{ "type": "Domain", "indicator": "bctcontractors.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/bctcontractors.com", "alexa": "http://www.alexa.com/siteinfo/bctcontractors.com", "indicator": "bctcontractors.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3133365619, "indicator": "bctcontractors.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "69bbb1e7ff6cad955292ee7f", "name": "EbeeMar2026 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-18T08:06:12.483000", "created": "2026-03-19T08:20:55.172000", "tags": [ "filehashmd5", "filehashsha256", "filehashsha1", "computername", "date", "time", "username", "generatedbotid", "uwhi6jqzqh7", "encoded url" ], "references": [ "IOCs.2026.1.csv" ], "public": 1, "adversary": "Forbidden Hyena, Fake FileZilla site, TAXISPY RAT, InstallFix, Lone wolf, BoryptGrab", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 58, "FileHash-MD5": 262, "FileHash-SHA1": 197, "FileHash-SHA256": 270, "CVE": 6, "domain": 58, "email": 4, "hostname": 52 }, "indicator_count": 907, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69add6d04a7afb93f9bf442f", "name": "BQTLock, Thread-Hijack Phishing, and MFA Bypass Evolution", "description": "In February 2026, the cyber threat landscape experienced significant evolution with the emergence of new ransomware and remote access trojans (RATs), as well as enhanced phishing techniques. Two noteworthy ransomware families, GREENBLOOD and BQTLock, were identified for their destructive capabilities. GREENBLOOD is a Go-based ransomware that quickly encrypts files while employing self-deletion tactics to obscure forensic traces, and it threatens data leaks through a TOR site, amplifying the potential impact on businesses. BQTLock operates stealthily, integrating into trusted Windows processes to delay visible harm, thus complicating early detection. It employs process injection techniques, a User Account Control (UAC) bypass, and autorun persistence to escalate privileges before launching further attacks like credential theft and screen capturing.", "modified": "2026-04-07T20:13:04.622000", "created": "2026-03-08T20:06:40.331000", "tags": [ "february", "bqtlock", "moonrise", "ti lookup", "karsto", "tycoon", "rats", "microsoft azure", "google firebase", "lookup", "virustotal", "sandbox", "team", "ransomware", "contact", "stop", "beyond", "inside" ], "references": [ "https://any.run/cybersecurity-blog/february-26-attacks/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Moonrise", "display_name": "Moonrise", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016.001", "name": "Internet Connection Discovery", "display_name": "T1016.001 - Internet Connection Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [ "Financial", "Healthcare" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "domain": 2 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 544, "modified_text": "55 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "IOCs.2026.1.csv", "https://any.run/cybersecurity-blog/february-26-attacks/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Forbidden Hyena, Fake FileZilla site, TAXISPY RAT, InstallFix, Lone wolf, BoryptGrab" ], "malware_families": [ "Moonrise" ], "industries": [ "Healthcare", "Financial" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "69bbb1e7ff6cad955292ee7f", "name": "EbeeMar2026 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-04-18T08:06:12.483000", "created": "2026-03-19T08:20:55.172000", "tags": [ "filehashmd5", "filehashsha256", "filehashsha1", "computername", "date", "time", "username", "generatedbotid", "uwhi6jqzqh7", "encoded url" ], "references": [ "IOCs.2026.1.csv" ], "public": 1, "adversary": "Forbidden Hyena, Fake FileZilla site, TAXISPY RAT, InstallFix, Lone wolf, BoryptGrab", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 58, "FileHash-MD5": 262, "FileHash-SHA1": 197, "FileHash-SHA256": 270, "CVE": 6, "domain": 58, "email": 4, "hostname": 52 }, "indicator_count": 907, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "44 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69add6d04a7afb93f9bf442f", "name": "BQTLock, Thread-Hijack Phishing, and MFA Bypass Evolution", "description": "In February 2026, the cyber threat landscape experienced significant evolution with the emergence of new ransomware and remote access trojans (RATs), as well as enhanced phishing techniques. Two noteworthy ransomware families, GREENBLOOD and BQTLock, were identified for their destructive capabilities. GREENBLOOD is a Go-based ransomware that quickly encrypts files while employing self-deletion tactics to obscure forensic traces, and it threatens data leaks through a TOR site, amplifying the potential impact on businesses. BQTLock operates stealthily, integrating into trusted Windows processes to delay visible harm, thus complicating early detection. It employs process injection techniques, a User Account Control (UAC) bypass, and autorun persistence to escalate privileges before launching further attacks like credential theft and screen capturing.", "modified": "2026-04-07T20:13:04.622000", "created": "2026-03-08T20:06:40.331000", "tags": [ "february", "bqtlock", "moonrise", "ti lookup", "karsto", "tycoon", "rats", "microsoft azure", "google firebase", "lookup", "virustotal", "sandbox", "team", "ransomware", "contact", "stop", "beyond", "inside" ], "references": [ "https://any.run/cybersecurity-blog/february-26-attacks/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Moonrise", "display_name": "Moonrise", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1016.001", "name": "Internet Connection Discovery", "display_name": "T1016.001 - Internet Connection Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [ "Financial", "Healthcare" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "domain": 2 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 544, "modified_text": "55 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "bctcontractors.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "bctcontractors.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780346676.040116 }