{
  "type": "Domain",
  "indicator": "adminloader.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/adminloader.com",
    "alexa": "http://www.alexa.com/siteinfo/adminloader.com",
    "indicator": "adminloader.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 1581759345,
      "indicator": "adminloader.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 2,
      "pulses": [
        {
          "id": "5d97485c06f2ca33ff4c73a0",
          "name": "Chinese Cyber Espionage Group Attacking Asia",
          "description": "For three years, Unit 42 has tracked a set of cyber espionage attack campaigns across Asia, which used a mix of publicly available and custom malware. Unit 42 created the moniker \u201cPKPLUG\u201d for the threat actor group, or groups, behind these and other documented attacks referenced later in this report. We say group or groups as our current visibility doesn\u2019t allow us to determine with high confidence if this is the work of one group, or more than one group which uses the same tools and has the same tasking. The name comes from the tactic of delivering PlugX malware inside ZIP archive files as part of a DLL side-loading package. The ZIP file format contains the ASCII magic-bytes \u201cPK\u201d in its header, hence PKPLUG.",
          "modified": "2019-10-04T13:25:48.843000",
          "created": "2019-10-04T13:25:48.843000",
          "tags": [
            "plugx",
            "china"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/"
          ],
          "public": 1,
          "adversary": "PKPLUG",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 112,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3,
            "hostname": 42,
            "FileHash-SHA256": 470,
            "domain": 10,
            "FileHash-MD5": 6
          },
          "indicator_count": 531,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386528,
          "modified_text": "2430 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "5c7586b76fb6ab0ee2ee0779",
          "name": "Farseer: Previously Unknown Malware Family bolsters the Chinese armoury",
          "description": "Last year, Unit 42 wrote about a newly discovered espionage Android malware family, HenBox, which had countless features for spying on their victims \u2013 primarily the Uyghur population \u2013 including interaction with Xiaomi IoT devices, and the Chinese consumer electronics manufacturer\u2019s smart phones. \n\nThrough investigations into infrastructure used by HenBox malware, Unit 42 has discovered another malware family built for the more frequently-targeted Microsoft Windows operating system they named \u2018Farseer\u2019. As with HenBox, Farseer also has infrastructure ties to other malware, such as Poison Ivy, Zupdax, and PKPLUG. \n\nUnit 42 named this malware family Farseer due to a string found in the PDB path embedded within the executable files.",
          "modified": "2019-02-26T21:32:00.700000",
          "created": "2019-02-26T18:34:31.760000",
          "tags": [
            "Farseer",
            "HenBox",
            "Poison Ivy",
            "Zupdax",
            "PKPLUG"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/farseer-previously-unknown-malware-family-bolsters-the-chinese-armoury/"
          ],
          "public": 1,
          "adversary": "Farseer",
          "targeted_countries": [
            "China"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "NGO"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 36,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 6,
            "FileHash-SHA256": 34,
            "hostname": 10
          },
          "indicator_count": 50,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386531,
          "modified_text": "2650 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/",
        "https://unit42.paloaltonetworks.com/farseer-previously-unknown-malware-family-bolsters-the-chinese-armoury/"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "PKPLUG",
            "Farseer"
          ],
          "malware_families": [],
          "industries": [
            "Ngo"
          ]
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 2,
  "pulses": [
    {
      "id": "5d97485c06f2ca33ff4c73a0",
      "name": "Chinese Cyber Espionage Group Attacking Asia",
      "description": "For three years, Unit 42 has tracked a set of cyber espionage attack campaigns across Asia, which used a mix of publicly available and custom malware. Unit 42 created the moniker \u201cPKPLUG\u201d for the threat actor group, or groups, behind these and other documented attacks referenced later in this report. We say group or groups as our current visibility doesn\u2019t allow us to determine with high confidence if this is the work of one group, or more than one group which uses the same tools and has the same tasking. The name comes from the tactic of delivering PlugX malware inside ZIP archive files as part of a DLL side-loading package. The ZIP file format contains the ASCII magic-bytes \u201cPK\u201d in its header, hence PKPLUG.",
      "modified": "2019-10-04T13:25:48.843000",
      "created": "2019-10-04T13:25:48.843000",
      "tags": [
        "plugx",
        "china"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/"
      ],
      "public": 1,
      "adversary": "PKPLUG",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 112,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 3,
        "hostname": 42,
        "FileHash-SHA256": 470,
        "domain": 10,
        "FileHash-MD5": 6
      },
      "indicator_count": 531,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386528,
      "modified_text": "2430 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "5c7586b76fb6ab0ee2ee0779",
      "name": "Farseer: Previously Unknown Malware Family bolsters the Chinese armoury",
      "description": "Last year, Unit 42 wrote about a newly discovered espionage Android malware family, HenBox, which had countless features for spying on their victims \u2013 primarily the Uyghur population \u2013 including interaction with Xiaomi IoT devices, and the Chinese consumer electronics manufacturer\u2019s smart phones. \n\nThrough investigations into infrastructure used by HenBox malware, Unit 42 has discovered another malware family built for the more frequently-targeted Microsoft Windows operating system they named \u2018Farseer\u2019. As with HenBox, Farseer also has infrastructure ties to other malware, such as Poison Ivy, Zupdax, and PKPLUG. \n\nUnit 42 named this malware family Farseer due to a string found in the PDB path embedded within the executable files.",
      "modified": "2019-02-26T21:32:00.700000",
      "created": "2019-02-26T18:34:31.760000",
      "tags": [
        "Farseer",
        "HenBox",
        "Poison Ivy",
        "Zupdax",
        "PKPLUG"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/farseer-previously-unknown-malware-family-bolsters-the-chinese-armoury/"
      ],
      "public": 1,
      "adversary": "Farseer",
      "targeted_countries": [
        "China"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "NGO"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 36,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 6,
        "FileHash-SHA256": 34,
        "hostname": 10
      },
      "indicator_count": 50,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386531,
      "modified_text": "2650 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "adminloader.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "adminloader.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780211219.4873703
}