{
  "type": "Domain",
  "indicator": "bindirect.click",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/bindirect.click",
    "alexa": "http://www.alexa.com/siteinfo/bindirect.click",
    "indicator": "bindirect.click",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4113725822,
      "indicator": "bindirect.click",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 1,
      "pulses": [
        {
          "id": "69fcd21f2198735f03c20357",
          "name": "AI-dvertiser: Multi-Stage Ad Fraud and ClickFix Network Impersonating Web3 Brands",
          "description": "We identified a phishing domain impersonating Bitso that operates as part of a broader malicious advertising and traffic distribution network targeting fintech and Web3 users. The infrastructure chains together multiple redirectors, disposable domains and ad distribution services to deliver highly variable content.\n\nObserved payloads include AI-generated fake news websites featuring synthetic imagery, ClickFix-style landing pages designed to trick users into enabling browser push notifications for large-scale advertising spam, and fully AI-generated YouTube channels focused on music, philosophy and storytelling. In edge cases, the infrastructure redirects victims to low-visibility Spotify tracks that also appear to be AI-generated.\n\nWe refer to this ecosystem as \u201cAI-dvertiser\u201d, an emerging model where generative AI is combined with ad fraud, social engineering and automated content farms to create scalable and low-cost malicious engagement infrastructure.",
          "modified": "2026-05-11T19:53:38.043000",
          "created": "2026-05-07T17:55:43.221000",
          "tags": [
            "Web3"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1472",
              "name": "Generate Fraudulent Advertising Revenue",
              "display_name": "T1472 - Generate Fraudulent Advertising Revenue"
            },
            {
              "id": "T1410",
              "name": "Network Traffic Capture or Redirection",
              "display_name": "T1410 - Network Traffic Capture or Redirection"
            }
          ],
          "industries": [
            "Finance",
            "Crypto"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "QuetzalTeam",
            "id": "273351",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_273351/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 2,
            "URL": 15,
            "domain": 18,
            "hostname": 8,
            "FileHash-SHA256": 3
          },
          "indicator_count": 46,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 40,
          "modified_text": "19 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": [
            "Crypto",
            "Finance"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 1,
  "pulses": [
    {
      "id": "69fcd21f2198735f03c20357",
      "name": "AI-dvertiser: Multi-Stage Ad Fraud and ClickFix Network Impersonating Web3 Brands",
      "description": "We identified a phishing domain impersonating Bitso that operates as part of a broader malicious advertising and traffic distribution network targeting fintech and Web3 users. The infrastructure chains together multiple redirectors, disposable domains and ad distribution services to deliver highly variable content.\n\nObserved payloads include AI-generated fake news websites featuring synthetic imagery, ClickFix-style landing pages designed to trick users into enabling browser push notifications for large-scale advertising spam, and fully AI-generated YouTube channels focused on music, philosophy and storytelling. In edge cases, the infrastructure redirects victims to low-visibility Spotify tracks that also appear to be AI-generated.\n\nWe refer to this ecosystem as \u201cAI-dvertiser\u201d, an emerging model where generative AI is combined with ad fraud, social engineering and automated content farms to create scalable and low-cost malicious engagement infrastructure.",
      "modified": "2026-05-11T19:53:38.043000",
      "created": "2026-05-07T17:55:43.221000",
      "tags": [
        "Web3"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1472",
          "name": "Generate Fraudulent Advertising Revenue",
          "display_name": "T1472 - Generate Fraudulent Advertising Revenue"
        },
        {
          "id": "T1410",
          "name": "Network Traffic Capture or Redirection",
          "display_name": "T1410 - Network Traffic Capture or Redirection"
        }
      ],
      "industries": [
        "Finance",
        "Crypto"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "QuetzalTeam",
        "id": "273351",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_273351/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 2,
        "URL": 15,
        "domain": 18,
        "hostname": 8,
        "FileHash-SHA256": 3
      },
      "indicator_count": 46,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 40,
      "modified_text": "19 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "bindirect.click",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "bindirect.click",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780225808.9278898
}