{ "type": "Domain", "indicator": "afraid.veloitall.cfd", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/afraid.veloitall.cfd", "alexa": "http://www.alexa.com/siteinfo/afraid.veloitall.cfd", "indicator": "afraid.veloitall.cfd", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": {}, "pulse_info": { "count": 0, "pulses": [], "references": [], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "6a15ba2632bd7e246e9c1250", "name": "Smart Contracts for C&C: How ClearFake Hid in Plain Sight on BSC Testnet", "description": "Threat actors exploited the EtherHiding technique to store ClearFake payload routing instructions within smart contracts on the BNB Smart Chain testnet, creating an immutable command-and-control infrastructure that cannot be taken down. The attack began with injected JavaScript on a compromised Swiss website that queried blockchain contracts to deliver malicious payloads. Victims passing anti-analysis checks were fingerprinted by operating system and routed to platform-specific ClickFix social engineering overlays. The campaign simultaneously deployed SectopRAT, a .NET-based remote access trojan capable of browser session hijacking, and ACRStealer, a C++ infostealer targeting credentials and cryptocurrency wallets. An on-chain execution tracker confirmed each compromise in real time. Four smart contracts shared a single deployer wallet, with the oldest deployed nearly a year before analysis, indicating a long-running, actively maintained operation.", "author_name": "AlienVault", "modified": "2026-05-27T13:56:54.370000", "created": "2026-05-26T15:20:06.238000", "revision": 2, "tlp": "white", "public": 1, "adversary": "", "indicators": [ { "id": 4337169031, "indicator": "afraid.veloitall.cfd", "type": "hostname", "created": "2026-05-27T13:54:02", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4337169031, "indicator": "afraid.veloitall.cfd", "type": "hostname", "created": "2026-05-26T15:20:07", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4346840893, "indicator": "root-cul.xamir3on.lat", "type": "hostname", "created": "2026-05-27T13:54:02", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4346903848, "indicator": "ohn.stainedunstitch.work", "type": "hostname", "created": "2026-05-26T15:20:07", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4346903848, "indicator": "ohn.stainedunstitch.work", "type": "hostname", "created": "2026-05-27T13:54:02", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4346952524, "indicator": "getcfgs.qen9varol.lat", "type": "hostname", "created": "2026-05-27T13:54:02", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4347302170, "indicator": "ootid.srv-auth-dlt-msh.in.net", "type": "hostname", "created": "2026-05-26T15:20:07", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4347302170, "indicator": "ootid.srv-auth-dlt-msh.in.net", "type": "hostname", "created": "2026-05-27T13:54:02", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4379562933, "indicator": "46add4a5fb2da6fe12759a06fe1c6bc43e987da3ea7c28bff0a7f2a349088f0d", "type": "FileHash-SHA256", "created": "2026-05-27T13:54:02", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4379562933, "indicator": "46add4a5fb2da6fe12759a06fe1c6bc43e987da3ea7c28bff0a7f2a349088f0d", "type": "FileHash-SHA256", "created": "2026-05-26T15:20:07", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4379562934, "indicator": "9c235a84d15087719e59c09f41d43e3574de4544d490aab619184a7d65b02910", "type": "FileHash-SHA256", "created": "2026-05-26T15:20:07", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4379562934, "indicator": "9c235a84d15087719e59c09f41d43e3574de4544d490aab619184a7d65b02910", "type": "FileHash-SHA256", "created": "2026-05-27T13:54:02", "content": "", "title": "SUSP_GObfuscate_May21", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4379562935, "indicator": "a5691a4fc69faa4f0fe08f12347783e1dde3c617552be7efd1c5ed89a793e885", "type": "FileHash-SHA256", "created": "2026-05-26T15:20:07", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4379562935, "indicator": "a5691a4fc69faa4f0fe08f12347783e1dde3c617552be7efd1c5ed89a793e885", "type": "FileHash-SHA256", "created": "2026-05-27T13:54:02", "content": "", "title": "UPX", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4379562936, "indicator": "put34b.camp", "type": "domain", "created": "2026-05-26T15:20:07", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4379562937, "indicator": "ren.trytoken.life", "type": "hostname", "created": "2026-05-27T13:54:02", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4379562937, "indicator": "ren.trytoken.life", "type": "hostname", "created": "2026-05-26T15:20:07", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4379562938, "indicator": "www.badischwaendi.ch", "type": "hostname", "created": "2026-05-27T13:54:02", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4379562938, "indicator": "www.badischwaendi.ch", "type": "hostname", "created": "2026-05-26T15:20:07", "content": "", "title": "", "description": "", "expiration": null, "is_active": 1, "role": null }, { "id": 4380352716, "indicator": "4d63c25457d3d5bd37bcf7c3d10154e6", "type": "FileHash-MD5", "created": "2026-05-27T13:54:02", "content": "", "title": "", "description": "MD5 of 46add4a5fb2da6fe12759a06fe1c6bc43e987da3ea7c28bff0a7f2a349088f0d", "expiration": null, "is_active": 1, "role": null }, { "id": 4380352717, "indicator": "6691ffa5af2d4d3b3dea04e69185a79d", "type": "FileHash-MD5", "created": "2026-05-27T13:54:02", "content": "", "title": "UPX", "description": "MD5 of a5691a4fc69faa4f0fe08f12347783e1dde3c617552be7efd1c5ed89a793e885", "expiration": null, "is_active": 1, "role": null }, { "id": 4380352718, "indicator": "7405da969d14833a77b4049b3b6a39b9", "type": "FileHash-MD5", "created": "2026-05-27T13:54:02", "content": "", "title": "SUSP_GObfuscate_May21", "description": "MD5 of 9c235a84d15087719e59c09f41d43e3574de4544d490aab619184a7d65b02910", "expiration": null, "is_active": 1, "role": null }, { "id": 4380352719, "indicator": "0eb9241b1530549c258537d647d2723879508778", "type": "FileHash-SHA1", "created": "2026-05-27T13:54:02", "content": "", "title": "UPX", "description": "SHA1 of a5691a4fc69faa4f0fe08f12347783e1dde3c617552be7efd1c5ed89a793e885", "expiration": null, "is_active": 1, "role": null }, { "id": 4380352720, "indicator": "4f72551703b84ae70b0837a97523c66b21c538e6", "type": "FileHash-SHA1", "created": "2026-05-27T13:54:02", "content": "", "title": "SUSP_GObfuscate_May21", "description": "SHA1 of 9c235a84d15087719e59c09f41d43e3574de4544d490aab619184a7d65b02910", "expiration": null, "is_active": 1, "role": null }, { "id": 4380352721, "indicator": "b654603260e52faefd9b5b1aad1ca4bd233f9167", "type": "FileHash-SHA1", "created": "2026-05-27T13:54:02", "content": "", "title": "", "description": "SHA1 of 46add4a5fb2da6fe12759a06fe1c6bc43e987da3ea7c28bff0a7f2a349088f0d", "expiration": null, "is_active": 1, "role": null } ], "tags": [ "infostealer", "blockchain c&c", "clickfix", "etherhiding", "sectoprat", "clearfake", "bnb smart chain", "acrstealer" ], "targeted_countries": [ "Switzerland" ], "malware_families": [ "SectopRAT", "ACRStealer" ], "attack_ids": [ "T1539", "T1036.005", "T1204.002", "T1497.001", "T1140", "T1185", "T1555.003", "T1055.002", "T1102", "T1059.001", "T1055.012", "T1027", "T1012", "T1518.001", "T1059.006", "T1189", "T1071.001", "T1105", "T1056.004" ], "references": [ "https://www.trendmicro.com/en_us/research/26/e/smart-contracts-for-command-and-control.html" ], "industries": [], "extract_source": [], "more_indicators": false, "indicator_count": 25 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "afraid.veloitall.cfd", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "afraid.veloitall.cfd", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780180486.6440837 }