{ "type": "SHA256", "indicator": "941993f885957176d75f24ef3f8935ecb589bb9b445bb0d71fb18b65e61b6ee4", "general": { "sections": [ "general", "analysis" ], "type": "sha256", "type_title": "FileHash-SHA256", "indicator": "941993f885957176d75f24ef3f8935ecb589bb9b445bb0d71fb18b65e61b6ee4", "validation": [], "base_indicator": { "id": 4187765812, "indicator": "941993f885957176d75f24ef3f8935ecb589bb9b445bb0d71fb18b65e61b6ee4", "type": "FileHash-SHA256", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 14, "pulses": [ { "id": "6978a64af51a4e50807b6636", "name": "CoolClient backdoor updated, new data stealing tools used", "description": "The HoneyMyte APT group has enhanced its toolset with an updated CoolClient backdoor and new data stealing capabilities. The group targeted government entities in Asia and Europe, particularly Southeast Asia. CoolClient now features clipboard monitoring, HTTP proxy credential sniffing, and plugin support for extended functionality. HoneyMyte also deployed browser login data stealers and document theft scripts. The campaign's focus has shifted towards active surveillance, including keylogging, clipboard data collection, and proxy credential harvesting. Organizations are advised to remain vigilant against HoneyMyte's evolving toolkit, which includes CoolClient, PlugX, ToneShell, Qreverse, and LuminousMoth malware families.", "modified": "2026-02-26T11:03:39.915000", "created": "2026-01-27T11:49:30.682000", "tags": [ "data theft", "plugx", "southeast asia", "toneshell", "backdoor", "credential stealing", "luminousmoth", "apt", "coolclient", "qreverse", "government" ], "references": [ "https://securelist.com/honeymyte-updates-coolclient-uses-browser-stealers-and-scripts/118664/" ], "public": 1, "adversary": "MUSTANG PANDA", "targeted_countries": [ "Malaysia", "Mongolia", "Myanmar", "Pakistan", "Russian Federation", "Thailand" ], "malware_families": [ { "id": "CoolClient", "display_name": "CoolClient", "target": null }, { "id": "ToneShell", "display_name": "ToneShell", "target": null }, { "id": "PlugX - S0013", "display_name": "PlugX - S0013", "target": null }, { "id": "Thoper", "display_name": "Thoper", "target": null }, { "id": "TVT", "display_name": "TVT", "target": null }, { "id": "DestroyRAT", "display_name": "DestroyRAT", "target": null }, { "id": "Sogu", "display_name": "Sogu", "target": null }, { "id": "Kaba", "display_name": "Kaba", "target": null }, { "id": "Korplug", "display_name": "Korplug", "target": null }, { "id": "LuminousMoth", "display_name": "LuminousMoth", "target": null }, { "id": "QReverse", "display_name": "QReverse", "target": null } ], "attack_ids": [ { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 13, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 1, "domain": 1, "hostname": 2 }, "indicator_count": 19, "is_author": false, "is_subscribing": null, "subscriber_count": 386449, "modified_text": "93 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "697717160b5f9564b40ceb0f", "name": "OpenCTI_Export_2026-01", "description": "Automated export from OpenCTI for 2026-01", "modified": "2026-03-02T17:00:28.656000", "created": "2026-01-26T07:26:12.492000", "tags": [ "OpenCTI", "Automated", "2026-01" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "info@watchtower365.com", "id": "67692", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10866, "FileHash-SHA256": 960, "domain": 86 }, "indicator_count": 11912, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "89 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "697bebfcd4770071ed11a5df", "name": "CoolClient Updates to Deploy Browser Login Data Stealer", "description": "The CoolClient malware is distributed through DLL sideloading, leveraging legitimate signed executables to load malicious DLLs and evade security detection. This technique allows the attackers to establish persistence while appearing as trusted software activity on the compromised system.", "modified": "2026-02-28T23:04:31.994000", "created": "2026-01-29T23:23:40.876000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 13, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "domain": 1, "hostname": 2 }, "indicator_count": 22, "is_author": false, "is_subscribing": null, "subscriber_count": 501, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "697a90cf98e96f46136e0f35", "name": "EbeeJan2026 Pt6", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-02-28T19:01:39.239000", "created": "2026-01-28T22:42:23.436000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1" ], "references": [ "IOCs.csv" ], "public": 1, "adversary": "Sandworm, Vortex Werewolf (SkyCloak), PureRAT, npm Package Deploys G_Wagon, HoneyMyte", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 115, "CVE": 13, "FileHash-MD5": 122, "FileHash-SHA1": 112, "FileHash-SHA256": 267, "domain": 103, "email": 5, "hostname": 49 }, "indicator_count": 786, "is_author": false, "is_subscribing": null, "subscriber_count": 42, "modified_text": "91 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69798960d67bf54dc413c78d", "name": "IOC - HoneyMyte updates CoolClient and deploys multiple stealers in recent campaigns", "description": "", "modified": "2026-02-26T11:03:39.915000", "created": "2026-01-28T03:58:24.296000", "tags": [ "data theft", "plugx", "southeast asia", "toneshell", "backdoor", "credential stealing", "luminousmoth", "apt", "coolclient", "qreverse", "government" ], "references": [ "https://securelist.com/honeymyte-updates-coolclient-uses-browser-stealers-and-scripts/118664/" ], "public": 1, "adversary": "HoneyMyte", "targeted_countries": [ "Malaysia", "Mongolia", "Myanmar", "Pakistan", "Russian Federation", "Thailand" ], "malware_families": [ { "id": "CoolClient", "display_name": "CoolClient", "target": null }, { "id": "ToneShell", "display_name": "ToneShell", "target": null }, { "id": "PlugX - S0013", "display_name": "PlugX - S0013", "target": null }, { "id": "Thoper", "display_name": "Thoper", "target": null }, { "id": "TVT", "display_name": "TVT", "target": null }, { "id": "DestroyRAT", "display_name": "DestroyRAT", "target": null }, { "id": "Sogu", "display_name": "Sogu", "target": null }, { "id": "Kaba", "display_name": "Kaba", "target": null }, { "id": "Korplug", "display_name": "Korplug", "target": null }, { "id": "LuminousMoth", "display_name": "LuminousMoth", "target": null }, { "id": "QReverse", "display_name": "QReverse", "target": null } ], "attack_ids": [ { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": "6978a64af51a4e50807b6636", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 13, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 1, "domain": 1, "hostname": 2 }, "indicator_count": 19, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "93 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69798961de005e917a9a8b20", "name": "IOC - HoneyMyte updates CoolClient and deploys multiple stealers in recent campaigns", "description": "", "modified": "2026-02-26T11:03:39.915000", "created": "2026-01-28T03:58:25.093000", "tags": [ "data theft", "plugx", "southeast asia", "toneshell", "backdoor", "credential stealing", "luminousmoth", "apt", "coolclient", "qreverse", "government" ], "references": [ "https://securelist.com/honeymyte-updates-coolclient-uses-browser-stealers-and-scripts/118664/" ], "public": 1, "adversary": "HoneyMyte", "targeted_countries": [ "Malaysia", "Mongolia", "Myanmar", "Pakistan", "Russian Federation", "Thailand" ], "malware_families": [ { "id": "CoolClient", "display_name": "CoolClient", "target": null }, { "id": "ToneShell", "display_name": "ToneShell", "target": null }, { "id": "PlugX - S0013", "display_name": "PlugX - S0013", "target": null }, { "id": "Thoper", "display_name": "Thoper", "target": null }, { "id": "TVT", "display_name": "TVT", "target": null }, { "id": "DestroyRAT", "display_name": "DestroyRAT", "target": null }, { "id": "Sogu", "display_name": "Sogu", "target": null }, { "id": "Kaba", "display_name": "Kaba", "target": null }, { "id": "Korplug", "display_name": "Korplug", "target": null }, { "id": "LuminousMoth", "display_name": "LuminousMoth", "target": null }, { "id": "QReverse", "display_name": "QReverse", "target": null } ], "attack_ids": [ { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": "6978a64af51a4e50807b6636", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 13, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 1, "domain": 1, "hostname": 2 }, "indicator_count": 19, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "93 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "697989d885458b6414b7b6b6", "name": "IOC - HoneyMyte updates CoolClient and deploys multiple stealers in recent campaigns", "description": "", "modified": "2026-02-26T11:03:39.915000", "created": "2026-01-28T04:00:24.087000", "tags": [ "data theft", "plugx", "southeast asia", "toneshell", "backdoor", "credential stealing", "luminousmoth", "apt", "coolclient", "qreverse", "government" ], "references": [ "https://securelist.com/honeymyte-updates-coolclient-uses-browser-stealers-and-scripts/118664/" ], "public": 1, "adversary": "HoneyMyte", "targeted_countries": [ "Malaysia", "Mongolia", "Myanmar", "Pakistan", "Russian Federation", "Thailand" ], "malware_families": [ { "id": "CoolClient", "display_name": "CoolClient", "target": null }, { "id": "ToneShell", "display_name": "ToneShell", "target": null }, { "id": "PlugX - S0013", "display_name": "PlugX - S0013", "target": null }, { "id": "Thoper", "display_name": "Thoper", "target": null }, { "id": "TVT", "display_name": "TVT", "target": null }, { "id": "DestroyRAT", "display_name": "DestroyRAT", "target": null }, { "id": "Sogu", "display_name": "Sogu", "target": null }, { "id": "Kaba", "display_name": "Kaba", "target": null }, { "id": "Korplug", "display_name": "Korplug", "target": null }, { "id": "LuminousMoth", "display_name": "LuminousMoth", "target": null }, { "id": "QReverse", "display_name": "QReverse", "target": null } ], "attack_ids": [ { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": "6978a64af51a4e50807b6636", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 13, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 1, "domain": 1, "hostname": 2 }, "indicator_count": 19, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "93 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6979c212b9ff26f2f812f863", "name": "IOC - HoneyMyte updates CoolClient and deploys multiple stealers in recent campaigns", "description": "", "modified": "2026-02-26T11:03:39.915000", "created": "2026-01-28T08:00:18.111000", "tags": [ "data theft", "plugx", "southeast asia", "toneshell", "backdoor", "credential stealing", "luminousmoth", "apt", "coolclient", "qreverse", "government" ], "references": [ "https://securelist.com/honeymyte-updates-coolclient-uses-browser-stealers-and-scripts/118664/" ], "public": 1, "adversary": "HoneyMyte", "targeted_countries": [ "Malaysia", "Mongolia", "Myanmar", "Pakistan", "Russian Federation", "Thailand" ], "malware_families": [ { "id": "CoolClient", "display_name": "CoolClient", "target": null }, { "id": "ToneShell", "display_name": "ToneShell", "target": null }, { "id": "PlugX - S0013", "display_name": "PlugX - S0013", "target": null }, { "id": "Thoper", "display_name": "Thoper", "target": null }, { "id": "TVT", "display_name": "TVT", "target": null }, { "id": "DestroyRAT", "display_name": "DestroyRAT", "target": null }, { "id": "Sogu", "display_name": "Sogu", "target": null }, { "id": "Kaba", "display_name": "Kaba", "target": null }, { "id": "Korplug", "display_name": "Korplug", "target": null }, { "id": "LuminousMoth", "display_name": "LuminousMoth", "target": null }, { "id": "QReverse", "display_name": "QReverse", "target": null } ], "attack_ids": [ { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": "697989d885458b6414b7b6b6", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 13, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 1, "domain": 1, "hostname": 2 }, "indicator_count": 19, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "93 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6979c96ae5e346f6bb908b5d", "name": "HoneyMyte updates CoolClient and deploys multiple stealers in recent campaigns", "description": "", "modified": "2026-02-26T11:03:39.915000", "created": "2026-01-28T08:31:38.741000", "tags": [ "data theft", "plugx", "southeast asia", "toneshell", "backdoor", "credential stealing", "luminousmoth", "apt", "coolclient", "qreverse", "government" ], "references": [ "https://securelist.com/honeymyte-updates-coolclient-uses-browser-stealers-and-scripts/118664/" ], "public": 1, "adversary": "HoneyMyte", "targeted_countries": [ "Malaysia", "Mongolia", "Myanmar", "Pakistan", "Russian Federation", "Thailand" ], "malware_families": [ { "id": "CoolClient", "display_name": "CoolClient", "target": null }, { "id": "ToneShell", "display_name": "ToneShell", "target": null }, { "id": "PlugX - S0013", "display_name": "PlugX - S0013", "target": null }, { "id": "Thoper", "display_name": "Thoper", "target": null }, { "id": "TVT", "display_name": "TVT", "target": null }, { "id": "DestroyRAT", "display_name": "DestroyRAT", "target": null }, { "id": "Sogu", "display_name": "Sogu", "target": null }, { "id": "Kaba", "display_name": "Kaba", "target": null }, { "id": "Korplug", "display_name": "Korplug", "target": null }, { "id": "LuminousMoth", "display_name": "LuminousMoth", "target": null }, { "id": "QReverse", "display_name": "QReverse", "target": null } ], "attack_ids": [ { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": "6979c212b9ff26f2f812f863", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 13, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 1, "domain": 1, "hostname": 2 }, "indicator_count": 19, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "93 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6979c9761409f92c8ff2ec8b", "name": "HoneyMyte updates CoolClient and deploys multiple stealers in recent campaigns", "description": "", "modified": "2026-02-26T11:03:39.915000", "created": "2026-01-28T08:31:50.365000", "tags": [ "data theft", "plugx", "southeast asia", "toneshell", "backdoor", "credential stealing", "luminousmoth", "apt", "coolclient", "qreverse", "government" ], "references": [ "https://securelist.com/honeymyte-updates-coolclient-uses-browser-stealers-and-scripts/118664/" ], "public": 1, "adversary": "HoneyMyte", "targeted_countries": [ "Malaysia", "Mongolia", "Myanmar", "Pakistan", "Russian Federation", "Thailand" ], "malware_families": [ { "id": "CoolClient", "display_name": "CoolClient", "target": null }, { "id": "ToneShell", "display_name": "ToneShell", "target": null }, { "id": "PlugX - S0013", "display_name": "PlugX - S0013", "target": null }, { "id": "Thoper", "display_name": "Thoper", "target": null }, { "id": "TVT", "display_name": "TVT", "target": null }, { "id": "DestroyRAT", "display_name": "DestroyRAT", "target": null }, { "id": "Sogu", "display_name": "Sogu", "target": null }, { "id": "Kaba", "display_name": "Kaba", "target": null }, { "id": "Korplug", "display_name": "Korplug", "target": null }, { "id": "LuminousMoth", "display_name": "LuminousMoth", "target": null }, { "id": "QReverse", "display_name": "QReverse", "target": null } ], "attack_ids": [ { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": "6979c212b9ff26f2f812f863", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 13, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 1, "domain": 1, "hostname": 2 }, "indicator_count": 19, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "93 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6979c99f69417dc99b536083", "name": "HoneyMyte updates CoolClient and deploys multiple stealers in recent campaigns", "description": "", "modified": "2026-02-26T11:03:39.915000", "created": "2026-01-28T08:32:31.780000", "tags": [ "data theft", "plugx", "southeast asia", "toneshell", "backdoor", "credential stealing", "luminousmoth", "apt", "coolclient", "qreverse", "government" ], "references": [ "https://securelist.com/honeymyte-updates-coolclient-uses-browser-stealers-and-scripts/118664/" ], "public": 1, "adversary": "HoneyMyte", "targeted_countries": [ "Malaysia", "Mongolia", "Myanmar", "Pakistan", "Russian Federation", "Thailand" ], "malware_families": [ { "id": "CoolClient", "display_name": "CoolClient", "target": null }, { "id": "ToneShell", "display_name": "ToneShell", "target": null }, { "id": "PlugX - S0013", "display_name": "PlugX - S0013", "target": null }, { "id": "Thoper", "display_name": "Thoper", "target": null }, { "id": "TVT", "display_name": "TVT", "target": null }, { "id": "DestroyRAT", "display_name": "DestroyRAT", "target": null }, { "id": "Sogu", "display_name": "Sogu", "target": null }, { "id": "Kaba", "display_name": "Kaba", "target": null }, { "id": "Korplug", "display_name": "Korplug", "target": null }, { "id": "LuminousMoth", "display_name": "LuminousMoth", "target": null }, { "id": "QReverse", "display_name": "QReverse", "target": null } ], "attack_ids": [ { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": "6979c212b9ff26f2f812f863", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 13, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 1, "domain": 1, "hostname": 2 }, "indicator_count": 19, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "93 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6979c9afb7a25f9622de9618", "name": "HoneyMyte updates CoolClient and deploys multiple stealers in recent campaigns", "description": "", "modified": "2026-02-26T11:03:39.915000", "created": "2026-01-28T08:32:47.599000", "tags": [ "data theft", "plugx", "southeast asia", "toneshell", "backdoor", "credential stealing", "luminousmoth", "apt", "coolclient", "qreverse", "government" ], "references": [ "https://securelist.com/honeymyte-updates-coolclient-uses-browser-stealers-and-scripts/118664/" ], "public": 1, "adversary": "HoneyMyte", "targeted_countries": [ "Malaysia", "Mongolia", "Myanmar", "Pakistan", "Russian Federation", "Thailand" ], "malware_families": [ { "id": "CoolClient", "display_name": "CoolClient", "target": null }, { "id": "ToneShell", "display_name": "ToneShell", "target": null }, { "id": "PlugX - S0013", "display_name": "PlugX - S0013", "target": null }, { "id": "Thoper", "display_name": "Thoper", "target": null }, { "id": "TVT", "display_name": "TVT", "target": null }, { "id": "DestroyRAT", "display_name": "DestroyRAT", "target": null }, { "id": "Sogu", "display_name": "Sogu", "target": null }, { "id": "Kaba", "display_name": "Kaba", "target": null }, { "id": "Korplug", "display_name": "Korplug", "target": null }, { "id": "LuminousMoth", "display_name": "LuminousMoth", "target": null }, { "id": "QReverse", "display_name": "QReverse", "target": null } ], "attack_ids": [ { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": "6979c212b9ff26f2f812f863", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 13, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 1, "domain": 1, "hostname": 2 }, "indicator_count": 19, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "93 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6981b2b8c9a037ad8d3a655c", "name": "Malware | 2026-01-31", "description": "Malware indicators. Date: 2026-01-31. Total: 571 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-02-03T08:32:56.404000", "created": "2026-02-03T08:32:56.404000", "tags": [ "malware", "malwarebazaar" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 571 }, "indicator_count": 571, "is_author": false, "is_subscribing": null, "subscriber_count": 90, "modified_text": "116 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69810ffd3347afdb6283cf3d", "name": "HoneyMyte APT Enhances CoolClient Backdoor and Deploys Multi-Browser Credential Stealers", "description": "", "modified": "2026-02-02T20:58:37.407000", "created": "2026-02-02T20:58:37.407000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "krishnababu", "id": "347852", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "domain": 1, "hostname": 2 }, "indicator_count": 6, "is_author": false, "is_subscribing": null, "subscriber_count": 21, "modified_text": "116 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 } ], "references": [ "https://ltna.com.au/cyber", "https://securelist.com/honeymyte-updates-coolclient-uses-browser-stealers-and-scripts/118664/", "IOCs.csv" ], "related": { "alienvault": { "adversary": [ "MUSTANG PANDA" ], "malware_families": [ "Destroyrat", "Tvt", "Coolclient", "Kaba", "Korplug", "Luminousmoth", "Qreverse", "Toneshell", "Sogu", "Plugx - s0013", "Thoper" ], "industries": [ "Government" ] }, "other": { "adversary": [ "Sandworm, Vortex Werewolf (SkyCloak), PureRAT, npm Package Deploys G_Wagon, HoneyMyte", "HoneyMyte" ], "malware_families": [ "Destroyrat", "Tvt", "Coolclient", "Kaba", "Korplug", "Luminousmoth", "Qreverse", "Toneshell", "Sogu", "Plugx - s0013", "Thoper" ], "industries": [ "Government" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 14, "pulses": [ { "id": "6978a64af51a4e50807b6636", "name": "CoolClient backdoor updated, new data stealing tools used", "description": "The HoneyMyte APT group has enhanced its toolset with an updated CoolClient backdoor and new data stealing capabilities. The group targeted government entities in Asia and Europe, particularly Southeast Asia. CoolClient now features clipboard monitoring, HTTP proxy credential sniffing, and plugin support for extended functionality. HoneyMyte also deployed browser login data stealers and document theft scripts. The campaign's focus has shifted towards active surveillance, including keylogging, clipboard data collection, and proxy credential harvesting. Organizations are advised to remain vigilant against HoneyMyte's evolving toolkit, which includes CoolClient, PlugX, ToneShell, Qreverse, and LuminousMoth malware families.", "modified": "2026-02-26T11:03:39.915000", "created": "2026-01-27T11:49:30.682000", "tags": [ "data theft", "plugx", "southeast asia", "toneshell", "backdoor", "credential stealing", "luminousmoth", "apt", "coolclient", "qreverse", "government" ], "references": [ "https://securelist.com/honeymyte-updates-coolclient-uses-browser-stealers-and-scripts/118664/" ], "public": 1, "adversary": "MUSTANG PANDA", "targeted_countries": [ "Malaysia", "Mongolia", "Myanmar", "Pakistan", "Russian Federation", "Thailand" ], "malware_families": [ { "id": "CoolClient", "display_name": "CoolClient", "target": null }, { "id": "ToneShell", "display_name": "ToneShell", "target": null }, { "id": "PlugX - S0013", "display_name": "PlugX - S0013", "target": null }, { "id": "Thoper", "display_name": "Thoper", "target": null }, { "id": "TVT", "display_name": "TVT", "target": null }, { "id": "DestroyRAT", "display_name": "DestroyRAT", "target": null }, { "id": "Sogu", "display_name": "Sogu", "target": null }, { "id": "Kaba", "display_name": "Kaba", "target": null }, { "id": "Korplug", "display_name": "Korplug", "target": null }, { "id": "LuminousMoth", "display_name": "LuminousMoth", "target": null }, { "id": "QReverse", "display_name": "QReverse", "target": null } ], "attack_ids": [ { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 13, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 1, "domain": 1, "hostname": 2 }, "indicator_count": 19, "is_author": false, "is_subscribing": null, "subscriber_count": 386449, "modified_text": "93 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "697717160b5f9564b40ceb0f", "name": "OpenCTI_Export_2026-01", "description": "Automated export from OpenCTI for 2026-01", "modified": "2026-03-02T17:00:28.656000", "created": "2026-01-26T07:26:12.492000", "tags": [ "OpenCTI", "Automated", "2026-01" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "info@watchtower365.com", "id": "67692", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10866, "FileHash-SHA256": 960, "domain": 86 }, "indicator_count": 11912, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "89 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "697bebfcd4770071ed11a5df", "name": "CoolClient Updates to Deploy Browser Login Data Stealer", "description": "The CoolClient malware is distributed through DLL sideloading, leveraging legitimate signed executables to load malicious DLLs and evade security detection. This technique allows the attackers to establish persistence while appearing as trusted software activity on the compromised system.", "modified": "2026-02-28T23:04:31.994000", "created": "2026-01-29T23:23:40.876000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 13, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "domain": 1, "hostname": 2 }, "indicator_count": 22, "is_author": false, "is_subscribing": null, "subscriber_count": 501, "modified_text": "90 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "697a90cf98e96f46136e0f35", "name": "EbeeJan2026 Pt6", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-02-28T19:01:39.239000", "created": "2026-01-28T22:42:23.436000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1" ], "references": [ "IOCs.csv" ], "public": 1, "adversary": "Sandworm, Vortex Werewolf (SkyCloak), PureRAT, npm Package Deploys G_Wagon, HoneyMyte", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 115, "CVE": 13, "FileHash-MD5": 122, "FileHash-SHA1": 112, "FileHash-SHA256": 267, "domain": 103, "email": 5, "hostname": 49 }, "indicator_count": 786, "is_author": false, "is_subscribing": null, "subscriber_count": 42, "modified_text": "91 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69798960d67bf54dc413c78d", "name": "IOC - HoneyMyte updates CoolClient and deploys multiple stealers in recent campaigns", "description": "", "modified": "2026-02-26T11:03:39.915000", "created": "2026-01-28T03:58:24.296000", "tags": [ "data theft", "plugx", "southeast asia", "toneshell", "backdoor", "credential stealing", "luminousmoth", "apt", "coolclient", "qreverse", "government" ], "references": [ "https://securelist.com/honeymyte-updates-coolclient-uses-browser-stealers-and-scripts/118664/" ], "public": 1, "adversary": "HoneyMyte", "targeted_countries": [ "Malaysia", "Mongolia", "Myanmar", "Pakistan", "Russian Federation", "Thailand" ], "malware_families": [ { "id": "CoolClient", "display_name": "CoolClient", "target": null }, { "id": "ToneShell", "display_name": "ToneShell", "target": null }, { "id": "PlugX - S0013", "display_name": "PlugX - S0013", "target": null }, { "id": "Thoper", "display_name": "Thoper", "target": null }, { "id": "TVT", "display_name": "TVT", "target": null }, { "id": "DestroyRAT", "display_name": "DestroyRAT", "target": null }, { "id": "Sogu", "display_name": "Sogu", "target": null }, { "id": "Kaba", "display_name": "Kaba", "target": null }, { "id": "Korplug", "display_name": "Korplug", "target": null }, { "id": "LuminousMoth", "display_name": "LuminousMoth", "target": null }, { "id": "QReverse", "display_name": "QReverse", "target": null } ], "attack_ids": [ { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": "6978a64af51a4e50807b6636", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 13, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 1, "domain": 1, "hostname": 2 }, "indicator_count": 19, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "93 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69798961de005e917a9a8b20", "name": "IOC - HoneyMyte updates CoolClient and deploys multiple stealers in recent campaigns", "description": "", "modified": "2026-02-26T11:03:39.915000", "created": "2026-01-28T03:58:25.093000", "tags": [ "data theft", "plugx", "southeast asia", "toneshell", "backdoor", "credential stealing", "luminousmoth", "apt", "coolclient", "qreverse", "government" ], "references": [ "https://securelist.com/honeymyte-updates-coolclient-uses-browser-stealers-and-scripts/118664/" ], "public": 1, "adversary": "HoneyMyte", "targeted_countries": [ "Malaysia", "Mongolia", "Myanmar", "Pakistan", "Russian Federation", "Thailand" ], "malware_families": [ { "id": "CoolClient", "display_name": "CoolClient", "target": null }, { "id": "ToneShell", "display_name": "ToneShell", "target": null }, { "id": "PlugX - S0013", "display_name": "PlugX - S0013", "target": null }, { "id": "Thoper", "display_name": "Thoper", "target": null }, { "id": "TVT", "display_name": "TVT", "target": null }, { "id": "DestroyRAT", "display_name": "DestroyRAT", "target": null }, { "id": "Sogu", "display_name": "Sogu", "target": null }, { "id": "Kaba", "display_name": "Kaba", "target": null }, { "id": "Korplug", "display_name": "Korplug", "target": null }, { "id": "LuminousMoth", "display_name": "LuminousMoth", "target": null }, { "id": "QReverse", "display_name": "QReverse", "target": null } ], "attack_ids": [ { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": "6978a64af51a4e50807b6636", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 13, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 1, "domain": 1, "hostname": 2 }, "indicator_count": 19, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "93 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "697989d885458b6414b7b6b6", "name": "IOC - HoneyMyte updates CoolClient and deploys multiple stealers in recent campaigns", "description": "", "modified": "2026-02-26T11:03:39.915000", "created": "2026-01-28T04:00:24.087000", "tags": [ "data theft", "plugx", "southeast asia", "toneshell", "backdoor", "credential stealing", "luminousmoth", "apt", "coolclient", "qreverse", "government" ], "references": [ "https://securelist.com/honeymyte-updates-coolclient-uses-browser-stealers-and-scripts/118664/" ], "public": 1, "adversary": "HoneyMyte", "targeted_countries": [ "Malaysia", "Mongolia", "Myanmar", "Pakistan", "Russian Federation", "Thailand" ], "malware_families": [ { "id": "CoolClient", "display_name": "CoolClient", "target": null }, { "id": "ToneShell", "display_name": "ToneShell", "target": null }, { "id": "PlugX - S0013", "display_name": "PlugX - S0013", "target": null }, { "id": "Thoper", "display_name": "Thoper", "target": null }, { "id": "TVT", "display_name": "TVT", "target": null }, { "id": "DestroyRAT", "display_name": "DestroyRAT", "target": null }, { "id": "Sogu", "display_name": "Sogu", "target": null }, { "id": "Kaba", "display_name": "Kaba", "target": null }, { "id": "Korplug", "display_name": "Korplug", "target": null }, { "id": "LuminousMoth", "display_name": "LuminousMoth", "target": null }, { "id": "QReverse", "display_name": "QReverse", "target": null } ], "attack_ids": [ { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": "6978a64af51a4e50807b6636", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 13, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 1, "domain": 1, "hostname": 2 }, "indicator_count": 19, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "93 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6979c212b9ff26f2f812f863", "name": "IOC - HoneyMyte updates CoolClient and deploys multiple stealers in recent campaigns", "description": "", "modified": "2026-02-26T11:03:39.915000", "created": "2026-01-28T08:00:18.111000", "tags": [ "data theft", "plugx", "southeast asia", "toneshell", "backdoor", "credential stealing", "luminousmoth", "apt", "coolclient", "qreverse", "government" ], "references": [ "https://securelist.com/honeymyte-updates-coolclient-uses-browser-stealers-and-scripts/118664/" ], "public": 1, "adversary": "HoneyMyte", "targeted_countries": [ "Malaysia", "Mongolia", "Myanmar", "Pakistan", "Russian Federation", "Thailand" ], "malware_families": [ { "id": "CoolClient", "display_name": "CoolClient", "target": null }, { "id": "ToneShell", "display_name": "ToneShell", "target": null }, { "id": "PlugX - S0013", "display_name": "PlugX - S0013", "target": null }, { "id": "Thoper", "display_name": "Thoper", "target": null }, { "id": "TVT", "display_name": "TVT", "target": null }, { "id": "DestroyRAT", "display_name": "DestroyRAT", "target": null }, { "id": "Sogu", "display_name": "Sogu", "target": null }, { "id": "Kaba", "display_name": "Kaba", "target": null }, { "id": "Korplug", "display_name": "Korplug", "target": null }, { "id": "LuminousMoth", "display_name": "LuminousMoth", "target": null }, { "id": "QReverse", "display_name": "QReverse", "target": null } ], "attack_ids": [ { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": "697989d885458b6414b7b6b6", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 13, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 1, "domain": 1, "hostname": 2 }, "indicator_count": 19, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "93 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6979c96ae5e346f6bb908b5d", "name": "HoneyMyte updates CoolClient and deploys multiple stealers in recent campaigns", "description": "", "modified": "2026-02-26T11:03:39.915000", "created": "2026-01-28T08:31:38.741000", "tags": [ "data theft", "plugx", "southeast asia", "toneshell", "backdoor", "credential stealing", "luminousmoth", "apt", "coolclient", "qreverse", "government" ], "references": [ "https://securelist.com/honeymyte-updates-coolclient-uses-browser-stealers-and-scripts/118664/" ], "public": 1, "adversary": "HoneyMyte", "targeted_countries": [ "Malaysia", "Mongolia", "Myanmar", "Pakistan", "Russian Federation", "Thailand" ], "malware_families": [ { "id": "CoolClient", "display_name": "CoolClient", "target": null }, { "id": "ToneShell", "display_name": "ToneShell", "target": null }, { "id": "PlugX - S0013", "display_name": "PlugX - S0013", "target": null }, { "id": "Thoper", "display_name": "Thoper", "target": null }, { "id": "TVT", "display_name": "TVT", "target": null }, { "id": "DestroyRAT", "display_name": "DestroyRAT", "target": null }, { "id": "Sogu", "display_name": "Sogu", "target": null }, { "id": "Kaba", "display_name": "Kaba", "target": null }, { "id": "Korplug", "display_name": "Korplug", "target": null }, { "id": "LuminousMoth", "display_name": "LuminousMoth", "target": null }, { "id": "QReverse", "display_name": "QReverse", "target": null } ], "attack_ids": [ { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": "6979c212b9ff26f2f812f863", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 13, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 1, "domain": 1, "hostname": 2 }, "indicator_count": 19, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "93 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "6979c9761409f92c8ff2ec8b", "name": "HoneyMyte updates CoolClient and deploys multiple stealers in recent campaigns", "description": "", "modified": "2026-02-26T11:03:39.915000", "created": "2026-01-28T08:31:50.365000", "tags": [ "data theft", "plugx", "southeast asia", "toneshell", "backdoor", "credential stealing", "luminousmoth", "apt", "coolclient", "qreverse", "government" ], "references": [ "https://securelist.com/honeymyte-updates-coolclient-uses-browser-stealers-and-scripts/118664/" ], "public": 1, "adversary": "HoneyMyte", "targeted_countries": [ "Malaysia", "Mongolia", "Myanmar", "Pakistan", "Russian Federation", "Thailand" ], "malware_families": [ { "id": "CoolClient", "display_name": "CoolClient", "target": null }, { "id": "ToneShell", "display_name": "ToneShell", "target": null }, { "id": "PlugX - S0013", "display_name": "PlugX - S0013", "target": null }, { "id": "Thoper", "display_name": "Thoper", "target": null }, { "id": "TVT", "display_name": "TVT", "target": null }, { "id": "DestroyRAT", "display_name": "DestroyRAT", "target": null }, { "id": "Sogu", "display_name": "Sogu", "target": null }, { "id": "Kaba", "display_name": "Kaba", "target": null }, { "id": "Korplug", "display_name": "Korplug", "target": null }, { "id": "LuminousMoth", "display_name": "LuminousMoth", "target": null }, { "id": "QReverse", "display_name": "QReverse", "target": null } ], "attack_ids": [ { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": "6979c212b9ff26f2f812f863", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 13, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 1, "domain": 1, "hostname": 2 }, "indicator_count": 19, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "93 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "941993f885957176d75f24ef3f8935ecb589bb9b445bb0d71fb18b65e61b6ee4", "type": "Hash" }, "abuseipdb": null, "urlhaus": { "indicator": "941993f885957176d75f24ef3f8935ecb589bb9b445bb0d71fb18b65e61b6ee4", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780173345.705908 }