{
  "type": "Domain",
  "indicator": "bildherrywation.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/bildherrywation.com",
    "alexa": "http://www.alexa.com/siteinfo/bildherrywation.com",
    "indicator": "bildherrywation.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3846126371,
      "indicator": "bildherrywation.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 4,
      "pulses": [
        {
          "id": "681d25f00b6ceeb219d19c9a",
          "name": "Unmasking the FreeDrain Network",
          "description": "A collaborative investigation by Validin and SentinelLABS exposes the FreeDrain Network, a large-scale cryptocurrency phishing operation. The campaign exploits search engine optimization, free web services, and redirection techniques to target and drain cryptocurrency wallets. The attackers use lure pages hosted on trusted platforms, which redirect victims to phishing sites mimicking legitimate wallet interfaces. The operation is believed to be run by individuals in the IST timezone, working standard business hours. The campaign has been active since at least 2022, with a notable acceleration in mid-2024. The research highlights the need for stronger safeguards on free publishing platforms to prevent such large-scale abuse.",
          "modified": "2025-05-09T17:00:14.680000",
          "created": "2025-05-08T21:45:20.530000",
          "tags": [
            "seo manipulation",
            "redirectors",
            "phishing",
            "infrastructure analysis",
            "free hosting abuse",
            "cryptocurrency",
            "wallet draining"
          ],
          "references": [
            "https://www.validin.com/blog/freedrain_unmasked"
          ],
          "public": 1,
          "adversary": "FreeDrain",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1583.001",
              "name": "Domains",
              "display_name": "T1583.001 - Domains"
            },
            {
              "id": "T1185",
              "name": "Man in the Browser",
              "display_name": "T1185 - Man in the Browser"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583.006",
              "name": "Web Services",
              "display_name": "T1583.006 - Web Services"
            },
            {
              "id": "T1102.003",
              "name": "One-Way Communication",
              "display_name": "T1102.003 - One-Way Communication"
            },
            {
              "id": "T1584.006",
              "name": "Web Services",
              "display_name": "T1584.006 - Web Services"
            },
            {
              "id": "T1102.002",
              "name": "Bidirectional Communication",
              "display_name": "T1102.002 - Bidirectional Communication"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1102.001",
              "name": "Dead Drop Resolver",
              "display_name": "T1102.001 - Dead Drop Resolver"
            },
            {
              "id": "T1584.001",
              "name": "Domains",
              "display_name": "T1584.001 - Domains"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 30,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 18
          },
          "indicator_count": 18,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 387198,
          "modified_text": "390 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "681e194bee59e1953f5a22e8",
          "name": "FreeDrain Unmasked | Uncovering an Industrial-Scale Crypto Theft Network",
          "description": "FreeDrain is a sophisticated, large-scale cryptocurrency phishing operation that has been stealing digital assets for years. It exploits search engine optimization, free-tier web services, and layered redirection techniques to target cryptocurrency wallets. Victims are lured through high-ranking search results to phishing pages that mimic legitimate wallet interfaces. The operation has been linked to over 38,000 distinct subdomains hosting lure pages. Evidence suggests the operators are based in the UTC+05:30 timezone, likely in India, working standard weekday hours. The campaign highlights systemic weaknesses in free publishing platforms and the need for stronger safeguards, user education, and security community collaboration to combat such threats.",
          "modified": "2025-05-09T16:51:51.926000",
          "created": "2025-05-09T15:03:39.816000",
          "tags": [
            "redirection techniques",
            "seo manipulation",
            "phishing",
            "cryptocurrency",
            "search engine poisoning",
            "wallet theft"
          ],
          "references": [
            "https://www.sentinelone.com/labs/freedrain-unmasked-uncovering-an-industrial-scale-crypto-theft-network"
          ],
          "public": 1,
          "adversary": "FreeDrain",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1586",
              "name": "Compromise Accounts",
              "display_name": "T1586 - Compromise Accounts"
            },
            {
              "id": "T1608",
              "name": "Stage Capabilities",
              "display_name": "T1608 - Stage Capabilities"
            },
            {
              "id": "T1528",
              "name": "Steal Application Access Token",
              "display_name": "T1528 - Steal Application Access Token"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1585",
              "name": "Establish Accounts",
              "display_name": "T1585 - Establish Accounts"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 32,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 71
          },
          "indicator_count": 71,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 387197,
          "modified_text": "390 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68215d40820fe554a7140cf6",
          "name": "TTP - FreeDrain Unmasked | Uncovering an Industrial-Scale Crypto Theft Network",
          "description": "\u672c\u6587\u63ed\u9732\u4e86\u540d\u4e3a\u201cFreeDrain\u201d\u7684\u5168\u7403\u6027\u3001\u5de5\u4e1a\u5316\u52a0\u5bc6\u8d27\u5e01\u9493\u9c7c\u7f51\u7edc\u3002\u653b\u51fb\u8005\u5229\u7528 SEO \u64cd\u7eb5\u3001\u514d\u8d39\u6258\u7ba1\u5e73\u53f0\uff08\u5982 gitbook.io\u3001webflow.io\u3001github.io\uff09\u548c\u591a\u5c42\u91cd\u5b9a\u5411\uff0c\u5c06\u53d7\u5bb3\u8005\u5f15\u5bfc\u81f3\u4eff\u5192\u7684\u94b1\u5305\u7f51\u9875\u7a83\u53d6\u52a9\u8bb0\u8bcd\u3002\u7814\u7a76\u4eba\u5458\u8ffd\u8e2a\u5230 38 000 \u591a\u4e2a\u8bf1\u9975\u5b50\u57df\u540d\u3001\u6570\u767e\u4e2a\u91cd\u5b9a\u5411\u57df\u540d\u4ee5\u53ca\u5728 AWS S3\u3001Azure Web Apps \u4e0a\u6258\u7ba1\u7684\u5927\u91cf\u9493\u9c7c\u7ad9\u70b9\u3002\u8bc1\u636e\u663e\u793a\uff0c\u8fd0\u8425\u8005\u4f4d\u4e8e UTC+05:30 \u65f6\u533a\uff08\u5370\u5ea6\u6807\u51c6\u65f6\u95f4\uff09\uff0c\u6309\u5de5\u4f5c\u65e5\u4f5c\u606f\u624b\u52a8\u7ef4\u62a4\u57fa\u7840\u8bbe\u65bd\u3002FreeDrain \u5c55\u73b0\u4e86\u8d22\u52a1\u9a71\u52a8\u5a01\u80c1\u56e2\u4f19\u5982\u4f55\u6ee5\u7528\u514d\u8d39\u53d1\u5e03\u670d\u52a1\uff0c\u4ee5\u4f4e\u6280\u672f\u95e8\u69db\u3001\u5f3a\u53ef\u6269\u5c55\u6027\u3001\u7075\u6d3b\u65cb\u8f6c\u57fa\u7840\u8bbe\u65bd\u957f\u671f\u7a83\u53d6\u53d7\u5bb3\u8005\u8d44\u4ea7\uff0c\u5e76\u51f8\u663e\u4e86\u5e73\u53f0\u5c42\u9762\u9632\u5fa1\u4e0e\u793e\u533a\u534f\u4f5c\u7684\u8feb\u5207\u9700\u6c42\u3002",
          "modified": "2025-05-12T02:33:54.133000",
          "created": "2025-05-12T02:30:24.884000",
          "tags": [
            "redirection techniques",
            "seo manipulation",
            "phishing",
            "cryptocurrency",
            "search engine poisoning",
            "wallet theft"
          ],
          "references": [
            "https://www.sentinelone.com/labs/freedrain-unmasked-uncovering-an-industrial-scale-crypto-theft-network"
          ],
          "public": 1,
          "adversary": "FreeDrain",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1586",
              "name": "Compromise Accounts",
              "display_name": "T1586 - Compromise Accounts"
            },
            {
              "id": "T1608",
              "name": "Stage Capabilities",
              "display_name": "T1608 - Stage Capabilities"
            },
            {
              "id": "T1528",
              "name": "Steal Application Access Token",
              "display_name": "T1528 - Steal Application Access Token"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1585",
              "name": "Establish Accounts",
              "display_name": "T1585 - Establish Accounts"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "681e194bee59e1953f5a22e8",
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 71
          },
          "indicator_count": 71,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 140,
          "modified_text": "387 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65dbd8f453b75d3f1b7e603d",
          "name": "Malware Filter - Phishing List - 25-02-2024",
          "description": "",
          "modified": "2024-02-26T00:19:00.672000",
          "created": "2024-02-26T00:19:00.672000",
          "tags": [],
          "references": [
            "https://malware-filter.gitlab.io/malware-filter/phishing-filter-domains.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 23,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunterAutoFeed",
            "id": "182496",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 251,
            "domain": 123
          },
          "indicator_count": 374,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1625,
          "modified_text": "828 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.validin.com/blog/freedrain_unmasked",
        "https://malware-filter.gitlab.io/malware-filter/phishing-filter-domains.txt",
        "https://www.sentinelone.com/labs/freedrain-unmasked-uncovering-an-industrial-scale-crypto-theft-network"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "FreeDrain"
          ],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "FreeDrain"
          ],
          "malware_families": [],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 4,
  "pulses": [
    {
      "id": "681d25f00b6ceeb219d19c9a",
      "name": "Unmasking the FreeDrain Network",
      "description": "A collaborative investigation by Validin and SentinelLABS exposes the FreeDrain Network, a large-scale cryptocurrency phishing operation. The campaign exploits search engine optimization, free web services, and redirection techniques to target and drain cryptocurrency wallets. The attackers use lure pages hosted on trusted platforms, which redirect victims to phishing sites mimicking legitimate wallet interfaces. The operation is believed to be run by individuals in the IST timezone, working standard business hours. The campaign has been active since at least 2022, with a notable acceleration in mid-2024. The research highlights the need for stronger safeguards on free publishing platforms to prevent such large-scale abuse.",
      "modified": "2025-05-09T17:00:14.680000",
      "created": "2025-05-08T21:45:20.530000",
      "tags": [
        "seo manipulation",
        "redirectors",
        "phishing",
        "infrastructure analysis",
        "free hosting abuse",
        "cryptocurrency",
        "wallet draining"
      ],
      "references": [
        "https://www.validin.com/blog/freedrain_unmasked"
      ],
      "public": 1,
      "adversary": "FreeDrain",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1583.001",
          "name": "Domains",
          "display_name": "T1583.001 - Domains"
        },
        {
          "id": "T1185",
          "name": "Man in the Browser",
          "display_name": "T1185 - Man in the Browser"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583.006",
          "name": "Web Services",
          "display_name": "T1583.006 - Web Services"
        },
        {
          "id": "T1102.003",
          "name": "One-Way Communication",
          "display_name": "T1102.003 - One-Way Communication"
        },
        {
          "id": "T1584.006",
          "name": "Web Services",
          "display_name": "T1584.006 - Web Services"
        },
        {
          "id": "T1102.002",
          "name": "Bidirectional Communication",
          "display_name": "T1102.002 - Bidirectional Communication"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1102.001",
          "name": "Dead Drop Resolver",
          "display_name": "T1102.001 - Dead Drop Resolver"
        },
        {
          "id": "T1584.001",
          "name": "Domains",
          "display_name": "T1584.001 - Domains"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 30,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 18
      },
      "indicator_count": 18,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 387198,
      "modified_text": "390 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "681e194bee59e1953f5a22e8",
      "name": "FreeDrain Unmasked | Uncovering an Industrial-Scale Crypto Theft Network",
      "description": "FreeDrain is a sophisticated, large-scale cryptocurrency phishing operation that has been stealing digital assets for years. It exploits search engine optimization, free-tier web services, and layered redirection techniques to target cryptocurrency wallets. Victims are lured through high-ranking search results to phishing pages that mimic legitimate wallet interfaces. The operation has been linked to over 38,000 distinct subdomains hosting lure pages. Evidence suggests the operators are based in the UTC+05:30 timezone, likely in India, working standard weekday hours. The campaign highlights systemic weaknesses in free publishing platforms and the need for stronger safeguards, user education, and security community collaboration to combat such threats.",
      "modified": "2025-05-09T16:51:51.926000",
      "created": "2025-05-09T15:03:39.816000",
      "tags": [
        "redirection techniques",
        "seo manipulation",
        "phishing",
        "cryptocurrency",
        "search engine poisoning",
        "wallet theft"
      ],
      "references": [
        "https://www.sentinelone.com/labs/freedrain-unmasked-uncovering-an-industrial-scale-crypto-theft-network"
      ],
      "public": 1,
      "adversary": "FreeDrain",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1586",
          "name": "Compromise Accounts",
          "display_name": "T1586 - Compromise Accounts"
        },
        {
          "id": "T1608",
          "name": "Stage Capabilities",
          "display_name": "T1608 - Stage Capabilities"
        },
        {
          "id": "T1528",
          "name": "Steal Application Access Token",
          "display_name": "T1528 - Steal Application Access Token"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1585",
          "name": "Establish Accounts",
          "display_name": "T1585 - Establish Accounts"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 32,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 71
      },
      "indicator_count": 71,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 387197,
      "modified_text": "390 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68215d40820fe554a7140cf6",
      "name": "TTP - FreeDrain Unmasked | Uncovering an Industrial-Scale Crypto Theft Network",
      "description": "\u672c\u6587\u63ed\u9732\u4e86\u540d\u4e3a\u201cFreeDrain\u201d\u7684\u5168\u7403\u6027\u3001\u5de5\u4e1a\u5316\u52a0\u5bc6\u8d27\u5e01\u9493\u9c7c\u7f51\u7edc\u3002\u653b\u51fb\u8005\u5229\u7528 SEO \u64cd\u7eb5\u3001\u514d\u8d39\u6258\u7ba1\u5e73\u53f0\uff08\u5982 gitbook.io\u3001webflow.io\u3001github.io\uff09\u548c\u591a\u5c42\u91cd\u5b9a\u5411\uff0c\u5c06\u53d7\u5bb3\u8005\u5f15\u5bfc\u81f3\u4eff\u5192\u7684\u94b1\u5305\u7f51\u9875\u7a83\u53d6\u52a9\u8bb0\u8bcd\u3002\u7814\u7a76\u4eba\u5458\u8ffd\u8e2a\u5230 38 000 \u591a\u4e2a\u8bf1\u9975\u5b50\u57df\u540d\u3001\u6570\u767e\u4e2a\u91cd\u5b9a\u5411\u57df\u540d\u4ee5\u53ca\u5728 AWS S3\u3001Azure Web Apps \u4e0a\u6258\u7ba1\u7684\u5927\u91cf\u9493\u9c7c\u7ad9\u70b9\u3002\u8bc1\u636e\u663e\u793a\uff0c\u8fd0\u8425\u8005\u4f4d\u4e8e UTC+05:30 \u65f6\u533a\uff08\u5370\u5ea6\u6807\u51c6\u65f6\u95f4\uff09\uff0c\u6309\u5de5\u4f5c\u65e5\u4f5c\u606f\u624b\u52a8\u7ef4\u62a4\u57fa\u7840\u8bbe\u65bd\u3002FreeDrain \u5c55\u73b0\u4e86\u8d22\u52a1\u9a71\u52a8\u5a01\u80c1\u56e2\u4f19\u5982\u4f55\u6ee5\u7528\u514d\u8d39\u53d1\u5e03\u670d\u52a1\uff0c\u4ee5\u4f4e\u6280\u672f\u95e8\u69db\u3001\u5f3a\u53ef\u6269\u5c55\u6027\u3001\u7075\u6d3b\u65cb\u8f6c\u57fa\u7840\u8bbe\u65bd\u957f\u671f\u7a83\u53d6\u53d7\u5bb3\u8005\u8d44\u4ea7\uff0c\u5e76\u51f8\u663e\u4e86\u5e73\u53f0\u5c42\u9762\u9632\u5fa1\u4e0e\u793e\u533a\u534f\u4f5c\u7684\u8feb\u5207\u9700\u6c42\u3002",
      "modified": "2025-05-12T02:33:54.133000",
      "created": "2025-05-12T02:30:24.884000",
      "tags": [
        "redirection techniques",
        "seo manipulation",
        "phishing",
        "cryptocurrency",
        "search engine poisoning",
        "wallet theft"
      ],
      "references": [
        "https://www.sentinelone.com/labs/freedrain-unmasked-uncovering-an-industrial-scale-crypto-theft-network"
      ],
      "public": 1,
      "adversary": "FreeDrain",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1586",
          "name": "Compromise Accounts",
          "display_name": "T1586 - Compromise Accounts"
        },
        {
          "id": "T1608",
          "name": "Stage Capabilities",
          "display_name": "T1608 - Stage Capabilities"
        },
        {
          "id": "T1528",
          "name": "Steal Application Access Token",
          "display_name": "T1528 - Steal Application Access Token"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1585",
          "name": "Establish Accounts",
          "display_name": "T1585 - Establish Accounts"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "681e194bee59e1953f5a22e8",
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 71
      },
      "indicator_count": 71,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 140,
      "modified_text": "387 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65dbd8f453b75d3f1b7e603d",
      "name": "Malware Filter - Phishing List - 25-02-2024",
      "description": "",
      "modified": "2024-02-26T00:19:00.672000",
      "created": "2024-02-26T00:19:00.672000",
      "tags": [],
      "references": [
        "https://malware-filter.gitlab.io/malware-filter/phishing-filter-domains.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 23,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunterAutoFeed",
        "id": "182496",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 251,
        "domain": 123
      },
      "indicator_count": 374,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1625,
      "modified_text": "828 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached; no VirusTotal analysis was retrieved for this indicator, so the missing VirusTotal verdict must not be read as a clean result. Try again shortly.",
    "indicator": "bildherrywation.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "bildherrywation.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780528907.7275844
}