{ "type": "SHA256", "indicator": "a03705fc225dbcec7e3c2f06a258afe81b5d88aaff1368d10dd6ba4f0932be7c", "general": { "sections": [ "general", "analysis" ], "type": "sha256", "type_title": "FileHash-SHA256", "indicator": "a03705fc225dbcec7e3c2f06a258afe81b5d88aaff1368d10dd6ba4f0932be7c", "validation": [], "base_indicator": { "id": 4335268944, "indicator": "78774672884f8cd7593fced3c7d1faa4", "type": "FileHash-MD5", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "69f25f09e5c3a33611f7cb16", "name": "DDoS-for-Hire Operation Exposed: How an Operator's Debug Build Unraveled a Commercial Game-Server Botnet", "description": "An exposed open directory on a Netherlands-hosted server revealed the complete operational toolkit of xlabs_v1, a Mirai-derived IoT botnet operated by an actor using the handle Tadashi. The operation provides DDoS-for-hire services specifically targeting game servers and Minecraft hosts through 21 distinct flood attack variants. The botnet exploits Android Debug Bridge (ADB) on TCP/5555 to compromise over 4 million potentially vulnerable IoT devices including Android TV boxes, smart TVs, and routers. The operation features bandwidth profiling to price-tier infected devices, ChaCha20 string encryption with cryptographic weaknesses, and competitor-eradication routines. Infrastructure analysis consolidated the entire operation within a single bulletproof /24 netblock in the Netherlands, with co-located cryptojacking infrastructure also identified.", "modified": "2026-05-29T19:04:23.918000", "created": "2026-04-29T19:42:01.411000", "tags": [ "minecraft", "game server targeting", "ddos-for-hire", "mirai-derived", "vltrig", "xlabs_v1", "mirai", "bandwidth profiling", "iot botnet", "adb exploitation" ], "references": [ "https://hunt.io/blog/xlabs-v1-ddos-for-hire-operation-exposed" ], "public": 1, "adversary": "Tadashi", "targeted_countries": [], "malware_families": [ { "id": "xlabs_v1", "display_name": "xlabs_v1", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "VLTRig", "display_name": "VLTRig", "target": null } ], "attack_ids": [ { "id": "T1222.002", "name": "Linux and Mac File and Directory Permissions Modification", "display_name": "T1222.002 - Linux and Mac File and Directory Permissions Modification" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1205", "name": "Traffic Signaling", "display_name": "T1205 - Traffic Signaling" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1090.002", "name": "External Proxy", "display_name": "T1090.002 - External Proxy" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1564.003", "name": "Hidden Window", "display_name": "T1564.003 - Hidden Window" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1595.001", "name": "Scanning IP Blocks", "display_name": "T1595.001 - Scanning IP Blocks" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" } ], "industries": [ "Hospitality" ], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 6 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 386445, "modified_text": "23 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69f8256aebb35e772fd1e967", "name": "DDoS-for-Hire Operation Exposed: How an Operator's Debug Build Unraveled a Commercial Game-Server Botnet", "description": "", "modified": "2026-05-29T19:04:23.918000", "created": "2026-05-04T04:49:46.002000", "tags": [ "minecraft", "game server targeting", "ddos-for-hire", "mirai-derived", "vltrig", "xlabs_v1", "mirai", "bandwidth profiling", "iot botnet", "adb exploitation" ], "references": [ "https://hunt.io/blog/xlabs-v1-ddos-for-hire-operation-exposed" ], "public": 1, "adversary": "Tadashi", "targeted_countries": [], "malware_families": [ { "id": "xlabs_v1", "display_name": "xlabs_v1", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "VLTRig", "display_name": "VLTRig", "target": null } ], "attack_ids": [ { "id": "T1222.002", "name": "Linux and Mac File and Directory Permissions Modification", "display_name": "T1222.002 - Linux and Mac File and Directory Permissions Modification" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1205", "name": "Traffic Signaling", "display_name": "T1205 - Traffic Signaling" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1090.002", "name": "External Proxy", "display_name": "T1090.002 - External Proxy" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1564.003", "name": "Hidden Window", "display_name": "T1564.003 - Hidden Window" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1595.001", "name": "Scanning IP Blocks", "display_name": "T1595.001 - Scanning IP Blocks" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" } ], "industries": [ "Hospitality" ], "TLP": "white", "cloned_from": "69f25f09e5c3a33611f7cb16", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 6 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "23 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69fbad82234fc33123b0ce6d", "name": "EbeeMay2026 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-06T21:07:14.769000", "created": "2026-05-06T21:07:14.769000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "filepath", "localappdata", "cve20250994 cve", "temp", "mutex", "local" ], "references": [ "IOCs-May1.csv" ], "public": 1, "adversary": "Trigona, PowerCod RAT, APT34, PhantomRaven, Hacked sites deliver infostealer, CloudZ RAT", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 80, "CIDR": 3, "CVE": 10, "FileHash-MD5": 154, "FileHash-SHA1": 140, "FileHash-SHA256": 219, "URL": 80, "domain": 82, "email": 8, "hostname": 60 }, "indicator_count": 836, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "23 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69f9fc6ef8b7d696ea6b9605", "name": "xlabs_v1 DDoS-for-Hire Operation Exposed: How an Operator's Debug Build Unraveled a Commercial Game-Server Botnet", "description": "", "modified": "2026-05-05T14:19:26.787000", "created": "2026-05-05T14:19:26.787000", "tags": [ "figure", "tcp80", "c2 domain", "offshore lc", "tadashi", "defense evasion", "tcp5555", "chacha20", "as214472", "netherlands", "april", "exploit", "mirai", "android", "persistence", "demo", "botnet", "bridge", "accept", "phishing", "telegram", "beyond", "close", "stop" ], "references": [ "https://hunt.io/blog/xlabs-v1-ddos-for-hire-operation-exposed" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1205", "name": "Traffic Signaling", "display_name": "T1205 - Traffic Signaling" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1499", "name": "Endpoint Denial of Service", "display_name": "T1499 - Endpoint Denial of Service" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "CIDR": 2, "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 6, "domain": 1 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "25 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69f4d52f3ac9e4314c193b68", "name": "pppppppppppppppppppppp", "description": "", "modified": "2026-05-01T16:30:39.392000", "created": "2026-05-01T16:30:39.392000", "tags": [ "ip address", "domain" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 3, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 1 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 19, "modified_text": "29 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69d3c83888c7ab2d407f07a6", "name": "Malicious_File | Apr 7, 2026", "description": "Malicious_File indicators. Date: Apr 7, 2026. Total: 543 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-04-06T14:50:32.031000", "created": "2026-04-06T14:50:32.031000", "tags": [ "malicious_file" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 543 }, "indicator_count": 543, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "54 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69d274cb5f0de164f9961284", "name": "Unknown | Apr 6, 2026", "description": "Unknown indicators. Date: Apr 6, 2026. Total: 224 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-04-05T14:42:19.281000", "created": "2026-04-05T14:42:19.281000", "tags": [ "unknown" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 224 }, "indicator_count": 224, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "55 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69d27468757aebd3918b663b", "name": "Malicious_File | Apr 6, 2026", "description": "Malicious_File indicators. Date: Apr 6, 2026. Total: 352 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-04-05T14:40:39.992000", "created": "2026-04-05T14:40:39.992000", "tags": [ "malicious_file" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 352 }, "indicator_count": 352, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "55 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 } ], "references": [ "https://ltna.com.au/cyber", "https://hunt.io/blog/xlabs-v1-ddos-for-hire-operation-exposed", "IOCs-May1.csv" ], "related": { "alienvault": { "adversary": [ "Tadashi" ], "malware_families": [ "Xlabs_v1", "Mirai", "Vltrig" ], "industries": [ "Hospitality" ] }, "other": { "adversary": [ "Trigona, PowerCod RAT, APT34, PhantomRaven, Hacked sites deliver infostealer, CloudZ RAT", "Tadashi" ], "malware_families": [ "Xlabs_v1", "Mirai", "Vltrig" ], "industries": [ "Hospitality" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "69f25f09e5c3a33611f7cb16", "name": "DDoS-for-Hire Operation Exposed: How an Operator's Debug Build Unraveled a Commercial Game-Server Botnet", "description": "An exposed open directory on a Netherlands-hosted server revealed the complete operational toolkit of xlabs_v1, a Mirai-derived IoT botnet operated by an actor using the handle Tadashi. The operation provides DDoS-for-hire services specifically targeting game servers and Minecraft hosts through 21 distinct flood attack variants. The botnet exploits Android Debug Bridge (ADB) on TCP/5555 to compromise over 4 million potentially vulnerable IoT devices including Android TV boxes, smart TVs, and routers. The operation features bandwidth profiling to price-tier infected devices, ChaCha20 string encryption with cryptographic weaknesses, and competitor-eradication routines. Infrastructure analysis consolidated the entire operation within a single bulletproof /24 netblock in the Netherlands, with co-located cryptojacking infrastructure also identified.", "modified": "2026-05-29T19:04:23.918000", "created": "2026-04-29T19:42:01.411000", "tags": [ "minecraft", "game server targeting", "ddos-for-hire", "mirai-derived", "vltrig", "xlabs_v1", "mirai", "bandwidth profiling", "iot botnet", "adb exploitation" ], "references": [ "https://hunt.io/blog/xlabs-v1-ddos-for-hire-operation-exposed" ], "public": 1, "adversary": "Tadashi", "targeted_countries": [], "malware_families": [ { "id": "xlabs_v1", "display_name": "xlabs_v1", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "VLTRig", "display_name": "VLTRig", "target": null } ], "attack_ids": [ { "id": "T1222.002", "name": "Linux and Mac File and Directory Permissions Modification", "display_name": "T1222.002 - Linux and Mac File and Directory Permissions Modification" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1205", "name": "Traffic Signaling", "display_name": "T1205 - Traffic Signaling" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1090.002", "name": "External Proxy", "display_name": "T1090.002 - External Proxy" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1564.003", "name": "Hidden Window", "display_name": "T1564.003 - Hidden Window" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1595.001", "name": "Scanning IP Blocks", "display_name": "T1595.001 - Scanning IP Blocks" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" } ], "industries": [ "Hospitality" ], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 6 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 386445, "modified_text": "23 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69f8256aebb35e772fd1e967", "name": "DDoS-for-Hire Operation Exposed: How an Operator's Debug Build Unraveled a Commercial Game-Server Botnet", "description": "", "modified": "2026-05-29T19:04:23.918000", "created": "2026-05-04T04:49:46.002000", "tags": [ "minecraft", "game server targeting", "ddos-for-hire", "mirai-derived", "vltrig", "xlabs_v1", "mirai", "bandwidth profiling", "iot botnet", "adb exploitation" ], "references": [ "https://hunt.io/blog/xlabs-v1-ddos-for-hire-operation-exposed" ], "public": 1, "adversary": "Tadashi", "targeted_countries": [], "malware_families": [ { "id": "xlabs_v1", "display_name": "xlabs_v1", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "VLTRig", "display_name": "VLTRig", "target": null } ], "attack_ids": [ { "id": "T1222.002", "name": "Linux and Mac File and Directory Permissions Modification", "display_name": "T1222.002 - Linux and Mac File and Directory Permissions Modification" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1205", "name": "Traffic Signaling", "display_name": "T1205 - Traffic Signaling" }, { "id": "T1562.004", "name": "Disable or Modify System Firewall", "display_name": "T1562.004 - Disable or Modify System Firewall" }, { "id": "T1090.002", "name": "External Proxy", "display_name": "T1090.002 - External Proxy" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1564.003", "name": "Hidden Window", "display_name": "T1564.003 - Hidden Window" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1595.001", "name": "Scanning IP Blocks", "display_name": "T1595.001 - Scanning IP Blocks" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" } ], "industries": [ "Hospitality" ], "TLP": "white", "cloned_from": "69f25f09e5c3a33611f7cb16", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 6 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "23 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69fbad82234fc33123b0ce6d", "name": "EbeeMay2026 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-06T21:07:14.769000", "created": "2026-05-06T21:07:14.769000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "filepath", "localappdata", "cve20250994 cve", "temp", "mutex", "local" ], "references": [ "IOCs-May1.csv" ], "public": 1, "adversary": "Trigona, PowerCod RAT, APT34, PhantomRaven, Hacked sites deliver infostealer, CloudZ RAT", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 80, "CIDR": 3, "CVE": 10, "FileHash-MD5": 154, "FileHash-SHA1": 140, "FileHash-SHA256": 219, "URL": 80, "domain": 82, "email": 8, "hostname": 60 }, "indicator_count": 836, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "23 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69f9fc6ef8b7d696ea6b9605", "name": "xlabs_v1 DDoS-for-Hire Operation Exposed: How an Operator's Debug Build Unraveled a Commercial Game-Server Botnet", "description": "", "modified": "2026-05-05T14:19:26.787000", "created": "2026-05-05T14:19:26.787000", "tags": [ "figure", "tcp80", "c2 domain", "offshore lc", "tadashi", "defense evasion", "tcp5555", "chacha20", "as214472", "netherlands", "april", "exploit", "mirai", "android", "persistence", "demo", "botnet", "bridge", "accept", "phishing", "telegram", "beyond", "close", "stop" ], "references": [ "https://hunt.io/blog/xlabs-v1-ddos-for-hire-operation-exposed" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1008", "name": "Fallback Channels", "display_name": "T1008 - Fallback Channels" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1205", "name": "Traffic Signaling", "display_name": "T1205 - Traffic Signaling" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1499", "name": "Endpoint Denial of Service", "display_name": "T1499 - Endpoint Denial of Service" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "CIDR": 2, "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 6, "domain": 1 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "25 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69f4d52f3ac9e4314c193b68", "name": "pppppppppppppppppppppp", "description": "", "modified": "2026-05-01T16:30:39.392000", "created": "2026-05-01T16:30:39.392000", "tags": [ "ip address", "domain" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 3, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 1 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 19, "modified_text": "29 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69d3c83888c7ab2d407f07a6", "name": "Malicious_File | Apr 7, 2026", "description": "Malicious_File indicators. Date: Apr 7, 2026. Total: 543 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-04-06T14:50:32.031000", "created": "2026-04-06T14:50:32.031000", "tags": [ "malicious_file" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 543 }, "indicator_count": 543, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "54 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69d274cb5f0de164f9961284", "name": "Unknown | Apr 6, 2026", "description": "Unknown indicators. Date: Apr 6, 2026. Total: 224 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-04-05T14:42:19.281000", "created": "2026-04-05T14:42:19.281000", "tags": [ "unknown" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 224 }, "indicator_count": 224, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "55 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69d27468757aebd3918b663b", "name": "Malicious_File | Apr 6, 2026", "description": "Malicious_File indicators. Date: Apr 6, 2026. Total: 352 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-04-05T14:40:39.992000", "created": "2026-04-05T14:40:39.992000", "tags": [ "malicious_file" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 352 }, "indicator_count": 352, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "55 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "a03705fc225dbcec7e3c2f06a258afe81b5d88aaff1368d10dd6ba4f0932be7c", "type": "Hash" }, "abuseipdb": null, "urlhaus": { "indicator": "a03705fc225dbcec7e3c2f06a258afe81b5d88aaff1368d10dd6ba4f0932be7c", "found": true, "verdict": "malicious", "file_type": "elf", "file_size": "68276", "md5": "78774672884f8cd7593fced3c7d1faa4", "sha256": "a03705fc225dbcec7e3c2f06a258afe81b5d88aaff1368d10dd6ba4f0932be7c", "signature": "Mirai", "first_seen": "2026-04-05", "last_seen": "2026-04-30", "url_count": "1", "urls": [ { "url": "http://176.65.139.44/arm7", "status": "offline", "threat": "", "date_added": "", "tags": [] } ], "error": null }, "from_cache": true, "_cached_at": 1780165403.2339404 }