{ "type": "IPv4", "indicator": "86.48.5.53", "general": { "whois": "http://whois.domaintools.com/86.48.5.53", "reputation": 0, "indicator": "86.48.5.53", "type": "IPv4", "type_title": "IPv4", "base_indicator": { "id": 4175708914, "indicator": "86.48.5.53", "type": "IPv4", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 50, "pulses": [ { "id": "69660dd555de5ae495bed8ea", "name": "ThreatFix_IP", "description": "ThreatFix is an effort to publish various details about ransomware variants and ransomware threat actors. ThreatFix advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.", "modified": "2026-02-25T10:01:35.579000", "created": "2026-01-13T09:18:11.474000", "tags": [ "LummaStealer, RedLine,..." ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "zlepos384", "id": "103244", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 19 }, "indicator_count": 19, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "52 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696e547b54275ed3d44dff3e", "name": "ThreatFox Hunt: Sliver IOCs - 2026-01-19", "description": "Automated ThreatFox hunt for Sliver indicators. 18 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1059.001, T1055, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-02-18T15:04:13.869000", "created": "2026-01-19T15:57:47.137000", "tags": [ "sliver", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "apt29", "russia" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Sliver", "display_name": "Sliver", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "59 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696de936053728961a21ebad", "name": "OSINT Volley 2026-01-19 - AsyncRAT/Unknown malware/Stealc", "description": "Automated OSINT sweep from ThreatFox. Top malware: AsyncRAT(26), Unknown malware(21), Stealc(17), Sliver(14), Meterpreter(12). Source: abuse.ch ThreatFox API. SSL enriched: 22 IPs with HTTPS, 6 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-18T08:03:49.499000", "created": "2026-01-19T08:20:06.523000", "tags": [ "osint-volley", "threatfox", "automated", "asyncrat", "unknown-malware", "stealc", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 14, "hostname": 33, "domain": 15 }, "indicator_count": 62, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "59 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696ddb257e3d8cf3de56eed7", "name": "OSINT Volley 2026-01-19 - Unknown malware/AsyncRAT/Stealc", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(58), AsyncRAT(26), Stealc(19), Sliver(14), Meterpreter(11). Source: abuse.ch ThreatFox API. SSL enriched: 21 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-18T07:01:37.929000", "created": "2026-01-19T07:20:05.689000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "asyncrat", "stealc", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 48, "hostname": 33, "domain": 15 }, "indicator_count": 96, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "59 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696dd41d5a09d3493fe61617", "name": "OSINT Volley 2026-01-19 - Unknown malware/AsyncRAT/Stealc", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(66), AsyncRAT(26), Stealc(19), Sliver(14), Meterpreter(11). Source: abuse.ch ThreatFox API. SSL enriched: 21 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-18T06:01:23.076000", "created": "2026-01-19T06:50:05.286000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "asyncrat", "stealc", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 34, "URL": 39, "domain": 23 }, "indicator_count": 96, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "59 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696dcd177c5f27154bb6d32e", "name": "OSINT Volley 2026-01-19 - Unknown malware/AsyncRAT/Stealc", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(66), AsyncRAT(26), Stealc(19), Sliver(14), Meterpreter(11). Source: abuse.ch ThreatFox API. SSL enriched: 21 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-18T06:01:23.076000", "created": "2026-01-19T06:20:07.551000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "asyncrat", "stealc", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 34, "URL": 40, "domain": 23 }, "indicator_count": 97, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "59 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696dc60d45bf130fd9bd10c2", "name": "OSINT Volley 2026-01-19 - Unknown malware/AsyncRAT/Stealc", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(66), AsyncRAT(29), Stealc(20), Sliver(14), Meterpreter(11). Source: abuse.ch ThreatFox API. SSL enriched: 21 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-18T05:00:41.494000", "created": "2026-01-19T05:50:05.400000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "asyncrat", "stealc", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 34, "URL": 40, "domain": 23 }, "indicator_count": 97, "is_author": false, "is_subscribing": null, "subscriber_count": 170, "modified_text": "59 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696dbf051d90ad625ecba345", "name": "OSINT Volley 2026-01-19 - Unknown malware/AsyncRAT/Stealc", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(66), AsyncRAT(27), Stealc(20), Sliver(14), Meterpreter(11). Source: abuse.ch ThreatFox API. SSL enriched: 21 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-18T05:00:41.494000", "created": "2026-01-19T05:20:05.098000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "asyncrat", "stealc", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 32, "URL": 42, "domain": 23 }, "indicator_count": 97, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "59 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696db8074f437e4a32b0bb46", "name": "OSINT Volley 2026-01-19 - Unknown malware/AsyncRAT/Stealc", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(66), AsyncRAT(27), Stealc(20), Sliver(14), Meterpreter(11). Source: abuse.ch ThreatFox API. SSL enriched: 21 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-18T04:02:22.696000", "created": "2026-01-19T04:50:15.109000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "asyncrat", "stealc", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 32, "URL": 43, "domain": 23 }, "indicator_count": 98, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "59 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696da9eddda5a86400b675dd", "name": "OSINT Volley 2026-01-19 - Unknown malware/AsyncRAT/Stealc", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(67), AsyncRAT(28), Stealc(21), Sliver(15), Meterpreter(13). Source: abuse.ch ThreatFox API. SSL enriched: 24 IPs with HTTPS, 6 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-18T03:04:03.277000", "created": "2026-01-19T03:50:05.093000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "asyncrat", "stealc", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 48, "domain": 23, "hostname": 31 }, "indicator_count": 102, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "59 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696da2e43bac36fa416b64d2", "name": "OSINT Volley 2026-01-19 - Unknown malware/AsyncRAT/Stealc", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(67), AsyncRAT(28), Stealc(21), Sliver(15), Meterpreter(13). Source: abuse.ch ThreatFox API. SSL enriched: 24 IPs with HTTPS, 6 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-18T03:04:03.277000", "created": "2026-01-19T03:20:04.706000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "asyncrat", "stealc", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 48, "domain": 23, "hostname": 31 }, "indicator_count": 102, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "59 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696d94d32f5e38ea2602b7e0", "name": "OSINT Volley 2026-01-19 - Unknown malware/AsyncRAT/Stealc", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(67), AsyncRAT(28), Stealc(21), Sliver(15), Meterpreter(13). Source: abuse.ch ThreatFox API. SSL enriched: 24 IPs with HTTPS, 6 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-18T02:05:52.546000", "created": "2026-01-19T02:20:03.962000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "asyncrat", "stealc", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 48, "domain": 23, "hostname": 31 }, "indicator_count": 102, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "59 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696d86c2544849ab66095ce6", "name": "OSINT Volley 2026-01-19 - Unknown malware/AsyncRAT/Stealc", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(66), AsyncRAT(28), Stealc(21), Sliver(15), Meterpreter(13). Source: abuse.ch ThreatFox API. SSL enriched: 24 IPs with HTTPS, 6 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-18T01:00:30.352000", "created": "2026-01-19T01:20:02.114000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "asyncrat", "stealc", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 23, "URL": 48, "hostname": 31 }, "indicator_count": 102, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696d8dccd5ab29ffa046839c", "name": "OSINT Volley 2026-01-19 - Unknown malware/AsyncRAT/Stealc", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(67), AsyncRAT(28), Stealc(21), Sliver(15), Meterpreter(13). Source: abuse.ch ThreatFox API. SSL enriched: 24 IPs with HTTPS, 6 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-18T01:00:30.352000", "created": "2026-01-19T01:50:04.923000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "asyncrat", "stealc", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 49, "domain": 23, "hostname": 31 }, "indicator_count": 103, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696d7fbb83b7455b14db1f05", "name": "OSINT Volley 2026-01-19 - Unknown malware/AsyncRAT/Stealc", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(66), AsyncRAT(28), Stealc(21), Sliver(15), Meterpreter(13). Source: abuse.ch ThreatFox API. SSL enriched: 25 IPs with HTTPS, 6 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-18T00:00:14.740000", "created": "2026-01-19T00:50:03.365000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "asyncrat", "stealc", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 23, "URL": 48, "hostname": 31 }, "indicator_count": 102, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696d78b3a8cdbe3f2dd87d0a", "name": "OSINT Volley 2026-01-19 - Unknown malware/AsyncRAT/Stealc", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(66), AsyncRAT(28), Stealc(21), Sliver(15), Meterpreter(13). Source: abuse.ch ThreatFox API. SSL enriched: 25 IPs with HTTPS, 6 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-18T00:00:14.740000", "created": "2026-01-19T00:20:03.442000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "asyncrat", "stealc", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 23, "URL": 48, "hostname": 31 }, "indicator_count": 102, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696d71addbf74f3a1dfba5c5", "name": "OSINT Volley 2026-01-18 - Unknown malware/AsyncRAT/Stealc", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(65), AsyncRAT(29), Stealc(21), Sliver(15), Meterpreter(12). Source: abuse.ch ThreatFox API. SSL enriched: 25 IPs with HTTPS, 7 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-17T23:01:58.369000", "created": "2026-01-18T23:50:05.262000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "asyncrat", "stealc", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 23, "URL": 51, "hostname": 31 }, "indicator_count": 105, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696d6aa5fc0e1e0c6508b7fb", "name": "OSINT Volley 2026-01-18 - Unknown malware/AsyncRAT/Stealc", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(65), AsyncRAT(29), Stealc(21), Sliver(15), Meterpreter(12). Source: abuse.ch ThreatFox API. SSL enriched: 25 IPs with HTTPS, 7 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-17T23:01:58.369000", "created": "2026-01-18T23:20:05.132000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "asyncrat", "stealc", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 23, "URL": 51, "hostname": 31 }, "indicator_count": 105, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696d639d07b50cd36979f78d", "name": "OSINT Volley 2026-01-18 - Unknown malware/AsyncRAT/Sliver", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(72), AsyncRAT(28), Sliver(13), Meterpreter(12), ClearFake(10). Source: abuse.ch ThreatFox API. SSL enriched: 27 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-17T22:00:44.588000", "created": "2026-01-18T22:50:05.467000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "asyncrat", "sliver", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 26, "URL": 56, "hostname": 34 }, "indicator_count": 116, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696d5c9281735684b2c157ee", "name": "OSINT Volley 2026-01-18 - Unknown malware/AsyncRAT/Sliver", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(72), AsyncRAT(27), Sliver(13), Meterpreter(12), ClearFake(10). Source: abuse.ch ThreatFox API. SSL enriched: 27 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-17T22:00:44.588000", "created": "2026-01-18T22:20:02.035000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "asyncrat", "sliver", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 56, "hostname": 34, "domain": 25 }, "indicator_count": 115, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696d558ce35533f864336be4", "name": "OSINT Volley 2026-01-18 - Unknown malware/AsyncRAT/ClearFake", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(72), AsyncRAT(27), ClearFake(13), Sliver(13), Meterpreter(12). Source: abuse.ch ThreatFox API. SSL enriched: 27 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-17T21:03:13.939000", "created": "2026-01-18T21:50:04.683000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "asyncrat", "clearfake", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 56, "hostname": 34, "domain": 25 }, "indicator_count": 115, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696d4e82b4049990c9fb5989", "name": "OSINT Volley 2026-01-18 - Unknown malware/AsyncRAT/Sliver", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(72), AsyncRAT(27), Sliver(13), ClearFake(12), Meterpreter(12). Source: abuse.ch ThreatFox API. SSL enriched: 27 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-17T21:03:13.939000", "created": "2026-01-18T21:20:01.998000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "asyncrat", "sliver", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 34, "URL": 55, "domain": 25 }, "indicator_count": 114, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696d477c5d69dc7d98a195a6", "name": "OSINT Volley 2026-01-18 - Unknown malware/AsyncRAT/ClearFake", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(71), AsyncRAT(27), ClearFake(13), Sliver(13), Meterpreter(12). Source: abuse.ch ThreatFox API. SSL enriched: 28 IPs with HTTPS, 6 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-17T20:05:30.405000", "created": "2026-01-18T20:50:04.948000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "asyncrat", "clearfake", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 33, "domain": 24, "URL": 54 }, "indicator_count": 111, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696d40727170c3522647357e", "name": "OSINT Volley 2026-01-18 - Unknown malware/AsyncRAT/ClearFake", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(71), AsyncRAT(19), ClearFake(13), Sliver(13), Meterpreter(12). Source: abuse.ch ThreatFox API. SSL enriched: 28 IPs with HTTPS, 6 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-17T20:05:30.405000", "created": "2026-01-18T20:20:02.502000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "asyncrat", "clearfake", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 22, "URL": 54, "hostname": 27 }, "indicator_count": 103, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696d396e14c82f56a8c17363", "name": "OSINT Volley 2026-01-18 - Unknown malware/AsyncRAT/Meterpreter", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(72), AsyncRAT(20), Meterpreter(15), Sliver(15), ClearFake(13). Source: abuse.ch ThreatFox API. SSL enriched: 32 IPs with HTTPS, 8 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-17T19:01:38.717000", "created": "2026-01-18T19:50:06.500000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "asyncrat", "meterpreter", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 22, "URL": 54, "hostname": 27 }, "indicator_count": 103, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696d326200b9cddc4bcb3a2d", "name": "OSINT Volley 2026-01-18 - Unknown malware/AsyncRAT/Meterpreter", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(64), AsyncRAT(19), Meterpreter(15), Sliver(15), ClearFake(13). Source: abuse.ch ThreatFox API. SSL enriched: 32 IPs with HTTPS, 8 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-17T19:01:38.717000", "created": "2026-01-18T19:20:02.234000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "asyncrat", "meterpreter", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 58, "hostname": 30, "domain": 13 }, "indicator_count": 101, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696d2b5fc01ccc498a1e783b", "name": "OSINT Volley 2026-01-18 - Unknown malware/AsyncRAT/Meterpreter", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(64), AsyncRAT(19), Meterpreter(15), Sliver(15), ClearFake(12). Source: abuse.ch ThreatFox API. SSL enriched: 32 IPs with HTTPS, 8 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-17T18:02:14.336000", "created": "2026-01-18T18:50:06.989000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "asyncrat", "meterpreter", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "ClearFake", "display_name": "ClearFake", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 58, "domain": 12, "hostname": 28 }, "indicator_count": 98, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696d2452cf56aa9c964f9adb", "name": "OSINT Volley 2026-01-18 - Unknown malware/AsyncRAT/DeimosC2", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(63), AsyncRAT(20), DeimosC2(16), Meterpreter(15), Sliver(15). Source: abuse.ch ThreatFox API. SSL enriched: 39 IPs with HTTPS, 8 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-17T18:02:14.336000", "created": "2026-01-18T18:20:02.477000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "asyncrat", "deimosc2", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "DeimosC2", "display_name": "DeimosC2", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 28, "URL": 58, "domain": 12 }, "indicator_count": 98, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696d1d4d0ecae4ac9ff09385", "name": "OSINT Volley 2026-01-18 - Unknown malware/AsyncRAT/DeimosC2", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(63), AsyncRAT(41), DeimosC2(16), Meterpreter(15), Sliver(15). Source: abuse.ch ThreatFox API. SSL enriched: 39 IPs with HTTPS, 8 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-17T17:04:53.743000", "created": "2026-01-18T17:50:05.425000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "asyncrat", "deimosc2", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "DeimosC2", "display_name": "DeimosC2", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 58, "domain": 12, "hostname": 18 }, "indicator_count": 88, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696d1642c887f528784b50fa", "name": "OSINT Volley 2026-01-18 - Unknown Stealer/Unknown malware/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(78), Unknown malware(63), AsyncRAT(41), DeimosC2(16), Meterpreter(15). Source: abuse.ch ThreatFox API. SSL enriched: 39 IPs with HTTPS, 8 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-17T17:04:53.743000", "created": "2026-01-18T17:20:02.883000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "DeimosC2", "display_name": "DeimosC2", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 58, "domain": 12, "hostname": 18 }, "indicator_count": 88, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696d08ab252a59efcc06663c", "name": "OSINT Volley 2026-01-18 - Unknown Stealer/Unknown malware/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(163), Unknown malware(63), AsyncRAT(41), DeimosC2(16), Meterpreter(15). Source: abuse.ch ThreatFox API. SSL enriched: 39 IPs with HTTPS, 8 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-17T16:05:41.951000", "created": "2026-01-18T16:22:03.508000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "DeimosC2", "display_name": "DeimosC2", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 12, "URL": 57, "hostname": 18 }, "indicator_count": 87, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696d08450f70d60ff21d43a4", "name": "OSINT Volley 2026-01-18 - Unknown Stealer/Unknown malware/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(163), Unknown malware(66), AsyncRAT(41), DeimosC2(16), Meterpreter(15). Source: abuse.ch ThreatFox API. SSL enriched: 39 IPs with HTTPS, 8 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-17T16:05:41.951000", "created": "2026-01-18T16:20:21.567000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "DeimosC2", "display_name": "DeimosC2", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 12, "URL": 57, "hostname": 18 }, "indicator_count": 87, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696d07880c32d8fd08e17a20", "name": "ThreatFox Hunt: Sliver IOCs - 2026-01-18", "description": "Automated ThreatFox hunt for Sliver indicators. 17 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1059.001, T1055, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-02-17T16:05:41.951000", "created": "2026-01-18T16:17:12.721000", "tags": [ "sliver", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "apt29", "russia" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Sliver", "display_name": "Sliver", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696d012d5b43afff4371bf79", "name": "OSINT Volley 2026-01-18 - Unknown Stealer/Unknown malware/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(163), Unknown malware(65), AsyncRAT(42), Sliver(16), DeimosC2(16). Source: abuse.ch ThreatFox API. SSL enriched: 36 IPs with HTTPS, 10 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-17T15:00:32.904000", "created": "2026-01-18T15:50:04.997000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "DeimosC2", "display_name": "DeimosC2", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 12, "URL": 57, "hostname": 19 }, "indicator_count": 88, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696cf31da0c984ee735e9260", "name": "OSINT Volley 2026-01-18 - Unknown Stealer/Unknown malware/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(163), Unknown malware(65), AsyncRAT(44), Sliver(16), DeimosC2(16). Source: abuse.ch ThreatFox API. SSL enriched: 36 IPs with HTTPS, 10 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-17T14:00:56.434000", "created": "2026-01-18T14:50:05.312000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "DeimosC2", "display_name": "DeimosC2", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 12, "URL": 57, "hostname": 19 }, "indicator_count": 88, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696cec14d63066499ebae303", "name": "OSINT Volley 2026-01-18 - Unknown Stealer/Unknown malware/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(162), Unknown malware(64), AsyncRAT(44), Sliver(16), DeimosC2(16). Source: abuse.ch ThreatFox API. SSL enriched: 36 IPs with HTTPS, 10 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-17T14:00:56.434000", "created": "2026-01-18T14:20:04.130000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "DeimosC2", "display_name": "DeimosC2", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 11, "URL": 56, "hostname": 20 }, "indicator_count": 87, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696ce50dc3103b887be302cc", "name": "OSINT Volley 2026-01-18 - Unknown Stealer/Unknown malware/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(162), Unknown malware(64), AsyncRAT(44), Sliver(16), DeimosC2(16). Source: abuse.ch ThreatFox API. SSL enriched: 36 IPs with HTTPS, 10 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-17T13:03:54.421000", "created": "2026-01-18T13:50:05.770000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "DeimosC2", "display_name": "DeimosC2", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 10, "URL": 57, "hostname": 20 }, "indicator_count": 87, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696cde0450b8a1d8be2b8084", "name": "OSINT Volley 2026-01-18 - Unknown Stealer/Unknown malware/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(162), Unknown malware(64), AsyncRAT(44), Sliver(16), DeimosC2(16). Source: abuse.ch ThreatFox API. SSL enriched: 36 IPs with HTTPS, 10 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-17T13:03:54.421000", "created": "2026-01-18T13:20:04.793000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "DeimosC2", "display_name": "DeimosC2", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 10, "URL": 57, "hostname": 20 }, "indicator_count": 87, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696ccff355b44e6b39430092", "name": "OSINT Volley 2026-01-18 - Unknown Stealer/Unknown malware/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(162), Unknown malware(64), AsyncRAT(44), Sliver(16), DeimosC2(16). Source: abuse.ch ThreatFox API. SSL enriched: 35 IPs with HTTPS, 10 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-17T12:03:40.041000", "created": "2026-01-18T12:20:03.763000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "DeimosC2", "display_name": "DeimosC2", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 56, "hostname": 24, "domain": 8 }, "indicator_count": 88, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696cd6fd27ab03cd7b7a985a", "name": "OSINT Volley 2026-01-18 - Unknown Stealer/Unknown malware/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(162), Unknown malware(64), AsyncRAT(44), Sliver(16), DeimosC2(16). Source: abuse.ch ThreatFox API. SSL enriched: 35 IPs with HTTPS, 10 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-17T12:03:40.041000", "created": "2026-01-18T12:50:05.337000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "DeimosC2", "display_name": "DeimosC2", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 57, "hostname": 24, "domain": 7 }, "indicator_count": 88, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696cc8ecd6eb769f81b8732d", "name": "OSINT Volley 2026-01-18 - Unknown Stealer/Unknown malware/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(162), Unknown malware(64), AsyncRAT(45), Sliver(16), DeimosC2(16). Source: abuse.ch ThreatFox API. SSL enriched: 35 IPs with HTTPS, 10 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-17T11:00:54.681000", "created": "2026-01-18T11:50:04.528000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "DeimosC2", "display_name": "DeimosC2", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 55, "hostname": 29, "domain": 12 }, "indicator_count": 96, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696cc1e4112da8efb395a260", "name": "OSINT Volley 2026-01-18 - Unknown Stealer/Unknown malware/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(162), Unknown malware(63), AsyncRAT(34), Sliver(16), DeimosC2(16). Source: abuse.ch ThreatFox API. SSL enriched: 35 IPs with HTTPS, 10 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-17T11:00:54.681000", "created": "2026-01-18T11:20:04.006000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "DeimosC2", "display_name": "DeimosC2", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 54, "domain": 19, "hostname": 23 }, "indicator_count": 96, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696cb3d24f1c18591a0816a8", "name": "OSINT Volley 2026-01-18 - Unknown Stealer/Unknown malware/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(162), Unknown malware(65), AsyncRAT(34), Sliver(17), DeimosC2(16). Source: abuse.ch ThreatFox API. SSL enriched: 38 IPs with HTTPS, 13 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-17T10:03:38.247000", "created": "2026-01-18T10:20:02.105000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "DeimosC2", "display_name": "DeimosC2", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 54, "domain": 21, "hostname": 28 }, "indicator_count": 103, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696caccc419a3c53fe405ae8", "name": "OSINT Volley 2026-01-18 - Unknown Stealer/Unknown malware/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(162), Unknown malware(65), AsyncRAT(34), Sliver(17), DeimosC2(16). Source: abuse.ch ThreatFox API. SSL enriched: 38 IPs with HTTPS, 13 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-17T09:02:18.167000", "created": "2026-01-18T09:50:04.404000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "DeimosC2", "display_name": "DeimosC2", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 54, "domain": 21, "hostname": 28 }, "indicator_count": 103, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696ca5c23eb10473efed4946", "name": "OSINT Volley 2026-01-18 - Unknown Stealer/Unknown malware/AsyncRAT", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown Stealer(162), Unknown malware(62), AsyncRAT(34), Sliver(17), DeimosC2(16). Source: abuse.ch ThreatFox API. SSL enriched: 38 IPs with HTTPS, 13 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-17T09:02:18.167000", "created": "2026-01-18T09:20:02.540000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-stealer", "unknown-malware", "asyncrat", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown Stealer", "display_name": "Unknown Stealer", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "DeimosC2", "display_name": "DeimosC2", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 51, "domain": 23, "hostname": 29 }, "indicator_count": 103, "is_author": false, "is_subscribing": null, "subscriber_count": 170, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696ca17e87ccf27e0b844657", "name": "ThreatFox Hunt: Sliver IOCs - 2026-01-18", "description": "Automated ThreatFox hunt for Sliver indicators. 12 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1059.001, T1055, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-02-17T09:02:18.167000", "created": "2026-01-18T09:01:50.070000", "tags": [ "sliver", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "apt29", "russia" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Sliver", "display_name": "Sliver", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 170, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696bbf854caf80f4a799c3a4", "name": "ThreatFox Hunt: Sliver IOCs - 2026-01-17", "description": "Automated ThreatFox hunt for Sliver indicators. 48 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1059.001, T1055, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-02-16T16:02:11.545000", "created": "2026-01-17T16:57:41.771000", "tags": [ "sliver", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "apt29", "russia" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Sliver", "display_name": "Sliver", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "61 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696a71efc4378c8e6f1495bb", "name": "ThreatFox Hunt: Sliver IOCs - 2026-01-16", "description": "Automated ThreatFox hunt for Sliver indicators. 48 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1059.001, T1055, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-02-15T17:04:01.274000", "created": "2026-01-16T17:14:23.495000", "tags": [ "sliver", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "apt29", "russia" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Sliver", "display_name": "Sliver", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "62 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696a6f90a69376d495817b8e", "name": "ThreatFox Hunt: Sliver IOCs - 2026-01-16", "description": "Automated ThreatFox hunt for Sliver indicators. 48 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1059.001, T1055, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-02-15T17:04:01.274000", "created": "2026-01-16T17:04:16.716000", "tags": [ "sliver", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "apt29", "russia" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Sliver", "display_name": "Sliver", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "62 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696a27718eb1a0692163164f", "name": "ThreatFox Hunt: Sliver IOCs - 2026-01-16", "description": "Automated ThreatFox hunt for Sliver indicators. 40 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1059.001, T1055, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-02-15T11:01:50.078000", "created": "2026-01-16T11:56:33.350000", "tags": [ "sliver", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "apt29", "russia" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Sliver", "display_name": "Sliver", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "62 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 } ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Stealc", "Asyncrat", "Sliver", "Unknown malware", "Deimosc2", "Unknown stealer", "Clearfake", "Meterpreter" ], "industries": [] } } }, "false_positive": [], "validation": [], "asn": "ASNone ", "city_data": true, "city": null, "region": null, "continent_code": "EU", "country_code3": "DNK", "country_code2": "DK", "subdivision": null, "latitude": 55.7123, "postal_code": null, "longitude": 12.0564, "accuracy_radius": 200, "country_code": "DK", "country_name": "Denmark", "dma_code": 0, "charset": 0, "area_code": 0, "flag_url": "/assets/images/flags/dk.png", "flag_title": "Denmark", "sections": [ "general", "geo", "reputation", "url_list", "passive_dns", "malware", "nids_list", "http_scans" ] }, "geo": { "asn": "ASNone ", "city_data": true, "city": null, "region": null, "continent_code": "EU", "country_code3": "DNK", "country_code2": "DK", "subdivision": null, "latitude": 55.7123, "postal_code": null, "longitude": 12.0564, "accuracy_radius": 200, "country_code": "DK", "country_name": "Denmark", "dma_code": 0, "charset": 0, "area_code": 0, "flag_url": "/assets/images/flags/dk.png", "flag_title": "Denmark" }, "geo_ipapicom": { "country": "France", "country_code": "FR", "region": "Grand Est", "city": "Lauterbourg", "zip": "67630", "latitude": 48.9742, "longitude": 8.1851, "timezone": "Europe/Paris", "isp": "Contabo GmbH", "org": "Contabo GmbH", "asn": "AS51167 Contabo GmbH", "asn_name": "CONTABO", "is_proxy": false, "is_hosting": true, "source": "ip-api.com" }, "pulse_count": 50, "pulses": [ { "id": "69660dd555de5ae495bed8ea", "name": "ThreatFix_IP", "description": "ThreatFix is an effort to publish various details about ransomware variants and ransomware threat actors. ThreatFix advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.", "modified": "2026-02-25T10:01:35.579000", "created": "2026-01-13T09:18:11.474000", "tags": [ "LummaStealer, RedLine,..." ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "zlepos384", "id": "103244", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 19 }, "indicator_count": 19, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "52 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696e547b54275ed3d44dff3e", "name": "ThreatFox Hunt: Sliver IOCs - 2026-01-19", "description": "Automated ThreatFox hunt for Sliver indicators. 18 IOCs collected via Pattern 49 intelligence streaming. MITRE ATT&CK: T1071.001, T1059.001, T1055, T1105. Reference: https://analytics.dugganusa.com", "modified": "2026-02-18T15:04:13.869000", "created": "2026-01-19T15:57:47.137000", "tags": [ "sliver", "threatfox", "automated-hunt", "pattern-49", "dugganusa", "apt29", "russia" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Sliver", "display_name": "Sliver", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": {}, "indicator_count": 0, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "59 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696de936053728961a21ebad", "name": "OSINT Volley 2026-01-19 - AsyncRAT/Unknown malware/Stealc", "description": "Automated OSINT sweep from ThreatFox. Top malware: AsyncRAT(26), Unknown malware(21), Stealc(17), Sliver(14), Meterpreter(12). Source: abuse.ch ThreatFox API. SSL enriched: 22 IPs with HTTPS, 6 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-18T08:03:49.499000", "created": "2026-01-19T08:20:06.523000", "tags": [ "osint-volley", "threatfox", "automated", "asyncrat", "unknown-malware", "stealc", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 14, "hostname": 33, "domain": 15 }, "indicator_count": 62, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "59 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696ddb257e3d8cf3de56eed7", "name": "OSINT Volley 2026-01-19 - Unknown malware/AsyncRAT/Stealc", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(58), AsyncRAT(26), Stealc(19), Sliver(14), Meterpreter(11). Source: abuse.ch ThreatFox API. SSL enriched: 21 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-18T07:01:37.929000", "created": "2026-01-19T07:20:05.689000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "asyncrat", "stealc", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 48, "hostname": 33, "domain": 15 }, "indicator_count": 96, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "59 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696dd41d5a09d3493fe61617", "name": "OSINT Volley 2026-01-19 - Unknown malware/AsyncRAT/Stealc", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(66), AsyncRAT(26), Stealc(19), Sliver(14), Meterpreter(11). Source: abuse.ch ThreatFox API. SSL enriched: 21 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-18T06:01:23.076000", "created": "2026-01-19T06:50:05.286000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "asyncrat", "stealc", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 34, "URL": 39, "domain": 23 }, "indicator_count": 96, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "59 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696dcd177c5f27154bb6d32e", "name": "OSINT Volley 2026-01-19 - Unknown malware/AsyncRAT/Stealc", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(66), AsyncRAT(26), Stealc(19), Sliver(14), Meterpreter(11). Source: abuse.ch ThreatFox API. SSL enriched: 21 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-18T06:01:23.076000", "created": "2026-01-19T06:20:07.551000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "asyncrat", "stealc", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 34, "URL": 40, "domain": 23 }, "indicator_count": 97, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "59 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696dc60d45bf130fd9bd10c2", "name": "OSINT Volley 2026-01-19 - Unknown malware/AsyncRAT/Stealc", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(66), AsyncRAT(29), Stealc(20), Sliver(14), Meterpreter(11). Source: abuse.ch ThreatFox API. SSL enriched: 21 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-18T05:00:41.494000", "created": "2026-01-19T05:50:05.400000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "asyncrat", "stealc", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 34, "URL": 40, "domain": 23 }, "indicator_count": 97, "is_author": false, "is_subscribing": null, "subscriber_count": 170, "modified_text": "59 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696dbf051d90ad625ecba345", "name": "OSINT Volley 2026-01-19 - Unknown malware/AsyncRAT/Stealc", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(66), AsyncRAT(27), Stealc(20), Sliver(14), Meterpreter(11). Source: abuse.ch ThreatFox API. SSL enriched: 21 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-18T05:00:41.494000", "created": "2026-01-19T05:20:05.098000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "asyncrat", "stealc", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 32, "URL": 42, "domain": 23 }, "indicator_count": 97, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "59 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696db8074f437e4a32b0bb46", "name": "OSINT Volley 2026-01-19 - Unknown malware/AsyncRAT/Stealc", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(66), AsyncRAT(27), Stealc(20), Sliver(14), Meterpreter(11). Source: abuse.ch ThreatFox API. SSL enriched: 21 IPs with HTTPS, 5 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-18T04:02:22.696000", "created": "2026-01-19T04:50:15.109000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "asyncrat", "stealc", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 32, "URL": 43, "domain": 23 }, "indicator_count": 98, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "59 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 }, { "id": "696da9eddda5a86400b675dd", "name": "OSINT Volley 2026-01-19 - Unknown malware/AsyncRAT/Stealc", "description": "Automated OSINT sweep from ThreatFox. Top malware: Unknown malware(67), AsyncRAT(28), Stealc(21), Sliver(15), Meterpreter(13). Source: abuse.ch ThreatFox API. SSL enriched: 24 IPs with HTTPS, 6 self-signed (C2 candidates). Pattern 54: sweep\u2192volley automation.", "modified": "2026-02-18T03:04:03.277000", "created": "2026-01-19T03:50:05.093000", "tags": [ "osint-volley", "threatfox", "automated", "unknown-malware", "asyncrat", "stealc", "c2-infrastructure" ], "references": [ "https://analytics.dugganusa.com/api/v1/stix-feed/v2", "https://threatfox.abuse.ch" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Unknown malware", "display_name": "Unknown malware", "target": null }, { "id": "AsyncRAT", "display_name": "AsyncRAT", "target": null }, { "id": "Stealc", "display_name": "Stealc", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Meterpreter", "display_name": "Meterpreter", "target": null } ], "attack_ids": [ { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "pduggusa", "id": "371400", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_371400/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 48, "domain": 23, "hostname": 31 }, "indicator_count": 102, "is_author": false, "is_subscribing": null, "subscriber_count": 169, "modified_text": "59 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "IPv4", "related_indicator_is_active": 0 } ], "error": null, "vt": { "type": "IPv4", "indicator": "86.48.5.53", "stats": { "malicious": 15, "suspicious": 1, "harmless": 49, "undetected": 29, "total": 94, "verdict": "malicious", "ratio": "15/94" }, "verdict": "malicious", "ratio": "15/94", "country": "FR", "asn": 51167, "as_owner": "Contabo GmbH", "network": "86.48.5.0/24", "reputation": -11, "tags": [], "top_detections": [ { "vendor": "ADMINUSLabs", "result": "malicious", "category": "malicious" }, { "vendor": "AlphaSOC", "result": "malware", "category": "malicious" }, { "vendor": "BitDefender", "result": "malware", "category": "malicious" }, { "vendor": "CRDF", "result": "malicious", "category": "malicious" }, { "vendor": "Cluster25", "result": "malicious", "category": "malicious" }, { "vendor": "CyRadar", "result": "malware", "category": "malicious" }, { "vendor": "Fortinet", "result": "malware", "category": "malicious" }, { "vendor": "G-Data", "result": "malware", "category": "malicious" }, { "vendor": "Gridinsoft", "result": "suspicious", "category": "suspicious" }, { "vendor": "Hunt.io Intelligence", "result": "malicious", "category": "malicious" } ], "last_analysis": 1776104914, "error": null }, "abuseipdb": { "indicator": "86.48.5.53", "abuse_score": 15, "verdict": "low_risk", "total_reports": 4, "distinct_users": 4, "last_reported": "2026-03-18T16:03:08+00:00", "country_code": "FR", "country_name": "France", "isp": "Contabo GmbH", "domain": "contabo.com", "is_tor": false, "is_public": true, "is_whitelisted": false, "usage_type": "Data Center/Web Hosting/Transit", "recent_reports": [ { "date": "2026-03-18", "categories": [ "SQL Injection", "Exploited Host", "Hacking", "Port Scan" ], "comment": "Possible malicious scan or exploit attempt on database services. | Proto: TCP | Port: 27017 | Location: Germany, D\u00fcsseld", "reporter": "" }, { "date": "2026-03-06", "categories": [ "Brute-Force" ], "comment": "Tatic: TA0006 | Technique: T1110 | Source: TAP | Country Destination: BR", "reporter": "" }, { "date": "2026-03-06", "categories": [ "Bad Web Bot" ], "comment": "Triggered Cloudflare WAF (firewallManaged) from FR.\nAction taken: BLOCK\nProtocol: HTTP/1.1 (POST method)\nEndpoint: /\nUA:", "reporter": "" }, { "date": "2026-02-21", "categories": [ "Web App Attack" ], "comment": "suspicious request in access.log", "reporter": "" } ], "error": null }, "urlhaus": { "indicator": "86.48.5.53", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776561992.1709898 }