{
  "type": "Domain",
  "indicator": "avcheck.net",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/avcheck.net",
    "alexa": "http://www.alexa.com/siteinfo/avcheck.net",
    "indicator": "avcheck.net",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 1439757,
      "indicator": "avcheck.net",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 17,
      "pulses": [
        {
          "id": "68a6166f6fc208e3c4192cc1",
          "name": "Behind the Curtain: How Lumma Affiliates Operate",
          "description": "This analysis reveals the complex operations of Lumma affiliates within a vast information-stealing ecosystem. Affiliates utilize various tools and services, including proxy networks, VPNs, anti-detect browsers, and crypting services. The investigation uncovered previously undocumented tools and showed that affiliates often run multiple schemes simultaneously, such as rental scams, while also using other infostealers like Vidar, Stealc, and Meduza Stealer. Lumma affiliates are deeply integrated into the cybercriminal ecosystem, leveraging underground forums for resources, marketplaces, and operational support. The analysis highlights the resilience of Lumma's infrastructure and the challenges in disrupting such decentralized cybercriminal networks.",
          "modified": "2025-09-19T18:03:08.015000",
          "created": "2025-08-20T18:39:43.148000",
          "tags": [
            "cybercrime",
            "vpn",
            "underground forums",
            "crypting",
            "infostealer",
            "affiliate",
            "lumma",
            "anti-detect browser",
            "craxsrat",
            "stealc",
            "meduza stealer",
            "vidar",
            "proxy"
          ],
          "references": [
            "https://www.recordedfuture.com/research/media_146663d7945a8f6dd5a6e50a5cdde5655e178e9a3.gif?width=1200&format=pjpg&optimize=medium",
            "https://www.recordedfuture.com/research/behind-the-curtain-how-lumma-affiliates-operate"
          ],
          "public": 1,
          "adversary": "Lumma",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Lumma",
              "display_name": "Lumma",
              "target": null
            },
            {
              "id": "Meduza Stealer",
              "display_name": "Meduza Stealer",
              "target": null
            },
            {
              "id": "Vidar",
              "display_name": "Vidar",
              "target": null
            },
            {
              "id": "CraxsRAT",
              "display_name": "CraxsRAT",
              "target": null
            },
            {
              "id": "Stealc",
              "display_name": "Stealc",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 55,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1,
            "URL": 1,
            "domain": 17,
            "hostname": 1
          },
          "indicator_count": 22,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386584,
          "modified_text": "254 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "651e8e42e47767b4a87002ec",
          "name": "Ave Maria campaign targeting r/cybersecurity users on Reddit.",
          "description": "The author of the blog describes how someone was targeting members of r/cybersecurity on Reddit. The threat actor was using Ave Maria / Warzone RAT.",
          "modified": "2023-11-04T10:03:00.196000",
          "created": "2023-10-05T10:21:53.490000",
          "tags": [
            "dropper",
            "vbscript file",
            "warzone rat",
            "lure",
            "warzone",
            "ave maria"
          ],
          "references": [
            "https://chris.partridge.tech/2023/malware-targeting-cybersecurity-subreddit/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Ave Maria",
              "display_name": "Ave Maria",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 407,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3,
            "domain": 1,
            "email": 1,
            "hostname": 3,
            "FileHash-SHA256": 1
          },
          "indicator_count": 9,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386586,
          "modified_text": "939 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68ac2beb494a6e44c0ef38ba",
          "name": "IOC - Behind the Curtain: How Lumma Affiliates Operate",
          "description": "",
          "modified": "2025-09-19T18:03:08.015000",
          "created": "2025-08-25T09:24:59.455000",
          "tags": [
            "cybercrime",
            "vpn",
            "underground forums",
            "crypting",
            "infostealer",
            "affiliate",
            "lumma",
            "anti-detect browser",
            "craxsrat",
            "stealc",
            "meduza stealer",
            "vidar",
            "proxy"
          ],
          "references": [
            "https://www.recordedfuture.com/research/media_146663d7945a8f6dd5a6e50a5cdde5655e178e9a3.gif?width=1200&format=pjpg&optimize=medium",
            "https://www.recordedfuture.com/research/behind-the-curtain-how-lumma-affiliates-operate"
          ],
          "public": 1,
          "adversary": "Lumma",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Lumma",
              "display_name": "Lumma",
              "target": null
            },
            {
              "id": "Meduza Stealer",
              "display_name": "Meduza Stealer",
              "target": null
            },
            {
              "id": "Vidar",
              "display_name": "Vidar",
              "target": null
            },
            {
              "id": "CraxsRAT",
              "display_name": "CraxsRAT",
              "target": null
            },
            {
              "id": "Stealc",
              "display_name": "Stealc",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "68a6166f6fc208e3c4192cc1",
          "export_count": 22,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1,
            "URL": 1,
            "domain": 17,
            "hostname": 1
          },
          "indicator_count": 22,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 137,
          "modified_text": "254 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68abf057cb0f1886c9ad62a3",
          "name": "Behind the Curtain: How Lumma Affiliates Operate",
          "description": "",
          "modified": "2025-09-19T18:03:08.015000",
          "created": "2025-08-25T05:10:47.218000",
          "tags": [
            "cybercrime",
            "vpn",
            "underground forums",
            "crypting",
            "infostealer",
            "affiliate",
            "lumma",
            "anti-detect browser",
            "craxsrat",
            "stealc",
            "meduza stealer",
            "vidar",
            "proxy"
          ],
          "references": [
            "https://www.recordedfuture.com/research/media_146663d7945a8f6dd5a6e50a5cdde5655e178e9a3.gif?width=1200&format=pjpg&optimize=medium",
            "https://www.recordedfuture.com/research/behind-the-curtain-how-lumma-affiliates-operate"
          ],
          "public": 1,
          "adversary": "Lumma",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Lumma",
              "display_name": "Lumma",
              "target": null
            },
            {
              "id": "Meduza Stealer",
              "display_name": "Meduza Stealer",
              "target": null
            },
            {
              "id": "Vidar",
              "display_name": "Vidar",
              "target": null
            },
            {
              "id": "CraxsRAT",
              "display_name": "CraxsRAT",
              "target": null
            },
            {
              "id": "Stealc",
              "display_name": "Stealc",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "68a6166f6fc208e3c4192cc1",
          "export_count": 24,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1,
            "URL": 1,
            "domain": 17,
            "hostname": 1
          },
          "indicator_count": 22,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 276,
          "modified_text": "254 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68a6c566f37d78a9fabd2fe6",
          "name": "Behind the Curtain: How Lumma Affiliates Operate",
          "description": "",
          "modified": "2025-09-19T18:03:08.015000",
          "created": "2025-08-21T07:06:14.108000",
          "tags": [
            "cybercrime",
            "vpn",
            "underground forums",
            "crypting",
            "infostealer",
            "affiliate",
            "lumma",
            "anti-detect browser",
            "craxsrat",
            "stealc",
            "meduza stealer",
            "vidar",
            "proxy"
          ],
          "references": [
            "https://www.recordedfuture.com/research/media_146663d7945a8f6dd5a6e50a5cdde5655e178e9a3.gif?width=1200&format=pjpg&optimize=medium",
            "https://www.recordedfuture.com/research/behind-the-curtain-how-lumma-affiliates-operate"
          ],
          "public": 1,
          "adversary": "Lumma",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Lumma",
              "display_name": "Lumma",
              "target": null
            },
            {
              "id": "Meduza Stealer",
              "display_name": "Meduza Stealer",
              "target": null
            },
            {
              "id": "Vidar",
              "display_name": "Vidar",
              "target": null
            },
            {
              "id": "CraxsRAT",
              "display_name": "CraxsRAT",
              "target": null
            },
            {
              "id": "Stealc",
              "display_name": "Stealc",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "68a6166f6fc208e3c4192cc1",
          "export_count": 25,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 1,
            "URL": 1,
            "domain": 17,
            "hostname": 1
          },
          "indicator_count": 22,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 276,
          "modified_text": "254 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "683b97237aa4dd70b9da2b12",
          "name": "Twitter Feed - JRoosen - 31-05-2025",
          "description": "",
          "modified": "2025-06-30T23:00:46.773000",
          "created": "2025-05-31T23:56:19.120000",
          "tags": [
            "LummaStealer",
            "RAT",
            "NetSupport",
            "NetSupportRAT"
          ],
          "references": [
            "https://x.com/JRoosen/status/1928612983564894295",
            "https://x.com/JRoosen/status/1928612993438203935",
            "https://x.com/JRoosen/status/1928613005421343180",
            "https://x.com/JRoosen/status/1928613064615612481",
            "https://x.com/JRoosen/status/1928684066359910753"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 20,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 7,
            "URL": 9,
            "FileHash-MD5": 2
          },
          "indicator_count": 18,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1621,
          "modified_text": "335 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "684340ecd7c27d4f1b3e9dbd",
          "name": "Operation Endgame: Disrupting AVCheck Forces Threat Actors to Seek Alternatives.",
          "description": "In a groundbreaking move, Operation Endgame has successfully disrupted AVCheck, a critical tool used by cybercriminals to test malware against antivirus solutions. This coordinated effort has forced threat actors to scramble for alternatives, significantly impacting their operations. Discover how this operation marks a pivotal moment in the fight against cybercrime and what it means for the future of cybersecurity.",
          "modified": "2025-06-07T15:31:44.387000",
          "created": "2025-06-06T19:26:36.707000",
          "tags": [
            "avcheck",
            "kleenscan",
            "threat response",
            "unit",
            "law enforcement",
            "threat actor",
            "distribution",
            "kleenscan user",
            "kleenscan promo",
            "promotionthe"
          ],
          "references": [
            "https://www.esentire.com/blog/operation-endgame-disrupts-avcheck-forces-threat-actors-to-seek-alternatives"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 2,
            "domain": 5,
            "URL": 44,
            "FileHash-SHA256": 20,
            "hostname": 1
          },
          "indicator_count": 72,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 539,
          "modified_text": "358 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "683b97215ccb957e6a826873",
          "name": "Twitter Feed - Cryptolaemus1 - 31-05-2025",
          "description": "",
          "modified": "2025-05-31T23:56:17.447000",
          "created": "2025-05-31T23:56:17.447000",
          "tags": [
            "stealer"
          ],
          "references": [
            "https://x.com/Cryptolaemus1/status/1928606758265577974",
            "https://x.com/Cryptolaemus1/status/1928607610598576575",
            "https://x.com/Cryptolaemus1/status/1928609138117882166",
            "https://x.com/Cryptolaemus1/status/1928609162491027957"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 6,
            "domain": 3,
            "FileHash-MD5": 1
          },
          "indicator_count": 10,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1621,
          "modified_text": "364 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "683a4b29917c4694872987d1",
          "name": "Twitter Feed - Neiki__ - 30-05-2025",
          "description": "",
          "modified": "2025-05-31T00:19:53.679000",
          "created": "2025-05-31T00:19:53.679000",
          "tags": [],
          "references": [
            "https://x.com/Neiki__/status/1928560134235582482"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1,
            "URL": 1
          },
          "indicator_count": 2,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1621,
          "modified_text": "365 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67c08242e066fe62a86e5e24",
          "name": "The-Ultimate-Black-basta-chat-leak",
          "description": "Black Basta ransomware is actively exploiting Veeam Backup & Replication and Atlassian Confluence vulnerabilities for initial access and privilege escalation. Leaked chats reveal a structured attack strategy targeting unpatched enterprise systems. Immediate patching and enhanced monitoring are recommended to mitigate risk.",
          "modified": "2025-03-29T15:03:32.562000",
          "created": "2025-02-27T15:18:26.491000",
          "tags": [
            "commandline",
            "accountname",
            "eventid",
            "newprocessname",
            "timegenerated",
            "veeam",
            "anydesk",
            "powershell",
            "sharename",
            "objectname",
            "lockbit",
            "mimikatz",
            "ransomware",
            "lsass",
            "procdump",
            "helldown",
            "buddy",
            "netscan",
            "blackbasta",
            "download",
            "trigger",
            "realvnc",
            "chat",
            "strings",
            "pikabot",
            "defender",
            "recon",
            "psexec",
            "persistence",
            "metasploit",
            "soar",
            "kill",
            "black basta",
            "atomic red",
            "zimbra",
            "socks proxy",
            "cobalt strike",
            "netcat",
            "execution",
            "team",
            "amadey",
            "shell",
            "formbook",
            "date",
            "look",
            "conti",
            "agenttesla",
            "monitoring",
            "meterpreter",
            "encodedcommand",
            "kali",
            "april",
            "february",
            "august",
            "batloader",
            "defense",
            "target",
            "manipulation",
            "qbot",
            "exploit",
            "speed",
            "null",
            "python",
            "userinit",
            "tools",
            "project",
            "sentinel",
            "black",
            "example"
          ],
          "references": [
            "https://osintteam.blog/the-ultimate-black-basta-chat-leak-part-2-veeam-confluence-8b766c2182ac",
            "https://osintteam.blog/black-basta-playbook-chat-leak-d5036936166d"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1567",
              "name": "Exfiltration Over Web Service",
              "display_name": "T1567 - Exfiltration Over Web Service"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1087",
              "name": "Account Discovery",
              "display_name": "T1087 - Account Discovery"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1136",
              "name": "Create Account",
              "display_name": "T1136 - Create Account"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 36,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CIDR": 1,
            "CVE": 2,
            "FileHash-MD5": 5,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 7,
            "URL": 23,
            "domain": 12,
            "email": 1,
            "hostname": 9
          },
          "indicator_count": 63,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 543,
          "modified_text": "428 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "652fd32f433023b9559be76e",
          "name": "Ave Maria campaign targeting r/cybersecurity users on Reddit.",
          "description": "",
          "modified": "2023-11-04T10:03:00.196000",
          "created": "2023-10-18T12:44:31.713000",
          "tags": [
            "dropper",
            "vbscript file",
            "warzone rat",
            "lure",
            "warzone",
            "ave maria"
          ],
          "references": [
            "https://chris.partridge.tech/2023/malware-targeting-cybersecurity-subreddit/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Ave Maria",
              "display_name": "Ave Maria",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "65232747720d0730f0381ad4",
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3,
            "domain": 1,
            "email": 1,
            "hostname": 3,
            "FileHash-SHA256": 1
          },
          "indicator_count": 9,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 276,
          "modified_text": "939 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65232747720d0730f0381ad4",
          "name": "Ave Maria campaign targeting r/cybersecurity users on Reddit.",
          "description": "",
          "modified": "2023-11-04T10:03:00.196000",
          "created": "2023-10-08T22:03:51.542000",
          "tags": [
            "dropper",
            "vbscript file",
            "warzone rat",
            "lure",
            "warzone",
            "ave maria"
          ],
          "references": [
            "https://chris.partridge.tech/2023/malware-targeting-cybersecurity-subreddit/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Ave Maria",
              "display_name": "Ave Maria",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "651e8e42e47767b4a87002ec",
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "tr2222200",
            "id": "207905",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3,
            "domain": 1,
            "email": 1,
            "hostname": 3,
            "FileHash-SHA256": 1
          },
          "indicator_count": 9,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 186,
          "modified_text": "939 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62793b8ab52e3eac8077af91",
          "name": "Nigerian Tesla Uses Agent Tesla Stealer to Exfiltrate Data via Phishing Emails",
          "description": "Nigerian Tesla is involved in phishing activities\nWhile looking for threats targeting Ukraine, researchers identified a group named 'Nigerian Tesla' that has been dabbling in phishing and other data theft activities for many years. Agent Tesla, a well-known data stealer written in .NET, has been active since 2014 and is one of the most popular payloads observed in malspam campaigns. \n\nAttacker compromises his own device\nIronically, one of the main threat actors seemingly compromised his own device with an Agent Tesla binary. In the last two years, this threat actor was able to collect close to a million credentials from his victims.\n\nSpam campaign\nThe threat actor sent an email in the Russian language titled 'Final payment.msg' to target the victim. It contained a link to a file-sharing site that downloads an archive containing an executable file.",
          "modified": "2022-05-09T16:04:26.036000",
          "created": "2022-05-09T16:04:26.036000",
          "tags": [
            "iocs",
            "nigerian tesla",
            "perfectmoney",
            "glassdoor",
            "warzone rat",
            "netwire rat",
            "vpn provider",
            "code protector",
            "email",
            "Phishing Emails"
          ],
          "references": [
            "https://blog.malwarebytes.com/threat-intelligence/2022/05/nigerian-tesla-419-scammer-gone-malware-distributor-unmasked/"
          ],
          "public": 1,
          "adversary": "Informational",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "SVThreatIntel",
            "id": "148120",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_148120/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 11,
            "email": 19,
            "hostname": 2
          },
          "indicator_count": 32,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 191,
          "modified_text": "1483 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6274148b028d59a40c01bfc4",
          "name": "Nigerian Tesla: 419 scammer gone malware distributor unmasked | Malwarebytes Labs",
          "description": "Malwarebytes is a leading security company in the world of computer security, with its products designed to protect against malware, phishing and other cyber-threats, but which are most popular in Nigeria?",
          "modified": "2022-05-05T18:16:43.871000",
          "created": "2022-05-05T18:16:43.871000",
          "tags": [
            "agent tesla",
            "tesla",
            "esco crypter",
            "test",
            "ip address",
            "nigerian tesla",
            "rita bent",
            "avcheck",
            "ukraine",
            "spam campaign",
            "fast"
          ],
          "references": [
            "https://blog.malwarebytes.com/threat-intelligence/2022/05/nigerian-tesla-419-scammer-gone-malware-distributor-unmasked/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Azerbaijan"
          ],
          "malware_families": [
            {
              "id": "Agent Tesla",
              "display_name": "Agent Tesla",
              "target": null
            },
            {
              "id": "Esco Crypter",
              "display_name": "Esco Crypter",
              "target": null
            },
            {
              "id": "Tesla",
              "display_name": "Tesla",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1021",
              "name": "Remote Services",
              "display_name": "T1021 - Remote Services"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1127",
              "name": "Trusted Developer Utilities Proxy Execution",
              "display_name": "T1127 - Trusted Developer Utilities Proxy Execution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "mohdrennis",
            "id": "138092",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 14,
            "email": 19
          },
          "indicator_count": 33,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 355,
          "modified_text": "1487 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "621d30a8d292f10e1acb422d",
          "name": "Dancho Danchev's Blog - Mind Streams of Information Security Knowledge: Exposing the Conti Ransomware Gang - An OSINT Analysis",
          "description": "The Conti ransomware gang is a gang that uses XMPP and other technologies to evade detection and control, but is also involved in a multi-million dollar cyber-crime operation, reported by the BBC.",
          "modified": "2022-03-30T00:00:10.458000",
          "created": "2022-02-28T20:29:28.053000",
          "tags": [
            "conti",
            "command",
            "control",
            "internet",
            "n868",
            "fthxxp",
            "m12435297",
            "l216",
            "fhhxxp",
            "linkurlhxxp",
            "source"
          ],
          "references": [
            "https://ddanchev.blogspot.com/2022/02/exposing-conti-ransomware-gang-osint_28.html"
          ],
          "public": 1,
          "adversary": "Conti",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "jackl3-3",
            "id": "40027",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1641,
            "FileHash-SHA1": 64,
            "FileHash-SHA256": 259,
            "URL": 3931,
            "domain": 2621,
            "email": 240,
            "hostname": 4681
          },
          "indicator_count": 13437,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 91,
          "modified_text": "1523 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "621d30b3361b0692dae1fe6d",
          "name": "Dancho Danchev's Blog - Mind Streams of Information Security Knowledge: Exposing the Conti Ransomware Gang - An OSINT Analysis",
          "description": "The Conti ransomware gang is a gang that uses XMPP and other technologies to evade detection and control, but is also involved in a multi-million dollar cyber-crime operation, reported by the BBC.",
          "modified": "2022-03-30T00:00:10.458000",
          "created": "2022-02-28T20:29:39.020000",
          "tags": [
            "conti",
            "command",
            "control",
            "internet",
            "n868",
            "fthxxp",
            "m12435297",
            "l216",
            "fhhxxp",
            "linkurlhxxp",
            "source"
          ],
          "references": [
            "https://ddanchev.blogspot.com/2022/02/exposing-conti-ransomware-gang-osint_28.html"
          ],
          "public": 1,
          "adversary": "Conti",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "jackl3-3",
            "id": "40027",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1641,
            "FileHash-SHA1": 64,
            "FileHash-SHA256": 259,
            "URL": 3931,
            "domain": 2621,
            "email": 240,
            "hostname": 4681
          },
          "indicator_count": 13437,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 90,
          "modified_text": "1523 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "621d30a9836c7f1a03586f79",
          "name": "Dancho Danchev's Blog - Mind Streams of Information Security Knowledge: Exposing the Conti Ransomware Gang - An OSINT Analysis",
          "description": "The Conti ransomware gang is a gang that uses XMPP and other technologies to evade detection and control, but is also involved in a multi-million dollar cyber-crime operation, reported by the BBC.",
          "modified": "2022-03-30T00:00:10.458000",
          "created": "2022-02-28T20:29:29.043000",
          "tags": [
            "conti",
            "command",
            "control",
            "internet",
            "n868",
            "fthxxp",
            "m12435297",
            "l216",
            "fhhxxp",
            "linkurlhxxp",
            "source"
          ],
          "references": [
            "https://ddanchev.blogspot.com/2022/02/exposing-conti-ransomware-gang-osint_28.html"
          ],
          "public": 1,
          "adversary": "Conti",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "jackl3-3",
            "id": "40027",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1641,
            "FileHash-SHA1": 64,
            "FileHash-SHA256": 259,
            "URL": 3931,
            "domain": 2621,
            "email": 240,
            "hostname": 4681
          },
          "indicator_count": 13437,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 89,
          "modified_text": "1523 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://blog.malwarebytes.com/threat-intelligence/2022/05/nigerian-tesla-419-scammer-gone-malware-distributor-unmasked/",
        "https://x.com/Cryptolaemus1/status/1928609162491027957",
        "https://osintteam.blog/the-ultimate-black-basta-chat-leak-part-2-veeam-confluence-8b766c2182ac",
        "https://x.com/JRoosen/status/1928613005421343180",
        "https://ddanchev.blogspot.com/2022/02/exposing-conti-ransomware-gang-osint_28.html",
        "https://x.com/JRoosen/status/1928612983564894295",
        "https://www.recordedfuture.com/research/behind-the-curtain-how-lumma-affiliates-operate",
        "https://x.com/JRoosen/status/1928684066359910753",
        "https://osintteam.blog/black-basta-playbook-chat-leak-d5036936166d",
        "https://x.com/Neiki__/status/1928560134235582482",
        "https://x.com/Cryptolaemus1/status/1928606758265577974",
        "https://www.recordedfuture.com/research/media_146663d7945a8f6dd5a6e50a5cdde5655e178e9a3.gif?width=1200&format=pjpg&optimize=medium",
        "https://x.com/Cryptolaemus1/status/1928609138117882166",
        "https://www.esentire.com/blog/operation-endgame-disrupts-avcheck-forces-threat-actors-to-seek-alternatives",
        "https://x.com/JRoosen/status/1928613064615612481",
        "https://x.com/Cryptolaemus1/status/1928607610598576575",
        "https://x.com/JRoosen/status/1928612993438203935",
        "https://chris.partridge.tech/2023/malware-targeting-cybersecurity-subreddit/"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Lumma"
          ],
          "malware_families": [
            "Lumma",
            "Meduza stealer",
            "Vidar",
            "Stealc",
            "Craxsrat",
            "Ave maria"
          ],
          "industries": []
        },
        "other": {
          "adversary": [
            "Informational",
            "Lumma",
            "Conti"
          ],
          "malware_families": [
            "Tesla",
            "Lumma",
            "Agent tesla",
            "Esco crypter",
            "Meduza stealer",
            "Vidar",
            "Stealc",
            "Craxsrat",
            "Ave maria"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 17,
  "pulses": [
    {
      "id": "68a6166f6fc208e3c4192cc1",
      "name": "Behind the Curtain: How Lumma Affiliates Operate",
      "description": "This analysis reveals the complex operations of Lumma affiliates within a vast information-stealing ecosystem. Affiliates utilize various tools and services, including proxy networks, VPNs, anti-detect browsers, and crypting services. The investigation uncovered previously undocumented tools and showed that affiliates often run multiple schemes simultaneously, such as rental scams, while also using other infostealers like Vidar, Stealc, and Meduza Stealer. Lumma affiliates are deeply integrated into the cybercriminal ecosystem, leveraging underground forums for resources, marketplaces, and operational support. The analysis highlights the resilience of Lumma's infrastructure and the challenges in disrupting such decentralized cybercriminal networks.",
      "modified": "2025-09-19T18:03:08.015000",
      "created": "2025-08-20T18:39:43.148000",
      "tags": [
        "cybercrime",
        "vpn",
        "underground forums",
        "crypting",
        "infostealer",
        "affiliate",
        "lumma",
        "anti-detect browser",
        "craxsrat",
        "stealc",
        "meduza stealer",
        "vidar",
        "proxy"
      ],
      "references": [
        "https://www.recordedfuture.com/research/media_146663d7945a8f6dd5a6e50a5cdde5655e178e9a3.gif?width=1200&format=pjpg&optimize=medium",
        "https://www.recordedfuture.com/research/behind-the-curtain-how-lumma-affiliates-operate"
      ],
      "public": 1,
      "adversary": "Lumma",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Lumma",
          "display_name": "Lumma",
          "target": null
        },
        {
          "id": "Meduza Stealer",
          "display_name": "Meduza Stealer",
          "target": null
        },
        {
          "id": "Vidar",
          "display_name": "Vidar",
          "target": null
        },
        {
          "id": "CraxsRAT",
          "display_name": "CraxsRAT",
          "target": null
        },
        {
          "id": "Stealc",
          "display_name": "Stealc",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 55,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1,
        "URL": 1,
        "domain": 17,
        "hostname": 1
      },
      "indicator_count": 22,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386584,
      "modified_text": "254 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "651e8e42e47767b4a87002ec",
      "name": "Ave Maria campaign targeting r/cybersecurity users on Reddit.",
      "description": "The author of the blog describes how someone was targeting members of r/cybersecurity on Reddit. The threat actor was using AVE Maria / Warzone RAT.",
      "modified": "2023-11-04T10:03:00.196000",
      "created": "2023-10-05T10:21:53.490000",
      "tags": [
        "dropper",
        "vbscript file",
        "warzone rat",
        "lure",
        "warzone",
        "ave maria"
      ],
      "references": [
        "https://chris.partridge.tech/2023/malware-targeting-cybersecurity-subreddit/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Ave Maria",
          "display_name": "Ave Maria",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 407,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 3,
        "domain": 1,
        "email": 1,
        "hostname": 3,
        "FileHash-SHA256": 1
      },
      "indicator_count": 9,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386586,
      "modified_text": "939 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68ac2beb494a6e44c0ef38ba",
      "name": "IOC - Behind the Curtain: How Lumma Affiliates Operate",
      "description": "",
      "modified": "2025-09-19T18:03:08.015000",
      "created": "2025-08-25T09:24:59.455000",
      "tags": [
        "cybercrime",
        "vpn",
        "underground forums",
        "crypting",
        "infostealer",
        "affiliate",
        "lumma",
        "anti-detect browser",
        "craxsrat",
        "stealc",
        "meduza stealer",
        "vidar",
        "proxy"
      ],
      "references": [
        "https://www.recordedfuture.com/research/media_146663d7945a8f6dd5a6e50a5cdde5655e178e9a3.gif?width=1200&format=pjpg&optimize=medium",
        "https://www.recordedfuture.com/research/behind-the-curtain-how-lumma-affiliates-operate"
      ],
      "public": 1,
      "adversary": "Lumma",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Lumma",
          "display_name": "Lumma",
          "target": null
        },
        {
          "id": "Meduza Stealer",
          "display_name": "Meduza Stealer",
          "target": null
        },
        {
          "id": "Vidar",
          "display_name": "Vidar",
          "target": null
        },
        {
          "id": "CraxsRAT",
          "display_name": "CraxsRAT",
          "target": null
        },
        {
          "id": "Stealc",
          "display_name": "Stealc",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": "68a6166f6fc208e3c4192cc1",
      "export_count": 22,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1,
        "URL": 1,
        "domain": 17,
        "hostname": 1
      },
      "indicator_count": 22,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 137,
      "modified_text": "254 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68abf057cb0f1886c9ad62a3",
      "name": "Behind the Curtain: How Lumma Affiliates Operate",
      "description": "",
      "modified": "2025-09-19T18:03:08.015000",
      "created": "2025-08-25T05:10:47.218000",
      "tags": [
        "cybercrime",
        "vpn",
        "underground forums",
        "crypting",
        "infostealer",
        "affiliate",
        "lumma",
        "anti-detect browser",
        "craxsrat",
        "stealc",
        "meduza stealer",
        "vidar",
        "proxy"
      ],
      "references": [
        "https://www.recordedfuture.com/research/media_146663d7945a8f6dd5a6e50a5cdde5655e178e9a3.gif?width=1200&format=pjpg&optimize=medium",
        "https://www.recordedfuture.com/research/behind-the-curtain-how-lumma-affiliates-operate"
      ],
      "public": 1,
      "adversary": "Lumma",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Lumma",
          "display_name": "Lumma",
          "target": null
        },
        {
          "id": "Meduza Stealer",
          "display_name": "Meduza Stealer",
          "target": null
        },
        {
          "id": "Vidar",
          "display_name": "Vidar",
          "target": null
        },
        {
          "id": "CraxsRAT",
          "display_name": "CraxsRAT",
          "target": null
        },
        {
          "id": "Stealc",
          "display_name": "Stealc",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": "68a6166f6fc208e3c4192cc1",
      "export_count": 24,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1,
        "URL": 1,
        "domain": 17,
        "hostname": 1
      },
      "indicator_count": 22,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 276,
      "modified_text": "254 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68a6c566f37d78a9fabd2fe6",
      "name": "Behind the Curtain: How Lumma Affiliates Operate",
      "description": "",
      "modified": "2025-09-19T18:03:08.015000",
      "created": "2025-08-21T07:06:14.108000",
      "tags": [
        "cybercrime",
        "vpn",
        "underground forums",
        "crypting",
        "infostealer",
        "affiliate",
        "lumma",
        "anti-detect browser",
        "craxsrat",
        "stealc",
        "meduza stealer",
        "vidar",
        "proxy"
      ],
      "references": [
        "https://www.recordedfuture.com/research/media_146663d7945a8f6dd5a6e50a5cdde5655e178e9a3.gif?width=1200&format=pjpg&optimize=medium",
        "https://www.recordedfuture.com/research/behind-the-curtain-how-lumma-affiliates-operate"
      ],
      "public": 1,
      "adversary": "Lumma",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Lumma",
          "display_name": "Lumma",
          "target": null
        },
        {
          "id": "Meduza Stealer",
          "display_name": "Meduza Stealer",
          "target": null
        },
        {
          "id": "Vidar",
          "display_name": "Vidar",
          "target": null
        },
        {
          "id": "CraxsRAT",
          "display_name": "CraxsRAT",
          "target": null
        },
        {
          "id": "Stealc",
          "display_name": "Stealc",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": "68a6166f6fc208e3c4192cc1",
      "export_count": 25,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 1,
        "URL": 1,
        "domain": 17,
        "hostname": 1
      },
      "indicator_count": 22,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 276,
      "modified_text": "254 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "683b97237aa4dd70b9da2b12",
      "name": "Twitter Feed - JRoosen - 31-05-2025",
      "description": "",
      "modified": "2025-06-30T23:00:46.773000",
      "created": "2025-05-31T23:56:19.120000",
      "tags": [
        "LummaStealer",
        "RAT",
        "NetSupport",
        "NetSupportRAT"
      ],
      "references": [
        "https://x.com/JRoosen/status/1928612983564894295",
        "https://x.com/JRoosen/status/1928612993438203935",
        "https://x.com/JRoosen/status/1928613005421343180",
        "https://x.com/JRoosen/status/1928613064615612481",
        "https://x.com/JRoosen/status/1928684066359910753"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 20,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 7,
        "URL": 9,
        "FileHash-MD5": 2
      },
      "indicator_count": 18,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1621,
      "modified_text": "335 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "684340ecd7c27d4f1b3e9dbd",
      "name": "Operation Endgame: Disrupting AVCheck Forces Threat Actors to Seek Alternatives.",
      "description": "In a groundbreaking move, Operation Endgame has successfully disrupted AVCheck, a critical tool used by cybercriminals to test malware against antivirus solutions. This coordinated effort has forced threat actors to scramble for alternatives, significantly impacting their operations. Discover how this operation marks a pivotal moment in the fight against cybercrime and what it means for the future of cybersecurity.",
      "modified": "2025-06-07T15:31:44.387000",
      "created": "2025-06-06T19:26:36.707000",
      "tags": [
        "avcheck",
        "kleenscan",
        "threat response",
        "unit",
        "law enforcement",
        "threat actor",
        "distribution",
        "kleenscan user",
        "kleenscan promo",
        "promotionthe"
      ],
      "references": [
        "https://www.esentire.com/blog/operation-endgame-disrupts-avcheck-forces-threat-actors-to-seek-alternatives"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 17,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 2,
        "domain": 5,
        "URL": 44,
        "FileHash-SHA256": 20,
        "hostname": 1
      },
      "indicator_count": 72,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 539,
      "modified_text": "358 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "683b97215ccb957e6a826873",
      "name": "Twitter Feed - Cryptolaemus1 - 31-05-2025",
      "description": "",
      "modified": "2025-05-31T23:56:17.447000",
      "created": "2025-05-31T23:56:17.447000",
      "tags": [
        "stealer"
      ],
      "references": [
        "https://x.com/Cryptolaemus1/status/1928606758265577974",
        "https://x.com/Cryptolaemus1/status/1928607610598576575",
        "https://x.com/Cryptolaemus1/status/1928609138117882166",
        "https://x.com/Cryptolaemus1/status/1928609162491027957"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 6,
        "domain": 3,
        "FileHash-MD5": 1
      },
      "indicator_count": 10,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1621,
      "modified_text": "364 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "683a4b29917c4694872987d1",
      "name": "Twitter Feed - Neiki__ - 30-05-2025",
      "description": "",
      "modified": "2025-05-31T00:19:53.679000",
      "created": "2025-05-31T00:19:53.679000",
      "tags": [],
      "references": [
        "https://x.com/Neiki__/status/1928560134235582482"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 1,
        "URL": 1
      },
      "indicator_count": 2,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1621,
      "modified_text": "365 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67c08242e066fe62a86e5e24",
      "name": "The-Ultimate-Black-basta-chat-leak",
      "description": "Black Basta ransomware is actively exploiting Veeam Backup & Replication and Atlassian Confluence vulnerabilities for initial access and privilege escalation. Leaked chats reveal a structured attack strategy targeting unpatched enterprise systems. Immediate patching and enhanced monitoring are recommended to mitigate risk.",
      "modified": "2025-03-29T15:03:32.562000",
      "created": "2025-02-27T15:18:26.491000",
      "tags": [
        "commandline",
        "accountname",
        "eventid",
        "newprocessname",
        "timegenerated",
        "veeam",
        "anydesk",
        "powershell",
        "sharename",
        "objectname",
        "lockbit",
        "mimikatz",
        "ransomware",
        "lsass",
        "procdump",
        "helldown",
        "buddy",
        "netscan",
        "blackbasta",
        "download",
        "trigger",
        "realvnc",
        "chat",
        "strings",
        "pikabot",
        "defender",
        "recon",
        "psexec",
        "persistence",
        "metasploit",
        "soar",
        "kill",
        "black basta",
        "atomic red",
        "zimbra",
        "socks proxy",
        "cobalt strike",
        "netcat",
        "execution",
        "team",
        "amadey",
        "shell",
        "formbook",
        "date",
        "look",
        "conti",
        "agenttesla",
        "monitoring",
        "meterpreter",
        "encodedcommand",
        "kali",
        "april",
        "february",
        "august",
        "batloader",
        "defense",
        "target",
        "manipulation",
        "qbot",
        "exploit",
        "speed",
        "null",
        "python",
        "userinit",
        "tools",
        "project",
        "sentinel",
        "black",
        "example"
      ],
      "references": [
        "https://osintteam.blog/the-ultimate-black-basta-chat-leak-part-2-veeam-confluence-8b766c2182ac",
        "https://osintteam.blog/black-basta-playbook-chat-leak-d5036936166d"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1567",
          "name": "Exfiltration Over Web Service",
          "display_name": "T1567 - Exfiltration Over Web Service"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1021",
          "name": "Remote Services",
          "display_name": "T1021 - Remote Services"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1046",
          "name": "Network Service Scanning",
          "display_name": "T1046 - Network Service Scanning"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1087",
          "name": "Account Discovery",
          "display_name": "T1087 - Account Discovery"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1110",
          "name": "Brute Force",
          "display_name": "T1110 - Brute Force"
        },
        {
          "id": "T1136",
          "name": "Create Account",
          "display_name": "T1136 - Create Account"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 36,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CIDR": 1,
        "CVE": 2,
        "FileHash-MD5": 5,
        "FileHash-SHA1": 3,
        "FileHash-SHA256": 7,
        "URL": 23,
        "domain": 12,
        "email": 1,
        "hostname": 9
      },
      "indicator_count": 63,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 543,
      "modified_text": "428 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "avcheck.net",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "avcheck.net",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780270186.413652
}