{
  "type": "Domain",
  "indicator": "bilitora.ru",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/bilitora.ru",
    "alexa": "http://www.alexa.com/siteinfo/bilitora.ru",
    "indicator": "bilitora.ru",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3419832438,
      "indicator": "bilitora.ru",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 5,
      "pulses": [
        {
          "id": "62bc21172edd88c392a1eb24",
          "name": "GlowSand",
          "description": "A look at some of the key technology and services used to protect the enterprise from cyber-attacks in Ukraine and other countries in Eastern Europe.",
          "modified": "2022-06-29T09:53:27.317000",
          "created": "2022-06-29T09:53:27.317000",
          "tags": [
            "office open",
            "ukraine",
            "eastern europe",
            "glowsand",
            "geopolitical conflict"
          ],
          "references": [
            "https://inquest.net/blog/2022/06/27/glowsand"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "GlowSand",
              "display_name": "GlowSand",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            }
          ],
          "industries": [
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 395,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 5,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 7,
            "domain": 20,
            "hostname": 22
          },
          "indicator_count": 59,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386946,
          "modified_text": "1434 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "624ff5fdc775e84ef8bd5850",
          "name": "Cyber attack of UAC-0010 group (Armageddon) on state organizations of Ukraine",
          "description": "The Governmental Team for Response to Computer Emergencies of Ukraine CERT-UA received an e-mail from the coordinating subject with the subject \"\u21161275 from 07.04.2022\", containing the HTML file of the same name, the opening of which will lead to the creation of an archive on the computer \" 1275_07.04.2022.rar \". The latter contains an LNK file \"On the facts of persecution and murder of prosecutors by the Russian military in the temporarily occupied territories.lnk\", the opening of which will lead to the download and launch of the payload.",
          "modified": "2022-05-08T00:03:14.586000",
          "created": "2022-04-08T08:44:44.856000",
          "tags": [
            "Gamaredon",
            "Armageddon",
            "UAC-0010",
            "Primitive Bear",
            "geopolitical conflict"
          ],
          "references": [
            "https://cert.gov.ua/article/39386"
          ],
          "public": 1,
          "adversary": "Gamaredon Group",
          "targeted_countries": [
            "Ukraine"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1193",
              "name": "Spearphishing Attachment",
              "display_name": "T1193 - Spearphishing Attachment"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 290,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 15,
            "URL": 1,
            "email": 1,
            "hostname": 7,
            "FileHash-MD5": 5,
            "FileHash-SHA256": 5
          },
          "indicator_count": 34,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386949,
          "modified_text": "1486 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "682a46afaa3b85a48f146c2a",
          "name": "Hunting for File Transfer Sites: Indicators of Compromise (IOCs) and Analysis",
          "description": "Analysis of recent malicious activity involving file transfer services, including identified IOCs (IPs, domains, malware hashes) and TTPs (Tactics, Techniques, and Procedures). This report highlights phishing campaigns, credential theft, and attacker infrastructure tied to compromised file-sharing platforms.",
          "modified": "2025-06-17T20:02:14.083000",
          "created": "2025-05-18T20:44:31.048000",
          "tags": [],
          "references": [
            "https://www.knowyouradversary.ru/2025/05/138-hunting-for-file-transfer-sites.html",
            "https://unit42.paloaltonetworks.com/muddled-libra/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 53,
            "hostname": 33,
            "domain": 94
          },
          "indicator_count": 180,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 544,
          "modified_text": "349 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "64942fcb66079e25768affe4",
          "name": "Muddled Libra Targets Large Outsourcing Firms",
          "description": "",
          "modified": "2023-07-22T11:03:54.954000",
          "created": "2023-06-22T11:26:03.633000",
          "tags": [],
          "references": [
            "June 22nd, 2023 - CryptoGen Cyber Threat Intelligence - Muddled Libra Targets Large Outsourcing Firms"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 68,
            "hostname": 48,
            "domain": 91,
            "FileHash-SHA256": 8
          },
          "indicator_count": 215,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 500,
          "modified_text": "1046 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62b4346d6d574aa258745c6e",
          "name": "gamaredon IOCs",
          "description": "The following is a full list of highlights from this year's Technology, Media and Entertainment (Tech, Entertainment and Design) conference, held at London's O2 Arena on Friday, 1 July.",
          "modified": "2022-06-23T09:37:49.100000",
          "created": "2022-06-23T09:37:49.100000",
          "tags": [],
          "references": [
            "https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/",
            "https://github.com/pan-unit42/iocs/blob/master/Gamaredon/2202_06_Gamaredon_IoC_UPDATE.txt"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "brazen.fox.thirteen",
            "id": "155136",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 144,
            "hostname": 2
          },
          "indicator_count": 146,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 128,
          "modified_text": "1440 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "June 22nd, 2023 - CryptoGen Cyber Threat Intelligence - Muddled Libra Targets Large Outsourcing Firms",
        "https://github.com/pan-unit42/iocs/blob/master/Gamaredon/2202_06_Gamaredon_IoC_UPDATE.txt",
        "https://inquest.net/blog/2022/06/27/glowsand",
        "https://www.knowyouradversary.ru/2025/05/138-hunting-for-file-transfer-sites.html",
        "https://cert.gov.ua/article/39386",
        "https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/",
        "https://unit42.paloaltonetworks.com/muddled-libra/"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "Gamaredon Group"
          ],
          "malware_families": [
            "Glowsand"
          ],
          "industries": [
            "Government"
          ]
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 5,
  "pulses": [
    {
      "id": "62bc21172edd88c392a1eb24",
      "name": "GlowSand",
      "description": "A look at some of the key technology and services used to protect the enterprise from cyber-attacks in Ukraine and other countries in Eastern Europe.",
      "modified": "2022-06-29T09:53:27.317000",
      "created": "2022-06-29T09:53:27.317000",
      "tags": [
        "office open",
        "ukraine",
        "eastern europe",
        "glowsand",
        "geopolitical conflict"
      ],
      "references": [
        "https://inquest.net/blog/2022/06/27/glowsand"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "GlowSand",
          "display_name": "GlowSand",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        }
      ],
      "industries": [
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 395,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 5,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 7,
        "domain": 20,
        "hostname": 22
      },
      "indicator_count": 59,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386946,
      "modified_text": "1434 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "624ff5fdc775e84ef8bd5850",
      "name": "Cyber attack of UAC-0010 group (Armageddon) on state organizations of Ukraine",
      "description": "The Governmental Team for Response to Computer Emergencies of Ukraine CERT-UA received an e-mail from the coordinating subject with the subject \"\u21161275 from 07.04.2022\", containing the HTML file of the same name, the opening of which will lead to the creation of an archive on the computer \" 1275_07.04.2022.rar \". The latter contains an LNK file \"On the facts of persecution and murder of prosecutors by the Russian military in the temporarily occupied territories.lnk\", the opening of which will lead to the download and launch of the payload.",
      "modified": "2022-05-08T00:03:14.586000",
      "created": "2022-04-08T08:44:44.856000",
      "tags": [
        "Gamaredon",
        "Armageddon",
        "UAC-0010",
        "Primitive Bear",
        "geopolitical conflict"
      ],
      "references": [
        "https://cert.gov.ua/article/39386"
      ],
      "public": 1,
      "adversary": "Gamaredon Group",
      "targeted_countries": [
        "Ukraine"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1193",
          "name": "Spearphishing Attachment",
          "display_name": "T1193 - Spearphishing Attachment"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 290,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 15,
        "URL": 1,
        "email": 1,
        "hostname": 7,
        "FileHash-MD5": 5,
        "FileHash-SHA256": 5
      },
      "indicator_count": 34,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386949,
      "modified_text": "1486 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "682a46afaa3b85a48f146c2a",
      "name": "Hunting for File Transfer Sites: Indicators of Compromise (IOCs) and Analysis",
      "description": "Analysis of recent malicious activity involving file transfer services, including identified IOCs (IPs, domains, malware hashes) and TTPs (Tactics, Techniques, and Procedures). This report highlights phishing campaigns, credential theft, and attacker infrastructure tied to compromised file-sharing platforms.",
      "modified": "2025-06-17T20:02:14.083000",
      "created": "2025-05-18T20:44:31.048000",
      "tags": [],
      "references": [
        "https://www.knowyouradversary.ru/2025/05/138-hunting-for-file-transfer-sites.html",
        "https://unit42.paloaltonetworks.com/muddled-libra/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 16,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 53,
        "hostname": 33,
        "domain": 94
      },
      "indicator_count": 180,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 544,
      "modified_text": "349 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "64942fcb66079e25768affe4",
      "name": "Muddled Libra Targets Large Outsourcing Firms",
      "description": "",
      "modified": "2023-07-22T11:03:54.954000",
      "created": "2023-06-22T11:26:03.633000",
      "tags": [],
      "references": [
        "June 22nd, 2023 - CryptoGen Cyber Threat Intelligence - Muddled Libra Targets Large Outsourcing Firms"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 19,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 68,
        "hostname": 48,
        "domain": 91,
        "FileHash-SHA256": 8
      },
      "indicator_count": 215,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 500,
      "modified_text": "1046 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "62b4346d6d574aa258745c6e",
      "name": "gamaredon IOCs",
      "description": "The following is a full list of highlights from this year's Technology, Media and Entertainment (Tech, Entertainment and Design) conference, held at London's O2 Arena on Friday, 1 July.",
      "modified": "2022-06-23T09:37:49.100000",
      "created": "2022-06-23T09:37:49.100000",
      "tags": [],
      "references": [
        "https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/",
        "https://github.com/pan-unit42/iocs/blob/master/Gamaredon/2202_06_Gamaredon_IoC_UPDATE.txt"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "brazen.fox.thirteen",
        "id": "155136",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 144,
        "hostname": 2
      },
      "indicator_count": 146,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 128,
      "modified_text": "1440 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "bilitora.ru",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "bilitora.ru",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780425278.777586
}