{
  "type": "Domain",
  "indicator": "bearhacks.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/bearhacks.com",
    "alexa": "http://www.alexa.com/siteinfo/bearhacks.com",
    "indicator": "bearhacks.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4386728546,
      "indicator": "bearhacks.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 1,
      "pulses": [
        {
          "id": "6a1bcbeec65e351e3598c593",
          "name": "Accessibility Features - CAPE Sandbox",
          "description": "Malicious actors are increasingly weaponizing accessibility features\u2014such as virtual screen readers, braille terminal emulators, and digital mobility assistance interfaces\u2014as high-utility attack vectors. While these frameworks are legally mandated for vulnerable user populations, they inherently require deep operating system permissions, making them primary targets for exploitation. Malicious API Hooking & Keylogging: Attackers leverage UI Automation and Screen Reader APIs to bypass standard process isolation. By mimicking a legitimate vision-assistance tool, malware can intercept keystrokes, harvest active session credentials, and read sensitive on-screen data (vision prescription/medical records) directly from the application layer. Malware can also interpose on the braille or virtual keyboard input pipeline, transparently altering the user's typed characters to change the semantic meaning of outbound communications or commands. research -tbc.",
          "modified": "2026-05-31T06:05:57.335000",
          "created": "2026-05-31T05:49:34.164000",
          "tags": [
            "a domains",
            "date",
            "status",
            "moved",
            "passive dns",
            "creation date",
            "as44273 host",
            "united",
            "as15169 google",
            "gmt content",
            "meta",
            "unknown",
            "title",
            "body",
            "encrypt",
            "serving ip",
            "address",
            "status code",
            "body length",
            "kb body",
            "sha256",
            "sameorigin",
            "xproxycacheinfo",
            "nc000000 up",
            "gmt hostheader",
            "pragma",
            "date mon",
            "gmt setcookie",
            "httponly server",
            "connection",
            "true",
            "health",
            "merits hq",
            "d7282f og",
            "d7282f",
            "ieedge og",
            "value a",
            "cname",
            "b body",
            "server",
            "registrar abuse",
            "iana id",
            "contact phone",
            "dnssec",
            "domain status",
            "registrar url",
            "registrar whois",
            "registrar",
            "pdf document",
            "adobe portable",
            "document format",
            "thumbprint",
            "algorithm",
            "key identifier",
            "v3 serial",
            "number",
            "issuer",
            "cus cnlet",
            "x3 olet",
            "subject public",
            "key info",
            "key algorithm"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1542",
              "name": "Pre-OS Boot",
              "display_name": "T1542 - Pre-OS Boot"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "FileHash-SHA1": 48,
            "IPv4": 32,
            "URL": 75,
            "domain": 20,
            "hostname": 88,
            "FileHash-SHA256": 8,
            "email": 3,
            "Mutex": 1
          },
          "indicator_count": 281,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "1 day ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 1,
  "pulses": [
    {
      "id": "6a1bcbeec65e351e3598c593",
      "name": "Accessibility Features - CAPE Sandbox",
      "description": "Malicious actors are increasingly weaponizing accessibility features\u2014such as virtual screen readers, braille terminal emulators, and digital mobility assistance interfaces\u2014as high-utility attack vectors. While these frameworks are legally mandated for vulnerable user populations, they inherently require deep operating system permissions, making them primary targets for exploitation. Malicious API Hooking & Keylogging: Attackers leverage UI Automation and Screen Reader APIs to bypass standard process isolation. By mimicking a legitimate vision-assistance tool, malware can intercept keystrokes, harvest active session credentials, and read sensitive on-screen data (vision prescription/medical records) directly from the application layer. Malware can also interpose on the braille or virtual keyboard input pipeline, transparently altering the user's typed characters to change the semantic meaning of outbound communications or commands. research -tbc.",
      "modified": "2026-05-31T06:05:57.335000",
      "created": "2026-05-31T05:49:34.164000",
      "tags": [
        "a domains",
        "date",
        "status",
        "moved",
        "passive dns",
        "creation date",
        "as44273 host",
        "united",
        "as15169 google",
        "gmt content",
        "meta",
        "unknown",
        "title",
        "body",
        "encrypt",
        "serving ip",
        "address",
        "status code",
        "body length",
        "kb body",
        "sha256",
        "sameorigin",
        "xproxycacheinfo",
        "nc000000 up",
        "gmt hostheader",
        "pragma",
        "date mon",
        "gmt setcookie",
        "httponly server",
        "connection",
        "true",
        "health",
        "merits hq",
        "d7282f og",
        "d7282f",
        "ieedge og",
        "value a",
        "cname",
        "b body",
        "server",
        "registrar abuse",
        "iana id",
        "contact phone",
        "dnssec",
        "domain status",
        "registrar url",
        "registrar whois",
        "registrar",
        "pdf document",
        "adobe portable",
        "document format",
        "thumbprint",
        "algorithm",
        "key identifier",
        "v3 serial",
        "number",
        "issuer",
        "cus cnlet",
        "x3 olet",
        "subject public",
        "key info",
        "key algorithm"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1542",
          "name": "Pre-OS Boot",
          "display_name": "T1542 - Pre-OS Boot"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "FileHash-SHA1": 48,
        "IPv4": 32,
        "URL": 75,
        "domain": 20,
        "hostname": 88,
        "FileHash-SHA256": 8,
        "email": 3,
        "Mutex": 1
      },
      "indicator_count": 281,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "1 day ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "bearhacks.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "bearhacks.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780319216.1593618
}