{ "type": "Domain", "indicator": "adobeupgradeflash.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/adobeupgradeflash.com", "alexa": "http://www.alexa.com/siteinfo/adobeupgradeflash.com", "indicator": "adobeupgradeflash.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 1525869, "indicator": "adobeupgradeflash.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "5a8c8b889e7d6c1288e3b570", "name": "A Slice of 2017 Sofacy Activity", "description": "Sofacy, also known as APT28, Fancy Bear, and Tsar Team, is a highly active and prolific APT. From their high volume 0day deployment to their innovative and broad malware set, Sofacy is one of the top groups that we monitor, report, and protect against. 2017 was not any different in this regard.", "modified": "2018-02-20T20:56:40.717000", "created": "2018-02-20T20:56:40.717000", "tags": [ "sofacy", "nato", "zebrocy", "central asia", "gamefish", "apt28", "xagent", "delphi", "ukraine", "coreshell", "western union", "asia", "fancy bear", "apt", "kaspersky" ], "references": [ "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/" ], "public": 1, "adversary": "Sofacy", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "government", "military", "ngo", "energy", "engineering" ], "TLP": "white", "cloned_from": null, "export_count": 74, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 39, "FileHash-MD5": 55, "CVE": 2 }, "indicator_count": 96, "is_author": false, "is_subscribing": null, "subscriber_count": 376811, "modified_text": "2975 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "58540a695fb0fc4c5df265c6", "name": "Let It Ride: The Sofacy Group\u2019s DealersChoice Attacks Continue", "description": "Recently, Palo Alto Networks Unit 42 reported on a new exploitation platform that we called \u201cDealersChoice\u201d in use by the Sofacy group (AKA APT28, Fancy Bear, STRONTIUM, Pawn Storm, Sednit). As outlined in our original posting, the DealersChoice exploitation platform generates malicious RTF documents which in turn use embedded OLE Word documents. These embedded OLE Word documents then contain embedded Adobe Flash (.SWF) files that are designed to exploit Abode Flash vulnerabilities.", "modified": "2016-12-16T15:40:07.581000", "created": "2016-12-16T15:38:17.492000", "tags": [ "sofacy", "apt28", "STRONTIUM", "fancy bear", "DealersChoice", "flash", "Carberp", "NATO" ], "references": [ "http://researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/" ], "public": 1, "adversary": "Sofacy", "targeted_countries": [ "Turkey", "Lithuania", "Armenia" ], "malware_families": [], "attack_ids": [], "industries": [ "government", "defence" ], "TLP": "green", "cloned_from": null, "export_count": 62, "upvotes_count": 1.0, "downvotes_count": 0.0, "votes_count": 1.0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 11, "domain": 11, "CVE": 2, "email": 3 }, "indicator_count": 27, "is_author": false, "is_subscribing": null, "subscriber_count": 376766, "modified_text": "3406 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "644b124399f55d7db8da4358", "name": "Nomadic Octopus group uses Paperbug attack for politically-motivated surveillance campaign", "description": "", "modified": "2023-04-28T00:24:35.992000", "created": "2023-04-28T00:24:35.992000", "tags": [], "references": [ "April 28th, 2023 - CryptoGen Cyber Threat Intelligence - Nomadic Octopus group uses Paperbug attack for politically-motivated surveillance campaign.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 17, "FileHash-MD5": 89, "FileHash-SHA1": 62, "FileHash-SHA256": 62, "URL": 6, "domain": 52 }, "indicator_count": 288, "is_author": false, "is_subscribing": null, "subscriber_count": 482, "modified_text": "1083 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/", "http://researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/", "April 28th, 2023 - CryptoGen Cyber Threat Intelligence - Nomadic Octopus group uses Paperbug attack for politically-motivated surveillance campaign.pdf" ], "related": { "alienvault": { "adversary": [ "Sofacy" ], "malware_families": [], "industries": [ "Engineering", "Energy", "Defence", "Ngo", "Government", "Military" ] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "5a8c8b889e7d6c1288e3b570", "name": "A Slice of 2017 Sofacy Activity", "description": "Sofacy, also known as APT28, Fancy Bear, and Tsar Team, is a highly active and prolific APT. From their high volume 0day deployment to their innovative and broad malware set, Sofacy is one of the top groups that we monitor, report, and protect against. 2017 was not any different in this regard.", "modified": "2018-02-20T20:56:40.717000", "created": "2018-02-20T20:56:40.717000", "tags": [ "sofacy", "nato", "zebrocy", "central asia", "gamefish", "apt28", "xagent", "delphi", "ukraine", "coreshell", "western union", "asia", "fancy bear", "apt", "kaspersky" ], "references": [ "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/" ], "public": 1, "adversary": "Sofacy", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "government", "military", "ngo", "energy", "engineering" ], "TLP": "white", "cloned_from": null, "export_count": 74, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 39, "FileHash-MD5": 55, "CVE": 2 }, "indicator_count": 96, "is_author": false, "is_subscribing": null, "subscriber_count": 376811, "modified_text": "2975 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "58540a695fb0fc4c5df265c6", "name": "Let It Ride: The Sofacy Group\u2019s DealersChoice Attacks Continue", "description": "Recently, Palo Alto Networks Unit 42 reported on a new exploitation platform that we called \u201cDealersChoice\u201d in use by the Sofacy group (AKA APT28, Fancy Bear, STRONTIUM, Pawn Storm, Sednit). As outlined in our original posting, the DealersChoice exploitation platform generates malicious RTF documents which in turn use embedded OLE Word documents. These embedded OLE Word documents then contain embedded Adobe Flash (.SWF) files that are designed to exploit Abode Flash vulnerabilities.", "modified": "2016-12-16T15:40:07.581000", "created": "2016-12-16T15:38:17.492000", "tags": [ "sofacy", "apt28", "STRONTIUM", "fancy bear", "DealersChoice", "flash", "Carberp", "NATO" ], "references": [ "http://researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/" ], "public": 1, "adversary": "Sofacy", "targeted_countries": [ "Turkey", "Lithuania", "Armenia" ], "malware_families": [], "attack_ids": [], "industries": [ "government", "defence" ], "TLP": "green", "cloned_from": null, "export_count": 62, "upvotes_count": 1.0, "downvotes_count": 0.0, "votes_count": 1.0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 11, "domain": 11, "CVE": 2, "email": 3 }, "indicator_count": 27, "is_author": false, "is_subscribing": null, "subscriber_count": 376766, "modified_text": "3406 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "644b124399f55d7db8da4358", "name": "Nomadic Octopus group uses Paperbug attack for politically-motivated surveillance campaign", "description": "", "modified": "2023-04-28T00:24:35.992000", "created": "2023-04-28T00:24:35.992000", "tags": [], "references": [ "April 28th, 2023 - CryptoGen Cyber Threat Intelligence - Nomadic Octopus group uses Paperbug attack for politically-motivated surveillance campaign.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 17, "FileHash-MD5": 89, "FileHash-SHA1": 62, "FileHash-SHA256": 62, "URL": 6, "domain": 52 }, "indicator_count": 288, "is_author": false, "is_subscribing": null, "subscriber_count": 482, "modified_text": "1083 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "adobeupgradeflash.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "adobeupgradeflash.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776228474.8443444 }