{
  "type": "Domain",
  "indicator": "archlinuxo.ru",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/archlinuxo.ru",
    "alexa": "http://www.alexa.com/siteinfo/archlinuxo.ru",
    "indicator": "archlinuxo.ru",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3386447266,
      "indicator": "archlinuxo.ru",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 12,
      "pulses": [
        {
          "id": "63a23e0f836cbe86e53b447b",
          "name": "Russia\u2019s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine",
          "description": "As the conflict has continued on the ground and in cyberspace, Trident Ursa has been operating as a dedicated access creator and intelligence gatherer. Trident Ursa remains one of the most pervasive, intrusive, continuously active and focused APTs targeting Ukraine.",
          "modified": "2023-01-19T22:04:44.402000",
          "created": "2022-12-20T22:58:23.105000",
          "tags": [
            "ukraine",
            "russia",
            "trident ursa",
            "gamaredon",
            "dns flux",
            "phishing",
            "maldocs",
            "apt"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/trident-ursa/",
            "https://github.com/pan-unit42/iocs/blob/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt"
          ],
          "public": 1,
          "adversary": "Trident Ursa",
          "targeted_countries": [
            "Ukraine"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1557",
              "name": "Man-in-the-Middle",
              "display_name": "T1557 - Man-in-the-Middle"
            },
            {
              "id": "T1559",
              "name": "Inter-Process Communication",
              "display_name": "T1559 - Inter-Process Communication"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 502,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 84,
            "FileHash-SHA1": 86,
            "FileHash-SHA256": 229,
            "URL": 3,
            "domain": 555,
            "hostname": 7
          },
          "indicator_count": 964,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386512,
          "modified_text": "1227 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66d90549c1c51747a7e34358",
          "name": "Russia\u2019s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine (by AlienVault) enriched",
          "description": "",
          "modified": "2024-09-05T01:11:35.635000",
          "created": "2024-09-05T01:11:35.635000",
          "tags": [],
          "references": [
            "63a23e0f836cbe86e53b447b.csv",
            "https://unit42.paloaltonetworks.com/trident-ursa/"
          ],
          "public": 1,
          "adversary": "Trident Ursa",
          "targeted_countries": [
            "Ukraine"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 152,
            "FileHash-SHA1": 153,
            "FileHash-SHA256": 238,
            "URL": 2890,
            "domain": 557,
            "hostname": 1230
          },
          "indicator_count": 5220,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 185,
          "modified_text": "633 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63a40a100ba18d2e54d9183d",
          "name": "Russia\u2019s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine",
          "description": "RMPAC7/202 2/002 /1163  Data  21/12/2022   Gamaredon Group: continuano le operazioni cibernetiche dopo l\u2019invasione dell\u2019Ucraina",
          "modified": "2023-01-21T07:03:04.851000",
          "created": "2022-12-22T07:41:04.705000",
          "tags": [
            "Gamaredon Group"
          ],
          "references": [
            "2656787.misp-json",
            "https://unit42.paloaltonetworks.com/trident-ursa/",
            "https://github.com/pan-unit42/iocs/blob/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt",
            "https://t.me/s/chabgei",
            "https://t.me/s/chanellsac",
            "https://t.me/s/chanelwer",
            "https://t.me/s/digitli",
            "https://t.me/s/dracarc",
            "https://t.me/s/lnk_44",
            "https://t.me/s/lnk153",
            "https://t.me/s/newtesta1",
            "https://t.me/s/templ36",
            "https://t.me/s/topnewsas",
            "https://t.me/s/toporsa",
            "https://t.me/s/vozmoz2",
            "https://t.me/s/vzloms",
            "https://t.me/s/vzloms_9",
            "https://t.me/s/zalup2",
            "https://t.me/s/zapula2",
            "https://t.me/vbs_run14"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "otx_support",
            "id": "26678",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 32,
            "domain": 553,
            "FileHash-SHA256": 221,
            "FileHash-MD5": 40,
            "FileHash-SHA1": 40
          },
          "indicator_count": 886,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 210,
          "modified_text": "1226 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63be858391c37e13461193a9",
          "name": "Russia\u2019s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine",
          "description": "",
          "modified": "2023-01-21T07:03:04.851000",
          "created": "2023-01-11T09:46:43.811000",
          "tags": [
            "Trident Ursa",
            "Gamaredon"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/trident-ursa/",
            "https://github.com/pan-unit42/iocs/blob/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt",
            ""
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Ukraine"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1557",
              "name": "Man-in-the-Middle",
              "display_name": "T1557 - Man-in-the-Middle"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1559",
              "name": "Inter-Process Communication",
              "display_name": "T1559 - Inter-Process Communication"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            }
          ],
          "industries": [
            "Government"
          ],
          "TLP": "white",
          "cloned_from": "63a40a100ba18d2e54d9183d",
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "rlawlgh827",
            "id": "208771",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 32,
            "domain": 553,
            "FileHash-SHA256": 241,
            "FileHash-MD5": 40,
            "FileHash-SHA1": 40,
            "URL": 17
          },
          "indicator_count": 923,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 37,
          "modified_text": "1226 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63a2cca0231f4704fb04c1c8",
          "name": "Russia\u2019s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine",
          "description": "As the conflict has continued on the ground and in cyberspace, Trident Ursa has been operating as a dedicated access creator and intelligence gatherer. Trident Ursa remains one of the most pervasive, intrusive, continuously active and focused APTs targeting Ukraine.",
          "modified": "2023-01-20T09:00:00.250000",
          "created": "2022-12-21T09:06:40.834000",
          "tags": [
            "domain",
            "ip address",
            "sample",
            "url https",
            "Gamaredon"
          ],
          "references": [
            "https://raw.githubusercontent.com/pan-unit42/iocs/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 32,
            "URL": 17,
            "FileHash-MD5": 96,
            "FileHash-SHA1": 96,
            "FileHash-SHA256": 241,
            "domain": 564
          },
          "indicator_count": 1046,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "1227 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63a2aa8a89150b046cc1e835",
          "name": "Russia\u2019s Trident Ursa ( Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine",
          "description": "",
          "modified": "2023-01-19T22:04:44.402000",
          "created": "2022-12-21T06:41:14.278000",
          "tags": [
            "ukraine",
            "russia",
            "trident ursa",
            "gamaredon",
            "dns flux",
            "phishing",
            "maldocs",
            "apt"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/trident-ursa/",
            "https://github.com/pan-unit42/iocs/blob/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt"
          ],
          "public": 1,
          "adversary": "Trident Ursa",
          "targeted_countries": [
            "Ukraine"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1557",
              "name": "Man-in-the-Middle",
              "display_name": "T1557 - Man-in-the-Middle"
            },
            {
              "id": "T1559",
              "name": "Inter-Process Communication",
              "display_name": "T1559 - Inter-Process Communication"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "63a23e0f836cbe86e53b447b",
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tr2222200",
            "id": "207905",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 84,
            "FileHash-SHA1": 86,
            "FileHash-SHA256": 229,
            "URL": 3,
            "domain": 555,
            "hostname": 7
          },
          "indicator_count": 964,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 188,
          "modified_text": "1227 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63a2d2a332d80ccb63f9ad94",
          "name": "Russia\u2019s Trident Ursa ( Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine",
          "description": "",
          "modified": "2023-01-19T22:04:44.402000",
          "created": "2022-12-21T09:32:19.584000",
          "tags": [
            "ukraine",
            "russia",
            "trident ursa",
            "gamaredon",
            "dns flux",
            "phishing",
            "maldocs",
            "apt"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/trident-ursa/",
            "https://github.com/pan-unit42/iocs/blob/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt"
          ],
          "public": 1,
          "adversary": "Trident Ursa",
          "targeted_countries": [
            "Ukraine"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1557",
              "name": "Man-in-the-Middle",
              "display_name": "T1557 - Man-in-the-Middle"
            },
            {
              "id": "T1559",
              "name": "Inter-Process Communication",
              "display_name": "T1559 - Inter-Process Communication"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "63a2aa8a89150b046cc1e835",
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 84,
            "FileHash-SHA1": 86,
            "FileHash-SHA256": 229,
            "URL": 3,
            "domain": 555,
            "hostname": 7
          },
          "indicator_count": 964,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 279,
          "modified_text": "1227 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "63a1d1716eb178021b496cf5",
          "name": "Russia\u2019s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine",
          "description": "Unit 42, a Palo Alto Networks cybersecurity research team, provides an update on Russia's advanced persistent threat (APT) group, Trident Ursa, which invaded Ukraine in February 2014 and continues to operate in cyberspace.",
          "modified": "2023-01-19T15:03:30.493000",
          "created": "2022-12-20T15:14:57.164000",
          "tags": [
            "threatactor/gamaredon",
            "threatactor/tridentursa",
            "threatactor.primitivebear",
            "threatactor/actinium"
          ],
          "references": [
            "https://unit42.paloaltonetworks.com/trident-ursa/#post-126209-_dyzu0g9z3zwx",
            "https://github.com/pan-unit42/iocs/blob/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt"
          ],
          "public": 1,
          "adversary": "Gamaredon",
          "targeted_countries": [
            "Ukraine"
          ],
          "malware_families": [
            {
              "id": "Shadow Chaser",
              "display_name": "Shadow Chaser",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1557",
              "name": "Man-in-the-Middle",
              "display_name": "T1557 - Man-in-the-Middle"
            },
            {
              "id": "T1559",
              "name": "Inter-Process Communication",
              "display_name": "T1559 - Inter-Process Communication"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 23,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "eric.ford",
            "id": "42510",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 101,
            "FileHash-SHA1": 102,
            "FileHash-SHA256": 255,
            "URL": 4,
            "domain": 578,
            "hostname": 7
          },
          "indicator_count": 1047,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 132,
          "modified_text": "1227 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "626148d001d02adb0615b755",
          "name": "IOC for Russia-Ukraine  Conflict-Related Cyberattacks",
          "description": "IOC for Russia-Ukraine Conflict-Related Cyberattacks",
          "modified": "2022-05-21T00:03:44.725000",
          "created": "2022-04-21T12:06:40.655000",
          "tags": [],
          "references": [
            "Russia_Ukraine_Conflict_Related_Cyberattacks_1650409565.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "hitman",
            "id": "195",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/hitman/resized/80/MtDewBot.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 11,
            "FileHash-MD5": 15,
            "FileHash-SHA1": 24,
            "FileHash-SHA256": 15,
            "domain": 11,
            "hostname": 31
          },
          "indicator_count": 107,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 186,
          "modified_text": "1471 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62260ed69b0d66e3dd53a77d",
          "name": "Russia-Ukraine Conflict",
          "description": "The following is a summary of the key data-wiper attacks in Ukraine, which have affected more than 100,000 computers in the country and are believed to have been carried out by Russian hackers.",
          "modified": "2022-04-06T00:02:16.312000",
          "created": "2022-03-07T13:55:34.040000",
          "tags": [
            "trojanspy",
            "troj.win32.trx.xxpe50fff053e0002",
            "troj.win32.trx.xxpe50fff053e0003",
            "x97m.cve20170199.yx cbp",
            "msil.whispergate.yxcaq",
            "troj.win32.trx.xxpe50fff053",
            "msil.whispergate.yxcaq| tspy.win32.trx.xxpe50fff053",
            "win32.frs.vsnw11a22",
            "win32.whispergate.yxcax",
            "t.a",
            "clipbanker",
            "trend micro",
            "related hashes",
            "detection",
            "hashes",
            "sourced",
            "vsapitrendx",
            "compromise",
            "iocs",
            "https",
            "http",
            "killdisk",
            "gamaredon"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "MSIL.WHISPERGATE.YXCAQ",
              "display_name": "MSIL.WHISPERGATE.YXCAQ",
              "target": null
            },
            {
              "id": "X97M.CVE20170199.YX CBP",
              "display_name": "X97M.CVE20170199.YX CBP",
              "target": null
            },
            {
              "id": "TROJ.Win32.TRX.XXPE50FFF053E0003",
              "display_name": "TROJ.Win32.TRX.XXPE50FFF053E0003",
              "target": null
            },
            {
              "id": "TROJ.Win32.TRX.XXPE50FFF053E0002",
              "display_name": "TROJ.Win32.TRX.XXPE50FFF053E0002",
              "target": null
            },
            {
              "id": "Clipbanker",
              "display_name": "Clipbanker",
              "target": null
            },
            {
              "id": "T.A",
              "display_name": "T.A",
              "target": null
            },
            {
              "id": "Win32.WHISPERGATE.YXCAX",
              "display_name": "Win32.WHISPERGATE.YXCAX",
              "target": null
            },
            {
              "id": "Win32.FRS.VSNW11A22",
              "display_name": "Win32.FRS.VSNW11A22",
              "target": null
            },
            {
              "id": "MSIL.WHISPERGATE.YXCAQ| TSPY.Win32.TRX.XXPE50FFF053",
              "display_name": "MSIL.WHISPERGATE.YXCAQ| TSPY.Win32.TRX.XXPE50FFF053",
              "target": null
            },
            {
              "id": "TROJ.Win32.TRX.XXPE50FFF053",
              "display_name": "TROJ.Win32.TRX.XXPE50FFF053",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "bheshaj1",
            "id": "126979",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 11,
            "FileHash-MD5": 8,
            "FileHash-SHA1": 24,
            "FileHash-SHA256": 8,
            "domain": 11,
            "hostname": 30
          },
          "indicator_count": 92,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 47,
          "modified_text": "1516 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62217ab1271a66346e8e22fa",
          "name": "Cyberattacks are Prominent in the Russia-Ukraine Conflict",
          "description": "Follow Trend Micro on Facebook, Twitter, Instagram and other social media sites for all of the latest developments in the world of cybersecurity and the search for the company\u2019s most popular sites on the web.",
          "modified": "2022-04-03T00:00:55.161000",
          "created": "2022-03-04T02:34:25.018000",
          "tags": [
            "trojanspy",
            "conti",
            "clipbanker",
            "cobalt strike",
            "saintbot",
            "outsteel",
            "bazarloader",
            "emotet",
            "ave maria",
            "gamaredon",
            "cyber threats",
            "malware",
            "reports",
            "phishing",
            "endpoints",
            "ransomware",
            "articles",
            "news",
            "ukraine",
            "trend micro",
            "february",
            "figure",
            "russia",
            "january",
            "certua",
            "find",
            "service",
            "indonesia",
            "project",
            "alliance",
            "tools",
            "bitcoin",
            "discord",
            "whispergate",
            "powershell",
            "belarus",
            "armenia",
            "cyber",
            "contact"
          ],
          "references": [
            "https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html",
            "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Japan",
            "Russian Federation",
            "Ukraine"
          ],
          "malware_families": [
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "Clipbanker",
              "display_name": "Clipbanker",
              "target": null
            },
            {
              "id": "Conti",
              "display_name": "Conti",
              "target": null
            },
            {
              "id": "SaintBot",
              "display_name": "SaintBot",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "OutSteel",
              "display_name": "OutSteel",
              "target": null
            },
            {
              "id": "Gamaredon",
              "display_name": "Gamaredon",
              "target": null
            },
            {
              "id": "Ave Maria",
              "display_name": "Ave Maria",
              "target": null
            },
            {
              "id": "Emotet",
              "display_name": "Emotet",
              "target": null
            },
            {
              "id": "BazarLoader",
              "display_name": "BazarLoader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1548",
              "name": "Abuse Elevation Control Mechanism",
              "display_name": "T1548 - Abuse Elevation Control Mechanism"
            },
            {
              "id": "T1561",
              "name": "Disk Wipe",
              "display_name": "T1561 - Disk Wipe"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1495",
              "name": "Firmware Corruption",
              "display_name": "T1495 - Firmware Corruption"
            },
            {
              "id": "T1104",
              "name": "Multi-Stage Channels",
              "display_name": "T1104 - Multi-Stage Channels"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            }
          ],
          "industries": [
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 22,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "mohdrennis",
            "id": "138092",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 14,
            "domain": 16,
            "hostname": 32,
            "FileHash-MD5": 7,
            "FileHash-SHA1": 24,
            "FileHash-SHA256": 7
          },
          "indicator_count": 100,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 369,
          "modified_text": "1519 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "621abcb970b664ac1c17a290",
          "name": "Twitter Feed - 500mk500 - 27-02-2022",
          "description": "",
          "modified": "2022-03-28T23:03:24.699000",
          "created": "2022-02-26T23:50:17.717000",
          "tags": [
            "RedLine"
          ],
          "references": [
            "https://twitter.com/500mk500/status/1497520375932108801",
            "https://twitter.com/500mk500/status/1497564394556833798",
            "https://twitter.com/500mk500/status/1497565304032923655",
            "https://twitter.com/500mk500/status/1497632589452042241"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 6,
            "hostname": 2
          },
          "indicator_count": 8,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1622,
          "modified_text": "1524 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "",
        "https://t.me/s/chanelwer",
        "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf",
        "https://twitter.com/500mk500/status/1497565304032923655",
        "https://twitter.com/500mk500/status/1497520375932108801",
        "https://unit42.paloaltonetworks.com/trident-ursa/#post-126209-_dyzu0g9z3zwx",
        "https://github.com/pan-unit42/iocs/blob/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt",
        "https://t.me/s/chanellsac",
        "https://t.me/s/vozmoz2",
        "https://t.me/s/newtesta1",
        "https://t.me/s/digitli",
        "https://twitter.com/500mk500/status/1497564394556833798",
        "https://twitter.com/500mk500/status/1497632589452042241",
        "https://t.me/s/vzloms",
        "https://t.me/s/topnewsas",
        "https://raw.githubusercontent.com/pan-unit42/iocs/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt",
        "https://t.me/s/lnk153",
        "https://t.me/s/toporsa",
        "63a23e0f836cbe86e53b447b.csv",
        "https://t.me/s/templ36",
        "https://t.me/vbs_run14",
        "https://t.me/s/zapula2",
        "https://t.me/s/zalup2",
        "https://unit42.paloaltonetworks.com/trident-ursa/",
        "https://t.me/s/dracarc",
        "Russia_Ukraine_Conflict_Related_Cyberattacks_1650409565.pdf",
        "2656787.misp-json",
        "https://t.me/s/chabgei",
        "https://t.me/s/vzloms_9",
        "https://t.me/s/lnk_44",
        "https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Trident Ursa"
          ],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "Trident Ursa",
            "Gamaredon"
          ],
          "malware_families": [
            "Conti",
            "Msil.whispergate.yxcaq| tspy.win32.trx.xxpe50fff053",
            "Win32.frs.vsnw11a22",
            "Emotet",
            "T.a",
            "Win32.whispergate.yxcax",
            "Msil.whispergate.yxcaq",
            "Cobalt strike",
            "Bazarloader",
            "Saintbot",
            "X97m.cve20170199.yx cbp",
            "Trojanspy",
            "Gamaredon",
            "Clipbanker",
            "Troj.win32.trx.xxpe50fff053e0002",
            "Outsteel",
            "Troj.win32.trx.xxpe50fff053e0003",
            "Ave maria",
            "Troj.win32.trx.xxpe50fff053",
            "Shadow chaser"
          ],
          "industries": [
            "Government",
            "Healthcare"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 12,
  "pulses": [
    {
      "id": "63a23e0f836cbe86e53b447b",
      "name": "Russia\u2019s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine",
      "description": "As the conflict has continued on the ground and in cyberspace, Trident Ursa has been operating as a dedicated access creator and intelligence gatherer. Trident Ursa remains one of the most pervasive, intrusive, continuously active and focused APTs targeting Ukraine.",
      "modified": "2023-01-19T22:04:44.402000",
      "created": "2022-12-20T22:58:23.105000",
      "tags": [
        "ukraine",
        "russia",
        "trident ursa",
        "gamaredon",
        "dns flux",
        "phishing",
        "maldocs",
        "apt"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/trident-ursa/",
        "https://github.com/pan-unit42/iocs/blob/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt"
      ],
      "public": 1,
      "adversary": "Trident Ursa",
      "targeted_countries": [
        "Ukraine"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1557",
          "name": "Man-in-the-Middle",
          "display_name": "T1557 - Man-in-the-Middle"
        },
        {
          "id": "T1559",
          "name": "Inter-Process Communication",
          "display_name": "T1559 - Inter-Process Communication"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 502,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 84,
        "FileHash-SHA1": 86,
        "FileHash-SHA256": 229,
        "URL": 3,
        "domain": 555,
        "hostname": 7
      },
      "indicator_count": 964,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386512,
      "modified_text": "1227 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "66d90549c1c51747a7e34358",
      "name": "Russia\u2019s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine (by AlienVault) enriched",
      "description": "",
      "modified": "2024-09-05T01:11:35.635000",
      "created": "2024-09-05T01:11:35.635000",
      "tags": [],
      "references": [
        "63a23e0f836cbe86e53b447b.csv",
        "https://unit42.paloaltonetworks.com/trident-ursa/"
      ],
      "public": 1,
      "adversary": "Trident Ursa",
      "targeted_countries": [
        "Ukraine"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "skocherhan",
        "id": "249290",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 152,
        "FileHash-SHA1": 153,
        "FileHash-SHA256": 238,
        "URL": 2890,
        "domain": 557,
        "hostname": 1230
      },
      "indicator_count": 5220,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 185,
      "modified_text": "633 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63a40a100ba18d2e54d9183d",
      "name": "Russia\u2019s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine",
      "description": "RMPAC7/202 2/002 /1163  Data  21/12/2022   Gamaredon Group: continuano le operazioni cibernetiche dopo l\u2019invasione dell\u2019Ucraina",
      "modified": "2023-01-21T07:03:04.851000",
      "created": "2022-12-22T07:41:04.705000",
      "tags": [
        "Gamaredon Group"
      ],
      "references": [
        "2656787.misp-json",
        "https://unit42.paloaltonetworks.com/trident-ursa/",
        "https://github.com/pan-unit42/iocs/blob/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt",
        "https://t.me/s/chabgei",
        "https://t.me/s/chanellsac",
        "https://t.me/s/chanelwer",
        "https://t.me/s/digitli",
        "https://t.me/s/dracarc",
        "https://t.me/s/lnk_44",
        "https://t.me/s/lnk153",
        "https://t.me/s/newtesta1",
        "https://t.me/s/templ36",
        "https://t.me/s/topnewsas",
        "https://t.me/s/toporsa",
        "https://t.me/s/vozmoz2",
        "https://t.me/s/vzloms",
        "https://t.me/s/vzloms_9",
        "https://t.me/s/zalup2",
        "https://t.me/s/zapula2",
        "https://t.me/vbs_run14"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "otx_support",
        "id": "26678",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 32,
        "domain": 553,
        "FileHash-SHA256": 221,
        "FileHash-MD5": 40,
        "FileHash-SHA1": 40
      },
      "indicator_count": 886,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 210,
      "modified_text": "1226 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63be858391c37e13461193a9",
      "name": "Russia\u2019s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine",
      "description": "",
      "modified": "2023-01-21T07:03:04.851000",
      "created": "2023-01-11T09:46:43.811000",
      "tags": [
        "Trident Ursa",
        "Gamaredon"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/trident-ursa/",
        "https://github.com/pan-unit42/iocs/blob/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt",
        ""
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Ukraine"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1557",
          "name": "Man-in-the-Middle",
          "display_name": "T1557 - Man-in-the-Middle"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1559",
          "name": "Inter-Process Communication",
          "display_name": "T1559 - Inter-Process Communication"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        }
      ],
      "industries": [
        "Government"
      ],
      "TLP": "white",
      "cloned_from": "63a40a100ba18d2e54d9183d",
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "rlawlgh827",
        "id": "208771",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 32,
        "domain": 553,
        "FileHash-SHA256": 241,
        "FileHash-MD5": 40,
        "FileHash-SHA1": 40,
        "URL": 17
      },
      "indicator_count": 923,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 37,
      "modified_text": "1226 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63a2cca0231f4704fb04c1c8",
      "name": "Russia\u2019s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine",
      "description": "As the conflict has continued on the ground and in cyberspace, Trident Ursa has been operating as a dedicated access creator and intelligence gatherer. Trident Ursa remains one of the most pervasive, intrusive, continuously active and focused APTs targeting Ukraine.",
      "modified": "2023-01-20T09:00:00.250000",
      "created": "2022-12-21T09:06:40.834000",
      "tags": [
        "domain",
        "ip address",
        "sample",
        "url https",
        "Gamaredon"
      ],
      "references": [
        "https://raw.githubusercontent.com/pan-unit42/iocs/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 16,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 32,
        "URL": 17,
        "FileHash-MD5": 96,
        "FileHash-SHA1": 96,
        "FileHash-SHA256": 241,
        "domain": 564
      },
      "indicator_count": 1046,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 863,
      "modified_text": "1227 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63a2aa8a89150b046cc1e835",
      "name": "Russia\u2019s Trident Ursa ( Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine",
      "description": "",
      "modified": "2023-01-19T22:04:44.402000",
      "created": "2022-12-21T06:41:14.278000",
      "tags": [
        "ukraine",
        "russia",
        "trident ursa",
        "gamaredon",
        "dns flux",
        "phishing",
        "maldocs",
        "apt"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/trident-ursa/",
        "https://github.com/pan-unit42/iocs/blob/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt"
      ],
      "public": 1,
      "adversary": "Trident Ursa",
      "targeted_countries": [
        "Ukraine"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1557",
          "name": "Man-in-the-Middle",
          "display_name": "T1557 - Man-in-the-Middle"
        },
        {
          "id": "T1559",
          "name": "Inter-Process Communication",
          "display_name": "T1559 - Inter-Process Communication"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "63a23e0f836cbe86e53b447b",
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "tr2222200",
        "id": "207905",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 84,
        "FileHash-SHA1": 86,
        "FileHash-SHA256": 229,
        "URL": 3,
        "domain": 555,
        "hostname": 7
      },
      "indicator_count": 964,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 188,
      "modified_text": "1227 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63a2d2a332d80ccb63f9ad94",
      "name": "Russia\u2019s Trident Ursa ( Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine",
      "description": "",
      "modified": "2023-01-19T22:04:44.402000",
      "created": "2022-12-21T09:32:19.584000",
      "tags": [
        "ukraine",
        "russia",
        "trident ursa",
        "gamaredon",
        "dns flux",
        "phishing",
        "maldocs",
        "apt"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/trident-ursa/",
        "https://github.com/pan-unit42/iocs/blob/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt"
      ],
      "public": 1,
      "adversary": "Trident Ursa",
      "targeted_countries": [
        "Ukraine"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1557",
          "name": "Man-in-the-Middle",
          "display_name": "T1557 - Man-in-the-Middle"
        },
        {
          "id": "T1559",
          "name": "Inter-Process Communication",
          "display_name": "T1559 - Inter-Process Communication"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "63a2aa8a89150b046cc1e835",
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 84,
        "FileHash-SHA1": 86,
        "FileHash-SHA256": 229,
        "URL": 3,
        "domain": 555,
        "hostname": 7
      },
      "indicator_count": 964,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 279,
      "modified_text": "1227 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "63a1d1716eb178021b496cf5",
      "name": "Russia\u2019s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine",
      "description": "Unit 42, a Palo Alto Networks cybersecurity research team, provides an update on Trident Ursa, the advanced persistent threat (APT) group of Russia, which invaded Ukraine in February 2014; the group continues to operate in cyberspace.",
      "modified": "2023-01-19T15:03:30.493000",
      "created": "2022-12-20T15:14:57.164000",
      "tags": [
        "threatactor/gamaredon",
        "threatactor/tridentursa",
        "threatactor.primitivebear",
        "threatactor/actinium"
      ],
      "references": [
        "https://unit42.paloaltonetworks.com/trident-ursa/#post-126209-_dyzu0g9z3zwx",
        "https://github.com/pan-unit42/iocs/blob/master/Gamaredon/Gamaredon_IoCs_DEC2022.txt"
      ],
      "public": 1,
      "adversary": "Gamaredon",
      "targeted_countries": [
        "Ukraine"
      ],
      "malware_families": [
        {
          "id": "Shadow Chaser",
          "display_name": "Shadow Chaser",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1557",
          "name": "Man-in-the-Middle",
          "display_name": "T1557 - Man-in-the-Middle"
        },
        {
          "id": "T1559",
          "name": "Inter-Process Communication",
          "display_name": "T1559 - Inter-Process Communication"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 23,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "eric.ford",
        "id": "42510",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 101,
        "FileHash-SHA1": 102,
        "FileHash-SHA256": 255,
        "URL": 4,
        "domain": 578,
        "hostname": 7
      },
      "indicator_count": 1047,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 132,
      "modified_text": "1227 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "626148d001d02adb0615b755",
      "name": "IOC for Russia-Ukraine  Conflict-Related Cyberattacks",
      "description": "IOC for Russia-Ukraine  Conflict-Related Cyberattacks",
      "modified": "2022-05-21T00:03:44.725000",
      "created": "2022-04-21T12:06:40.655000",
      "tags": [],
      "references": [
        "Russia_Ukraine_Conflict_Related_Cyberattacks_1650409565.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "hitman",
        "id": "195",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/hitman/resized/80/MtDewBot.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 11,
        "FileHash-MD5": 15,
        "FileHash-SHA1": 24,
        "FileHash-SHA256": 15,
        "domain": 11,
        "hostname": 31
      },
      "indicator_count": 107,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 186,
      "modified_text": "1471 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "62260ed69b0d66e3dd53a77d",
      "name": "Russia-Ukraine Conflict",
      "description": "The following is a summary of the key data-wiper attacks in Ukraine, which have affected more than 100,000 computers in the country and are believed to have been carried out by Russian hackers.",
      "modified": "2022-04-06T00:02:16.312000",
      "created": "2022-03-07T13:55:34.040000",
      "tags": [
        "trojanspy",
        "troj.win32.trx.xxpe50fff053e0002",
        "troj.win32.trx.xxpe50fff053e0003",
        "x97m.cve20170199.yx cbp",
        "msil.whispergate.yxcaq",
        "troj.win32.trx.xxpe50fff053",
        "msil.whispergate.yxcaq| tspy.win32.trx.xxpe50fff053",
        "win32.frs.vsnw11a22",
        "win32.whispergate.yxcax",
        "t.a",
        "clipbanker",
        "trend micro",
        "related hashes",
        "detection",
        "hashes",
        "sourced",
        "vsapitrendx",
        "compromise",
        "iocs",
        "https",
        "http",
        "killdisk",
        "gamaredon"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "TrojanSpy",
          "display_name": "TrojanSpy",
          "target": null
        },
        {
          "id": "MSIL.WHISPERGATE.YXCAQ",
          "display_name": "MSIL.WHISPERGATE.YXCAQ",
          "target": null
        },
        {
          "id": "X97M.CVE20170199.YX CBP",
          "display_name": "X97M.CVE20170199.YX CBP",
          "target": null
        },
        {
          "id": "TROJ.Win32.TRX.XXPE50FFF053E0003",
          "display_name": "TROJ.Win32.TRX.XXPE50FFF053E0003",
          "target": null
        },
        {
          "id": "TROJ.Win32.TRX.XXPE50FFF053E0002",
          "display_name": "TROJ.Win32.TRX.XXPE50FFF053E0002",
          "target": null
        },
        {
          "id": "Clipbanker",
          "display_name": "Clipbanker",
          "target": null
        },
        {
          "id": "T.A",
          "display_name": "T.A",
          "target": null
        },
        {
          "id": "Win32.WHISPERGATE.YXCAX",
          "display_name": "Win32.WHISPERGATE.YXCAX",
          "target": null
        },
        {
          "id": "Win32.FRS.VSNW11A22",
          "display_name": "Win32.FRS.VSNW11A22",
          "target": null
        },
        {
          "id": "MSIL.WHISPERGATE.YXCAQ| TSPY.Win32.TRX.XXPE50FFF053",
          "display_name": "MSIL.WHISPERGATE.YXCAQ| TSPY.Win32.TRX.XXPE50FFF053",
          "target": null
        },
        {
          "id": "TROJ.Win32.TRX.XXPE50FFF053",
          "display_name": "TROJ.Win32.TRX.XXPE50FFF053",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "bheshaj1",
        "id": "126979",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 11,
        "FileHash-MD5": 8,
        "FileHash-SHA1": 24,
        "FileHash-SHA256": 8,
        "domain": 11,
        "hostname": 30
      },
      "indicator_count": 92,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 47,
      "modified_text": "1516 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "archlinuxo.ru",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "archlinuxo.ru",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780221594.914465
}