{ "type": "SHA1", "indicator": "82eb4b752c60b99b451f7a53b8ac856afe9deb88", "general": { "sections": [ "general", "analysis" ], "type": "sha1", "type_title": "FileHash-SHA1", "indicator": "82eb4b752c60b99b451f7a53b8ac856afe9deb88", "validation": [], "base_indicator": { "id": 4336935471, "indicator": "e5e0e0c0fadacee1105bd340fa1b2e6d", "type": "FileHash-MD5", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "69f3a95eda9a5492f5d1b6f4", "name": "Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia", "description": "A China-aligned threat group designated SHADOW-EARTH-053 has been conducting cyberespionage operations against government entities and critical infrastructure across at least eight countries in South, East, and Southeast Asia, plus one NATO member state, since December 2024. The group exploits unpatched Microsoft Exchange vulnerabilities, particularly the ProxyLogon chain, to gain initial access and deploys GODZILLA web shells for persistence. ShadowPad implants are staged via DLL sideloading of legitimate signed executables. Nearly half of the compromised environments showed overlap with another intrusion set, SHADOW-EARTH-054, sharing identical tooling including Evil-CreateDump and IOX proxy. The attackers conduct extensive Active Directory reconnaissance, credential harvesting, and mailbox exfiltration targeting high-profile government officials and defense contractors. Multiple tunneling tools including GOST and Wstunnel establish covert command-and-control channels, while lateral movement leverages WM...", "modified": "2026-05-30T19:00:26.349000", "created": "2026-04-30T19:11:26.525000", "tags": [ "vshell", "proxylogon exploitation", "godzilla", "exchange server compromise", "ringq", "godzilla webshell", "shadowpad", "noodlerat" ], "references": [ "https://www.trendmicro.com/en_us/research/26/d/inside-shadow-earth-053.html" ], "public": 1, "adversary": "SHADOW-EARTH-053", "targeted_countries": [ "British Indian Ocean Territory", "India", "Malaysia", "Myanmar", "Pakistan", "Poland", "Sri Lanka", "Taiwan", "Thailand" ], "malware_families": [ { "id": "GODZILLA", "display_name": "GODZILLA", "target": null }, { "id": "ShadowPad - S0596", "display_name": "ShadowPad - S0596", "target": null }, { "id": "POISONPLUG.SHADOW", "display_name": "POISONPLUG.SHADOW", "target": null }, { "id": "NOODLERAT", "display_name": "NOODLERAT", "target": null }, { "id": "RingQ", "display_name": "RingQ", "target": null }, { "id": "IOX", "display_name": "IOX", "target": null }, { "id": "VShell", "display_name": "VShell", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1560.001", "name": "Archive via Utility", "display_name": "T1560.001 - Archive via Utility" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" }, { "id": "T1087.002", "name": "Domain Account", "display_name": "T1087.002 - Domain Account" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1003.006", "name": "DCSync", "display_name": "T1003.006 - DCSync" }, { "id": "T1090.001", "name": "Internal Proxy", "display_name": "T1090.001 - Internal Proxy" } ], "industries": [ "Government", "Defense", "Technology", "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 24, "FileHash-SHA256": 36, "IPv4": 2, "domain": 3, "hostname": 18, "CVE": 5 }, "indicator_count": 94, "is_author": false, "is_subscribing": null, "subscriber_count": 386446, "modified_text": "38 minutes ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA1", "related_indicator_is_active": 1 }, { "id": "69f97a64033cedf372cf42a0", "name": "Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia", "description": "", "modified": "2026-05-30T19:00:26.349000", "created": "2026-05-05T05:04:36.248000", "tags": [ "vshell", "proxylogon exploitation", "godzilla", "exchange server compromise", "ringq", "godzilla webshell", "shadowpad", "noodlerat" ], "references": [ "https://www.trendmicro.com/en_us/research/26/d/inside-shadow-earth-053.html" ], "public": 1, "adversary": "SHADOW-EARTH-053", "targeted_countries": [ "British Indian Ocean Territory", "India", "Malaysia", "Myanmar", "Pakistan", "Poland", "Sri Lanka", "Taiwan", "Thailand" ], "malware_families": [ { "id": "GODZILLA", "display_name": "GODZILLA", "target": null }, { "id": "ShadowPad - S0596", "display_name": "ShadowPad - S0596", "target": null }, { "id": "POISONPLUG.SHADOW", "display_name": "POISONPLUG.SHADOW", "target": null }, { "id": "NOODLERAT", "display_name": "NOODLERAT", "target": null }, { "id": "RingQ", "display_name": "RingQ", "target": null }, { "id": "IOX", "display_name": "IOX", "target": null }, { "id": "VShell", "display_name": "VShell", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1560.001", "name": "Archive via Utility", "display_name": "T1560.001 - Archive via Utility" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" }, { "id": "T1087.002", "name": "Domain Account", "display_name": "T1087.002 - Domain Account" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1003.006", "name": "DCSync", "display_name": "T1003.006 - DCSync" }, { "id": "T1090.001", "name": "Internal Proxy", "display_name": "T1090.001 - Internal Proxy" } ], "industries": [ "Government", "Defense", "Technology", "Transportation" ], "TLP": "white", "cloned_from": "69f3a95eda9a5492f5d1b6f4", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 24, "FileHash-SHA256": 40, "domain": 3, "hostname": 18, "CVE": 5 }, "indicator_count": 96, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "38 minutes ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA1", "related_indicator_is_active": 1 }, { "id": "69fbad82234fc33123b0ce6d", "name": "EbeeMay2026 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-06T21:07:14.769000", "created": "2026-05-06T21:07:14.769000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "filepath", "localappdata", "cve20250994 cve", "temp", "mutex", "local" ], "references": [ "IOCs-May1.csv" ], "public": 1, "adversary": "Trigona, PowerCod RAT, APT34, PhantomRaven, Hacked sites deliver infostealer, CloudZ RAT", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 80, "CIDR": 3, "CVE": 10, "FileHash-MD5": 154, "FileHash-SHA1": 140, "FileHash-SHA256": 219, "URL": 80, "domain": 82, "email": 8, "hostname": 60 }, "indicator_count": 836, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "23 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA1", "related_indicator_is_active": 1 }, { "id": "69fae85d3be396349f6fe7a2", "name": "China Aligned Cyberespionage Campaign Targets Governments", "description": "Cybersecurity researchers have identified a China-aligned espionage campaign targeting government and defense organizations across South, East, and Southeast Asia, as well as a European NATO member. The activity cluster, tracked as SHADOW-EARTH-053, has been active since at least late 2024 and shows overlaps with previously known threat groups.\n\nResearchers said the attackers primarily exploit known vulnerabilities in internet-facing Microsoft Exchange and IIS servers, including flaws similar to...", "modified": "2026-05-06T07:06:05.988000", "created": "2026-05-06T07:06:05.988000", "tags": [ "initial-access", "persistence", "privilege-escalation", "exfiltration", "T1190", "T1204", "T1215", "medium", "vta", "threat-intelligence" ], "references": [ "https://www.trendmicro.com/en_us/research/26/d/inside-shadow-earth-053.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CODERED_VTA", "id": "349568", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 5, "FileHash-MD5": 4, "FileHash-SHA1": 4, "IPv4": 4, "FileHash-SHA256": 4, "domain": 1, "hostname": 1 }, "indicator_count": 23, "is_author": false, "is_subscribing": null, "subscriber_count": 59, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA1", "related_indicator_is_active": 1 } ], "references": [ "IOCs-May1.csv", "https://www.trendmicro.com/en_us/research/26/d/inside-shadow-earth-053.html" ], "related": { "alienvault": { "adversary": [ "SHADOW-EARTH-053" ], "malware_families": [ "Iox", "Godzilla", "Poisonplug.shadow", "Noodlerat", "Ringq", "Shadowpad - s0596", "Vshell" ], "industries": [ "Transportation", "Defense", "Government", "Technology" ] }, "other": { "adversary": [ "SHADOW-EARTH-053", "Trigona, PowerCod RAT, APT34, PhantomRaven, Hacked sites deliver infostealer, CloudZ RAT" ], "malware_families": [ "Iox", "Godzilla", "Poisonplug.shadow", "Noodlerat", "Ringq", "Shadowpad - s0596", "Vshell" ], "industries": [ "Transportation", "Defense", "Government", "Technology" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "69f3a95eda9a5492f5d1b6f4", "name": "Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia", "description": "A China-aligned threat group designated SHADOW-EARTH-053 has been conducting cyberespionage operations against government entities and critical infrastructure across at least eight countries in South, East, and Southeast Asia, plus one NATO member state, since December 2024. The group exploits unpatched Microsoft Exchange vulnerabilities, particularly the ProxyLogon chain, to gain initial access and deploys GODZILLA web shells for persistence. ShadowPad implants are staged via DLL sideloading of legitimate signed executables. Nearly half of the compromised environments showed overlap with another intrusion set, SHADOW-EARTH-054, sharing identical tooling including Evil-CreateDump and IOX proxy. The attackers conduct extensive Active Directory reconnaissance, credential harvesting, and mailbox exfiltration targeting high-profile government officials and defense contractors. Multiple tunneling tools including GOST and Wstunnel establish covert command-and-control channels, while lateral movement leverages WM...", "modified": "2026-05-30T19:00:26.349000", "created": "2026-04-30T19:11:26.525000", "tags": [ "vshell", "proxylogon exploitation", "godzilla", "exchange server compromise", "ringq", "godzilla webshell", "shadowpad", "noodlerat" ], "references": [ "https://www.trendmicro.com/en_us/research/26/d/inside-shadow-earth-053.html" ], "public": 1, "adversary": "SHADOW-EARTH-053", "targeted_countries": [ "British Indian Ocean Territory", "India", "Malaysia", "Myanmar", "Pakistan", "Poland", "Sri Lanka", "Taiwan", "Thailand" ], "malware_families": [ { "id": "GODZILLA", "display_name": "GODZILLA", "target": null }, { "id": "ShadowPad - S0596", "display_name": "ShadowPad - S0596", "target": null }, { "id": "POISONPLUG.SHADOW", "display_name": "POISONPLUG.SHADOW", "target": null }, { "id": "NOODLERAT", "display_name": "NOODLERAT", "target": null }, { "id": "RingQ", "display_name": "RingQ", "target": null }, { "id": "IOX", "display_name": "IOX", "target": null }, { "id": "VShell", "display_name": "VShell", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1560.001", "name": "Archive via Utility", "display_name": "T1560.001 - Archive via Utility" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" }, { "id": "T1087.002", "name": "Domain Account", "display_name": "T1087.002 - Domain Account" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1003.006", "name": "DCSync", "display_name": "T1003.006 - DCSync" }, { "id": "T1090.001", "name": "Internal Proxy", "display_name": "T1090.001 - Internal Proxy" } ], "industries": [ "Government", "Defense", "Technology", "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 24, "FileHash-SHA256": 36, "IPv4": 2, "domain": 3, "hostname": 18, "CVE": 5 }, "indicator_count": 94, "is_author": false, "is_subscribing": null, "subscriber_count": 386446, "modified_text": "38 minutes ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA1", "related_indicator_is_active": 1 }, { "id": "69f97a64033cedf372cf42a0", "name": "Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia", "description": "", "modified": "2026-05-30T19:00:26.349000", "created": "2026-05-05T05:04:36.248000", "tags": [ "vshell", "proxylogon exploitation", "godzilla", "exchange server compromise", "ringq", "godzilla webshell", "shadowpad", "noodlerat" ], "references": [ "https://www.trendmicro.com/en_us/research/26/d/inside-shadow-earth-053.html" ], "public": 1, "adversary": "SHADOW-EARTH-053", "targeted_countries": [ "British Indian Ocean Territory", "India", "Malaysia", "Myanmar", "Pakistan", "Poland", "Sri Lanka", "Taiwan", "Thailand" ], "malware_families": [ { "id": "GODZILLA", "display_name": "GODZILLA", "target": null }, { "id": "ShadowPad - S0596", "display_name": "ShadowPad - S0596", "target": null }, { "id": "POISONPLUG.SHADOW", "display_name": "POISONPLUG.SHADOW", "target": null }, { "id": "NOODLERAT", "display_name": "NOODLERAT", "target": null }, { "id": "RingQ", "display_name": "RingQ", "target": null }, { "id": "IOX", "display_name": "IOX", "target": null }, { "id": "VShell", "display_name": "VShell", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1560.001", "name": "Archive via Utility", "display_name": "T1560.001 - Archive via Utility" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" }, { "id": "T1087.002", "name": "Domain Account", "display_name": "T1087.002 - Domain Account" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1003.001", "name": "LSASS Memory", "display_name": "T1003.001 - LSASS Memory" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1114.002", "name": "Remote Email Collection", "display_name": "T1114.002 - Remote Email Collection" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1003.006", "name": "DCSync", "display_name": "T1003.006 - DCSync" }, { "id": "T1090.001", "name": "Internal Proxy", "display_name": "T1090.001 - Internal Proxy" } ], "industries": [ "Government", "Defense", "Technology", "Transportation" ], "TLP": "white", "cloned_from": "69f3a95eda9a5492f5d1b6f4", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 24, "FileHash-SHA256": 40, "domain": 3, "hostname": 18, "CVE": 5 }, "indicator_count": 96, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "38 minutes ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA1", "related_indicator_is_active": 1 }, { "id": "69fbad82234fc33123b0ce6d", "name": "EbeeMay2026 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-06T21:07:14.769000", "created": "2026-05-06T21:07:14.769000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "filepath", "localappdata", "cve20250994 cve", "temp", "mutex", "local" ], "references": [ "IOCs-May1.csv" ], "public": 1, "adversary": "Trigona, PowerCod RAT, APT34, PhantomRaven, Hacked sites deliver infostealer, CloudZ RAT", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 80, "CIDR": 3, "CVE": 10, "FileHash-MD5": 154, "FileHash-SHA1": 140, "FileHash-SHA256": 219, "URL": 80, "domain": 82, "email": 8, "hostname": 60 }, "indicator_count": 836, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "23 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA1", "related_indicator_is_active": 1 }, { "id": "69fae85d3be396349f6fe7a2", "name": "China Aligned Cyberespionage Campaign Targets Governments", "description": "Cybersecurity researchers have identified a China-aligned espionage campaign targeting government and defense organizations across South, East, and Southeast Asia, as well as a European NATO member. The activity cluster, tracked as SHADOW-EARTH-053, has been active since at least late 2024 and shows overlaps with previously known threat groups.\n\nResearchers said the attackers primarily exploit known vulnerabilities in internet-facing Microsoft Exchange and IIS servers, including flaws similar to...", "modified": "2026-05-06T07:06:05.988000", "created": "2026-05-06T07:06:05.988000", "tags": [ "initial-access", "persistence", "privilege-escalation", "exfiltration", "T1190", "T1204", "T1215", "medium", "vta", "threat-intelligence" ], "references": [ "https://www.trendmicro.com/en_us/research/26/d/inside-shadow-earth-053.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CODERED_VTA", "id": "349568", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 5, "FileHash-MD5": 4, "FileHash-SHA1": 4, "IPv4": 4, "FileHash-SHA256": 4, "domain": 1, "hostname": 1 }, "indicator_count": 23, "is_author": false, "is_subscribing": null, "subscriber_count": 59, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA1", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "82eb4b752c60b99b451f7a53b8ac856afe9deb88", "type": "Hash" }, "abuseipdb": null, "urlhaus": null, "from_cache": true, "_cached_at": 1780173737.463595 }