{ "type": "Domain", "indicator": "backblazeb2.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/backblazeb2.com", "alexa": "http://www.alexa.com/siteinfo/backblazeb2.com", "indicator": "backblazeb2.com", "type": "domain", "type_title": "Domain", "validation": [ { "source": "majestic", "message": "Whitelisted domain backblazeb2.com", "name": "Whitelisted domain" }, { "source": "whitelist", "message": "Whitelisted domain backblazeb2.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 2863091619, "indicator": "backblazeb2.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "6a10e8d0c46d08b820206d6c", "name": "Emotet - dating back to before 2019. CAPE Sandbox", "description": "[ Cuckoo is a computer program that runs on an operating system (KVM) and can be run on a desktop or a mobile device (also known as a virtual assistant)]", "modified": "2026-05-23T05:14:22.248000", "created": "2026-05-22T23:37:52.466000", "tags": [ "default", "jjjj", "settingswpad", "dos mode", "payload", "file type", "file size", "mwdb", "bazaar", "sha3384", "emotet", "shutdown", "back" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/008a6413800ef811244f0807e0943df22ba724ed674c03bfc5b57d820c27a632_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779493221&Signature=K7tHlM4p%2FfG1TSV%2FfZASKdmBWp3Se3XBQN%2Fa14YDnlL0ZljOfWTPQ9t%2Bd2aP5K7YN8vKmT4RJJhl7HH4LqZQMp8GIbPe5r%2BM2C1L86LMrE41%2BkG%2Ff1kcZsSCFPfosyqdsDy8WxtnzsLYBOZXWqnqwDaIMQTY03ypckO20Z4rHEcTZV6YKBDggWJQaRNhggjm6jAVXSTzJY9dX0l5Ihm4Qn%2F1hmi80T4VkqsWvPH%2B5dGv" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 69, "FileHash-SHA1": 36, "FileHash-SHA256": 1530, "IPv4": 8385, "domain": 631, "URL": 160, "hostname": 6900, "CIDR": 7 }, "indicator_count": 17718, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "10 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bd08a498fbf3dfae304d0a", "name": "When Reality Diverges from the Playbook: Darktrace Identifies Encryption in a World Leaks Ransomware Attack", "description": "The article discusses the emergence and operations of the World Leaks ransomware group, a rebranding of the former Hunters International group, which shifted to an Extortion-as-a-Service (EaaS) model, emphasizing data theft and extortion rather than traditional ransomware encryption. This transition signifies a broader trend among cybercriminals where data theft has become more crucial than the encryption used in ransomware attacks, facilitating a stealthier operational approach that targets organizational reputations and pressures victims without the complexities of encryption.", "modified": "2026-04-19T08:05:27.295000", "created": "2026-03-20T08:43:16.389000", "tags": [ "world leaks", "darktrace", "ip address", "connection", "activity", "unusual", "control", "mega", "january", "file", "ransomware", "internal", "psexec", "suspicious", "desktop", "rats", "capture", "possible", "ransom", "persistence", "tools", "direct", "execution", "service", "threat", "nathaniel bill", "base64", "perfctl", "netsupport" ], "references": [ "https://www.darktrace.com/blog/when-reality-diverges-from-the-playbook-darktrace-identifies-encryption-in-a-world-leaks-ransomware-attack" ], "public": 1, "adversary": "Unc6148", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1590.005", "name": "IP Addresses", "display_name": "T1590.005 - IP Addresses" }, { "id": "T1592.004", "name": "Client Configurations", "display_name": "T1592.004 - Client Configurations" }, { "id": "T1595.001", "name": "Scanning IP Blocks", "display_name": "T1595.001 - Scanning IP Blocks" }, { "id": "T1595.002", "name": "Vulnerability Scanning", "display_name": "T1595.002 - Vulnerability Scanning" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1110.001", "name": "Password Guessing", "display_name": "T1110.001 - Password Guessing" }, { "id": "T1006", "name": "Direct Volume Access", "display_name": "T1006 - Direct Volume Access" }, { "id": "T1564.005", "name": "Hidden File System", "display_name": "T1564.005 - Hidden File System" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1039", "name": "Data from Network Shared Drive", "display_name": "T1039 - Data from Network Shared Drive" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" } ], "industries": [ "Manufacturing", "Entertainment", "Healthcare" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-SHA256": 1, "domain": 1, "hostname": 3 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 546, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.darktrace.com/blog/when-reality-diverges-from-the-playbook-darktrace-identifies-encryption-in-a-world-leaks-ransomware-attack", "https://vtbehaviour.commondatastorage.googleapis.com/008a6413800ef811244f0807e0943df22ba724ed674c03bfc5b57d820c27a632_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779493221&Signature=K7tHlM4p%2FfG1TSV%2FfZASKdmBWp3Se3XBQN%2Fa14YDnlL0ZljOfWTPQ9t%2Bd2aP5K7YN8vKmT4RJJhl7HH4LqZQMp8GIbPe5r%2BM2C1L86LMrE41%2BkG%2Ff1kcZsSCFPfosyqdsDy8WxtnzsLYBOZXWqnqwDaIMQTY03ypckO20Z4rHEcTZV6YKBDggWJQaRNhggjm6jAVXSTzJY9dX0l5Ihm4Qn%2F1hmi80T4VkqsWvPH%2B5dGv" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Unc6148" ], "malware_families": [], "industries": [ "Entertainment", "Manufacturing", "Healthcare" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "6a10e8d0c46d08b820206d6c", "name": "Emotet - dating back to before 2019. CAPE Sandbox", "description": "[ Cuckoo is a computer program that runs on an operating system (KVM) and can be run on a desktop or a mobile device (also known as a virtual assistant)]", "modified": "2026-05-23T05:14:22.248000", "created": "2026-05-22T23:37:52.466000", "tags": [ "default", "jjjj", "settingswpad", "dos mode", "payload", "file type", "file size", "mwdb", "bazaar", "sha3384", "emotet", "shutdown", "back" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/008a6413800ef811244f0807e0943df22ba724ed674c03bfc5b57d820c27a632_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779493221&Signature=K7tHlM4p%2FfG1TSV%2FfZASKdmBWp3Se3XBQN%2Fa14YDnlL0ZljOfWTPQ9t%2Bd2aP5K7YN8vKmT4RJJhl7HH4LqZQMp8GIbPe5r%2BM2C1L86LMrE41%2BkG%2Ff1kcZsSCFPfosyqdsDy8WxtnzsLYBOZXWqnqwDaIMQTY03ypckO20Z4rHEcTZV6YKBDggWJQaRNhggjm6jAVXSTzJY9dX0l5Ihm4Qn%2F1hmi80T4VkqsWvPH%2B5dGv" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 69, "FileHash-SHA1": 36, "FileHash-SHA256": 1530, "IPv4": 8385, "domain": 631, "URL": 160, "hostname": 6900, "CIDR": 7 }, "indicator_count": 17718, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "10 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69bd08a498fbf3dfae304d0a", "name": "When Reality Diverges from the Playbook: Darktrace Identifies Encryption in a World Leaks Ransomware Attack", "description": "The article discusses the emergence and operations of the World Leaks ransomware group, a rebranding of the former Hunters International group, which shifted to an Extortion-as-a-Service (EaaS) model, emphasizing data theft and extortion rather than traditional ransomware encryption. This transition signifies a broader trend among cybercriminals where data theft has become more crucial than the encryption used in ransomware attacks, facilitating a stealthier operational approach that targets organizational reputations and pressures victims without the complexities of encryption.", "modified": "2026-04-19T08:05:27.295000", "created": "2026-03-20T08:43:16.389000", "tags": [ "world leaks", "darktrace", "ip address", "connection", "activity", "unusual", "control", "mega", "january", "file", "ransomware", "internal", "psexec", "suspicious", "desktop", "rats", "capture", "possible", "ransom", "persistence", "tools", "direct", "execution", "service", "threat", "nathaniel bill", "base64", "perfctl", "netsupport" ], "references": [ "https://www.darktrace.com/blog/when-reality-diverges-from-the-playbook-darktrace-identifies-encryption-in-a-world-leaks-ransomware-attack" ], "public": 1, "adversary": "Unc6148", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1588.001", "name": "Malware", "display_name": "T1588.001 - Malware" }, { "id": "T1590.005", "name": "IP Addresses", "display_name": "T1590.005 - IP Addresses" }, { "id": "T1592.004", "name": "Client Configurations", "display_name": "T1592.004 - Client Configurations" }, { "id": "T1595.001", "name": "Scanning IP Blocks", "display_name": "T1595.001 - Scanning IP Blocks" }, { "id": "T1595.002", "name": "Vulnerability Scanning", "display_name": "T1595.002 - Vulnerability Scanning" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1110.001", "name": "Password Guessing", "display_name": "T1110.001 - Password Guessing" }, { "id": "T1006", "name": "Direct Volume Access", "display_name": "T1006 - Direct Volume Access" }, { "id": "T1564.005", "name": "Hidden File System", "display_name": "T1564.005 - Hidden File System" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1569.002", "name": "Service Execution", "display_name": "T1569.002 - Service Execution" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1021.002", "name": "SMB/Windows Admin Shares", "display_name": "T1021.002 - SMB/Windows Admin Shares" }, { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1570", "name": "Lateral Tool Transfer", "display_name": "T1570 - Lateral Tool Transfer" }, { "id": "T1039", "name": "Data from Network Shared Drive", "display_name": "T1039 - Data from Network Shared Drive" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" } ], "industries": [ "Manufacturing", "Entertainment", "Healthcare" ], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-SHA256": 1, "domain": 1, "hostname": 3 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 546, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "backblazeb2.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "backblazeb2.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780441425.525124 }