{ "type": "Domain", "indicator": "astrolinktech.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/astrolinktech.com", "alexa": "http://www.alexa.com/siteinfo/astrolinktech.com", "indicator": "astrolinktech.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4260880330, "indicator": "astrolinktech.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 13, "pulses": [ { "id": "69b108df5b954bb09603a0db", "name": "Microsoft OAuth Device Code Phishing", "description": "A new phishing technique abusing Microsoft's OAuth Device Code flow is on the rise, with over 180 phishing URLs detected in a week. This method shifts from credential theft to token-based account takeover, making detection more challenging. Attackers initiate a device authorization process, tricking victims into approving it on legitimate Microsoft pages. The attack uses encrypted HTTPS traffic and legitimate authentication flows, bypassing traditional phishing indicators. Victims unknowingly grant attackers access to their Microsoft 365 accounts through OAuth tokens. This poses a critical risk as it allows immediate access to corporate data and resources, potentially leading to business email compromise and persistent access through refresh tokens.", "modified": "2026-03-11T10:19:13.935000", "created": "2026-03-11T06:17:03.540000", "tags": [ "oauth", "account takeover", "ssl decryption", "device code", "https", "token-based", "microsoft 365", "phishing" ], "references": [ "https://any.run/cybersecurity-blog/oauth-device-code-phishing/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "British Indian Ocean Territory", "India" ], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Technology", "Education", "Manufacturing", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 2 }, "indicator_count": 2, "is_author": false, "is_subscribing": null, "subscriber_count": 386777, "modified_text": "82 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b0e9f202a2612fcd5f053a", "name": "Authentication Broken; Reputation Degraded; Pipeline Filtered", "description": "(AS714 - Apple Inc.): 17.57.156.0/24 (SMTP/IMAP Pool) Origin (High-Volume Mail Relay) Flag: X-Mail-Address-Is-Alias: yes (Trust Failure) Pipeline (Tier-1 Upstreams)\nAS7018 (AT&T Enterprises): Primary North American transit. AS3356 (Lumen/Level 3): Backbone for global fiber paths. AS701 (Verizon Business): Critical US enterprise routing. AS2914 (NTT America): Primary trans-Pacific/Global link. AS1299 (Arelion/Telia): Main European gateway. Peering (Delivery Chain)\nFrance: AS5511 (Orange S.A.) Europe (General): AS6830 (Liberty Global) Germany: AS8767 (M-net), AS44066 (Firstcolo), AS13237 (euNetworks) UK: AS4455 (IX Reach), AS25160 (Vorboss) Australia/Asia: AS7474 (SingTel Optus), AS4809 (China Telecom), AS3786 (LG DACOM)\n Failure Pt- Double Umbrella occurs AS714-to-AS7018/AS3356 handoff.", "modified": "2026-05-13T22:49:01.446000", "created": "2026-03-11T04:05:06.832000", "tags": [ "as714", "smtpimap pool", "node", "highvolume mail", "relay", "internal flag", "trust failure", "tier1 upstreams", "as7018", "as3356", "general" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 7, "URL": 14, "hostname": 15, "domain": 4 }, "indicator_count": 40, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b0e9f14cbe0b5d40e6fb31", "name": "Authentication Broken; Reputation Degraded; Pipeline Filtered", "description": "(AS714 - Apple Inc.): 17.57.156.0/24 (SMTP/IMAP Pool) Origin (High-Volume Mail Relay) Flag: X-Mail-Address-Is-Alias: yes (Trust Failure) Pipeline (Tier-1 Upstreams)\nAS7018 (AT&T Enterprises): Primary North American transit. AS3356 (Lumen/Level 3): Backbone for global fiber paths. AS701 (Verizon Business): Critical US enterprise routing. AS2914 (NTT America): Primary trans-Pacific/Global link. AS1299 (Arelion/Telia): Main European gateway. Peering (Delivery Chain)\nFrance: AS5511 (Orange S.A.) Europe (General): AS6830 (Liberty Global) Germany: AS8767 (M-net), AS44066 (Firstcolo), AS13237 (euNetworks) UK: AS4455 (IX Reach), AS25160 (Vorboss) Australia/Asia: AS7474 (SingTel Optus), AS4809 (China Telecom), AS3786 (LG DACOM)\n Failure Pt- Double Umbrella occurs AS714-to-AS7018/AS3356 handoff.", "modified": "2026-05-13T22:48:59.086000", "created": "2026-03-11T04:05:05.255000", "tags": [ "as714", "smtpimap pool", "node", "highvolume mail", "relay", "internal flag", "trust failure", "tier1 upstreams", "as7018", "as3356", "general" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 23, "domain": 7, "hostname": 46, "URL": 38 }, "indicator_count": 114, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b0ed2effdcce13f85dbaf7", "name": "Lo Fi Disabler 17.57.156.36 (17.0.0.0/9) AS 714 ( Apple Inc. )", "description": "505/505 detections. 933 exe malicious files communicating. 108 referring", "modified": "2026-05-01T01:03:41.327000", "created": "2026-03-11T04:18:54.258000", "tags": [ "united", "as714 apple", "passive dns", "urls", "files", "location united", "america flag", "america asn", "dns resolutions", "domains top", "trojandropper" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 50, "FileHash-SHA1": 50, "FileHash-SHA256": 51, "hostname": 32, "domain": 3, "URL": 2 }, "indicator_count": 188, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "31 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b0ed2db6475c4b6f2369f7", "name": "Lo Fi Disabler 17.57.156.36 (17.0.0.0/9) AS 714 ( Apple Inc. )", "description": "505/505 detections. 933 exe malicious files communicating. 108 referring", "modified": "2026-05-01T01:03:40.003000", "created": "2026-03-11T04:18:53.720000", "tags": [ "united", "as714 apple", "passive dns", "urls", "files", "location united", "america flag", "america asn", "dns resolutions", "domains top", "trojandropper" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 761, "FileHash-SHA1": 707, "FileHash-SHA256": 1768, "hostname": 263, "URL": 116, "domain": 49, "CIDR": 1, "email": 2 }, "indicator_count": 3667, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "31 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bbba3ed3b01bcf222ccc1d", "name": "EbeeMar2026 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-18T08:06:12.483000", "created": "2026-03-19T08:56:30.058000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara" ], "references": [ "IOCs.2026.3.csv" ], "public": 1, "adversary": "ClipXDaemon, TENGU RANSOMWARE, A0Backdoor, GlassWorm, Operation CamelClone, VOID#GEIST", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 97, "URL": 96, "CVE": 3, "FileHash-MD5": 93, "FileHash-SHA1": 101, "FileHash-SHA256": 153, "domain": 156, "email": 9 }, "indicator_count": 708, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b10515a85f0dcc21e2880b", "name": "VirusTotal report\n for 08fd834ba57989a7c031cc1a66c42dc3c00308e6cc38e99ba47f145bb.sh", "description": "fast.no", "modified": "2026-04-10T07:01:36.400000", "created": "2026-03-11T06:00:53.164000", "tags": [ "date hash", "avast avg", "entries http", "scans record", "value", "body toolbar", "exempt", "cache control", "content type", "set cookie" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 184, "FileHash-SHA1": 181, "FileHash-SHA256": 631, "domain": 17, "URL": 73, "hostname": 20 }, "indicator_count": 1106, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "52 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b0f7ac95dc7083708d2091", "name": "ALBERTA clone arek- btc - same virus.", "description": "", "modified": "2026-04-10T05:02:49.470000", "created": "2026-03-11T05:03:40.599000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "68346e8e3280aa271c02ec21", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 100, "FileHash-MD5": 178, "FileHash-SHA1": 178, "FileHash-SHA256": 1009, "domain": 129, "hostname": 321, "email": 3 }, "indicator_count": 1918, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "52 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b0fdf7bf47042ca1d78b44", "name": "A Nexus of Bobsoft superloops", "description": "", "modified": "2026-04-10T05:02:49.470000", "created": "2026-03-11T05:30:31.537000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 38, "hostname": 171, "FileHash-SHA256": 51, "URL": 35, "CIDR": 2, "email": 7, "domain": 11, "FileHash-MD5": 17 }, "indicator_count": 332, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "52 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b5d6c369f29b377664434b", "name": "OAuth Device Code Phishing Campaign Targets Microsoft 365 Accounts", "description": "Threat actors are targeting Microsoft 365 accounts using a growing attack method known as OAuth device code phishing.", "modified": "2026-03-14T21:44:34.629000", "created": "2026-03-14T21:44:34.629000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2, "hostname": 11 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "79 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b1f2fe43889bc195af4c37", "name": "Microsoft OAuth Device Code Phishing", "description": "", "modified": "2026-03-11T22:55:58.006000", "created": "2026-03-11T22:55:58.006000", "tags": [ "oauth", "account takeover", "ssl decryption", "device code", "https", "token-based", "microsoft 365", "phishing" ], "references": [ "https://any.run/cybersecurity-blog/oauth-device-code-phishing/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "British Indian Ocean Territory", "India" ], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Technology", "Education", "Manufacturing", "Government" ], "TLP": "white", "cloned_from": "69b108df5b954bb09603a0db", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2 }, "indicator_count": 2, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "82 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b10d1ce4563d38fbbc72d6", "name": "disable_duck clone Alberta", "description": "", "modified": "2026-03-11T07:40:56.177000", "created": "2026-03-11T06:35:08.464000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "white", "modified", "runtime data", "ansi", "public", "months ago", "filehashsha256", "hostname", "domain", "path", "green", "copy", "powershell", "general", "malicious", "pixel", "suspicious", "meta", "covenant", "virustotal", "click", "open", "cobalt strike", "probe", "first", "installer", "template", "crypto", "cobalt", "mozilla", "mirai", "false", "date", "title", "roboto", "arch", "android", "april", "drovorub", "squad", "baby", "geek", "tofsee", "redline stealer", "twitter", "service", "team", "killswitch", "mini", "cobaltstrike", "enterprise", "simda", "suppobox", "ransomware", "maldoc", "computrace", "february", "tetris", "hybrid", "body", "iframe", "qakbot", "double", "proton", "mark", "jakarta", "win32", "explorer", "union", "redirector", "xrat", "model", "rogue", "done", "python", "police", "thor", "xploit", "impact", "retro", "jeff", "oilrig", "sliver", "bypass", "info", "school", "miner", "phishing", "riots", "comment", "gafgyt", "bashlite", "calgary", "tech", "bitcoin", "test", "survey", "ukraine", "gamarue", "swisyn", "krucky", "systembc", "june", "dridex", "agent", "close", "format", "autodetect", "strings", "contact", "switch", "community", "limits", "inquest labs", "resources api", "cve list", "notes blog", "drop your", "file", "kaspersky threat intelligence portal", "online virus scan file", "online file scanner", "kaspersky online scanner", "online file virus scan", "scan file online", "scan file for virus", "file scanner", "online file virus scanner", "check link for virus", "kaspersky online scan", "check file for virus", "false alarm", "false detection", "false positive", "online virus", "scanner", "hybrid analysis", "api key", "vetting process", "please note", "please", "ualberta", "ualberta http", "xormozilla", "disableduck", "virus", "static", "indicator of compromise", "ioc", "extraction", "emulation", "platform", "triage", "report", "reported", "analyze", "filesize", "set value", "iocs", "process", "process key", "monitor", "resource", "config", "target", "generic", "javascript", "static analyzer", "analyzer", "Microsoft", "YEG", "UAlberta", "Google", "AHS", "Covenant Health" ], "references": [ "https://hybrid-analysis.com/sample/5e066617cc959dbab123f23d5d36a4dc4d813358e43eddbd1a6e7c87827c301d/68e01fdde76500b3c20326c4", "https://metadefender.com/results/file/bzI1MTAwMzhvTXdHbkVaZGItcW0tbnU2Nmkx_mdaas", "https://opentip.kaspersky.com/5E066617CC959DBAB123F23D5D36A4DC4D813358E43EDDBD1A6E7C87827C301D/?tab=upload", "https://hybrid-analysis.com/sample/5e066617cc959dbab123f23d5d36a4dc4d813358e43eddbd1a6e7c87827c301d", "https://www.filescan.io/uploads/68e01279f377ab2310519c81/reports/02a0a465-8936-4b6d-99a2-6950b71ab1c5/ioc", "https://tria.ge/251003-x8c56azky6/behavioral2", "https://www.virustotal.com/gui/file/5e066617cc959dbab123f23d5d36a4dc4d813358e43eddbd1a6e7c87827c301d?nocache=1", "https://app.threat.zone/submission/db9c1a4a-a706-4ed9-9229-4190f02151bc/overview" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America", "Netherlands" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [ "Education", "Government", "Healthcare" ], "TLP": "white", "cloned_from": "68e02ab7156e79ecd34a4929", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4203, "CIDR": 8, "CVE": 13, "FileHash-MD5": 31, "FileHash-SHA1": 25, "FileHash-SHA256": 74, "domain": 117, "email": 14, "hostname": 76 }, "indicator_count": 4561, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "82 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b105ea2ce9e1de6c87ceb2", "name": "IOC - OAuth Device Code Phishing: A New Microsoft 365 Account Breach Vector", "description": "The victim is then shown the user_code on a phishing page, often disguised as a document verification step (for example, a fake DocuSign notification). The page instructs the user to copy the code and enter it at microsoft[.]com/devicelogin. From the user\u2019s perspective, everything appears legitimate. They are redirected to a real Microsoft page, where they enter their credentials and complete MFA.", "modified": "2026-03-11T06:04:26.623000", "created": "2026-03-11T06:04:26.623000", "tags": [], "references": [ "https://any.run/cybersecurity-blog/cybersecurity-blog/oauth-device-code-phishing/#iocs-18987" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2 }, "indicator_count": 2, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "82 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "IOCs.2026.3.csv", "https://tria.ge/251003-x8c56azky6/behavioral2", "https://www.virustotal.com/gui/file/5e066617cc959dbab123f23d5d36a4dc4d813358e43eddbd1a6e7c87827c301d?nocache=1", "https://any.run/cybersecurity-blog/cybersecurity-blog/oauth-device-code-phishing/#iocs-18987", "https://www.filescan.io/uploads/68e01279f377ab2310519c81/reports/02a0a465-8936-4b6d-99a2-6950b71ab1c5/ioc", "https://metadefender.com/results/file/bzI1MTAwMzhvTXdHbkVaZGItcW0tbnU2Nmkx_mdaas", "https://opentip.kaspersky.com/5E066617CC959DBAB123F23D5D36A4DC4D813358E43EDDBD1A6E7C87827C301D/?tab=upload", "https://app.threat.zone/submission/db9c1a4a-a706-4ed9-9229-4190f02151bc/overview", "https://hybrid-analysis.com/sample/5e066617cc959dbab123f23d5d36a4dc4d813358e43eddbd1a6e7c87827c301d", "https://hybrid-analysis.com/sample/5e066617cc959dbab123f23d5d36a4dc4d813358e43eddbd1a6e7c87827c301d/68e01fdde76500b3c20326c4", "https://any.run/cybersecurity-blog/oauth-device-code-phishing/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [ "Manufacturing", "Education", "Government", "Technology" ] }, "other": { "adversary": [ "ClipXDaemon, TENGU RANSOMWARE, A0Backdoor, GlassWorm, Operation CamelClone, VOID#GEIST" ], "malware_families": [], "industries": [ "Manufacturing", "Healthcare", "Education", "Government", "Technology" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 13, "pulses": [ { "id": "69b108df5b954bb09603a0db", "name": "Microsoft OAuth Device Code Phishing", "description": "A new phishing technique abusing Microsoft's OAuth Device Code flow is on the rise, with over 180 phishing URLs detected in a week. This method shifts from credential theft to token-based account takeover, making detection more challenging. Attackers initiate a device authorization process, tricking victims into approving it on legitimate Microsoft pages. The attack uses encrypted HTTPS traffic and legitimate authentication flows, bypassing traditional phishing indicators. Victims unknowingly grant attackers access to their Microsoft 365 accounts through OAuth tokens. This poses a critical risk as it allows immediate access to corporate data and resources, potentially leading to business email compromise and persistent access through refresh tokens.", "modified": "2026-03-11T10:19:13.935000", "created": "2026-03-11T06:17:03.540000", "tags": [ "oauth", "account takeover", "ssl decryption", "device code", "https", "token-based", "microsoft 365", "phishing" ], "references": [ "https://any.run/cybersecurity-blog/oauth-device-code-phishing/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "British Indian Ocean Territory", "India" ], "malware_families": [], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Technology", "Education", "Manufacturing", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 2 }, "indicator_count": 2, "is_author": false, "is_subscribing": null, "subscriber_count": 386777, "modified_text": "82 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b0e9f202a2612fcd5f053a", "name": "Authentication Broken; Reputation Degraded; Pipeline Filtered", "description": "(AS714 - Apple Inc.): 17.57.156.0/24 (SMTP/IMAP Pool) Origin (High-Volume Mail Relay) Flag: X-Mail-Address-Is-Alias: yes (Trust Failure) Pipeline (Tier-1 Upstreams)\nAS7018 (AT&T Enterprises): Primary North American transit. AS3356 (Lumen/Level 3): Backbone for global fiber paths. AS701 (Verizon Business): Critical US enterprise routing. AS2914 (NTT America): Primary trans-Pacific/Global link. AS1299 (Arelion/Telia): Main European gateway. Peering (Delivery Chain)\nFrance: AS5511 (Orange S.A.) Europe (General): AS6830 (Liberty Global) Germany: AS8767 (M-net), AS44066 (Firstcolo), AS13237 (euNetworks) UK: AS4455 (IX Reach), AS25160 (Vorboss) Australia/Asia: AS7474 (SingTel Optus), AS4809 (China Telecom), AS3786 (LG DACOM)\n Failure Pt- Double Umbrella occurs AS714-to-AS7018/AS3356 handoff.", "modified": "2026-05-13T22:49:01.446000", "created": "2026-03-11T04:05:06.832000", "tags": [ "as714", "smtpimap pool", "node", "highvolume mail", "relay", "internal flag", "trust failure", "tier1 upstreams", "as7018", "as3356", "general" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 7, "URL": 14, "hostname": 15, "domain": 4 }, "indicator_count": 40, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b0e9f14cbe0b5d40e6fb31", "name": "Authentication Broken; Reputation Degraded; Pipeline Filtered", "description": "(AS714 - Apple Inc.): 17.57.156.0/24 (SMTP/IMAP Pool) Origin (High-Volume Mail Relay) Flag: X-Mail-Address-Is-Alias: yes (Trust Failure) Pipeline (Tier-1 Upstreams)\nAS7018 (AT&T Enterprises): Primary North American transit. AS3356 (Lumen/Level 3): Backbone for global fiber paths. AS701 (Verizon Business): Critical US enterprise routing. AS2914 (NTT America): Primary trans-Pacific/Global link. AS1299 (Arelion/Telia): Main European gateway. Peering (Delivery Chain)\nFrance: AS5511 (Orange S.A.) Europe (General): AS6830 (Liberty Global) Germany: AS8767 (M-net), AS44066 (Firstcolo), AS13237 (euNetworks) UK: AS4455 (IX Reach), AS25160 (Vorboss) Australia/Asia: AS7474 (SingTel Optus), AS4809 (China Telecom), AS3786 (LG DACOM)\n Failure Pt- Double Umbrella occurs AS714-to-AS7018/AS3356 handoff.", "modified": "2026-05-13T22:48:59.086000", "created": "2026-03-11T04:05:05.255000", "tags": [ "as714", "smtpimap pool", "node", "highvolume mail", "relay", "internal flag", "trust failure", "tier1 upstreams", "as7018", "as3356", "general" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 23, "domain": 7, "hostname": 46, "URL": 38 }, "indicator_count": 114, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b0ed2effdcce13f85dbaf7", "name": "Lo Fi Disabler 17.57.156.36 (17.0.0.0/9) AS 714 ( Apple Inc. )", "description": "505/505 detections. 933 exe malicious files communicating. 108 referring", "modified": "2026-05-01T01:03:41.327000", "created": "2026-03-11T04:18:54.258000", "tags": [ "united", "as714 apple", "passive dns", "urls", "files", "location united", "america flag", "america asn", "dns resolutions", "domains top", "trojandropper" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 50, "FileHash-SHA1": 50, "FileHash-SHA256": 51, "hostname": 32, "domain": 3, "URL": 2 }, "indicator_count": 188, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "31 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b0ed2db6475c4b6f2369f7", "name": "Lo Fi Disabler 17.57.156.36 (17.0.0.0/9) AS 714 ( Apple Inc. )", "description": "505/505 detections. 933 exe malicious files communicating. 108 referring", "modified": "2026-05-01T01:03:40.003000", "created": "2026-03-11T04:18:53.720000", "tags": [ "united", "as714 apple", "passive dns", "urls", "files", "location united", "america flag", "america asn", "dns resolutions", "domains top", "trojandropper" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 761, "FileHash-SHA1": 707, "FileHash-SHA256": 1768, "hostname": 263, "URL": 116, "domain": 49, "CIDR": 1, "email": 2 }, "indicator_count": 3667, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "31 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bbba3ed3b01bcf222ccc1d", "name": "EbeeMar2026 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-18T08:06:12.483000", "created": "2026-03-19T08:56:30.058000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara" ], "references": [ "IOCs.2026.3.csv" ], "public": 1, "adversary": "ClipXDaemon, TENGU RANSOMWARE, A0Backdoor, GlassWorm, Operation CamelClone, VOID#GEIST", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 97, "URL": 96, "CVE": 3, "FileHash-MD5": 93, "FileHash-SHA1": 101, "FileHash-SHA256": 153, "domain": 156, "email": 9 }, "indicator_count": 708, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b10515a85f0dcc21e2880b", "name": "VirusTotal report\n for 08fd834ba57989a7c031cc1a66c42dc3c00308e6cc38e99ba47f145bb.sh", "description": "fast.no", "modified": "2026-04-10T07:01:36.400000", "created": "2026-03-11T06:00:53.164000", "tags": [ "date hash", "avast avg", "entries http", "scans record", "value", "body toolbar", "exempt", "cache control", "content type", "set cookie" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 184, "FileHash-SHA1": 181, "FileHash-SHA256": 631, "domain": 17, "URL": 73, "hostname": 20 }, "indicator_count": 1106, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "52 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b0f7ac95dc7083708d2091", "name": "ALBERTA clone arek- btc - same virus.", "description": "", "modified": "2026-04-10T05:02:49.470000", "created": "2026-03-11T05:03:40.599000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "68346e8e3280aa271c02ec21", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 100, "FileHash-MD5": 178, "FileHash-SHA1": 178, "FileHash-SHA256": 1009, "domain": 129, "hostname": 321, "email": 3 }, "indicator_count": 1918, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "52 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b0fdf7bf47042ca1d78b44", "name": "A Nexus of Bobsoft superloops", "description": "", "modified": "2026-04-10T05:02:49.470000", "created": "2026-03-11T05:30:31.537000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 38, "hostname": 171, "FileHash-SHA256": 51, "URL": 35, "CIDR": 2, "email": 7, "domain": 11, "FileHash-MD5": 17 }, "indicator_count": 332, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "52 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b5d6c369f29b377664434b", "name": "OAuth Device Code Phishing Campaign Targets Microsoft 365 Accounts", "description": "Threat actors are targeting Microsoft 365 accounts using a growing attack method known as OAuth device code phishing.", "modified": "2026-03-14T21:44:34.629000", "created": "2026-03-14T21:44:34.629000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2, "hostname": 11 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "79 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "type": "Domain", "indicator": "astrolinktech.com", "stats": { "malicious": 16, "suspicious": 1, "harmless": 44, "undetected": 30, "total": 91, "verdict": "malicious", "ratio": "16/91" }, "verdict": "malicious", "ratio": "16/91", "registrar": "", "creation_date": 1747267200, "reputation": 0, "tags": [], "categories": {}, "top_detections": [ { "vendor": "ADMINUSLabs", "result": "malicious", "category": "malicious" }, { "vendor": "BitDefender", "result": "phishing", "category": "malicious" }, { "vendor": "CRDF", "result": "malicious", "category": "malicious" }, { "vendor": "Certego", "result": "suspicious", "category": "suspicious" }, { "vendor": "Chong Lua Dao", "result": "malicious", "category": "malicious" }, { "vendor": "CyRadar", "result": "phishing", "category": "malicious" }, { "vendor": "ESET", "result": "phishing", "category": "malicious" }, { "vendor": "Forcepoint ThreatSeeker", "result": "phishing", "category": "malicious" }, { "vendor": "Fortinet", "result": "phishing", "category": "malicious" }, { "vendor": "G-Data", "result": "phishing", "category": "malicious" } ], "last_analysis": 1780055251, "error": null }, "abuseipdb": null, "urlhaus": { "indicator": "astrolinktech.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780358419.16623 }