{
  "type": "Domain",
  "indicator": "adobefileshare.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/adobefileshare.com",
    "alexa": "http://www.alexa.com/siteinfo/adobefileshare.com",
    "indicator": "adobefileshare.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 2284998203,
      "indicator": "adobefileshare.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 6,
      "pulses": [
        {
          "id": "69326c41d42decb549286c69",
          "name": "EbeeDec2025 Pt1",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-01-04T05:04:24.496000",
          "created": "2025-12-05T05:23:13.601000",
          "tags": [
            "filehashsha256",
            "filehashsha1",
            "filehashmd5",
            "cve20121823 cve",
            "cve20213156 cve",
            "cve20214034 cve",
            "cve20222588 cve"
          ],
          "references": [],
          "public": 1,
          "adversary": "APT-C-35 (DoNot), Morte Loader, FunkSec Ransomware, Albiriox, eBPF-based rootkits,  Arkanix Stealer",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 145,
            "FileHash-SHA1": 201,
            "FileHash-SHA256": 191,
            "CVE": 9,
            "URL": 35,
            "domain": 72,
            "email": 2,
            "hostname": 26
          },
          "indicator_count": 681,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 40,
          "modified_text": "147 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69329279adf6aee08f7d6c20",
          "name": "Analysis of the new Trojan StreamSpy using WebSocket, which is called Mahayana (APT-Q-36).",
          "description": "The analysis of the StreamSpy Trojan, also known as Mahayana and attributed to the APT-Q-36 group, identifies a sophisticated piece of malware designed for cyber espionage. This group, often referred to as Patchwork, has a history of operations targeting various sectors, particularly in Asia since 2009. The StreamSpy Trojan utilizes a hybrid communication approach, leveraging WebSocket in conjunction with HTTP protocols to establish connections with its command and control (C2) servers. This method enhances its ability to transmit commands and receive operational results while obscuring some of its traffic through the established connection.",
          "modified": "2025-12-05T08:06:17.655000",
          "created": "2025-12-05T08:06:17.655000",
          "tags": [
            "apt \u653b\u51fb",
            "\u6728\u9a6c",
            "streamspy",
            "prefix",
            "zipname",
            "spyder",
            "websocket",
            "http",
            "auth",
            "fidus software",
            "shellexecuteexw",
            "c0v3rt",
            "persistence",
            "stream",
            "maha grass",
            "spyder variant",
            "belly worm",
            "ioc md5",
            "belly"
          ],
          "references": [
            "https://zhuanlan.zhihu.com/p/1979499278541017681"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "military",
            "Government",
            "Education"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 9,
            "FileHash-SHA1": 9,
            "FileHash-SHA256": 9,
            "URL": 18,
            "domain": 7,
            "hostname": 4
          },
          "indicator_count": 56,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 539,
          "modified_text": "176 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69303ff3c0137a735bf43b91",
          "name": "Analysis of StreamSpy, a new Trojan horse utilizing WebSocket in Mahabusa (APT-Q-36)",
          "description": "The analysis of the StreamSpy Trojan, attributed to the Mahabusa group (also known as APT-Q-36), reveals its innovative use of WebSocket for communication, marking a significant evolution in its attack methodology. This group has been active for over a decade, with a focus on cyber espionage directed at various sectors in the Asian region, including government, military, energy, industrial, research, education, diplomacy, and economic organizations.\n\nStreamSpy leverages the WebSocket protocol to maintain persistent and real-time communication with its command and control (C2) servers, which allows for dynamic and covert data extraction. This technique presents advantages over traditional HTTP-based communications by facilitating a two-way interactive channel capable of bypassing certain network defenses. The use of WebSocket can also make traffic patterns harder to detect, increasing the malware's stealth and operational longevity.",
          "modified": "2025-12-03T13:49:39.511000",
          "created": "2025-12-03T13:49:39.511000",
          "tags": [
            "streamspy",
            "websocket",
            "spyder",
            "http",
            "prefix",
            "zipname",
            "auth",
            "c0v3rt",
            "fidus",
            "https",
            "persistence",
            "stream",
            "shell",
            "powershell",
            "donot",
            "alpha",
            "galaxy",
            "konni",
            "muddywater"
          ],
          "references": [
            "https://www.ctfiot.com/284804.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 9,
            "FileHash-SHA1": 9,
            "FileHash-SHA256": 9,
            "URL": 22,
            "domain": 6,
            "hostname": 4
          },
          "indicator_count": 60,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 539,
          "modified_text": "178 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "692fd63fde28839964296c8b",
          "name": "IOC - \u6469\u8bc3\u8349\uff08APT-Q-36\uff09\u5229\u7528 WebSocket \u7684\u65b0\u6728\u9a6c StreamSpy \u5206\u6790",
          "description": "\u6469\u8bc3\u8349\uff0c\u53c8\u540d Patchwork\u3001\u767d\u8c61\u3001Hangover\u3001Dropping Elephant \u7b49\uff0c\u5947\u5b89\u4fe1\u5185\u90e8\u8ddf\u8e2a\u7f16\u53f7 APT-Q-36\u3002\u8be5\u7ec4\u7ec7\u88ab\u666e\u904d\u8ba4\u4e3a\u5177\u6709\u5357\u4e9a\u5730\u533a\u80cc\u666f\uff0c\u5176\u6700\u65e9\u653b\u51fb\u6d3b\u52a8\u53ef\u8ffd\u6eaf\u5230 2009 \u5e74 11 \u6708\uff0c\u5df2\u6301\u7eed\u6d3b\u8dc3 10 \u4f59\u5e74\u3002\u8be5\u7ec4\u7ec7\u4e3b\u8981\u9488\u5bf9\u4e9a\u6d32\u5730\u533a\u7684\u56fd\u5bb6\u8fdb\u884c\u7f51\u7edc\u95f4\u8c0d\u6d3b\u52a8\uff0c\u653b\u51fb\u76ee\u6807\u5305\u62ec\u653f\u5e9c\u3001\u519b\u4e8b\u3001\u7535\u529b\u3001\u5de5\u4e1a\u3001\u79d1\u7814\u6559\u80b2\u3001\u5916\u4ea4\u548c\u7ecf\u6d4e\u7b49\u9886\u57df\u7684\u7ec4\u7ec7\u673a\u6784\u3002",
          "modified": "2025-12-03T06:18:39.254000",
          "created": "2025-12-03T06:18:39.254000",
          "tags": [
            "streamspy",
            "spyder"
          ],
          "references": [
            "https://www.ctfiot.com/284804.html"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 9,
            "FileHash-SHA1": 6,
            "FileHash-SHA256": 6,
            "URL": 15,
            "domain": 7,
            "hostname": 2
          },
          "indicator_count": 45,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 137,
          "modified_text": "179 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66ffdba22731ec82e7316d62",
          "name": "Cloudflare Threat Intelligence Research - Unraveling SloppyLemming\u2019s operations across South Asia",
          "description": "Cloudforce One has published the results of an investigation into SloppyLemming, an advanced cyber-espionage actor that targets South Asia and is believed to be targeting government and other institutions.",
          "modified": "2024-11-03T12:04:39.077000",
          "created": "2024-10-04T12:12:18.699000",
          "tags": [
            "cloudforce",
            "cloudforce one",
            "pakistan",
            "sloppylemming",
            "discord",
            "winrar",
            "internet",
            "sri lanka",
            "bangladesh",
            "cloudflare",
            "cobalt strike",
            "havoc",
            "indonesia",
            "mission",
            "zimbra",
            "ukraine",
            "powershell",
            "cookbox"
          ],
          "references": [
            "https://www.cloudflare.com/threat-intelligence/research/report/unraveling-sloppylemmings-operations-across-south-asia/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Pakistan",
            "Sri Lanka",
            "Bangladesh",
            "China",
            "Ukraine",
            "Indonesia",
            "Nepal"
          ],
          "malware_families": [
            {
              "id": "COOKBOX",
              "display_name": "COOKBOX",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1557",
              "name": "Man-in-the-Middle",
              "display_name": "T1557 - Man-in-the-Middle"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            }
          ],
          "industries": [
            "Government",
            "Energy",
            "Telecommunications",
            "Technology",
            "Military"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 35,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "jacksparrow",
            "id": "142887",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "URL": 2,
            "domain": 25,
            "hostname": 41
          },
          "indicator_count": 69,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 38,
          "modified_text": "573 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66f49586a28b75abe2652bb2",
          "name": "The Cloudflare Blog",
          "description": "Cloud service provider Cloudflare has revealed details of an advanced cyber-espionage campaign targeting South and East Asian countries in the early 2020s and early 21st Century, as part of its research into the threat.",
          "modified": "2024-10-25T22:05:50.417000",
          "created": "2024-09-25T22:58:14.597000",
          "tags": [
            "cloudforce",
            "cloudflare",
            "sloppylemming",
            "cloudforce one",
            "pakistan",
            "discord",
            "sha256 hash",
            "dropbox",
            "winrar",
            "internet",
            "path",
            "contact",
            "life",
            "click",
            "cobalt strike",
            "havoc",
            "indonesia",
            "police",
            "next",
            "mission",
            "zimbra",
            "download",
            "code",
            "malware",
            "ukraine",
            "body",
            "powershell",
            "suspicious",
            "cookbox"
          ],
          "references": [
            "https://blog.cloudflare.com/unraveling-sloppylemming-operations/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Pakistan",
            "Sri Lanka",
            "Bangladesh",
            "China",
            "Indonesia",
            "Nepal",
            "Ukraine"
          ],
          "malware_families": [
            {
              "id": "COOKBOX",
              "display_name": "COOKBOX",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1557",
              "name": "Man-in-the-Middle",
              "display_name": "T1557 - Man-in-the-Middle"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            }
          ],
          "industries": [
            "Government",
            "Energy",
            "Telecommunications",
            "Technology",
            "Military"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 25,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ChrisTan0",
            "id": "262536",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 3,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 11,
            "URL": 2,
            "domain": 25,
            "hostname": 43
          },
          "indicator_count": 88,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 45,
          "modified_text": "582 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.cloudflare.com/threat-intelligence/research/report/unraveling-sloppylemmings-operations-across-south-asia/",
        "https://zhuanlan.zhihu.com/p/1979499278541017681",
        "https://blog.cloudflare.com/unraveling-sloppylemming-operations/",
        "https://www.ctfiot.com/284804.html"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "APT-C-35 (DoNot), Morte Loader, FunkSec Ransomware, Albiriox, eBPF-based rootkits,  Arkanix Stealer"
          ],
          "malware_families": [
            "Cookbox"
          ],
          "industries": [
            "Energy",
            "Telecommunications",
            "Government",
            "Technology",
            "Education",
            "Military"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 6,
  "pulses": [
    {
      "id": "69326c41d42decb549286c69",
      "name": "EbeeDec2025 Pt1",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-01-04T05:04:24.496000",
      "created": "2025-12-05T05:23:13.601000",
      "tags": [
        "filehashsha256",
        "filehashsha1",
        "filehashmd5",
        "cve20121823 cve",
        "cve20213156 cve",
        "cve20214034 cve",
        "cve20222588 cve"
      ],
      "references": [],
      "public": 1,
      "adversary": "APT-C-35 (DoNot), Morte Loader, FunkSec Ransomware, Albiriox, eBPF-based rootkits,  Arkanix Stealer",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 145,
        "FileHash-SHA1": 201,
        "FileHash-SHA256": 191,
        "CVE": 9,
        "URL": 35,
        "domain": 72,
        "email": 2,
        "hostname": 26
      },
      "indicator_count": 681,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 40,
      "modified_text": "147 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69329279adf6aee08f7d6c20",
      "name": "Analysis of the new Trojan StreamSpy using WebSocket, which is called Mahayana (APT-Q-36).",
      "description": "The analysis of the StreamSpy Trojan, also known as Mahayana and attributed to the APT-Q-36 group, identifies a sophisticated piece of malware designed for cyber espionage. This group, often referred to as Patchwork, has a history of operations targeting various sectors, particularly in Asia since 2009. The StreamSpy Trojan utilizes a hybrid communication approach, leveraging WebSocket in conjunction with HTTP protocols to establish connections with its command and control (C2) servers. This method enhances its ability to transmit commands and receive operational results while obscuring some of its traffic through the established connection.",
      "modified": "2025-12-05T08:06:17.655000",
      "created": "2025-12-05T08:06:17.655000",
      "tags": [
        "apt \u653b\u51fb",
        "\u6728\u9a6c",
        "streamspy",
        "prefix",
        "zipname",
        "spyder",
        "websocket",
        "http",
        "auth",
        "fidus software",
        "shellexecuteexw",
        "c0v3rt",
        "persistence",
        "stream",
        "maha grass",
        "spyder variant",
        "belly worm",
        "ioc md5",
        "belly"
      ],
      "references": [
        "https://zhuanlan.zhihu.com/p/1979499278541017681"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "military",
        "Government",
        "Education"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 9,
        "FileHash-SHA1": 9,
        "FileHash-SHA256": 9,
        "URL": 18,
        "domain": 7,
        "hostname": 4
      },
      "indicator_count": 56,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 539,
      "modified_text": "176 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69303ff3c0137a735bf43b91",
      "name": "Analysis of StreamSpy, a new Trojan horse utilizing WebSocket in Mahabusa (APT-Q-36)",
      "description": "The analysis of the StreamSpy Trojan, attributed to the Mahabusa group (also known as APT-Q-36), reveals its innovative use of WebSocket for communication, marking a significant evolution in its attack methodology. This group has been active for over a decade, with a focus on cyber espionage directed at various sectors in the Asian region, including government, military, energy, industrial, research, education, diplomacy, and economic organizations.\n\nStreamSpy leverages the WebSocket protocol to maintain persistent and real-time communication with its command and control (C2) servers, which allows for dynamic and covert data extraction. This technique presents advantages over traditional HTTP-based communications by facilitating a two-way interactive channel capable of bypassing certain network defenses. The use of WebSocket can also make traffic patterns harder to detect, increasing the malware's stealth and operational longevity.",
      "modified": "2025-12-03T13:49:39.511000",
      "created": "2025-12-03T13:49:39.511000",
      "tags": [
        "streamspy",
        "websocket",
        "spyder",
        "http",
        "prefix",
        "zipname",
        "auth",
        "c0v3rt",
        "fidus",
        "https",
        "persistence",
        "stream",
        "shell",
        "powershell",
        "donot",
        "alpha",
        "galaxy",
        "konni",
        "muddywater"
      ],
      "references": [
        "https://www.ctfiot.com/284804.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 9,
        "FileHash-SHA1": 9,
        "FileHash-SHA256": 9,
        "URL": 22,
        "domain": 6,
        "hostname": 4
      },
      "indicator_count": 60,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 539,
      "modified_text": "178 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "692fd63fde28839964296c8b",
      "name": "IOC - \u6469\u8bc3\u8349\uff08APT-Q-36\uff09\u5229\u7528 WebSocket \u7684\u65b0\u6728\u9a6c StreamSpy \u5206\u6790",
      "description": "\u6469\u8bc3\u8349\uff0c\u53c8\u540d Patchwork\u3001\u767d\u8c61\u3001Hangover\u3001Dropping Elephant \u7b49\uff0c\u5947\u5b89\u4fe1\u5185\u90e8\u8ddf\u8e2a\u7f16\u53f7 APT-Q-36\u3002\u8be5\u7ec4\u7ec7\u88ab\u666e\u904d\u8ba4\u4e3a\u5177\u6709\u5357\u4e9a\u5730\u533a\u80cc\u666f\uff0c\u5176\u6700\u65e9\u653b\u51fb\u6d3b\u52a8\u53ef\u8ffd\u6eaf\u5230 2009 \u5e74 11 \u6708\uff0c\u5df2\u6301\u7eed\u6d3b\u8dc3 10 \u4f59\u5e74\u3002\u8be5\u7ec4\u7ec7\u4e3b\u8981\u9488\u5bf9\u4e9a\u6d32\u5730\u533a\u7684\u56fd\u5bb6\u8fdb\u884c\u7f51\u7edc\u95f4\u8c0d\u6d3b\u52a8\uff0c\u653b\u51fb\u76ee\u6807\u5305\u62ec\u653f\u5e9c\u3001\u519b\u4e8b\u3001\u7535\u529b\u3001\u5de5\u4e1a\u3001\u79d1\u7814\u6559\u80b2\u3001\u5916\u4ea4\u548c\u7ecf\u6d4e\u7b49\u9886\u57df\u7684\u7ec4\u7ec7\u673a\u6784\u3002",
      "modified": "2025-12-03T06:18:39.254000",
      "created": "2025-12-03T06:18:39.254000",
      "tags": [
        "streamspy",
        "spyder"
      ],
      "references": [
        "https://www.ctfiot.com/284804.html"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 9,
        "FileHash-SHA1": 6,
        "FileHash-SHA256": 6,
        "URL": 15,
        "domain": 7,
        "hostname": 2
      },
      "indicator_count": 45,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 137,
      "modified_text": "179 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "66ffdba22731ec82e7316d62",
      "name": "Cloudflare Threat Intelligence Research - Unraveling SloppyLemming\u2019s operations across South Asia",
      "description": "Cloudforce One has published the results of an investigation into SloppyLemming, an advanced cyber-espionage actor that targets South Asia and is believed to be targeting government and other institutions.",
      "modified": "2024-11-03T12:04:39.077000",
      "created": "2024-10-04T12:12:18.699000",
      "tags": [
        "cloudforce",
        "cloudforce one",
        "pakistan",
        "sloppylemming",
        "discord",
        "winrar",
        "internet",
        "sri lanka",
        "bangladesh",
        "cloudflare",
        "cobalt strike",
        "havoc",
        "indonesia",
        "mission",
        "zimbra",
        "ukraine",
        "powershell",
        "cookbox"
      ],
      "references": [
        "https://www.cloudflare.com/threat-intelligence/research/report/unraveling-sloppylemmings-operations-across-south-asia/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Pakistan",
        "Sri Lanka",
        "Bangladesh",
        "China",
        "Ukraine",
        "Indonesia",
        "Nepal"
      ],
      "malware_families": [
        {
          "id": "COOKBOX",
          "display_name": "COOKBOX",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1557",
          "name": "Man-in-the-Middle",
          "display_name": "T1557 - Man-in-the-Middle"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        }
      ],
      "industries": [
        "Government",
        "Energy",
        "Telecommunications",
        "Technology",
        "Military"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 35,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "jacksparrow",
        "id": "142887",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "URL": 2,
        "domain": 25,
        "hostname": 41
      },
      "indicator_count": 69,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 38,
      "modified_text": "573 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "66f49586a28b75abe2652bb2",
      "name": "The Cloudflare Blog",
      "description": "Cloud service provider Cloudflare has revealed details of an advanced cyber-espionage campaign targeting South and East Asian countries in the early 2020s, as part of its research into the threat.",
      "modified": "2024-10-25T22:05:50.417000",
      "created": "2024-09-25T22:58:14.597000",
      "tags": [
        "cloudforce",
        "cloudflare",
        "sloppylemming",
        "cloudforce one",
        "pakistan",
        "discord",
        "sha256 hash",
        "dropbox",
        "winrar",
        "internet",
        "path",
        "contact",
        "life",
        "click",
        "cobalt strike",
        "havoc",
        "indonesia",
        "police",
        "next",
        "mission",
        "zimbra",
        "download",
        "code",
        "malware",
        "ukraine",
        "body",
        "powershell",
        "suspicious",
        "cookbox"
      ],
      "references": [
        "https://blog.cloudflare.com/unraveling-sloppylemming-operations/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Pakistan",
        "Sri Lanka",
        "Bangladesh",
        "China",
        "Indonesia",
        "Nepal",
        "Ukraine"
      ],
      "malware_families": [
        {
          "id": "COOKBOX",
          "display_name": "COOKBOX",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1557",
          "name": "Man-in-the-Middle",
          "display_name": "T1557 - Man-in-the-Middle"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        }
      ],
      "industries": [
        "Government",
        "Energy",
        "Telecommunications",
        "Technology",
        "Military"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 25,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ChrisTan0",
        "id": "262536",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "FileHash-MD5": 3,
        "FileHash-SHA1": 3,
        "FileHash-SHA256": 11,
        "URL": 2,
        "domain": 25,
        "hostname": 43
      },
      "indicator_count": 88,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 45,
      "modified_text": "582 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached; no VirusTotal verdict was retrieved for this indicator, so the absence of a VirusTotal result here must not be read as a clean result. Try again shortly.",
    "indicator": "adobefileshare.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "adobefileshare.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780211297.4291108
}