{ "type": "Domain", "indicator": "attachment.click", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/attachment.click", "alexa": "http://www.alexa.com/siteinfo/attachment.click", "indicator": "attachment.click", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3982269793, "indicator": "attachment.click", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "66ffdba22731ec82e7316d62", "name": "Cloudflare Threat Intelligence Research - Unraveling SloppyLemming\u2019s operations across South Asia", "description": "Cloudforce One has published the results of an investigation into SloppyLemming, an advanced cyber-espionage actor that targets South Asia and is believed to be targeting government and other institutions.", "modified": "2024-11-03T12:04:39.077000", "created": "2024-10-04T12:12:18.699000", "tags": [ "cloudforce", "cloudforce one", "pakistan", "sloppylemming", "discord", "winrar", "internet", "sri lanka", "bangladesh", "cloudflare", "cobalt strike", "havoc", "indonesia", "mission", "zimbra", "ukraine", "powershell", "cookbox" ], "references": [ "https://www.cloudflare.com/threat-intelligence/research/report/unraveling-sloppylemmings-operations-across-south-asia/" ], "public": 1, "adversary": "", "targeted_countries": [ "Pakistan", "Sri Lanka", "Bangladesh", "China", "Ukraine", "Indonesia", "Nepal" ], "malware_families": [ { "id": "COOKBOX", "display_name": "COOKBOX", "target": null } ], "attack_ids": [ { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [ "Government", "Energy", "Telecommunications", "Technology", "Military" ], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "jacksparrow", "id": "142887", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "URL": 2, "domain": 25, "hostname": 41 }, "indicator_count": 69, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "575 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f49586a28b75abe2652bb2", "name": "The Cloudflare Blog", "description": "Cloud service provider Cloudflare has revealed details of an advanced cyber-espionage campaign targeting South and East Asian countries in the early 2020s and early 21st Century, as part of its research into the threat.", "modified": "2024-10-25T22:05:50.417000", "created": "2024-09-25T22:58:14.597000", "tags": [ "cloudforce", "cloudflare", "sloppylemming", "cloudforce one", "pakistan", "discord", "sha256 hash", "dropbox", "winrar", "internet", "path", "contact", "life", "click", "cobalt strike", "havoc", "indonesia", "police", "next", "mission", "zimbra", "download", "code", "malware", "ukraine", "body", "powershell", "suspicious", "cookbox" ], "references": [ "https://blog.cloudflare.com/unraveling-sloppylemming-operations/" ], "public": 1, "adversary": "", "targeted_countries": [ "Pakistan", "Sri Lanka", "Bangladesh", "China", "Indonesia", "Nepal", "Ukraine" ], "malware_families": [ { "id": "COOKBOX", "display_name": "COOKBOX", "target": null } ], "attack_ids": [ { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [ "Government", "Energy", "Telecommunications", "Technology", "Military" ], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ChrisTan0", "id": "262536", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 11, "URL": 2, "domain": 25, "hostname": 43 }, "indicator_count": 88, "is_author": false, "is_subscribing": null, "subscriber_count": 45, "modified_text": "584 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.cloudflare.com/threat-intelligence/research/report/unraveling-sloppylemmings-operations-across-south-asia/", "https://blog.cloudflare.com/unraveling-sloppylemming-operations/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Cookbox" ], "industries": [ "Telecommunications", "Military", "Technology", "Energy", "Government" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "66ffdba22731ec82e7316d62", "name": "Cloudflare Threat Intelligence Research - Unraveling SloppyLemming\u2019s operations across South Asia", "description": "Cloudforce One has published the results of an investigation into SloppyLemming, an advanced cyber-espionage actor that targets South Asia and is believed to be targeting government and other institutions.", "modified": "2024-11-03T12:04:39.077000", "created": "2024-10-04T12:12:18.699000", "tags": [ "cloudforce", "cloudforce one", "pakistan", "sloppylemming", "discord", "winrar", "internet", "sri lanka", "bangladesh", "cloudflare", "cobalt strike", "havoc", "indonesia", "mission", "zimbra", "ukraine", "powershell", "cookbox" ], "references": [ "https://www.cloudflare.com/threat-intelligence/research/report/unraveling-sloppylemmings-operations-across-south-asia/" ], "public": 1, "adversary": "", "targeted_countries": [ "Pakistan", "Sri Lanka", "Bangladesh", "China", "Ukraine", "Indonesia", "Nepal" ], "malware_families": [ { "id": "COOKBOX", "display_name": "COOKBOX", "target": null } ], "attack_ids": [ { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [ "Government", "Energy", "Telecommunications", "Technology", "Military" ], "TLP": "white", "cloned_from": null, "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "jacksparrow", "id": "142887", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "URL": 2, "domain": 25, "hostname": 41 }, "indicator_count": 69, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "575 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66f49586a28b75abe2652bb2", "name": "The Cloudflare Blog", "description": "Cloud service provider Cloudflare has revealed details of an advanced cyber-espionage campaign targeting South and East Asian countries in the early 2020s and early 21st Century, as part of its research into the threat.", "modified": "2024-10-25T22:05:50.417000", "created": "2024-09-25T22:58:14.597000", "tags": [ "cloudforce", "cloudflare", "sloppylemming", "cloudforce one", "pakistan", "discord", "sha256 hash", "dropbox", "winrar", "internet", "path", "contact", "life", "click", "cobalt strike", "havoc", "indonesia", "police", "next", "mission", "zimbra", "download", "code", "malware", "ukraine", "body", "powershell", "suspicious", "cookbox" ], "references": [ "https://blog.cloudflare.com/unraveling-sloppylemming-operations/" ], "public": 1, "adversary": "", "targeted_countries": [ "Pakistan", "Sri Lanka", "Bangladesh", "China", "Indonesia", "Nepal", "Ukraine" ], "malware_families": [ { "id": "COOKBOX", "display_name": "COOKBOX", "target": null } ], "attack_ids": [ { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" } ], "industries": [ "Government", "Energy", "Telecommunications", "Technology", "Military" ], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ChrisTan0", "id": "262536", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 3, "FileHash-SHA1": 3, "FileHash-SHA256": 11, "URL": 2, "domain": 25, "hostname": 43 }, "indicator_count": 88, "is_author": false, "is_subscribing": null, "subscriber_count": 45, "modified_text": "584 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "attachment.click", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "attachment.click", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780399732.032796 }