaign targeting the victims in education and health care sectors, predominantly in the United States.", "modified": "2026-04-05T16:12:21.383000", "created": "2026-03-06T16:37:03.342000", "tags": [ "path", "span", "button", "script", "template", "link", "meta", "github", "footer", "form", "code", "close", "reload", "title", "body", "global", "write", "find", "stop", "small", "enterprise", "star", "copy", "download", "open", "main", "contact", "dohdoor" ], "references": [ "https://github.com/Cisco-Talos/IOCs/blob/main/2026/02/new-dohdoor-malware-campaign.txt", "https://blog.talosintelligence.com/new-dohdoor-malware-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "dohdoor", "display_name": "dohdoor", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AustinBH", "id": "147442", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 7, "FileHash-SHA1": 9, "FileHash-SHA256": 19, "URL": 3, "domain": 1, "hostname": 11 }, "indicator_count": 50, "is_author": false, "is_subscribing": null, "subscriber_count": 59, "modified_text": "14 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69a5c36b78ed73550bb0bf22", "name": "by Disable_Duck", "description": "", "modified": "2026-03-04T23:37:24.208000", "created": "2026-03-02T17:05:47.288000", "tags": [ "kgs0", "kls0", "botname http", "entity", "UAlberta", "Telus", "Norton", "ffss", "Alberta", "AlbertaNDP", "InteriorHealth", "RCMP", "CrimeStoppersAB", "EdmontonPolice", "RCMP Kelowna", "RCMP AB", "TLS/SSL Crawler", "CVE-2026-24061 Attempt", "Generic IoT Default Password Attempt", "Cisco Prime Infrastructure CVE-2019-1821 RCE Attempt", "Dahua Backdoor Attempt", "ENV Crawler", "DCERPC Protocol", "Carries HTTP Referer", "GNU Inetutils Telnetd Auth Bypass", "ICMPv4 Protocol" ], "references": [ "https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark", "https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada", "https://viz.greynoise.io/ip/analysis/7e527b44-c950-4c01-bb33-d96" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Netherlands", "Panama", "Poland", "United Kingdom of Great Britain and Northern Ireland", "Slovakia", "Aruba", "Anguilla", "Australia", "Costa Rica", "Guatemala", "Mexico", "Trinidad and Tobago", "Cura\u00e7ao", "Philippines", "Virgin Islands, U.S.", "Ukraine", "Barbados", "Germany", "Sint Maarten (Dutch part)", "Argentina", "Switzerland" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Healthcare", "Government", "Technology", "Energy", "Telecommunications" ], "TLP": "white", "cloned_from": "6901363c4ce422f5caf0f72c", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3903, "FileHash-SHA1": 4967, "FileHash-SHA256": 12884, "URL": 996, "domain": 987, "hostname": 3306, "email": 4, "CVE": 1 }, "indicator_count": 27048, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "45 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6811141c708261eb22d3a773", "name": "FileScan.io feed", "description": "", "modified": "2026-03-04T22:16:29.183000", "created": "2025-04-29T18:02:04.881000", "tags": [], "references": [ "https://www.filescan.io/api/feed/reports" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 681, "BitcoinAddress": 1, "FileHash-MD5": 1595, "FileHash-SHA1": 1569, "FileHash-SHA256": 1726, "domain": 116, "email": 60, "hostname": 99 }, "indicator_count": 5847, "is_author": false, "is_subscribing": null, "subscriber_count": 178, "modified_text": "46 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6980689d04c3d0afa554c247", "name": "Copy of Proton Suite - Apple iPadOS - Drive VPN Calendar Protonmail Ubiquiti Grok - 02.02.26", "description": "Copy of Proton Suite - Apple iPadOS - Drive VPN Calendar Protonmail Ubiquiti Grok - 02.02.26", "modified": "2026-03-04T08:01:36.153000", "created": "2026-02-02T09:04:29.535000", "tags": [ "entity", "skreutzb", "kgs0", "kls0", "please", "javascript", "Proton", "Drive", "Mail", "Calendar", "VPN", "Ubiquiti", "Unifi", "Malcerts", "Certificates", "Apple", "Github", "Cocoapods" ], "references": [ "https://www.virustotal.com/graph/embed/ge36545cffdc8444caaf69c36a825639183ebd69af93f48369156f4dfc5348f8d?theme=dark", "https://www.virustotal.com/gui/collection/1a335578b9905ed48ee04a8c52890951a06a1034dc9362d3ae4e042512eeb027", "https://www.virustotal.com/gui/collection/1a335578b9905ed48ee04a8c52890951a06a1034dc9362d3ae4e042512eeb027/iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 24, "FileHash-SHA1": 20, "FileHash-SHA256": 146, "hostname": 143, "URL": 218, "domain": 35 }, "indicator_count": 586, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "46 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6901363c4ce422f5caf0f72c", "name": "Copy of DevT-OddTags-Browser-BasedOdditites - (L4ke.Aff3ct.216, 01.18.26)", "description": "Updated based on VT Graph & Tracking Spread of Cybercrime. This Pulse is mostly covering activity in the Province of Alberta Canada. Given recent news, it appears that BC Interior Health and Kelowna RCMP Detachment impacted in addition to Alberta Sectors of Education, Healthcare, and Government (Provincial & Federal - e.g. Treaty 6,7,8 as well as the Canadian CRA heavily impacted). \nEnriched a graph by vt user (L4ke.Aff3ct.216, 01.02.26)\nSubmitted IOCs to Greynoise.io (10.28.25)", "modified": "2026-02-18T05:00:41.494000", "created": "2025-10-28T21:31:40.008000", "tags": [ "kgs0", "kls0", "botname http", "entity", "UAlberta", "Telus", "Norton", "ffss", "Alberta", "AlbertaNDP", "InteriorHealth", "RCMP", "CrimeStoppersAB", "EdmontonPolice", "RCMP Kelowna", "RCMP AB" ], "references": [ "https://www.virustotal.com/graph/embed/g34c2ebfedb6c47c286431a829da992c3744ab3fab0d74008946f3b9bbeb83e23?theme=dark", "https://viz.greynoise.io/ip/analysis/61bb7542-40c2-448e-87d4-947a4623eada" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Netherlands", "Panama", "Poland", "United Kingdom of Great Britain and Northern Ireland", "Slovakia", "Aruba", "Anguilla", "Australia", "Costa Rica", "Guatemala", "Mexico", "Trinidad and Tobago", "Cura\u00e7ao", "Philippines", "Virgin Islands, U.S.", "Ukraine", "Barbados", "Germany", "Sint Maarten (Dutch part)" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Healthcare", "Government", "Technology", "Energy", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3903, "FileHash-SHA1": 4967, "FileHash-SHA256": 12884, "URL": 995, "domain": 984, "hostname": 3305, "email": 4 }, "indicator_count": 27042, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "2fgithub.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "2fgithub.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776638242.9046445 }