{
  "type": "Domain",
  "indicator": "biggerfun.org",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/biggerfun.org",
    "alexa": "http://www.alexa.com/siteinfo/biggerfun.org",
    "indicator": "biggerfun.org",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3811182632,
      "indicator": "biggerfun.org",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 11,
      "pulses": [
        {
          "id": "6895aceaf8d4d7295fce7c8c",
          "name": "Unmasking SocGholish: Untangling the Malware Web Behind the 'Pioneer of Fake Updates' and Its Operator",
          "description": "SocGholish, operated by TA569, functions as a Malware-as-a-Service vendor, employing deceptive 'fake browser update' lures to compromise systems. It leverages Traffic Distribution Systems like Parrot TDS and Keitaro TDS to filter and redirect victims. TA569 acts as an Initial Access Broker, enabling other cybercriminal groups to conduct follow-on attacks, including ransomware deployments. SocGholish utilizes domain shadowing and frequent domain rotation to evade detection. The malware's infection chain involves multiple stages, from compromised websites to on-device payload delivery. Notable customers include Evil Corp and MintsLoader operators. SocGholish's sophisticated filtering mechanisms and tracking techniques ensure only high-value targets receive the final payload.",
          "modified": "2025-08-08T08:19:18.280000",
          "created": "2025-08-08T07:53:14.905000",
          "tags": [
            "wastedlocker",
            "socgholish",
            "netsupportrat",
            "malware-as-a-service",
            "fake updates",
            "traffic distribution system",
            "domain shadowing",
            "hades",
            "mintsloader",
            "raspberry robin",
            "lockbit",
            "ransomware",
            "dridex",
            "initial access broker"
          ],
          "references": [
            "https://www.silentpush.com/blog/socgholish/"
          ],
          "public": 1,
          "adversary": "GOLD PRELUDE",
          "targeted_countries": [
            "United States of America",
            "Canada",
            "Russian Federation"
          ],
          "malware_families": [
            {
              "id": "SocGholish",
              "display_name": "SocGholish",
              "target": null
            },
            {
              "id": "Raspberry Robin",
              "display_name": "Raspberry Robin",
              "target": null
            },
            {
              "id": "LockBit",
              "display_name": "LockBit",
              "target": null
            },
            {
              "id": "WastedLocker - S0612",
              "display_name": "WastedLocker - S0612",
              "target": null
            },
            {
              "id": "NetSupportRAT",
              "display_name": "NetSupportRAT",
              "target": null
            },
            {
              "id": "Hades",
              "display_name": "Hades",
              "target": null
            },
            {
              "id": "Dridex - S0384",
              "display_name": "Dridex - S0384",
              "target": null
            },
            {
              "id": "Bugat v5",
              "display_name": "Bugat v5",
              "target": null
            },
            {
              "id": "MintsLoader",
              "display_name": "MintsLoader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1550",
              "name": "Use Alternate Authentication Material",
              "display_name": "T1550 - Use Alternate Authentication Material"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            }
          ],
          "industries": [
            "Finance",
            "Government",
            "Healthcare",
            "Energy",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 65,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3,
            "domain": 18,
            "hostname": 12
          },
          "indicator_count": 33,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386757,
          "modified_text": "297 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "670f879377f69603fe32d425",
          "name": "A Website Attacked",
          "description": "This report investigates a watering hole attack on a U.S. apartment website that delivered malware by spoofing a fake browser update. The investigation uncovered dozens of other compromised websites from various industries like healthcare, retail, and consumer sites. The compromised sites loaded malicious scripts from external domains, using techniques like iframes, random variable strings, and insertBefore methods. The malware spoofed Chrome, Mozilla, and Edge browser updates to deliver NetSupport malware. Domain registration analysis revealed the actor utilized various registrars, ISPs, and nameservers, prioritizing volume and speed over operational security. The activity shares similarities with the Socgholish threat group.",
          "modified": "2024-11-15T09:03:06.312000",
          "created": "2024-10-16T09:29:55.871000",
          "tags": [
            "spoofing",
            "browser updates",
            "netsupport",
            "compromised websites",
            "malware",
            "watering hole"
          ],
          "references": [
            "https://www.domaintools.com/resources/blog/a-website-attacked/"
          ],
          "public": 1,
          "adversary": "Socgholish",
          "targeted_countries": [
            "United States of America",
            "Thailand",
            "Japan"
          ],
          "malware_families": [
            {
              "id": "NetSupport",
              "display_name": "NetSupport",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1557",
              "name": "Man-in-the-Middle",
              "display_name": "T1557 - Man-in-the-Middle"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            }
          ],
          "industries": [
            "Aerospace",
            "Healthcare",
            "Retail",
            "Hospitality",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 76,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1,
            "FileHash-SHA1": 1,
            "FileHash-SHA256": 3,
            "URL": 30,
            "domain": 33,
            "hostname": 1
          },
          "indicator_count": 69,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386756,
          "modified_text": "563 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6783308fc0b6e2bd8dfb209c",
          "name": "TTC-CERT_blocklist_recommended",
          "description": "",
          "modified": "2026-02-14T00:03:07.406000",
          "created": "2025-01-12T03:01:35.075000",
          "tags": [],
          "references": [
            "https://github.com/ttc-cert/TTC-CERT_blocklist_recommended/blob/master/domain_blocklist_recommended.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 606,
            "URL": 4,
            "domain": 25122,
            "hostname": 25306
          },
          "indicator_count": 51038,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 187,
          "modified_text": "107 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "689acf7b65de644b57cec5ca",
          "name": "Unmasking SocGholish: Untangling the Malware Web Behind the 'Pioneer of Fake Updates' and Its Operator",
          "description": "",
          "modified": "2025-08-12T05:22:03.648000",
          "created": "2025-08-12T05:22:03.648000",
          "tags": [
            "wastedlocker",
            "socgholish",
            "netsupportrat",
            "malware-as-a-service",
            "fake updates",
            "traffic distribution system",
            "domain shadowing",
            "hades",
            "mintsloader",
            "raspberry robin",
            "lockbit",
            "ransomware",
            "dridex",
            "initial access broker"
          ],
          "references": [
            "https://www.silentpush.com/blog/socgholish/"
          ],
          "public": 1,
          "adversary": "TA569",
          "targeted_countries": [
            "United States of America",
            "Canada",
            "Russian Federation"
          ],
          "malware_families": [
            {
              "id": "SocGholish",
              "display_name": "SocGholish",
              "target": null
            },
            {
              "id": "Raspberry Robin",
              "display_name": "Raspberry Robin",
              "target": null
            },
            {
              "id": "LockBit",
              "display_name": "LockBit",
              "target": null
            },
            {
              "id": "WastedLocker - S0612",
              "display_name": "WastedLocker - S0612",
              "target": null
            },
            {
              "id": "NetSupportRAT",
              "display_name": "NetSupportRAT",
              "target": null
            },
            {
              "id": "Hades",
              "display_name": "Hades",
              "target": null
            },
            {
              "id": "Dridex - S0384",
              "display_name": "Dridex - S0384",
              "target": null
            },
            {
              "id": "Bugat v5",
              "display_name": "Bugat v5",
              "target": null
            },
            {
              "id": "MintsLoader",
              "display_name": "MintsLoader",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1550",
              "name": "Use Alternate Authentication Material",
              "display_name": "T1550 - Use Alternate Authentication Material"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1078",
              "name": "Valid Accounts",
              "display_name": "T1078 - Valid Accounts"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            }
          ],
          "industries": [
            "Finance",
            "Government",
            "Healthcare",
            "Energy",
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": "6895aceaf8d4d7295fce7c8c",
          "export_count": 40,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3,
            "domain": 18,
            "hostname": 12
          },
          "indicator_count": 33,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 277,
          "modified_text": "293 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "689901bb2323b0727bc2539f",
          "name": "SocGholish Malware Exploits TDS Networks to Target Victims",
          "description": "Cybercriminals behind SocGholish malware are using Traffic Distribution Systems (TDS) like Parrot TDS and Keitaro TDS to filter and redirect victims to malicious sites.",
          "modified": "2025-08-10T20:31:55.193000",
          "created": "2025-08-10T20:31:55.193000",
          "tags": [
            "socgholish",
            "ta569",
            "raspberry robin",
            "keitaro tds",
            "silent push",
            "parrot tds",
            "ta2726",
            "evil corp",
            "russia",
            "dev0243",
            "dridex",
            "mintsloader",
            "push",
            "keitaro",
            "lockbit",
            "attack",
            "first",
            "pioneer",
            "rats",
            "inject",
            "wastedlocker",
            "hades",
            "fakeupdates",
            "malware",
            "fakeupdate",
            "android",
            "trojan",
            "august",
            "agent",
            "installer",
            "worm",
            "thus"
          ],
          "references": [
            "https://www.silentpush.com/blog/socgholish/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 29,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CODERED_VTA",
            "id": "349568",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3,
            "domain": 19,
            "hostname": 14
          },
          "indicator_count": 36,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 58,
          "modified_text": "295 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6895e01b6aa8015c20031989",
          "name": "Unmasking SocGholish: Silent Push Untangles the Malware Web Behind the \u201cPioneer of Fake Updates\u201d and Its Operator, TA569 - Silent Push",
          "description": "",
          "modified": "2025-08-08T11:31:39.962000",
          "created": "2025-08-08T11:31:39.962000",
          "tags": [
            "socgholish",
            "ta569",
            "raspberry robin",
            "keitaro tds",
            "silent push",
            "parrot tds",
            "ta2726",
            "evil corp",
            "russia",
            "dev0243",
            "dridex",
            "mintsloader",
            "push",
            "keitaro",
            "lockbit",
            "attack",
            "first",
            "pioneer",
            "rats",
            "inject",
            "wastedlocker",
            "hades",
            "fakeupdates",
            "malware",
            "fakeupdate",
            "android",
            "trojan",
            "august",
            "agent",
            "installer",
            "worm",
            "thus"
          ],
          "references": [
            "https://www.silentpush.com/blog/socgholish/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 33,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3,
            "domain": 19,
            "hostname": 14
          },
          "indicator_count": 36,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 863,
          "modified_text": "297 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66a2b971cad0f744c2793342",
          "name": "ACTIVIDAD MALICIOSA | Relacionada con SocGholish 25-07-2024",
          "description": "SocGholish, tambi\u00e9n conocido como FakeUpdates, es un tipo de malware empleado por grupos de ciberdelincuentes desde 2017, atacando principalmente sitios web basados en WordPress. Este malware se propaga mediante descargas autom\u00e1ticas disfrazadas como actualizaciones de navegador falsas, resultando en la instalaci\u00f3n de software malicioso en los dispositivos de los usuarios sin su conocimiento. Esto permite la ejecuci\u00f3n de c\u00f3digo malicioso, el robo de datos y la implementaci\u00f3n de ransomware. SocGholish utiliza t\u00e9cnicas avanzadas para evadir la detecci\u00f3n, como la inyecci\u00f3n de c\u00f3digo JavaScript y la ofuscaci\u00f3n, lo que dificulta su identificaci\u00f3n y eliminaci\u00f3n.",
          "modified": "2024-08-24T20:03:49.146000",
          "created": "2024-07-25T20:45:37.329000",
          "tags": [
            "ta0001",
            "ta0002",
            "ta0005",
            "ta0011",
            "command",
            "control",
            "ta0042",
            "development",
            "t1189",
            "t1027"
          ],
          "references": [
            "https://www.virustotal.com/graph/embed/gbe69d08cc77f41ba8ece59fff453ab7cb42cfb4819ce477c957caa6901893c17?theme=light",
            "https://www.gdatasoftware.com/blog/2024/07/37976-socgholish-fake-update",
            "https://www.alertasyseguridad.net/repositorio-ioc/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "SocGholish - S1124",
              "display_name": "SocGholish - S1124",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 15,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "esoporteingenieria2020",
            "id": "121604",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 10,
            "URL": 1,
            "domain": 11,
            "hostname": 7
          },
          "indicator_count": 33,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 267,
          "modified_text": "646 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65fe20d1635c58fd2be328bc",
          "name": "FAKEUPDATES by ThreatFox",
          "description": "",
          "modified": "2024-05-12T20:27:02.873000",
          "created": "2024-03-23T00:22:41.667000",
          "tags": [
            "virustotal"
          ],
          "references": [
            "https://www.virustotal.com/gui/collection/threatfox_js_fakeupdates",
            "https://twitter.com/500mk500/status/1771235578274607201"
          ],
          "public": 1,
          "adversary": "TA569",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "skocherhan",
            "id": "249290",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 1001,
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 5,
            "domain": 426,
            "hostname": 272
          },
          "indicator_count": 1708,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 186,
          "modified_text": "750 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65e3d36fadbe23f8ca2de018",
          "name": "Keitaro TDS WordPress Injects | SocGholish | VexTrio",
          "description": "",
          "modified": "2024-03-03T01:33:35.090000",
          "created": "2024-03-03T01:33:35.090000",
          "tags": [],
          "references": [
            "https://raw.githubusercontent.com/Gi7w0rm/MalwareConfigLists/main/FAKEUPDATES/KeitaroTDS.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "FAKEUPDATES",
              "display_name": "FAKEUPDATES",
              "target": null
            },
            {
              "id": "FakeUpdates",
              "display_name": "FakeUpdates",
              "target": null
            },
            {
              "id": "SocGholish",
              "display_name": "SocGholish",
              "target": null
            },
            {
              "id": "KeitaroTDS",
              "display_name": "KeitaroTDS",
              "target": null
            },
            {
              "id": "VexTrio",
              "display_name": "VexTrio",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "65d27eac8ad9391c910ee0e9",
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 47,
            "domain": 40
          },
          "indicator_count": 87,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 221,
          "modified_text": "820 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65d27eac8ad9391c910ee0e9",
          "name": "Keitaro TDS WordPress Injects | SocGholish | VexTrio",
          "description": "This is a list of common KeitaroTDS WordPress injects used to load SocGholish and VexTrio malware.",
          "modified": "2024-02-18T22:03:24.055000",
          "created": "2024-02-18T22:03:24.055000",
          "tags": [],
          "references": [
            "https://raw.githubusercontent.com/Gi7w0rm/MalwareConfigLists/main/FAKEUPDATES/KeitaroTDS.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "FAKEUPDATES",
              "display_name": "FAKEUPDATES",
              "target": null
            },
            {
              "id": "FakeUpdates",
              "display_name": "FakeUpdates",
              "target": null
            },
            {
              "id": "SocGholish",
              "display_name": "SocGholish",
              "target": null
            },
            {
              "id": "KeitaroTDS",
              "display_name": "KeitaroTDS",
              "target": null
            },
            {
              "id": "VexTrio",
              "display_name": "VexTrio",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "@Gi7w0rm",
            "id": "165134",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 47,
            "domain": 40
          },
          "indicator_count": 87,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "833 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65a83783dd35d9275170a466",
          "name": "TA569",
          "description": "AKA GOLD PRELUDE, UNC1543. IOCs gathered from social media, other analysts, and individual research.",
          "modified": "2024-02-16T20:01:20.947000",
          "created": "2024-01-17T20:24:35.310000",
          "tags": [
            "SocGholish"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond"
          ],
          "public": 1,
          "adversary": "TA569",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "FAKEUPDATES",
              "display_name": "FAKEUPDATES",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ajmeese7",
            "id": "218349",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_218349/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 63,
            "hostname": 164,
            "URL": 3,
            "FileHash-MD5": 24,
            "FileHash-SHA1": 24,
            "FileHash-SHA256": 32
          },
          "indicator_count": 310,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "836 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.gdatasoftware.com/blog/2024/07/37976-socgholish-fake-update",
        "https://www.proofpoint.com/us/blog/threat-insight/ta569-socgholish-and-beyond",
        "https://github.com/ttc-cert/TTC-CERT_blocklist_recommended/blob/master/domain_blocklist_recommended.txt",
        "https://www.domaintools.com/resources/blog/a-website-attacked/",
        "https://www.alertasyseguridad.net/repositorio-ioc/",
        "https://www.virustotal.com/graph/embed/gbe69d08cc77f41ba8ece59fff453ab7cb42cfb4819ce477c957caa6901893c17?theme=light",
        "https://www.virustotal.com/gui/collection/threatfox_js_fakeupdates",
        "https://twitter.com/500mk500/status/1771235578274607201",
        "https://raw.githubusercontent.com/Gi7w0rm/MalwareConfigLists/main/FAKEUPDATES/KeitaroTDS.txt",
        "https://www.silentpush.com/blog/socgholish/"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "GOLD PRELUDE",
            "Socgholish"
          ],
          "malware_families": [
            "Lockbit",
            "Socgholish",
            "Mintsloader",
            "Wastedlocker - s0612",
            "Bugat v5",
            "Dridex - s0384",
            "Hades",
            "Raspberry robin",
            "Netsupport",
            "Netsupportrat"
          ],
          "industries": [
            "Energy",
            "Hospitality",
            "Retail",
            "Healthcare",
            "Government",
            "Technology",
            "Finance",
            "Aerospace"
          ]
        },
        "other": {
          "adversary": [
            "TA569"
          ],
          "malware_families": [
            "Lockbit",
            "Socgholish",
            "Fakeupdates",
            "Mintsloader",
            "Keitarotds",
            "Wastedlocker - s0612",
            "Bugat v5",
            "Dridex - s0384",
            "Hades",
            "Vextrio",
            "Raspberry robin",
            "Socgholish - s1124",
            "Netsupportrat"
          ],
          "industries": [
            "Energy",
            "Healthcare",
            "Government",
            "Technology",
            "Finance"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 11,
  "pulses": [
    {
      "id": "6895aceaf8d4d7295fce7c8c",
      "name": "Unmasking SocGholish: Untangling the Malware Web Behind the 'Pioneer of Fake Updates' and Its Operator",
      "description": "SocGholish, operated by TA569, functions as a Malware-as-a-Service vendor, employing deceptive 'fake browser update' lures to compromise systems. It leverages Traffic Distribution Systems like Parrot TDS and Keitaro TDS to filter and redirect victims. TA569 acts as an Initial Access Broker, enabling other cybercriminal groups to conduct follow-on attacks, including ransomware deployments. SocGholish utilizes domain shadowing and frequent domain rotation to evade detection. The malware's infection chain involves multiple stages, from compromised websites to on-device payload delivery. Notable customers include Evil Corp and MintsLoader operators. SocGholish's sophisticated filtering mechanisms and tracking techniques ensure only high-value targets receive the final payload.",
      "modified": "2025-08-08T08:19:18.280000",
      "created": "2025-08-08T07:53:14.905000",
      "tags": [
        "wastedlocker",
        "socgholish",
        "netsupportrat",
        "malware-as-a-service",
        "fake updates",
        "traffic distribution system",
        "domain shadowing",
        "hades",
        "mintsloader",
        "raspberry robin",
        "lockbit",
        "ransomware",
        "dridex",
        "initial access broker"
      ],
      "references": [
        "https://www.silentpush.com/blog/socgholish/"
      ],
      "public": 1,
      "adversary": "GOLD PRELUDE",
      "targeted_countries": [
        "United States of America",
        "Canada",
        "Russian Federation"
      ],
      "malware_families": [
        {
          "id": "SocGholish",
          "display_name": "SocGholish",
          "target": null
        },
        {
          "id": "Raspberry Robin",
          "display_name": "Raspberry Robin",
          "target": null
        },
        {
          "id": "LockBit",
          "display_name": "LockBit",
          "target": null
        },
        {
          "id": "WastedLocker - S0612",
          "display_name": "WastedLocker - S0612",
          "target": null
        },
        {
          "id": "NetSupportRAT",
          "display_name": "NetSupportRAT",
          "target": null
        },
        {
          "id": "Hades",
          "display_name": "Hades",
          "target": null
        },
        {
          "id": "Dridex - S0384",
          "display_name": "Dridex - S0384",
          "target": null
        },
        {
          "id": "Bugat v5",
          "display_name": "Bugat v5",
          "target": null
        },
        {
          "id": "MintsLoader",
          "display_name": "MintsLoader",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1550",
          "name": "Use Alternate Authentication Material",
          "display_name": "T1550 - Use Alternate Authentication Material"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        }
      ],
      "industries": [
        "Finance",
        "Government",
        "Healthcare",
        "Energy",
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 65,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 3,
        "domain": 18,
        "hostname": 12
      },
      "indicator_count": 33,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386757,
      "modified_text": "297 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "670f879377f69603fe32d425",
      "name": "A Website Attacked",
      "description": "This report investigates a watering hole attack on a U.S. apartment website that delivered malware by spoofing a fake browser update. The investigation uncovered dozens of other compromised websites from various industries like healthcare, retail, and consumer sites. The compromised sites loaded malicious scripts from external domains, using techniques like iframes, random variable strings, and insertBefore methods. The malware spoofed Chrome, Mozilla, and Edge browser updates to deliver NetSupport malware. Domain registration analysis revealed the actor utilized various registrars, ISPs, and nameservers, prioritizing volume and speed over operational security. The activity shares similarities with the Socgholish threat group.",
      "modified": "2024-11-15T09:03:06.312000",
      "created": "2024-10-16T09:29:55.871000",
      "tags": [
        "spoofing",
        "browser updates",
        "netsupport",
        "compromised websites",
        "malware",
        "watering hole"
      ],
      "references": [
        "https://www.domaintools.com/resources/blog/a-website-attacked/"
      ],
      "public": 1,
      "adversary": "Socgholish",
      "targeted_countries": [
        "United States of America",
        "Thailand",
        "Japan"
      ],
      "malware_families": [
        {
          "id": "NetSupport",
          "display_name": "NetSupport",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1557",
          "name": "Man-in-the-Middle",
          "display_name": "T1557 - Man-in-the-Middle"
        },
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        }
      ],
      "industries": [
        "Aerospace",
        "Healthcare",
        "Retail",
        "Hospitality",
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 76,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1,
        "FileHash-SHA1": 1,
        "FileHash-SHA256": 3,
        "URL": 30,
        "domain": 33,
        "hostname": 1
      },
      "indicator_count": 69,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386756,
      "modified_text": "563 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6783308fc0b6e2bd8dfb209c",
      "name": "TTC-CERT_blocklist_recommended",
      "description": "",
      "modified": "2026-02-14T00:03:07.406000",
      "created": "2025-01-12T03:01:35.075000",
      "tags": [],
      "references": [
        "https://github.com/ttc-cert/TTC-CERT_blocklist_recommended/blob/master/domain_blocklist_recommended.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "skocherhan",
        "id": "249290",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 606,
        "URL": 4,
        "domain": 25122,
        "hostname": 25306
      },
      "indicator_count": 51038,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 187,
      "modified_text": "107 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "689acf7b65de644b57cec5ca",
      "name": "Unmasking SocGholish: Untangling the Malware Web Behind the 'Pioneer of Fake Updates' and Its Operator",
      "description": "",
      "modified": "2025-08-12T05:22:03.648000",
      "created": "2025-08-12T05:22:03.648000",
      "tags": [
        "wastedlocker",
        "socgholish",
        "netsupportrat",
        "malware-as-a-service",
        "fake updates",
        "traffic distribution system",
        "domain shadowing",
        "hades",
        "mintsloader",
        "raspberry robin",
        "lockbit",
        "ransomware",
        "dridex",
        "initial access broker"
      ],
      "references": [
        "https://www.silentpush.com/blog/socgholish/"
      ],
      "public": 1,
      "adversary": "TA569",
      "targeted_countries": [
        "United States of America",
        "Canada",
        "Russian Federation"
      ],
      "malware_families": [
        {
          "id": "SocGholish",
          "display_name": "SocGholish",
          "target": null
        },
        {
          "id": "Raspberry Robin",
          "display_name": "Raspberry Robin",
          "target": null
        },
        {
          "id": "LockBit",
          "display_name": "LockBit",
          "target": null
        },
        {
          "id": "WastedLocker - S0612",
          "display_name": "WastedLocker - S0612",
          "target": null
        },
        {
          "id": "NetSupportRAT",
          "display_name": "NetSupportRAT",
          "target": null
        },
        {
          "id": "Hades",
          "display_name": "Hades",
          "target": null
        },
        {
          "id": "Dridex - S0384",
          "display_name": "Dridex - S0384",
          "target": null
        },
        {
          "id": "Bugat v5",
          "display_name": "Bugat v5",
          "target": null
        },
        {
          "id": "MintsLoader",
          "display_name": "MintsLoader",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1550",
          "name": "Use Alternate Authentication Material",
          "display_name": "T1550 - Use Alternate Authentication Material"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1078",
          "name": "Valid Accounts",
          "display_name": "T1078 - Valid Accounts"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        }
      ],
      "industries": [
        "Finance",
        "Government",
        "Healthcare",
        "Energy",
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": "6895aceaf8d4d7295fce7c8c",
      "export_count": 40,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 3,
        "domain": 18,
        "hostname": 12
      },
      "indicator_count": 33,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 277,
      "modified_text": "293 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "689901bb2323b0727bc2539f",
      "name": "SocGholish Malware Exploits TDS Networks to Target Victims",
      "description": "Cybercriminals behind SocGholish malware are using Traffic Distribution Systems (TDS) like Parrot TDS and Keitaro TDS to filter and redirect victims to malicious sites.",
      "modified": "2025-08-10T20:31:55.193000",
      "created": "2025-08-10T20:31:55.193000",
      "tags": [
        "socgholish",
        "ta569",
        "raspberry robin",
        "keitaro tds",
        "silent push",
        "parrot tds",
        "ta2726",
        "evil corp",
        "russia",
        "dev0243",
        "dridex",
        "mintsloader",
        "push",
        "keitaro",
        "lockbit",
        "attack",
        "first",
        "pioneer",
        "rats",
        "inject",
        "wastedlocker",
        "hades",
        "fakeupdates",
        "malware",
        "fakeupdate",
        "android",
        "trojan",
        "august",
        "agent",
        "installer",
        "worm",
        "thus"
      ],
      "references": [
        "https://www.silentpush.com/blog/socgholish/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 29,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CODERED_VTA",
        "id": "349568",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 3,
        "domain": 19,
        "hostname": 14
      },
      "indicator_count": 36,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 58,
      "modified_text": "295 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6895e01b6aa8015c20031989",
      "name": "Unmasking SocGholish: Silent Push Untangles the Malware Web Behind the \u201cPioneer of Fake Updates\u201d and Its Operator, TA569 - Silent Push",
      "description": "",
      "modified": "2025-08-08T11:31:39.962000",
      "created": "2025-08-08T11:31:39.962000",
      "tags": [
        "socgholish",
        "ta569",
        "raspberry robin",
        "keitaro tds",
        "silent push",
        "parrot tds",
        "ta2726",
        "evil corp",
        "russia",
        "dev0243",
        "dridex",
        "mintsloader",
        "push",
        "keitaro",
        "lockbit",
        "attack",
        "first",
        "pioneer",
        "rats",
        "inject",
        "wastedlocker",
        "hades",
        "fakeupdates",
        "malware",
        "fakeupdate",
        "android",
        "trojan",
        "august",
        "agent",
        "installer",
        "worm",
        "thus"
      ],
      "references": [
        "https://www.silentpush.com/blog/socgholish/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 33,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 3,
        "domain": 19,
        "hostname": 14
      },
      "indicator_count": 36,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 863,
      "modified_text": "297 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "66a2b971cad0f744c2793342",
      "name": "ACTIVIDAD MALICIOSA | Relacionada con SocGholish 25-07-2024",
      "description": "SocGholish, tambi\u00e9n conocido como FakeUpdates, es un tipo de malware empleado por grupos de ciberdelincuentes desde 2017, atacando principalmente sitios web basados en WordPress. Este malware se propaga mediante descargas autom\u00e1ticas disfrazadas como actualizaciones de navegador falsas, resultando en la instalaci\u00f3n de software malicioso en los dispositivos de los usuarios sin su conocimiento. Esto permite la ejecuci\u00f3n de c\u00f3digo malicioso, el robo de datos y la implementaci\u00f3n de ransomware. SocGholish utiliza t\u00e9cnicas avanzadas para evadir la detecci\u00f3n, como la inyecci\u00f3n de c\u00f3digo JavaScript y la ofuscaci\u00f3n, lo que dificulta su identificaci\u00f3n y eliminaci\u00f3n.",
      "modified": "2024-08-24T20:03:49.146000",
      "created": "2024-07-25T20:45:37.329000",
      "tags": [
        "ta0001",
        "ta0002",
        "ta0005",
        "ta0011",
        "command",
        "control",
        "ta0042",
        "development",
        "t1189",
        "t1027"
      ],
      "references": [
        "https://www.virustotal.com/graph/embed/gbe69d08cc77f41ba8ece59fff453ab7cb42cfb4819ce477c957caa6901893c17?theme=light",
        "https://www.gdatasoftware.com/blog/2024/07/37976-socgholish-fake-update",
        "https://www.alertasyseguridad.net/repositorio-ioc/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "SocGholish - S1124",
          "display_name": "SocGholish - S1124",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 15,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "esoporteingenieria2020",
        "id": "121604",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 10,
        "URL": 1,
        "domain": 11,
        "hostname": 7
      },
      "indicator_count": 33,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 267,
      "modified_text": "646 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65fe20d1635c58fd2be328bc",
      "name": "FAKEUPDATES by ThreatFox",
      "description": "",
      "modified": "2024-05-12T20:27:02.873000",
      "created": "2024-03-23T00:22:41.667000",
      "tags": [
        "virustotal"
      ],
      "references": [
        "https://www.virustotal.com/gui/collection/threatfox_js_fakeupdates",
        "https://twitter.com/500mk500/status/1771235578274607201"
      ],
      "public": 1,
      "adversary": "TA569",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "skocherhan",
        "id": "249290",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 1001,
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 5,
        "domain": 426,
        "hostname": 272
      },
      "indicator_count": 1708,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 186,
      "modified_text": "750 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65e3d36fadbe23f8ca2de018",
      "name": "Keitaro TDS WordPress Injects | SocGholish | VexTrio",
      "description": "",
      "modified": "2024-03-03T01:33:35.090000",
      "created": "2024-03-03T01:33:35.090000",
      "tags": [],
      "references": [
        "https://raw.githubusercontent.com/Gi7w0rm/MalwareConfigLists/main/FAKEUPDATES/KeitaroTDS.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "FAKEUPDATES",
          "display_name": "FAKEUPDATES",
          "target": null
        },
        {
          "id": "FakeUpdates",
          "display_name": "FakeUpdates",
          "target": null
        },
        {
          "id": "SocGholish",
          "display_name": "SocGholish",
          "target": null
        },
        {
          "id": "KeitaroTDS",
          "display_name": "KeitaroTDS",
          "target": null
        },
        {
          "id": "VexTrio",
          "display_name": "VexTrio",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": "65d27eac8ad9391c910ee0e9",
      "export_count": 19,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 47,
        "domain": 40
      },
      "indicator_count": 87,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 221,
      "modified_text": "820 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65d27eac8ad9391c910ee0e9",
      "name": "Keitaro TDS WordPress Injects | SocGholish | VexTrio",
      "description": "This is a list of common KeitaroTDS WordPress injects used to load SocGholish and VexTrio malware.",
      "modified": "2024-02-18T22:03:24.055000",
      "created": "2024-02-18T22:03:24.055000",
      "tags": [],
      "references": [
        "https://raw.githubusercontent.com/Gi7w0rm/MalwareConfigLists/main/FAKEUPDATES/KeitaroTDS.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "FAKEUPDATES",
          "display_name": "FAKEUPDATES",
          "target": null
        },
        {
          "id": "FakeUpdates",
          "display_name": "FakeUpdates",
          "target": null
        },
        {
          "id": "SocGholish",
          "display_name": "SocGholish",
          "target": null
        },
        {
          "id": "KeitaroTDS",
          "display_name": "KeitaroTDS",
          "target": null
        },
        {
          "id": "VexTrio",
          "display_name": "VexTrio",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "@Gi7w0rm",
        "id": "165134",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 47,
        "domain": 40
      },
      "indicator_count": 87,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "833 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "biggerfun.org",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "biggerfun.org",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780347493.1549118
}