{ "type": "Domain", "indicator": "applicationformsubmit.me", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/applicationformsubmit.me", "alexa": "http://www.alexa.com/siteinfo/applicationformsubmit.me", "indicator": "applicationformsubmit.me", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4134991735, "indicator": "applicationformsubmit.me", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 11, "pulses": [ { "id": "68f756148d1335a1b45d57c2", "name": "To Be (A Robot) or Not to Be: New Malware Attributed to Russia State-Sponsored COLDRIVER", "description": "COLDRIVER, a Russian state-sponsored threat group, swiftly shifted operations after their LOSTKEYS malware was exposed in May 2025. They developed new malware families, including NOROBOT, YESROBOT, and MAYBEROBOT, within days. The infection chain begins with a COLDCOPY lure disguised as a CAPTCHA, leading to the deployment of NOROBOT, a DLL that retrieves subsequent stages. YESROBOT, a Python backdoor, was briefly used before being replaced by MAYBEROBOT, a more flexible PowerShell backdoor. The malware chain has undergone constant evolution, with COLDRIVER focusing on evading detection while maintaining intelligence collection capabilities against high-value targets. The group's tactics include using HTTPS for command retrieval, encrypting commands, and implementing various evasion techniques.", "modified": "2025-11-20T09:00:57.891000", "created": "2025-10-21T09:44:52.570000", "tags": [ "coldcopy", "backdoor", "lostkeys", "russian state-sponsored", "powershell" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver?linkId=17354485" ], "public": 1, "adversary": "Callisto", "targeted_countries": [], "malware_families": [ { "id": "LOSTKEYS", "display_name": "LOSTKEYS", "target": null }, { "id": "NOROBOT", "display_name": "NOROBOT", "target": null }, { "id": "YESROBOT", "display_name": "YESROBOT", "target": null }, { "id": "MAYBEROBOT", "display_name": "MAYBEROBOT", "target": null }, { "id": "COLDCOPY", "display_name": "COLDCOPY", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" } ], "industries": [ "NGO", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 10, "domain": 13, "YARA": 2 }, "indicator_count": 27, "is_author": false, "is_subscribing": null, "subscriber_count": 386771, "modified_text": "193 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "695ccc8544f275a44d96bd7b", "name": "French NGO Reporters Without Borders targeted by Calisto in recent campaign", "description": "", "modified": "2026-01-06T08:49:09.529000", "created": "2026-01-06T08:49:09.529000", "tags": [ "calisto", "protonmail", "javascript", "borders", "ukraine", "javascript code", "june", "ngos", "aitm", "namecheap", "april", "gamaredon", "evilginx", "anomaly", "iocs known", "mstic" ], "references": [ "https://blog.sekoia.io/ngo-reporters-without-borders-targeted-by-calisto-in-recent-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [ "Ukraine" ], "malware_families": [ { "id": "Calisto", "display_name": "Calisto", "target": null } ], "attack_ids": [ { "id": "T1056.003", "name": "Web Portal Capture", "display_name": "T1056.003 - Web Portal Capture" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" } ], "industries": [ "Military", "Defense" ], "TLP": "green", "cloned_from": "693417b3b78f8baed9c055c0", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6, "domain": 90, "hostname": 3 }, "indicator_count": 99, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "146 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "693417b3b78f8baed9c055c0", "name": "French NGO Reporters Without Borders targeted by Calisto in recent campaign", "description": "In May and June 2025, the intrusion set known as Calisto, also referred to as ColdRiver or Star Blizzard, targeted the French NGO Reporters Without Borders (RSF) through a series of spear phishing attempts. This campaign aligns with Calisto's established tactics, techniques, and procedures (TTPs), primarily involving credential harvesting and potential code execution through methods like the ClickFix technique. These attacks specifically aim at entities supporting Ukraine, indicating the actor's ongoing interest in politically motivated targets.\n\nThe operation against Reporters Without Borders began in March 2025 when the NGO reported a suspicious phishing email received by one of its core members. The email originated from a ProtonMail address designed to mimic a trusted contact, soliciting a review of a non-existent document.", "modified": "2026-01-05T11:00:06.923000", "created": "2025-12-06T11:46:59.940000", "tags": [ "calisto", "protonmail", "javascript", "borders", "ukraine", "javascript code", "june", "ngos", "aitm", "namecheap", "april", "gamaredon", "evilginx", "anomaly", "iocs known", "mstic" ], "references": [ "https://blog.sekoia.io/ngo-reporters-without-borders-targeted-by-calisto-in-recent-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [ "Ukraine" ], "malware_families": [ { "id": "Calisto", "display_name": "Calisto", "target": null } ], "attack_ids": [ { "id": "T1056.003", "name": "Web Portal Capture", "display_name": "T1056.003 - Web Portal Capture" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" } ], "industries": [ "Military", "Defense" ], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6, "domain": 90, "hostname": 3 }, "indicator_count": 99, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "147 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68fa56f45f0516a0b3075e7b", "name": "EbeeOct2025 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-11-22T16:03:43.896000", "created": "2025-10-23T16:25:24.750000", "tags": [], "references": [ "Oct week.3.pdf" ], "public": 1, "adversary": "Operation Phantom Net, VoxelGhostBat RAT, QilinLinkPro rootkit, Operation MotorBeacon (CAPI Backdoor", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 61, "CIDR": 2, "CVE": 3, "FileHash-MD5": 175, "FileHash-SHA1": 135, "FileHash-SHA256": 190, "URL": 42, "email": 8, "hostname": 48 }, "indicator_count": 664, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "191 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68f8bdeaf3d697c74bef62d4", "name": "Cyber Threat Advisory - COLDRIVER Unleashes ROBOT Malware Suite Following LOSTKEYS Exposure", "description": "", "modified": "2025-11-21T11:03:18.076000", "created": "2025-10-22T11:20:10.554000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "abinsiby7048", "id": "355718", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 6, "FileHash-SHA256": 6, "domain": 13 }, "indicator_count": 31, "is_author": false, "is_subscribing": null, "subscriber_count": 23, "modified_text": "192 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68f7881fa664f8327961714c", "name": "To Be (A Robot) or Not to Be: New Malware Attributed to Russia State-Sponsored COLDRIVER | Google Cloud Blog", "description": "A Russian state-sponsored malware group has re-tooled its operations and launched a new infection chain, according to Google Threat Intelligence Group (GTIG) in a blog post published on 20 October 2025.", "modified": "2025-11-20T13:01:30.038000", "created": "2025-10-21T13:18:23.931000", "tags": [ "coldriver", "mayberobot", "gtig", "norobot", "yesrobot", "june", "iocs", "simplefix", "zscaler", "download", "malware", "python" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "MAYBEROBOT", "display_name": "MAYBEROBOT", "target": null }, { "id": "Python", "display_name": "Python", "target": null }, { "id": "NOROBOT", "display_name": "NOROBOT", "target": null }, { "id": "YESROBOT", "display_name": "YESROBOT", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "davidscott", "id": "359278", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "FileHash-SHA1": 10, "FileHash-SHA256": 10, "YARA": 2, "domain": 13 }, "indicator_count": 45, "is_author": false, "is_subscribing": null, "subscriber_count": 19, "modified_text": "193 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68f86c91d61d56a902ab0add", "name": "To Be (A Robot) or Not to Be: New Malware Attributed to Russia State-Sponsored COLDRIVER", "description": "", "modified": "2025-11-20T09:00:57.891000", "created": "2025-10-22T05:33:05.275000", "tags": [ "coldcopy", "backdoor", "lostkeys", "russian state-sponsored", "powershell" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver?linkId=17354485" ], "public": 1, "adversary": "COLDRIVER", "targeted_countries": [], "malware_families": [ { "id": "LOSTKEYS", "display_name": "LOSTKEYS", "target": null }, { "id": "NOROBOT", "display_name": "NOROBOT", "target": null }, { "id": "YESROBOT", "display_name": "YESROBOT", "target": null }, { "id": "MAYBEROBOT", "display_name": "MAYBEROBOT", "target": null }, { "id": "COLDCOPY", "display_name": "COLDCOPY", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" } ], "industries": [ "NGO", "Government" ], "TLP": "white", "cloned_from": "68f756148d1335a1b45d57c2", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 10, "domain": 13, "YARA": 2 }, "indicator_count": 27, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "193 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68f86cb4659435739966056c", "name": "To Be (A Robot) or Not to Be: New Malware Attributed to Russia State-Sponsored COLDRIVER", "description": "", "modified": "2025-11-20T09:00:57.891000", "created": "2025-10-22T05:33:40.106000", "tags": [ "coldcopy", "backdoor", "lostkeys", "russian state-sponsored", "powershell" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver?linkId=17354485" ], "public": 1, "adversary": "COLDRIVER", "targeted_countries": [], "malware_families": [ { "id": "LOSTKEYS", "display_name": "LOSTKEYS", "target": null }, { "id": "NOROBOT", "display_name": "NOROBOT", "target": null }, { "id": "YESROBOT", "display_name": "YESROBOT", "target": null }, { "id": "MAYBEROBOT", "display_name": "MAYBEROBOT", "target": null }, { "id": "COLDCOPY", "display_name": "COLDCOPY", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" } ], "industries": [ "NGO", "Government" ], "TLP": "white", "cloned_from": "68f756148d1335a1b45d57c2", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 10, "domain": 13, "YARA": 2 }, "indicator_count": 27, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "193 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68f89216d00e182e616a7c05", "name": "IOC - To Be (A Robot) or Not to Be: New Malware Attributed to Russia", "description": "", "modified": "2025-11-20T09:00:57.891000", "created": "2025-10-22T08:13:10.853000", "tags": [ "coldcopy", "backdoor", "lostkeys", "russian state-sponsored", "powershell" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver?linkId=17354485" ], "public": 1, "adversary": "COLDRIVER", "targeted_countries": [], "malware_families": [ { "id": "LOSTKEYS", "display_name": "LOSTKEYS", "target": null }, { "id": "NOROBOT", "display_name": "NOROBOT", "target": null }, { "id": "YESROBOT", "display_name": "YESROBOT", "target": null }, { "id": "MAYBEROBOT", "display_name": "MAYBEROBOT", "target": null }, { "id": "COLDCOPY", "display_name": "COLDCOPY", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" } ], "industries": [ "NGO", "Government" ], "TLP": "white", "cloned_from": "68f756148d1335a1b45d57c2", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 10, "domain": 13, "YARA": 2 }, "indicator_count": 27, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "193 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68f73de43e773506ec25b813", "name": "IOC - To Be (A Robot) or Not to Be: New Malware Attributed to Russia State-Sponsored COLDRIVER", "description": "COLDRIVER, a Russian state-sponsored threat group known for targeting high profile individuals in NGOs, policy advisors and dissidents, swiftly shifted operations after the May 2025 public disclosure of its LOSTKEYS malware, operationalizing new malware families five days later. It is unclear how long COLDRIVER had this malware in development, but GTIG has not observed a single instance of LOSTKEYS since publication. Instead, GTIG has seen new malware used more aggressively than any other previous malware campaigns we have attributed to COLDRIVER (also known as UNC4057, Star Blizzard, and Callisto).", "modified": "2025-11-20T08:01:35.430000", "created": "2025-10-21T08:01:40.742000", "tags": [ "coldcopy domain", "norobot", "yesrobot c2", "june", "coldcopy", "clickfix", "yesrobot", "mayberobot c2", "august" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 8, "domain": 13 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "193 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68d5daa8d7a7915f36e2959c", "name": "Twitter Feed - 500mk500 - 25-09-2025", "description": "", "modified": "2025-09-26T00:13:28.859000", "created": "2025-09-26T00:13:28.859000", "tags": [], "references": [ "https://x.com/500mk500/status/1971292077532344737" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 5, "URL": 5, "FileHash-SHA256": 2 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "248 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Oct week.3.pdf", "https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver/", "https://x.com/500mk500/status/1971292077532344737", "https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver?linkId=17354485", "https://blog.sekoia.io/ngo-reporters-without-borders-targeted-by-calisto-in-recent-campaign/", "https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver" ], "related": { "alienvault": { "adversary": [ "Callisto" ], "malware_families": [ "Mayberobot", "Norobot", "Yesrobot", "Coldcopy", "Lostkeys" ], "industries": [ "Ngo", "Government" ] }, "other": { "adversary": [ "COLDRIVER", "Operation Phantom Net, VoxelGhostBat RAT, QilinLinkPro rootkit, Operation MotorBeacon (CAPI Backdoor" ], "malware_families": [ "Calisto", "Mayberobot", "Norobot", "Yesrobot", "Coldcopy", "Lostkeys", "Python" ], "industries": [ "Ngo", "Military", "Defense", "Government" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 11, "pulses": [ { "id": "68f756148d1335a1b45d57c2", "name": "To Be (A Robot) or Not to Be: New Malware Attributed to Russia State-Sponsored COLDRIVER", "description": "COLDRIVER, a Russian state-sponsored threat group, swiftly shifted operations after their LOSTKEYS malware was exposed in May 2025. They developed new malware families, including NOROBOT, YESROBOT, and MAYBEROBOT, within days. The infection chain begins with a COLDCOPY lure disguised as a CAPTCHA, leading to the deployment of NOROBOT, a DLL that retrieves subsequent stages. YESROBOT, a Python backdoor, was briefly used before being replaced by MAYBEROBOT, a more flexible PowerShell backdoor. The malware chain has undergone constant evolution, with COLDRIVER focusing on evading detection while maintaining intelligence collection capabilities against high-value targets. The group's tactics include using HTTPS for command retrieval, encrypting commands, and implementing various evasion techniques.", "modified": "2025-11-20T09:00:57.891000", "created": "2025-10-21T09:44:52.570000", "tags": [ "coldcopy", "backdoor", "lostkeys", "russian state-sponsored", "powershell" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver?linkId=17354485" ], "public": 1, "adversary": "Callisto", "targeted_countries": [], "malware_families": [ { "id": "LOSTKEYS", "display_name": "LOSTKEYS", "target": null }, { "id": "NOROBOT", "display_name": "NOROBOT", "target": null }, { "id": "YESROBOT", "display_name": "YESROBOT", "target": null }, { "id": "MAYBEROBOT", "display_name": "MAYBEROBOT", "target": null }, { "id": "COLDCOPY", "display_name": "COLDCOPY", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" } ], "industries": [ "NGO", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 37, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 10, "domain": 13, "YARA": 2 }, "indicator_count": 27, "is_author": false, "is_subscribing": null, "subscriber_count": 386771, "modified_text": "193 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "695ccc8544f275a44d96bd7b", "name": "French NGO Reporters Without Borders targeted by Calisto in recent campaign", "description": "", "modified": "2026-01-06T08:49:09.529000", "created": "2026-01-06T08:49:09.529000", "tags": [ "calisto", "protonmail", "javascript", "borders", "ukraine", "javascript code", "june", "ngos", "aitm", "namecheap", "april", "gamaredon", "evilginx", "anomaly", "iocs known", "mstic" ], "references": [ "https://blog.sekoia.io/ngo-reporters-without-borders-targeted-by-calisto-in-recent-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [ "Ukraine" ], "malware_families": [ { "id": "Calisto", "display_name": "Calisto", "target": null } ], "attack_ids": [ { "id": "T1056.003", "name": "Web Portal Capture", "display_name": "T1056.003 - Web Portal Capture" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" } ], "industries": [ "Military", "Defense" ], "TLP": "green", "cloned_from": "693417b3b78f8baed9c055c0", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6, "domain": 90, "hostname": 3 }, "indicator_count": 99, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "146 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "693417b3b78f8baed9c055c0", "name": "French NGO Reporters Without Borders targeted by Calisto in recent campaign", "description": "In May and June 2025, the intrusion set known as Calisto, also referred to as ColdRiver or Star Blizzard, targeted the French NGO Reporters Without Borders (RSF) through a series of spear phishing attempts. This campaign aligns with Calisto's established tactics, techniques, and procedures (TTPs), primarily involving credential harvesting and potential code execution through methods like the ClickFix technique. These attacks specifically aim at entities supporting Ukraine, indicating the actor's ongoing interest in politically motivated targets.\n\nThe operation against Reporters Without Borders began in March 2025 when the NGO reported a suspicious phishing email received by one of its core members. The email originated from a ProtonMail address designed to mimic a trusted contact, soliciting a review of a non-existent document.", "modified": "2026-01-05T11:00:06.923000", "created": "2025-12-06T11:46:59.940000", "tags": [ "calisto", "protonmail", "javascript", "borders", "ukraine", "javascript code", "june", "ngos", "aitm", "namecheap", "april", "gamaredon", "evilginx", "anomaly", "iocs known", "mstic" ], "references": [ "https://blog.sekoia.io/ngo-reporters-without-borders-targeted-by-calisto-in-recent-campaign/" ], "public": 1, "adversary": "", "targeted_countries": [ "Ukraine" ], "malware_families": [ { "id": "Calisto", "display_name": "Calisto", "target": null } ], "attack_ids": [ { "id": "T1056.003", "name": "Web Portal Capture", "display_name": "T1056.003 - Web Portal Capture" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" } ], "industries": [ "Military", "Defense" ], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6, "domain": 90, "hostname": 3 }, "indicator_count": 99, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "147 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68fa56f45f0516a0b3075e7b", "name": "EbeeOct2025 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2025-11-22T16:03:43.896000", "created": "2025-10-23T16:25:24.750000", "tags": [], "references": [ "Oct week.3.pdf" ], "public": 1, "adversary": "Operation Phantom Net, VoxelGhostBat RAT, QilinLinkPro rootkit, Operation MotorBeacon (CAPI Backdoor", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 61, "CIDR": 2, "CVE": 3, "FileHash-MD5": 175, "FileHash-SHA1": 135, "FileHash-SHA256": 190, "URL": 42, "email": 8, "hostname": 48 }, "indicator_count": 664, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "191 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68f8bdeaf3d697c74bef62d4", "name": "Cyber Threat Advisory - COLDRIVER Unleashes ROBOT Malware Suite Following LOSTKEYS Exposure", "description": "", "modified": "2025-11-21T11:03:18.076000", "created": "2025-10-22T11:20:10.554000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "abinsiby7048", "id": "355718", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 6, "FileHash-SHA256": 6, "domain": 13 }, "indicator_count": 31, "is_author": false, "is_subscribing": null, "subscriber_count": 23, "modified_text": "192 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68f7881fa664f8327961714c", "name": "To Be (A Robot) or Not to Be: New Malware Attributed to Russia State-Sponsored COLDRIVER | Google Cloud Blog", "description": "A Russian state-sponsored malware group has re-tooled its operations and launched a new infection chain, according to Google Threat Intelligence Group (GTIG) in a blog post published on 20 October 2025.", "modified": "2025-11-20T13:01:30.038000", "created": "2025-10-21T13:18:23.931000", "tags": [ "coldriver", "mayberobot", "gtig", "norobot", "yesrobot", "june", "iocs", "simplefix", "zscaler", "download", "malware", "python" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "MAYBEROBOT", "display_name": "MAYBEROBOT", "target": null }, { "id": "Python", "display_name": "Python", "target": null }, { "id": "NOROBOT", "display_name": "NOROBOT", "target": null }, { "id": "YESROBOT", "display_name": "YESROBOT", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "davidscott", "id": "359278", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "FileHash-SHA1": 10, "FileHash-SHA256": 10, "YARA": 2, "domain": 13 }, "indicator_count": 45, "is_author": false, "is_subscribing": null, "subscriber_count": 19, "modified_text": "193 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68f86c91d61d56a902ab0add", "name": "To Be (A Robot) or Not to Be: New Malware Attributed to Russia State-Sponsored COLDRIVER", "description": "", "modified": "2025-11-20T09:00:57.891000", "created": "2025-10-22T05:33:05.275000", "tags": [ "coldcopy", "backdoor", "lostkeys", "russian state-sponsored", "powershell" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver?linkId=17354485" ], "public": 1, "adversary": "COLDRIVER", "targeted_countries": [], "malware_families": [ { "id": "LOSTKEYS", "display_name": "LOSTKEYS", "target": null }, { "id": "NOROBOT", "display_name": "NOROBOT", "target": null }, { "id": "YESROBOT", "display_name": "YESROBOT", "target": null }, { "id": "MAYBEROBOT", "display_name": "MAYBEROBOT", "target": null }, { "id": "COLDCOPY", "display_name": "COLDCOPY", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" } ], "industries": [ "NGO", "Government" ], "TLP": "white", "cloned_from": "68f756148d1335a1b45d57c2", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 10, "domain": 13, "YARA": 2 }, "indicator_count": 27, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "193 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68f86cb4659435739966056c", "name": "To Be (A Robot) or Not to Be: New Malware Attributed to Russia State-Sponsored COLDRIVER", "description": "", "modified": "2025-11-20T09:00:57.891000", "created": "2025-10-22T05:33:40.106000", "tags": [ "coldcopy", "backdoor", "lostkeys", "russian state-sponsored", "powershell" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver?linkId=17354485" ], "public": 1, "adversary": "COLDRIVER", "targeted_countries": [], "malware_families": [ { "id": "LOSTKEYS", "display_name": "LOSTKEYS", "target": null }, { "id": "NOROBOT", "display_name": "NOROBOT", "target": null }, { "id": "YESROBOT", "display_name": "YESROBOT", "target": null }, { "id": "MAYBEROBOT", "display_name": "MAYBEROBOT", "target": null }, { "id": "COLDCOPY", "display_name": "COLDCOPY", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" } ], "industries": [ "NGO", "Government" ], "TLP": "white", "cloned_from": "68f756148d1335a1b45d57c2", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 10, "domain": 13, "YARA": 2 }, "indicator_count": 27, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "193 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68f89216d00e182e616a7c05", "name": "IOC - To Be (A Robot) or Not to Be: New Malware Attributed to Russia", "description": "", "modified": "2025-11-20T09:00:57.891000", "created": "2025-10-22T08:13:10.853000", "tags": [ "coldcopy", "backdoor", "lostkeys", "russian state-sponsored", "powershell" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver?linkId=17354485" ], "public": 1, "adversary": "COLDRIVER", "targeted_countries": [], "malware_families": [ { "id": "LOSTKEYS", "display_name": "LOSTKEYS", "target": null }, { "id": "NOROBOT", "display_name": "NOROBOT", "target": null }, { "id": "YESROBOT", "display_name": "YESROBOT", "target": null }, { "id": "MAYBEROBOT", "display_name": "MAYBEROBOT", "target": null }, { "id": "COLDCOPY", "display_name": "COLDCOPY", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" } ], "industries": [ "NGO", "Government" ], "TLP": "white", "cloned_from": "68f756148d1335a1b45d57c2", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 10, "domain": 13, "YARA": 2 }, "indicator_count": 27, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "193 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68f73de43e773506ec25b813", "name": "IOC - To Be (A Robot) or Not to Be: New Malware Attributed to Russia State-Sponsored COLDRIVER", "description": "COLDRIVER, a Russian state-sponsored threat group known for targeting high profile individuals in NGOs, policy advisors and dissidents, swiftly shifted operations after the May 2025 public disclosure of its LOSTKEYS malware, operationalizing new malware families five days later. It is unclear how long COLDRIVER had this malware in development, but GTIG has not observed a single instance of LOSTKEYS since publication. Instead, GTIG has seen new malware used more aggressively than any other previous malware campaigns we have attributed to COLDRIVER (also known as UNC4057, Star Blizzard, and Callisto).", "modified": "2025-11-20T08:01:35.430000", "created": "2025-10-21T08:01:40.742000", "tags": [ "coldcopy domain", "norobot", "yesrobot c2", "june", "coldcopy", "clickfix", "yesrobot", "mayberobot c2", "august" ], "references": [ "https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 8, "domain": 13 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "193 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "applicationformsubmit.me", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "applicationformsubmit.me", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780356823.6992211 }