{
  "type": "SHA256",
  "indicator": "51e713c7247f978f5836133dd0b8f9fb229e6594763adda59951556e1df5ee57",
  "general": {
    "sections": [
      "general",
      "analysis"
    ],
    "type": "sha256",
    "type_title": "FileHash-SHA256",
    "indicator": "51e713c7247f978f5836133dd0b8f9fb229e6594763adda59951556e1df5ee57",
    "validation": [],
    "base_indicator": {
      "id": 30285380,
      "indicator": "51e713c7247f978f5836133dd0b8f9fb229e6594763adda59951556e1df5ee57",
      "type": "FileHash-SHA256",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 4,
      "pulses": [
        {
          "id": "55afcff3b45ff57d4094e6b3",
          "name": "Duke APT group's latest tools: cloud services and Linux support",
          "description": "Recent weeks have seen the outing of two new additions to the Duke group's toolset, SeaDuke and CloudDuke. Of these, SeaDuke is a simple trojan made interesting by the fact that it's written in Python. And even more curiously, SeaDuke, with its built-in support for both Windows and Linux, is the first cross-platform malware we have observed from the Duke group. While SeaDuke is a single - albeit cross-platform - trojan, CloudDuke appears to be an entire toolset of malware components, or \"solutions\" as the Duke group apparently calls them. These components include a unique loader, downloader, and not one but two different trojan components. CloudDuke also greatly expands on the Duke group's usage of cloud storage services, specifically Microsoft's OneDrive, as a channel for both command and control as well as the exfiltration of stolen data. Finally, some of the recent CloudDuke spear-phishing campaigns have borne a striking resemblance to CozyDuke spear-phishing campaigns from a year ago.",
          "modified": "2017-07-24T11:16:43.608000",
          "created": "2015-07-22T17:16:35.665000",
          "tags": [
            "cloudduke",
            "duke",
            "onedrive",
            "seaduke",
            "cozyduke",
            "minidionis",
            "trojan",
            "f-secure"
          ],
          "references": [
            "https://www.f-secure.com/weblog/archives/00002822.html"
          ],
          "public": 1,
          "adversary": "APT 29",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 54,
          "upvotes_count": 2.0,
          "downvotes_count": 0.0,
          "votes_count": 2.0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 7,
            "FileHash-SHA1": 18,
            "YARA": 6,
            "FileHash-SHA256": 13
          },
          "indicator_count": 44,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386516,
          "modified_text": "3232 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-SHA256",
          "related_indicator_is_active": 1
        },
        {
          "id": "63456c2a30b92337ea1670e0",
          "name": "IOC Records Provided by @NextRayAI",
          "description": "This IOC report is provided and updated daily by NextRay AI Detection & Response Inc.",
          "modified": "2026-05-30T00:28:12.957000",
          "created": "2022-10-11T13:14:18.676000",
          "tags": [
            "Nextray",
            "cyber security",
            "ioc",
            "phishing",
            "malicious"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Turkey",
            "Ukraine",
            "Romania",
            "Czechia",
            "United Kingdom of Great Britain and Northern Ireland",
            "Norway",
            "Lithuania",
            "Estonia",
            "Latvia",
            "Poland",
            "Germany",
            "Canada",
            "France",
            "Denmark"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Defense",
            "Industrial",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1330,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "NextRay-AI",
            "id": "210822",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_210822/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 498917,
            "IPv4": 58066,
            "IPv6": 459,
            "hostname": 59385,
            "URL": 166783,
            "CIDR": 5266,
            "FileHash-MD5": 29699,
            "FileHash-SHA256": 50449,
            "CVE": 348,
            "email": 914,
            "Mutex": 49,
            "FileHash-SHA1": 3453,
            "FilePath": 34
          },
          "indicator_count": 873822,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 300,
          "modified_text": "19 hours ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-SHA256",
          "related_indicator_is_active": 1
        },
        {
          "id": "65707cfd7deec618b32401ae",
          "name": "yarex_APTMalware",
          "description": "",
          "modified": "2023-12-06T13:54:05.062000",
          "created": "2023-12-06T13:54:05.062000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1429,
            "FileHash-MD5": 3594,
            "FileHash-SHA1": 1430,
            "hostname": 48,
            "URL": 146,
            "domain": 85,
            "YARA": 965,
            "email": 2
          },
          "indicator_count": 7699,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 109,
          "modified_text": "906 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-SHA256",
          "related_indicator_is_active": 1
        },
        {
          "id": "61ebb686fb654ea04bf28cd4",
          "name": "yarex_APTMalware",
          "description": "yarex/APTMalware\n\nhttps://github.com/resteex0/yarex",
          "modified": "2022-04-27T00:03:12.448000",
          "created": "2022-01-22T07:47:18.162000",
          "tags": [
            "clsid",
            "quvtohr",
            "yara rule",
            "set author",
            "identifier",
            "aptmalwareapt28",
            "rule",
            "nblockuse",
            "start",
            "dbcsbuffer",
            "nbsp",
            "name",
            "ithesaurusword",
            "namespace3http",
            "wdcecfchgigjg",
            "address",
            "aptmalwareapt21",
            "ainfbf",
            "dekmcugcl",
            "dltuntu",
            "edbfa",
            "zyxzedbfa",
            "path",
            "newwindow",
            "aptmalwareapt1",
            "j5feq1a",
            "yljl8wk29gvu",
            "assoc",
            "aptmalwareapt29",
            "b8b4b0b",
            "closehandle",
            "matchlen",
            "finishmsg",
            "feedback",
            "error",
            "cimagemanager",
            "getimage",
            "ccmdtarget",
            "getdata",
            "p6gpav2",
            "getruntimeclass",
            "aptmalwareapt19",
            "enpi",
            "vmrqs",
            "mmnmbivesahl",
            "dvirev",
            "failed",
            "ctrll",
            "lookup",
            "ctrlshiftr",
            "ascii ctrla",
            "rule set",
            "vgkjbmcqvepmkjw",
            "ihjw9",
            "shellmainthread",
            "initfirst",
            "filesexcalibur",
            "filemg1",
            "entry",
            "socket",
            "concurrency",
            "shell",
            "aptmalwareapt30",
            "okbps",
            "plcqtobyjf"
          ],
          "references": [
            "APT 30.yar",
            "Equation Group.yar",
            "Winnti.yar",
            "Energetic Bear.yar",
            "Dark Hotel.yar",
            "APT 19.yar",
            "APT 10.yar",
            "APT 29.yar",
            "APT 1.yar",
            "APT 21.yar",
            "Gorgon Group.yar",
            "APT 28.yar"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "resteex0",
            "id": "175858",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 3594,
            "FileHash-SHA1": 1430,
            "FileHash-SHA256": 1429,
            "YARA": 979,
            "URL": 146,
            "domain": 85,
            "hostname": 48,
            "email": 2
          },
          "indicator_count": 7713,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 74,
          "modified_text": "1494 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-SHA256",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "Gorgon Group.yar",
        "APT 28.yar",
        "APT 29.yar",
        "Winnti.yar",
        "APT 21.yar",
        "APT 1.yar",
        "https://www.f-secure.com/weblog/archives/00002822.html",
        "APT 19.yar",
        "Energetic Bear.yar",
        "APT 30.yar",
        "APT 10.yar",
        "Equation Group.yar",
        "Dark Hotel.yar"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "APT 29"
          ],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": [
            "Government",
            "Industrial",
            "Defense"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 4,
  "pulses": [
    {
      "id": "55afcff3b45ff57d4094e6b3",
      "name": "Duke APT group's latest tools: cloud services and Linux support",
      "description": "Recent weeks have seen the outing of two new additions to the Duke group's toolset, SeaDuke and CloudDuke. Of these, SeaDuke is a simple trojan made interesting by the fact that it's written in Python. And even more curiously, SeaDuke, with its built-in support for both Windows and Linux, is the first cross-platform malware we have observed from the Duke group. While SeaDuke is a single - albeit cross-platform - trojan, CloudDuke appears to be an entire toolset of malware components, or \"solutions\" as the Duke group apparently calls them. These components include a unique loader, downloader, and not one but two different trojan components. CloudDuke also greatly expands on the Duke group's usage of cloud storage services, specifically Microsoft's OneDrive, as a channel for both command and control as well as the exfiltration of stolen data. Finally, some of the recent CloudDuke spear-phishing campaigns have borne a striking resemblance to CozyDuke spear-phishing campaigns from a year ago.",
      "modified": "2017-07-24T11:16:43.608000",
      "created": "2015-07-22T17:16:35.665000",
      "tags": [
        "cloudduke",
        "duke",
        "onedrive",
        "seaduke",
        "cozyduke",
        "minidionis",
        "trojan",
        "f-secure"
      ],
      "references": [
        "https://www.f-secure.com/weblog/archives/00002822.html"
      ],
      "public": 1,
      "adversary": "APT 29",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 54,
      "upvotes_count": 2.0,
      "downvotes_count": 0.0,
      "votes_count": 2.0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 7,
        "FileHash-SHA1": 18,
        "YARA": 6,
        "FileHash-SHA256": 13
      },
      "indicator_count": 44,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386516,
      "modified_text": "3232 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-SHA256",
      "related_indicator_is_active": 1
    },
    {
      "id": "63456c2a30b92337ea1670e0",
      "name": "IOC Records Provided by @NextRayAI",
      "description": "This IOC report is provided and updated daily by NextRay AI Detection & Response Inc.",
      "modified": "2026-05-30T00:28:12.957000",
      "created": "2022-10-11T13:14:18.676000",
      "tags": [
        "Nextray",
        "cyber security",
        "ioc",
        "phishing",
        "malicious"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Turkey",
        "Ukraine",
        "Romania",
        "Czechia",
        "United Kingdom of Great Britain and Northern Ireland",
        "Norway",
        "Lithuania",
        "Estonia",
        "Latvia",
        "Poland",
        "Germany",
        "Canada",
        "France",
        "Denmark"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Defense",
        "Industrial",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1330,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "NextRay-AI",
        "id": "210822",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_210822/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 498917,
        "IPv4": 58066,
        "IPv6": 459,
        "hostname": 59385,
        "URL": 166783,
        "CIDR": 5266,
        "FileHash-MD5": 29699,
        "FileHash-SHA256": 50449,
        "CVE": 348,
        "email": 914,
        "Mutex": 49,
        "FileHash-SHA1": 3453,
        "FilePath": 34
      },
      "indicator_count": 873822,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 300,
      "modified_text": "19 hours ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-SHA256",
      "related_indicator_is_active": 1
    },
    {
      "id": "65707cfd7deec618b32401ae",
      "name": "yarex_APTMalware",
      "description": "",
      "modified": "2023-12-06T13:54:05.062000",
      "created": "2023-12-06T13:54:05.062000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "StreamMiningEx",
        "id": "262917",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 1429,
        "FileHash-MD5": 3594,
        "FileHash-SHA1": 1430,
        "hostname": 48,
        "URL": 146,
        "domain": 85,
        "YARA": 965,
        "email": 2
      },
      "indicator_count": 7699,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 109,
      "modified_text": "906 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-SHA256",
      "related_indicator_is_active": 1
    },
    {
      "id": "61ebb686fb654ea04bf28cd4",
      "name": "yarex_APTMalware",
      "description": "yarex/APTMalware\n\nhttps://github.com/resteex0/yarex",
      "modified": "2022-04-27T00:03:12.448000",
      "created": "2022-01-22T07:47:18.162000",
      "tags": [
        "clsid",
        "quvtohr",
        "yara rule",
        "set author",
        "identifier",
        "aptmalwareapt28",
        "rule",
        "nblockuse",
        "start",
        "dbcsbuffer",
        "nbsp",
        "name",
        "ithesaurusword",
        "namespace3http",
        "wdcecfchgigjg",
        "address",
        "aptmalwareapt21",
        "ainfbf",
        "dekmcugcl",
        "dltuntu",
        "edbfa",
        "zyxzedbfa",
        "path",
        "newwindow",
        "aptmalwareapt1",
        "j5feq1a",
        "yljl8wk29gvu",
        "assoc",
        "aptmalwareapt29",
        "b8b4b0b",
        "closehandle",
        "matchlen",
        "finishmsg",
        "feedback",
        "error",
        "cimagemanager",
        "getimage",
        "ccmdtarget",
        "getdata",
        "p6gpav2",
        "getruntimeclass",
        "aptmalwareapt19",
        "enpi",
        "vmrqs",
        "mmnmbivesahl",
        "dvirev",
        "failed",
        "ctrll",
        "lookup",
        "ctrlshiftr",
        "ascii ctrla",
        "rule set",
        "vgkjbmcqvepmkjw",
        "ihjw9",
        "shellmainthread",
        "initfirst",
        "filesexcalibur",
        "filemg1",
        "entry",
        "socket",
        "concurrency",
        "shell",
        "aptmalwareapt30",
        "okbps",
        "plcqtobyjf"
      ],
      "references": [
        "APT 30.yar",
        "Equation Group.yar",
        "Winnti.yar",
        "Energetic Bear.yar",
        "Dark Hotel.yar",
        "APT 19.yar",
        "APT 10.yar",
        "APT 29.yar",
        "APT 1.yar",
        "APT 21.yar",
        "Gorgon Group.yar",
        "APT 28.yar"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "resteex0",
        "id": "175858",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 3594,
        "FileHash-SHA1": 1430,
        "FileHash-SHA256": 1429,
        "YARA": 979,
        "URL": 146,
        "domain": 85,
        "hostname": 48,
        "email": 2
      },
      "indicator_count": 7713,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 74,
      "modified_text": "1494 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-SHA256",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "51e713c7247f978f5836133dd0b8f9fb229e6594763adda59951556e1df5ee57",
    "type": "Hash"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "51e713c7247f978f5836133dd0b8f9fb229e6594763adda59951556e1df5ee57",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780170635.366704
}