{ "type": "Domain", "indicator": "2pointmarkets.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/2pointmarkets.com", "alexa": "http://www.alexa.com/siteinfo/2pointmarkets.com", "indicator": "2pointmarkets.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4050246727, "indicator": "2pointmarkets.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "67dd406c50b049fa09cf97b4", "name": "The rising threat of social engineering through fake fixes", "description": "ClickFix is an emerging social engineering tactic that manipulates users into executing malicious actions under the guise of troubleshooting or system maintenance. Attackers present fake error messages, CAPTCHA verifications, or system prompts to convince users to take actions that compromise their devices, often by manually copying and pasting malicious commands into the command line. This method bypasses modern security solutions by tricking users into executing commands themselves. Recent campaigns like OBSCURE#BAT and Storm-1865 have targeted various industries and regions. The attack vector has been observed in Field Effect's telemetry, with attempts to deploy AsyncRAT and other malware. Mitigation strategies include restricting command line use, deploying advanced threat detection solutions, enhancing email and web filtering, training users, and maintaining up-to-date security measures.", "modified": "2025-04-20T10:05:35.561000", "created": "2025-03-21T10:33:16.506000", "tags": [ "clickfix", "command line", "captcha", "phishing", "asyncrat", "social engineering", "fake fixes", "powershell" ], "references": [ "https://fieldeffect.com/blog/clickfix-rising-threat-fake-fixes" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Germany", "Virgin Islands, U.S." ], "malware_families": [ { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Hospitality", "Construction" ], "TLP": "white", "cloned_from": null, "export_count": 43, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 2 }, "indicator_count": 3, "is_author": false, "is_subscribing": null, "subscriber_count": 386515, "modified_text": "406 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ef8d571324a271de986299", "name": "Threat Intel Report - W12-2025", "description": "These are weekly base recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks in this week. \n\nSecurity is a continuous process, and it has to be reviewed and audited on a continuous manner through manual or automated tools. \n\nThese details may be used as an additional layer to verify the current security posture of an organization against latest cyber trends.", "modified": "2025-05-04T07:02:31.627000", "created": "2025-04-04T07:42:15.839000", "tags": [ "mozi", "bangladesh", "singapore", "cobaltstrike", "united kingdom", "mozi link", "germany", "france", "china", "turkey", "pink", "indonesia", "clearfake", "ukraine", "panama", "remcos", "asyncrat", "agent tesla", "malware", "date", "snakekeylogger", "masslogger", "mexico", "ransomhub" ], "references": [ "https://urlhaus.abuse.ch/", "https://any.run/malware-trends/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "RansomHub", "display_name": "RansomHub", "target": null } ], "attack_ids": [ { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" } ], "industries": [ "Cryptocurrency" ], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "aa00643640@techmahindra.com", "id": "156540", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 207, "FileHash-MD5": 16, "FileHash-SHA1": 16, "FileHash-SHA256": 19, "CVE": 1, "domain": 43, "hostname": 180 }, "indicator_count": 482, "is_author": false, "is_subscribing": null, "subscriber_count": 106, "modified_text": "392 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://urlhaus.abuse.ch/", "https://fieldeffect.com/blog/clickfix-rising-threat-fake-fixes", "https://any.run/malware-trends/" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Asyncrat" ], "industries": [ "Hospitality", "Construction" ] }, "other": { "adversary": [], "malware_families": [ "Ransomhub" ], "industries": [ "Cryptocurrency" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "67dd406c50b049fa09cf97b4", "name": "The rising threat of social engineering through fake fixes", "description": "ClickFix is an emerging social engineering tactic that manipulates users into executing malicious actions under the guise of troubleshooting or system maintenance. Attackers present fake error messages, CAPTCHA verifications, or system prompts to convince users to take actions that compromise their devices, often by manually copying and pasting malicious commands into the command line. This method bypasses modern security solutions by tricking users into executing commands themselves. Recent campaigns like OBSCURE#BAT and Storm-1865 have targeted various industries and regions. The attack vector has been observed in Field Effect's telemetry, with attempts to deploy AsyncRAT and other malware. Mitigation strategies include restricting command line use, deploying advanced threat detection solutions, enhancing email and web filtering, training users, and maintaining up-to-date security measures.", "modified": "2025-04-20T10:05:35.561000", "created": "2025-03-21T10:33:16.506000", "tags": [ "clickfix", "command line", "captcha", "phishing", "asyncrat", "social engineering", "fake fixes", "powershell" ], "references": [ "https://fieldeffect.com/blog/clickfix-rising-threat-fake-fixes" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Germany", "Virgin Islands, U.S." ], "malware_families": [ { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null } ], "attack_ids": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Hospitality", "Construction" ], "TLP": "white", "cloned_from": null, "export_count": 43, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 1, "domain": 2 }, "indicator_count": 3, "is_author": false, "is_subscribing": null, "subscriber_count": 386515, "modified_text": "406 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67ef8d571324a271de986299", "name": "Threat Intel Report - W12-2025", "description": "These are weekly base recommendations to all IT Administrators and CISOs to take corrective actions to upgrade their security infrastructure against newly identified threats and attacks in this week. \n\nSecurity is a continuous process, and it has to be reviewed and audited on a continuous manner through manual or automated tools. \n\nThese details may be used as an additional layer to verify the current security posture of an organization against latest cyber trends.", "modified": "2025-05-04T07:02:31.627000", "created": "2025-04-04T07:42:15.839000", "tags": [ "mozi", "bangladesh", "singapore", "cobaltstrike", "united kingdom", "mozi link", "germany", "france", "china", "turkey", "pink", "indonesia", "clearfake", "ukraine", "panama", "remcos", "asyncrat", "agent tesla", "malware", "date", "snakekeylogger", "masslogger", "mexico", "ransomhub" ], "references": [ "https://urlhaus.abuse.ch/", "https://any.run/malware-trends/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "RansomHub", "display_name": "RansomHub", "target": null } ], "attack_ids": [ { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" } ], "industries": [ "Cryptocurrency" ], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "aa00643640@techmahindra.com", "id": "156540", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 207, "FileHash-MD5": 16, "FileHash-SHA1": 16, "FileHash-SHA256": 19, "CVE": 1, "domain": 43, "hostname": 180 }, "indicator_count": 482, "is_author": false, "is_subscribing": null, "subscriber_count": 106, "modified_text": "392 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "2pointmarkets.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "2pointmarkets.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780227178.9052181 }