{
  "type": "Domain",
  "indicator": "alienlol.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/alienlol.com",
    "alexa": "http://www.alexa.com/siteinfo/alienlol.com",
    "indicator": "alienlol.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 116428464,
      "indicator": "alienlol.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 5,
      "pulses": [
        {
          "id": "5aec1ab38170f445dbd22f2b",
          "name": "An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers",
          "description": "We assess with high confidence that the Winnti umbrella is associated with the Chinese state intelligence apparatus, with at least some elements located in the Xicheng District of Beijing.\n\nA number of Chinese state intelligence operations from 2009 to 2018 that were previously unconnected publicly are in fact linked to the Winnti umbrella.\n\nWe assess with high confidence that multiple publicly reported threat actors operate with some shared goals and resources as part of the Chinese state intelligence apparatus. Report from Tom Hegel of 401TRG.\n\nInitial attack targets are commonly software and gaming organizations in United States, Japan, South Korea, and China. Later stage high profile targets tend to be politically motivated or high value technology organizations.",
          "modified": "2019-11-25T15:17:27.952000",
          "created": "2018-05-04T08:32:51.904000",
          "tags": [
            "china",
            "APT41"
          ],
          "references": [
            "https://401trg.pw/burning-umbrella/"
          ],
          "public": 1,
          "adversary": "APT41",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 159,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 3,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3,
            "FileHash-SHA256": 3,
            "domain": 49,
            "hostname": 203,
            "FileHash-MD5": 236,
            "FileHash-SHA1": 22
          },
          "indicator_count": 516,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386285,
          "modified_text": "2376 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "59e66f461b05901ef0a67b4b",
          "name": "An Update on Winnti",
          "description": "The group continues to primarily use publicly available pentesting tools outside of the US. In the multiple incidents we have been involved in, the group has relied heavily on BeEF and Cobalt Strike. Cobalt Strike has been their primary toolset for command and control within the victim networks, while BeEF has been used to assist in the initial infection process.\n\nOn the network traffic analysis end, post compromise activity results in some interesting but not unexpected activity. First, Winnti uses Cobalt Strike to collect credentials and move laterally. The stolen credentials may be used for remote access into the victim network if applicable. The group also continues to focus on theft of code signing certificates and internal documentation, including company files and internal communication history (chats/emails).",
          "modified": "2017-10-17T20:59:50.822000",
          "created": "2017-10-17T20:59:50.822000",
          "tags": [
            "Winnti",
            "webbug",
            "Cobalt Strike"
          ],
          "references": [
            "https://401trg.pw/an-update-on-winnti/"
          ],
          "public": 1,
          "adversary": "Winnti",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 76,
          "upvotes_count": 2.0,
          "downvotes_count": 0.0,
          "votes_count": 2.0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 12,
            "FileHash-MD5": 8
          },
          "indicator_count": 20,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386273,
          "modified_text": "3145 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63456c2a30b92337ea1670e0",
          "name": "IOC Records Provided by @NextRayAI",
          "description": "This IOC report is provided and updated daily by NextRay AI Detection & Response Inc.",
          "modified": "2026-05-27T00:09:42.823000",
          "created": "2022-10-11T13:14:18.676000",
          "tags": [
            "Nextray",
            "cyber security",
            "ioc",
            "phishing",
            "malicious"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Turkey",
            "Ukraine",
            "Romania",
            "Czechia",
            "United Kingdom of Great Britain and Northern Ireland",
            "Norway",
            "Lithuania",
            "Estonia",
            "Latvia",
            "Poland",
            "Germany",
            "Canada",
            "France",
            "Denmark"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Defense",
            "Industrial",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1330,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "NextRay-AI",
            "id": "210822",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_210822/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 498917,
            "IPv4": 58083,
            "IPv6": 459,
            "hostname": 59385,
            "URL": 166783,
            "CIDR": 5266,
            "FileHash-MD5": 29699,
            "FileHash-SHA256": 50449,
            "CVE": 348,
            "email": 914,
            "Mutex": 49,
            "FileHash-SHA1": 3453,
            "FilePath": 34
          },
          "indicator_count": 873839,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 299,
          "modified_text": "2 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "659405e54700e006b5f7f696",
          "name": "Top 10 Malware Q3 2023",
          "description": "The Security Information Council (CIS) has released its annual list of the most active malware in the world, which includes the Top 10, the top 10 and the bottom 10 most common infection vectors.",
          "modified": "2024-02-01T12:03:25.350000",
          "created": "2024-01-02T12:47:33.725000",
          "tags": [
            "malware",
            "fake browser",
            "rogueraticate",
            "access tool",
            "malspam",
            "socgholish",
            "dropped",
            "multiple",
            "msisac",
            "arechclient2",
            "agent tesla",
            "nanocore",
            "coinminer",
            "zeus",
            "amadey",
            "gh0st",
            "ratenjay",
            "vipersoftx",
            "flash",
            "cobalt strike",
            "sectoprat",
            "local",
            "q3"
          ],
          "references": [
            "https://www.cisecurity.org/insights/blog/top-10-malware-q3-2023"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Amadey",
              "display_name": "Amadey",
              "target": null
            },
            {
              "id": "Q3",
              "display_name": "Q3",
              "target": null
            },
            {
              "id": "NanoCore",
              "display_name": "NanoCore",
              "target": null
            },
            {
              "id": "Malspam",
              "display_name": "Malspam",
              "target": null
            },
            {
              "id": "CoinMiner",
              "display_name": "CoinMiner",
              "target": null
            },
            {
              "id": "SocGholish",
              "display_name": "SocGholish",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "RogueRaticate",
              "display_name": "RogueRaticate",
              "target": null
            },
            {
              "id": "ViperSoftX",
              "display_name": "ViperSoftX",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1115",
              "name": "Clipboard Data",
              "display_name": "T1115 - Clipboard Data"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 24,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "jacksparrow",
            "id": "142887",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 54,
            "FileHash-SHA1": 46,
            "FileHash-SHA256": 46,
            "domain": 35,
            "hostname": 12
          },
          "indicator_count": 193,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 36,
          "modified_text": "847 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65707ae885e2a9a917487146",
          "name": "An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers",
          "description": "",
          "modified": "2023-12-06T13:45:12.043000",
          "created": "2023-12-06T13:45:12.043000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3,
            "FileHash-SHA256": 3,
            "domain": 49,
            "hostname": 203,
            "FileHash-MD5": 236,
            "FileHash-SHA1": 22
          },
          "indicator_count": 516,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 109,
          "modified_text": "904 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.cisecurity.org/insights/blog/top-10-malware-q3-2023",
        "https://401trg.pw/an-update-on-winnti/",
        "https://401trg.pw/burning-umbrella/"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "APT41",
            "Winnti"
          ],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Coinminer",
            "Malspam",
            "Cobalt strike",
            "Socgholish",
            "Nanocore",
            "Rogueraticate",
            "Amadey",
            "Vipersoftx",
            "Q3"
          ],
          "industries": [
            "Government",
            "Industrial",
            "Defense"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 5,
  "pulses": [
    {
      "id": "5aec1ab38170f445dbd22f2b",
      "name": "An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers",
      "description": "We assess with high confidence that the Winnti umbrella is associated with the Chinese state intelligence apparatus, with at least some elements located in the Xicheng District of Beijing.\n\nA number of Chinese state intelligence operations from 2009 to 2018 that were previously unconnected publicly are in fact linked to the Winnti umbrella.\n\nWe assess with high confidence that multiple publicly reported threat actors operate with some shared goals and resources as part of the Chinese state intelligence apparatus. Report from Tom Hegel of 401TRG.\n\nInitial attack targets are commonly software and gaming organizations in United States, Japan, South Korea, and China. Later stage high profile targets tend to be politically motivated or high value technology organizations.",
      "modified": "2019-11-25T15:17:27.952000",
      "created": "2018-05-04T08:32:51.904000",
      "tags": [
        "china",
        "APT41"
      ],
      "references": [
        "https://401trg.pw/burning-umbrella/"
      ],
      "public": 1,
      "adversary": "APT41",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 159,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 3,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 3,
        "FileHash-SHA256": 3,
        "domain": 49,
        "hostname": 203,
        "FileHash-MD5": 236,
        "FileHash-SHA1": 22
      },
      "indicator_count": 516,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386285,
      "modified_text": "2376 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "59e66f461b05901ef0a67b4b",
      "name": "An Update on Winnti",
      "description": "The group continues to primarily use publicly available pentesting tools outside of the US. In the multiple incidents we have been involved in, the group has relied heavily on BeEF and Cobalt Strike. Cobalt Strike has been their primary toolset for command and control within the victim networks, while BeEF has been used to assist in the initial infection process.\n\nOn the network traffic analysis end, post compromise activity results in some interesting but not unexpected activity. First, Winnti uses Cobalt Strike to collect credentials and move laterally. The stolen credentials may be used for remote access into the victim network if applicable. The group also continues to focus on theft of code signing certificates and internal documentation, including company files and internal communication history (chats/emails).",
      "modified": "2017-10-17T20:59:50.822000",
      "created": "2017-10-17T20:59:50.822000",
      "tags": [
        "Winnti",
        "webbug",
        "Cobalt Strike"
      ],
      "references": [
        "https://401trg.pw/an-update-on-winnti/"
      ],
      "public": 1,
      "adversary": "Winnti",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 76,
      "upvotes_count": 2.0,
      "downvotes_count": 0.0,
      "votes_count": 2.0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 12,
        "FileHash-MD5": 8
      },
      "indicator_count": 20,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386273,
      "modified_text": "3145 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63456c2a30b92337ea1670e0",
      "name": "IOC Records Provided by @NextRayAI",
      "description": "This IOC report is provided and updated daily by NextRay AI Detection & Response Inc.",
      "modified": "2026-05-27T00:09:42.823000",
      "created": "2022-10-11T13:14:18.676000",
      "tags": [
        "Nextray",
        "cyber security",
        "ioc",
        "phishing",
        "malicious"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Turkey",
        "Ukraine",
        "Romania",
        "Czechia",
        "United Kingdom of Great Britain and Northern Ireland",
        "Norway",
        "Lithuania",
        "Estonia",
        "Latvia",
        "Poland",
        "Germany",
        "Canada",
        "France",
        "Denmark"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Defense",
        "Industrial",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1330,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "NextRay-AI",
        "id": "210822",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_210822/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 498917,
        "IPv4": 58083,
        "IPv6": 459,
        "hostname": 59385,
        "URL": 166783,
        "CIDR": 5266,
        "FileHash-MD5": 29699,
        "FileHash-SHA256": 50449,
        "CVE": 348,
        "email": 914,
        "Mutex": 49,
        "FileHash-SHA1": 3453,
        "FilePath": 34
      },
      "indicator_count": 873839,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 299,
      "modified_text": "2 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "659405e54700e006b5f7f696",
      "name": "Top 10 Malware Q3 2023",
      "description": "The Security Information Council (CIS) has released its annual list of the most active malware in the world, which includes the Top 10, the top 10 and the bottom 10 most common infection vectors.",
      "modified": "2024-02-01T12:03:25.350000",
      "created": "2024-01-02T12:47:33.725000",
      "tags": [
        "malware",
        "fake browser",
        "rogueraticate",
        "access tool",
        "malspam",
        "socgholish",
        "dropped",
        "multiple",
        "msisac",
        "arechclient2",
        "agent tesla",
        "nanocore",
        "coinminer",
        "zeus",
        "amadey",
        "gh0st",
        "ratenjay",
        "vipersoftx",
        "flash",
        "cobalt strike",
        "sectoprat",
        "local",
        "q3"
      ],
      "references": [
        "https://www.cisecurity.org/insights/blog/top-10-malware-q3-2023"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Amadey",
          "display_name": "Amadey",
          "target": null
        },
        {
          "id": "Q3",
          "display_name": "Q3",
          "target": null
        },
        {
          "id": "NanoCore",
          "display_name": "NanoCore",
          "target": null
        },
        {
          "id": "Malspam",
          "display_name": "Malspam",
          "target": null
        },
        {
          "id": "CoinMiner",
          "display_name": "CoinMiner",
          "target": null
        },
        {
          "id": "SocGholish",
          "display_name": "SocGholish",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "RogueRaticate",
          "display_name": "RogueRaticate",
          "target": null
        },
        {
          "id": "ViperSoftX",
          "display_name": "ViperSoftX",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1115",
          "name": "Clipboard Data",
          "display_name": "T1115 - Clipboard Data"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 24,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "jacksparrow",
        "id": "142887",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 54,
        "FileHash-SHA1": 46,
        "FileHash-SHA256": 46,
        "domain": 35,
        "hostname": 12
      },
      "indicator_count": 193,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 36,
      "modified_text": "847 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65707ae885e2a9a917487146",
      "name": "An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers",
      "description": "",
      "modified": "2023-12-06T13:45:12.043000",
      "created": "2023-12-06T13:45:12.043000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "StreamMiningEx",
        "id": "262917",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 3,
        "FileHash-SHA256": 3,
        "domain": 49,
        "hostname": 203,
        "FileHash-MD5": 236,
        "FileHash-SHA1": 22
      },
      "indicator_count": 516,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 109,
      "modified_text": "904 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "type": "Domain",
    "indicator": "alienlol.com",
    "stats": {
      "malicious": 9,
      "suspicious": 0,
      "harmless": 50,
      "undetected": 32,
      "total": 91,
      "verdict": "malicious",
      "ratio": "9/91"
    },
    "verdict": "malicious",
    "ratio": "9/91",
    "registrar": "Dynadot Inc",
    "creation_date": 1728467875,
    "reputation": 0,
    "tags": [],
    "categories": {},
    "top_detections": [
      {
        "vendor": "ADMINUSLabs",
        "result": "malicious",
        "category": "malicious"
      },
      {
        "vendor": "CyRadar",
        "result": "malware",
        "category": "malicious"
      },
      {
        "vendor": "Forcepoint ThreatSeeker",
        "result": "malicious",
        "category": "malicious"
      },
      {
        "vendor": "Fortinet",
        "result": "malware",
        "category": "malicious"
      },
      {
        "vendor": "Kaspersky",
        "result": "malware",
        "category": "malicious"
      },
      {
        "vendor": "Lionic",
        "result": "malware",
        "category": "malicious"
      },
      {
        "vendor": "SOCRadar",
        "result": "phishing",
        "category": "malicious"
      },
      {
        "vendor": "Sophos",
        "result": "malware",
        "category": "malicious"
      },
      {
        "vendor": "alphaMountain.ai",
        "result": "malicious",
        "category": "malicious"
      }
    ],
    "last_analysis": 1779964679,
    "error": null
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "alienlol.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780026088.3591259
}