{
  "type": "Domain",
  "indicator": "api-gateway-softupdate.io",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/api-gateway-softupdate.io",
    "alexa": "http://www.alexa.com/siteinfo/api-gateway-softupdate.io",
    "indicator": "api-gateway-softupdate.io",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4176110082,
      "indicator": "api-gateway-softupdate.io",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 5,
      "pulses": [
        {
          "id": "6970c8427c1fd561ba4d962a",
          "name": "EtherRAT Targeting Windows Disguised as a Game Mod Installer",
          "description": "A Windows variant of EtherRAT, a JavaScript-based malware, has been discovered disguised as game mod installers. The malware uses MSI files to create and execute obfuscated scripts that decrypt and run the main payload. EtherRAT retrieves its Command and Control (C2) server addresses dynamically through Ethereum smart contracts, employing anti-analysis techniques and establishing persistence via Registry Run keys. The malware's infrastructure has been linked to the Tsundere Botnet, sharing C2 servers and smart contract similarities. Analysis revealed multiple contract addresses and wallet addresses associated with the attacker, indicating an expanding and evolving operation targeting both Windows and Linux systems.",
          "modified": "2026-02-20T12:03:58.357000",
          "created": "2026-01-21T12:36:18.399000",
          "tags": [
            "msi",
            "obfuscation",
            "ethereum",
            "123 stealer",
            "windows",
            "smart contract",
            "c2 communication",
            "tsundere botnet",
            "persistence",
            "cve-2025-55182",
            "game mod",
            "etherrat"
          ],
          "references": [
            "https://www.enki.co.kr/en/media-center/blog/etherrat-targeting-windows-disguised-as-a-game-mod-installer"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "EtherRAT",
              "display_name": "EtherRAT",
              "target": null
            },
            {
              "id": "Tsundere Botnet",
              "display_name": "Tsundere Botnet",
              "target": null
            },
            {
              "id": "123 Stealer",
              "display_name": "123 Stealer",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1564.003",
              "name": "Hidden Window",
              "display_name": "T1564.003 - Hidden Window"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1102.001",
              "name": "Dead Drop Resolver",
              "display_name": "T1102.001 - Dead Drop Resolver"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 23,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 11,
            "domain": 3,
            "hostname": 2
          },
          "indicator_count": 26,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386476,
          "modified_text": "99 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a0b436b99318655032774a0",
          "name": "EtherRAT Campaign Targeted Enterprise Admins via SEO Poisoning",
          "description": "",
          "modified": "2026-05-18T16:50:51.805000",
          "created": "2026-05-18T16:50:51.805000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 16,
            "URL": 64,
            "IPv4": 5,
            "domain": 46
          },
          "indicator_count": 131,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 501,
          "modified_text": "12 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69fdcf72325b49520348bb0a",
          "name": "EtherRAT Distribution Spoofing Administrative Tools via GitHub Facades",
          "description": "In March 2026, a highly sophisticated cyber threat campaign was discovered by the Atos Threat Research Center, which specifically targets high-privilege IT personnel like enterprise administrators and security analysts. The attackers employ a dual-layered GitHub repository distribution method, leveraging Search Engine Optimization (SEO) poisoning to manipulate search results for administrative utilities, directing victims to malicious MSI installers masquerading as legitimate tools. This approach maximizes the campaign's resilience, allowing the attackers to evade takedown efforts by keeping the malicious code on secondary repositories while the primary facade remains benign and SEO-optimized.",
          "modified": "2026-05-08T11:56:34.128000",
          "created": "2026-05-08T11:56:34.128000",
          "tags": [
            "c2 address",
            "c2 ip",
            "javascript file",
            "windows process",
            "task manager",
            "ethereum smart",
            "ethereum api",
            "ip address",
            "url path",
            "run registry",
            "lazarus",
            "apt34",
            "remote access",
            "msi",
            "node.js",
            "tsundere",
            "utility spoofing",
            "threat"
          ],
          "references": [
            "https://atos.net/en/lp/cybershield/etherrat-distribution-spoofing-administrative-tools-via-github-facades"
          ],
          "public": 1,
          "adversary": "Lazarus",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "EtherRAT",
              "display_name": "EtherRAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1218.007",
              "name": "Msiexec",
              "display_name": "T1218.007 - Msiexec"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1564.003",
              "name": "Hidden Window",
              "display_name": "T1564.003 - Hidden Window"
            },
            {
              "id": "T1036.005",
              "name": "Match Legitimate Name or Location",
              "display_name": "T1036.005 - Match Legitimate Name or Location"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1027.002",
              "name": "Software Packing",
              "display_name": "T1027.002 - Software Packing"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1518.001",
              "name": "Security Software Discovery",
              "display_name": "T1518.001 - Security Software Discovery"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            }
          ],
          "industries": [
            "Finance"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 5,
            "URL": 64,
            "hostname": 17,
            "domain": 46
          },
          "indicator_count": 132,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 540,
          "modified_text": "22 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6971e98f961d0049a35675e8",
          "name": "EbeeJan2026 Pt3",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-02-21T09:02:54.440000",
          "created": "2026-01-22T09:10:39.136000",
          "tags": [
            "filehashsha256",
            "filehashsha1",
            "filehashmd5",
            "filepath",
            "yara",
            "ipv6",
            "tool",
            "tmobile",
            "regular"
          ],
          "references": [
            "week3-ioc-pt1.csv"
          ],
          "public": 1,
          "adversary": "Silver Fox, PurpleBravo, EtherRAT, PDFSIDER Malware, INC Blog Ransomware, velyn Stealer Campaign, Pr",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 44,
            "CVE": 3,
            "FileHash-MD5": 109,
            "FileHash-SHA1": 120,
            "FileHash-SHA256": 131,
            "domain": 61,
            "hostname": 31,
            "email": 1
          },
          "indicator_count": 500,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 38,
          "modified_text": "98 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6971da9f5cbf14c00fe3c899",
          "name": "EtherRAT Targeting Windows Disguised as a Game Mod Installer",
          "description": "",
          "modified": "2026-02-20T12:03:58.357000",
          "created": "2026-01-22T08:06:55.457000",
          "tags": [
            "msi",
            "obfuscation",
            "ethereum",
            "123 stealer",
            "windows",
            "smart contract",
            "c2 communication",
            "tsundere botnet",
            "persistence",
            "cve-2025-55182",
            "game mod",
            "etherrat"
          ],
          "references": [
            "https://www.enki.co.kr/en/media-center/blog/etherrat-targeting-windows-disguised-as-a-game-mod-installer"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "EtherRAT",
              "display_name": "EtherRAT",
              "target": null
            },
            {
              "id": "Tsundere Botnet",
              "display_name": "Tsundere Botnet",
              "target": null
            },
            {
              "id": "123 Stealer",
              "display_name": "123 Stealer",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1564.003",
              "name": "Hidden Window",
              "display_name": "T1564.003 - Hidden Window"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1102.001",
              "name": "Dead Drop Resolver",
              "display_name": "T1102.001 - Dead Drop Resolver"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "6970c8427c1fd561ba4d962a",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 11,
            "domain": 3,
            "hostname": 2
          },
          "indicator_count": 26,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 276,
          "modified_text": "99 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.enki.co.kr/en/media-center/blog/etherrat-targeting-windows-disguised-as-a-game-mod-installer",
        "week3-ioc-pt1.csv",
        "https://atos.net/en/lp/cybershield/etherrat-distribution-spoofing-administrative-tools-via-github-facades"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [
            "Etherrat",
            "Tsundere botnet",
            "123 stealer"
          ],
          "industries": []
        },
        "other": {
          "adversary": [
            "Silver Fox, PurpleBravo, EtherRAT, PDFSIDER Malware, INC Blog Ransomware, velyn Stealer Campaign, Pr",
            "Lazarus"
          ],
          "malware_families": [
            "Etherrat",
            "Tsundere botnet",
            "123 stealer"
          ],
          "industries": [
            "Finance"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 5,
  "pulses": [
    {
      "id": "6970c8427c1fd561ba4d962a",
      "name": "EtherRAT Targeting Windows Disguised as a Game Mod Installer",
      "description": "A Windows variant of EtherRAT, a JavaScript-based malware, has been discovered disguised as game mod installers. The malware uses MSI files to create and execute obfuscated scripts that decrypt and run the main payload. EtherRAT retrieves its Command and Control (C2) server addresses dynamically through Ethereum smart contracts, employing anti-analysis techniques and establishing persistence via Registry Run keys. The malware's infrastructure has been linked to the Tsundere Botnet, sharing C2 servers and smart contract similarities. Analysis revealed multiple contract addresses and wallet addresses associated with the attacker, indicating an expanding and evolving operation targeting both Windows and Linux systems.",
      "modified": "2026-02-20T12:03:58.357000",
      "created": "2026-01-21T12:36:18.399000",
      "tags": [
        "msi",
        "obfuscation",
        "ethereum",
        "123 stealer",
        "windows",
        "smart contract",
        "c2 communication",
        "tsundere botnet",
        "persistence",
        "cve-2025-55182",
        "game mod",
        "etherrat"
      ],
      "references": [
        "https://www.enki.co.kr/en/media-center/blog/etherrat-targeting-windows-disguised-as-a-game-mod-installer"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "EtherRAT",
          "display_name": "EtherRAT",
          "target": null
        },
        {
          "id": "Tsundere Botnet",
          "display_name": "Tsundere Botnet",
          "target": null
        },
        {
          "id": "123 Stealer",
          "display_name": "123 Stealer",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1564.003",
          "name": "Hidden Window",
          "display_name": "T1564.003 - Hidden Window"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1102.001",
          "name": "Dead Drop Resolver",
          "display_name": "T1102.001 - Dead Drop Resolver"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 23,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 5,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 11,
        "domain": 3,
        "hostname": 2
      },
      "indicator_count": 26,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386476,
      "modified_text": "99 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a0b436b99318655032774a0",
      "name": "EtherRAT Campaign Targeted Enterprise Admins via SEO Poisoning",
      "description": "",
      "modified": "2026-05-18T16:50:51.805000",
      "created": "2026-05-18T16:50:51.805000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 16,
        "URL": 64,
        "IPv4": 5,
        "domain": 46
      },
      "indicator_count": 131,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 501,
      "modified_text": "12 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69fdcf72325b49520348bb0a",
      "name": "EtherRAT Distribution Spoofing Administrative Tools via GitHub Facades",
      "description": "In March 2026, a highly sophisticated cyber threat campaign was discovered by the Atos Threat Research Center, which specifically targets high-privilege IT personnel like enterprise administrators and security analysts. The attackers employ a dual-layered GitHub repository distribution method, leveraging Search Engine Optimization (SEO) poisoning to manipulate search results for administrative utilities, directing victims to malicious MSI installers masquerading as legitimate tools. This approach maximizes the campaign's resilience, allowing the attackers to evade takedown efforts by keeping the malicious code on secondary repositories while the primary facade remains benign and SEO-optimized.",
      "modified": "2026-05-08T11:56:34.128000",
      "created": "2026-05-08T11:56:34.128000",
      "tags": [
        "c2 address",
        "c2 ip",
        "javascript file",
        "windows process",
        "task manager",
        "ethereum smart",
        "ethereum api",
        "ip address",
        "url path",
        "run registry",
        "lazarus",
        "apt34",
        "remote access",
        "msi",
        "node.js",
        "tsundere",
        "utility spoofing",
        "threat"
      ],
      "references": [
        "https://atos.net/en/lp/cybershield/etherrat-distribution-spoofing-administrative-tools-via-github-facades"
      ],
      "public": 1,
      "adversary": "Lazarus",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "EtherRAT",
          "display_name": "EtherRAT",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1218.007",
          "name": "Msiexec",
          "display_name": "T1218.007 - Msiexec"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1564.003",
          "name": "Hidden Window",
          "display_name": "T1564.003 - Hidden Window"
        },
        {
          "id": "T1036.005",
          "name": "Match Legitimate Name or Location",
          "display_name": "T1036.005 - Match Legitimate Name or Location"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1027.002",
          "name": "Software Packing",
          "display_name": "T1027.002 - Software Packing"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1518.001",
          "name": "Security Software Discovery",
          "display_name": "T1518.001 - Security Software Discovery"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        }
      ],
      "industries": [
        "Finance"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 5,
        "URL": 64,
        "hostname": 17,
        "domain": 46
      },
      "indicator_count": 132,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 540,
      "modified_text": "22 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6971e98f961d0049a35675e8",
      "name": "EbeeJan2026 Pt3",
      "description": "Multiple APT/threat actors, malware families and campaigns",
      "modified": "2026-02-21T09:02:54.440000",
      "created": "2026-01-22T09:10:39.136000",
      "tags": [
        "filehashsha256",
        "filehashsha1",
        "filehashmd5",
        "filepath",
        "yara",
        "ipv6",
        "tool",
        "tmobile",
        "regular"
      ],
      "references": [
        "week3-ioc-pt1.csv"
      ],
      "public": 1,
      "adversary": "Silver Fox, PurpleBravo, EtherRAT, PDFSIDER Malware, INC Blog Ransomware, velyn Stealer Campaign, Pr",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 44,
        "CVE": 3,
        "FileHash-MD5": 109,
        "FileHash-SHA1": 120,
        "FileHash-SHA256": 131,
        "domain": 61,
        "hostname": 31,
        "email": 1
      },
      "indicator_count": 500,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 38,
      "modified_text": "98 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6971da9f5cbf14c00fe3c899",
      "name": "EtherRAT Targeting Windows Disguised as a Game Mod Installer",
      "description": "",
      "modified": "2026-02-20T12:03:58.357000",
      "created": "2026-01-22T08:06:55.457000",
      "tags": [
        "msi",
        "obfuscation",
        "ethereum",
        "123 stealer",
        "windows",
        "smart contract",
        "c2 communication",
        "tsundere botnet",
        "persistence",
        "cve-2025-55182",
        "game mod",
        "etherrat"
      ],
      "references": [
        "https://www.enki.co.kr/en/media-center/blog/etherrat-targeting-windows-disguised-as-a-game-mod-installer"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "EtherRAT",
          "display_name": "EtherRAT",
          "target": null
        },
        {
          "id": "Tsundere Botnet",
          "display_name": "Tsundere Botnet",
          "target": null
        },
        {
          "id": "123 Stealer",
          "display_name": "123 Stealer",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1564.003",
          "name": "Hidden Window",
          "display_name": "T1564.003 - Hidden Window"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1102.001",
          "name": "Dead Drop Resolver",
          "display_name": "T1102.001 - Dead Drop Resolver"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "6970c8427c1fd561ba4d962a",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 5,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 11,
        "domain": 3,
        "hostname": 2
      },
      "indicator_count": 26,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 276,
      "modified_text": "99 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "api-gateway-softupdate.io",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "api-gateway-softupdate.io",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780200551.3833745
}