{ "type": "Domain", "indicator": "abdulsa.ru", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/abdulsa.ru", "alexa": "http://www.alexa.com/siteinfo/abdulsa.ru", "indicator": "abdulsa.ru", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3599020854, "indicator": "abdulsa.ru", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 15, "pulses": [ { "id": "63a23e0f836cbe86e53b447b", "name": "Russia\u2019s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine", "description": "As the conflict has continued on the ground and in cyberspace, Trident Ursa has been operating as a dedicated access creator and intelligence gatherer. Trident Ursa remains one of the most pervasive, intrusive, continuously active and focused APTs targeting Ukraine.", "modified": "2023-01-19T22:04:44.402000", "created": "2022-12-20T22:58:23.105000", "tags": [ "ukraine", "russia", "trident ursa", "gamaredon", "dns flux", "phishing", "maldocs", "apt" ], "references": [ "https://unit42.paloaltonetworks.com/trident-ursa/", "https://github.com/pan-unit42/iocs/blob/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt" ], "public": 1, "adversary": "Trident Ursa", "targeted_countries": [ "Ukraine" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 502, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 84, "FileHash-SHA1": 86, "FileHash-SHA256": 229, "URL": 3, "domain": 555, "hostname": 7 }, "indicator_count": 964, "is_author": false, "is_subscribing": null, "subscriber_count": 386611, "modified_text": "1228 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5fa1ee5c64dc0e2060647954", "name": "Malware - Malware Domain Feed V2 - November 03 2020", "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-05-31T01:17:54.397000", "created": "2020-11-03T23:57:16.317000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 130798, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo_testing", "id": "83138", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 45551, "domain": 66446 }, "indicator_count": 111997, "is_author": false, "is_subscribing": null, "subscriber_count": 971, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66d90549c1c51747a7e34358", "name": "Russia\u2019s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine (by AlienVault) enriched", "description": "", "modified": "2024-09-05T01:11:35.635000", "created": "2024-09-05T01:11:35.635000", "tags": [], "references": [ "63a23e0f836cbe86e53b447b.csv", "https://unit42.paloaltonetworks.com/trident-ursa/" ], "public": 1, "adversary": "Trident Ursa", "targeted_countries": [ "Ukraine" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 152, "FileHash-SHA1": 153, "FileHash-SHA256": 238, "URL": 2890, "domain": 557, "hostname": 1230 }, "indicator_count": 5220, "is_author": false, "is_subscribing": null, "subscriber_count": 185, "modified_text": "634 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c2b5461ad2cb2f9e8d342d", "name": "Malware - Malware Domain Feed V2 - 11.93.2020 [Pulse by otxrobottwo_testing]", "description": "", "modified": "2024-02-06T22:40:06.188000", "created": "2024-02-06T22:40:06.188000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "5fa1ee5c64dc0e2060647954", "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 45530, "domain": 66406 }, "indicator_count": 111936, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "845 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c2b543bc2adfd3eca5ff2b", "name": "Malware - Malware Domain Feed V2 - 11.93.2020 [Pulse by otxrobottwo_testing]", "description": "", "modified": "2024-02-06T22:40:03.501000", "created": "2024-02-06T22:40:03.501000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "5fa1ee5c64dc0e2060647954", "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 45530, "domain": 66406 }, "indicator_count": 111936, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "845 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c2b5405e6e9e23324e6d8e", "name": "Malware - Malware Domain Feed V2 - 11.93.2020 [Pulse by otxrobottwo_testing]", "description": "", "modified": "2024-02-06T22:40:00.906000", "created": "2024-02-06T22:40:00.906000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "5fa1ee5c64dc0e2060647954", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 45530, "domain": 66406 }, "indicator_count": 111936, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "845 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570978ad58c756caaaf65fa", "name": "v2 - shopping_iframe_driver.js - and Related Hashes Samples that dropped this file", "description": "", "modified": "2023-12-06T15:47:22.317000", "created": "2023-12-06T15:47:22.317000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 521, "domain": 104, "hostname": 376, "URL": 1169, "FileHash-MD5": 8, "FileHash-SHA1": 2, "email": 1 }, "indicator_count": 2181, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63f62965a39ad88202f75fca", "name": "v2 - shopping_iframe_driver.js - and Related Hashes Samples that dropped this file", "description": "Here is the full report on the Falcon Sandbox malware analysis service, available to download and view at www.falcon.com (formerly Falcon MalQuery) and the BBC iPlayer.", "modified": "2023-03-24T14:03:40.832000", "created": "2023-02-22T14:40:37.370000", "tags": [ "docmarina", "qchlemail", "utfx86", "payment advice", "note", "vendor", "gf5de", "confirm", "payment receipt", "ach transfer", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "ansi", "runtime data", "memoryfile scan", "ck id", "array", "typeerror", "typeof symbol", "mitre att", "show technique", "ck matrix", "date", "path", "error", "generator", "suspicious", "format", "void", "hybrid", "model", "general", "close", "click", "ransomware", "february", "strings", "malicious", "00eb49d81e1ca0b23a15e3d902e3ee40f5069da86e6f31d79424e97c70471d56", "shopping_iframe_driver.js" ], "references": [ "00eb49d81e1ca0b23a15e3d902e3ee40f5069da86e6f31d79424e97c70471d56", "https://hybrid-analysis.com/sample/00eb49d81e1ca0b23a15e3d902e3ee40f5069da86e6f31d79424e97c70471d56/63f3de2280658c708b639a72" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 376, "URL": 1169, "domain": 104, "FileHash-SHA256": 521, "FileHash-MD5": 8, "FileHash-SHA1": 2, "email": 1 }, "indicator_count": 2181, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "1164 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63a40a100ba18d2e54d9183d", "name": "Russia\u2019s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine", "description": "RMPAC7/202 2/002 /1163 Data 21/12/2022 Gamaredon Group: continuano le operazioni cibernetiche dopo l\u2019invasione dell\u2019Ucraina", "modified": "2023-01-21T07:03:04.851000", "created": "2022-12-22T07:41:04.705000", "tags": [ "Gamaredon Group" ], "references": [ "2656787.misp-json", "https://unit42.paloaltonetworks.com/trident-ursa/", "https://github.com/pan-unit42/iocs/blob/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt", "https://t.me/s/chabgei", "https://t.me/s/chanellsac", "https://t.me/s/chanelwer", "https://t.me/s/digitli", "https://t.me/s/dracarc", "https://t.me/s/lnk_44", "https://t.me/s/lnk153", "https://t.me/s/newtesta1", "https://t.me/s/templ36", "https://t.me/s/topnewsas", "https://t.me/s/toporsa", "https://t.me/s/vozmoz2", "https://t.me/s/vzloms", "https://t.me/s/vzloms_9", "https://t.me/s/zalup2", "https://t.me/s/zapula2", "https://t.me/vbs_run14" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "otx_support", "id": "26678", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 32, "domain": 553, "FileHash-SHA256": 221, "FileHash-MD5": 40, "FileHash-SHA1": 40 }, "indicator_count": 886, "is_author": false, "is_subscribing": null, "subscriber_count": 210, "modified_text": "1226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63be858391c37e13461193a9", "name": "Russia\u2019s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine", "description": "", "modified": "2023-01-21T07:03:04.851000", "created": "2023-01-11T09:46:43.811000", "tags": [ "Trident Ursa", "Gamaredon" ], "references": [ "https://unit42.paloaltonetworks.com/trident-ursa/", "https://github.com/pan-unit42/iocs/blob/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt", "" ], "public": 1, "adversary": "", "targeted_countries": [ "Ukraine" ], "malware_families": [], "attack_ids": [ { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": "63a40a100ba18d2e54d9183d", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rlawlgh827", "id": "208771", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 32, "domain": 553, "FileHash-SHA256": 241, "FileHash-MD5": 40, "FileHash-SHA1": 40, "URL": 17 }, "indicator_count": 923, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "1226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63a2cca0231f4704fb04c1c8", "name": "Russia\u2019s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine", "description": "As the conflict has continued on the ground and in cyberspace, Trident Ursa has been operating as a dedicated access creator and intelligence gatherer. Trident Ursa remains one of the most pervasive, intrusive, continuously active and focused APTs targeting Ukraine.", "modified": "2023-01-20T09:00:00.250000", "created": "2022-12-21T09:06:40.834000", "tags": [ "domain", "ip address", "sample", "url https", "Gamaredon" ], "references": [ "https://raw.githubusercontent.com/pan-unit42/iocs/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 32, "URL": 17, "FileHash-MD5": 96, "FileHash-SHA1": 96, "FileHash-SHA256": 241, "domain": 564 }, "indicator_count": 1046, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "1227 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63a2aa8a89150b046cc1e835", "name": "Russia\u2019s Trident Ursa ( Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine", "description": "", "modified": "2023-01-19T22:04:44.402000", "created": "2022-12-21T06:41:14.278000", "tags": [ "ukraine", "russia", "trident ursa", "gamaredon", "dns flux", "phishing", "maldocs", "apt" ], "references": [ "https://unit42.paloaltonetworks.com/trident-ursa/", "https://github.com/pan-unit42/iocs/blob/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt" ], "public": 1, "adversary": "Trident Ursa", "targeted_countries": [ "Ukraine" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" } ], "industries": [], "TLP": "white", "cloned_from": "63a23e0f836cbe86e53b447b", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "tr2222200", "id": "207905", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 84, "FileHash-SHA1": 86, "FileHash-SHA256": 229, "URL": 3, "domain": 555, "hostname": 7 }, "indicator_count": 964, "is_author": false, "is_subscribing": null, "subscriber_count": 188, "modified_text": "1228 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63a2d2a332d80ccb63f9ad94", "name": "Russia\u2019s Trident Ursa ( Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine", "description": "", "modified": "2023-01-19T22:04:44.402000", "created": "2022-12-21T09:32:19.584000", "tags": [ "ukraine", "russia", "trident ursa", "gamaredon", "dns flux", "phishing", "maldocs", "apt" ], "references": [ "https://unit42.paloaltonetworks.com/trident-ursa/", "https://github.com/pan-unit42/iocs/blob/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt" ], "public": 1, "adversary": "Trident Ursa", "targeted_countries": [ "Ukraine" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" } ], "industries": [], "TLP": "white", "cloned_from": "63a2aa8a89150b046cc1e835", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 84, "FileHash-SHA1": 86, "FileHash-SHA256": 229, "URL": 3, "domain": 555, "hostname": 7 }, "indicator_count": 964, "is_author": false, "is_subscribing": null, "subscriber_count": 279, "modified_text": "1228 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63a1d1716eb178021b496cf5", "name": "Russia\u2019s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine", "description": "Unit 42, a Palo Alto Networks cybersecurity research team, provides an update on Russia's advanced persistent threat (APT) group, Trident Ursa, which invaded Ukraine in February 2014 and continues to operate in cyberspace.", "modified": "2023-01-19T15:03:30.493000", "created": "2022-12-20T15:14:57.164000", "tags": [ "threatactor/gamaredon", "threatactor/tridentursa", "threatactor.primitivebear", "threatactor/actinium" ], "references": [ "https://unit42.paloaltonetworks.com/trident-ursa/#post-126209-_dyzu0g9z3zwx", "https://github.com/pan-unit42/iocs/blob/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt" ], "public": 1, "adversary": "Gamaredon", "targeted_countries": [ "Ukraine" ], "malware_families": [ { "id": "Shadow Chaser", "display_name": "Shadow Chaser", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "eric.ford", "id": "42510", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 101, "FileHash-SHA1": 102, "FileHash-SHA256": 255, "URL": 4, "domain": 578, "hostname": 7 }, "indicator_count": 1047, "is_author": false, "is_subscribing": null, "subscriber_count": 132, "modified_text": "1228 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63927aba1bf50333fd984d42", "name": "Twitter Feed - 500mk500 - 08-12-2022", "description": "", "modified": "2023-01-08T00:01:11.493000", "created": "2022-12-09T00:00:58.008000", "tags": [], "references": [ "https://twitter.com/500mk500/status/1600854614097772546", "https://twitter.com/500mk500/status/1600856764723138560" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 10, "hostname": 1 }, "indicator_count": 11, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "1240 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://t.me/s/lnk153", "", "00eb49d81e1ca0b23a15e3d902e3ee40f5069da86e6f31d79424e97c70471d56", "https://unit42.paloaltonetworks.com/trident-ursa/#post-126209-_dyzu0g9z3zwx", "https://hybrid-analysis.com/sample/00eb49d81e1ca0b23a15e3d902e3ee40f5069da86e6f31d79424e97c70471d56/63f3de2280658c708b639a72", "https://t.me/s/chabgei", "https://raw.githubusercontent.com/pan-unit42/iocs/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt", "https://t.me/s/templ36", "https://t.me/s/zalup2", "https://t.me/s/lnk_44", "https://t.me/s/dracarc", "https://t.me/s/zapula2", "https://twitter.com/500mk500/status/1600856764723138560", "https://t.me/s/vzloms_9", "https://t.me/s/vozmoz2", "https://t.me/vbs_run14", "2656787.misp-json", "https://t.me/s/chanellsac", "https://unit42.paloaltonetworks.com/trident-ursa/", "https://github.com/pan-unit42/iocs/blob/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt", "https://t.me/s/vzloms", "https://t.me/s/toporsa", "https://t.me/s/digitli", "https://t.me/s/newtesta1", "https://t.me/s/topnewsas", "63a23e0f836cbe86e53b447b.csv", "https://twitter.com/500mk500/status/1600854614097772546", "https://t.me/s/chanelwer" ], "related": { "alienvault": { "adversary": [ "Trident Ursa" ], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Gamaredon", "Trident Ursa" ], "malware_families": [ "Shadow chaser" ], "industries": [ "Government" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 15, "pulses": [ { "id": "63a23e0f836cbe86e53b447b", "name": "Russia\u2019s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine", "description": "As the conflict has continued on the ground and in cyberspace, Trident Ursa has been operating as a dedicated access creator and intelligence gatherer. Trident Ursa remains one of the most pervasive, intrusive, continuously active and focused APTs targeting Ukraine.", "modified": "2023-01-19T22:04:44.402000", "created": "2022-12-20T22:58:23.105000", "tags": [ "ukraine", "russia", "trident ursa", "gamaredon", "dns flux", "phishing", "maldocs", "apt" ], "references": [ "https://unit42.paloaltonetworks.com/trident-ursa/", "https://github.com/pan-unit42/iocs/blob/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt" ], "public": 1, "adversary": "Trident Ursa", "targeted_countries": [ "Ukraine" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 502, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 84, "FileHash-SHA1": 86, "FileHash-SHA256": 229, "URL": 3, "domain": 555, "hostname": 7 }, "indicator_count": 964, "is_author": false, "is_subscribing": null, "subscriber_count": 386611, "modified_text": "1228 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5fa1ee5c64dc0e2060647954", "name": "Malware - Malware Domain Feed V2 - November 03 2020", "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-05-31T01:17:54.397000", "created": "2020-11-03T23:57:16.317000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 130798, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo_testing", "id": "83138", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 45551, "domain": 66446 }, "indicator_count": 111997, "is_author": false, "is_subscribing": null, "subscriber_count": 971, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66d90549c1c51747a7e34358", "name": "Russia\u2019s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine (by AlienVault) enriched", "description": "", "modified": "2024-09-05T01:11:35.635000", "created": "2024-09-05T01:11:35.635000", "tags": [], "references": [ "63a23e0f836cbe86e53b447b.csv", "https://unit42.paloaltonetworks.com/trident-ursa/" ], "public": 1, "adversary": "Trident Ursa", "targeted_countries": [ "Ukraine" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 152, "FileHash-SHA1": 153, "FileHash-SHA256": 238, "URL": 2890, "domain": 557, "hostname": 1230 }, "indicator_count": 5220, "is_author": false, "is_subscribing": null, "subscriber_count": 185, "modified_text": "634 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c2b5461ad2cb2f9e8d342d", "name": "Malware - Malware Domain Feed V2 - 11.93.2020 [Pulse by otxrobottwo_testing]", "description": "", "modified": "2024-02-06T22:40:06.188000", "created": "2024-02-06T22:40:06.188000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "5fa1ee5c64dc0e2060647954", "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 45530, "domain": 66406 }, "indicator_count": 111936, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "845 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c2b543bc2adfd3eca5ff2b", "name": "Malware - Malware Domain Feed V2 - 11.93.2020 [Pulse by otxrobottwo_testing]", "description": "", "modified": "2024-02-06T22:40:03.501000", "created": "2024-02-06T22:40:03.501000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "5fa1ee5c64dc0e2060647954", "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 45530, "domain": 66406 }, "indicator_count": 111936, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "845 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c2b5405e6e9e23324e6d8e", "name": "Malware - Malware Domain Feed V2 - 11.93.2020 [Pulse by otxrobottwo_testing]", "description": "", "modified": "2024-02-06T22:40:00.906000", "created": "2024-02-06T22:40:00.906000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "5fa1ee5c64dc0e2060647954", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 45530, "domain": 66406 }, "indicator_count": 111936, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "845 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6570978ad58c756caaaf65fa", "name": "v2 - shopping_iframe_driver.js - and Related Hashes Samples that dropped this file", "description": "", "modified": "2023-12-06T15:47:22.317000", "created": "2023-12-06T15:47:22.317000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 521, "domain": 104, "hostname": 376, "URL": 1169, "FileHash-MD5": 8, "FileHash-SHA1": 2, "email": 1 }, "indicator_count": 2181, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63f62965a39ad88202f75fca", "name": "v2 - shopping_iframe_driver.js - and Related Hashes Samples that dropped this file", "description": "Here is the full report on the Falcon Sandbox malware analysis service, available to download and view at www.falcon.com (formerly Falcon MalQuery) and the BBC iPlayer.", "modified": "2023-03-24T14:03:40.832000", "created": "2023-02-22T14:40:37.370000", "tags": [ "docmarina", "qchlemail", "utfx86", "payment advice", "note", "vendor", "gf5de", "confirm", "payment receipt", "ach transfer", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "ansi", "runtime data", "memoryfile scan", "ck id", "array", "typeerror", "typeof symbol", "mitre att", "show technique", "ck matrix", "date", "path", "error", "generator", "suspicious", "format", "void", "hybrid", "model", "general", "close", "click", "ransomware", "february", "strings", "malicious", "00eb49d81e1ca0b23a15e3d902e3ee40f5069da86e6f31d79424e97c70471d56", "shopping_iframe_driver.js" ], "references": [ "00eb49d81e1ca0b23a15e3d902e3ee40f5069da86e6f31d79424e97c70471d56", "https://hybrid-analysis.com/sample/00eb49d81e1ca0b23a15e3d902e3ee40f5069da86e6f31d79424e97c70471d56/63f3de2280658c708b639a72" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 376, "URL": 1169, "domain": 104, "FileHash-SHA256": 521, "FileHash-MD5": 8, "FileHash-SHA1": 2, "email": 1 }, "indicator_count": 2181, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "1164 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63a40a100ba18d2e54d9183d", "name": "Russia\u2019s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine", "description": "RMPAC7/202 2/002 /1163 Data 21/12/2022 Gamaredon Group: continuano le operazioni cibernetiche dopo l\u2019invasione dell\u2019Ucraina", "modified": "2023-01-21T07:03:04.851000", "created": "2022-12-22T07:41:04.705000", "tags": [ "Gamaredon Group" ], "references": [ "2656787.misp-json", "https://unit42.paloaltonetworks.com/trident-ursa/", "https://github.com/pan-unit42/iocs/blob/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt", "https://t.me/s/chabgei", "https://t.me/s/chanellsac", "https://t.me/s/chanelwer", "https://t.me/s/digitli", "https://t.me/s/dracarc", "https://t.me/s/lnk_44", "https://t.me/s/lnk153", "https://t.me/s/newtesta1", "https://t.me/s/templ36", "https://t.me/s/topnewsas", "https://t.me/s/toporsa", "https://t.me/s/vozmoz2", "https://t.me/s/vzloms", "https://t.me/s/vzloms_9", "https://t.me/s/zalup2", "https://t.me/s/zapula2", "https://t.me/vbs_run14" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "otx_support", "id": "26678", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 32, "domain": 553, "FileHash-SHA256": 221, "FileHash-MD5": 40, "FileHash-SHA1": 40 }, "indicator_count": 886, "is_author": false, "is_subscribing": null, "subscriber_count": 210, "modified_text": "1226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63be858391c37e13461193a9", "name": "Russia\u2019s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine", "description": "", "modified": "2023-01-21T07:03:04.851000", "created": "2023-01-11T09:46:43.811000", "tags": [ "Trident Ursa", "Gamaredon" ], "references": [ "https://unit42.paloaltonetworks.com/trident-ursa/", "https://github.com/pan-unit42/iocs/blob/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt", "" ], "public": 1, "adversary": "", "targeted_countries": [ "Ukraine" ], "malware_families": [], "attack_ids": [ { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [ "Government" ], "TLP": "white", "cloned_from": "63a40a100ba18d2e54d9183d", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rlawlgh827", "id": "208771", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 32, "domain": 553, "FileHash-SHA256": 241, "FileHash-MD5": 40, "FileHash-SHA1": 40, "URL": 17 }, "indicator_count": 923, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "1226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "abdulsa.ru", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "abdulsa.ru", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780280408.1703582 }