{ "type": "Domain", "indicator": "bkkil.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/bkkil.com", "alexa": "http://www.alexa.com/siteinfo/bkkil.com", "indicator": "bkkil.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4127066049, "indicator": "bkkil.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "68babf81ce8dc0a40f7d42f5", "name": "New Botnet Emerges from the Shadows: NightshadeC2", "description": "A new botnet called NightshadeC2 has been identified, employing sophisticated techniques to bypass malware analysis sandboxes and exclude itself from Windows Defender. It uses a 'UAC Prompt Bombing' technique and has both C and Python variants. The botnet's capabilities include reverse shell, file execution, self-deletion, remote control, screen capture, hidden web browsers, and keylogging. It's being distributed through ClickFix attacks and trojanized legitimate software. The botnet uses encryption for C2 communication and gathers victim information. It also employs various persistence mechanisms and can bypass certain sandbox environments. The discovery highlights the evolving sophistication of malware and the need for advanced detection and response capabilities.", "modified": "2025-10-05T10:00:42.432000", "created": "2025-09-05T10:46:25.485000", "tags": [ "c2 communication", "trojanized software", "uac bypass", "nightshadec2", "lumma stealer", "sandbox evasion", "keylogging", "botnet" ], "references": [ "https://www.esentire.com/blog/new-botnet-emerges-from-the-shadows-nightshadec2" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1547.009", "name": "Shortcut Modification", "display_name": "T1547.009 - Shortcut Modification" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 56, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 15, "FileHash-SHA1": 18, "FileHash-SHA256": 32, "domain": 10, "hostname": 1 }, "indicator_count": 76, "is_author": false, "is_subscribing": null, "subscriber_count": 386973, "modified_text": "240 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68bc0d92c439f8ebe992a953", "name": "EbeeSep2025 Pt1", "description": "", "modified": "2025-10-11T12:03:16.109000", "created": "2025-09-06T10:31:46.478000", "tags": [], "references": [ "week1.pdf" ], "public": 1, "adversary": "Multiple", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 12, "FileHash-MD5": 157, "FileHash-SHA1": 141, "FileHash-SHA256": 318, "URL": 83, "domain": 78 }, "indicator_count": 789, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "234 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68bf862c1478abb8bc3b7e19", "name": "IOC - New Botnet Emerges from the Shadows: NightshadeC2", "description": "In August 2025, eSentire's Threat Response Unit (TRU) identified a new botnet, tracked as \"NightshadeC2,\" which is being deployed via a loader that employs a simple yet highly effective technique to bypass malware analysis sandboxes and exclude the final payload in Windows Defender using a technique we refer to here-in as \u201cUAC Prompt Bombing\u201d.\n\nTRU has observed both C and Python-based variants that communicate with an unidentified Command and Control (C2) framework. The C variant primarily communicates over TCP ports 7777, 33336, 33337, and 443, whereas Python variants predominantly utilize TCP port 80.", "modified": "2025-10-09T01:03:27.215000", "created": "2025-09-09T01:43:08.382000", "tags": [ "c variant", "python variant", "redacted", "powershell", "ip lookup", "backdoor", "advanced ip", "scanner", "nightshade c", "hkcuenvironment", "python" ], "references": [ "https://www.esentire.com/blog/new-botnet-emerges-from-the-shadows-nightshadec2" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 32, "FileHash-SHA1": 32, "FileHash-SHA256": 32, "URL": 2, "domain": 10 }, "indicator_count": 108, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "236 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68bb29155a70ce68c05e982a", "name": "ioc block", "description": "Hundreds of people have been commenting on the latest developments in the world's largest online community, which are being discussed with a wide range of experts.. and their opinions are as diverse as they are.", "modified": "2025-10-05T18:01:09.375000", "created": "2025-09-05T18:16:53.258000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ESFBSOCTCR", "id": "200541", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 24, "FileHash-SHA1": 24, "FileHash-SHA256": 24, "URL": 1, "domain": 6 }, "indicator_count": 79, "is_author": false, "is_subscribing": null, "subscriber_count": 85, "modified_text": "240 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.esentire.com/blog/new-botnet-emerges-from-the-shadows-nightshadec2", "week1.pdf" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Multiple" ], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "68babf81ce8dc0a40f7d42f5", "name": "New Botnet Emerges from the Shadows: NightshadeC2", "description": "A new botnet called NightshadeC2 has been identified, employing sophisticated techniques to bypass malware analysis sandboxes and exclude itself from Windows Defender. It uses a 'UAC Prompt Bombing' technique and has both C and Python variants. The botnet's capabilities include reverse shell, file execution, self-deletion, remote control, screen capture, hidden web browsers, and keylogging. It's being distributed through ClickFix attacks and trojanized legitimate software. The botnet uses encryption for C2 communication and gathers victim information. It also employs various persistence mechanisms and can bypass certain sandbox environments. The discovery highlights the evolving sophistication of malware and the need for advanced detection and response capabilities.", "modified": "2025-10-05T10:00:42.432000", "created": "2025-09-05T10:46:25.485000", "tags": [ "c2 communication", "trojanized software", "uac bypass", "nightshadec2", "lumma stealer", "sandbox evasion", "keylogging", "botnet" ], "references": [ "https://www.esentire.com/blog/new-botnet-emerges-from-the-shadows-nightshadec2" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1547.009", "name": "Shortcut Modification", "display_name": "T1547.009 - Shortcut Modification" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 56, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 15, "FileHash-SHA1": 18, "FileHash-SHA256": 32, "domain": 10, "hostname": 1 }, "indicator_count": 76, "is_author": false, "is_subscribing": null, "subscriber_count": 386973, "modified_text": "240 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68bc0d92c439f8ebe992a953", "name": "EbeeSep2025 Pt1", "description": "", "modified": "2025-10-11T12:03:16.109000", "created": "2025-09-06T10:31:46.478000", "tags": [], "references": [ "week1.pdf" ], "public": 1, "adversary": "Multiple", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 12, "FileHash-MD5": 157, "FileHash-SHA1": 141, "FileHash-SHA256": 318, "URL": 83, "domain": 78 }, "indicator_count": 789, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "234 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68bf862c1478abb8bc3b7e19", "name": "IOC - New Botnet Emerges from the Shadows: NightshadeC2", "description": "In August 2025, eSentire's Threat Response Unit (TRU) identified a new botnet, tracked as \"NightshadeC2,\" which is being deployed via a loader that employs a simple yet highly effective technique to bypass malware analysis sandboxes and exclude the final payload in Windows Defender using a technique we refer to here-in as \u201cUAC Prompt Bombing\u201d.\n\nTRU has observed both C and Python-based variants that communicate with an unidentified Command and Control (C2) framework. The C variant primarily communicates over TCP ports 7777, 33336, 33337, and 443, whereas Python variants predominantly utilize TCP port 80.", "modified": "2025-10-09T01:03:27.215000", "created": "2025-09-09T01:43:08.382000", "tags": [ "c variant", "python variant", "redacted", "powershell", "ip lookup", "backdoor", "advanced ip", "scanner", "nightshade c", "hkcuenvironment", "python" ], "references": [ "https://www.esentire.com/blog/new-botnet-emerges-from-the-shadows-nightshadec2" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 32, "FileHash-SHA1": 32, "FileHash-SHA256": 32, "URL": 2, "domain": 10 }, "indicator_count": 108, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "236 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68bb29155a70ce68c05e982a", "name": "ioc block", "description": "Hundreds of people have been commenting on the latest developments in the world's largest online community, which are being discussed with a wide range of experts.. and their opinions are as diverse as they are.", "modified": "2025-10-05T18:01:09.375000", "created": "2025-09-05T18:16:53.258000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ESFBSOCTCR", "id": "200541", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 24, "FileHash-SHA1": 24, "FileHash-SHA256": 24, "URL": 1, "domain": 6 }, "indicator_count": 79, "is_author": false, "is_subscribing": null, "subscriber_count": 85, "modified_text": "240 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "bkkil.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "bkkil.com", "found": true, "verdict": "malicious", "url_count": 1, "online_count": 0, "blacklists": { "spamhaus_dbl": "not listed", "surbl": "not listed" }, "urls": [ { "url": "https://bkkil.com/apic/TzQx5VOl/TzQx5VOlze8d", "status": "offline", "threat": "malware_download", "date_added": "2025-08-16", "tags": [] } ], "error": null }, "from_cache": true, "_cached_at": 1780442039.1682944 }