{ "type": "Domain", "indicator": "adbufrd.cn", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/adbufrd.cn", "alexa": "http://www.alexa.com/siteinfo/adbufrd.cn", "indicator": "adbufrd.cn", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4320967119, "indicator": "adbufrd.cn", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "69f32bff38251e177e78b526", "name": "EbeeApril2026 Pt7", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:16:31.340000", "tags": [ "filehashsha256", "filehashsha1", "filehashmd5", "cve20243721 cve" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "GopherWhisper, Seedworm (MuddyWater), Adware Bundles Delivering RAT, Donot", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 63, "CVE": 8, "FileHash-MD5": 216, "FileHash-SHA1": 220, "FileHash-SHA256": 246, "domain": 98, "hostname": 95 }, "indicator_count": 946, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "13 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e0c75ee5ca57ac39bdda56", "name": "EbeeApril2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-22T23:04:42.859000", "created": "2026-04-16T11:26:22.347000", "tags": [], "references": [ "IOCs.April.pdf" ], "public": 1, "adversary": "STX RAT, Deploying NetSupport RAT via Compromised Websites, AngrySpark, Abusing n8n platform", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 8, "FileHash-MD5": 223, "FileHash-SHA1": 235, "FileHash-SHA256": 214, "URL": 54, "domain": 70, "hostname": 64 }, "indicator_count": 868, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e71c0b2acb92c1534b0b1c", "name": "IOC - \u3010\u5929\u7a79\u3011\u6697\u5ea6\u9648\u4ed3\uff1a\u94f6\u72d0\u767d\u5229\u7528\u6280\u672f\u5347\u7ea7", "description": "\u5929\u7a79\u6c99\u7bb1\u8fd1\u671f\u6355\u83b7\u5e76\u6df1\u5ea6\u5206\u6790\u4e86\u4e00\u7c7b\u5177\u5907\u73af\u5883\u81ea\u9002\u5e94\u80fd\u529b\u7684\u9ad8\u7ea7\u6076\u610f\u6837\u672c\u3002\u8fd9\u4e9b\u6837\u672c\u5728\u521d\u59cb\u6267\u884c\u9636\u6bb5\u4f1a\u4e3b\u52a8\u63a2\u6d4b\u7cfb\u7edf\u662f\u5426\u5b89\u88c5 360sd.exe \u6216 ZhuDongFangYu.exe\uff0c\u5e76\u6839\u636e\u63a2\u6d4b\u7ed3\u679c\u52a8\u6001\u5207\u6362\u653b\u51fb\u8def\u5f84\uff1a\n\n\u7b56\u7565\u4e00\uff08\u68c0\u6d4b\u5230\u5b89\u5168\u8f6f\u4ef6\uff09\uff1a\u91c7\u7528 .URL \u70ed\u952e\u5feb\u6377\u65b9\u5f0f + \u6587\u4ef6\u5173\u8054\u52ab\u6301 + \u6a21\u62df\u6309\u952e\u89e6\u53d1\u7684\u7ec4\u5408\u94fe\uff0c\u901a\u8fc7\u7ec8\u6b62\u5e76\u91cd\u542f explorer.exe \u5b8c\u6210\u9690\u853d\u6295\u9012\uff0c\u6700\u7ec8\u5c06\u8f7d\u8377\u7cbe\u51c6\u91ca\u653e\u81f3\u5f00\u673a\u542f\u52a8\u9879\u3002\n\n\u7b56\u7565\u4e8c\uff08\u8f7d\u8377\u6267\u884c\u4e0eC2\u901a\u4fe1\uff09\uff1a\u65e0\u8bba\u901a\u8fc7\u4f55\u79cd\u8def\u5f84\u6295\u9012\uff0c\u6700\u7ec8\u5747\u4f1a\u5229\u7528\u201c\u767d\u52a0\u9ed1\u201d\u6280\u672f\u52a0\u8f7d sgfeedbackhelper.exe \u4e0e HWSignature.dll\uff0c\u5728\u5185\u5b58\u4e2d\u53cd\u5c04\u6267\u884c Shellcode\uff0c\u5e76\u76f4\u8fde C2 \u670d\u52a1\u5668 206.238.180[.]192\u3002", "modified": "2026-05-21T06:02:23.735000", "created": "2026-04-21T06:41:15.539000", "tags": [], "references": [ "https://mp.weixin.qq.com/s?src=11×tamp=1776753382&ver=6673&signature=nvFZvgrm5lPSc7hes3djnDVxg2NR*Zyrta4yP9rtJQUSmWdCYS-T7XC-3d5Ih036-cC1k4X6UMFf9QF3gUpa2BRE9srrW-fe8BduQ9dyGFxdgCcwEsM4g3h7keHcAj5i&new=1" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "URL": 1, "domain": 1 }, "indicator_count": 4, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "IOCs.April.pdf", "https://mp.weixin.qq.com/s?src=11×tamp=1776753382&ver=6673&signature=nvFZvgrm5lPSc7hes3djnDVxg2NR*Zyrta4yP9rtJQUSmWdCYS-T7XC-3d5Ih036-cC1k4X6UMFf9QF3gUpa2BRE9srrW-fe8BduQ9dyGFxdgCcwEsM4g3h7keHcAj5i&new=1", "IOCs.2026.csv" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "STX RAT, Deploying NetSupport RAT via Compromised Websites, AngrySpark, Abusing n8n platform", "GopherWhisper, Seedworm (MuddyWater), Adware Bundles Delivering RAT, Donot" ], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "69f32bff38251e177e78b526", "name": "EbeeApril2026 Pt7", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:16:31.340000", "tags": [ "filehashsha256", "filehashsha1", "filehashmd5", "cve20243721 cve" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "GopherWhisper, Seedworm (MuddyWater), Adware Bundles Delivering RAT, Donot", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 63, "CVE": 8, "FileHash-MD5": 216, "FileHash-SHA1": 220, "FileHash-SHA256": 246, "domain": 98, "hostname": 95 }, "indicator_count": 946, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "13 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e0c75ee5ca57ac39bdda56", "name": "EbeeApril2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-22T23:04:42.859000", "created": "2026-04-16T11:26:22.347000", "tags": [], "references": [ "IOCs.April.pdf" ], "public": 1, "adversary": "STX RAT, Deploying NetSupport RAT via Compromised Websites, AngrySpark, Abusing n8n platform", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 8, "FileHash-MD5": 223, "FileHash-SHA1": 235, "FileHash-SHA256": 214, "URL": 54, "domain": 70, "hostname": 64 }, "indicator_count": 868, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e71c0b2acb92c1534b0b1c", "name": "IOC - \u3010\u5929\u7a79\u3011\u6697\u5ea6\u9648\u4ed3\uff1a\u94f6\u72d0\u767d\u5229\u7528\u6280\u672f\u5347\u7ea7", "description": "\u5929\u7a79\u6c99\u7bb1\u8fd1\u671f\u6355\u83b7\u5e76\u6df1\u5ea6\u5206\u6790\u4e86\u4e00\u7c7b\u5177\u5907\u73af\u5883\u81ea\u9002\u5e94\u80fd\u529b\u7684\u9ad8\u7ea7\u6076\u610f\u6837\u672c\u3002\u8fd9\u4e9b\u6837\u672c\u5728\u521d\u59cb\u6267\u884c\u9636\u6bb5\u4f1a\u4e3b\u52a8\u63a2\u6d4b\u7cfb\u7edf\u662f\u5426\u5b89\u88c5 360sd.exe \u6216 ZhuDongFangYu.exe\uff0c\u5e76\u6839\u636e\u63a2\u6d4b\u7ed3\u679c\u52a8\u6001\u5207\u6362\u653b\u51fb\u8def\u5f84\uff1a\n\n\u7b56\u7565\u4e00\uff08\u68c0\u6d4b\u5230\u5b89\u5168\u8f6f\u4ef6\uff09\uff1a\u91c7\u7528 .URL \u70ed\u952e\u5feb\u6377\u65b9\u5f0f + \u6587\u4ef6\u5173\u8054\u52ab\u6301 + \u6a21\u62df\u6309\u952e\u89e6\u53d1\u7684\u7ec4\u5408\u94fe\uff0c\u901a\u8fc7\u7ec8\u6b62\u5e76\u91cd\u542f explorer.exe \u5b8c\u6210\u9690\u853d\u6295\u9012\uff0c\u6700\u7ec8\u5c06\u8f7d\u8377\u7cbe\u51c6\u91ca\u653e\u81f3\u5f00\u673a\u542f\u52a8\u9879\u3002\n\n\u7b56\u7565\u4e8c\uff08\u8f7d\u8377\u6267\u884c\u4e0eC2\u901a\u4fe1\uff09\uff1a\u65e0\u8bba\u901a\u8fc7\u4f55\u79cd\u8def\u5f84\u6295\u9012\uff0c\u6700\u7ec8\u5747\u4f1a\u5229\u7528\u201c\u767d\u52a0\u9ed1\u201d\u6280\u672f\u52a0\u8f7d sgfeedbackhelper.exe \u4e0e HWSignature.dll\uff0c\u5728\u5185\u5b58\u4e2d\u53cd\u5c04\u6267\u884c Shellcode\uff0c\u5e76\u76f4\u8fde C2 \u670d\u52a1\u5668 206.238.180[.]192\u3002", "modified": "2026-05-21T06:02:23.735000", "created": "2026-04-21T06:41:15.539000", "tags": [], "references": [ "https://mp.weixin.qq.com/s?src=11×tamp=1776753382&ver=6673&signature=nvFZvgrm5lPSc7hes3djnDVxg2NR*Zyrta4yP9rtJQUSmWdCYS-T7XC-3d5Ih036-cC1k4X6UMFf9QF3gUpa2BRE9srrW-fe8BduQ9dyGFxdgCcwEsM4g3h7keHcAj5i&new=1" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "URL": 1, "domain": 1 }, "indicator_count": 4, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "adbufrd.cn", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "adbufrd.cn", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780185582.7318275 }