{
  "type": "MD5",
  "indicator": "a85459a1ec90a52b5c1f2f5a12bb2d10",
  "general": {
    "sections": [
      "general",
      "analysis"
    ],
    "type": "md5",
    "type_title": "FileHash-MD5",
    "indicator": "a85459a1ec90a52b5c1f2f5a12bb2d10",
    "validation": [],
    "base_indicator": {
      "id": 4336935439,
      "indicator": "884601e54fc2e6833167d33436b68e952020cdb99507b2807feec1bc086027c2",
      "type": "FileHash-SHA256",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 5,
      "pulses": [
        {
          "id": "69f3a95eda9a5492f5d1b6f4",
          "name": "Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia",
          "description": "A China-aligned threat group designated SHADOW-EARTH-053 has been conducting cyberespionage operations against government entities and critical infrastructure across at least eight countries in South, East, and Southeast Asia, plus one NATO member state, since December 2024. The group exploits unpatched Microsoft Exchange vulnerabilities, particularly the ProxyLogon chain, to gain initial access and deploys GODZILLA web shells for persistence. ShadowPad implants are staged via DLL sideloading of legitimate signed executables. Nearly half of the compromised environments showed overlap with another intrusion set, SHADOW-EARTH-054, sharing identical tooling including Evil-CreateDump and IOX proxy. The attackers conduct extensive Active Directory reconnaissance, credential harvesting, and mailbox exfiltration targeting high-profile government officials and defense contractors. Multiple tunneling tools including GOST and Wstunnel establish covert command-and-control channels, while lateral movement leverages WM...",
          "modified": "2026-05-30T19:00:26.349000",
          "created": "2026-04-30T19:11:26.525000",
          "tags": [
            "vshell",
            "proxylogon exploitation",
            "godzilla",
            "exchange server compromise",
            "ringq",
            "godzilla webshell",
            "shadowpad",
            "noodlerat"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/26/d/inside-shadow-earth-053.html"
          ],
          "public": 1,
          "adversary": "SHADOW-EARTH-053",
          "targeted_countries": [
            "British Indian Ocean Territory",
            "India",
            "Malaysia",
            "Myanmar",
            "Pakistan",
            "Poland",
            "Sri Lanka",
            "Taiwan",
            "Thailand"
          ],
          "malware_families": [
            {
              "id": "GODZILLA",
              "display_name": "GODZILLA",
              "target": null
            },
            {
              "id": "ShadowPad - S0596",
              "display_name": "ShadowPad - S0596",
              "target": null
            },
            {
              "id": "POISONPLUG.SHADOW",
              "display_name": "POISONPLUG.SHADOW",
              "target": null
            },
            {
              "id": "NOODLERAT",
              "display_name": "NOODLERAT",
              "target": null
            },
            {
              "id": "RingQ",
              "display_name": "RingQ",
              "target": null
            },
            {
              "id": "IOX",
              "display_name": "IOX",
              "target": null
            },
            {
              "id": "VShell",
              "display_name": "VShell",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1560.001",
              "name": "Archive via Utility",
              "display_name": "T1560.001 - Archive via Utility"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1003.002",
              "name": "Security Account Manager",
              "display_name": "T1003.002 - Security Account Manager"
            },
            {
              "id": "T1087.002",
              "name": "Domain Account",
              "display_name": "T1087.002 - Domain Account"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1021.002",
              "name": "SMB/Windows Admin Shares",
              "display_name": "T1021.002 - SMB/Windows Admin Shares"
            },
            {
              "id": "T1505.003",
              "name": "Web Shell",
              "display_name": "T1505.003 - Web Shell"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1003.001",
              "name": "LSASS Memory",
              "display_name": "T1003.001 - LSASS Memory"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1574.002",
              "name": "DLL Side-Loading",
              "display_name": "T1574.002 - DLL Side-Loading"
            },
            {
              "id": "T1003.006",
              "name": "DCSync",
              "display_name": "T1003.006 - DCSync"
            },
            {
              "id": "T1090.001",
              "name": "Internal Proxy",
              "display_name": "T1090.001 - Internal Proxy"
            }
          ],
          "industries": [
            "Government",
            "Defense",
            "Technology",
            "Transportation"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "FileHash-SHA1": 24,
            "FileHash-SHA256": 36,
            "IPv4": 2,
            "domain": 3,
            "hostname": 18,
            "CVE": 5
          },
          "indicator_count": 94,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386446,
          "modified_text": "38 minutes ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-SHA1",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f97a64033cedf372cf42a0",
          "name": "Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia",
          "description": "",
          "modified": "2026-05-30T19:00:26.349000",
          "created": "2026-05-05T05:04:36.248000",
          "tags": [
            "vshell",
            "proxylogon exploitation",
            "godzilla",
            "exchange server compromise",
            "ringq",
            "godzilla webshell",
            "shadowpad",
            "noodlerat"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/26/d/inside-shadow-earth-053.html"
          ],
          "public": 1,
          "adversary": "SHADOW-EARTH-053",
          "targeted_countries": [
            "British Indian Ocean Territory",
            "India",
            "Malaysia",
            "Myanmar",
            "Pakistan",
            "Poland",
            "Sri Lanka",
            "Taiwan",
            "Thailand"
          ],
          "malware_families": [
            {
              "id": "GODZILLA",
              "display_name": "GODZILLA",
              "target": null
            },
            {
              "id": "ShadowPad - S0596",
              "display_name": "ShadowPad - S0596",
              "target": null
            },
            {
              "id": "POISONPLUG.SHADOW",
              "display_name": "POISONPLUG.SHADOW",
              "target": null
            },
            {
              "id": "NOODLERAT",
              "display_name": "NOODLERAT",
              "target": null
            },
            {
              "id": "RingQ",
              "display_name": "RingQ",
              "target": null
            },
            {
              "id": "IOX",
              "display_name": "IOX",
              "target": null
            },
            {
              "id": "VShell",
              "display_name": "VShell",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1560.001",
              "name": "Archive via Utility",
              "display_name": "T1560.001 - Archive via Utility"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1003.002",
              "name": "Security Account Manager",
              "display_name": "T1003.002 - Security Account Manager"
            },
            {
              "id": "T1087.002",
              "name": "Domain Account",
              "display_name": "T1087.002 - Domain Account"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1021.002",
              "name": "SMB/Windows Admin Shares",
              "display_name": "T1021.002 - SMB/Windows Admin Shares"
            },
            {
              "id": "T1505.003",
              "name": "Web Shell",
              "display_name": "T1505.003 - Web Shell"
            },
            {
              "id": "T1021.006",
              "name": "Windows Remote Management",
              "display_name": "T1021.006 - Windows Remote Management"
            },
            {
              "id": "T1003.001",
              "name": "LSASS Memory",
              "display_name": "T1003.001 - LSASS Memory"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1114.002",
              "name": "Remote Email Collection",
              "display_name": "T1114.002 - Remote Email Collection"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1574.002",
              "name": "DLL Side-Loading",
              "display_name": "T1574.002 - DLL Side-Loading"
            },
            {
              "id": "T1003.006",
              "name": "DCSync",
              "display_name": "T1003.006 - DCSync"
            },
            {
              "id": "T1090.001",
              "name": "Internal Proxy",
              "display_name": "T1090.001 - Internal Proxy"
            }
          ],
          "industries": [
            "Government",
            "Defense",
            "Technology",
            "Transportation"
          ],
          "TLP": "white",
          "cloned_from": "69f3a95eda9a5492f5d1b6f4",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "FileHash-SHA1": 24,
            "FileHash-SHA256": 40,
            "domain": 3,
            "hostname": 18,
            "CVE": 5
          },
          "indicator_count": 96,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 276,
          "modified_text": "38 minutes ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-SHA1",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a12fc685c724f6f873953e6",
          "name": "EbeeMay2026 Pt4",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-05-24T13:26:00.146000",
          "created": "2026-05-24T13:26:00.146000",
          "tags": [
            "filehashsha256",
            "filehashmd5",
            "filehashsha1",
            "cve20232868 cve",
            "cve20231389 cve",
            "cve20214034 cve",
            "cve20213493 cve"
          ],
          "references": [
            "IOCs-MAY2.csv"
          ],
          "public": 1,
          "adversary": "Deploy Shai-Hulud Clones, Banana RAT, P2Pinfect Kubernetes Compromise, TamperedChef",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 71,
            "URL": 59,
            "FileHash-MD5": 169,
            "FileHash-SHA1": 153,
            "FileHash-SHA256": 225,
            "CIDR": 1,
            "CVE": 29,
            "domain": 128,
            "hostname": 111
          },
          "indicator_count": 946,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 39,
          "modified_text": "6 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-SHA1",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a0d8ae35723d0700ff3013f",
          "name": "SHADOW-EARTH-053 Uses Legacy Exchange Exploitation to Target Asia-Pacific Governments",
          "description": "The cyberespionage campaign known as SHADOW-EARTH-053 has been linked to a China-aligned threat actor. This campaign has specifically targeted government agencies, defense contractors, and critical infrastructure organizations across various countries in the Asia-Pacific region, employing a range of advanced exploitation and persistence techniques that mainly revolve around unpatched vulnerabilities in Microsoft Exchange and IIS.",
          "modified": "2026-05-20T10:20:19.042000",
          "created": "2026-05-20T10:20:19.042000",
          "tags": [
            "shadowearth053",
            "exchange",
            "shadowpad",
            "defense",
            "asia",
            "dll sideloading",
            "shadowearth054",
            "ministry",
            "southeast",
            "iis worker",
            "gost",
            "godzilla",
            "anydesk",
            "stack",
            "mimikatz",
            "third",
            "contact",
            "threat",
            "wstunnel"
          ],
          "references": [
            "https://blog.polyswarm.io/shadow-earth-053-uses-legacy-exchange-exploitation-to-target-asia-pacific-governments"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1003.001",
              "name": "LSASS Memory",
              "display_name": "T1003.001 - LSASS Memory"
            },
            {
              "id": "T1003.002",
              "name": "Security Account Manager",
              "display_name": "T1003.002 - Security Account Manager"
            },
            {
              "id": "T1003.006",
              "name": "DCSync",
              "display_name": "T1003.006 - DCSync"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1021.001",
              "name": "Remote Desktop Protocol",
              "display_name": "T1021.001 - Remote Desktop Protocol"
            },
            {
              "id": "T1021.002",
              "name": "SMB/Windows Admin Shares",
              "display_name": "T1021.002 - SMB/Windows Admin Shares"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1069.002",
              "name": "Domain Groups",
              "display_name": "T1069.002 - Domain Groups"
            },
            {
              "id": "T1087.002",
              "name": "Domain Account",
              "display_name": "T1087.002 - Domain Account"
            }
          ],
          "industries": [
            "Government",
            "Defense",
            "Transportation",
            "Technology",
            "Critical Infrastructure",
            "Consulting"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 33,
            "FileHash-MD5": 12,
            "FileHash-SHA1": 12,
            "FileHash-SHA256": 13
          },
          "indicator_count": 70,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 539,
          "modified_text": "10 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-SHA1",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f8fcb054d52df9fcf32d55",
          "name": "TI Advisory No-ESAF-SOC-TI-2026-441-443",
          "description": "",
          "modified": "2026-05-04T20:08:16.187000",
          "created": "2026-05-04T20:08:16.187000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "SOC__critical43",
            "id": "361186",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 21,
            "FileHash-SHA1": 21,
            "FileHash-SHA256": 21,
            "IPv4": 9,
            "domain": 5,
            "hostname": 27
          },
          "indicator_count": 104,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 23,
          "modified_text": "25 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-SHA1",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/26/d/inside-shadow-earth-053.html",
        "IOCs-MAY2.csv",
        "https://blog.polyswarm.io/shadow-earth-053-uses-legacy-exchange-exploitation-to-target-asia-pacific-governments"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "SHADOW-EARTH-053"
          ],
          "malware_families": [
            "Vshell",
            "Noodlerat",
            "Shadowpad - s0596",
            "Poisonplug.shadow",
            "Godzilla",
            "Iox",
            "Ringq"
          ],
          "industries": [
            "Transportation",
            "Government",
            "Defense",
            "Technology"
          ]
        },
        "other": {
          "adversary": [
            "SHADOW-EARTH-053",
            "Deploy Shai-Hulud Clones, Banana RAT, P2Pinfect Kubernetes Compromise, TamperedChef"
          ],
          "malware_families": [
            "Vshell",
            "Noodlerat",
            "Shadowpad - s0596",
            "Poisonplug.shadow",
            "Godzilla",
            "Iox",
            "Ringq"
          ],
          "industries": [
            "Defense",
            "Critical infrastructure",
            "Consulting",
            "Government",
            "Technology",
            "Transportation"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 5,
  "pulses": [
    {
      "id": "69f3a95eda9a5492f5d1b6f4",
      "name": "Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia",
      "description": "A China-aligned threat group designated SHADOW-EARTH-053 has been conducting cyberespionage operations against government entities and critical infrastructure across at least eight countries in South, East, and Southeast Asia, plus one NATO member state, since December 2024. The group exploits unpatched Microsoft Exchange vulnerabilities, particularly the ProxyLogon chain, to gain initial access and deploys GODZILLA web shells for persistence. ShadowPad implants are staged via DLL sideloading of legitimate signed executables. Nearly half of the compromised environments showed overlap with another intrusion set, SHADOW-EARTH-054, sharing identical tooling including Evil-CreateDump and IOX proxy. The attackers conduct extensive Active Directory reconnaissance, credential harvesting, and mailbox exfiltration targeting high-profile government officials and defense contractors. Multiple tunneling tools including GOST and Wstunnel establish covert command-and-control channels, while lateral movement leverages WM...",
      "modified": "2026-05-30T19:00:26.349000",
      "created": "2026-04-30T19:11:26.525000",
      "tags": [
        "vshell",
        "proxylogon exploitation",
        "godzilla",
        "exchange server compromise",
        "ringq",
        "godzilla webshell",
        "shadowpad",
        "noodlerat"
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/26/d/inside-shadow-earth-053.html"
      ],
      "public": 1,
      "adversary": "SHADOW-EARTH-053",
      "targeted_countries": [
        "British Indian Ocean Territory",
        "India",
        "Malaysia",
        "Myanmar",
        "Pakistan",
        "Poland",
        "Sri Lanka",
        "Taiwan",
        "Thailand"
      ],
      "malware_families": [
        {
          "id": "GODZILLA",
          "display_name": "GODZILLA",
          "target": null
        },
        {
          "id": "ShadowPad - S0596",
          "display_name": "ShadowPad - S0596",
          "target": null
        },
        {
          "id": "POISONPLUG.SHADOW",
          "display_name": "POISONPLUG.SHADOW",
          "target": null
        },
        {
          "id": "NOODLERAT",
          "display_name": "NOODLERAT",
          "target": null
        },
        {
          "id": "RingQ",
          "display_name": "RingQ",
          "target": null
        },
        {
          "id": "IOX",
          "display_name": "IOX",
          "target": null
        },
        {
          "id": "VShell",
          "display_name": "VShell",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1560.001",
          "name": "Archive via Utility",
          "display_name": "T1560.001 - Archive via Utility"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1003.002",
          "name": "Security Account Manager",
          "display_name": "T1003.002 - Security Account Manager"
        },
        {
          "id": "T1087.002",
          "name": "Domain Account",
          "display_name": "T1087.002 - Domain Account"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1021.002",
          "name": "SMB/Windows Admin Shares",
          "display_name": "T1021.002 - SMB/Windows Admin Shares"
        },
        {
          "id": "T1505.003",
          "name": "Web Shell",
          "display_name": "T1505.003 - Web Shell"
        },
        {
          "id": "T1021.006",
          "name": "Windows Remote Management",
          "display_name": "T1021.006 - Windows Remote Management"
        },
        {
          "id": "T1003.001",
          "name": "LSASS Memory",
          "display_name": "T1003.001 - LSASS Memory"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1114.002",
          "name": "Remote Email Collection",
          "display_name": "T1114.002 - Remote Email Collection"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1574.002",
          "name": "DLL Side-Loading",
          "display_name": "T1574.002 - DLL Side-Loading"
        },
        {
          "id": "T1003.006",
          "name": "DCSync",
          "display_name": "T1003.006 - DCSync"
        },
        {
          "id": "T1090.001",
          "name": "Internal Proxy",
          "display_name": "T1090.001 - Internal Proxy"
        }
      ],
      "industries": [
        "Government",
        "Defense",
        "Technology",
        "Transportation"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "FileHash-SHA1": 24,
        "FileHash-SHA256": 36,
        "IPv4": 2,
        "domain": 3,
        "hostname": 18,
        "CVE": 5
      },
      "indicator_count": 94,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386446,
      "modified_text": "38 minutes ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-SHA1",
      "related_indicator_is_active": 1
    },
    {
      "id": "69f97a64033cedf372cf42a0",
      "name": "Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia",
      "description": "",
      "modified": "2026-05-30T19:00:26.349000",
      "created": "2026-05-05T05:04:36.248000",
      "tags": [
        "vshell",
        "proxylogon exploitation",
        "godzilla",
        "exchange server compromise",
        "ringq",
        "godzilla webshell",
        "shadowpad",
        "noodlerat"
      ],
      "references": [
        "https://www.trendmicro.com/en_us/research/26/d/inside-shadow-earth-053.html"
      ],
      "public": 1,
      "adversary": "SHADOW-EARTH-053",
      "targeted_countries": [
        "British Indian Ocean Territory",
        "India",
        "Malaysia",
        "Myanmar",
        "Pakistan",
        "Poland",
        "Sri Lanka",
        "Taiwan",
        "Thailand"
      ],
      "malware_families": [
        {
          "id": "GODZILLA",
          "display_name": "GODZILLA",
          "target": null
        },
        {
          "id": "ShadowPad - S0596",
          "display_name": "ShadowPad - S0596",
          "target": null
        },
        {
          "id": "POISONPLUG.SHADOW",
          "display_name": "POISONPLUG.SHADOW",
          "target": null
        },
        {
          "id": "NOODLERAT",
          "display_name": "NOODLERAT",
          "target": null
        },
        {
          "id": "RingQ",
          "display_name": "RingQ",
          "target": null
        },
        {
          "id": "IOX",
          "display_name": "IOX",
          "target": null
        },
        {
          "id": "VShell",
          "display_name": "VShell",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1560.001",
          "name": "Archive via Utility",
          "display_name": "T1560.001 - Archive via Utility"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1003.002",
          "name": "Security Account Manager",
          "display_name": "T1003.002 - Security Account Manager"
        },
        {
          "id": "T1087.002",
          "name": "Domain Account",
          "display_name": "T1087.002 - Domain Account"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1021.002",
          "name": "SMB/Windows Admin Shares",
          "display_name": "T1021.002 - SMB/Windows Admin Shares"
        },
        {
          "id": "T1505.003",
          "name": "Web Shell",
          "display_name": "T1505.003 - Web Shell"
        },
        {
          "id": "T1021.006",
          "name": "Windows Remote Management",
          "display_name": "T1021.006 - Windows Remote Management"
        },
        {
          "id": "T1003.001",
          "name": "LSASS Memory",
          "display_name": "T1003.001 - LSASS Memory"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1114.002",
          "name": "Remote Email Collection",
          "display_name": "T1114.002 - Remote Email Collection"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1574.002",
          "name": "DLL Side-Loading",
          "display_name": "T1574.002 - DLL Side-Loading"
        },
        {
          "id": "T1003.006",
          "name": "DCSync",
          "display_name": "T1003.006 - DCSync"
        },
        {
          "id": "T1090.001",
          "name": "Internal Proxy",
          "display_name": "T1090.001 - Internal Proxy"
        }
      ],
      "industries": [
        "Government",
        "Defense",
        "Technology",
        "Transportation"
      ],
      "TLP": "white",
      "cloned_from": "69f3a95eda9a5492f5d1b6f4",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "FileHash-SHA1": 24,
        "FileHash-SHA256": 40,
        "domain": 3,
        "hostname": 18,
        "CVE": 5
      },
      "indicator_count": 96,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 276,
      "modified_text": "38 minutes ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-SHA1",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a12fc685c724f6f873953e6",
      "name": "EbeeMay2026 Pt4",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-05-24T13:26:00.146000",
      "created": "2026-05-24T13:26:00.146000",
      "tags": [
        "filehashsha256",
        "filehashmd5",
        "filehashsha1",
        "cve20232868 cve",
        "cve20231389 cve",
        "cve20214034 cve",
        "cve20213493 cve"
      ],
      "references": [
        "IOCs-MAY2.csv"
      ],
      "public": 1,
      "adversary": "Deploy Shai-Hulud Clones, Banana RAT, P2Pinfect Kubernetes Compromise, TamperedChef",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 71,
        "URL": 59,
        "FileHash-MD5": 169,
        "FileHash-SHA1": 153,
        "FileHash-SHA256": 225,
        "CIDR": 1,
        "CVE": 29,
        "domain": 128,
        "hostname": 111
      },
      "indicator_count": 946,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 39,
      "modified_text": "6 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-SHA1",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a0d8ae35723d0700ff3013f",
      "name": "SHADOW-EARTH-053 Uses Legacy Exchange Exploitation to Target Asia-Pacific Governments",
      "description": "The cyberespionage campaign known as SHADOW-EARTH-053 has been linked to a China-aligned threat actor. The campaign has targeted government agencies, defense contractors, and critical infrastructure organizations across several countries in the Asia-Pacific region, using a range of advanced exploitation and persistence techniques that mainly rely on unpatched vulnerabilities in Microsoft Exchange and IIS.",
      "modified": "2026-05-20T10:20:19.042000",
      "created": "2026-05-20T10:20:19.042000",
      "tags": [
        "shadowearth053",
        "exchange",
        "shadowpad",
        "defense",
        "asia",
        "dll sideloading",
        "shadowearth054",
        "ministry",
        "southeast",
        "iis worker",
        "gost",
        "godzilla",
        "anydesk",
        "stack",
        "mimikatz",
        "third",
        "contact",
        "threat",
        "wstunnel"
      ],
      "references": [
        "https://blog.polyswarm.io/shadow-earth-053-uses-legacy-exchange-exploitation-to-target-asia-pacific-governments"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1003.001",
          "name": "LSASS Memory",
          "display_name": "T1003.001 - LSASS Memory"
        },
        {
          "id": "T1003.002",
          "name": "Security Account Manager",
          "display_name": "T1003.002 - Security Account Manager"
        },
        {
          "id": "T1003.006",
          "name": "DCSync",
          "display_name": "T1003.006 - DCSync"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1021.001",
          "name": "Remote Desktop Protocol",
          "display_name": "T1021.001 - Remote Desktop Protocol"
        },
        {
          "id": "T1021.002",
          "name": "SMB/Windows Admin Shares",
          "display_name": "T1021.002 - SMB/Windows Admin Shares"
        },
        {
          "id": "T1046",
          "name": "Network Service Scanning",
          "display_name": "T1046 - Network Service Scanning"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1069.002",
          "name": "Domain Groups",
          "display_name": "T1069.002 - Domain Groups"
        },
        {
          "id": "T1087.002",
          "name": "Domain Account",
          "display_name": "T1087.002 - Domain Account"
        }
      ],
      "industries": [
        "Government",
        "Defense",
        "Transportation",
        "Technology",
        "Critical Infrastructure",
        "Consulting"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 33,
        "FileHash-MD5": 12,
        "FileHash-SHA1": 12,
        "FileHash-SHA256": 13
      },
      "indicator_count": 70,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 539,
      "modified_text": "10 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-SHA1",
      "related_indicator_is_active": 1
    },
    {
      "id": "69f8fcb054d52df9fcf32d55",
      "name": "TI Advisory No-ESAF-SOC-TI-2026-441-443",
      "description": "",
      "modified": "2026-05-04T20:08:16.187000",
      "created": "2026-05-04T20:08:16.187000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "SOC__critical43",
        "id": "361186",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 21,
        "FileHash-SHA1": 21,
        "FileHash-SHA256": 21,
        "IPv4": 9,
        "domain": 5,
        "hostname": 27
      },
      "indicator_count": 104,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 23,
      "modified_text": "25 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-SHA1",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "a85459a1ec90a52b5c1f2f5a12bb2d10",
    "type": "Hash"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "a85459a1ec90a52b5c1f2f5a12bb2d10",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780169944.6396601
}