{ "type": "Domain", "indicator": "applesso.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/applesso.com", "alexa": "http://www.alexa.com/siteinfo/applesso.com", "indicator": "applesso.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3844174715, "indicator": "applesso.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 13, "pulses": [ { "id": "663ddbdf6d0f3e9aba3f095a", "name": "New Campaigns from Scattered Spider", "description": "Scattered Spider, a financially motivated threat actor group, has been conducting aggressive phishing campaigns targeting various industries, particularly the finance and insurance sectors. Their tactics involve creating convincing lookalike domains and login pages to lure victims into revealing credentials. Defenders should remain vigilant, monitor for suspicious domains, and educate employees about identifying phishing attempts.", "modified": "2024-05-10T08:45:31.468000", "created": "2024-05-10T08:33:35.228000", "tags": [ "credential theft", "phishing", "telecom targeting", "lookalike domains", "social engineering" ], "references": [ "https://www.cyberresilience.com/threatonomics/resilience-threat-researchers-identify-new-campaigns-from-scattered-spider/" ], "public": 1, "adversary": "Scattered Spider", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1602", "name": "Data from Configuration Repository", "display_name": "T1602 - Data from Configuration Repository" }, { "id": "T1600", "name": "Weaken Encryption", "display_name": "T1600 - Weaken Encryption" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1585", "name": "Establish Accounts", "display_name": "T1585 - Establish Accounts" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [ "Finance", "Insurance", "Retail", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 362, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 1, "domain": 120, "hostname": 1 }, "indicator_count": 122, "is_author": false, "is_subscribing": null, "subscriber_count": 386617, "modified_text": "751 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6783308fc0b6e2bd8dfb209c", "name": "TTC-CERT_blocklist_recommended", "description": "", "modified": "2026-02-14T00:03:07.406000", "created": "2025-01-12T03:01:35.075000", "tags": [], "references": [ "https://github.com/ttc-cert/TTC-CERT_blocklist_recommended/blob/master/domain_blocklist_recommended.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 606, "URL": 4, "domain": 25122, "hostname": 25306 }, "indicator_count": 51038, "is_author": false, "is_subscribing": null, "subscriber_count": 185, "modified_text": "107 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "554 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "554 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670f94e03014212e19fa5a77", "name": "Malicious-Dangerous-Domain&URL-New-IOC List", "description": "By Helaly", "modified": "2024-11-15T10:01:11.688000", "created": "2024-10-16T10:26:40.893000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39659, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "562 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f2aae2cba86f3fa50bc34a", "name": "Vanilla Tempest : Ransomware em hospitais", "description": "Avertium has been named a Microsoft Security Solutions partner for the healthcare sector, providing 24x7 monitoring and management of the company\u2019s security services for Microsoft customers, including Microsoft Copilot for Security.", "modified": "2024-10-24T12:03:39.869000", "created": "2024-09-24T12:04:50.109000", "tags": [ "avertium", "strong", "copilot", "security", "vanilla tempest", "fusion mxdr", "latest avertium", "risk", "response", "siem", "defender", "gootloader", "sentinel", "flash", "blackcat", "powershell", "fusion", "chat", "inc" ], "references": [ "https://www.avertium.com/flash-notices/new-malware-campaign-targeting-healthcare-it-and-manufacturing" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "INC", "display_name": "INC", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "jamisonfawkez", "id": "289010", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 14, "FileHash-SHA1": 11, "FileHash-SHA256": 11, "URL": 5, "domain": 41, "hostname": 5 }, "indicator_count": 87, "is_author": false, "is_subscribing": null, "subscriber_count": 26, "modified_text": "584 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66bd31c93d380b7742659122", "name": "Scattered Spider laying new eggs - Sekoia.io Blog", "description": "Scattered Spider is a lucrative intrusion set active since May 2022, primarily engaged in social engineering, ransomware, extortion campaigns and other advanced techniques, and is reported to be the cyber threat with the greatest impact in 2023.", "modified": "2024-09-13T22:02:03.117000", "created": "2024-08-14T22:38:01.013000", "tags": [ "spider", "august", "mandiant", "microsoft", "megasync", "ttps", "united", "blackcat", "mega", "unc3944", "malware", "ransomware", "february", "star", "fraud", "service", "anydesk", "trojan", "exmatter", "stealbit", "winscp", "bitcoin", "lockbit", "trigona", "monti", "poortry", "procdump", "lazagne", "adrecon", "pingcastle", "sharphound", "desktop", "psexec", "vidar", "meduza", "raccoon", "leverage", "major", "rhysida" ], "references": [ "https://blog.sekoia.io/scattered-spider-laying-new-eggs/" ], "public": 1, "adversary": "Scattered Spider", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Rhysida", "display_name": "Rhysida", "target": null }, { "id": "BlackCat", "display_name": "BlackCat", "target": null } ], "attack_ids": [ { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [ "Entertainment", "Technology", "Telecommunications", "Media", "Social Engineering", "Cryptocurrency", "Hospitality", "Telecommunication" ], "TLP": "white", "cloned_from": null, "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "s2s-otx-nt", "id": "279281", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 37, "hostname": 3 }, "indicator_count": 40, "is_author": false, "is_subscribing": null, "subscriber_count": 34, "modified_text": "625 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66b66c62b19516196bac2f11", "name": "Scattered Spider laying new eggs - Sekoia.io Blog", "description": "Scattered Spider is a lucrative intrusion set active since May 2022, primarily engaged in social engineering, ransomware, extortion campaigns and other advanced techniques, and is reported to be the cyber threat with the greatest impact in 2023.", "modified": "2024-09-08T19:02:55.695000", "created": "2024-08-09T19:22:10.495000", "tags": [ "spider", "august", "mandiant", "microsoft", "megasync", "ttps", "united", "blackcat", "mega", "unc3944", "malware", "ransomware", "february", "star", "fraud", "service", "anydesk", "trojan", "winscp", "bitcoin", "lockbit", "procdump", "lazagne", "adrecon", "pingcastle", "sharphound", "desktop", "psexec", "vidar", "meduza", "raccoon", "leverage", "major", "rhysida" ], "references": [ "https://blog.sekoia.io/scattered-spider-laying-new-eggs/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Rhysida", "display_name": "Rhysida", "target": null }, { "id": "BlackCat", "display_name": "BlackCat", "target": null } ], "attack_ids": [ { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [ "Entertainment", "Technology", "Telecommunications", "Media", "Social Engineering", "Cryptocurrency", "Hospitality", "Telecommunication" ], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "nishanttyagi", "id": "271276", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 37, "hostname": 3 }, "indicator_count": 40, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "630 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdd1247c16c5855518c7", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-02T07:05:02.060000", "created": "2024-07-02T08:44:01.648000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 286, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2521, "domain": 8243, "email": 7, "hostname": 2893 }, "indicator_count": 13683, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "667 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdc8052a11fe921381a0", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-01T08:02:48.060000", "created": "2024-07-02T08:43:52.203000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2409, "domain": 7836, "email": 7, "hostname": 2783 }, "indicator_count": 13054, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "668 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "663deed9e807563e5b43ab07", "name": "Malicious Domains", "description": "", "modified": "2024-05-10T09:54:33.907000", "created": "2024-05-10T09:54:33.907000", "tags": [ "credential theft", "phishing", "telecom targeting", "lookalike domains", "social engineering" ], "references": [ "https://www.cyberresilience.com/threatonomics/resilience-threat-researchers-identify-new-campaigns-from-scattered-spider/" ], "public": 1, "adversary": "Scattered Spider", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1602", "name": "Data from Configuration Repository", "display_name": "T1602 - Data from Configuration Repository" }, { "id": "T1600", "name": "Weaken Encryption", "display_name": "T1600 - Weaken Encryption" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1585", "name": "Establish Accounts", "display_name": "T1585 - Establish Accounts" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [ "Finance", "Insurance", "Retail", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": "663ddbdf6d0f3e9aba3f095a", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "huzaifaanwer", "id": "273043", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "domain": 120, "hostname": 1 }, "indicator_count": 122, "is_author": false, "is_subscribing": null, "subscriber_count": 1, "modified_text": "751 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6601c89dc7d98b1f9a980061", "name": "Scattered Spider laying new eggs - Sekoia.io Blog", "description": "Scattered Spider is a lucrative intrusion set active since May 2022, primarily engaged in social engineering, ransomware, extortion campaigns and other advanced techniques, according to a new report from SentinelOne Research and Intel.", "modified": "2024-04-24T18:03:48.676000", "created": "2024-03-25T18:55:25.516000", "tags": [ "spider", "august", "mandiant", "microsoft", "megasync", "ttps", "united", "blackcat", "mega", "unc3944", "malware", "ransomware", "february", "star", "fraud", "service", "anydesk", "trojan", "exmatter", "stealbit", "winscp", "bitcoin", "lockbit", "trigona", "monti", "poortry", "procdump", "lazagne", "adrecon", "pingcastle", "sharphound", "desktop", "psexec", "vidar", "meduza", "raccoon", "leverage", "major", "rhysida" ], "references": [ "https://blog.sekoia.io/scattered-spider-laying-new-eggs/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Rhysida", "display_name": "Rhysida", "target": null }, { "id": "BlackCat", "display_name": "BlackCat", "target": null } ], "attack_ids": [ { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [ "Entertainment", "Technology", "Telecommunications", "Media", "Social Engineering", "Cryptocurrency", "Hospitality", "Telecommunication" ], "TLP": "white", "cloned_from": null, "export_count": 43, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AustinBH", "id": "147442", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 40, "hostname": 4, "URL": 2 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 59, "modified_text": "767 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d757b475df4b213361c801", "name": "Scattered Spider laying new eggs - Sekoia.io Blog", "description": "", "modified": "2024-03-23T14:00:35.724000", "created": "2024-02-22T14:18:28.302000", "tags": [ "spider", "august", "mandiant", "microsoft", "megasync", "ttps", "united", "blackcat", "mega", "unc3944", "malware", "ransomware", "february", "star", "fraud", "service", "anydesk", "trojan", "exmatter", "stealbit", "winscp", "bitcoin", "lockbit", "trigona", "monti", "poortry", "procdump", "lazagne", "adrecon", "pingcastle", "sharphound", "desktop", "psexec", "vidar", "meduza", "raccoon", "leverage", "major" ], "references": [ "https://blog.sekoia.io/scattered-spider-laying-new-eggs/#h-conclusion" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Legion@2023", "id": "234229", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 37, "hostname": 3 }, "indicator_count": 40, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "799 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://github.com/ttc-cert/TTC-CERT_blocklist_recommended/blob/master/domain_blocklist_recommended.txt", "https://www.cyberresilience.com/threatonomics/resilience-threat-researchers-identify-new-campaigns-from-scattered-spider/", "https://blog.sekoia.io/scattered-spider-laying-new-eggs/#h-conclusion", "https://blog.sekoia.io/scattered-spider-laying-new-eggs/", "https://www.avertium.com/flash-notices/new-malware-campaign-targeting-healthcare-it-and-manufacturing" ], "related": { "alienvault": { "adversary": [ "Scattered Spider" ], "malware_families": [], "industries": [ "Technology", "Retail", "Insurance", "Telecommunications", "Finance" ] }, "other": { "adversary": [ "Scattered Spider" ], "malware_families": [ "Rhysida", "Inc", "Blackcat" ], "industries": [ "Technology", "Media", "Retail", "Insurance", "Telecommunications", "Social engineering", "Cryptocurrency", "Telecommunication", "Entertainment", "Hospitality", "Finance" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 13, "pulses": [ { "id": "663ddbdf6d0f3e9aba3f095a", "name": "New Campaigns from Scattered Spider", "description": "Scattered Spider, a financially motivated threat actor group, has been conducting aggressive phishing campaigns targeting various industries, particularly the finance and insurance sectors. Their tactics involve creating convincing lookalike domains and login pages to lure victims into revealing credentials. Defenders should remain vigilant, monitor for suspicious domains, and educate employees about identifying phishing attempts.", "modified": "2024-05-10T08:45:31.468000", "created": "2024-05-10T08:33:35.228000", "tags": [ "credential theft", "phishing", "telecom targeting", "lookalike domains", "social engineering" ], "references": [ "https://www.cyberresilience.com/threatonomics/resilience-threat-researchers-identify-new-campaigns-from-scattered-spider/" ], "public": 1, "adversary": "Scattered Spider", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1602", "name": "Data from Configuration Repository", "display_name": "T1602 - Data from Configuration Repository" }, { "id": "T1600", "name": "Weaken Encryption", "display_name": "T1600 - Weaken Encryption" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1585", "name": "Establish Accounts", "display_name": "T1585 - Establish Accounts" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [ "Finance", "Insurance", "Retail", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 362, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 1, "domain": 120, "hostname": 1 }, "indicator_count": 122, "is_author": false, "is_subscribing": null, "subscriber_count": 386617, "modified_text": "751 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6783308fc0b6e2bd8dfb209c", "name": "TTC-CERT_blocklist_recommended", "description": "", "modified": "2026-02-14T00:03:07.406000", "created": "2025-01-12T03:01:35.075000", "tags": [], "references": [ "https://github.com/ttc-cert/TTC-CERT_blocklist_recommended/blob/master/domain_blocklist_recommended.txt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 606, "URL": 4, "domain": 25122, "hostname": 25306 }, "indicator_count": 51038, "is_author": false, "is_subscribing": null, "subscriber_count": 185, "modified_text": "107 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f73a3f45fa88890276d", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:23.616000", "created": "2024-11-24T03:37:23.616000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 25, "modified_text": "554 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67429f7224d433f384b935c8", "name": "StreamMining", "description": "", "modified": "2024-11-24T03:37:22.551000", "created": "2024-11-24T03:37:22.551000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "670f94e03014212e19fa5a77", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "rivocado", "id": "300960", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "554 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "670f94e03014212e19fa5a77", "name": "Malicious-Dangerous-Domain&URL-New-IOC List", "description": "By Helaly", "modified": "2024-11-15T10:01:11.688000", "created": "2024-10-16T10:26:40.893000", "tags": [ "eliminar", "leer ms", "wishlist vista", "poltica", "secadores", "vista", "sala", "vaporal", "utensilios", "belleza equipos", "ciudad" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39659, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "URL": 170, "domain": 11158, "hostname": 3549 }, "indicator_count": 14883, "is_author": false, "is_subscribing": null, "subscriber_count": 80, "modified_text": "562 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f2aae2cba86f3fa50bc34a", "name": "Vanilla Tempest : Ransomware em hospitais", "description": "Avertium has been named a Microsoft Security Solutions partner for the healthcare sector, providing 24x7 monitoring and management of the company\u2019s security services for Microsoft customers, including Microsoft Copilot for Security.", "modified": "2024-10-24T12:03:39.869000", "created": "2024-09-24T12:04:50.109000", "tags": [ "avertium", "strong", "copilot", "security", "vanilla tempest", "fusion mxdr", "latest avertium", "risk", "response", "siem", "defender", "gootloader", "sentinel", "flash", "blackcat", "powershell", "fusion", "chat", "inc" ], "references": [ "https://www.avertium.com/flash-notices/new-malware-campaign-targeting-healthcare-it-and-manufacturing" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "INC", "display_name": "INC", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "jamisonfawkez", "id": "289010", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 14, "FileHash-SHA1": 11, "FileHash-SHA256": 11, "URL": 5, "domain": 41, "hostname": 5 }, "indicator_count": 87, "is_author": false, "is_subscribing": null, "subscriber_count": 26, "modified_text": "584 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66bd31c93d380b7742659122", "name": "Scattered Spider laying new eggs - Sekoia.io Blog", "description": "Scattered Spider is a lucrative intrusion set active since May 2022, primarily engaged in social engineering, ransomware, extortion campaigns and other advanced techniques, and is reported to be the cyber threat with the greatest impact in 2023.", "modified": "2024-09-13T22:02:03.117000", "created": "2024-08-14T22:38:01.013000", "tags": [ "spider", "august", "mandiant", "microsoft", "megasync", "ttps", "united", "blackcat", "mega", "unc3944", "malware", "ransomware", "february", "star", "fraud", "service", "anydesk", "trojan", "exmatter", "stealbit", "winscp", "bitcoin", "lockbit", "trigona", "monti", "poortry", "procdump", "lazagne", "adrecon", "pingcastle", "sharphound", "desktop", "psexec", "vidar", "meduza", "raccoon", "leverage", "major", "rhysida" ], "references": [ "https://blog.sekoia.io/scattered-spider-laying-new-eggs/" ], "public": 1, "adversary": "Scattered Spider", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Rhysida", "display_name": "Rhysida", "target": null }, { "id": "BlackCat", "display_name": "BlackCat", "target": null } ], "attack_ids": [ { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [ "Entertainment", "Technology", "Telecommunications", "Media", "Social Engineering", "Cryptocurrency", "Hospitality", "Telecommunication" ], "TLP": "white", "cloned_from": null, "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "s2s-otx-nt", "id": "279281", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 37, "hostname": 3 }, "indicator_count": 40, "is_author": false, "is_subscribing": null, "subscriber_count": 34, "modified_text": "625 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66b66c62b19516196bac2f11", "name": "Scattered Spider laying new eggs - Sekoia.io Blog", "description": "Scattered Spider is a lucrative intrusion set active since May 2022, primarily engaged in social engineering, ransomware, extortion campaigns and other advanced techniques, and is reported to be the cyber threat with the greatest impact in 2023.", "modified": "2024-09-08T19:02:55.695000", "created": "2024-08-09T19:22:10.495000", "tags": [ "spider", "august", "mandiant", "microsoft", "megasync", "ttps", "united", "blackcat", "mega", "unc3944", "malware", "ransomware", "february", "star", "fraud", "service", "anydesk", "trojan", "winscp", "bitcoin", "lockbit", "procdump", "lazagne", "adrecon", "pingcastle", "sharphound", "desktop", "psexec", "vidar", "meduza", "raccoon", "leverage", "major", "rhysida" ], "references": [ "https://blog.sekoia.io/scattered-spider-laying-new-eggs/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Rhysida", "display_name": "Rhysida", "target": null }, { "id": "BlackCat", "display_name": "BlackCat", "target": null } ], "attack_ids": [ { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [ "Entertainment", "Technology", "Telecommunications", "Media", "Social Engineering", "Cryptocurrency", "Hospitality", "Telecommunication" ], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "nishanttyagi", "id": "271276", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 37, "hostname": 3 }, "indicator_count": 40, "is_author": false, "is_subscribing": null, "subscriber_count": 28, "modified_text": "630 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdd1247c16c5855518c7", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-02T07:05:02.060000", "created": "2024-07-02T08:44:01.648000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 286, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2521, "domain": 8243, "email": 7, "hostname": 2893 }, "indicator_count": 13683, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "667 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6683bdc8052a11fe921381a0", "name": "Domain-URL-IP-Hash-IOC", "description": "Updated collection of malicious , malware , phishing ... etc of domain , UR , IP , Hashes", "modified": "2024-08-01T08:02:48.060000", "created": "2024-07-02T08:43:52.203000", "tags": [ "word" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Eslam-ElHelaly", "id": "259630", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_259630/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 15, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 2409, "domain": 7836, "email": 7, "hostname": 2783 }, "indicator_count": 13054, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "668 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "applesso.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "applesso.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780292688.139421 }