{
  "type": "Domain",
  "indicator": "betamodetradingview.dev",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/betamodetradingview.dev",
    "alexa": "http://www.alexa.com/siteinfo/betamodetradingview.dev",
    "indicator": "betamodetradingview.dev",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4072965320,
      "indicator": "betamodetradingview.dev",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 8,
      "pulses": [
        {
          "id": "684209ff0c889eabbed70e8b",
          "name": "How Threat Actors Exploit Human Trust: A Breakdown of the 'Prove You Are Human' Malware Scheme",
          "description": "A malicious campaign exploits user trust through deceptive websites, including spoofed Gitcodes and fake Docusign verification pages. Victims are tricked into running malicious PowerShell scripts on their Windows machines, leading to the installation of NetSupport RAT. The multi-stage attack uses clipboard poisoning and fake CAPTCHAs to deliver the malware. The campaign involves multiple domains, uses ROT13 encoding, and creates persistent infections. Similar techniques were observed in other spoofed content, including Okta and popular media apps. The attack capitalizes on user familiarity with common online interactions, emphasizing the need for vigilance and skepticism in online activities.",
          "modified": "2025-07-05T21:03:20.611000",
          "created": "2025-06-05T21:19:59.635000",
          "tags": [
            "netsupport rat",
            "clipboard poisoning",
            "gitcodes",
            "social engineering"
          ],
          "references": [
            "https://dti.domaintools.com/how-threat-actors-exploit-human-trust",
            "https://github.com/DomainTools/SecuritySnacks/blob/main/2025/Prove-You-Are-Human.csv"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "NetSupport RAT",
              "display_name": "NetSupport RAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1102.002",
              "name": "Bidirectional Communication",
              "display_name": "T1102.002 - Bidirectional Communication"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 56,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 3,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 18,
            "domain": 49
          },
          "indicator_count": 73,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 387182,
          "modified_text": "332 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6842a77c3ea4d693b401514a",
          "name": "How Threat Actors Exploit Human Trust: A Breakdown of the 'Prove You Are Human' Malware Scheme",
          "description": "This report details a malicious campaign that uses deceptive websites, including spoofed Gitcodes and fake Docusign verification pages, to trick users into running malicious PowerShell scripts on their Windows machines. Victims are lured into copying and pasting these scripts into their Windows Run prompt, which then download and execute multiple stages of additional scripts, ultimately leading to the installation of the NetSupport RAT (remote access trojan).",
          "modified": "2025-07-06T08:01:54.732000",
          "created": "2025-06-06T08:31:56.660000",
          "tags": [
            "ioc domain",
            "malware hash",
            "ioc ip",
            "malware",
            "ioc type"
          ],
          "references": [
            "https://dti.domaintools.com/how-threat-actors-exploit-human-trust/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 28,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 15,
            "FileHash-SHA1": 15,
            "FileHash-SHA256": 15,
            "domain": 50
          },
          "indicator_count": 95,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "332 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68424677819a88aa8f56d9f3",
          "name": "IOC - How Threat Actors Exploit Human Trust",
          "description": "",
          "modified": "2025-07-05T21:03:20.611000",
          "created": "2025-06-06T01:37:59.581000",
          "tags": [
            "netsupport rat",
            "clipboard poisoning",
            "gitcodes",
            "captcha",
            "social engineering",
            "CAPTCHA"
          ],
          "references": [
            "https://dti.domaintools.com/how-threat-actors-exploit-human-trust",
            "https://github.com/DomainTools/SecuritySnacks/blob/main/2025/Prove-You-Are-Human.csv"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "NetSupport RAT",
              "display_name": "NetSupport RAT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1102.002",
              "name": "Bidirectional Communication",
              "display_name": "T1102.002 - Bidirectional Communication"
            },
            {
              "id": "T1059.003",
              "name": "Windows Command Shell",
              "display_name": "T1059.003 - Windows Command Shell"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "684209ff0c889eabbed70e8b",
          "export_count": 23,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 3,
            "FileHash-SHA1": 3,
            "FileHash-SHA256": 18,
            "domain": 49
          },
          "indicator_count": 73,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 140,
          "modified_text": "332 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6841edc5bd14ff20dc36b897",
          "name": "Malicious Scripts Delivered via Fake Gitcode and Docusign Pages",
          "description": "A new cyber campaign is using fake websites impersonating Gitcode and DocuSign to trick users into running malicious PowerShell scripts, ultimately infecting systems with NetSupport RAT malware. Researchers found that these deceptive sites prompt victims to copy and execute PowerShell commands, which then download additional scripts from external servers.",
          "modified": "2025-07-05T19:02:44.113000",
          "created": "2025-06-05T19:19:33.963000",
          "tags": [
            "ioc domain",
            "malware hash",
            "ioc ip",
            "malware",
            "ioc type"
          ],
          "references": [
            "https://dti.domaintools.com/how-threat-actors-exploit-human-trust/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Superpro",
            "id": "61676",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 15,
            "domain": 50
          },
          "indicator_count": 69,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 214,
          "modified_text": "333 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6841dff7a8343f18920cb8f5",
          "name": "How Threat Actors Exploit Human Trust",
          "description": "A malicious campaign uses deceptive websites, including spoofed Gitcodes and fake Docusign verification pages, to trick users into running malicious PowerShell scripts on their Windows machines.\nhttps://dti.domaintools.com/how-threat-actors-exploit-human-trust/\nhttps://github.com/DomainTools/SecuritySnacks/blob/main/2025/Prove-You-Are-Human.csv",
          "modified": "2025-07-05T18:00:21.599000",
          "created": "2025-06-05T18:20:39.780000",
          "tags": [
            "ioc domain",
            "malware hash",
            "ioc ip",
            "malware",
            "NetSupportRAT",
            "Gitcodes",
            "Docusign",
            "Clipboard Poisoning"
          ],
          "references": [
            "Prove You Are Human.csv"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "NetSupportManager RAT",
              "display_name": "NetSupportManager RAT",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 22,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Techronik",
            "id": "114546",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 15,
            "domain": 50
          },
          "indicator_count": 69,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 82,
          "modified_text": "333 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6841a64b9407cc16e72ebedb",
          "name": "Exploiting Human Trust: Tactics Used by Threat Actors.",
          "description": "A detailed analysis from DomainTools reveals how threat actors manipulate human trust to conduct phishing, social engineering, and credential theft campaigns. The report highlights common tactics, such as impersonation and domain spoofing, along with actionable IOCs and defensive strategies to mitigate these risks.",
          "modified": "2025-07-05T14:03:02.187000",
          "created": "2025-06-05T14:14:34.655000",
          "tags": [
            "ioc domain",
            "malware hash",
            "ioc ip",
            "malware",
            "ioc type"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1056.003",
              "name": "Web Portal Capture",
              "display_name": "T1056.003 - Web Portal Capture"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 15,
            "domain": 50
          },
          "indicator_count": 69,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 544,
          "modified_text": "333 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "684059cb2e895a12159bf66e",
          "name": "How Threat Actors Exploit Human Trust: A Breakdown of the 'Prove You Are Human' Malware Scheme",
          "description": "This report details a malicious campaign that uses deceptive websites, including spoofed Gitcodes and fake Docusign verification pages, to trick users into running malicious PowerShell scripts on their Windows machines. Victims are lured into copying and pasting these scripts into their Windows Run prompt, which then download and execute multiple stages of additional scripts, ultimately leading to the installation of the NetSupport RAT (remote access trojan).",
          "modified": "2025-07-04T14:02:16.965000",
          "created": "2025-06-04T14:35:55.463000",
          "tags": [
            "ioc domain",
            "malware hash",
            "ioc ip",
            "malware",
            "ioc type"
          ],
          "references": [
            "Table 1 IOC,IOC Type 0xpaste[.]com,IOC Domain aitradingview[.]app,IOC Domain aitradingview[.]dev,IOC Domain batalia-dansului[.]xyz,IOC Domain battalia-dansului[.]com,IOC Domain betamodetradingview[.]dev,IOC Domain betatradingview[.]app,IOC Domain betatradingview[.]dev,IOC Domain charts-beta[.]dev,IOC Domain codepaste[.]io,IOC Domain dans-lupta[.]xyz,IOC Domain dev-beta[.]com,IOC Domain devbetabeta[.]dev,IOC Domain devchart[.]ai,IOC Domain developer-ai[.]dev,IOC Domain developerbeta[.]dev,IOC Domain develope"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 15,
            "domain": 50
          },
          "indicator_count": 69,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "334 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "683faa1dd35a0d3e4ad9d227",
          "name": "A New Campaign Distributing NetSupport RAT via Malicious PowerShell Scripts",
          "description": "Hashes (SHA-256) - here is the full list of key information:-1.0xpaste, 1.4m-2.5m.1m, 2.3m",
          "modified": "2025-07-04T02:01:59.787000",
          "created": "2025-06-04T02:06:21.508000",
          "tags": [
            "hashes",
            "sha256"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 15,
            "domain": 54,
            "URL": 3,
            "hostname": 6
          },
          "indicator_count": 82,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 502,
          "modified_text": "334 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://dti.domaintools.com/how-threat-actors-exploit-human-trust",
        "https://dti.domaintools.com/how-threat-actors-exploit-human-trust/",
        "Table 1 IOC,IOC Type 0xpaste[.]com,IOC Domain aitradingview[.]app,IOC Domain aitradingview[.]dev,IOC Domain batalia-dansului[.]xyz,IOC Domain battalia-dansului[.]com,IOC Domain betamodetradingview[.]dev,IOC Domain betatradingview[.]app,IOC Domain betatradingview[.]dev,IOC Domain charts-beta[.]dev,IOC Domain codepaste[.]io,IOC Domain dans-lupta[.]xyz,IOC Domain dev-beta[.]com,IOC Domain devbetabeta[.]dev,IOC Domain devchart[.]ai,IOC Domain developer-ai[.]dev,IOC Domain developerbeta[.]dev,IOC Domain develope",
        "https://github.com/DomainTools/SecuritySnacks/blob/main/2025/Prove-You-Are-Human.csv",
        "Prove You Are Human.csv"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [
            "Netsupport rat"
          ],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Netsupport rat",
            "Netsupportmanager rat"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 8,
  "pulses": [
    {
      "id": "684209ff0c889eabbed70e8b",
      "name": "How Threat Actors Exploit Human Trust: A Breakdown of the 'Prove You Are Human' Malware Scheme",
      "description": "A malicious campaign exploits user trust through deceptive websites, including spoofed Gitcodes and fake Docusign verification pages. Victims are tricked into running malicious PowerShell scripts on their Windows machines, leading to the installation of NetSupport RAT. The multi-stage attack uses clipboard poisoning and fake CAPTCHAs to deliver the malware. The campaign involves multiple domains, uses ROT13 encoding, and creates persistent infections. Similar techniques were observed in other spoofed content, including Okta and popular media apps. The attack capitalizes on user familiarity with common online interactions, emphasizing the need for vigilance and skepticism in online activities.",
      "modified": "2025-07-05T21:03:20.611000",
      "created": "2025-06-05T21:19:59.635000",
      "tags": [
        "netsupport rat",
        "clipboard poisoning",
        "gitcodes",
        "social engineering"
      ],
      "references": [
        "https://dti.domaintools.com/how-threat-actors-exploit-human-trust",
        "https://github.com/DomainTools/SecuritySnacks/blob/main/2025/Prove-You-Are-Human.csv"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "NetSupport RAT",
          "display_name": "NetSupport RAT",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1553.002",
          "name": "Code Signing",
          "display_name": "T1553.002 - Code Signing"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1102.002",
          "name": "Bidirectional Communication",
          "display_name": "T1102.002 - Bidirectional Communication"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 56,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 3,
        "FileHash-SHA1": 3,
        "FileHash-SHA256": 18,
        "domain": 49
      },
      "indicator_count": 73,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 387182,
      "modified_text": "332 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6842a77c3ea4d693b401514a",
      "name": "How Threat Actors Exploit Human Trust: A Breakdown of the 'Prove You Are Human' Malware Scheme",
      "description": "This report details a malicious campaign that uses deceptive websites, including spoofed Gitcodes and fake Docusign verification pages, to trick users into running malicious PowerShell scripts on their Windows machines. Victims are lured into copying and pasting these scripts into their Windows Run prompt, which then download and execute multiple stages of additional scripts, ultimately leading to the installation of the NetSupport RAT (remote access trojan).",
      "modified": "2025-07-06T08:01:54.732000",
      "created": "2025-06-06T08:31:56.660000",
      "tags": [
        "ioc domain",
        "malware hash",
        "ioc ip",
        "malware",
        "ioc type"
      ],
      "references": [
        "https://dti.domaintools.com/how-threat-actors-exploit-human-trust/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 28,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 15,
        "FileHash-SHA1": 15,
        "FileHash-SHA256": 15,
        "domain": 50
      },
      "indicator_count": 95,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 863,
      "modified_text": "332 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68424677819a88aa8f56d9f3",
      "name": "IOC - How Threat Actors Exploit Human Trust",
      "description": "",
      "modified": "2025-07-05T21:03:20.611000",
      "created": "2025-06-06T01:37:59.581000",
      "tags": [
        "netsupport rat",
        "clipboard poisoning",
        "gitcodes",
        "captcha",
        "social engineering",
        "CAPTCHA"
      ],
      "references": [
        "https://dti.domaintools.com/how-threat-actors-exploit-human-trust",
        "https://github.com/DomainTools/SecuritySnacks/blob/main/2025/Prove-You-Are-Human.csv"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "NetSupport RAT",
          "display_name": "NetSupport RAT",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1553.002",
          "name": "Code Signing",
          "display_name": "T1553.002 - Code Signing"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1102.002",
          "name": "Bidirectional Communication",
          "display_name": "T1102.002 - Bidirectional Communication"
        },
        {
          "id": "T1059.003",
          "name": "Windows Command Shell",
          "display_name": "T1059.003 - Windows Command Shell"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "684209ff0c889eabbed70e8b",
      "export_count": 23,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 3,
        "FileHash-SHA1": 3,
        "FileHash-SHA256": 18,
        "domain": 49
      },
      "indicator_count": 73,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 140,
      "modified_text": "332 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6841edc5bd14ff20dc36b897",
      "name": "Malicious Scripts Delivered via Fake Gitcode and Docusign Pages",
      "description": "A new cyber campaign is using fake websites impersonating Gitcode and DocuSign to trick users into running malicious PowerShell scripts, ultimately infecting systems with NetSupport RAT malware. Researchers found that these deceptive sites prompt victims to copy and execute PowerShell commands, which then download additional scripts from external servers.",
      "modified": "2025-07-05T19:02:44.113000",
      "created": "2025-06-05T19:19:33.963000",
      "tags": [
        "ioc domain",
        "malware hash",
        "ioc ip",
        "malware",
        "ioc type"
      ],
      "references": [
        "https://dti.domaintools.com/how-threat-actors-exploit-human-trust/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 19,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Superpro",
        "id": "61676",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 15,
        "domain": 50
      },
      "indicator_count": 69,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 214,
      "modified_text": "333 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6841dff7a8343f18920cb8f5",
      "name": "How Threat Actors Exploit Human Trust",
      "description": "A malicious campaign that uses deceptive websites, including spoofed Gitcodes and fake Docusign verification pages, to trick users into running malicious PowerShell scripts on their Windows machines\nhttps://dti.domaintools.com/how-threat-actors-exploit-human-trust/\nhttps://github.com/DomainTools/SecuritySnacks/blob/main/2025/Prove-You-Are-Human.csv",
      "modified": "2025-07-05T18:00:21.599000",
      "created": "2025-06-05T18:20:39.780000",
      "tags": [
        "ioc domain",
        "malware hash",
        "ioc ip",
        "malware",
        "NetSupportRAT",
        "Gitcodes",
        "Docusign",
        "Clipboard Poisoning"
      ],
      "references": [
        "Prove You Are Human.csv"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "NetSupportManager RAT",
          "display_name": "NetSupportManager RAT",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 22,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Techronik",
        "id": "114546",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 15,
        "domain": 50
      },
      "indicator_count": 69,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 82,
      "modified_text": "333 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6841a64b9407cc16e72ebedb",
      "name": "Exploiting Human Trust: Tactics Used by Threat Actors.",
      "description": "A detailed analysis from DomainTools reveals how threat actors manipulate human trust to conduct phishing, social engineering, and credential theft campaigns. The report highlights common tactics, such as impersonation and domain spoofing, along with actionable IOCs and defensive strategies to mitigate these risks.",
      "modified": "2025-07-05T14:03:02.187000",
      "created": "2025-06-05T14:14:34.655000",
      "tags": [
        "ioc domain",
        "malware hash",
        "ioc ip",
        "malware",
        "ioc type"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1056.003",
          "name": "Web Portal Capture",
          "display_name": "T1056.003 - Web Portal Capture"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 17,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 15,
        "domain": 50
      },
      "indicator_count": 69,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 544,
      "modified_text": "333 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "684059cb2e895a12159bf66e",
      "name": "How Threat Actors Exploit Human Trust: A Breakdown of the 'Prove You Are Human' Malware Scheme",
      "description": "This report details a malicious campaign that uses deceptive websites, including spoofed Gitcodes and fake Docusign verification pages, to trick users into running malicious PowerShell scripts on their Windows machines. Victims are lured into copying and pasting these scripts into their Windows Run prompt, which then download and execute multiple stages of additional scripts, ultimately leading to the installation of the NetSupport RAT (remote access trojan).",
      "modified": "2025-07-04T14:02:16.965000",
      "created": "2025-06-04T14:35:55.463000",
      "tags": [
        "ioc domain",
        "malware hash",
        "ioc ip",
        "malware",
        "ioc type"
      ],
      "references": [
        "Table 1 IOC,IOC Type 0xpaste[.]com,IOC Domain aitradingview[.]app,IOC Domain aitradingview[.]dev,IOC Domain batalia-dansului[.]xyz,IOC Domain battalia-dansului[.]com,IOC Domain betamodetradingview[.]dev,IOC Domain betatradingview[.]app,IOC Domain betatradingview[.]dev,IOC Domain charts-beta[.]dev,IOC Domain codepaste[.]io,IOC Domain dans-lupta[.]xyz,IOC Domain dev-beta[.]com,IOC Domain devbetabeta[.]dev,IOC Domain devchart[.]ai,IOC Domain developer-ai[.]dev,IOC Domain developerbeta[.]dev,IOC Domain develope"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 15,
        "domain": 50
      },
      "indicator_count": 69,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 863,
      "modified_text": "334 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "683faa1dd35a0d3e4ad9d227",
      "name": "A New Campaign Distributing NetSupport RAT via Malicious PowerShell Scripts",
      "description": "Hashes (SHA-256) - here is the full list of key information:-1.0xpaste, 1.4m-2.5m.1m, 2.3m",
      "modified": "2025-07-04T02:01:59.787000",
      "created": "2025-06-04T02:06:21.508000",
      "tags": [
        "hashes",
        "sha256"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 15,
        "domain": 54,
        "URL": 3,
        "hostname": 6
      },
      "indicator_count": 82,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 502,
      "modified_text": "334 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "betamodetradingview.dev",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "betamodetradingview.dev",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780520564.2149222
}