{ "type": "Domain", "indicator": "anythingshere.shop", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/anythingshere.shop", "alexa": "http://www.alexa.com/siteinfo/anythingshere.shop", "indicator": "anythingshere.shop", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4240176114, "indicator": "anythingshere.shop", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 1, "pulses": [ { "id": "69a88b31c4401f717710f864", "name": "Iranian APT Infrastructure in Focus: Mapping State-Aligned Clusters During Geopolitical Escalation", "description": "The analysis examines Iranian state-aligned threat actors and their infrastructure patterns during heightened geopolitical tensions. It focuses on mapping network infrastructure, ASN patterns, TLS fingerprints, and hosting clusters associated with various Iranian APT groups. The report highlights the importance of proactive infrastructure monitoring to detect and disrupt potential cyber operations. Key findings include the identification of previously unreported hosts, domains, and servers linked to Iranian operations, as well as insights into the tactics used by groups like MuddyWater and Dark Scepter. The article emphasizes the value of infrastructure intelligence in early threat detection and provides recommendations for organizations to monitor and defend against these threats.", "modified": "2026-04-03T19:20:13.778000", "created": "2026-03-04T19:42:41.596000", "tags": [ "proactive defense", "geopolitical tensions", "tls fingerprinting", "tonnerre", "infrastructure analysis", "cyberattacks", "iranian apt", "sliver", "foudre", "threat intelligence", "fmapp.exe", "tsundere", "asn patterns", "tamecat" ], "references": [ "https://hunt.io/blog/iranian-apt-infrastructure-state-aligned-clusters" ], "public": 1, "adversary": "MuddyWater", "targeted_countries": [ "United States of America", "Iran, Islamic Republic of", "Israel" ], "malware_families": [ { "id": "FMAPP.exe", "display_name": "FMAPP.exe", "target": null }, { "id": "TameCat", "display_name": "TameCat", "target": null }, { "id": "Foudre", "display_name": "Foudre", "target": null }, { "id": "Tonnerre", "display_name": "Tonnerre", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Tsundere", "display_name": "Tsundere", "target": null } ], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1102.003", "name": "One-Way Communication", "display_name": "T1102.003 - One-Way Communication" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Government", "Defense", "Energy", "Financial Services", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "domain": 12 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 377483, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://hunt.io/blog/iranian-apt-infrastructure-state-aligned-clusters" ], "related": { "alienvault": { "adversary": [ "MuddyWater" ], "malware_families": [ "Sliver", "Tamecat", "Tsundere", "Tonnerre", "Fmapp.exe", "Foudre" ], "industries": [ "Defense", "Government", "Energy", "Financial services", "Education" ] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "69a88b31c4401f717710f864", "name": "Iranian APT Infrastructure in Focus: Mapping State-Aligned Clusters During Geopolitical Escalation", "description": "The analysis examines Iranian state-aligned threat actors and their infrastructure patterns during heightened geopolitical tensions. It focuses on mapping network infrastructure, ASN patterns, TLS fingerprints, and hosting clusters associated with various Iranian APT groups. The report highlights the importance of proactive infrastructure monitoring to detect and disrupt potential cyber operations. Key findings include the identification of previously unreported hosts, domains, and servers linked to Iranian operations, as well as insights into the tactics used by groups like MuddyWater and Dark Scepter. The article emphasizes the value of infrastructure intelligence in early threat detection and provides recommendations for organizations to monitor and defend against these threats.", "modified": "2026-04-03T19:20:13.778000", "created": "2026-03-04T19:42:41.596000", "tags": [ "proactive defense", "geopolitical tensions", "tls fingerprinting", "tonnerre", "infrastructure analysis", "cyberattacks", "iranian apt", "sliver", "foudre", "threat intelligence", "fmapp.exe", "tsundere", "asn patterns", "tamecat" ], "references": [ "https://hunt.io/blog/iranian-apt-infrastructure-state-aligned-clusters" ], "public": 1, "adversary": "MuddyWater", "targeted_countries": [ "United States of America", "Iran, Islamic Republic of", "Israel" ], "malware_families": [ { "id": "FMAPP.exe", "display_name": "FMAPP.exe", "target": null }, { "id": "TameCat", "display_name": "TameCat", "target": null }, { "id": "Foudre", "display_name": "Foudre", "target": null }, { "id": "Tonnerre", "display_name": "Tonnerre", "target": null }, { "id": "Sliver", "display_name": "Sliver", "target": null }, { "id": "Tsundere", "display_name": "Tsundere", "target": null } ], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1608", "name": "Stage Capabilities", "display_name": "T1608 - Stage Capabilities" }, { "id": "T1102.003", "name": "One-Way Communication", "display_name": "T1102.003 - One-Way Communication" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Government", "Defense", "Energy", "Financial Services", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "domain": 12 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 377483, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "anythingshere.shop", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "anythingshere.shop", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776586430.2196276 }