{ "type": "Domain", "indicator": "98kk89.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/98kk89.com", "alexa": "http://www.alexa.com/siteinfo/98kk89.com", "indicator": "98kk89.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4290763864, "indicator": "98kk89.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "69d73f806377e1786da61411", "name": "EbeeApril2026 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-09T05:56:16.764000", "created": "2026-04-09T05:56:16.764000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1" ], "references": [ "Book1.csv" ], "public": 1, "adversary": "The Gentlemen, Augmented Marauder, Yurei Ransomware, Xloader, ClickFix campaign delivering XWorm V5.", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 96, "URL": 77, "FileHash-MD5": 180, "FileHash-SHA1": 136, "FileHash-SHA256": 280, "CVE": 2, "domain": 162, "hostname": 56 }, "indicator_count": 989, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d04548fc66ec860b90063e", "name": "ffbbbvhfdvjfbvjhfdvjhbfdv", "description": "", "modified": "2026-04-03T22:55:04.612000", "created": "2026-04-03T22:55:04.612000", "tags": [ "a6 https", "a5 https" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 70, "URL": 659, "FileHash-MD5": 54, "FileHash-SHA1": 47, "FileHash-SHA256": 107, "IPv4": 4250, "email": 1, "hostname": 33 }, "indicator_count": 5221, "is_author": false, "is_subscribing": null, "subscriber_count": 18, "modified_text": "20 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cea01b6001284aa29ee861", "name": "TI Advisory No-ESAF-SOC-TI-2026-311 - 317", "description": "", "modified": "2026-04-02T16:58:03.861000", "created": "2026-04-02T16:58:03.861000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SOC__critical43", "id": "361186", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 27, "FileHash-MD5": 26, "FileHash-SHA1": 26, "FileHash-SHA256": 26, "hostname": 3, "domain": 4 }, "indicator_count": 112, "is_author": false, "is_subscribing": null, "subscriber_count": 21, "modified_text": "21 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69ce90cf55aaaa63b38e43a7", "name": "Operation NoVoice: Rootkit Tells No Tales", "description": "Operation Novoice is a sophisticated Android rootkit campaign uncovered by McAfee's mobile research team, leveraging vulnerabilities that were patched between 2016 and 2021. Devices with a security patch level of May 1, 2021, or later are not vulnerable to the specific exploits discovered, although patched devices that downloaded these malicious apps may still be at risk of unknown payloads. The rootkit is distributed via seemingly benign apps available on Google Play, masquerading as utilities like cleaners or games. Once installed, these apps silently communicate with a command-and-control (C2) server to identify device specifics and download tailored root exploits. Successful exploitation grants attackers complete control over the device, allowing them to inject malicious code into any application, notably targeting WhatsApp to facilitate session theft.", "modified": "2026-04-02T15:52:47.452000", "created": "2026-04-02T15:52:47.452000", "tags": [ "control servers", "carrier app", "samples" ], "references": [ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-research-operation-novoice-rootkit-malware-android/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1407", "name": "Download New Code at Runtime", "display_name": "T1407 - Download New Code at Runtime" } ], "industries": [ "Transportation" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 50, "domain": 1, "hostname": 14 }, "indicator_count": 69, "is_author": false, "is_subscribing": null, "subscriber_count": 173, "modified_text": "21 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-research-operation-novoice-rootkit-malware-android/", "Book1.csv" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "The Gentlemen, Augmented Marauder, Yurei Ransomware, Xloader, ClickFix campaign delivering XWorm V5." ], "malware_families": [], "industries": [ "Transportation" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "69d73f806377e1786da61411", "name": "EbeeApril2026 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-09T05:56:16.764000", "created": "2026-04-09T05:56:16.764000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1" ], "references": [ "Book1.csv" ], "public": 1, "adversary": "The Gentlemen, Augmented Marauder, Yurei Ransomware, Xloader, ClickFix campaign delivering XWorm V5.", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 96, "URL": 77, "FileHash-MD5": 180, "FileHash-SHA1": 136, "FileHash-SHA256": 280, "CVE": 2, "domain": 162, "hostname": 56 }, "indicator_count": 989, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d04548fc66ec860b90063e", "name": "ffbbbvhfdvjfbvjhfdvjhbfdv", "description": "", "modified": "2026-04-03T22:55:04.612000", "created": "2026-04-03T22:55:04.612000", "tags": [ "a6 https", "a5 https" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 70, "URL": 659, "FileHash-MD5": 54, "FileHash-SHA1": 47, "FileHash-SHA256": 107, "IPv4": 4250, "email": 1, "hostname": 33 }, "indicator_count": 5221, "is_author": false, "is_subscribing": null, "subscriber_count": 18, "modified_text": "20 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cea01b6001284aa29ee861", "name": "TI Advisory No-ESAF-SOC-TI-2026-311 - 317", "description": "", "modified": "2026-04-02T16:58:03.861000", "created": "2026-04-02T16:58:03.861000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "SOC__critical43", "id": "361186", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 27, "FileHash-MD5": 26, "FileHash-SHA1": 26, "FileHash-SHA256": 26, "hostname": 3, "domain": 4 }, "indicator_count": 112, "is_author": false, "is_subscribing": null, "subscriber_count": 21, "modified_text": "21 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69ce90cf55aaaa63b38e43a7", "name": "Operation NoVoice: Rootkit Tells No Tales", "description": "Operation Novoice is a sophisticated Android rootkit campaign uncovered by McAfee's mobile research team, leveraging vulnerabilities that were patched between 2016 and 2021. Devices with a security patch level of May 1, 2021, or later are not vulnerable to the specific exploits discovered, although patched devices that downloaded these malicious apps may still be at risk of unknown payloads. The rootkit is distributed via seemingly benign apps available on Google Play, masquerading as utilities like cleaners or games. Once installed, these apps silently communicate with a command-and-control (C2) server to identify device specifics and download tailored root exploits. Successful exploitation grants attackers complete control over the device, allowing them to inject malicious code into any application, notably targeting WhatsApp to facilitate session theft.", "modified": "2026-04-02T15:52:47.452000", "created": "2026-04-02T15:52:47.452000", "tags": [ "control servers", "carrier app", "samples" ], "references": [ "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-research-operation-novoice-rootkit-malware-android/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1407", "name": "Download New Code at Runtime", "display_name": "T1407 - Download New Code at Runtime" } ], "industries": [ "Transportation" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 50, "domain": 1, "hostname": 14 }, "indicator_count": 69, "is_author": false, "is_subscribing": null, "subscriber_count": 173, "modified_text": "21 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "98kk89.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "98kk89.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1777018236.0779026 }